3.8 - 3.9 Flashcards
Password keys and vaults
Password keys: hardware-based authentication; prevents unauthorized access but doesn't replace other factors
Password vault: password manager keeping all credentials in one central location, with secure storage
Trusted platform module
TPM: specification for cryptographic functions, with a cryptographic processor and persistent memory
HSM and KBA
Hardware security module (HSM): centralizes all encryption keys and can offload CPU overhead from other devices
Knowledge-based authentication (KBA): uses personal knowledge as authentication; can be static (something configured previously) or dynamic (questions generated by an identity verification service)
PAP and CHAP
Password Authentication Protocol (PAP): checks whether credentials are valid; very old, and sends credentials over the network in the clear
Challenge Handshake Authentication Protocol (CHAP): adds encryption with a three-way handshake; uses a challenge message and evaluates both the challenge and the password
MS-CHAP: Microsoft's version, used with Point-to-Point Tunneling Protocol (PPTP); can possibly be brute-forced, so use L2TP, IPsec or 802.1X instead
Access services
RADIUS (Remote Authentication Dial-In User Service): centralized authentication for users, routers, switches, firewalls, server authentication, remote VPN access and 802.1X network access
TACACS (Terminal Access Controller Access-Control System): from the dial-up era; since extended (Extended TACACS), and now TACACS+
SSO with Kerberos: authenticate once, then you are trusted by the system, which remembers you
RADIUS, TACACS+ or Kerberos? Depends on what you're connecting to: a VPN concentrator may need RADIUS, Cisco devices may use TACACS+ and Microsoft may use Kerberos
Network access control: 802.1X, port-based network access control
Federated identities
Federation: all devices use the same login credentials
Security Assertion Markup Language (SAML)
Open standard for authentication and authorization to access third-party resources. Not to be used with mobile apps
OAuth: determines what resources will be used by third parties; used together with OpenID Connect, with OAuth determining which resources to use
Access control
Mandatory access control (MAC): separate security levels; objects get a security label (e.g. secret, top secret) and people assigned to those levels can access them
Discretionary access control (DAC): an object is created and access to that object is assigned to a group or person, e.g. a spreadsheet
Role-based access control (RBAC): rights are assigned based on the employee's role
Attribute-based access control (ABAC): different parameters of the user trying to access are checked, like time, IP, actions and the user's relation to the data
Rule-based access control: generic term; the sysadmin sets rules associated with an object, like time of day or whether a specific type of browser is used
File system security: stores and secures access; user rights and group rights can be seen from group policy
Conditional access: rules change based on conditions, e.g. a new employee or a partner
Privileged access management (PAM): controls how privileged access is granted to admins
Certificates
Web server SSL certs: domain validation (DV); extended validation (EV), with additional checks beyond DV; subject alternative name (SAN), adds many different DNS names; wildcard domain, *.domain covers www, ftp, ssl etc.
Code signing certs: received and installed, then validated against the manufacturer/distributor; if validation fails we can stop or continue
Root certs: to start a PKI you need a root certificate authority (CA)
Self-signed certs: build our own certs and distribute them to all devices internally
Machine and computer certs: issued to all devices needing trust, so that among a large set of devices in the org we can check whether a device contains a cert and is to be trusted or not
Email certs: encrypt email on send and receive; also used for digital signatures
User certs: one for every user; can be used on ID cards and for additional authentication
Cert formats
X.509: standard for the structure of certs, so all formats can be read, such as:
DER format (Distinguished Encoding Rules)
PEM (Privacy Enhanced Mail): DER in email-friendly text form
PKCS #12: sends many certs efficiently; compatible with key pairs
CER format: used in Windows
PKCS #7 (.p7b): file transfer over email, but not for private keys
Cert concepts
Online and offline CA
OCSP (Online Certificate Status Protocol) stapling: checks the revocation status of certs
Pinning (TLS/SSL): checks for someone in the middle, to see if anything changed before or after the transfer or network connection
PKI trust relationships: single, hierarchical, mesh, web of trust, mutual authentication
Key escrow: hand keys over to a third party; access is granted if validated by that third party
Certificate chaining: the chain of trust starts with the SSL cert and ends with the root CA