2.4 - Authentication and Authorization Design Concepts

Question 1

Directory Services

Answer 1

• A feature that keep all of an organization’s usernames / passwords in a single database
• Also contains computers, printers, and other devices that might be connected to a network
• Large distributed database
• Constantly replicated so that every DB is always up to date with latest info
• This means a user only needs one set of credentials for all services

Question 2

Microsoft Active Directory

Answer 2

• One of the most common examples of Directory Services
• Accessed via Kerberos protocol or LDAP
• This allows access to a DB from an external device

Question 3

Federation

Answer 3

• Instead of maintaining your own DB of usernames / passwords (Directory Services)
• Federation allows users access to your network from information that is stored by a third party
• Federation is an alternative - Use authentication information that is already at another site
• Not just employees - partners, suppliers, customers, etc.
• Provides SSO and more

Question 4

Enable Federation

Answer 4

• Need to coordinate authentication / authorization between two organizations
• Ex: Log in page that allows you to log into site X via Facebook, LinkedIn, Twitter, etc.
• Once trust relationship is established with this third party, users can use other credentials to log in to your network

Question 5

Attestation

Answer 5

• Want to make sure users are connecting to our network using our hardware (not a 3rd party)
• Prove the hardware you’re using is really yours (a system you can trust)
• AKA can the hardware attest that it is the hardware it should be
• Ex: if managing a single device, it’s easy to determine this, but if you’ve got thousands of devices you need to automate it

Question 6

Remote Attetstation

Answer 6

• Remote device provides operational support to a verification server
• Will allow / prevent access to network
• Encrypted and digitally signed with the TPM (Trusted Platform Module) of the remote device
• An IMEI (International Mobile Equipment Identification Number) or other unique hardware component can be included in the report
• This will confirm that the device on the other end of the communication is trustworthy and allowed access

Question 7

SMS

Answer 7

• Short Message Service (text message)
• Login factor can be sent via SMS to send a code and the user uses this code to login
• This confirms that you are the person that has the phone (hardware in your position)
• An example of Remote Attestation
• However generally seen as less secure than other methods (ex: user an reprogram the number that the code is being sent to. they can also be intercepted.) These types of issues are relatively rare, but they exist
• MFA is better than single authentication.

Question 8

Push Notification

Answer 8

• Instead of an SMS, can rely on a similar process to an SMS notification
• server is “pushing” Authentication Factor is to a specialized app on a device.
• Usually on a mobile device
• Another example of Remote Attestation
• Security Concerns: The app receiving the push notification could have vulnerabilities that let 3rd parties see info or perhaps it doesn’t have encryption
• Probably more secure than SMS with the right app
• MFA is better than single authentication

Question 9

Authentication Apps

Answer 9

• Pseudo random token generators
• Useful authentication factor
• Ex: RSA physical device or RSA app

Question 10

TOTP

Answer 10

• Time-based One-Time Password algorithm
• Use a secret key and the time of day
• No incremental counter
• Usually available around 30 sec
• One time synchronization process, for setup, with a secret key + time of day. The authentication server and token generator will know what the next number in sequence will be based on the time of day
• Used by many token generators (like RSA)
• Commonly used: enter user name, password, open app and enter the number in a box (If you’ve used MFA ex: Microsoft, google, etc probably used TOTP, it’s pretty common OTP method)

Question 11

HOTP

Answer 11

• HMAC-based One-Time Password algorithm
• Another authentication method
• One-time password
• Similar to TOTP, but instead of having a number that changes every 30 sec, you have a number you use once then throw away
• Keys are based on a keyed hash method code (HMAC) and a counter (go down a list and use the code then cross it off and go down the list)

Question 12

HMAC

Answer 12

• Keyed-hash message authentication code
• keys are based on a secret code + counter (check codes off list)
• Example of HOTP (HMAC - based One-Time Password Algorithm)

Question 13

Token-based authentication

Answer 13

• Hash is different every time, could be an app
• will integrate with server for authentication
• Can be an example of HOTP

Question 14

Hardware and software token available

Answer 14

• Need additional technology to make this work

Question 15

Phone call

Answer 15

• An automated process can call you and tell you the pseudo random token generators
• Similar disadvantages to SMS (can be intercepted or forwarded, phone number can be added to a phone number (meaning it rings across multiple phones simultaneously so someone else can answer first))

Question 16

Exploiting an application

Answer 16

• Attackers often exploit an application’s vulnerability.
• Once you exploit one binary, you can exploit them all
• Ex: A Windows 10 exploit affects all Windows 10 users
• But, what if all computers were running different software? (Solution: Software diversity. Ex: Unique binaries, functionally identical)

Question 17

Software Diversity

Answer 17

• A solution to the problem if a hacker can exploit one application they can exploit them all
• Ex: Each compiled application is a little different but functionally they’re the same
• Final binary file is different every time you compile (doesn’t change the way the application works)
• Hackers may not be able to use an exploit on the same application on a different person’s machine
• Does create extra work during development and deployment, but adds a layer of security

