Book-Notes Section 8 Flashcards
What Are SSH Keys in the Context of Identity Management?
SSH keys are cryptographic keys used to securely authenticate users and systems in an organization’s Identity and Access Management (IAM) strategy. Instead of using passwords, users authenticate with SSH key pairs, which provide stronger security and better identity management for system access.
🔹 How SSH Keys Work in Identity Management
✅ SSH keys consist of two parts:
Public Key → Stored on the server (identifies the user).
Private Key → Stored securely by the user (used to prove identity).
✅ When a user connects to a server via SSH, the server checks:
Can the user prove possession of the private key that corresponds to the public key stored on the server?
If yes, access is granted without needing a password.
✅ This allows passwordless authentication, reducing security risks like brute-force attacks.
🔹 Are SSH Keys Different from Public Key Cryptography?
✅ No, SSH keys are an application of public key cryptography!
They are specifically designed for secure remote authentication and communication, while public key cryptography is the broader concept used in many applications.
🔹 How SSH Keys Relate to Public Key Cryptography
SSH keys are based on the same principles as public key cryptography:
They use a key pair:
Public Key → Shared with servers (to verify identity).
Private Key → Kept secret by the user (used to authenticate).
Authentication works by proving ownership of the private key without exposing it.
However, SSH keys are specifically used for SSH-based authentication, while public key cryptography is used in many other applications (encryption, digital signatures, etc.).
Does the Server Take the Private Key from the User?
❌ No, the server never takes or sees the private key!
✅ Instead, the server only stores the public key, and the user proves they have the private key without revealing it.
This is done using public key cryptography, where authentication works without exposing the private key.
What Does It Mean That Passwords Sent by RADIUS Are “Obfuscated by a Shared Secret and MD5 Hash”?
This means that RADIUS (Remote Authentication Dial-In User Service) does not send passwords in plain text but instead hides (obfuscates) them using:
✔ A shared secret (a pre-shared key known to both the RADIUS client and server).
✔ An MD5 hash (a cryptographic hash function applied to obscure the password).
However, this is not strong encryption, and it has security weaknesses.
🔹 Is RADIUS Password Obfuscation a Form of Symmetric Encryption?
Not exactly! RADIUS password obfuscation uses XOR with an MD5 hash, but it does not qualify as true symmetric encryption. However, it shares some similarities with symmetric encryption because it relies on a shared secret between the client and server.
🔹 Who is the “Client” in the Context of RADIUS?
In RADIUS authentication, the client refers to the Authenticator (the network access device, such as a Wi-Fi AP, VPN gateway, or switch), not the Supplicant (the end user's device).
So do you mean that the shared secret is between the RADIUS client and the RADIUS server, not between the end user and the server?
🔹 Yes! The Shared Secret is Between the RADIUS Client (Authenticator) and the RADIUS Server, NOT the End User.
✅ The end user (Supplicant) does not know or use the shared secret.
✅ Only the Authenticator (RADIUS Client) and the RADIUS Server share the secret.
🔹 Why is the Shared Secret Used?
The shared secret is a pre-configured key that ensures secure communication between the RADIUS Client (Authenticator) and the RADIUS Server.
It helps verify that the RADIUS Client is legitimate.
It is used to obfuscate (not encrypt) user passwords using MD5 hashing + XOR before sending them to the RADIUS server.
It prevents unauthorized devices from acting as RADIUS clients.
🔹 Step-by-Step Breakdown
1️⃣ End User (Supplicant) → Authenticator (RADIUS Client)
The user enters their username and password (e.g., connecting to Wi-Fi, VPN, or network switch).
The Supplicant does not know about the shared secret.
2️⃣ Authenticator (RADIUS Client) → RADIUS Server
The Authenticator (e.g., Wi-Fi AP, VPN gateway, or switch) obfuscates the password using:
MD5(SharedSecret + RandomValue) ⊕ Password (here + is concatenation and ⊕ is XOR)
This obfuscated password is sent to the RADIUS Server.
The shared secret is NOT sent—both devices just use it internally.
3️⃣ RADIUS Server Verifies the Credentials
The server uses the same shared secret to reverse the obfuscation and recover the password.
If the password is correct, the RADIUS Server sends an “Access-Accept” message to the Authenticator.
If incorrect, it sends an “Access-Reject” message.
4️⃣ Authenticator Grants or Denies Access to the Supplicant
If authentication is successful, the Authenticator allows the user (Supplicant) to access the network.
🔹 Does the User Authenticate to Kerberos Again After Logging Into the Windows Domain?
✅ No, the user does NOT need to reauthenticate separately for Kerberos.
✅ By logging into the Windows domain, the user is automatically authenticated to Kerberos.
🔹 How This Works (Step-by-Step)
1️⃣ User Logs Into the Windows Domain (Active Directory)
The user types their username and password on their Windows machine.
Windows hashes the password and checks it against the stored hashed password in Active Directory.
If the hash matches, the user is logged into the Windows domain.
2️⃣ Kerberos Authentication Happens Automatically in the Background
The Windows machine requests a Ticket Granting Ticket (TGT) from the Kerberos service (which is part of Active Directory).
