2.4 Summarize authentication and authorization design concepts Flashcards

1
Q

What is authentication, authorization and accounting (AAA)?

A

A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.

2
Q

What does the acronym IAM stand for?

A

Identity and access management: A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.

3
Q

What is knowledge-based authentication?

A

Knowledge-based authentication refers primarily to issuing users with password-based account access mechanisms. Configuring password-based authentication protocols and supporting users with authentication issues is an important part of the information security role.

Knowledge-based authentication relies on cryptographic hashes. A plaintext password is not usually transmitted or stored in a credential database because of the risk of compromise.

4
Q

What is SSO?

A

A single sign-on (SSO) system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again. In Windows, SSO is provided by the Kerberos framework.

5
Q

What is Kerberos and what port does it run on?

A

Kerberos is a single sign-on network authentication and authorization protocol used on many networks, notably as implemented by Microsoft’s Active Directory (AD) service.

Clients request services from application servers, which both rely on an intermediary—a Key Distribution Center (KDC)—to vouch for their identity. There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service. The KDC runs on port 88 using TCP or UDP.

6
Q

Describe the Kerberos login process.

A

1.) The client sends the authentication service (AS) a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user’s password hash as the key.

2.) The AS checks that the user account is present, that it can decode the request by matching the user’s password hash with the one in the Active Directory database, and that the request has not expired. If the request is valid, the AS responds with the following data:
Ticket Granting Ticket (TGT)—this contains information about the client (name and IP address) plus a timestamp and validity period. This is encrypted using the KDC’s secret key.
TGS session key for use in communications between the client and the Ticket Granting Service (TGS). This is encrypted using a hash of the user’s password.

7
Q

What are three remote authentication protocols?

A

1.) Password authentication protocol (PAP)
2.) Challenge Handshake Authentication Protocol (CHAP)
3.) MS-CHAPv2

8
Q

What is PAP?

A

The Password Authentication Protocol (PAP) is an unsophisticated authentication method developed as part of the Point-to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up connections. It is also used as the basic authentication mechanism in HTTP. It relies on clear text password exchange and is therefore obsolete for most purposes, except through an encrypted tunnel.

9
Q

What is CHAP?

A

The Challenge Handshake Authentication Protocol (CHAP) was also developed as part of PPP as a means of authenticating users over a remote link. CHAP relies on an encrypted challenge in a system called a three-way handshake.

Challenge—the server challenges the client, sending a randomly generated challenge message.
Response—the client responds with a hash calculated from the server challenge message and client password (or other shared secret).
Verification—the server performs its own hash using the password hash stored for the client. If it matches the response, then access is granted; otherwise, the connection is dropped.
The handshake is repeated with a different challenge message periodically during the connection (although transparent to the user). This guards against replay attacks, in which a previous session could be captured and reused to gain access.

10
Q

What is an online password attack?

A

An online password attack is where the threat actor interacts with the authentication service directly—a web login form or VPN gateway, for instance. The attacker submits passwords using either a database of known passwords (and variations) or a list of passwords that have been cracked offline.

An online password attack can show up in audit logs as repeatedly failed logons and then a successful logon, or as successful logon attempts at unusual times or locations.

11
Q

What is an offline password attack?

A

An offline attack means that the attacker has managed to obtain a database of password hashes, such as %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), or /etc/shadow. Once the password database has been obtained, the password cracker does not interact with the authentication system. The only indicator of this type of attack (other than misuse of the account in the event of a successful attack) is a file system audit log that records the malicious account accessing one of these files.

12
Q

What is a password spraying attack?

A

Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.

13
Q

What is a brute force attack?

A

A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.

14
Q

What is a dictionary attack?

A

A type of password attack that compares encrypted passwords against a predetermined list of possible password values.

15
Q

What is a rainbow table?

A

Rainbow table attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes.

16
Q

What is a plaintext/unencrypted attack?

A

A plaintext/unencrypted attack exploits password storage or a network authentication protocol that does not use encryption. Examples include PAP, basic HTTP/FTP authentication, and Telnet. These protocols must not be used.

17
Q

What are password crackers?

A

Password guessing software can attempt to crack captured hashes of user credentials by running through all possible combinations (brute force). This can be made less computationally intensive by using a dictionary of standard words or phrases. Password crackers run primarily on Linux.

18
Q

How does smartcard authentication work?

A

For Kerberos authentication, smart-card logon works as follows:

The user presents the smart card to a reader and is prompted to enter a PIN.
Inputting the correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request, which is transmitted to the authentication server (AS).
The AS is able to decrypt the request because it has a matching public key and trusts the user’s certificate, either because it was issued by a local certification authority or by a third-party CA that is a trusted root CA.
The AS responds with the TGT and Ticket Granting Service (TGS) session key.

19
Q

What is an HSM?

A

Hardware security module: An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

HSMs can be implemented in several form factors, including rack-mounted appliances, plug-in PCIe adapter cards, and USB-connected external peripherals.

20
Q

What is a TPM?

A

Trusted Platform Module (TPM)—a secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is usually a module within the CPU. Modification of TPM data is only permitted by highly trusted processes. A TPM can be used to present a virtual smart card (docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview).

21
Q

What is EAP?

A

Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, USB, or TPMs for authentication.

22
Q

What is an AAA server? What are two main types of AAA servers?

A

AAA server—the authentication server, positioned within the local network.

There are two main types of AAA server: RADIUS and TACACS+.

23
Q

What is RADIUS?

A

A standard protocol used to manage remote and wireless authentication infrastructures.

