Chapter 8 Identity and Password Management Flashcards
Identities
Set of claims made about a subject. The subject can be a person, application, device, organization, etc. Identities are linked to information about the subject, which includes ATTRIBUTES (see below).
Attributes vs. Traits
Attributes are changeable things like title or address. Traits are inherent, like place of birth.
SSH Keys
Cryptographic representations of Identity that replace username and password.
EAP (Extensible Authentication Protocol)
Authentication framework for wireless networks. Integrates with 802.1X.
PAP (Password Authentication Protocol)
Password-centric authentication protocol. More modern solutions such as CHAP and EAP have replaced it.
CHAP (Challenge Handshake Authentication Protocol)
Uses an encrypted challenge and a three-way handshake to send credentials. More secure than protocols like PAP.
RADIUS
AAA system for network devices. Passwords are obfuscated using a shared secret and an MD5 hash, so password security isn't strong.
TACACS+
Cisco proprietary protocol that uses TCP traffic to provide AAA services. Provides full packet encryption as well as granular command controls.
Kerberos
Network authentication protocol that allows communication over a non-secure network.
Works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Composed of three elements: the primary, the instance, and the realm. Can use SSO.
Kerberos Tickets
When a client wants to access a network service, it requests an authentication ticket, or ticket granting ticket (TGT). An authentication server checks the client's credentials and responds with the ticket, which is encrypted using the ticket granting service's (TGS) key.
SAML (Security Assertion Markup Language) “Internet systems often rely on a number of core technologies to accomplish Authentication and Authorization”
XML-based open standard for exchanging authentication and authorization information. Common solution for federated environments because it can accept SAML assertions from a range of identity providers.
OpenID open identity provider (IdP)
Open standard for decentralized authentication that can be leveraged by third-party sites (think "Log in with Google"). Relying Parties (RPs) direct authentication to the IdP and receive a response back.
OAuth
Open standard for authorization. OAuth provides a method for users to determine what information to provide to third-party applications and sites without sharing credentials.
SSO (Single Sign On)
SSO allows a user to log in with a single identity and use multiple systems/services without re-authenticating. *Additional authentication may be required for privileged accounts.
Federation
A federated environment allows different organizational units to work together through a defined contract.
IdP (Identity Provider)
Provides identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be.
SP (Service Providers)
Provide services to users whose identities have been attested to by an IdP.
RP (Relying Party)
Similar in meaning to service provider; the RP requires authentication and identity claims from an IdP.
LDAP (Lightweight Directory Access Protocol)
Used to manage and communicate with directories.
Protocol that enables anyone to locate data about organizations, individuals, and other resources such as files and devices in a network. Directories are often broken into OUs (organizational units) and CNs (common names).
MFA (multi-factor authentication): 3 factors
Something you know - passwords, PINs, answers to security questions.
Something you have - smartcard, token, security key.
Something you are - fingerprint, retina scan, even typing speed.
MFA attributes
Somewhere you are - physical location (location factor).
Something you can do - picture password, "I am not a robot" checks.
Something you can exhibit - behavior pattern.
Someone you know - trusted relationships.
TOTP (Time-based One Time Password)
Uses an algorithm to derive a one-time password, using the current time as part of the code-generation process (e.g., Google Authenticator). Codes are valid for a set period of time.
HOTP (HMAC-based One-Time Password)
HMAC stands for Hash-based Message Authentication Code. HOTP uses a seed value shared by the token (or HOTP app) and the validation server, as well as a moving factor. The moving factor is a counter, stored on both the token and the server, that advances each time you press the button to generate a code. Because the codes are iterative, the server can check them against the last known use of the token.
SMS One Time Password
SMS sent to phone with authentication code. Less secure than both TOTP and HOTP.