3.8 Authentication and Authorization Solutions Flashcards

1
Q
• Hardware-based authentication
– Something you have
• Helps prevent unauthorized logins and account takeovers
– The key must be present to log in
• Doesn’t replace other factors
– Passwords are still important
A

Password keys

2
Q
• Password managers
– All passwords in one location
– A database of credentials
• Secure storage
– All credentials are encrypted
– Cloud-based synchronization options
• Create unique passwords
– Passwords are not the same across sites
• Personal and enterprise options
– Corporate access
A

Password vaults

3
Q

• A specification for cryptographic functions
– Hardware to help with all of this encryption stuff
• Cryptographic processor
– Random number generator, key generators
• Persistent memory
– Comes with unique keys burned in during production
• Versatile memory
– Storage keys, hardware configuration information
• Password protected
– No dictionary attacks

A

Trusted Platform Module (TPM)

4
Q
• High-end cryptographic hardware
– Plug-in card or separate hardware device
• Key backup
– Secured storage
• Cryptographic accelerators
– Offload that CPU overhead from other devices
• Used in large environments
– Clusters, redundant power
A

Hardware Security Module (HSM)

5
Q

• Use personal knowledge as an authentication factor
– Something you know
• Static KBA
– Pre-configured shared secrets
– Often used with account recovery
– What was the make and model of your first car?
• Dynamic KBA
– Questions are based on an identity verification service
– What was your street number when you lived in Pembroke Pines, Florida?

A

Knowledge-based authentication (KBA)

6
Q
• A basic authentication method
– Used in legacy operating systems
– Rarely used on its own
• PAP is in the clear
– Weak authentication scheme
– Non-encrypted password exchange
– We didn’t require encryption on analog dialup lines
– The application would need to provide any encryption
A

PAP (Password Authentication Protocol)

7
Q

• Challenge-Handshake Authentication Protocol
– Encrypted challenge sent over the network
• Three-way handshake
– After link is established, server sends a challenge
– Client responds with a password hash calculated from the challenge and the password
– Server compares received hash with stored hash
• Challenge-Response continues
– Occurs periodically during the connection
– User never knows it happens

A

CHAP

8
Q

• Microsoft’s implementation of CHAP
– Used commonly on Microsoft’s Point-to-Point Tunneling Protocol (PPTP)
– MS-CHAP v2 is the more recent version
• Security issues related to the use of DES
– Relatively easy to brute force the 2^56 possible keys to decrypt the NTLM hash
– Don’t use MS-CHAP!
– Consider L2TP, IPsec, 802.1X or some other secure authentication method

A

MS-CHAP

9
Q

• One of the more common AAA protocols
– Supported on a wide variety of platforms and devices
– Not just for dial-in
• Centralize authentication for users
– Routers, switches, firewalls, server authentication, remote VPN access, 802.1X network access
• RADIUS services available on almost any server OS

A

RADIUS (Remote Authentication Dial-in User Service)

10
Q

• Terminal Access Controller Access-Control System
– Remote authentication protocol
– Created to control access to dial-up lines to ARPANET
• XTACACS (Extended TACACS)
– A Cisco-created (proprietary) version of TACACS
– Additional support for accounting and auditing
• TACACS+
– The latest version of TACACS, not backwards compatible
– More authentication requests and response codes
– Released as an open standard in 1993

A

TACACS

11
Q

• Network authentication protocol
– Authenticate once, trusted by the system
– No need to re-authenticate to everything
– Mutual authentication - the client and the server
– Protect against on-path or replay attacks
• Standard since the 1980s
– Developed by the Massachusetts Institute of Technology (MIT)
• Microsoft started using Kerberos in Windows 2000
– Based on Kerberos 5.0 open standard
– Compatible with other operating systems and devices

A

Kerberos

12
Q
• Authenticate one time
– Lots of backend ticketing
– Cryptographic tickets
• No constant username and password input!
– Save time
• Only works with Kerberos
– Not everything is Kerberos-friendly
• There are many other SSO methods
– Smart-cards, SAML, etc.
A

SSO with Kerberos

13
Q
• Three different ways to communicate to an authentication server
– More than a simple login process
• Often determined by what is at hand
– VPN concentrator can talk to a RADIUS server
– We have a RADIUS server
• TACACS+
– Probably a Cisco device
• Kerberos
– Probably a Microsoft network
A

RADIUS, TACACS+, or Kerberos?

