Authentication Flashcards
What are the 5 types of authentication with examples
Something you know - Password, Pin
Something you have - Key Fob, License
Somewhere you are - Context Authentication
Something you are - Biometric, finger print
Something you do - Signature, mouse movement
True or false, Password and username are considered single factor authentication
True
True or False, One or more items from the same factor class are still considered single factor
True
What is a TOTP
Time-based One-Time Password; it is computed from a shared secret key and the current time.
What are the three authentication models
Context Aware
SSO
Federated Identity Management
Describe the context aware authentication model
Process to check the user's or system's attributes or characteristics prior to allowing a connection
It will commonly restrict authentication based on time of day or location
Describe the Single Sign on model
A default user profile for each user is created and linked with all the resources needed.
Uses single set of authentication factors to access multiple systems.
Compromised creds can cause disasters
Describe FIDM (Federated Identity Management)
A single identity is created for a user and shared with all of the organizations within a federation.
Two authentication methods:
Cross Certificate
Trusted third party
Explain Cross certificate for the FIDM model
Utilizes a web of trust between organizations where each one certifies the others in the federation
Explain trusted third party for the FIDM
Organizations are able to put their trust in a single third party.
True or false:
Trusted third party is more efficient than a cross certificate or web of trust model
True
What is SAML
Security Assertion Markup Language:
Attestation model built on XML used to share FIDM info between systems
What is OpenID
OpenID is a decentralized open standard for authenticating users in an FIDM system.
The user logs into an IdP (identity provider) and uses that account at RPs (relying parties).
Google is an OpenID provider that allows users to sign into their Google account in order to access other programs
True or False:
OpenID is easier to implement than SAML
True, BUT
SAML is more efficient than OpenID
What is 802.1x
Standardized framework for port based authentication on wired and wireless networks that uses data-link authentication technology to connect devices on wired or wireless LAN
True or False:
802.1x is only a framework
True.
802.1x is only a framework; it requires RADIUS or TACACS+ to perform the actual authentication.
There are three roles required for 802.1x to work, what are they?
- Supplicant - Device or user requesting access to the network
- Authenticator - Device through which the supplicant passes to reach the authentication server (switch, WAP)
- Authentication Server - Centralized device that performs authentication (RADIUS, TACACS+)
True or False, 802.1x can prevent rogue devices
True
What is EAP
EAP is the Extensible Authentication Protocol.
It is a framework of protocols that allows for numerous authentication methods including passwords, digital certificates and PKI.
What are the forms of EAP authentication methods
EAP-MD5
EAP-TLS
EAP-TTLS
EAP-FAST
PEAP
Describe the EAP-MD5 authentication method
Uses one-way authentication via simple passwords for challenge authentication
Describe EAP-TLS
Uses digital certificates for authentication
Describe EAP-TTLS
Uses a server-side digital certificate and a client-side password for mutual authentication.
Describe EAP-FAST
Provides flexible authentication via secure tunneling, using a Protected Access Credential instead of a certificate for mutual authentication.
What is LDAP
Lightweight Directory Access Protocol - A database used to centralize information about clients and objects on a network.
True or False: LDAP is cross-platform
True
What is Kerberos
Authentication protocol used by Windows to provide two-way (mutual) authentication using a system of tickets
Describe how Kerberos works
- Client connects to network and pings DC with creds
- DC acts as a KDC (Key Distribution Center) and authenticates the client
- Once authenticated, the KDC provides a TGT (Ticket Granting Ticket)
What is a TGT
A Ticket Granting Ticket is a component of Kerberos.
TGTs are provided by clients to the KDC when attempting to access resources. The client presents its TGT to the KDC when requesting the issuing of a service ticket or session key, based on what was requested.
What port on the DC needs to be enabled for Kerberos to work
Port 88
True or False: RDP provides authentication
False, RDP uses encryption, but does not have native authentication.
SSL/TLS should be used to increase security
What port does RDP use
3389
What is VNC
Virtual Network Computer - Cross-platform - Port 5900
Uses a VNC server to host
Uses a VNC client to connect to the VNC server / host
The VNC protocol must be enabled
True or False: RDP is cross-platform
False. If cross-platform is required, use VNC
What is the VNC protocol known as
The Remote Frame Buffer (RFB) protocol
What are the remote access service Authentication protocols
PAP, CHAP, and EAP
Describe PAP
Password Authentication Protocol - Used to provide authentication but is not considered secure, since it transmits passwords unencrypted and in clear text
Describe CHAP
Challenge Handshake Authentication Protocol -
A client initiates authentication with the server and is sent a random string of numbers (challenge string).
The client uses its password to encrypt the challenge string and sends the encrypted challenge back to the server.
The server decrypts the challenge string using the password it has on file.
What is MS-CHAP
Microsoft's version of CHAP
True or False: PAP and CHAP were used for dial-up
True
What are the two common VPN Topologies
Client to Site and Site to Site
What are the hardware requirements of Client to Site and Site to Site VPNs
Client to Site requires a VPN server to be online and listening for inbound requests. Admins can use a VPN concentrator instead of a dedicated server.
Site to Site VPNs use routers that are configured with mutual encryption keys
What is a VPN Concentrator
Specialized hardware device that allows for hundreds of simultaneous VPN connections for remote workers.
What is VPN split tunneling
Occurs when a remote worker's machine diverts internal traffic over the VPN, but sends external traffic over their own internet connection.
What are the pros and cons of VPN split tunneling? How do you prevent it?
Good for bandwidth usage over the VPN, but allows traffic to bypass network defenses.
Prevent it through proper client configuration and network segmentation.
Describe RADIUS
Remote Authentication Dial-in User Service:
Allows centralized administration of dial-up, VPN, and wireless authentication services for 802.1x and EAP
What layer of the OSI model does RADIUS run at? How is it hosted and what transport does it use?
RADIUS is a client-server model that runs at the application layer.
It can be run as its own server or be hosted on a Windows server.
It enables AAA and uses UDP.
True or False: RADIUS is cross-platform
True
What is TACACS+
Cisco's proprietary version of RADIUS
It supports protocols that RADIUS doesn't, such as Remote Access Protocol and NetBIOS Frame