5 Identity and Access

Question 1

authentication factors

Answer 1

1 know
2 have
3 be

Question 2

cognitive pw

Answer 2

series of questions to restore forgotten pw

Question 3

tokens

Answer 3

synchronous dynamic token: time based, periodically regenerated. MOST RELIABLE FOR REMOTE ACCESS

asynchonous dynamic token: counter based, regeneration per use

Question 4

biometric

Answer 4

type 1: false rejection
type 2: false acceptance (WORSE!)

-> CER Crossover Error Rate indicates overall accuracy

Question 5

SSO

Answer 5

LDAP
Kerberos
FidM
SESAME
KryptoKnight
OAuth, OpenID

Question 6

LDAP

X500

Answer 6

Microsoft AD
TCP/UDP 389
supports TLS and connection authentication
trusts between domains possible

Question 7

Kerberos

Answer 7

• provides confidentiality and integrity for authentication traffic
• no eavesdropping, replay possible
• uses symmetric keys only -> SCALABILITY!
  plaintext storage of all symmetric keys
• identity of all participiants is assured
• KDC maintains keys for all network members
• TGS grants TGT (prooves that a subject has authenticated at KDC and is authorized to request tickets)
• Ticket provides proof, that a subject is authorized to access an object

Question 8

Federated Identity Management

FIdM

Answer 8

multiple organizations use a SSO system together and identities are shared

Question 9

SESAME

Answer 9

ticket based authentication
fixed weaknesses in kerberos (no plaintext storage of sym keys, uses public key krypto, better scalability and more secure)

Question 10

KryptoKnight

Answer 10

ticket based, 2p2 authentication system by IBM

Question 11

OAuth, OpenID

Answer 11

open authentication standards

Question 12

SAML

Answer 12

Security Assertion Markup Language
XML-based to exchange authorization and authentication info between federated organizations to provide SSO

assertion
protocol
binding

Question 13

SPML

Answer 13

similar to SAML, is able to dislay LDAP-based info

Question 14

RADIUS

Answer 14

UDP 1812/1813 or 1645/1646
encrypts pw only
provides callback security
can also be used between network access server (client) and shared authentication server (server)

accept
reject
challenge (token, caller ID)

Question 15

Diameter

Answer 15

TCP 3868
more flexible, scalable and secure than radius
not backward compatible, supports IP, VoIP and more
supports IPSEC and TLS
good for wireless roaming

Question 16

TACACS+

Answer 16

open public protocol, most used
TCP:49
encrypts entire payload, separates authentication and authorization
uses static pw, two factor auth is possible

Question 17

hybrid attack on pw

Answer 17

change dictionary words before cracking, for example o to 0.
provides fastest crack for complex passwords, like root pws

Question 18

authorization mechanisms

Answer 18

context dependent: restrict access based on context (time, location) or conditions (after payment)

content dependent: restrict access based on content (database view, own personnel info)

constrained interface: restrict what users can do or see based on privilege

Question 19

DAC

IDENTITY BASED

Answer 19

discretionary AC:
controlled by owner, permissions are maintained in ACLs
owners can easily change permissions -> flexible
used in standalone unix/windows system

Question 20

Nondiscretionary AC

Answer 20

RBAC: role based using groups based on job description (AD)

Taskbased: similar, but focuses on tasks, not on roles

Question 21

MAC

Answer 21

mandatory AC:
use of classification labels
different security domains and clearences -> focusd on confidentiality

lattice-based MAC possible (more granular)
Hierarchical | + Compartmentalized = Hybrid Environment

Question 22

APT

Answer 22

Advanced Persistent Threat

highly skilled and equiped attackers
often funded by gov, advanced knowledge

Question 23

additional access control objectives

Answer 23

reliability and utility

Question 24

microprobing

Answer 24

analysis of inner smart card circuits