5 Identity and Access Flashcards
authentication factors
1 know
2 have
3 be
cognitive pw
series of questions to restore forgotten pw
tokens
synchronous dynamic token: time based, periodically regenerated. MOST RELIABLE FOR REMOTE ACCESS
asynchronous dynamic token: counter based, regeneration per use
biometric
type 1: false rejection
type 2: false acceptance (WORSE!)
-> CER Crossover Error Rate indicates overall accuracy
SSO
LDAP, Kerberos, FIdM, SESAME, KryptoKnight, OAuth, OpenID
LDAP
X.500
Microsoft AD
TCP/UDP 389
supports TLS and connection authentication
trusts between domains possible
Kerberos
- provides confidentiality and integrity for authentication traffic
- no eavesdropping or replay possible
- uses symmetric keys only -> SCALABILITY problem!
- plaintext storage of all symmetric keys
- identity of all participants is assured
- KDC maintains keys for all network members
- TGS grants TGT (proves that a subject has authenticated at KDC and is authorized to request tickets)
- Ticket provides proof that a subject is authorized to access an object
Federated Identity Management
FIdM
multiple organizations use an SSO system together and identities are shared
SESAME
ticket based authentication
fixed weaknesses in Kerberos (no plaintext storage of sym keys, uses public key crypto, better scalability and more secure)
KryptoKnight
ticket based, peer-to-peer (p2p) authentication system by IBM
OAuth, OpenID
open authentication standards
SAML
Security Assertion Markup Language
XML-based standard to exchange authentication and authorization info between federated organizations to provide SSO
assertion
protocol
binding
SPML
similar to SAML, is able to display LDAP-based info
RADIUS
UDP 1812/1813 or 1645/1646
encrypts pw only
provides callback security
can also be used between network access server (client) and shared authentication server (server)
accept
reject
challenge (token, caller ID)
Diameter
TCP 3868
more flexible, scalable and secure than RADIUS
not backward compatible, supports IP, VoIP and more
supports IPsec and TLS
good for wireless roaming
TACACS+
open public protocol, most used
TCP 49
encrypts entire payload, separates authentication and authorization
uses static pw, two factor auth is possible
hybrid attack on pw
change dictionary words before cracking, for example o to 0.
provides fastest crack for complex passwords, like root pws
authorization mechanisms
context dependent: restrict access based on context (time, location) or conditions (after payment)
content dependent: restrict access based on content (database view, own personnel info)
constrained interface: restrict what users can do or see based on privilege
DAC
IDENTITY BASED
discretionary AC:
controlled by owner, permissions are maintained in ACLs
owners can easily change permissions -> flexible
used in standalone Unix/Windows systems
Nondiscretionary AC
RBAC: role based using groups based on job description (AD)
Task-based: similar, but focuses on tasks, not on roles
MAC
mandatory AC:
use of classification labels
different security domains and clearances -> focused on confidentiality
lattice-based MAC possible (more granular)
Hierarchical + Compartmentalized = Hybrid Environment
APT
Advanced Persistent Threat
highly skilled and equipped attackers
often funded by governments, advanced knowledge
additional access control objectives
reliability and utility
microprobing
analysis of inner smart card circuits