The Kerberos service (KDC) verifies the user and issues the TGT.
The TGT is stored in the user’s session memory (so they don’t have to enter their password again).
3️⃣ User Now Has a TGT and Can Access Services Without Reauthenticating
When the user tries to access file shares, printers, email, or databases, they don’t need to enter their password again.
Instead, their machine automatically presents the TGT to the Kerberos service to get Service Tickets (TGS tickets) for each service.
The services trust the TGS tickets issued by Kerberos and grant access.
🔹 Are Primary, Instance, and Realm Included in the Ticket Granting Ticket (TGT)?
✅ Yes! The TGT contains the full Kerberos Principal Name, which includes the Primary, Instance, and Realm.
The TGT (Ticket Granting Ticket) is issued by the KDC (Key Distribution Center) and contains identity information about the user, including their Kerberos Principal Name, which follows this format:
primary/instance@REALM
This lets Kerberos verify exactly which principal is authenticating, which role (instance) it is acting in, and which realm (authentication domain) it belongs to, so that access control can be enforced accordingly.
🔹 What’s Inside a TGT?
When a user logs in, the KDC creates a TGT, which includes:
TGT Field → What It Contains
Principal Name → The user’s full Kerberos principal (primary/instance@REALM).
Session Key → A temporary symmetric key for encrypting further Kerberos communications.
Ticket Lifetime → How long the TGT is valid (e.g., 8 hours).
KDC Signature → A cryptographic signature from the KDC to prevent tampering.
🔹 How the Three Elements Are Used in the TGT
Element → Purpose in the TGT (Example in TGT)
Primary → Identifies the user or service (e.g., alice@EXAMPLE.COM).
Instance → Differentiates roles or servers (e.g., alice/admin@EXAMPLE.COM, host/server1.example.com).
Realm → Defines the authentication domain (e.g., EXAMPLE.COM).
✅ The Kerberos Principal Name inside the TGT tells the KDC exactly who the user is, their role, and what realm they belong to.
🔹 What Happens When the TGT is Used?
1️⃣ The user logs in and receives a TGT, which contains their Kerberos Principal Name (primary/instance@REALM).
2️⃣ When the user requests access to a service, they send their TGT to the KDC.
3️⃣ The KDC extracts the Principal Name from the TGT, verifies it, and issues a Service Ticket for the requested service.
4️⃣ The Service Ticket also includes the Principal Name, ensuring the service knows exactly who is accessing it.
📌 Final Answer
✅ Yes, the TGT contains the full Kerberos Principal Name (primary/instance@REALM) to properly authenticate and authorize users.
✅ The KDC and services use this information to enforce security policies and role-based access control.
✅ The TGT does not include the user’s password—only the Principal Name and encrypted authentication data.
🔹 Is an RP (Relying Party) the Same as a Service Provider (SP) in Identity Management?
✅ Yes, in most contexts, the terms “Relying Party (RP)” and “Service Provider (SP)” mean the same thing, but their usage depends on the authentication protocol being used.
🔹 What is Universal 2nd Factor (U2F)?
✅ Universal 2nd Factor (U2F) is an authentication standard for physical security keys used as a second factor (2FA) to enhance login security.
✅ It was developed by the FIDO (Fast Identity Online) Alliance to provide strong, phishing-resistant authentication.
✅ Instead of entering a code (like SMS or app-based 2FA), the user simply taps a physical security key (e.g., YubiKey, Google Titan).
🔹 How U2F Works (Step-by-Step)
1️⃣ User Logs into a Website or Service
The user enters their username and password as usual.
2️⃣ The Website Requests a U2F Security Key
Instead of an SMS code or authenticator app, the website asks for a physical security key.
3️⃣ User Taps the U2F Key to Authenticate
The user plugs the U2F security key into a USB port (or holds it to an NFC reader) and taps it.
The key cryptographically signs the authentication request.
4️⃣ The Website Verifies the U2F Response
The server checks the digital signature and grants access if valid.
No code is typed or sent that an attacker could capture and reuse, which is what makes U2F phishing-resistant.
Difference Between Iris Recognition & Retina Scan (Simple Terms)
✔ Iris Recognition → Scans the colored part of the eye from a distance.
✔ Retina Scan → Scans the blood vessels at the back of the eye, requiring the user to look directly into a scanner.
✔ Iris Recognition is more common (used in smartphones & airports), while Retina Scanning is used in top-security environments (military & medical).
What is Vein Recognition in Biometric Authentication? (Simple Explanation)
✅ Vein Recognition is a biometric authentication method that scans the unique pattern of veins inside a person’s hand or finger.
✅ It uses infrared light to detect blood vessel patterns, which are hidden inside the body and therefore very hard to replicate or steal.
🔹 How Vein Recognition Works (Step-by-Step)
1️⃣ User places their hand or finger on a scanner
The scanner shines infrared light on the skin.
2️⃣ The infrared light penetrates the skin and detects veins
Hemoglobin (in blood) absorbs the infrared light, making the veins appear as a dark pattern.
3️⃣ The scanner captures the unique vein pattern
The system converts the vein pattern into a biometric template.