Question 18

Automation and Scripting

Answer 18

• Create automation around deployment and issues that arise during deployment
• Ex: Continuous monitoring a certain drive so that it doesn’t get too full. If it does you can automatically work to free up disk space.
• Very important for cloud (automatic provisioning / deprovisioning)

Question 19

CI

Answer 19

• Continuous Integration
• Application developers may be constantly updating and merging several times a day
• A lot of chances for security issues
• Need security checks during development
• Documented security baselines is the bare minimum
• Large-scale security analysis during the testing phase (significant problems will have already been covered)

Question 20

CD

Answer 20

• Continuous Delivery (or deployment)
• Automated checks during testing process and release
• Click a button and deploy an application

Question 21

CD 2

Answer 21

• Continuous Deployment
• Testing, deployment process is automated
• Automatically deploy to production (assuming no issues)

Question 22

Biometric (authentication factors)

Answer 22

• Refers to something you are
• Ex: finger print scanner on phones, laptops, doors
• Ex: Retina to authenticate, relatively unique and don’t often change making them a good biometric
• Ex: Iris (front of eye)
• Ex: Voice recognition
• Ex: face recognition
• All of them are uncertain science (differences in users, sensitives in readers) have to spend some time making sure sensitivity levels are accurately authentication

Question 23

Biometric factor (rarely used)

Answer 23

• Gait analysis, but a pretty unique biometric
• Veins, vascular scanners in arms

Question 24

FAR

Answer 24

• False Acceptance Rate
• Likelihood that an unauthorized user will be accepted
• Often used when discussing biometrics
• Need to increase FAR if your FAR is too high

Question 25

FRR

Answer 25

• False Rejection Rate
• When an authorized user is denied access to something they should have access to
• Opposite from FAR (False Acceptance Rate)
• A large number of FRR can cause frustration
• Solution: you’d need to decrease sensitivity if your FRR rate is too high

Question 26

CER

Answer 26

• Crossover Error Rate
• Defines the overall accuracy of a biometric system
• The rate at which the FAR (False Acceptance Rate) and FRR (False Rejection Rate are equalized (or at least minimized both)
• “Sweet spot”

Question 27

AAA Framework

Answer 27

• Authentication, Authorization, and Accounting
• Authentication- Are we who we say we are? (Ex: user name associates an account with an individual)
• During Authentication, you have to prove this (Ex: password, biometric factor, etc.)
• Authorization: What do you have access to? (Ex: A particular file share or printer access)
• Accounting: Who authenticated onto a network? (Ex: On premise or cloud based accounting )
• Cloud is often 3rd party, centralized platform, often includes API integration, may also have additional cloud options

Question 28

Cloud-based security authentication

Answer 28

• The “A” in Accounting in the AAA Framework
• Cloud is often managed by a 3rd party
• Centralized platform
• Often includes API integration
• May also have additional cloud options

Question 29

On-Premises Authentication System

Answer 29

• Another option for the “A” in Accounting in the AAA framework (vs Cloud)
• Internal monitoring / management
• Need internal expertise
• External access must be granted and managed
• Need processes in place for outside users who need access to authenticate

Question 30

Factors

Answer 30

• Something you know
• Something you have
• Something you are
• From here you can add attributes

Question 31

Attributes

Answer 31

• These are add-ons to the 3 factors for authentication ( a bit more fluid)
• Somewhere you are
• Something you can do
• Something you exhibit
• Someone you know

Question 32

Something you know

Answer 32

• Authentication Factor (1 of 3)
• Something you know (in your brain)
• Ex: password , secret word/ phrase, PIN
• Very common authentication factor
• Ex: Pattern for unlocking a phone
• An example of a factor

Question 33

Something you have

Answer 33

• Authentication Factor (1 of 3)
• Ex: A smart card, can integrate with a laptop (usually combining with PIN, aka something you know)
• Ex: a USB token (certificate is on the USB) or software based version
• Ex: SMS code to your phone

Question 34

Something you are

Answer 34

• Authentication Factor (1 of 3)
• Biometric factor
• Ex: fingerprint, iris scan, voice print
• Usually a mathematical representation of your biometrics
• Difficult to change so you can associate with an individual
• Biometrics should be combined with others, not foolproof

Question 35

Somewhere you are

Answer 35

• Authentication Attribute
• Provides a factor based on location
• Ex: Transaction only completes if you’re in a certain geography (ex: in US)
• EX: IPV4, not perfect, but can provide more info (sometimes can give wrong location of a country in IPV4. IPV6 doesn’t list specific countries but gives a good amount of info on whether user is authenication)
• Ex: GPS or wireless triangulation (again not perfect) and can spoof GPS (ex: near an identified mobile or 802.11 network)

Question 36

Something you can do

Answer 36

• Authentication Attribute
• Personal way of doing something
• May seem similar to biometrics, but this is much broader
• Ex: signature

Question 37

Something you exhibit

Answer 37

• Authentication Attribute
• Ex: gait analysis
• Ex: The way you type or tming b/n key stroks

Question 38

Someone you know

Answer 38

• Authentication Attribute- Can give you more credibility
• A social factor
• Ex: used in cryptography when creating web of trust of creating a digital signature