ch24 questions and definitions Flashcards
The user presents credentials and requests a ticket from the Key Distribution Server.
Step 1 of Kerberos
The KDS verifies credentials and issues a TGT
Step 2 of Kerberos
The user presents a TGT and a request for service to the KDS.
Step 3 of Kerberos
The KDS verifies authorization and issues a client-to-server ticket to the desired service
Step 4 of Kerberos
The user presents a request and a client-to-server ticket to the desired service.
Step 5 of Kerberos
If the client-to-server ticket is valid, service is granted to the client.
Step 6 of Kerberos
A flexible EAP method that allows mutual authentication between a supplicant and a server.
EAP-FAST
An open standard that provides enhanced network security by locking down the network, only allowing authenticated users to access company data, resources, and applications.
EAP-TLS
Protocol that extends TLS and provides certificate-based mutual authentication of the client and network through an encrypted channel.
EAP-TTLS
An access control approach in which access is mediated based on attributes associated with subjects and the objects to be accessed.
ABAC (Attribute Based Access Control)
Access control policy that is enforced over all subjects and objects in a system, where the policy specifies that a subject that has been granted access to information can do one or more actions.
DAC (Discretionary Access Control)
Access control that restricts the ability of a subject or initiator to access or perform some sort of operation on an object or target.
MAC (Mandatory Access Control)
A strategy for managing user access on IT systems.
RBAC (Rule Based Access Control)
A policy-neutral access control mechanism that restricts network access based on a person’s role within an organization.
RBAC (Role Based Access Control)
Stores login credentials, including usernames, passwords, and addresses, for use on a local computer or on other computers in the same network server.
Credential Manager.
Password management system for macOS.
Keychain
An authentication standard that supports port-based authentication services between a user and an authorization device.
802.1x
An authentication method in which users are asked to answer at least one secret question. Often used as a component for MFA and self-service password retrieval.
Knowledge-based authentication.
Encrypted authentication scheme in which the unencrypted password is not transmitted over the network.
CHAP (Challenge-Handshake Authentication Protocol)
Encrypted authentication scheme used in wide area network (WAN) communication.
MS-CHAP
A simple user authentication protocol that does not encrypt the data and sends the password and username to the authentication server as plain text.
PAP (Password Authentication Protocol)
What is the purpose of a daemon?
Service process on a server.
Describe the CHAP three-way handshake.
A challenge is sent to the client. The client uses a one-way hash function to calculate a response and sends it back. If the response matches, communication continues.
To describe what constituted a trusted computing system.
DoD’s Orange Book.
An international standard for a secure crypto processor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.
TPM
A physical computing device that safeguards and manages digital keys, performs encryption and decryption functions for digital signatures, authentication, and other cryptographic functions.
HSM
What is the difference between permissions and rights?
Permissions are for files.
Rights are for actions.
Software mechanism designed to manage the problem of users having multiple passwords for the myriad of different systems.
Password Vault
Why does a password vault represent a single point of failure?
If an attacker gets the password key or master password, they have access to all the user’s passwords.
An open protocol that allows secure, token-based authorization on the internet from web, mobile, and desktop applications.
OAuth
Is OAuth 2.0 backward-compatible with OAuth 1.0?
No, it’s not backward-compatible.
A simple identity layer on top of the OAuth protocol that allows clients of all types to request and receive information about authenticated sessions and end users.
OpenID
What role does NAS play in RADIUS and TACACS+?
Contacting the two servers and transmitting the request for authentication to the server.
What types of communications in RADIUS are subject to compromise?
Communications between a user and the client.
What transport-layer protocol does RADIUS use?
UDP
What port# does RADIUS use for accounting?
UDP Port 1813
What port# does RADIUS use for authentication and authorization?
UDP Port 1812
What types of communications in TACACS+ are subject to compromise?
NAS client and TACACS+ client.
Is TACACS+ backward-compatible with previous TACACS versions?
No, it’s not backward-compatible.
What transport-layer protocol does TACACS+ use?
UDP and TCP
What port# does TACACS+ use?
49
Compare browser-based password storage and OS password vaults.
Browser-based storage is much less secure; OS-based vaults are more robust and carry less overall risk.