4: 2 Authentication Flashcards
What are the three types of authenticators
Something you know, something you are, something you have
Something you know
Most popular, e.g. passwords, security questions
Something you are
Biometrics
Something you have
Physical possession of a device, e.g. key fob, smartphone
Authentication Attributes
Weaker versions of the 3 main authenticators - somewhere you are, something you can do, someone who knows you, something you exhibit
FAR
False Acceptance Rate - misidentifies someone as an authorized user
FRR
False Rejection Rate - fails to identify an authorized user
HOTP
HMAC-based One-Time Password - based on hardware tokens
TOTP
Time-based One-Time Password - time of day combined with a shared secret; the code is only valid for a short time (both sides must have synced clocks)
SMS and Phone-based authentication
Weaker than HOTP and TOTP
Static Code
Becomes something you know
PAP
Password Authentication Protocol - not encrypted
CHAP
Challenge Handshake Authentication Protocol - both server and user know the password. A challenge value is sent from the server to the client; the client combines the password hash with the challenge value to create a value it sends to the server. The server then computes the hash itself and validates the client’s response.
MS-CHAP
Microsoft’s CHAP version; has been broken and is insecure.
MS-CHAPv2
Microsoft’s second version of CHAP; has been broken and is insecure.
Federated Identity Management
An individual has accounts across multiple systems that share identity information, reducing the number of accounts needed (e.g. Facebook, Twitter logins)
SSO
Single Sign-On - shares authentication across systems so logins persist
One Way Trust
Domain 1 trusts Domain 2, but D2 doesn’t trust D1
Two Way Trust
D1 and D2 trust each other
Transitive Trust
Trust relationships that transfer across domains - automatically inferred
Non-Transitive Trust
Trust relationships that do not transfer and aren’t automatically inferred
RADIUS Protocols
Remote Authentication Dial-In User Service - a centralized server could authenticate modem servers across the country
Disadvantages of RADIUS
User Datagram Protocol (UDP) is unreliable, and the entire sequence isn’t encrypted
TACACS
Terminal Access Controller Access Control System
TACACS+
Best version of access control; similar to RADIUS but uses TCP (Transmission Control Protocol) and fully encrypts the authentication exchange
Kerberos
Access control protocol that is the core protocol of Microsoft Active Directory. Ticket-based authentication system.
What are the 4 parties in a Kerberos Access Request
End User, Authentication Server, Ticket Granting Server, Service
LDAP
Lightweight Directory Access Protocol - provides a means to query a centralized directory service like Microsoft AD
Kerberos Port
88
LDAP Port
389
Secure LDAP port
636
NT LAN Manager
Old version of an access protocol for Windows that uses hashes, but with weak encryption, open to the pass-the-hash vulnerability.
SAML
Security Assertion Markup Language - allows browser-based single sign-on.
Who are the 3 parties in a SAML Request
Principal, Identity Provider, Service Provider
OAuth, OpenID
Identity Protocols
OpenID Connect
Authentication protocol that proves your identity
OAuth
Authentication protocol that isn’t for authorization; brings you to a 3rd-party OAuth login screen, where correct authentication redirects you to the initial party’s screen.
Certificate-based Authentication
Uses a public-private key pair to grant access; same strength as a password but can be automated.