Chapter 8 Identity and Password Management Flashcards
Identities
Set of claims made about a subject. Subject can be a person, application, device, organization, etc. Identities are linked to information about the subject. This info includes ATTRIBUTES, or information about the subject.
Attributes vs. Traits
Attributes are changeable things like title or address. Traits are inherent, like place of birth.
SSH Keys
Cryptographic representations of Identity that replace username and password.
EAP (Extensible Authentication Protocol)
Authentication framework for wireless networks. Integrates with 802.1X
PAP (Password Authentication Protocol)
Password centric authentication protocol. More modern solutions such as CHAP and EAP have replaced it.
CHAP (Challenge Handshake Authentication Protocol)
Uses an encrypted challenge and a three-way handshake to send credentials. More secure than protocols like PAP.
RADIUS
AAA system for network devices. Passwords are obfuscated by a shared secret and MD5 hash, meaning password security isn’t strong.
TACACS+
Cisco proprietary protocol that uses TCP traffic to provide AAA services. Provides full packet encryption as well as granular command controls.
Kerberos
Network authentication protocol that allows communication over a non-secure network.
- Works on the basis of tickets to allow nodes communicating over a non-secure network to provide their identity to one another in a secure manner. Comprised of 3 elements, the primary, the instance, and realms. Can use SSO.
Kerberos Tickets
When a client wants to access a network service they request an authentication ticket, or ticket granting ticket (TGT). An authentication server checks the clients credentials and responds with the ticket, which is encrypted using the ticket granting service’s (TGS) key.
SAML (Security Assertion Markup Language) “Internet systems often rely on a number of core technologies to accomplish Authentication and Authorization”
XML based open standard for exchanging authentication and authorization information. Common solution for federated environments because it can accept SAML assertions from a range of identify providers.
OpenID open identity provider (IdP)
Open standard for decentralized authentication, can be leveraged for third party sites. (think Log In with Google). Relying Parties (RPs) direct authentication to the IdP and receive a response back.
OAuth
Open standard for authorization. OAuth provides a method for users to determine what information to provide to third-party applications and sites without sharing credentials.
SSO (Single Sign On)
SSO allows user to log in with single identity and use multiple systems/services without re-authenticating. *Additional authentication may be required for privileged accounts.
Federation
A federated environment allows different organizational units to work together through a defined contract.
IdP (Identity Provider)
Provides identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be.
SP (Service Providers)
Provide services to users whose identities have been attested to by an IdP.
RP (Relying Party)
Similar meaning to service party, the RP will require authentication and identity claims from an IdP.
LDAP (Lightweight Directory Access Protocol)
Used to manage and communicate with directories.
Protocol for enabling anyone to locate data about organizations, individuals, and other resources such as files and devices in a network. Often broken into OU (organizational units) and CN (Common Names).
MFA (multi-factor authentication) 3 factors
Something you know- passwords, PINs, answer to security question.
Something you have- smartcard, token, security key.
Something you are- fingerprint, retina scan, even typing speed.
MFA attributes
Somewhere you are- physical location (location factor)
Something you can do- picture password, (I am not a robot)
Something you can exhibit- behavior pattern
Someone you know- trusted relationships
TOTP (Time-based One Time Password)
Uses algorithm to derive a one-time password using the current time as part of the code-generation process (Google Authenticator). Codes valid for a set period of time.
HOTP (HMAC-based One-Time Password)
HMAC Based One Time Password, HMAC stands for Hash-based Message Authentication Code. HOTP uses a seed value that both the token or HOTP app and validation server use, as well as a moving factor. You typically press a button, moving factor is a counter, which is stored on the token and server. The codes are iterative so they can be checked for last known use of the token.
SMS One Time Password
SMS sent to phone with authentication code. Less secure than both TOTP and HOTP.
Push Notification Authentication
Sometimes used when hardware, software tokens and SMS aren’t suitable. Not as secure as other methods of authentication.
Static Codes
At times there is a need for a one time password that doesn’t require connectivity. Static codes are algorithmically pre-generated and printed or stored in a secure location (creating new risk).
Biometrics - FRR and FAR
False Rejection Rate is when legitimate biometric measures are presented and the system rejects it.
False Acceptance Rate is when illegitimate biometric measures are presented and the system accepts it.
Biometrics - ROC and CRR
Relative Operating Characteristic compares FRR and FAR, typically a graph. As you decrease FAR, you increase FRR. System should balance both. CRR is the point on the graph where the two lines intersect.
Knowledge Based Authentication
KBA is frequently used for password resets in the form of security questions. Also used to validate users creating accounts. Generated from things the account requestor should know, such as last years tax return amount, or previous home address street number. NOT likely to be your pet name or first car since these things are easily discoverable.
Managing Passwords
Password Vaults are software solutions that manage store and secure passwords.
TPM (Trusted Platform Module) Standard
TPM Modules have crypto-processors that store RSA key pairs protected by a password set by the user.
International Standard.
HSM (Hardware Security Module)
Physical security device that manages and secures digital keys, performs encryption/decryption for digital signatures and strong authentication. Traditionally in the form of a plug in card, cloud providers now provide HSMs as a service, allowing secure HSMs to cloud infrastructure.
Privileged Access Management
PA tools can be used to ensure the concept of least privilege, allowing only minimum privileges needed for a role/task.
Access Control: ABAC
Attribute Based Access Control relies on attributes of the user., allowing rulesets based on attributes that provide the user with specific rights based on the attributes they have. Can be very flexible, but ABAC policies can be complex to manage as a result of that flexibility.
Access Control: RBAC
Role Based Access Control systems rely on roles that are matched with the privileges that are assigned to those roles. 3 Rules:
Role Assignment - subject can only use permissions matching role they’ve been assigned.
Role Authorization - subjects active role must be authorized for the subject. (prevents subjects from taking on roles not assigned to them.)
Permission Authorization - subjects can use only permissions that their active role is allowed to use.
Access Control: RuBAC
Rule Based Access Control is applied using set of rules, or access control lists (ACLs) that apply to various objects/resources. When an attempt is made to access an object, the rule is checked to see if the access is allowed.
Access Control: MAC
Mandatory Access Control systems rely on the operating system to enforce control as set by a security policy administrator. Relatively rare compared to DAC.
Access Control: DAC
Discretionary Access Control is access control in which the owner delegates rights and permissions to those objects they desire. This is how most people run home PCs. Linux Default setup.
Security+ Specific Access Controls
Privileged Access Management is the set of controls, tools, and processes used to handle privileges for elevated accounts and rights.
Conditional Access describes the process of testing security state of devices and users before allowing access to data, networks and other resources.
Filesystem Controls
Filesystem controls determine which accounts, users, groups, or services can perform actions like reading, writing, and executing files.
What is DHCP?
Dynamic Host Configuration Protocol is a network management protocol used to assign local IP addresses to devices on a network.
What is TLS
Transport Layer Security is an encryption protocol that replaced SSL.
What is TCP and UDP
Transmission Control Protocol is a connection oriented protocol whereas UDP is a connectionless protocol. Key difference is speed, UDP is much faster.
When is it appropriate to use either TCP or UDP?
TCP should be used when security is more important than speed, such as in file transfers. TCP can retransmit lost packets of data.
UDP should be used when speed is more important than security, such as live streaming or video gaming.
What is AAA refer to?
Authentication, Authorization, and Accounting.
