3.8 Authentication and Authorization Solutions Flashcards
• Hardware-based authentication
– Something you have
• Helps prevent unauthorized logins and account takeovers
– The key must be present to log in
• Doesn’t replace other factors
– Passwords are still important
Password keys
• Password managers
– All passwords in one location
– A database of credentials
• Secure storage
– All credentials are encrypted
– Cloud-based synchronization options
• Create unique passwords
– Passwords are not the same across sites
• Personal and enterprise options
– Corporate access
Password vaults
• A specification for cryptographic functions
– Hardware support for these cryptographic operations
• Cryptographic processor
– Random number generator, key generators
• Persistent memory
– Comes with unique keys burned in during production
• Versatile memory
– Storage keys, hardware configuration information
• Password protected
– Dictionary-attack protection: lockout after repeated failed attempts
Trusted Platform Module (TPM)
• High-end cryptographic hardware
– Plug-in card or separate hardware device
• Key backup
– Secured storage
• Cryptographic accelerators
– Offload that CPU overhead from other devices
• Used in large environments
– Clusters, redundant power supplies
Hardware Security Module (HSM)
• Use personal knowledge as an authentication factor
– Something you know
• Static KBA
– Pre-configured shared secrets
– Often used with account recovery
– What was the make and model of your first car?
• Dynamic KBA
– Questions are based on an identity verification service
– What was your street number when you lived in Pembroke Pines, Florida?
Knowledge-based authentication (KBA)
• A basic authentication method
– Used in legacy operating systems
– Rarely used on its own
• PAP is in the clear
– Weak authentication scheme
– Non-encrypted password exchange
– Encryption wasn’t required on analog dial-up lines
– The application would need to provide any encryption
PAP (Password Authentication Protocol)
• Challenge-Handshake Authentication Protocol
– Challenge-response using a one-way hash; the password itself never crosses the network
• Three-way handshake
– After the link is established, the server sends a random challenge
– Client responds with a hash (MD5 in RFC 1994) calculated from the identifier, the challenge and the password
– Server computes the same hash from its own copy of the secret and compares
– The server therefore needs the plaintext secret (or a reversibly encrypted copy), not just a password hash
• Challenge-Response continues
– Occurs periodically during the connection
– Transparent to the user
CHAP
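The three-way handshake above, simulated end to end. This is an added example for these notes, not code from the original flashcards: it builds the CHAP Challenge and Response payloads of RFC 1994 (PPP framing omitted), computes the MD5 response over identifier, secret and challenge, and shows why a captured response cannot be replayed. The peer name, shared secret and identifier values are constructed for the demonstration.

```python
"""CHAP (RFC 1994) three-way handshake, simulated in one process.

Added example for these notes; it is not part of the original flashcards.
The PPP framing is omitted and only the CHAP payload is built. The peer
name, the shared secret and the identifier values are constructed for
the demonstration.
"""
import hashlib
import hmac
import os
import struct

CHAP_CHALLENGE = 1
CHAP_RESPONSE = 2


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 4.1: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_packet(code: int, identifier: int, value: bytes, name: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Value-Size(1) Value Name."""
    length = 5 + len(value) + len(name)
    return struct.pack("!BBHB", code, identifier, length, len(value)) + value + name


def parse_packet(pkt: bytes) -> tuple:
    if len(pkt) < 5:
        raise ValueError("truncated CHAP packet")
    code, identifier, length, value_size = struct.unpack("!BBHB", pkt[:5])
    if length != len(pkt) or 5 + value_size > len(pkt):
        raise ValueError("CHAP length fields do not match packet")
    return code, identifier, pkt[5:5 + value_size], pkt[5 + value_size:]


class ChapAuthenticator:
    """Server side. It must hold the plaintext secret (or a reversibly
    encrypted copy), because the hash is computed over the secret itself."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # peer name -> shared secret
        self.outstanding = {}       # identifier -> challenge awaiting a response

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)       # fresh, unpredictable value for every challenge
        self.outstanding[identifier] = chal
        return build_packet(CHAP_CHALLENGE, identifier, chal, b"nas01")

    def verify(self, response_pkt: bytes) -> bool:
        code, identifier, value, name = parse_packet(response_pkt)
        chal = self.outstanding.pop(identifier, None)   # a challenge is answerable once
        if code != CHAP_RESPONSE or chal is None or name not in self.secrets:
            return False
        expected = chap_md5_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, value)


class ChapPeer:
    """Client side: proves knowledge of the secret without sending it."""

    def __init__(self, name: bytes, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, challenge_pkt: bytes) -> bytes:
        code, identifier, chal, _ = parse_packet(challenge_pkt)
        if code != CHAP_CHALLENGE:
            raise ValueError("expected a CHAP Challenge")
        digest = chap_md5_response(identifier, self.secret, chal)
        return build_packet(CHAP_RESPONSE, identifier, digest, self.name)


def run_exchange(authenticator: ChapAuthenticator, peer: ChapPeer, identifier: int):
    """Challenge -> Response -> verdict. Returns (success, response packet)."""
    response = peer.respond(authenticator.challenge(identifier))
    return authenticator.verify(response), response


if __name__ == "__main__":
    nas = ChapAuthenticator({b"alice": b"correct horse battery staple"})
    ok, captured = run_exchange(nas, ChapPeer(b"alice", b"correct horse battery staple"), 1)
    print("genuine peer:", ok)
    # An on-path attacker who captured the response cannot reuse it: the server
    # has discarded that challenge and will issue a different one next time.
    print("replayed response:", nas.verify(captured))
    ok, _ = run_exchange(nas, ChapPeer(b"alice", b"wrong secret"), 2)
    print("wrong secret:", ok)
```

The periodic re-challenge the card mentions is just `run_exchange` called again with a new identifier mid-session; because every challenge is random and single-use, a sniffer who records one exchange learns nothing that works against the next one. The cost is the one noted in the card: the authenticator must keep the secret in a recoverable form.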
• Microsoft’s implementation of CHAP
– Commonly used with Microsoft’s Point-to-Point Tunneling Protocol (PPTP)
– MS-CHAP v2 is the more recent version
• Security issues related to the use of DES
– The NT hash is used as DES key material, so an attacker who captures the exchange can brute force the 2^56 possible DES keys to recover the NT hash
– Don’t use MS-CHAP!
– Consider L2TP/IPsec, 802.1X or some other secure authentication method
MS-CHAP
• One of the more common AAA protocols
– Supported on a wide variety of platforms and devices
– Not just for dial-in
• Centralize authentication for users
– Routers, switches, firewalls, server authentication,
remote VPN access, 802.1X network access
• RADIUS services available on almost any server OS
RADIUS (Remote Authentication Dial-in User Service)
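A RADIUS Access-Request as the client (a router, switch, VPN concentrator or 802.1X authenticator) would send it. This is an added example for these notes, not code from the original flashcards or from any RADIUS implementation: it builds the RFC 2865 packet, hides the User-Password with the shared secret and Request Authenticator, recovers it the way the server does, and then shows the practitioner's caveat, that anyone who knows one password and captures the request can brute force a weak shared secret offline. The user name, password, NAS address and shared secrets are constructed for the demonstration.

```python
"""RADIUS Access-Request with User-Password hiding (RFC 2865 section 5.2).

Added example for these notes, not code from the original flashcards or from
any RADIUS implementation. The user name, password, NAS address and the
shared secrets below are constructed for the demonstration.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """Attribute = Type(1) Length(1, includes this header) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NUL-pad to 16-octet blocks, then c_i = p_i XOR MD5(secret || c_(i-1)),
    with the 16-octet Request Authenticator standing in for c_0."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, XOR back, drop NUL padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, username: bytes, password: bytes,
                         nas_ip: str, secret: bytes, authenticator: bytes = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    if authenticator is None:
        authenticator = os.urandom(16)      # random Request Authenticator per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(pkt: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(pkt):
        if pos + 2 > len(pkt):
            raise ValueError("truncated attribute header")
        attr_type, length = pkt[pos], pkt[pos + 1]
        if length < 2 or pos + length > len(pkt):
            raise ValueError("malformed attribute")
        attrs[attr_type] = pkt[pos + 2:pos + length]
        pos += length
    return attrs


def server_recover_password(pkt: bytes, secret: bytes) -> bytes:
    """What the RADIUS server does with a received Access-Request."""
    return reveal_password(parse_attributes(pkt)[ATTR_USER_PASSWORD], secret, pkt[4:20])


def guess_shared_secret(pkt: bytes, known_password: bytes, wordlist):
    """Offline attack: someone who knows one user's password (e.g. their own) and
    captures that user's Access-Request can test candidate shared secrets without
    ever talking to the server. A weak or default secret falls to a wordlist."""
    for candidate in wordlist:
        if server_recover_password(pkt, candidate) == known_password:
            return candidate
    return None


if __name__ == "__main__":
    SECRET = b"testing123"   # constructed; a placeholder copied from a tutorial is what this attack finds
    pkt = build_access_request(42, b"bob", b"Winter2024!", "10.0.0.5", SECRET)
    print("User-Name is in the clear:", parse_attributes(pkt)[ATTR_USER_NAME])
    print("server recovers:", server_recover_password(pkt, SECRET))
    print("attacker recovers secret:",
          guess_shared_secret(pkt, b"Winter2024!", [b"radius", b"secret", b"testing123"]))
```

Two things the card's "centralize authentication" bullet leaves implicit follow from this code: the User-Name travels in the clear, and the only thing protecting every user's password on the wire is the shared secret, which is therefore a credential to generate randomly and rotate, not a string to copy from a how-to. Running RADIUS inside IPsec or using RadSec (RADIUS over TLS) removes the exposure entirely.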
• Terminal Access Controller Access-Control System
– Remote authentication protocol
– Created to control access to dial-up lines to ARPANET
• XTACACS (Extended TACACS)
– A Cisco-created (proprietary) version of TACACS
– Additional support for accounting and auditing
• TACACS+
– The latest version of TACACS, not backwards compatible
– More authentication requests and response codes
– Released as an open standard in 1993
TACACS
• Network authentication protocol
– Authenticate once, trusted by the system
– No need to re-authenticate to everything
– Mutual authentication - the client and the server
– Protects against on-path and replay attacks
• Standard since the 1980s
– Developed by the Massachusetts Institute of Technology (MIT)
• Microsoft started using Kerberos in Windows 2000
– Based on the Kerberos version 5 open standard (RFC 1510, now RFC 4120)
– Compatible with other operating systems and devices
Kerberos
• Authenticate one time
– Lots of backend ticketing
– Cryptographic tickets
• No constant username and password input!
– Saves time
• Only works with Kerberos
– Not everything is Kerberos-friendly
• There are many other SSO methods
– Smart cards, SAML, etc.
SSO with Kerberos
• Three different ways to communicate with an authentication server
– More than a simple login process
• Often determined by what is at hand
– A VPN concentrator can talk to a RADIUS server
– We have a RADIUS server
• TACACS+
– Probably a Cisco device
• Kerberos
– Probably a Microsoft network
RADIUS, TACACS+, or Kerberos?
• IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network until you authenticate
• EAP integrates with 802.1X
– Extensible Authentication Protocol carries the authentication exchange
– 802.1X keeps the port blocked until the authentication succeeds
• Used in conjunction with an access database
– RADIUS, LDAP, TACACS+
IEEE 802.1X
• Provide network access to others
– Not just employees - partners, suppliers, customers, etc.
– Provides SSO and more
• Third parties can establish a federated network
– Authenticate and authorize between the two organizations
– Log in with your Facebook credentials
• The third parties must establish a trust relationship
– And the degree of the trust
Federation