2.4 - Summarize authentication and authorization design concepts.

Question 1

• Directory services

Answer 1

*
Keep all of an organization’s usernames and passwords
in a single database
– Also contains computers, printers, and other devices
*
Large distributed database
– Constantly replicated
*
All authentication requests reference this directory
– Each user only needs one set of credentials
– One username and password for all services
*
Access via Kerberos or LDAP

Question 2

• Federation

Answer 2

*
Provide network access to others
– Not just employees - Partners, suppliers, customers, etc.
– Provides SSO and more
*
Third-parties can establish a federated network
– Authenticate and authorize between the
two organizations
– Login with your Facebook credentials
*
The third-parties must establish a trust relationship
– And the degree of the trust

Question 3

• Attestation

Answer 3

*
Prove the hardware is really yours
– A system you can trust
*
Easy when it’s just your computer
– More difficult when there are 1,000
*
Remote attestation
– Device provides an operational report to a
verification server
– Encrypted and digitally signed with the TPM
– An IMEI or other unique hardware component can be
included in the report

Question 4

• Time-based one- time password (TOTP)

Answer 4

*
Time-based One-Time Password algorithm
– Use a secret key and the time of day
– No incremental counter
*
Secret key is configured ahead of time
– Timestamps are synchronized via NTP
*
Timestamp usually increments every 30 seconds
– Put in your username, password, and TOTP code
*
One of the more common OTP methods
– Used by Google, Facebook, Microsoft, etc.

Question 5

• HMAC-based one-time password (HOTP)

Answer 5

*
One-time passwords
– Use them once, and never again
– Once a session, once each authentication attempt
*
HMAC-based One-Time Password algorithm
– Keyed-hash message authentication code (HMAC)
– The keys are based on a secret key and a counter
*
Token-based authentication
– The hash is different every time
*
Hardware and software tokens available
– You’ll need additional technology to make this work

Question 6

• Short message service (SMS)

Question 7

• Token key

Question 8

• Static codes

Answer 8

*
Authentication factors that don’t change
– You just have to remember
*
Personal Identification Number (PIN)
– Your secret numbers
*
Can also be alphanumeric
– A password or passphrase

Question 9

• Authentication applications

Answer 9

*
Pseudo-random token generators
– A useful authentication factor
*
Carry around a physical hardware token generator
– Where are my keys again?
*
Use software-based token generator on your phone
– Powerful and convenient

Question 10

• Push notifications

Answer 10

*
Similar process to an SMS notification
– Authentication factor is pushed to a specialized app
– Usually on a mobile device
*
Security challenges
– Applications can be vulnerable
– Some push apps send in the clear
*
Still more secure than SMS
– Multiple factors are better than one factor

Question 11

• Phone call

Answer 11

*
A voice call provides the token
– The computer is talking to you
– “Your code is 1-6-2-5-1-7.”
*
Similar disadvantages to SMS
– Phone call can be intercepted or forwarded
– Phone number can be added to another phone

Question 12

• Smart card authentication

Answer 12

Integrated circuit card - Contact or contactless
*
Common on credit cards - Also used for access control
*
Must have physical card to provide digital access
– A digital certificate
*
Multiple factors
– Use the card with a PIN or fingerprint

Chapple 231
Weiss 324
Gibson 41

Question 13

• Fingerprint

Answer 13

Chapple
Weiss
Gibson

Question 14

• Retina

Answer 14

Chapple
Weiss
Gibson

Question 15

• Iris

Answer 15

Chapple
Weiss
Gibson

Question 16

• Facial

Answer 16

Chapple
Weiss
Gibson

Question 17

• Voice

Answer 17

Chapple
Weiss
Gibson

Question 18

• Vein

Answer 18

Chapple
Weiss
Gibson

Question 19

• Gait analysis

Answer 19

• the way you walk

Question 20

• Efficacy rates

Question 21

• False acceptance

Answer 21

False acceptance rate (FAR)
– Likelihood that an unauthorized user will be accepted
– Not sensitive enough

Question 22

• False rejection

Answer 22

False rejection rate (FRR)
– Likelihood that an authorized user will be rejected
– Too sensitive

Question 23

• Crossover error rate

Answer 23

– Defines the overall accuracy of a biometric system

– The rate at which FAR and FRR r equal

– Adjust sensitivity to equalize both values

Question 24

AAA - (Authentication, authorization, and accounting)

Answer 24

*
Identification
– This is who you claim to be
– Usually your username
*
Authentication
– Prove you are who you say you are
– Password and other authentication factors
*
Authorization
– Based on your identification and authentication,
what access do you have?
*
Accounting
– Resources used: Login time, data sent
and received, logout time

Question 25

Cloud vs. on-premises requirements

Answer 25

* Cloud-based security – Third-party can manage the platform – Centralized platform – Automation options with API integration – May include additional options (for a cost) * On-premises authentication system – Internal monitoring and management – Need internal expertise – External access must be granted and managed

Question 26

- Somewhere you are (MFA Attributes)

Answer 26

Provide a factor based on ur location - The transaction only completes if u r in a particular geography IP address – Not perfect, but can help provide more info – Works wth IPv4, NOT so much wth IPv6 Mobile device location services – Geolocation to a specific area – Must be in a location that can receive GPS info/near an identified mobile/802.11 net – Still not a perfect identifier of location

Question 27

- Something you can do (MFA Attributes)

Answer 27

-A personal way of doing things Handwriting analysis – Signature comparison – Writing technique V similar to biometrics – Close to something you are

Question 28

- Something you exhibit (MFA Attributes)

Answer 28

– unique trait, personal to u -> Gait analysis - the way you walk ->Typing analysis - the way u hit the enter key too hard

Question 29

- Someone you know (MFA Attributes)

Answer 29

– A social factor -> not what you know… – Web of trust – Digital signature

Question 30

- Something you know (MFA Factors)

Answer 30

Password – Secret word/phrase, string of characters – v common auth factor PIN – Personal identification # – Not typically contained anywhere on a smart card/ATM card Pattern – Complete a series of patterns – Only u know the right format

Question 31

- Something you have ( MFA Factors)

Answer 31

Smart card – Integrates with devices – May require a PIN USB token - Certificate is on the USB device Hardware/software tokens – Generates pseudo-random auth codes Your phone -SMS a code to your phone

Question 32

- Something you are (MFA Factors)

Answer 32

Biometric authentication – Fingerprint, iris scan, voice print Usually stores a mathematical representation of your biometric – ur actual fingerprint isn’t usually saved Difficult to change – u can change ur pswd – u can’t change ur fingerprint Used in very specific situations – Not foolproof