Authentication and Authorization Services Flashcards

1
Q

Which factor of authentication would a password key fulfill?

A

Something you have.

A password key is a physical device (a hardware security key) that you carry with you, so it satisfies the possession factor rather than something you know or something you are.

2
Q

Are credentials encrypted inside of a password manager/password vault?

A

Yes.
Beyond the basic features of holding all your passwords in one place and generating random, strong passwords, a password manager stores the vault encrypted, typically under a key derived from your master password, so the vault file on its own is useless to whoever obtains it.

3
Q

What is a TPM?

A

Trusted Platform Module.
This is hardware, usually built into the motherboard (or the CPU itself), that acts as a hardware root of trust for cryptographic operations.
It contains a cryptographic processor with a random number generator and key generators.
It ships with unique keys burned in during manufacturing.
It can also store keys, and keys it generates can be marked non-exportable so they never leave the chip.

4
Q

What is a HSM? (hardware security module)

A

This is a centralized, standalone appliance with specialized, tamper-resistant hardware for performing cryptographic functions very quickly.
It provides a central store for the encryption and decryption keys used across an entire enterprise network or by many servers, and the keys are used inside the HSM rather than handed out.
It can offload CPU overhead from other devices such as servers, since cryptography is CPU-intensive; the component inside that does this work is called a cryptographic accelerator.

5
Q

What is knowledge based authentication? (KBA)

A

This is using personal knowledge as an authentication factor.
Something you know.
There are two types:

Static KBA - preconfigured shared secrets, often used for account recovery: "What is your mother's maiden name?" These answers are frequently discoverable through social media or data breaches, which is why static KBA is considered weak.
Dynamic KBA - questions are not preconfigured; they are generated on the fly from records held by an identity verification service: "What was your street name when you lived in the ZIP code 32258?"

6
Q

What is a AAA server?

A

A server specifically designed to provide authentication, authorization, and accounting.

7
Q

What is PAP? (password authentication protocol)

A

This is a basic authentication method.
Used in legacy operating systems and links (very old).

PAP is completely unencrypted: the username and password are sent across the network in cleartext, so anyone who can capture the traffic has the credentials.

8
Q

What is CHAP? (challenge handshake authentication protocol)

A

This is a step up from PAP.
The password itself never crosses the network; instead the server sends a random challenge and the client proves it knows the password by hashing it together with that challenge.
CHAP has a 3-way handshake:
The server sends the client a random challenge value and an identifier.
The client responds with an MD5 hash computed over the identifier, its password, and the challenge (the username travels in the clear alongside it).
The server computes the same hash from the password it has on file for that user and compares; a match means success.

Because the server must recompute the hash, it needs the password in cleartext (or reversibly encrypted) on its side, unlike a system that stores only salted password hashes.
The server re-challenges periodically throughout the session, so the check repeats over and over without the end user noticing.
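The PAP and CHAP exchanges from the two cards above, written out in Python as an added example (this is not code from the page). The user database and the captured messages are constructed. The point it makes: PAP puts the password itself on the wire, CHAP puts only MD5(Identifier || secret || Challenge) on the wire, and a captured response is useless against the next challenge.

```python
"""PAP versus CHAP (RFC 1994), as an added example illustrating the two cards
above; this is not code from the page. The user database and the captured
messages are constructed. The point: PAP puts the password on the wire, CHAP
puts only MD5(Identifier || secret || Challenge) on the wire."""
import hashlib
import hmac
import os

# Constructed credential store. Note that CHAP forces the server to keep the
# secret in cleartext (or reversibly encrypted): it must recompute the hash.
USERS = {"alice": b"correct horse battery staple"}


def pap_request(username: str, password: bytes) -> dict:
    """PAP Authenticate-Request: the password itself travels in the packet."""
    return {"user": username, "password": password}


def pap_verify(msg: dict) -> bool:
    return USERS.get(msg["user"]) == msg["password"]


def chap_server_challenge() -> tuple:
    """Server step 1: a fresh Identifier and an unpredictable Challenge value."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client step 2 (RFC 1994 s.4.1): MD5 over Identifier, secret, Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes,
                response: bytes) -> bool:
    """Server step 3: recompute from the stored secret and compare."""
    secret = USERS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(username: str, secret: bytes) -> tuple:
    """Run one 3-way handshake; return (success, what a sniffer would see)."""
    identifier, challenge = chap_server_challenge()
    response = chap_response(identifier, secret, challenge)
    ok = chap_verify(username, identifier, challenge, response)
    on_the_wire = {"user": username, "id": identifier,
                   "challenge": challenge, "response": response}
    return ok, on_the_wire
```

Run `chap_exchange("alice", USERS["alice"])` and inspect the second return value: the username, identifier, challenge and 16-byte response are visible, the secret is not. Feeding that same response back with a different identifier or challenge fails, which is what makes a periodic re-challenge meaningful. The weakness that remains is the one the card hints at: the server must hold the cleartext secret, and an attacker who captures challenge/response pairs can run an offline dictionary attack against MD5.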

9
Q

What is MS-CHAP?

A

MS-CHAP is Microsoft's implementation of CHAP, and it is considered outdated and weak: its challenge-response (MS-CHAPv2 included) is built on DES (Data Encryption Standard), whose 56-bit keys can be brute-forced, so a captured handshake can be cracked offline.

Use stronger options instead, such as L2TP over IPsec, or 802.1X with a certificate-based EAP method.

10
Q

What is RADIUS?

A

Remote Authentication Dial-In User Service.
This is a very common solution for centralizing authentication for your users.
When a user tries to authenticate from any part of your network (routers, switches, 802.1X ports, VPN concentrators, etc.), that device forwards the username and password to the RADIUS server for verification instead of holding its own copy of the credentials.

11
Q

What is TACACS?

A

Terminal Access Controller Access-Control System.
This is a remote authentication protocol like RADIUS.

Cisco created a proprietary version of TACACS with additional support for accounting and auditing, called XTACACS.

If you see it implemented today it will almost certainly be the newest version, TACACS+, which separates authentication, authorization and accounting into distinct steps and encrypts the whole packet body (RADIUS only obscures the password).

12
Q

What is Kerberos?

A

Kerberos is a network authentication protocol.
More complex than RADIUS/TACACS, but more robust.
It provides single sign-on: you authenticate once, and the tickets you receive are trusted by other Kerberos-aware services, so you do not re-authenticate to each one.

Unlike RADIUS and TACACS, Kerberos provides mutual authentication: the server proves its identity to you as well as you proving yours to the server, so both sides know exactly who they are talking to.
Together with the timestamps it puts in every request, this protects against on-path and replay attacks.

13
Q

Why is kerberos sometimes called a ticketing system?

A

Kerberos issues cryptographic tickets rather than passing your password around.
When you authenticate to the authentication service on the Key Distribution Center (KDC) you receive a ticket-granting ticket (TGT).
With the TGT you request a service ticket for each resource you want to use, and you present that ticket instead of entering a username and password every time.

Not everything is Kerberos-aware, though, so some devices still require a manual login.
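The exchange behind the two Kerberos cards above, simulated end to end in Python as an added example (not code from the page). A toy encrypt-then-MAC routine built on SHA-256 and HMAC stands in for Kerberos' real encryption types, pre-authentication is left out, and the realm's principals, keys and clock are all constructed. It walks the AS exchange (TGT), the TGS exchange (service ticket), and the AP exchange (authenticator with timestamp, mutual-authentication reply), and shows a replayed authenticator being refused.

```python
"""A miniature Kerberos ticket flow, added here to illustrate the two Kerberos
cards above; it is not code from the page. A toy encrypt-then-MAC routine
(SHA-256 keystream plus HMAC tag) stands in for Kerberos' real encryption
types, pre-authentication is left out, and the realm's principals, keys and
clock are constructed."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption. Demo only, not a real Kerberos etype."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed realm. The KDC holds every principal's long-term key; alice's is
# derived from her password, the services' keys are random.
KEYS = {"alice": hashlib.sha256(b"alice-password").digest(),
        "krbtgt": os.urandom(32), "fileserver": os.urandom(32),
        "printer": os.urandom(32)}
SKEW = 300        # seconds of clock skew tolerated on authenticators
LIFETIME = 36000  # ticket lifetime in seconds


def as_exchange(user: str, now: int) -> tuple:
    """AS-REQ/AS-REP: log in once, receive a TGT sealed under krbtgt's key."""
    session = os.urandom(32).hex()
    tgt = seal(KEYS["krbtgt"], {"client": user, "key": session, "exp": now + LIFETIME})
    # Only someone holding alice's password-derived key can open the AS-REP.
    return seal(KEYS[user], {"key": session}), tgt


def _check(ticket: dict, auth: dict, now: int) -> None:
    """Shared validation: ticket still valid, authenticator fresh and matching."""
    if ticket["exp"] < now or auth["client"] != ticket["client"] or abs(auth["ts"] - now) > SKEW:
        raise PermissionError("expired ticket or stale/mismatched authenticator")


def tgs_exchange(tgt: bytes, authenticator: bytes, service: str, now: int) -> tuple:
    """TGS-REQ/TGS-REP: show the TGT plus an authenticator, get a service ticket."""
    t = unseal(KEYS["krbtgt"], tgt)
    _check(t, unseal(bytes.fromhex(t["key"]), authenticator), now)
    svc_session = os.urandom(32).hex()
    ticket = seal(KEYS[service], {"client": t["client"], "key": svc_session, "exp": now + LIFETIME})
    return seal(bytes.fromhex(t["key"]), {"key": svc_session}), ticket


class Service:
    """An application server: AP-REQ in, AP-REP out, with a replay cache."""

    def __init__(self, name: str):
        self.name, self.seen = name, set()

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int) -> bytes:
        t = unseal(KEYS[self.name], ticket)           # fails for another service's ticket
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        _check(t, a, now)
        if (a["client"], a["ts"]) in self.seen:       # same authenticator twice = replay
            raise PermissionError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        # Mutual authentication: only the real service could have read the
        # session key out of the ticket, so echoing the timestamp proves it.
        return seal(bytes.fromhex(t["key"]), {"ts": a["ts"]})


def login_and_access(user: str, service: Service, now: int) -> tuple:
    """Client side, AS -> TGS -> AP. Returns (server_proved_itself, ticket, authenticator)."""
    as_rep, tgt = as_exchange(user, now)
    tgt_key = bytes.fromhex(unseal(KEYS[user], as_rep)["key"])
    tgs_rep, ticket = tgs_exchange(tgt, seal(tgt_key, {"client": user, "ts": now}),
                                   service.name, now)
    svc_key = bytes.fromhex(unseal(tgt_key, tgs_rep)["key"])
    authenticator = seal(svc_key, {"client": user, "ts": now})
    ap_rep = service.ap_exchange(ticket, authenticator, now)
    return unseal(svc_key, ap_rep)["ts"] == now, ticket, authenticator
```

Calling `login_and_access("alice", Service("fileserver"), now)` performs the whole flow; alice's password-derived key is used exactly once (to open the AS-REP), every later step rides on session keys inside tickets. Presenting the same ticket and authenticator a second time is refused by the replay cache, presenting them an hour later is refused by the clock-skew check, and a ticket sealed for the file server cannot be opened by the printer at all, because each service ticket is encrypted under that service's own key.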

14
Q

What would be the deciding factors when choosing between using RADIUS,kerberos, or TACACS+?

A

It is often determined by what is at hand, since they all solve the same centralization problem.

If you have a Microsoft network (Active Directory) you will be using Kerberos by default.
If you have a lot of Cisco hardware, you may choose to set up TACACS+ just for administering those devices.
If your VPN concentrator can only talk to a RADIUS server, then RADIUS is the choice for that use.

15
Q

What is 802.1x?

A

This is port-based network access control (NAC).
You get no access to the network until you authenticate; the switch port or wireless association stays closed to everything except authentication traffic.

It works for both wireless and wired connections.
It is almost always paired with EAP: the client (supplicant) speaks EAP to the switch or access point (authenticator), which relays the exchange to an authentication server.

On the back end that authentication server is typically RADIUS, which in turn may check the user's credentials against LDAP, a TACACS+ server, or Kerberos/Active Directory.

16
Q

What is federation?

A

"Log in with Google"
"Log in with Facebook"

Third parties can establish a federated trust where you authenticate with your credentials from another service or company, and that other service vouches for your identity (and what you are allowed to do) to the one you are logging in to.

17
Q

What is SAML?

A

Security Assertion Markup Language.
This is an open standard for exchanging authentication and authorization data.
It was made for federation.
It lets you authenticate through a third party (the identity provider) and present the resulting signed assertion to the service you want to access.

The biggest roadblock for SAML is mobile: it is built around browser redirects and form posts, so it is awkward to use from native mobile apps.

18
Q

What is OAuth?

A

Think: "afkit wants to access your Discord account. This will allow afkit to: see what servers you are in, etc."
OAuth is a more modern authorization framework than SAML and works well with mobile apps and APIs.
It determines which resources a third-party app may access on the user's behalf.

This is NOT an authentication protocol; it is used only for authorization.
OpenID Connect (OIDC), an identity layer built on top of OAuth 2.0, handles the single sign-on authentication.
Once authentication is complete, OAuth scopes determine what data the third-party app can reach.
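The split between OIDC authentication and OAuth authorization from the card above, shown with two tokens in Python as an added example (not code from the page). The tokens are JWTs signed with HS256 under a constructed shared secret so the example runs offline; real identity providers sign with RS256 or ES256 and publish their public keys. The issuer, client id, API audience and scopes are made up; "afkit" is the app named in the card.

```python
"""OAuth 2.0 access token versus OpenID Connect ID token, as an added example
for the two cards above (not code from the page). Tokens are JWTs signed with
HS256 under a constructed shared secret so the example runs offline; real
identity providers sign with RS256/ES256 and publish their public keys. The
issuer, client id, audience and scopes are made up."""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"     # assumption: shared with the IdP
ISSUER = "https://idp.example"          # assumption: the identity provider
CLIENT_ID = "afkit"                     # the third-party app from the card
API_AUDIENCE = "discord-api"            # assumption: the resource server


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict) -> str:
    """Mint a compact JWT: header.payload.signature (HS256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify(token: str, now: float) -> dict:
    """Return the claims if algorithm, signature, issuer and expiry are good."""
    header, body, sig = token.split(".")
    # Pin the algorithm: never let the token tell you how to verify it.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def issue_id_token(subject: str, now: float) -> str:
    """OIDC: *who* the user is; aud is the client that requested the login."""
    return sign({"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
                 "iat": now, "exp": now + 300})


def issue_access_token(subject: str, scopes: list, now: float) -> str:
    """OAuth: *what* the client may do, i.e. the scopes the user consented to."""
    return sign({"iss": ISSUER, "sub": subject, "aud": API_AUDIENCE,
                 "scope": " ".join(scopes), "iat": now, "exp": now + 3600})


def authenticate_user(id_token: str, now: float):
    """Relying party (afkit) login: accept only an ID token meant for us."""
    try:
        claims = verify(id_token, now)
    except ValueError:
        return None
    return claims["sub"] if claims.get("aud") == CLIENT_ID else None


def authorize_call(access_token: str, needed_scope: str, now: float) -> bool:
    """Resource server: decide on audience and scope, not on who the user is."""
    try:
        claims = verify(access_token, now)
    except ValueError:
        return False
    return (claims.get("aud") == API_AUDIENCE
            and needed_scope in claims.get("scope", "").split())


def forge_subject(token: str, new_sub: str) -> str:
    """Attacker's attempt: swap the sub claim but keep the old signature."""
    header, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims["sub"] = new_sub
    return f"{header}.{b64url(json.dumps(claims).encode())}.{sig}"
```

The two tokens look alike but answer different questions. `authenticate_user` accepts only a token whose audience is the app itself, so an access token (even a valid one for the same user) is not proof of login; `authorize_call` looks only at audience and scope, so an ID token grants nothing at the API. Pinning the algorithm and checking `aud` are the two checks most often skipped in home-grown verifiers.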

19
Q

What is Mandatory Access Control?

A

MAC is an access control model used in the highest-security organizations, such as government and military.
The operating system limits operations based on security clearance levels.
Every object in the system gets a label (confidential, secret, top secret, TS/SCI, etc.) and every user gets a clearance; access is allowed only when the clearance dominates the label.
These labels cannot be changed by users; only the security administrator sets them.

20
Q

What is discretionary access control?

A

DAC is the method of access control used in most operating systems.
This is the one we are all most familiar with.

If you create a file, you as the owner control who has access.
You can modify that access at any time.

For example, you can set permissions so that one group has read-only access while another has read and write privileges.

21
Q

What is RBAC? break it down RB-AC

A

Role-based access control.
This is common in large organizations.
Access is granted according to the role an employee has in the company (manager, director, team lead, etc.), not to the individual.
Administrators assign permissions to roles and users to roles; users cannot grant themselves access.
In Windows, groups are the usual way to implement role-based access control.

22
Q

What is ABAC? break it down AB……AC

A

Attribute-based access control.
This is a next-generation authorization model.
It takes many different criteria into account when someone tries to access applications and data.
It checks and evaluates many parameters, such as: IP address, time of day, desired action, resource information, the user's department, etc.
The request is authorized only if all of the necessary criteria for that resource are met.

23
Q

What is rule-based access control?

A

This is a generic term for access control that follows rules.
Access is determined through system-enforced rules.
The system administrator writes the rules, not the users.
A rule is generally associated with the object.
The system checks the ACL and rules for that object at access time.

Some rule examples would be:
"Lab access is only available between 9am and 5pm."
"Only Chrome browsers can complete this web form."
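The five access-control models from the cards above (MAC, DAC, RBAC, ABAC and rule-based) implemented side by side in Python as an added example; this is not code from the page. The subjects, objects, roles, rules and the 10.0.0.0/8 "corporate network" are all constructed. The MAC check is the Bell-LaPadula "no read up" rule: a subject may read an object only if its clearance dominates the object's label.

```python
"""The access-control models from the cards above (MAC, DAC, RBAC, ABAC and
rule-based) side by side, as an added example; not code from the page. The
subjects, objects, roles, rules and the 10.0.0.0/8 'corporate network' are
all constructed. The MAC check is the Bell-LaPadula 'no read up' rule."""
from dataclasses import dataclass, field
import ipaddress

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "unclassified"             # MAC: assigned by the security officer
    roles: set = field(default_factory=set)     # RBAC: e.g. {"manager"}
    attrs: dict = field(default_factory=dict)   # ABAC: department, title, ...


@dataclass
class Obj:
    name: str
    owner: str                                  # DAC: the owner decides
    label: str = "unclassified"                 # MAC: users cannot change this
    acl: dict = field(default_factory=dict)     # DAC: {user: {"read", "write"}}
    attrs: dict = field(default_factory=dict)   # ABAC: e.g. owning department


def mac_can_read(s: Subject, o: Obj) -> bool:
    """MAC: read only if the subject's clearance dominates the object's label."""
    return LEVELS[s.clearance] >= LEVELS[o.label]


def dac_allows(s: Subject, o: Obj, action: str) -> bool:
    """DAC: the owner always has access; everyone else only via the owner's ACL."""
    return s.name == o.owner or action in o.acl.get(s.name, set())


def dac_grant(granter: Subject, o: Obj, user: str, action: str) -> None:
    """DAC: only the owner may hand out or change access (at their discretion)."""
    if granter.name != o.owner:
        raise PermissionError("only the owner can modify the ACL")
    o.acl.setdefault(user, set()).add(action)


# RBAC: permissions attach to roles (Windows groups), never to individual users.
ROLE_PERMS = {"manager": {"read", "approve"}, "analyst": {"read"}}


def rbac_allows(s: Subject, action: str) -> bool:
    return any(action in ROLE_PERMS.get(role, set()) for role in s.roles)


# Rule-based: admin-written rules attached to the object; ctx carries the
# request's hour (0-23), weekday (0 = Monday) and browser, as constructed input.
RULES = {
    "lab": [lambda ctx: 9 <= ctx["hour"] < 17],               # "9am to 5pm"
    "web-form": [lambda ctx: ctx.get("browser") == "chrome"],  # "only Chrome"
}


def rule_allows(o: Obj, ctx: dict) -> bool:
    return all(rule(ctx) for rule in RULES.get(o.name, []))


def abac_allows(s: Subject, o: Obj, action: str, ctx: dict) -> bool:
    """ABAC: every attribute condition must hold; subject, object, action, context."""
    corp_net = ipaddress.ip_network("10.0.0.0/8")
    conditions = [
        s.attrs.get("department") == o.attrs.get("department"),   # subject vs object
        action in {"read", "write"},                               # desired action
        ipaddress.ip_address(ctx["ip"]) in corp_net,               # source address
        ctx["weekday"] < 5,                                        # business days only
    ]
    return all(conditions)
```

The contrast the cards draw is visible in who can change the answer: under DAC the owner can grant a colleague read access with `dac_grant`, under MAC no one but the security officer can relabel an object, under RBAC a permission is added to a role and every holder of that role gets it, and under ABAC and rule-based control the decision moves with the request context (source address, time, browser), so the same user can be allowed at 10:00 from the office and refused at 18:00 or from the internet.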

24
Q

What is conditional access?

A

This is a more modern way of doing access control.
Think of cloud environments with this.
It lets us set conditions, such as whether an employee is in a certain location, which device they are on, whether they are a vendor or an employee, etc., and depending on those conditions apply a wide range of controls in response, such as:
Allow/block
Require MFA
Provide limited access
Require a password reset
etc.

25
Q

What is PAM? (privileged access management)

A

This is a way of managing superuser access, such as Administrator and root.
It is a centralized way to handle elevated access to system resources in large organizations with many different administrators.

Privileged accounts are stored in a digital vault, and access is granted from the vault only on request. These privileges are temporary: they are checked out for a task and checked back in afterwards, typically with the password rotated on check-in.

This has many advantages, most notably centralized password management, an audit trail tied to the individual who checked out the account, and automation, since a script can check out credentials without an administrator logging in manually.