Domain 5: Identity and Access Management Flashcards
Authentication Methods
Type 1- Something you know (Password, Pin)
Type 2- Something you have (Token, phone)
Type 3- Something you are
Type 4- Some place you are
Credential Set
Term used for the combination of both the identification and authentication of a user
Type 1 Authentication
.Dynamic Passwords change at regular intervals
.Strong authentication = multifactor
Dictionary attack
.Uses a word list: a predefined list of words
.Fast but least effective
Rainbow Table
.Acts as a database that contains the precomputed hashed output for most or all words
Hybrid attack
.Appends, prepends, or changes the characters in dictionary words before hashing to attempt the fastest crack of complex words
Type 2 Authentication
.Requires the user to possess something
.Token, card, phone, etc
Synchronous Dynamic Token
.Synchronized with a central server
.Challenge-response token most common
False Reject Rate (FRR)
.When an authorized subject is rejected by the biometric system
.Type 1 error
False Accept Rate (FAR)
.When an unauthorized subject is accepted as valid by a biometric system
.Type 2 error
.Worse
Asynchronous Dynamic Tokens
.Not synchronized with a central server
.Challenge-response token most common
Crossover Error Rate (CER)
.Describes the point where the FRR and the FAR are equal
.Also known as the Equal Error Rate (EER)
Retina Scans
.Can seem intrusive due to privacy concerns
.Can reveal health conditions
Centralized Access Control
.One logical point
.Can be used for Single Sign On (SSO)
Decentralized Access Control
.Allows IT administration to occur closer to the mission and operations of the organization
.Provides more local power.
.Each site has control over its data
Single Sign On (SSO)
.Allows multiple systems to use a centralized authentication server
.Users authenticate once and then access multiple systems
.Improves user productivity
.Improves developer productivity
.Simplifies administration
Federated Identity Access (FIdM)
.SSO across organizations
.Trusted authority for digital identities across multiple organizations
.SAML, OAuth, OpenID
LDAP
Lightweight Directory Access Protocol
.TCP/UDP Port 389
.LDAPS (LDAP over TLS) TCP 636 and 3269
Kerberos
.Network authentication system for use on physically insecure networks
.Allows entities communicating over networks to prove their identity to each other while preventing eavesdropping
.Provides data stream integrity and secrecy using cryptographic systems
.Uses secret key (symmetric) encryption
.Provides mutual authentication of both clients and servers
.Mitigates replay attacks via the use of timestamps
.KDC stores plaintext keys of all principals
Kerberos Components
- Principal: Any server or client that can be assigned a ticket.
- Authentication Server (AS): Server that authorizes the principal and connects them to the ticket granting server.
- Ticket Granting Server (TGS): Issues tickets.
- Key Distribution Center (KDC): Server that provides the initial ticket and handles TGS requests.
- Realm: A boundary within an organization. Each realm has its own AS and TGS.
- Ticket Granting Ticket (TGT): Ticket that is granted during the authentication process.
- Ticket: Used to authenticate. Contains the identity of the client, the session key, the timestamp, and the checksum. Encrypted with the server's key.
- Session Key: Temporary encryption key.
SESAME
.Addresses Kerberos' plaintext storage of symmetric keys
.Uses Privilege Attribute Certificates (PAC) in place of Kerberos tickets
RADIUS
.RFC 2865 and 2866
.UDP ports: 1812 (authentication), 1813 (accounting)
Diameter
.RADIUS successor
.Designed to improve the AAA framework
.Uses a single server to manage the policies for many servers
.Use of TCP makes it more reliable
TACACS+
TACACS: UDP Port 49
TACACS+: TCP Port 49
Discretionary Access Control (DAC)
.System-enforced access control based on the subject's clearance and the objects' labels
.Expensive and difficult to implement
SPML
Service Provisioning Markup Language
.Allows the exchange of provisioning data between applications
.Could reside in one organization or many
SAML
Security Assertion Markup Language
.Provides the authentication pieces to federated identity management systems.
XACML
eXtensible Access Control Markup Language
.Used to express security policies and access rights to assets provided through web services and other enterprise applications
Risk-based access control
Risk-based access control is relatively new, and the implementation can be quite complex. The model attempts to evaluate risk by considering several different elements, such as:
.The environment
.The situation
.Security policies
Example policies:
.Multifactor Authentication: the system will deny access to users logging on with just one factor of authentication.
.Compliant Mobile Devices: the policy may require that smartphones and tablets meet specific security requirements, such as an up-to-date operating system and device encryption.