Ch10 - Authentication Flashcards

1
Q

Authentication Factors:

A
  1. Something you know
  2. Something you have
  3. Something you are (*)
  4. Somewhere you are
  5. Something you do

(*) biometrics offers the strongest form of authentication.

2
Q

Authentication Factors - Something you know

A

This is the most common authentication factor, where you know information to prove your identity. Examples of this authentication factor are knowing a password or a PIN.

3
Q

Authentication Factors - Something you have

A

Also a common authentication factor, this is based on your having something in your possession to gain access to the environment. For example, you use a swipe card or physical token to enter a building. Another example is when a web site sends you a text message with an authorization code when you log in. You need to have your phone with you to receive this SMS message, and then you type the authorization code as confirmation that you have the phone. This occurs after you have typed your username and password as well.

4
Q

Authentication Factors - Something you are

A

With this more advanced authentication factor, you submit a physical characteristic of yourself, such as your retina, fingerprint, or voice, to prove your identity. Authenticating to a system using this method is known as biometrics and is considered the most secure method of authentication.

5
Q

Authentication Factors - Somewhere you are

A

An authentication system can authenticate you based on your location. This could be GPS location or IP subnet information.

6
Q

Authentication Factors - Something you do

A

This newer form of authentication factor is based on your habits. For example, a system may use your typing patterns in conjunction with another authentication factor to authenticate you.

7
Q

Common examples of two-factor authentication schemes:

A

Physical token and password: This is an example of authenticating with something you have and something you know.

Smartcard and PIN: Again, this is an example of authenticating with something you have and something you know.

Biometrics and password: This example is using an authentication scheme that uses something you are combined with something you know.

The exam will try to trick you by giving you examples that may look like multifactor authentication but are not because the examples use the same authentication scheme. For example, using a retina scan and fingerprint for authentication is still only single-factor authentication because they are both examples of something you are. Another example of single-factor authentication would be a username and password because they are both examples of something you know.

8
Q

Single Sign-on

A

An important concept regarding authentication is the concept of single sign-on, also known as SSO. Single sign-on is the principle that when you authenticate to the network, you then have the capability to access multiple systems based on your authentication information. With SSO you are not required to authenticate with each different system you access—you authenticate once and then can gain access to multiple systems without authenticating again.

9
Q

Identity Federation

A

With SSO, the user logs on with one set of credentials and then accesses many different servers, even servers in other organizations. Authenticating against an identity store in your organization and being authorized to use network services from other organizations is known as identity federation.

10
Q

Authentication methods used in the Microsoft world - Kerberos

A

Kerberos is a popular mutual authentication protocol and is used by default with Microsoft Active Directory environments.

Active Directory adheres to the Lightweight Directory Access Protocol (LDAP) standard, which is the Internet protocol for accessing and querying a directory.

Kerberos uses a key distribution center (KDC) server that is responsible for issuing tickets. These tickets are needed in order for a client to request a service from any other server on the network (the Kerberos realm).

The Kerberos process starts when the client logs on to the network. The KDC has a component known as the Authentication Server (AS), which issues the client a ticket-granting ticket (TGT). The TGT gives the client permission to request a service ticket.

The service ticket is required to request service from a server on the network. When the client wants to connect to a specific server on the network, it must request a ticket from the ticket-granting service (TGS), which is another component of the KDC.

The TGS grants the ticket to the client so the client can access the required server on the network.

11
Q

Authentication Protocols:

A
  1. Password Authentication Protocol (PAP)
  2. Challenge Handshake Authentication Protocol (CHAP)
  3. Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  4. MS-CHAPv2
  5. Extensible Authentication Protocol (EAP)
12
Q

Password Authentication Protocol (PAP)

A

Password Authentication Protocol sends the user’s credentials in plain text and is very insecure because of how easy it is for someone to analyze and interpret the logon traffic. This is the authentication protocol used by the basic authentication method mentioned previously.

