Chapter 14 Flashcards
Kerberos
KDC (Key Distribution Center) - Kerberos Authentication Server
- hosts KDC functions
- Ticket granting service
- authentication service
Ticket-Granting Ticket (TGT) - used to request a Service Ticket
Tickets can expire
Kerberos principal - user or ticket requester
Uses AES
Used by (and integrated with) MS Active Directory
RADIUS
RADIUS:
- Encrypts password only
- UDP 1812/1813
RADIUS/TLS:
- encrypts the entire session
- TCP 2083
TACACS+
Open standard
Created by Cisco
TCP 49
Separates authentication, authorization, and accounting (AAA) into their own services
Encrypts all auth info, not just password
Better than RADIUS
Internal SSO protocols (AAA)
- Kerberos (most common)
- RADIUS
- TACACS+
Internet/Web SSO protocols
- SAML - authentication and authorization assertions (exchanged info); roles: Principal, Service Provider, Identity Provider
- OAuth - authorization only; uses tokens
- OpenID - authentication; ID provider
- OpenID Connect (OIDC) - incorporates OAuth for authorization; JWT for tokens
Permission - usually applies to an information object, e.g. a file
Right - an action
Privilege - permission + right
Access control matrix (ACL) - focuses on objects
Capability table - focuses on the user/subject
- Content-dependent access controls - restrict access to data based on the content within an object.
- Context-dependent access controls - require specific activity before granting users access.
Access Control Types
- Discretionary access control - managed by the owner via ACLs
- Non-discretionary access control - centrally managed by admin
- Role-based
- Rule-based - used in firewalls
- Attribute-based - more advanced implementation of rule-based; used by SDN
- Mandatory access control - uses labels; lattice-based; Hierarchical, Compartmentalized, Hybrid
- Risk-based - considers environment, situation, security policies
Access Control attacks
Password attack
Brute-force attack
Spraying attack - circumvents lockouts by rotating attempts across different accounts
Credential stuffing - tries compromised user credentials on other sites