Authentication Flashcards
Time-Based One-Time Password: TOTP
Time-Based One-Time Password:
A one-time password computed from a shared secret and the current time, divided into fixed time steps (typically 30 seconds); defined in RFC 6238 as HOTP with the counter replaced by the time-step number
HMAC-Based One-Time Password: HOTP
Uses a Hash-based Message Authentication Code (HMAC); defined in RFC 4226
Parties intending to use HOTP must first agree on the following parameters:
A cryptographic hash method H (default is SHA-1)
A secret key K, an arbitrary byte string shared between the token and the verifier, which must remain private
An 8-byte counter C (the "moving factor"), which both sides increment each time a value is generated
A HOTP value length d (6–10, default is 6, and 6–8 is recommended)
Both parties compute the HOTP value from the secret key K and the counter C. The authenticator (verifier) then checks its locally generated value against the value supplied by the party being authenticated. Because a client may generate values that never reach the server, the verifier normally accepts the next few counter values (a look-ahead window) and resynchronises its own counter on a match.
The counter is what distinguishes it from TOTP, which uses the time step as the moving factor
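Both cards above, worked in code as an added example (this is not code from the original flashcards): HOTP per RFC 4226, TOTP per RFC 6238 on top of it, and the verifier side with a counter look-ahead window and a clock-skew window. The key is the 20-byte test secret from the RFCs' own test vectors, so the printed values can be checked against the RFC tables; everything else (function names, window sizes) is an assumption of this example.

```python
import hashlib
import hmac
import struct
import time

# Constructed test key: the 20-byte ASCII secret used by the RFC 4226 / RFC 6238 test vectors.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble selects 4 bytes
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF  # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time=None, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by the time-step number."""
    if at_time is None:
        at_time = time.time()
    return hotp(key, int((at_time - t0) // step), digits, digestmod)


def verify_hotp(key: bytes, candidate: str, counter: int, window: int = 10,
                digits: int = 6):
    """Verifier side with a look-ahead window (RFC 4226 section 7.4).

    Returns the next counter value to store on success, or None on failure.
    compare_digest keeps the comparison constant-time.
    """
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), candidate):
            return c + 1          # resynchronise: the client is at c, so expect c+1 next
    return None


def verify_totp(key: bytes, candidate: str, at_time, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side to tolerate clock drift."""
    t = int(at_time // step)
    return any(hmac.compare_digest(hotp(key, t + d, digits), candidate)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    print("HOTP, counter 0:", hotp(RFC_TEST_KEY, 0))                  # 755224 per RFC 4226
    print("TOTP, t=59, 8 digits:", totp(RFC_TEST_KEY, 59, digits=8))  # 94287082 per RFC 6238
    print("resync from counter 0 using the code for counter 2:",
          verify_hotp(RFC_TEST_KEY, hotp(RFC_TEST_KEY, 2), 0))         # 3
```

The verifier never stores a counter lower than the one it just accepted, which is what stops a captured HOTP value from being replayed; the TOTP skew window is the equivalent trade-off between usability and the replay window and should stay at one step.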
Context-Aware Authentication
Process of checking a user's or system's attributes or characteristics (time of day, location, device, source network) before allowing it to connect
Example: restrict authentication to business hours, or to known locations or IP ranges
Federated Identity Management: FIdM
An arrangement between multiple enterprises or domains that lets their users use the same identification data (digital identity) to access all of their networks
Federated Identity Management - FIdM: Cross-Certification
Uses a web of trust between organizations in which each one certifies the others in the federation; every pair of organizations needs its own trust relationship
Federated Identity Management - FIdM: Trusted Third-Party
Organizations place their trust in a single third party (also called the bridge model); each organization needs only one trust relationship, with the bridge
The trusted third-party model is more efficient than cross-certification (web of trust), which needs a separate relationship for every pair of organizations
Federated Identity Management - FIdM: SAML - Security Assertion Markup Language
Security Assertion Markup Language:
An XML-based standard for exchanging authentication and authorization assertions between an identity provider (IdP) and a service provider (SP)
Open standard (OASIS) for authentication & authorization
The user authenticates at the IdP, which issues a signed assertion; the SP must verify the assertion's signature, audience, and validity window before trusting it
Federated Identity Management - FIdM: OpenID
An open standard and decentralized protocol used to authenticate users in a federated identity management system
The current version, OpenID Connect (OIDC), is an identity layer on top of OAuth 2.0; it returns a signed JSON Web Token (the ID token) describing the authenticated user
User logs into an Identity Provider (IdP) and uses that account at Relying Parties (RPs)
OpenID Connect is easier to implement than SAML (JSON and JWTs rather than XML and XML signatures)
SAML remains the more established choice for enterprise SSO; OpenID Connect is more common for consumer and mobile logins
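The relying-party side of the SAML and OpenID cards is the same idea in both: a signed assertion from the IdP is only trustworthy after the RP checks who signed it, who it was issued for, and whether it is still valid. The following is an added example (not from the original flashcards) of those checks on an OpenID Connect ID token. It uses HS256 with the client secret as the HMAC key, which OpenID Connect Core permits, so it runs with the standard library alone; the issuer, client ID, secret and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (not a real provider or real credentials).
ISSUER = "https://idp.example.com"
CLIENT_ID = "my-relying-party"
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """IdP side: build a compact JWS (HS256) carrying the ID-token claims."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_unsigned_token(claims: dict) -> str:
    """What an attacker might send: 'alg': 'none' and an empty signature."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def validate_id_token(token: str, expected_nonce: str, now=None,
                      secret: bytes = CLIENT_SECRET) -> dict:
    """RP side: the checks OpenID Connect Core 3.1.3.7 requires before trusting a token.

    Raises ValueError on any failure; returns the verified claims otherwise.
    """
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # 1. Pin the algorithm. Never let the token's own 'alg' choose the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    # 2. Issuer and audience: it must come from our IdP and be meant for this RP.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # 3. Validity window and replay protection via the nonce this RP generated.
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def id_token_is_valid(token: str, expected_nonce: str, now=None,
                      secret: bytes = CLIENT_SECRET) -> bool:
    """Boolean wrapper around validate_id_token for callers that only need accept/reject."""
    try:
        validate_id_token(token, expected_nonce, now, secret)
        return True
    except ValueError:
        return False


def demo() -> str:
    """Issue a token for a user, validate it, and return the authenticated subject."""
    token = issue_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                            "iat": 1_700_000_000, "exp": 1_700_000_600, "nonce": "n-1"})
    return validate_id_token(token, "n-1", now=1_700_000_100)["sub"]
```

A SAML SP performs the same three groups of checks on the XML assertion (XML signature, Audience in Conditions, NotBefore/NotOnOrAfter), which is why the two protocols are interchangeable from a trust-model point of view even though the encodings differ.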
802.1X
Standardized framework for port-based network access control on wired and wireless networks; it carries EAP between a supplicant (the client), an authenticator (the switch or access point), and an authentication server
Helps prevent rogue devices by keeping the port closed to everything except authentication traffic until the supplicant succeeds
(Ex: RADIUS is the usual authentication server; TACACS+ is an AAA protocol for administering network devices rather than an 802.1X back end)
Extensible Authentication Protocol: EAP
A framework (not a single protocol) that allows for numerous methods of authentication, including passwords, digital certificates, and public key infrastructure
EAP-MD5 uses a simple password challenge-response; it is one-way (the server is not authenticated) and the exchange is exposed to offline dictionary attacks
EAP-TLS uses digital certificates on both sides for mutual authentication
EAP-TTLS uses a server-side digital certificate to build a TLS tunnel, inside which the client authenticates with a password (or another inner method)
Extensible Authentication Protocol: EAP-FAST
Flexible Authentication via Secure Tunneling (FAST) uses a Protected Access Credential (PAC) instead of a server certificate to set up the tunnel for mutual authentication; developed by Cisco
Protected EAP - PEAP & Lightweight EAP - LEAP
Protected EAP:
Supports mutual authentication by using a server certificate to build a TLS tunnel and then authenticating the client's password inside it (commonly MS-CHAPv2 against Microsoft's Active Directory)
Lightweight EAP:
Proprietary to Cisco networks and considered broken (its MS-CHAP-based exchange is vulnerable to offline dictionary attacks); Cisco introduced EAP-FAST as its replacement
Lightweight Directory Access Protocol - LDAP
Lightweight Directory Access Protocol:
A protocol for querying and modifying a directory service that centralizes information about users, clients, and other objects on the network
Unencrypted: Port 389 (StartTLS can upgrade a port-389 connection to TLS)
Encrypted (LDAPS): Port 636
Active Directory is Microsoft's directory service, accessed over LDAP
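Because an LDAP directory is queried by building a filter string, any application that looks users up by name has to treat the name as data, not as filter syntax. The following added example (not from the original flashcards, and going one step beyond the card) shows the RFC 4515 escaping rule, a vulnerable and a hardened filter builder, and a minimal matcher for one assertion value so the difference in what the directory would return is visible without a server. The filter shape and function names are this example's own assumptions; authenticating a user should be done with an LDAP bind as that user, never by searching on a password attribute.

```python
# RFC 4515: these characters must be encoded as \XX (hex of the byte) inside a filter
# value; everything else passes through. NUL is included because many servers and
# client libraries treat it as a terminator.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only ever be a literal inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_lookup_filter(username: str) -> str:
    """Vulnerable pattern: the username is interpolated verbatim into the filter."""
    return "(&(objectClass=person)(uid=%s))" % username


def safe_lookup_filter(username: str) -> str:
    """Hardened pattern: the same filter with the value escaped first."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


def value_matches(filter_value: str, attribute_value: str) -> bool:
    """Minimal RFC 4515 matcher for one assertion value.

    An unescaped '*' is a wildcard; '\\XX' decodes to the literal character.
    This is only enough to demonstrate the effect of (not) escaping.
    """
    parts, literal, i = [], "", 0
    while i < len(filter_value):
        ch = filter_value[i]
        if ch == "\\":                        # decode \XX to the literal character
            literal += chr(int(filter_value[i + 1:i + 3], 16))
            i += 3
        elif ch == "*":                       # wildcard boundary
            parts.append(literal)
            literal = ""
            i += 1
        else:
            literal += ch
            i += 1
    parts.append(literal)
    if len(parts) == 1:                       # no wildcard: exact match
        return attribute_value == parts[0]
    head, tail = parts[0], parts[-1]
    if len(attribute_value) < len(head) + len(tail):
        return False
    if not (attribute_value.startswith(head) and attribute_value.endswith(tail)):
        return False
    pos, end = len(head), len(attribute_value) - len(tail)
    for mid in parts[1:-1]:                   # inner fragments must appear in order
        j = attribute_value.find(mid, pos, end)
        if j < 0:
            return False
        pos = j + len(mid)
    return True


def lookup_hits(username_input: str, stored_uids: list, safe: bool) -> list:
    """Which stored uids a lookup for `username_input` would match, unsafe vs. safe."""
    value = escape_filter_value(username_input) if safe else username_input
    return [uid for uid in stored_uids if value_matches(value, uid)]
```

With the constructed directory ["alice", "bob", "*"], a lookup for the input "*" hits every entry through the unsafe builder but only the literal "*" entry through the safe one; the same holds for inputs containing parentheses, which would otherwise let the caller add their own assertions to the filter.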
Kerberos
An authentication protocol (RFC 4120) that provides two-way (mutual) authentication using a system of tickets issued by a Key Distribution Center (KDC); Windows Active Directory domains use it by default
Port 88 (TCP and UDP)
The KDC (a domain controller in Active Directory) is a single point of failure unless it is replicated; clocks must also stay synchronised, since tickets are rejected outside the allowed skew (5 minutes by default)
Challenge-Handshake Authentication Protocol - CHAP
Challenge-Handshake Authentication Protocol:
Provides authentication by hashing a random challenge together with the user's password (RFC 1994 uses MD5), so the password itself is never sent over the link
3-way handshake
After the link is established, the server sends a Challenge message (an identifier plus a random value)
The client responds with a hash computed over the identifier, the password, and the challenge
The server computes the same hash from its own copy of the password and compares the two, replying Success or Failure; this means the server must hold the password in plaintext or reversibly encrypted form
The challenge is repeated periodically during the session so that a hijacked link is detected
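The three-way exchange above, simulated end to end as an added example (this is not code from the original flashcards): the authenticator issues a fresh random challenge, the peer answers with MD5(identifier || secret || challenge) as RFC 1994 specifies, the authenticator recomputes and compares, and the re-challenge is repeated. The shared secret and the class and function names are constructed for this example. It also shows why the scheme resists replay: a captured response is bound to one challenge and is refused against any later one.

```python
import hashlib
import hmac
import os

# Constructed shared secret. The authenticator needs the secret itself (not a one-way
# hash of it) to recompute the response, which is CHAP's main storage weakness.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues challenges and verifies responses (one use per challenge)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._next_id = 0
        self._outstanding = {}            # identifier -> challenge bytes awaiting a response

    def challenge(self) -> tuple:
        """Step 1: send Challenge (identifier + random value); a fresh value every time."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        value = os.urandom(16)
        self._outstanding[ident] = value
        return ident, value

    def verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: recompute from the stored secret and compare; answer Success/Failure."""
        challenge = self._outstanding.pop(identifier, None)   # each challenge is single-use
        if challenge is None:
            return False
        expected = chap_response(identifier, self._secret, challenge)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Client side: only ever sends a hash, never the password."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        """Step 2: Response = MD5(identifier || password || challenge)."""
        return chap_response(identifier, self._secret, challenge)


def run_session(rounds: int, peer_secret: bytes) -> list:
    """Simulate a link on which the authenticator re-challenges `rounds` times."""
    auth = ChapAuthenticator(SHARED_SECRET)
    peer = ChapPeer(peer_secret)
    results = []
    for _ in range(rounds):
        ident, chal = auth.challenge()
        results.append(auth.verify(ident, peer.respond(ident, chal)))
    return results


def replay_is_rejected() -> bool:
    """A response captured from one challenge must not satisfy a later one."""
    auth = ChapAuthenticator(SHARED_SECRET)
    peer = ChapPeer(SHARED_SECRET)
    ident, chal = auth.challenge()
    captured = peer.respond(ident, chal)
    if not auth.verify(ident, captured):       # the genuine exchange succeeds
        return False
    later_ident, _ = auth.challenge()
    return not auth.verify(later_ident, captured)
```

The random challenge is what makes each response unique; if an authenticator ever reused a challenge value, the captured response would become a reusable credential, which is why the example generates it with os.urandom and discards it after one verification.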