4️⃣ The system verifies the user’s identity
If the vein pattern matches the stored template, access is granted.
🔹 Why is Vein Recognition More Secure?
✔ Vein patterns are unique → Even twins have different vein patterns!
✔ Vein patterns are hidden inside the body → Unlike fingerprints or facial features, veins can’t easily be copied, stolen, or faked.
✔ Works in harsh conditions → Gloves, dirt, or sweat don’t affect it, unlike fingerprints.
✔ Liveness detection → Vein recognition only works on living tissue (stopping fake attempts using photos or artificial fingers).
🔹 Where is Vein Recognition Used?
✅ Banks & ATMs → Some banks use finger vein scanners instead of PINs.
✅ High-Security Facilities → Military and government buildings use palm vein recognition.
✅ Healthcare → Used for patient identification to prevent medical fraud.
✅ Corporate Access Control → Used for secure office entry instead of ID cards.
🔹 What is the FIDO Alliance? (Simple Explanation)
✅ The FIDO (Fast Identity Online) Alliance is a group of companies and organizations that work together to create passwordless and secure authentication methods.
✅ Their goal is to eliminate passwords by using strong, phishing-resistant authentication, like biometric logins (fingerprint, face scan) and security keys (U2F, FIDO2).
🔹 What Does the FIDO Alliance Do?
1️⃣ Develops Passwordless Authentication Standards
Instead of passwords, FIDO supports fingerprints, face scans, PINs, and security keys.
2️⃣ Creates Secure Login Methods (FIDO2, U2F, WebAuthn)
These allow users to log in using biometrics or hardware security keys instead of passwords.
3️⃣ Prevents Phishing & Password Hacks
FIDO-based authentication stops phishing attacks, as users don’t enter passwords that hackers can steal.
4️⃣ Works with Big Tech Companies
FIDO authentication is used by Google, Microsoft, Apple, PayPal, and banks to provide secure logins.
🔹 What is a Service Account? (Simple Explanation)
✅ A Service Account is a special type of account used by applications, software, or automated processes instead of human users.
✅ It allows services, scripts, and background tasks to run securely without needing a human to log in.
✅ Service accounts often have specific permissions to access databases, APIs, or other system resources.
🔹 How Service Accounts Work
✔ Used by software, not people → Unlike regular user accounts, service accounts are designed for programs, applications, and system processes.
✔ Have limited permissions → They are usually restricted to only what they need to do (Principle of Least Privilege).
✔ Can run automatically → Service accounts allow tasks to run without manual intervention.
🔹 JIT, Password Vaulting, and Ephemeral Accounts in PAM (Simple Explanation)
✅ PAM (Privileged Access Management) helps secure and control administrator or high-privilege accounts to prevent security risks.
✅ JIT, Password Vaulting, and Ephemeral Accounts are different methods to manage and protect privileged access.
🔹 1️⃣ Just-In-Time (JIT) Access
✅ What is JIT?
JIT (Just-In-Time) is a security model that grants privileged access only when needed and for a limited time.
Instead of keeping always-active admin accounts, JIT temporarily elevates user permissions for a short time.
✅ How it Works:
A user requests elevated access (e.g., admin privileges).
PAM approves the request based on rules and policies.
The user gets temporary privileged access (e.g., for 1 hour).
Access expires automatically, reducing the risk of misuse.
✅ Example Use Case:
A developer needs admin rights to install software on a server.
JIT grants them temporary admin access for 2 hours.
After 2 hours, their admin privileges are revoked automatically.
🔹 Key Benefit: Reduces attack risk by ensuring privileged access is not always available.
🔹 2️⃣ Password Vaulting (Privileged Credential Management)
✅ What is Password Vaulting?
A secure “vault” that stores and protects admin passwords from unauthorized access.
Instead of users knowing or reusing passwords, PAM manages access to credentials securely.
✅ How it Works:
Admin credentials (e.g., database root password) are stored in an encrypted vault.
Users request access to a privileged account.
PAM retrieves the password from the vault, logs the user in, and never exposes the actual password.
After use, the password can be changed automatically to prevent misuse.
✅ Example Use Case:
A database admin needs to log into a critical database.
Instead of knowing the root password, they access the database via PAM, which retrieves the password from the vault.
The password is changed automatically after use to prevent reuse.
🔹 Key Benefit: Prevents credential theft by keeping passwords hidden and rotating them automatically.
🔹 3️⃣ Ephemeral Accounts (Temporary Accounts for One-Time Use)
✅ What is an Ephemeral Account?
An ephemeral account is a temporary, short-lived account created only for a specific task.
Once the task is complete, the account is automatically deleted.
✅ How it Works:
A user requests access to a privileged system.
PAM creates a new temporary account with the required permissions.
The user logs in using the temporary account.
After the session ends, the account is deleted automatically.
✅ Example Use Case:
A third-party contractor needs access to a server for 24 hours.
PAM creates a temporary account for them.
After 24 hours, the account is deleted, ensuring they can’t access the system again.
🔹 Key Benefit: Eliminates persistent privileged accounts, reducing the risk of attack.