Comparing Authentication Services Flashcards
What is NTLM ?
What key security principles does it support?
Which version of it is not recommended, and why?
What is the difference between NTLMv2 and NTLM2 session security?
What does Microsoft recommend developers use instead?
New Technology LAN Manager: a family of Microsoft challenge-response protocols that provide authentication, integrity (message signing) and confidentiality (message sealing) between Windows systems.
NTLM version 1 (and the older LAN Manager hash it can fall back to) is not recommended. The NT hash is an unsalted MD4 hash of the password, MD4 is a cryptographically broken algorithm, and the v1 response is built with DES from that hash, so a captured exchange can be cracked offline to recover the hash or the password.
NTLMv2 replaces the DES-based response with HMAC-MD5 over the server challenge plus a client-supplied blob (timestamp, client nonce, target information); note that the HMAC key is still derived from the same unsalted MD4 NT hash. NTLM2 session security keeps the v1 response format but mixes a client nonce into the challenge and derives stronger session keys for signing and sealing. Neither variant gives the client proof of the server's identity; NTLM does not provide mutual authentication, which is one reason Kerberos is preferred.
Developers should use the 'Negotiate' security package (SPNEGO), which selects Kerberos when both machines support it and falls back to NTLM only when they do not.
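The NT hash, NTLMv2 key derivation and NTLMv2 response described in the answers above, as an added example that is not part of the flashcards. It also shows what the unsalted MD4 hash means in practice: anyone who captures one NTLMv2 exchange can recompute the HMAC for candidate passwords offline and compare it with the captured proof. MD4 is implemented inline because OpenSSL 3 ships it only as a legacy algorithm, so hashlib.new("md4") is not always available. The user, domain, challenge, blob contents and passwords are constructed values.

```python
"""Added example: NT hash, NTLMv2 response, and offline cracking of a captured exchange."""
import hmac
import hashlib
import struct

_MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. Cryptographically broken; present only because NTLM needs it."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, range(16), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = (-i) % 4                         # register updated this step: a, d, c, b, a, ...
                r[a] = _lrot((r[a] + fn(r[(a + 1) % 4], r[(a + 2) % 4], r[(a + 3) % 4])
                              + x[k] + const) & _MASK, shifts[i % 4])
        state = [(s + v) & _MASK for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). No salt: equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le"))


def ntlmv2_key(password: str, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def make_blob(client_challenge: bytes, timestamp: int, target_info: bytes) -> bytes:
    """Minimal NTLMv2 'temp' structure; timestamp and client nonce make each response unique."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NtProofStr = HMAC-MD5(NTOWFv2, server_challenge || blob); the response is proof || blob."""
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def crack_ntlmv2(user: str, domain: str, server_challenge: bytes, response: bytes, wordlist):
    """Offline attack: everything but the password is in the captured exchange, so just guess."""
    proof, blob = response[:16], response[16:]
    for candidate in wordlist:
        guess = hmac.new(ntlmv2_key(candidate, user, domain), server_challenge + blob, hashlib.md5).digest()
        if hmac.compare_digest(guess, proof):
            return candidate
    return None


# Constructed demonstration values (not captured from any real system).
USER, DOMAIN, PASSWORD = "alice", "CORP", "Winter2024!"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = make_blob(client_challenge=bytes.fromhex("fedcba9876543210"),
                 timestamp=0x01D9F0A2B3C4D5E6,
                 target_info=b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00" * 4)
RESPONSE = ntlmv2_response(ntlmv2_key(PASSWORD, USER, DOMAIN), SERVER_CHALLENGE, BLOB)

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("Recovered from captured NTLMv2 exchange:",
          crack_ntlmv2(USER, DOMAIN, SERVER_CHALLENGE, RESPONSE, ["Summer2023!", "Winter2024!"]))
```

The cracking loop is the whole reason the flashcard warns about the hash: the server challenge, client blob and proof all travel on the wire, so the only unknown is the password, and each guess costs one MD4 plus two MD5 HMACs. Kerberos avoids this exposure by never sending a password-derived MAC of a plaintext challenge.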
How does Single Sign On increase security?
It means users have fewer passwords to remember and so are less likely to write them down or reuse them.
What are transitive trusts?
What authentication method do transitive trusts support?
Transitive trusts create an indirect trust relationship between two child domains that both trust the same parent: if A trusts B and B trusts C, then A trusts C without a separate direct trust.
They support single sign-on.
What Extensible Markup Language based data format is used for SSO on web browsers?
Security Assertion Markup Language
What could two organisations who trusted each other use to enable users logging into their websites to access both of them freely?
They can use SAML (Security Assertion Markup Language) for single sign-on as a federated identity management system.
What 3 roles does SAML define?
Principal - typically a user
Identity provider - manages identity information for principals and issues assertions about them
Service provider - provides services to principals and relies on the identity provider's assertions
SSO provides authorization, true or false?
FALSE. It provides identification and authentication; what a signed-in user is allowed to do is still decided by each application's own authorization.
What is the term given to a central authentication system for a nonhomogenous environment?
A federated identity management system
What is the name of a popular open source federated identity management system that uses SAML?
Shibboleth
What popular open standard for authorization lets a client application obtain access to a user's resources at an online service, with that service's authorization/identity provider (e.g. the user's Google account) granting the access instead of the user handing the client a password?
OAuth
Using the example of using Google credentials on another app/service. Why is OAuth considered an authorization method and not authentication?
Because the application using OAuth is asking Google for permission to access identity and content information in your Google account. Google presents the credentials prompt and verifies the credentials itself; that is the authentication step, and it happens between you and Google, not between you and the application. What the application receives afterwards is an access token that authorizes it to read your Google profile information; on its own, an access token says what the bearer may do, not who the user is.
What works with OAuth 2.0 to provide authentication of users for clients (clients being websites). What does it save the client doing?
OpenID Connect.
It saves the client from storing and handling its own user credentials: OpenID Connect returns a signed ID token alongside the OAuth access token, so the client learns who authenticated without ever seeing a password. It also streamlines the experience for users by letting them use their Facebook credentials, for instance, instead of creating a new user login.
The OAuth and SAML process often uses tokens as part of the authorization process, true or false?
TRUE
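The OAuth/OpenID Connect exchange described in the cards above, as an added example that is not part of the flashcards: a simulated authorization-code flow in which the identity provider authenticates the user and hands the client two tokens, an OAuth access token (what the client may do) and an OpenID Connect ID token (who authenticated). The client only counts the user as logged in after checking the ID token's signature, issuer, audience, nonce and expiry; with a plain OAuth scope it gets an access token but no verifiable identity. All names, URLs, secrets and user accounts are made up, and HS256 with a shared key stands in for the RSA-signed tokens a real provider would publish keys for.

```python
"""Added example: OAuth 2.0 code flow with an OpenID Connect ID token. Everything here is constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256(header.payload))."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


class AuthorizationServer:
    """Plays the identity provider's role (the 'Google' of the flashcard). Hypothetical issuer URL."""
    ISSUER = "https://idp.example"

    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.users = {"alice": "correct horse battery staple"}   # constructed account
        self.clients = {"photo-app": "client-secret-1"}          # constructed registered client
        self.codes = {}

    def authorize(self, client_id, scope, nonce, username, password):
        """The credentials prompt. This is the authentication step, and only the IdP sees the password."""
        if client_id not in self.clients or self.users.get(username) != password:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "scope": scope, "nonce": nonce, "sub": username}
        return code

    def token(self, code, client_id, client_secret):
        """Code exchange: returns an access token, plus an ID token only if 'openid' was requested."""
        grant = self.codes.pop(code, None)                       # codes are single-use
        if grant is None or grant["client_id"] != client_id or self.clients.get(client_id) != client_secret:
            return None
        now = int(time.time())
        access_token = jwt_sign({"iss": self.ISSUER, "sub": grant["sub"], "scope": grant["scope"],
                                 "exp": now + 3600}, self.key)
        id_token = None
        if "openid" in grant["scope"].split():
            id_token = jwt_sign({"iss": self.ISSUER, "sub": grant["sub"], "aud": client_id,
                                 "nonce": grant["nonce"], "iat": now, "exp": now + 300}, self.key)
        return {"access_token": access_token, "token_type": "Bearer", "id_token": id_token}


def verify_id_token(token: str, key: bytes, expected_aud: str, expected_nonce: str, now=None) -> dict:
    """The checks a client must make before an ID token proves who logged in."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != AuthorizationServer.ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token was issued to a different client")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch, possible replay")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def id_token_is_valid(token, key, expected_aud, expected_nonce, now=None) -> bool:
    try:
        verify_id_token(token, key, expected_aud, expected_nonce, now)
        return True
    except ValueError:
        return False


def login_with_idp(idp, client_id, client_secret, scope, username, password):
    """Client side of the flow. Returns the verified subject, or None if no authenticated identity was obtained."""
    nonce = secrets.token_urlsafe(8)                               # binds the ID token to this login attempt
    code = idp.authorize(client_id, scope, nonce, username, password)
    if code is None:
        return None
    tokens = idp.token(code, client_id, client_secret)
    if tokens is None or tokens["id_token"] is None:
        return None   # plain OAuth: the client can call APIs but has no verified statement of who the user is
    return verify_id_token(tokens["id_token"], idp.key, client_id, nonce)["sub"]


if __name__ == "__main__":
    idp = AuthorizationServer(secrets.token_bytes(32))
    print(login_with_idp(idp, "photo-app", "client-secret-1", "openid profile", "alice", "correct horse battery staple"))
    print(login_with_idp(idp, "photo-app", "client-secret-1", "profile", "alice", "correct horse battery staple"))
```

The audience check is the one most often skipped in practice: an ID token minted for one client and replayed to another is still validly signed by the same issuer, so a client that only checks the signature can be logged in as someone who never authenticated to it.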
SAML can’t be used with what?
Native mobile applications, because SAML's Web Browser SSO profile assumes the client is a web browser that can be redirected between the service provider and the identity provider; mobile apps usually use OpenID Connect instead.