Domain 5 - Identity and Access Management Flashcards
Crossover Error rate
point where false reject rate and false accept rate equal
Represents the overall accuracy of system.
False accept rate
occurs when unauth subject is accepted by a biometric system as valid. AKA Type 2 error
False reject rate
when an authorized subject is falsely rejected. Type 1 error
Type 1 authentication
something you know
password
type 2 auth
something you have (key, keycard)
Type 3
something you are (biometric)
Credential set
term used for combination of identification and authentication.
Passphrase
long password in the form of a sentence. Usually less random.
One time passwords
used for single auth. Very secure but difficult to manage.
NIST 800-63B guideline
guidelines for password complexity
Dynamic Passwords
change at regular intervals. RSA Security makes a synchronous token every 60 seconds.
Expensive
Strong authentication
AKA Multifactor authentication
Password hashes and pass cracking
password is run through a hash and the hash is stored in DB
Linux password hashes
stored in /etc/shadow. Only readable by root
Windows password hash
stored locally and on domain controller in SAM File/security management file.
Dictionary attack
run large list of words through hash algs to try and find collision.
Brute force attack
Go through the entire key space. All combos
Hybrid attack
appends, prepends, or changes characters in words from a dictionary before hashing. Attempts fastest crack of complex passwords.
Rainbow table
large dictionary of HASHED passwords. Trades off lower CPU resources required for more storage required.
Salts
random value added to pre-hash value. Ensures the same password doesn’t have the same hash twice.
Password MGMT: Password history
remember the last 24 passwords
Password MGMT: Max password age
90
Password MGMT: Min password age
2 days
Password MGMT: Min password length
8 char
Password MGMT: Storage
use non-reversible encryption. i.e. hashing
Synchronous Dynamic Token
Time or Counters are synced with an auth server.
Google Authenticator, RSA SecurID
Asynchronous Dynamic Token
Not synced with a central server. Most common variety are challenge response tokens (CHAP)
Biometrics - accuracy
high accuracy needed
Biometrics - data storage
should be less than 1000 bytes
Enrollment
How long it takes to get biometrics initially entered into a system for a user
Throughput
How long it takes to be authenticated w/biometric system
Retina scan
scans back of eye
iris scan
picture of front of eye.
Hand geometry scan
measures specific points of hand. Can store data in as little as 9 bytes.
Keyboard dynamics
measures how you type. Not super accurate.
Dynamic signature
measures how someone signs their name.
voice print
vulnerable to replay attacks. Measures subjects tone of voice while stating a specific phrase.
Facial scan/recognition
really accurate.
centralized access control
centralized system to provide AAA services
Decentralized access control
AC is pushed to perimeter. Branch offices. Provides more local power. Each site has control over data.
DAC vs DAC
Decentralized access control or Discretionary access control.
SSO
Single sign on
SSO
Allows multiple systems to use a central auth server.
Allows sec admins to add, change, or revoke permissions on one central system
SSO
Disadvantages of SSO
difficult to retrofit
Unattended desktop is a juicier target. Gives access to more.
Single point of attack.
Access provisioning lifecycle
lifecycle of an identity in an AAA system. Accounts for everything from onboarding through to leaving the organization.
IBM identity lifecycle rules
- password policy compliance checking
- notify users to change passwords before they expire.
- Identify lifecycle changes such as accounts that haven’t been used for 30 days.
- Identify new accounts that have not been used for 10 days.
- Identify candidates for deletion because they’ve been suspended for 30 days.
- when a contract expires, identify all accts belonging to a business partner and revoke access.
Authorization creep/Access Aggregation
subjects maintain old authorization while gaining new.
Federated identity management
Applies SSO at a wider scale. cross organization to internet.
microsoft acct, google acct, github and others.
SAML
XML based framework for exchanging sec info, including auth.
IDaaS
Identity as a Service.
LDAP
lightweight directory access protocol. Common, open protocol for interfacing and querying directory service info. TCP/UDP 389
LDAPS
LDAP over TLS
Kerberos
third party auth service that is used for SSO
AAA
Kerberos key distrib model
Needham and Schroeder
Needham and Schroeder key protocol
symmetric encryption alg. Base of Kerberos protocol. Aims to establish a secure session key over an insecure network.
Kerberos SSO
secret key encryption.
Kerberos authentication
Mutual authentication.
Current kerberos version
5
Kerberos principal
client/user
Kerberos realm
logical kerberos network
Kerberos ticket
data that authenticates the principal's identity
Kerberos creds
ticket + service key
Kerberos KDC
Key distribution center, authenticates principals
Kerberos TGS
ticket granting service
Kerberos TGT
ticket granting ticket
Kerberos C/S
client server. Regarding comms between the two.
Kerberos weaknesses
KDC Stores plaintext keys
Compromise of KDC can be a compromise of every key
KDC and TGS are single points of failure
Replay attacks are possible for the lifetime of the authenticator.
SESAME
secure european system for applications in a multi vendor environment
Fixes kerberos weakness of plaintext keys, by using asymmetric encryption.
SESAME PACs
private attribute certificate - in place of Kerberos tickets.
RADIUS
remote user dial in user servers
RADIUS RFCs
2865 and 2866
RADIUS Ports
1812 (auth) and 1813 (accounting) both UDP
RADIUS old ports
1645 1646 UDP
RADIUS AVP
attribute value pairs
Diameter
RADIUS successor
Diameter
32 bit AVP instead of 8 bit
Diameter port
TCP instead of UDP 1812, 1813
Diameter RFC
3588 draft, 6733 official
TACACS and TACACS+
UDP 49 Not backwards compatible.
TACACS
auth is similar to RADIUS
AD One way trust
active directory, trust that provides access from the trusted domain to resources in the trusting domain
AD two way trust
both domains trust each other fully
AD Nontransitive
Only the explicitly trusted domains have a trust relationship
If I trust Domain A, and Domain A trusts Domain B. I do not trust Domain B.
AD Transitive
If I trust Domain A, and Domain A trusts Domain B. I also trust domain B.
Non discretionary Access Control
NDAC - Major difference is that NDACs are centrally administrated, and can make changes that affect the entire environment.
DAC -
Discretionary Access Control:
Subjects may have full control of objects. i.e. I have permission to edit certain work documents. Windows, Linux and Unix use DAC
MAC
Mandatory Access Controls subjects and objects have clearances and labels.
subject may access only objects of their clearance or lower
Password guessing
Online attempt to authenticate with a guessed password
PAP
Insecure auth AAA Protocol. Cleartext
CHAP
Challenge Handshake Auth Protocol. More secure than PAP
RBAC
Role Based Access Control
Users are grouped by roles (i.e. doctors, nurses). Permissions/access is granted per role, not per individual.
RBAC is a Type of Nondiscretionary Access control NAC
Task-based Access Control
Similar to RBAC, but refined down to giving access based on the tasks/actions an end user would take.
i.e. not all nurses would have the same access. Family practice nurses would not need or want the same access as a surgical nurse.
rule-based access control
fairly self-explanatory. Uses if/then statements to code rules.
Content dependent AC
Defense in depth additional layer.
Takes into account the nature of the content a user is accessing. I.e. a user has access to HR records, but only their HR records
Context Dependent AC
Brings into consideration additional context. I.e. time or location.