3.8 Given a Scenario, Implement Authentication and Authorization Solutions Flashcards
Authentication management
Authentication proves an identity with some type of credentials, such as a username and password. For example, identification occurs when users claim (or profess) their identity with identifiers such as usernames or email addresses. Users then prove their identity with authentication, such as with a password. In this context, a user’s credentials refer to both a claimed identity and an authentication mechanism.
Password keys
Password keys are used to reset passwords on systems. They are commonly a bootable optical disc or bootable USB flash drive. After rebooting the system to the device, they allow you to recover or reset all user and administrator passwords. These are useful to users who have forgotten their passwords. They are also helpful to forensic experts who need to access computers without knowing the passwords. Of course, they are also valuable for attackers who have stolen computers, such as laptops.
Password vaults
A password vault (or password manager) is a single source designed to keep most of your passwords. Instead of requiring you to memorize many different passwords, you only need to remember the password to open the vault. It keeps these passwords in an encrypted format, preventing unauthorized users from seeing them.
Trusted platform module (TPM)
The Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations.
Hardware Security Module (HSM)
A physical computing device that safeguards and manages cryptographic keys and provides cryptographic processing. An HSM is or contains a cryptographic module.
Knowledge-based authentication
Some organizations use knowledge-based authentication (KBA) to prove the identity of individuals. There are two types: static KBA and dynamic KBA. Static KBA is typically used to verify your identity when you’ve forgotten your password. When you create your account (or shortly after), you’re prompted to answer questions about yourself, such as your first dog’s name or your mother’s maiden name. Later, when you try to retrieve a forgotten password, you’re first prompted to answer the same questions. Dynamic KBA identifies individuals without an account. Organizations use this for high-risk transactions, such as with a financial institution or a health care company. The site queries public and private data sources, such as credit reports or third-party organizations. It then crafts multiple-choice questions that only the user would know and often includes an answer similar to “none of these apply.”
Authentication/Authorization
If you understand identification (claiming an identity, such as with a username) and authentication (proving the identity, such as with a password), it’s easier to add in the other two elements of AAA—authorization and accounting.
If users can prove their identity, that doesn’t mean that they are automatically granted access to all resources within a system. Instead, users are granted authorization to access resources based on their proven identity. This can be as simple as granting a user permission to read data in a shared folder.
Extensible authentication protocol (EAP)
The Extensible Authentication Protocol (EAP) is a protocol for wireless networks that expands the authentication methods used by the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the internet. EAP is used on encrypted networks to provide a secure way to send identifying information for network authentication.
Challenge-Handshake Authentication Protocol (CHAP)
CHAP (Challenge-Handshake Authentication Protocol) is a challenge-and-response authentication method that Point-to-Point Protocol (PPP) servers use to verify the identity of a remote user.
Password Authentication Protocol (PAP)
PAP, or Password Authentication Protocol, is a Point-to-Point Protocol (PPP) authentication method that uses passwords to validate users. It is an internet standard (RFC 1334), password-based authentication protocol. With PAP, the data is not encrypted: the password is sent to the authentication server as plain text.
802.1x
802.1X defines a port-based network access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated.
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that authorizes and authenticates users who access a remote network. A protocol is a collection of rules that control how something communicates or operates.
Single sign-on (SSO)
Single sign-on (SSO) refers to a user’s ability to log on once and access multiple systems without logging on again. SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down. It’s also much more convenient for users to access network resources if they only have to log on one time.
Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)–based data format used for SSO on web browsers. Imagine two websites hosted by two different organizations. Normally, a user would have to provide different credentials to access either website. However, if the organizations trust each other, they can use SAML as a federated identity management system. Users authenticate with one website and are not required to authenticate again when accessing the second website.
Terminal Access Controller Access Control System Plus (TACACS+)
Terminal Access Controller Access Control System (TACACS) is an access control protocol used to authenticate a user logging into the network. TACACS is a simple username/password system.