4. ID and Access Management Flashcards
AAA
ABAC
CHAP
DAC
AAA- authentication, authorization and accounting- a security concept where a centralized platform verifies object identification, ensures the object is assigned relevant permissions and then logs these actions to create an audit trail.
ABAC- Attribute based access control- an access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted
CHAP- Challenge handshake authentication protocol- an encrypted remote access authentication method that enables connection from any authentication method requested by the server, except for PAP and SPAP unencrypted authentication.
DAC- Discretionary access control- access is controlled based on a user’s ID. Objects are configured with a list of users who are allowed access to them. An admin has the discretion to place the user on the list or not. If a user is on the list, the user is granted access; if the user is not on the list, access is denied.
Data security-
Data security- the security controls and measures taken to keep an organization’s data safe and accessible and to prevent unauthorized access to it.
HOTP/TOTP
HOTP/TOTP- HMAC-Based One-time Password Algorithm (HOTP) and Time-Based One-time Password Algorithm (TOTP) allow users to authenticate using a logical token. Both are considered secure.
What major advantage does Time-Based One-Time Password Algorithm (TOTP) have over HMAC-Based One-Time Password Algorithm (HOTP)?
TOTP adds an expiration time to the token, making it more difficult to gain access to resources if a device is intercepted.
Susceptibility to interception is a risk associated with one-time passwords, since the token is delivered to a physical space. Both HMAC-Based One-time Password Algorithms (HOTP) and Time-Based One-time Password Algorithms (TOTP) generate these tokens.
Device synchronization errors can result in key expiration or key error. Although HMAC-Based One-time Password Algorithm (HOTP) does not use a timestamp, the device and server may still be synchronized with a counter to invalidate the key should they go out of sync.
Neither algorithm requires a physical device to be used as the token. One-time passwords can be generated and sent via smartphone app.
implicit deny-
least privilege-
Access keys
Access assessment
implicit deny- This type stipulates that if a user is not expressly granted permission to a resource, they are, by default, denied access.
least privilege- least privilege entails only granting users permissions to the resources they need to access.
Access keys grant users access to resources to which they have permissions, based on access control lists.
Access assessment would be a process of evaluating what access users need to perform their jobs; this would not include implementation of policy.
IEEE 802.1x
IEEE
Kerberos-
LDAP
MAC
MS-CHAP
NTLM- NT LAN Manager
IEEE 802.1x- A standard for encapsulating EAP communications over a LAN or wireless LAN and that provides port-based authentication.
IEEE- Institute of electrical and electronics engineers- a professional association of electrical and electronic engineers that develops industry standards for a variety of technologies
Kerberos- an authentication service that is based on a time-sensitive ticket-granting system. It uses an SSO method where the user enters access credentials that are then passed to the authentication server, which contains the allowed access credentials. Kerberos supports the use of tokens or biometric authentication.
LDAP- Lightweight Directory Access Protocol- a simple network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
MAC- Mandatory access control- a system in which objects (files and other resources) are assigned security labels of varying levels, depending on the object’s sensitivity. Users are assigned a security level or clearance, and when they try to access an object, their clearance is compared to the object’s security label. If there is a match, the user can access the object. If there is no match, the user is denied access.
MS-CHAP- Microsoft Challenge Handshake Authentication Protocol- a protocol that strengthens the password authentication provided by Protected Extensible Authentication Protocol (PEAP)
NTLM- NT LAN Manager- (New Technology LAN Manager) a challenge-response authentication protocol created by Microsoft for use with its products.
OAuth-
OpenID Connect –
PAP
OAuth- Open Authorization- a token-based authorization protocol that is often used in conjunction with OpenID
- The “auth” in OAuth stands for “authorization,” not authentication. This is an easy way to distinguish between OAuth and OpenID Connect (OIDC). OAuth facilitates the transfer of information between sites, with authentication delegated to the OAuth provider, not the OAuth consumer.
- OAuth is an authorization mechanism, which facilitates authentication, but does not directly authenticate users
- OAuth does not authenticate, but if authentication is required through OAuth, then users will authenticate with the OAuth provider, not the consumer.
OIDC authenticates federated applications.