13
Q

Challenge Handshake Authentication Protocol (CHAP)

A

With the Challenge Handshake Authentication Protocol, the server sends a challenge to the client that is then used in the authentication process.
The following steps are performed by CHAP:

  1. The server sends the client a challenge (a key).
  2. The client then combines the challenge with the password. Both the user’s password and the challenge are run through the MD5 hashing algorithm (a formula), which generates a hash value, or mathematical answer. The hash value is sent to the server for authentication.
  3. The server uses the same key to create a hash value with the password stored on the server and then compares the resulting value with the hash value sent by the client. If the two hash values are the same, the client has supplied the correct password.

The benefit is that the user’s credentials have not been passed across the network at all.

14
Q

Microsoft Challenge Handshake Authentication Protocol (MSCHAP)

A

MS-CHAP is a variation of CHAP that uses MD4 as the hashing algorithm, versus MD5 used by CHAP. MS-CHAP is also used together with the Microsoft Point-to-Point Encryption (MPPE) protocol to encrypt all traffic from the client to the server.

15
Q

MS-CHAPv2

A

With MS-CHAP version 2, the authentication method has been extended to authenticate both the client and the server. MS-CHAPv2 also uses stronger encryption keys than CHAP and MS-CHAP.

16
Q

Extensible Authentication Protocol (EAP)

A

The Extensible Authentication Protocol allows for multiple logon methods such as smartcard logon, certificates, Kerberos, and public-key authentication.
EAP is also frequently used with RADIUS, which is a central authentication service that can be used by RAS, wireless, or VPN solutions, as described in the next section.

17
Q

Authentication Services:

A
  1. Remote Authentication Dial-In User Service (RADIUS)
  2. DIAMETER
  3. TACACS and XTACACS
  4. TACACS+
18
Q

Remote Authentication Dial-In User Service (RADIUS)

A

Remote Authentication Dial-In User Service (RADIUS) is a central authentication service that has been popular for many years.

As its name suggests, it was originally used with dial-in services. The client computer that needs access to the network connects to the network by dialing into a RAS server or making a connection to a VPN server from across the Internet.

The RAS or VPN server in this case is known as the RADIUS client because it sends the authentication request to the RADIUS server that is running in the background. This RADIUS server verifies the credentials and sends back a reply as to whether the network client is to be granted or denied access.

RADIUS is an AAA protocol that uses UDP as the transport layer protocol and uses the following UDP ports:

+ UDP port 1812 for authentication and authorization services
+ UDP port 1813 for accounting services

802.1X is a common authentication protocol that controls who gains access to a wired or wireless network by requiring the client to authenticate against a central authentication database such as a RADIUS server.

You can use 802.1X to control access to wireless networks and switches that support 802.1X authentication. This is a method of implementing network access control (NAC), where you are controlling who can connect to the network.

19
Q

DIAMETER

A

DIAMETER is a newer AAA protocol and is designed to replace RADIUS. DIAMETER provides more reliable communication than RADIUS because it is TCP based. DIAMETER has improved upon the services being offered over RADIUS by being a more secure, scalable protocol.

20
Q

TACACS and XTACACS

A

TACACS stands for Terminal Access Controller Access Control System and originated as an authentication service that ran on Unix systems. TACACS services ran over TCP and UDP port 49. A few years after TACACS came out, Cisco created their own proprietary authentication service known as Extended TACACS (XTACACS), which worked as a central authentication service for Cisco devices.

21
Q

TACACS+

A

The Terminal Access Controller Access Control System+ (TACACS+) protocol is the AAA protocol used by Cisco networks and supersedes the original TACACS and XTACACS protocols. TACACS+ uses TCP for communication and uses the same topology as RADIUS in the sense that the client tries to connect to the network, and the NAS (which is the TACACS client) sends the authentication request to the TACACS server.

TACACS+ has been improved over RADIUS from a security standpoint because it encrypts all information between the TACACS client and the TACACS server, whereas RADIUS encrypts only the password between the RADIUS client and the RADIUS server.

