2.4 Summarize authentication and authorization design concepts Flashcards
What is authentication, authorization and accounting (AAA)?
A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.
What does the acronym IAM stand for?
Identity and access management: A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.
What is knowledge-based authentication?
Knowledge-based authentication refers primarily to issuing users with password-based account access mechanisms. Configuring password-based authentication protocols and supporting users with authentication issues is an important part of the information security role.
Knowledge-based authentication relies on cryptographic hashes. A plaintext password is not usually transmitted or stored in a credential database because of the risk of compromise.
What is SSO?
A single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again. In Windows, SSO is provided by the Kerberos framework.
What is Kerberos and what port does it run on?
Kerberos is a single sign-on network authentication and authorization protocol used on many networks, notably as implemented by Microsoft’s Active Directory (AD) service.
Clients request services from application servers, which both rely on an intermediary—a Key Distribution Center (KDC)—to vouch for their identity. There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service. The KDC runs on port 88 using TCP or UDP.
Describe the Kerberos login process.
1.) The client sends the authentication service (AS) a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user’s password hash as the key.
2.) The AS checks that the user account is present, that it can decode the request by matching the user’s password hash with the one in the Active Directory database, and that the request has not expired. If the request is valid, the AS responds with the following data:
Ticket Granting Ticket (TGT)—this contains information about the client (name and IP address) plus a timestamp and validity period. This is encrypted using the KDC’s secret key.
TGS session key for use in communications between the client and the Ticket Granting Service (TGS). This is encrypted using a hash of the user’s password.
What are three remote authentication protocols?
1.) Password authentication protocol (PAP)
2.) Challenge Handshake Authentication Protocol (CHAP)
3.) MS-CHAPv2
What is PAP?
The Password Authentication Protocol (PAP) is an unsophisticated authentication method developed as part of the Point-to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up connections. It is also used as the basic authentication mechanism in HTTP. It relies on clear text password exchange and is therefore obsolete for most purposes, except through an encrypted tunnel.
What is CHAP?
The Challenge Handshake Authentication Protocol (CHAP) was also developed as part of PPP as a means of authenticating users over a remote link. CHAP relies on an encrypted challenge in a system called a three-way handshake.
Challenge—the server challenges the client, sending a randomly generated challenge message.
Response—the client responds with a hash calculated from the server challenge message and client password (or other shared secret).
Verification—the server performs its own hash using the password hash stored for the client. If it matches the response, then access is granted; otherwise, the connection is dropped.
The handshake is repeated with a different challenge message periodically during the connection (although transparent to the user). This guards against replay attacks, in which a previous session could be captured and reused to gain access.
What is an online password attack?
An online password attack is where the threat actor interacts with the authentication service directly—a web login form or VPN gateway, for instance. The attacker submits passwords using either a database of known passwords (and variations) or a list of passwords that have been cracked offline.
An online password attack can show up in audit logs as repeatedly failed logons and then a successful logon, or as successful logon attempts at unusual times or locations.
What is an offline password attack?
An offline attack means that the attacker has managed to obtain a database of password hashes, such as %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), or /etc/shadow. Once the password database has been obtained, the password cracker does not interact with the authentication system. The only indicator of this type of attack (other than misuse of the account in the event of a successful attack) is a file system audit log that records the malicious account accessing one of these files.
What is a password spraying attack?
Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.
What is a brute force attack?
A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.
What is a dictionary attack?
A type of password attack that compares encrypted passwords against a predetermined list of possible password values.
What is a rainbow table?
Rainbow table attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes.
What is a plaintext/unencrypted attack?
A plaintext/unencrypted attack exploits password storage or a network authentication protocol that does not use encryption. Examples include PAP, basic HTTP/FTP authentication, and Telnet. These protocols must not be used.
What are password crackers?
Password guessing software can attempt to crack captured hashes of user credentials by running through all possible combinations (brute force). This can be made less computationally intensive by using a dictionary of standard words or phrases. Password crackers run primarily on Linux.
How does smartcard authentication work?
For Kerberos authentication, smart-card logon works as follows:
The user presents the smart card to a reader and is prompted to enter a PIN.
Inputting the correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request, which is transmitted to the authentication server (AS).
The AS is able to decrypt the request because it has a matching public key and trusts the user’s certificate, either because it was issued by a local certification authority or by a third-party CA that is a trusted root CA.
The AS responds with the TGT and Ticket Granting Service (TGS) session key.
What is an HSM?
Hardware security module: An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.
HSMs can be implemented in several form factors, including rack-mounted appliances, plug-in PCIe adapter cards, and USB-connected external peripherals.
What is a TPM?
Trusted Platform Module (TPM)—a secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is usually a module within the CPU. Modification of TPM data is only permitted by highly trusted processes. A TPM can be used to present a virtual smart card (docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview).
What is EAP?
Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, USB, or TPMs for authentication.
What is an AAA server? What are two main types of AAA servers?
AAA server—the authentication server, positioned within the local network.
There are two main types of AAA server: RADIUS and TACACS+.
What is RADIUS?
A standard protocol used to manage remote and wireless authentication infrastructures.
Steps of logging in:
1.) The user’s device (the supplicant) makes a connection to the NAS appliance, such as an access point, switch, or remote access server.
2.) The NAS prompts the user for their authentication credentials. RADIUS supports PAP, CHAP, and EAP. Most implementations now use EAP, as PAP and CHAP are not secure. If EAP credentials are required, the NAS enables the supplicant to transmit EAP over LAN (EAPoL) data, but does not allow any other type of network traffic.
3.) The supplicant submits the credentials as EAPoL data. The RADIUS client uses this information to create an Access-Request RADIUS packet, encrypted using the shared secret. It sends the Access-Request to the AAA server using UDP on port 1812 (by default).
4.) The AAA server decrypts the Access-Request using the shared secret. If the Access-Request cannot be decrypted (because the shared secret is not correctly configured, for instance), the server does not respond.
5.) With EAP, there will be an exchange of Access-Challenge and Access-Request packets as the authentication method is set up and the credentials verified. The NAS acts as a pass-through, taking RADIUS messages from the server and encapsulating them as EAPoL to transmit to the supplicant.
6.) At the end of this exchange, if the supplicant is authenticated, the AAA server responds with an Access-Accept packet; otherwise, an Access-Reject packet is returned.
Optionally, the NAS can use RADIUS for accounting (logging). Accounting uses port 1813. The accounting server can be different from the authentication server.
What is TACACS+?
Terminal Access Controller Access-Control System Plus (TACACS+):
An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management. Allows network administrators to be allocated specific privileges on each switch, router, access point, and firewall.