- OpenID—an identity federation method that enables users to be authenticated on cooperating websites by a third-party authentication service.
- OpenID Connect (OIDC) is an authentication protocol for federated applications.
PAP- Password Authentication Protocol- a remote access authentication service that sends user IDs and passwords as cleartext.
RADIUS-
Role-based access control
RADIUS- remote authentication dial in user service- a standard protocol for providing centralized authentication and authorization services for remote users. (is a standard protocol used to manage remote and wireless authentication infrastructures.)
Role-based access control – a non-discretionary access control technique that is based on a set of operation rules or restrictions.
SAML
SAML- security assertion markup language- an XML-based data format used to exchange authentication information between client and service.
Security Assertion Markup Language (SAML) authorizations or tokens are written and signed with the Extensible Markup Language (XML) signature specification; this digital signature allows the service provider to trust the identity provider.
Security Assertion Markup Language (SAML) is not an identity provider; it is an open standard that allows identity providers (IdP) to pass authorization to service providers (SP).
Security Assertion Markup Language (SAML) can be implemented on mobile devices.
Shibboleth
Shibboleth- an identity federation method that provides single sign on capabilities and enables websites to make informed authorization decisions for access to protected online resources.
One of Shibboleth’s main components, the Embedded Discovery Service, allows the user to choose a preferred identity provider.
Shibboleth is an identity provider, and it supports authentication from several different directory and authentication systems.
Shibboleth is both an IdP and an SP.
Shibboleth is open source. The OAuth protocol (in this context, “Auth” stands for authorization, not authentication) is generally preferred over SAML for mobile apps.
TACACS+
TACACS+- Cisco’s extension to the TACACS protocol that provides multi-factor authentication.
TACACS+ (Terminal Access Controller Access Control System Plus) is a protocol similar to RADIUS, but designed to be more flexible and reliable.
TACACS+ uses TCP communications for reliable, connection-oriented delivery, making it easier to detect when a server is down.
All data in TACACS+ packets is encrypted (not just authentication data).
TACACS+ is more often used for device management than for authenticating end user devices. It allows centralized control of accounts set up to manage routers, switches, and firewall appliances, and detailed management of privileges assigned to those accounts.
TACACS- terminal access controller access control system- A remote access protocol that provides centralized authentication and authorization services for remote users.
Transitive trust
two-way trust-
one-way trust
Transitive trust- a principle in which one entity implicitly trusts another entity because both of them trust the same third party.
two-way trust- both companies must trust each other equally for the trust to qualify as two-way.
one-way trust- A one-way trust describes the relationship between parent and child domains.
- The child trusts the parent, but the parent does not trust the child.
- Company 1 trusts Company 2 but not vice versa. Company 2 is the parent.
- Company 1, the child company, trusts credentials provided by Company 2, but the trust is not reciprocated. Company 1 trusts credentials provided by Company 2 clients, but Company 2 does not trust credentials provided by Company 1.
location-based authentication
location-based authentication- Location-based technologies should not be used for primary authentication, but can be used for continuous authentication measures and as access control features. EXAMPLE: VPN gateway
X.500
X.500 distinguished naming convention standard- In the X.500 naming convention, the most specific attribute goes first, and definitions become broader further down the list.
A distinguished name in an X.500 directory, or similar directory, identifies a resource by attribute=value pairs, separated by commas. The attributes are listed in order from most specific to broadest term.
Common Name, Organizational Unit, Organization, Country, Domain Component.
TACACS+ v. RADIUS-
RADIUS is most commonly used for network access. TACACS+ is more advantageous when performing device administration, because it can separate the Authentication, Authorization, and Accounting (AAA) functions.
TACACS+ is preferable for device administration. RADIUS gives remote users network access, when the remote user connects to a RADIUS client, such as an access point, switch, or remote access server.
TACACS+ is better than RADIUS for device management, as it can separate the Authentication, Authorization, and Accounting (AAA) functions for greater flexibility, whereas RADIUS cannot separate authentication and authorization.
TACACS+ is able to operate Authentication, Authorization, and Accounting (AAA) functions separately, which gives it greater flexibility for device management, whereas RADIUS is used more for user network access.