Access Control

Question 0

Examples of MAC systems

Answer 0

include Honeywell’s SCOMP and Purple Penelope.

These systemswere developed under tight scrutiny of the U.S. and British governments.

Another example isthe Linux Intrusion Detection System(LIDS; see http://www.lids.org). Standard Linux is DAC;LIDS is a hardened Linux distribution that uses MAC.

Question 1

Non-repudiation

Answer 1

It combines authentication and integrity.

Non-repudiation authenticates the identity of a user who performs a transaction and ensures the integrity of that transaction.

You must have both authentication and integrity to have non-repudiation.

Question 2

Diameter

Answer 2

Improved AAA framework comparing to RADIUS. TCP.

It uses Attribute-Value Pairs but supports many more, which makes Diameter more flexible and allows support for mobile remote users.

uses a single server to manage policies for many services, as opposed to RADIUS, which requires many servers.

Uses TCP

Question 3

RADIUS is considered

Answer 3

an AAA system comprised of three components: authentication, authorization, and accounting.

UDP 1812 (authentication) and 1813 (accounting)

RADIUS request and response data is carried in Attribute-Value Pairs (AVPs).

can make uses of both dynamic and static passwords. Since it uses the PAP and CHAP protocols.

Question 4

TACACS

Answer 4

a centralized access control system that requires users to send an ID and static (reusable) password for authentication.

TACACS uses UDP port 49

RADIUS encrypts only the password (leaving other data, such as username, unencrypted). TACACS+ encrypts all data below the TACACS header.

Question 5

TACACS+

Answer 5

allows two-factor authentication.

TACACSþis not backward compatible with TACACS.

TACACS +uses TCP port 49

RADIUS encrypts only the password (leaving other data, such as username, unencrypted). TACACS+ encrypts all data below the header.

Question 6

Microsoft Trust Relationships

Answer 6

two categories: non-transitive and transitive.

Nontransitive trusts only exist between two trust partners.

Transitive trusts exist between two partners and all of their partner domains; for example, if A trusts B, in a transitive trust A will trust B and all of B’s trust partners.

Question 8

Iris scan

Answer 8

a passive biometric control, high-accuracy and no exchange of bodily fluids.

Question 9

Kerberos

Answer 9

uses symmetric encryption and provides mutual authentication of both clients and servers.

Based on key distribution model.

It protects against network sniffing and replay attacks using timestamps.

Question 10

primary weakness of Kerberos

Answer 10

o KDC stores the keys of all principals (clients and servers). A compromise of the KDC (physical or electronic) can lead to the compromise of every key in the Kerberos realm.

o The KDC and TGS are also single points of failure

o Replay attacks are still possible for the lifetime of the authenticator.

o Kerberos system calls must be compiled, and that may cause a problem for some applications (legacy or off-the-shelf).

o Kerberos is designed to mitigate a malicious network. Kerberos does not mitigate a malicious local host

Question 11

A few key points to remember about Kerberos tickets

Answer 11

 The user is authenticated once via a traditional log-on process and verified by means of message encryption to request and acquire service tickets.

 When the user is authenticated to the AS, it simply receives a TGT. This, in and of itself, does not permit access. Therefore, when the user obtains a TGT that only allows him to legitimately request access to a resource. It does not automatically mean he will receive that access.

 The possession of the ST signifies that the user has been authenticated and can be provided access

 Kerberos processes are extremely time sensitive and often require the use of Network Time Protocol (NTP) Daemons to ensure times are synchronized, otherwise this might result in DoS attack.

Question 12

SESAME (Secure European System for Applications in a Multivendor Environment)

Answer 12

SESAME adds to Kerberos: heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation.”

addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys.

The use of public key cryptography for the distribution of secret keys.

Question 12

SESAME - notes

Answer 12

o It uses Privilege Attribute Certificates (PACs) in place of kerberos’ tickets.
o The use of the Kerberos V5 protocol to access SESAME components.
o The use of public key cryptography for the distribution of secret keys.
o SESAME is subject to password guessing like Kerberos.

Question 13

Examples of SSO(single sign on)

Answer 13

Scripts, directory services, thin clients, Kerberos, SESAME, NetSP, scripted access, and KrtyptoKnight

Question 14

Examples of centralized access control (remote dial-in)

Answer 14

RADIUS, Diameter, TACACS and LDAP

Question 15

What is an intrusive smart card attack in which the card is physically manipulated until the ROM chip can be accessed?

Answer 15

microprobing

Question 16

The steps in the equipment life cycle are

Answer 16

1) Assessment
2) Procurement and Deployment
3) Management
4) Retirement

Question 17

Capability tables

Answer 17

are attached to subjects (like users/processes) and their capabilities (like read, write, and update) against system objects (like, directories, and devices) and the ability to use those capabilities on those objects. It is a row within the matrix.

Question 18

What do the columns in an access control matrix indicate?

Answer 18

the capabilities that multiple users have to a single resource

Question 19

ACL’s

Answer 19

are attached to objects, it describe who has access to the object and what type of access they have. It is a column within the matrix.

Question 20

What is the term for a clearance in a mandatory access control environment?

Answer 20

a privilege

Question 21

What is a smart card attack that allows a hacker to uncover the encryption key using reverse engineering?

Answer 21

fault generation

Question 22

Which types of rules are used in the Clark-Wilson model?

Answer 22

certification rules and enforcement rules

Question 23

IDS has three components

Answer 23

sensor, control/communication and enunciator (rely system alert notification).

Question 24

Dynamic data exchange (DDE)

Answer 24

enables direct communication between two applications using interprocess communications (IPC) to exchange commands between themselves such as in the client/server model

Question 25

Data Link Control (DLC)

Answer 25

a connectivity protocol that is used to connect IBM mainframe computers with LANs and in some earlier models, HP printers.

Question 26

Access control decisions are often based on

Answer 26

organizational, social, or political considerations as well

Question 27

Key items on RADIUS

Answer 27

can make uses of both dynamic and static passwords. Since it uses the PAP and CHAP protocols.

vulnerable to cryptographic attacks: a replay attack.

Question 28

one to many means

Answer 28

identification

Question 30

one-to-one means

Answer 30

authentication

Question 31

Outsiders launch

Answer 31

most attacks

Question 32

Insiders launch the most

Answer 32

successful attacks

Question 33

what is Malnets?

Answer 33

are malware networks which typically consist of numerous infected web sites, desktops, laptops and increasingly mobile devices.

Web filtering, web proxy and user awareness are the best defenses against malnets.

Question 34

What is Malvertisments ?

Answer 34

are web advertisements which appear to be legitimate yet direct users to download malware onto systems.

Use web filtering or web proxy technologies to block advertising.

Question 35

Sensitive compartmented information (SCI)

Answer 35

is another label allowing additional control over highly sensitive information. These compartments require a documented and approved need to know in addition to a normal clearance such as top secret

Question 36

What is fault generation attack means in smart card?

Answer 36

occur when normal physical conditions, such as temperature, clock frequency, voltage, etc, are altered in order to gain access to sensitive information on the smartcard.

Question 37

What is common access card?

Answer 37

a worldwide smart card deployment by theDoD.

These cards are used for physical access control as well as with smart card readers to provide dual-factor authentication to critical systems.

CAC cards store data including cryptographic certificates as part of the DoD’s public key infrastructure (PKI).