14
Q

• IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network until you authenticate
• EAP integrates with 802.1X
– Extensible Authentication Protocol
– 802.1X prevents access to the network until the authentication succeeds
• Used in conjunction with an access database
– RADIUS, LDAP, TACACS+

A

IEEE 802.1X

15
Q

• Provide network access to others
– Not just employees - Partners, suppliers, customers, etc.
– Provides SSO and more
• Third-parties can establish a federated network
– Authenticate and authorize between the two organizations
– Login with your Facebook credentials
• The third-parties must establish a trust relationship
– And the degree of the trust

A

Federation

16
Q

• Open standard for authentication and authorization
– You can authenticate through a third-party to gain access
– One standard does it all, sort of
• Not originally designed for mobile apps
– This has been SAML’s largest roadblock

A

Security Assertion Markup Language (SAML)

17
Q
• Authorization framework
– Determines what resources a user will be able to access
• Created by Twitter, Google, and many others
– Significant industry support
• Not an authentication protocol
– OpenID Connect handles the single sign-on authentication
– OAuth provides authorization between applications
• Relatively popular
– Used by Twitter, Google, Facebook, LinkedIn, and more
A

OAuth

18
Q
• Authorization
– The process of ensuring only authorized rights are exercised
• Policy enforcement
– The process of determining rights
• Policy definition
• Users receive rights based on
– Access Control models
– Different business needs or mission requirements
A

Access control

19
Q

• The operating system limits the operation on an object
– Based on security clearance levels
• Every object gets a label
– Confidential, secret, top secret, etc.
• Labeling of objects uses predefined rules
– The administrator decides who gets access to what security level
– Users cannot change these settings

A

Mandatory Access Control (MAC)

20
Q
• Used in most operating systems
– A familiar access control model
• You create a spreadsheet
– As the owner, you control who has access
– You can modify access at any time
• Very flexible access control
– And very weak security
A

Discretionary Access Control (DAC)

21
Q

• You have a role in your organization
– Manager, director, team lead, project manager
• Administrators provide access based on the role of the user
– Rights are gained implicitly instead of explicitly
• In Windows, use Groups to provide role-based access control
– You are in shipping and receiving, so you can use the shipping software
– You are the manager, so you can review shipping logs

A

Role-based access control (RBAC)

22
Q

• Users can have complex relationships to applications and data
– Access may be based on many different criteria
• ABAC can consider many parameters
– A “next generation” authorization model
– Aware of context
• Combine and evaluate multiple parameters
– Resource information, IP address, time of day, desired action, relationship to the data, etc.

A

Attribute-based access control (ABAC)

23
Q

• Generic term for following rules
– Conditions other than who you are
• Access is determined through system-enforced rules
– System administrators, not users
• The rule is associated with the object
– System checks the ACLs for that object
• Rule examples
– Lab network access is only available between 9 and 5
– Only Chrome browsers may complete this web form

A

Rule-based access control

24
Q

• Store files and access them
– Hard drive, SSDs, flash drives, DVDs, part of most OSs
• Accessing information
– Access control list
– Group/user rights and permissions
– Can be centrally administered and/or users can manage files they own
• The file system handles encryption and decryption

A

File system security

25
Q

• Difficult to apply old methods of authentication to new methods of working
– Mobile workforce, many different devices, constantly changing cloud
• Conditions
– Employee or partner, location, type of application accessed, device
• Controls
– Allow or block, require MFA, provide limited access, require password reset
• Administrators can build complex access rules
– Complete control over data access

A

Conditional access

26
Q
• Managing superuser access
– Administrator and Root
– You don’t want this in the wrong hands
• Store privileged accounts in a digital vault
– Access is only granted from the vault by request
– These privileges are temporary
• PAM advantages
– Centralized password management
– Enables automation
– Manage access for each user
– Extensive tracking and auditing
A

Privileged access management (PAM)