Domain 5 - Identity and Access Management Flashcards
Centralized administration
A single element (one group or system) is responsible for configuring access controls. Access rights can only be modified
through that central point, which gives very strict and consistent control.
Decentralized administration
Access to information is controlled by the owners or creators of the
information. Procedures may be inconsistent from one owner to the next, and it is difficult to form a system-wide view of
all user access at any given time.
SSO Advantage
Users need only one password, so stronger passwords become practical; administration is easier; users spend less time authenticating to reach resources.
SSO Disadvantage
Once a single credential is compromised, every resource behind the SSO can be accessed; if the credential database is compromised, all passwords
are compromised.
KERBEROS Key Type
A network authentication protocol built on SYMMETRIC KEYS: a trusted Key Distribution Center (KDC) issues tickets that prove identity. Kerberos supplies the authentication leg of authentication, authorization and auditing; authorization and auditing are left to the services it authenticates users to.
Kerberos addresses confidentiality, integrity and authentication, not availability; it can be combined
with other SSO solutions.
Kerberos is based on symmetric key cryptography (and is not a proprietary control).
Time synchronization is critical: clocks more than 5 minutes apart (the default maximum clock skew) cause ticket requests to be rejected.
Kerberos Advantages
Benefits: inexpensive, supported on many operating systems, mature protocol. Passwords are never sent over the network; the client proves knowledge of the password by decrypting with a key derived from it.
Kerberos Disadvantages
Disadvantage: takes time to administer; the KDC can be a bottleneck or a single point of failure.
The Kerberos logon process
• The user types a username and password into the client.
• The client sends an authentication request carrying the username to the KDC. The username itself travels in the clear; the password never leaves the client.
• The KDC verifies the username against its database of known principals and looks up the long-term key derived from that user's password.
• The KDC generates a symmetric session key to be used between the client and the Kerberos server and
encrypts it with the key derived from the user's password. The KDC also generates a timestamped ticket-granting ticket (TGT), encrypted with the KDC's own key. It then transmits the encrypted session key and the encrypted TGT to the client.
• The client decrypts the session key using the key derived from the user's password (a wrong password yields nothing usable) and caches the TGT for use until it expires.
• To reach a service, the client presents the TGT and a freshly timestamped authenticator to the KDC, which returns a service ticket encrypted with that service's key.
• The client sends the service ticket and a new authenticator to the application server, which decrypts the ticket with its own key and grants access.
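The logon process above, worked through as an added example (this is illustrative code written for these flashcards, not part of any Kerberos implementation). The realm EXAMPLE.ORG, the principals alice and http/web01, the PBKDF2 key derivation standing in for Kerberos string2key, and the toy seal/unseal cipher are all assumptions made so the exchange runs offline; only the message flow, the 5-minute skew check and the "password never crosses the wire" property are the real protocol's.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300            # seconds: Kerberos' default clock-skew tolerance (5 minutes)
TICKET_LIFETIME = 36000   # seconds: arbitrary 10-hour lifetime chosen for the demo

def string2key(password: str, salt: str) -> bytes:
    """Long-term key derived from the password (PBKDF2 stands in for the real string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption (keystream XOR + HMAC tag); NOT a real Kerberos etype."""
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reverse of seal(); a wrong key or a modified ticket fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_ticket(key: bytes, cname: str, skey: str, now: float) -> bytes:
    return seal(key, {"cname": cname, "skey": skey, "expires": now + TICKET_LIFETIME})

def verify_ticket(key: bytes, ticket: bytes, authenticator: bytes, now: float) -> dict:
    """Used by the KDC (on TGTs) and by application servers (on service tickets)."""
    tkt = unseal(key, ticket)
    if now > tkt["expires"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(tkt["skey"]), authenticator)  # proves the caller holds the session key
    if auth["cname"] != tkt["cname"] or abs(auth["ts"] - now) > MAX_SKEW:
        raise ValueError("authenticator rejected: name mismatch or clock skew over MAX_SKEW")
    return tkt

class KDC:
    def __init__(self, realm: str):
        self.realm, self.keys = realm, {}        # principal name -> long-term key
        self.krbtgt_key = os.urandom(32)         # seals TGTs; never leaves the KDC

    def register(self, name: str, password: str) -> None:
        self.keys[name] = string2key(password, self.realm + name)   # real Kerberos salts with realm+name too

    def as_exchange(self, cname: str, now: float):
        """AS-REQ/AS-REP: the name arrives in the clear; the reply is sealed with the user's key."""
        skey = os.urandom(32).hex()
        return make_ticket(self.krbtgt_key, cname, skey, now), seal(self.keys[cname], {"skey": skey})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str, now: float):
        """TGS-REQ/TGS-REP: check TGT and fresh authenticator, then issue a ticket for sname."""
        tkt = verify_ticket(self.krbtgt_key, tgt, authenticator, now)
        svc_skey = os.urandom(32).hex()
        st = make_ticket(self.keys[sname], tkt["cname"], svc_skey, now)
        return st, seal(bytes.fromhex(tkt["skey"]), {"skey": svc_skey})

class Client:
    def __init__(self, kdc: KDC, cname: str, password: str):
        self.kdc, self.cname = kdc, cname
        self.key = string2key(password, kdc.realm + cname)   # the password itself never leaves the client

    def authenticator(self, skey: bytes, clock: float) -> bytes:
        return seal(skey, {"cname": self.cname, "ts": clock})

    def logon(self, clock: float) -> None:
        self.tgt, enc = self.kdc.as_exchange(self.cname, clock)
        self.tgt_skey = bytes.fromhex(unseal(self.key, enc)["skey"])   # wrong password -> ValueError

    def get_service_ticket(self, sname: str, client_clock: float, kdc_clock: float):
        auth = self.authenticator(self.tgt_skey, client_clock)
        st, enc = self.kdc.tgs_exchange(self.tgt, auth, sname, kdc_clock)
        return st, bytes.fromhex(unseal(self.tgt_skey, enc)["skey"])

def demo() -> dict:
    """Full logon against constructed principals, plus the two failures a practitioner should expect."""
    kdc = KDC("EXAMPLE.ORG")
    kdc.register("alice", "correct horse battery staple")
    kdc.register("http/web01", "service-keytab-secret")
    t0 = 1_700_000_000.0
    alice = Client(kdc, "alice", "correct horse battery staple")
    alice.logon(t0)
    st, svc_skey = alice.get_service_ticket("http/web01", t0 + 60, t0 + 60)
    # AP-REQ: the web service validates with nothing but its own long-term key (its keytab)
    who = verify_ticket(kdc.keys["http/web01"], st, alice.authenticator(svc_skey, t0 + 61), t0 + 61)["cname"]
    bad_pw = skew = False
    try:   # wrong password: the AS-REP cannot be opened, so no session key and no usable TGT
        Client(kdc, "alice", "wrong").logon(t0)
    except ValueError:
        bad_pw = True
    try:   # client clock 10 minutes ahead of the KDC: the TGT is valid but the authenticator is stale
        alice.get_service_ticket("http/web01", t0 + 600, t0)
    except ValueError:
        skew = True
    return {"authenticated_as": who, "bad_password_rejected": bad_pw, "skew_rejected": skew}
```

Run demo() to see all three outcomes: the service learns the client is alice without ever holding alice's password, a wrong password fails at the very first decryption, and a client 10 minutes off the KDC clock is refused despite holding a valid TGT, which is why the flashcards stress time synchronization.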
SESAME
- Public key cryptography
- European (developed by ECMA)
- Needham-Schroeder protocol
SESAME weakness
only authenticates the first block and not the complete message
Rainbow Tables
Tables of pre-computed hashes of candidate passwords, stored as hash-to-plaintext chains and paired with
high-speed lookup functions, so a captured unsalted hash is reversed by lookup instead of by brute force.
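How the chains and the lookup actually work, as an added example written for these flashcards (not code from any real cracking tool). The 3-letter lowercase keyspace, the chain length of 50, the MD5 target hash and the fixed start points are assumptions chosen so the table builds in well under a second; the same construction scales to real keyspaces by storing more and longer chains.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3        # keyspace of 26**3 = 17,576 passwords, small enough to build instantly
CHAIN_LEN = 50    # hash->reduce steps per stored chain
SPACE = len(ALPHABET) ** PW_LEN

def h(pw: str) -> str:
    """The unsalted hash the table targets (MD5 here; the idea is the same for any unsalted hash)."""
    return hashlib.md5(pw.encode()).hexdigest()

def reduce_fn(digest: str, step: int) -> str:
    """Map a digest back into the password space. Mixing in 'step' gives every column its own
    reduction function, so two chains that collide in different columns do not merge (the 'rainbow')."""
    n = (int(digest, 16) + step) % SPACE
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)

def chain_end(start: str) -> str:
    pw = start
    for step in range(CHAIN_LEN):
        pw = reduce_fn(h(pw), step)
    return pw

def build_table(starts) -> dict:
    """Store only endpoint -> start; everything in between is recomputed at lookup time."""
    table = {}
    for start in starts:
        table[chain_end(start)] = start   # chains sharing an endpoint overwrite each other (expected loss)
    return table

def lookup(table: dict, target: str):
    """Assume the target sits in column 'col', finish that chain to its endpoint, and on a hit
    walk the stored chain from its start until the hash matches. Returns None if not covered."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, col)
        for step in range(col + 1, CHAIN_LEN):
            pw = reduce_fn(h(pw), step)
        start = table.get(pw)
        if start is None:
            continue
        cand = start
        for step in range(CHAIN_LEN):
            if h(cand) == target:
                return cand
            cand = reduce_fn(h(cand), step)
        # false alarm: a different chain merged into this endpoint; keep trying earlier columns
    return None

def demo() -> dict:
    """Build a small table from constructed start points and crack with it."""
    starts = sorted({reduce_fn(h(str(i)), 0) for i in range(600)})   # deterministic start points
    table = build_table(starts)
    # pick a password whose chain survived the endpoint collisions, so it is provably covered
    covered = next(s for s in starts if table[chain_end(s)] == s)
    hit = lookup(table, h(covered))
    # salting defeats the precomputation: the table was built over h(pw), not h(salt + pw)
    salted = hashlib.md5(b"s3" + covered.encode()).hexdigest()
    return {"stored_chains": len(table), "hit": hit,
            "hit_correct": hit is not None and h(hit) == h(covered),
            "salted_lookup": lookup(table, salted)}
```

The memory/time trade-off is visible in the numbers: 600 stored pairs stand in for up to 30,000 hashed passwords, at the cost of roughly CHAIN_LEN squared divided by two hash operations per lookup. The salted lookup returning None is the practical defence: a per-user salt means the attacker would need a separate table per salt value.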
Implementation Attack
An attack that exploits weaknesses in the implementation of a
cryptographic system. It targets the software code, not just coding errors and flaws but the
methodology used to program the encryption system.
Statistical Attack
Exploits statistical weaknesses in a cryptosystem, such as floating-point errors and an inability to produce truly random numbers. Statistical attacks look for a vulnerability in the
hardware or operating system hosting the cryptographic application.
HAVAL
Hash of Variable Length (HAVAL) is a modification of MD5. HAVAL uses 1,024-bit
blocks and produces hash values of 128, 160, 192, 224 or 256 bits. It is a hash function, not an encryption
algorithm.
Synchronous (TIME BASED) dynamic token
The token and the authentication server share a secret and stay in step on either a clock or a counter, so the server can recompute every code the token displays; RSA SecurID is an example.