22
Q

Other Authentication Protocols:

A
  1. LDAP
  2. Secure LDAP
  3. SAML (Security Assertion Markup Language)
  4. TOTP (Time-based One-Time Password)
  5. HOTP (HMAC-based One-Time Password, where HMAC is a Hash-based Message Authentication Code)
  6. OAUTH
  7. OpenID Connect
  8. Shibboleth
  9. NTLM (NT LAN Manager)
23
Q

Lightweight Directory Access Protocol (LDAP)

A

The Lightweight Directory Access Protocol is an Internet protocol designed for access to a directory service over TCP port 389 and allows LDAP-enabled applications to authenticate to a directory and then retrieve information about objects stored in the directory.

24
Q

Secure LDAP

A

Secure LDAP is the LDAP protocol using Secure Sockets Layer (SSL) over TCP port 636 to encrypt the communication between the client and LDAP system.

25
Q

Security Assertion Markup Language (SAML)

A

Security Assertion Markup Language is an XML standard that is designed to allow systems to exchange authentication and authorization information. This is often used with identity federation and claims-based authentication.

26
Q

Time-based One-Time Password (TOTP)

A

Time-based One-Time Password is an algorithm used by authentication systems that involves passwords being generated based on the current time.

27
Q

HMAC-based One-Time Password (HOTP)

A

HMAC-based One-Time Password is a Hash-based Message Authentication Code (HMAC) algorithm used to generate passwords.

28
Q

OAUTH

A

OAUTH is an industry-standard protocol for authorizing applications to access user information without exposing sensitive information such as a password.

29
Q

OpenID Connect

A

OpenID Connect is the authentication protocol that works with the OAUTH authorization protocol. OpenID Connect allows applications to retrieve information about the authentication session.

30
Q

Shibboleth

A

Shibboleth is a software implementation that uses SAML tokens and federation services for SSO (single sign-on) applications.

31
Q

NT LAN Manager (NTLM)

A

NT LAN Manager is a security protocol found on older Microsoft networks that provided authentication services to the network. NTLM has been replaced by Kerberos.

32
Q

Biometric Factors

A

Fingerprint
A fingerprint scanner scans your fingerprint and compares it with the system-stored fingerprint that you previously submitted during enrollment (described in the next section). A similar system is a palm scanner.

Retina
A retinal scanner scans the pattern of blood vessels around the retina of your eye and compares it with the system-stored image.

Iris
An iris scanner scans the colored part of your eye that surrounds the pupil and compares it with the system-stored image.

Voice
A voice-recognition system requires you to speak and verifies your voice pattern based on the system-stored sample you previously submitted.

Face
A facial-recognition system verifies features of your face based on your system-stored digital image.

33
Q

Biometric Error Types

A

Type I A type I error is known as the false rejection rate (FRR) and occurs when the biometric system fails to authenticate someone who is authorized to access the system.

Type II A type II error is the opposite of a type I error in that it allows someone to access the system who is not authorized to access the system. This type of error is known as the false acceptance rate (FAR).

Biometric devices are sometimes rated by the percentage of errors that occur using a value known as the crossover error rate (CER). The CER is a number representing when the number of type I errors equals the number of type II errors. For example, if 5 out of 100 authentication attempts are type I errors and 5 out of 100 authentication attempts are type II errors, then the CER is 5. The lower the CER value, the more accurate the biometric system is.

34
Q

Common access card (CAC)

A

The U.S. military uses a form of smartcard known as a common access card (CAC). The common access card is issued to active-duty personnel and is used as an identification card and as a form of authentication. The CAC is used to authenticate to the network and to grant access to military systems, as well as to encrypt and digitally sign messages.

35
Q

Personal identification verification (PIV) card

A

Another example of a form of smartcard being used by government agencies is the personal identification verification (PIV) card, which is used to store information about the government employee such as authentication information (including biometrics) that is used to authenticate personnel and control access to computer systems and facilities.

36
Q

IEEE 802.1X

A

When looking to control which devices can be used to connect to a wireless network or wired LAN, you can use 802.1X with the Extensible Authentication Protocol over LAN (EAPOL).

37
Q

Federation services

A

Federation services use claims-based authentication, in which a token contains different pieces of information, each known as a claim, that can be used to authorize a user. Examples of claims could be a department, city, state, groups, or user ID.