Chapter 14 Flashcards
the access granted for an object that determines what you can do with it (read, edit, create, delete)
permissions
the ability to take an action on an object
right
a combination of rights and permissions
privileges
access control model that restricts access to data based on the content within an object
content-dependent control
access control model that requires specific activity before granting users access
context-dependent control
subjects are granted access only to what they need to know
need to know
subjects are granted only the privileges they need
least privilege
access control model where every object has an owner and the owner can grant or deny access to other subjects
discretionary access control (DAC)
access control model where roles or groups are used to assign permissions
Role-Based Access Control (RBAC)
access control model that applies global rules to all subjects (such as a firewall)
Rule-Based Access Control
access control model where rules can include multiple attributes and apply differently to different subjects
Attribute-Based Access Control
access control model where labels are applied to both subjects and objects (clearances)
Mandatory Access Control (MAC)
access control model that grants or denies access after evaluating the risk of each request, often using machine learning (for example, an unfamiliar device or location raises the risk score)
Risk-Based Access Control
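Added example, not from the flashcards: the same access request evaluated under DAC, RBAC, ABAC and rule-based control, so the difference between the models is visible in code rather than in definitions. Every subject, role, object, attribute and rule below is constructed for illustration.

```python
# Added example (not from the flashcards): one access request evaluated under
# DAC, RBAC, ABAC and rule-based control. Every user, role, object, attribute
# and rule below is constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Subject:
    name: str
    roles: set            # RBAC: roles assigned to the subject
    attrs: dict           # ABAC: department, MFA state, ...


@dataclass
class Obj:
    name: str
    kind: str
    owner: str                                 # DAC: the owner controls the ACL
    acl: dict = field(default_factory=dict)    # DAC: subject name -> set of permissions
    attrs: dict = field(default_factory=dict)  # ABAC: object attributes


# --- DAC: the object's owner decides who else gets what -----------------------
def dac_grant(obj: Obj, granter: str, grantee: str, perms: set) -> None:
    """Only the owner may change the ACL; that is what makes it discretionary."""
    if granter != obj.owner:
        raise PermissionError(f"{granter} does not own {obj.name}")
    obj.acl.setdefault(grantee, set()).update(perms)


def dac_allows(subject: Subject, obj: Obj, perm: str) -> bool:
    return subject.name == obj.owner or perm in obj.acl.get(subject.name, set())


# --- RBAC: permissions attach to roles, subjects are assigned roles -----------
ROLE_PERMS = {
    "analyst": {("report", "read")},
    "editor": {("report", "read"), ("report", "write")},
}


def rbac_allows(subject: Subject, obj: Obj, perm: str) -> bool:
    return any((obj.kind, perm) in ROLE_PERMS.get(role, set()) for role in subject.roles)


# --- ABAC: a policy over subject, object and environment attributes ----------
def abac_allows(subject: Subject, obj: Obj, perm: str, env: dict) -> bool:
    """Constructed policy: same department and corporate network to read;
    writing additionally requires an MFA-backed session."""
    same_dept = subject.attrs.get("dept") == obj.attrs.get("dept")
    on_corp_net = env.get("network") == "corporate"
    if perm == "read":
        return same_dept and on_corp_net
    if perm == "write":
        return same_dept and on_corp_net and subject.attrs.get("mfa") is True
    return False


# --- Rule-based: one global rule set applied to every subject alike ----------
GLOBAL_RULES = [("deny", "write", range(0, 6))]  # no writes between 00:00 and 06:00


def rule_based_allows(perm: str, hour: int) -> bool:
    for action, rule_perm, hours in GLOBAL_RULES:
        if rule_perm == perm and hour in hours:
            return action == "allow"
    return True  # default allow here; a firewall rule set would normally default deny


def sample_world():
    """Constructed subjects and one object, shared by the demo and the tests."""
    alice = Subject("alice", {"editor"}, {"dept": "finance", "mfa": True})
    bob = Subject("bob", {"analyst"}, {"dept": "finance", "mfa": False})
    carol = Subject("carol", {"analyst"}, {"dept": "hr", "mfa": True})
    report = Obj("q3-report", "report", owner="alice", attrs={"dept": "finance"})
    return alice, bob, carol, report


def evaluate(subject: Subject, obj: Obj, perm: str, env: dict, hour: int) -> dict:
    """Run the same request through all four models and report each verdict."""
    return {
        "DAC": dac_allows(subject, obj, perm),
        "RBAC": rbac_allows(subject, obj, perm),
        "ABAC": abac_allows(subject, obj, perm, env),
        "rule-based": rule_based_allows(perm, hour),
    }


if __name__ == "__main__":
    alice, bob, carol, report = sample_world()
    dac_grant(report, "alice", "bob", {"read"})
    for who in (alice, bob, carol):
        print(who.name, evaluate(who, report, "read", {"network": "corporate"}, 10))
```

Note how carol's read request comes out differently per model: RBAC allows it because her role carries the permission, ABAC denies it because her department attribute does not match, and DAC denies it because the owner never granted her anything.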
MAC environment where labels are ordered from low to high security (for example, Confidential < Secret < Top Secret)
hierarchical environment
MAC environment where security domains (compartments) have no relationship to one another; a subject needs membership in the specific compartment, and no level outranks another
compartmentalized environment
MAC environment that combines hierarchical levels with compartments (a subject needs both a sufficient level and the object's compartments)
hybrid environment
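Added example, not from the flashcards: a label comparison that implements the three MAC environments above, so the same subject clearance yields a different set of accessible objects depending on the environment. The level names, compartment code words and sample objects are constructed.

```python
# Added example (not from the flashcards): comparing MAC labels in the three
# environments. The level names, compartments and sample objects are constructed.
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str                  # hierarchical component (clearance / classification)
    compartments: frozenset     # need-to-know component (project code words)


def dominates(subject: Label, obj: Label, environment: str) -> bool:
    """True when the subject's clearance label dominates the object's label.

    hierarchical:      only the ordered level matters
    compartmentalized: only compartment membership matters, levels have no order
    hybrid:            both conditions must hold
    """
    level_ok = LEVELS[subject.level] >= LEVELS[obj.level]
    compartments_ok = obj.compartments <= subject.compartments
    if environment == "hierarchical":
        return level_ok
    if environment == "compartmentalized":
        return compartments_ok
    if environment == "hybrid":
        return level_ok and compartments_ok
    raise ValueError(f"unknown MAC environment {environment!r}")


def accessible(subject: Label, objects: dict, environment: str) -> set:
    """Names of the objects this subject may access under the given environment."""
    return {name for name, label in objects.items() if dominates(subject, label, environment)}


# Constructed objects with their classification labels
OBJECTS = {
    "budget": Label("confidential", frozenset()),
    "alpha-plan": Label("secret", frozenset({"alpha"})),
    "alpha-beta-merge": Label("secret", frozenset({"alpha", "beta"})),
    "ts-summary": Label("top secret", frozenset()),
}

# Constructed subject: cleared to Secret, read into compartment alpha only
ANALYST = Label("secret", frozenset({"alpha"}))

if __name__ == "__main__":
    for env in ("hierarchical", "compartmentalized", "hybrid"):
        print(env, sorted(accessible(ANALYST, OBJECTS, env)))
```

The compartmentalized result is the instructive one: with no ordering between domains, the analyst can open the uncompartmented Top Secret summary but not the Secret document that also requires compartment beta. The hybrid environment enforces both constraints at once.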
this XML-based standard is used to exchange authentication and authorization information within federated environments (single sign-on across organizations)
SAML
3 entities involved in SAML
principal or user agent - the user and their browser
service provider (SP) - the website or application the user wants to use
identity provider (IdP) - the third party that authenticates the user and issues assertions
what are the three types of assertions (XML messages) an IdP can send in SAML?
Authentication Assertion
Authorization Assertion
Attribute Assertion
an authorization framework maintained by the IETF
OAuth 2.0
Can you authenticate users with OAuth 2.0?
No. OAuth 2.0 handles authorization only (delegated access to resources); an access token says nothing reliable about who the user is. OpenID Connect adds the authentication layer on top of it.
this standard provides decentralized authentication and allows users to log in to multiple websites with one set of credentials by providing a URI as their identifier
OpenID
an authentication layer built on top of the OAuth 2.0 framework - provides both authentication (via the ID token) and authorization
OpenID Connect (OIDC)
what does RFC 6749 describe?
OAuth 2.0
which auth framework exchanges information using APIs?
OAuth 2.0
which auth framework uses a JSON Web Token (JWT)?
OIDC (its ID token is a signed JWT carrying claims such as issuer, subject, audience, and expiration)
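Added example, not from the flashcards: validating an OIDC ID token with only the Python standard library, showing what a relying party must check on the JWT before trusting it as proof of authentication (signature with a pinned algorithm, issuer, audience, expiry, nonce). HS256 with a constructed shared secret keeps it self-contained; real IdPs normally sign with RS256/ES256 and publish verification keys at the jwks_uri from their discovery document. The issuer URL, client ID and secret are placeholders.

```python
# Added example (not from the flashcards): validating an OIDC ID token (a JWT)
# with only the standard library. HS256 with a constructed shared secret keeps
# it self-contained; real IdPs normally sign with RS256/ES256 and publish
# verification keys at the jwks_uri from their discovery document.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-client-secret"   # placeholder; never hard-code a real secret
ISSUER = "https://idp.example"          # hypothetical IdP
CLIENT_ID = "rp-client-id"              # hypothetical relying party


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """Build header.payload.signature; used here to construct sample tokens."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(sig)])


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str, nonce: str, now=None):
    """Return (True, claims) or (False, reason). Signature first, then the claims
    that bind the token to this issuer, this client, this time and this session."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm: never let the token choose it (alg=none, key confusion)
    if header.get("alg") != "HS256":
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return False, "bad signature"
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not issued for this client"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("nonce") != nonce:
        return False, "nonce mismatch (possible replay)"
    return True, claims


def make_token(now: int, **overrides) -> str:
    """Constructed ID token; overrides let callers build deliberately bad variants."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": "n-0xabc"}
    claims.update(overrides)
    return sign_hs256({"alg": "HS256", "typ": "JWT"}, claims, SECRET)


if __name__ == "__main__":
    t = int(time.time())
    print(validate_id_token(make_token(t), SECRET, ISSUER, CLIENT_ID, "n-0xabc"))
    print(validate_id_token(make_token(t, aud="someone-else"), SECRET, ISSUER, CLIENT_ID, "n-0xabc"))
```

The audience check is the one most often skipped: a token the IdP issued for a different client is still validly signed, so signature verification alone lets a malicious relying party replay it against yours.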
AAA-family protocol that uses ticket-based authentication
Kerberos
what is the primary purpose of Kerberos
authentication
what Kerberos element is the trusted third party that provides authentication services?
Key Distribution Center
what Kerberos element hosts the functions of the Ticket-Granting Service (TGS) and the Authentication Service (AS)?
Kerberos Authentication Server
what Kerberos element is an encrypted message that provides proof that a subject is authorized to access an object?
Ticket
what Kerberos element provides proof that a subject has authenticated through a KDC, and includes a symmetric session key, an expiration time, and the user's IP address?
Ticket-Granting Ticket (TGT)
what Kerberos element is the entity (usually a user, but also a service or host) that receives tickets?
Kerberos Principal
what encryption does Kerberos use?
symmetric-key cryptography; current implementations use AES. Legacy RC4 (and DES) encryption types should be disabled, because RC4-encrypted tickets are far cheaper to crack offline.
This remote authentication service uses UDP and, by default, encrypts only the password exchange (the User-Password attribute); the username and all other attributes travel in cleartext
RADIUS
how can RADIUS encrypt the entire session?
Use RADIUS/TLS (RadSec, RFC 6614), which carries RADIUS over TLS on TCP instead of plain UDP
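Added example, not from the flashcards: what "encrypts only the password" looks like on the wire. The code builds a minimal RADIUS Access-Request and applies the User-Password hiding from RFC 2865 section 5.2 (MD5 of the shared secret and the Request Authenticator, XORed with the password in 16-byte blocks), then parses the packet the way a sniffer would. The shared secret, authenticator, username and password are constructed values.

```python
# Added example (not from the flashcards): what "encrypts only the password"
# means on the wire. This builds a minimal RADIUS Access-Request and applies the
# User-Password hiding from RFC 2865 section 5.2 with the standard library.
# The shared secret, authenticator, username and password are constructed.
import hashlib
import os
import struct

USER_NAME, USER_PASSWORD = 1, 2   # attribute type codes from RFC 2865
ACCESS_REQUEST = 1                 # packet code


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    Anyone holding the shared secret can reverse it; it is obfuscation, not AEAD."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("password exceeds the 128-byte limit")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(identifier: int, authenticator: bytes, username: bytes,
                   password: bytes, secret: bytes) -> bytes:
    attrs = attribute(USER_NAME, username)  # sent in cleartext
    attrs += attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV attributes after the 20-byte header (what a sniffer sees)."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)
    pkt = access_request(7, authenticator, b"alice", b"correct horse battery", secret)
    on_wire = parse_attributes(pkt)
    print("User-Name on the wire:    ", on_wire[USER_NAME])
    print("User-Password on the wire:", on_wire[USER_PASSWORD].hex())
    print("recovered with the secret:", reveal_password(on_wire[USER_PASSWORD], secret, authenticator))
```

Two things follow directly from the code: the username is readable by anyone on the path, and the password hiding depends entirely on the shared secret, which is why weak or reused RADIUS secrets matter and why RADIUS/TLS is the fix for anything beyond the password attribute.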
this Cisco authentication service uses separate processes for authentication, authorization, and accounting (and runs over TCP)
TACACS+
what does TACACS+ encrypt?
the entire packet body (all authentication, authorization, and accounting data); only the header is cleartext
an attacker steals credentials and can log in as the user
impersonation attack
when an attacker sends a captured password hash (rather than the password itself) to an authenticating service
pass-the-hash
Kerberos attacks
Overpass the Hash - uses a stolen NTLM hash (or AES key) to request a Kerberos TGT
Pass the Ticket - reuses a stolen Kerberos ticket (TGT or service ticket) to access services
Silver Ticket - forges a service ticket using a service account's password hash
Golden Ticket - forges a TGT using the krbtgt account's hash, granting access across the whole domain
Kerberos Brute-Force - guesses passwords against the KDC (shows up as repeated pre-authentication failures)
ASREPRoast - requests AS-REP data for accounts with Kerberos pre-authentication disabled and cracks it offline
Kerberoasting - requests service tickets for accounts with SPNs and cracks the service account's password offline
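Added example, not from the flashcards: detection logic for three of the attacks above (Kerberoasting, ASREPRoast, Kerberos brute force), run over a constructed stream of Windows Security events. Event IDs 4768 (TGT requested) and 4769 (service ticket requested) and their field names follow the Windows event schema; the thresholds, account names, addresses and timestamps are made up for illustration.

```python
# Added example (not from the flashcards): detection logic for three of the
# Kerberos attacks listed above, run over constructed Windows Security events
# (4768 = TGT requested, 4769 = service ticket requested). Field names follow
# the Windows event schema; every value below is made up.
from collections import defaultdict

RC4_HMAC = 0x17         # etype 23: ticket crackable offline far faster than AES
AES256 = 0x12
NO_PREAUTH = 0          # 4768 PreAuthType 0: TGT issued without pre-authentication
PREAUTH_FAILED = 0x18   # KDC_ERR_PREAUTH_FAILED: wrong password for an existing account


def is_roastable_service(service_name: str) -> bool:
    """Computer accounts (name ends in '$') have long random passwords; Kerberoasting
    targets SPNs on ordinary user accounts with human-chosen passwords."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect(events, window=60, roast_threshold=3, bruteforce_threshold=5):
    """Return findings as (kind, who, detail) tuples."""
    findings = []
    tgs_by_user = defaultdict(list)      # requester -> [(time, service)]
    failures_by_ip = defaultdict(list)   # source -> [time of pre-auth failure]

    for e in events:
        if e["EventID"] == 4769 and e["Status"] == 0x0:
            if e["TicketEncryptionType"] == RC4_HMAC and is_roastable_service(e["ServiceName"]):
                findings.append(("kerberoast-rc4", e["TargetUserName"], e["ServiceName"]))
            tgs_by_user[e["TargetUserName"]].append((e["Time"], e["ServiceName"]))
        elif e["EventID"] == 4768:
            if e["Status"] == 0x0 and e["PreAuthType"] == NO_PREAUTH:
                findings.append(("asreproast", e["TargetUserName"], e["IpAddress"]))
            elif e["Status"] == PREAUTH_FAILED:
                failures_by_ip[e["IpAddress"]].append(e["Time"])

    # Burst heuristic: one account requesting tickets for many distinct SPNs at once
    for user, reqs in tgs_by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - t0 <= window and is_roastable_service(s)}
            if len(services) >= roast_threshold:
                findings.append(("kerberoast-burst", user, len(services)))
                break

    # Password guessing: repeated pre-auth failures from one source in a short window
    for ip, times in failures_by_ip.items():
        times.sort()
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= window)
            if count >= bruteforce_threshold:
                findings.append(("kerberos-bruteforce", ip, count))
                break
    return findings


def tgs_event(time, user, service, etype, ip="10.0.0.5"):
    return {"EventID": 4769, "Time": time, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": 0x0, "IpAddress": ip}


def tgt_event(time, user, preauth, status, ip):
    return {"EventID": 4768, "Time": time, "TargetUserName": user, "PreAuthType": preauth,
            "TicketEncryptionType": AES256, "Status": status, "IpAddress": ip}


# Constructed event stream: one normal logon, then three attacks
SAMPLE_EVENTS = [
    tgt_event(50, "jdoe@CORP", 2, 0x0, "10.0.0.5"),             # normal logon with pre-auth
    tgs_event(100, "jdoe@CORP", "FS01$", AES256),                # normal file-server ticket
    tgs_event(200, "jdoe@CORP", "svc_sql", RC4_HMAC),            # Kerberoasting: RC4 tickets
    tgs_event(201, "jdoe@CORP", "svc_web", RC4_HMAC),            #   for several SPN user
    tgs_event(202, "jdoe@CORP", "svc_backup", RC4_HMAC),         #   accounts within seconds
    tgt_event(300, "legacyapp", NO_PREAUTH, 0x0, "10.0.0.5"),    # ASREPRoast: no pre-auth
] + [tgt_event(400 + i, "admin", 2, PREAUTH_FAILED, "10.0.0.99") for i in range(6)]  # guessing

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The RC4 check is the high-signal one in an AES-only domain, which is why the Kerberos encryption card above matters operationally: once RC4 is disabled, a single 0x17 service ticket request for a user account is worth an alert on its own, and the burst heuristic catches tooling that requests AES tickets instead.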