Steps of logging in:

1.) The user’s device (the supplicant) makes a connection to the NAS appliance, such as an access point, switch, or remote access server.
2.) The NAS prompts the user for their authentication credentials. RADIUS supports PAP, CHAP, and EAP. Most implementations now use EAP, as PAP and CHAP are not secure. If EAP credentials are required, the NAS enables the supplicant to transmit EAP over LAN (EAPoL) data, but does not allow any other type of network traffic.
3.) The supplicant submits the credentials as EAPoL data. The RADIUS client uses this information to create an Access-Request RADIUS packet, encrypted using the shared secret. It sends the Access-Request to the AAA server using UDP on port 1812 (by default).
4.) The AAA server decrypts the Access-Request using the shared secret. If the Access-Request cannot be decrypted (because the shared secret is not correctly configured, for instance), the server does not respond.
5.) With EAP, there will be an exchange of Access-Challenge and Access-Request packets as the authentication method is set up and the credentials verified. The NAS acts as a pass-through, taking RADIUS messages from the server and encapsulating them as EAPoL to transmit to the supplicant.
6.) At the end of this exchange, if the supplicant is authenticated, the AAA server responds with an Access-Accept packet; otherwise, an Access-Reject packet is returned.

Optionally, the NAS can use RADIUS for accounting (logging). Accounting uses port 1813. The accounting server can be different from the authentication server.

24
Q

What is TACACS+?

A

Terminal Access Controller Access-Control System Plus (TACACS+):
An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management. Allows network administrators to be allocated specific privileges on each switch, router, access point, and firewall.

25
Q

What are static codes?

A

There are also simpler token keys and smart cards that simply transmit a static token programmed into the device. For example, many building entry systems work on the basis of static codes. These mechanisms are highly vulnerable to cloning and replay attacks.

26
Q

What is an example of implementing a hardware token key?

A

Fast Identity Online (FIDO) Universal Second Factor (U2F) USB token registers a public key with the authentication service. The authentication mechanism then requires the private key locked to the token, which is authorized using PIN or fingerprint activation (fidoalliance.org/showcase/fido-u2f-security-key). This can also be used with the Windows Hello authentication provider (microsoft.com/security/blog/2019/06/10/advancing-windows-10-passwordless-platform).

27
Q

What is the HMAC-based one-time password algorithm?

A

HOTP is an algorithm for token-based authentication (https://www.ietf.org/rfc/rfc4226.html). The authentication server and client token are configured with the same shared secret. This should be an 8-byte value generated by a cryptographically strong random number generator. The token could be a fob-type device or implemented as a smartphone authentication/authenticator app.

28
Q

What is the time-based one-time password algorithm?

A

TOTP is a refinement of the HOTP. One issue with HOTP is that tokens can be allowed to persist unexpired, raising the risk that an attacker might be able to obtain one and decrypt data in the future. In TOTP, the HMAC is built from the shared secret plus a value derived from the device’s and server’s local timestamps. TOTP automatically expires each token after a short window (60 seconds, for instance). For this to work, the client device and server must be closely time-synchronized. One well-known implementation of HOTP and TOTP is Google Authenticator.

29
Q

What methods are used for 2-step verification?

A

1.) Short Message Service (SMS)—the code is sent as a text to the registered phone number.
2.) Phone call—the code is delivered as an automated voice call to the registered phone number.
3.) Push notification—the code is sent to a registered authenticator app on the PC or smartphone.
4.) Email—the code is sent to a registered email account.

30
Q

What is EAPoL?

A

A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.

31
Q

What is federated authentication?

A

Federated authentication redefines user identities and access to digital services. A user has a single digital identity built with data points managed by an identity provider (IdP). The identity provider establishes trust with other applications and services while using a single digital identity.

32
Q

What is attestation?

A

The attestation mechanism represents the method chosen for a device to confirm its identity when it connects to an IoT platform service like Azure IoT Hub. IoT Hub supports symmetric key, X.509 thumbprint, and X.509 CA attestation methods. Authentication is how the device identifies itself.

33
Q

In biometric authentication, what is a false rejection rate (FRR)?

A

Biometric assessment metric that measures the number of valid subjects who are denied access. FRR is measured as a percentage.

34
Q

In biometric authentication, what is a false acceptance rate (FAR)?

A

Biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access. FAR is measured as a percentage. False rejections cause inconvenience to users, but false acceptance can lead to security breaches, and so is usually considered the most important metric.

35
Q

In biometric authentication, what is crossover error rate (CER)?

A

Biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance. Errors are reduced over time by tuning the system. This is typically accomplished by adjusting the sensitivity of the system until CER is reached.

36
Q

Fingerprints used in biometric authentication.

A

Fingerprint recognition is the most widely implemented biometric authentication method. The technology required for scanning and recording fingerprints is relatively inexpensive and the process quite straightforward. The main problem with fingerprint scanners is that it is possible to obtain a copy of a user’s fingerprint and create a mold of it that will fool the scanner (tomsguide.com/us/iphone-touch-id-hack,news-20066.html). These concerns are addressed by vein matching scanners, or vascular biometrics.

37
Q

Retinal scans used in biometric recognition.

A

Retinal scan—an infrared light is shone into the eye to identify the pattern of blood vessels. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries. Retinal scanning is therefore one of the most accurate forms of biometrics. Retinal patterns are very secure, but the equipment required is expensive and the process is relatively intrusive and complex. False negatives can be produced by disease, such as cataracts.

38
Q

Iris scan used in biometric recognition.

A

Iris scan—matches patterns on the surface of the eye using near-infrared imaging and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and a lot quicker. Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-volume applications, such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of someone’s eye.