Domain 5 - Identity and Access Management Flashcards
Centralized administration
one element responsible for configuring access controls. Only modified
through central administration, very strict control,
Decentralized administration
access to information is controlled by owners or creators of
information, may not be consistency with regards to procedures, difficult to form system wide view of
all user access at any given time
SSO Advantage
Ability to use stronger passwords, easier administration, less time to access resources.
SSO Disadvantage
once a key is compromised all resources can be accessed, if Db compromised all PWs
compromised
KERBEROS Key Type
Guards a network with three elements: authentication, authorization, & auditing. SYMMETRIC
KEYS
Kerberos addresses Confidentiality and integrity and authentication, not availability, can be combined
with other SSO solutions
Kerberos Is based on symmetric key cryptology (and is not a propriety control)
Time synchronization is critical, 5 minutes is bad
Kerboros Advantages
Benefits: inexpensive, loads of OS’s, mature protocol. Passwords are never exchanged only hashes of passwords
Kerboros Disadvantages
Disadvantage: takes time to administer, can be bottleneck or single point of failure
The Kerberos logon process
• The user types a username and password into the client.
• The client encrypts the username with AES for trans. to the KDC.
• The KDC verifies the username against a database of known credentials.
• The KDC generates a symmetric key that will be used by the client and the Kerberos server. It
encrypts this with a hash of the user’s password. The KDC also generates an encrypted timestamped TGT. The KDC then ransmits the encrypted symmetric key and the encrypted timestamped TGT to the client.
• The client installs the TGT for use until it expires. The client also decrypts the symmetric key
using a hash of the user’s password.
• Then the user can use this ticket to service to use the service as
an application service
SESAME
- Public Key Cryptology
- European
- Needham-Schroeder protocol
SESAME weakness
only authenticates the first block and not the complete message
Rainbow Tables
(tables with passwords that are already in hash format, pre-hashed PW paired with
high-speed look up functions
Implementation Attack
This is a type of attack that exploits weaknesses in the Implementation of a
cryptography system. It focuses on exploiting the software code, not just errors and flaws but the
methodology employed to program the encryption system
Statistical Attack
Exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the
hardware or operating system hosting the cryptography application.
HAVAL
Hash of Variable Length (HAVAL) is a modification of MD5. HAVAL uses 1,024-bit
blocks and produces hash values of 128, 160, 192, 224, and 256 bits. Not a encryption
algorithm
Synchronous (TIME BASED) dynamic
Uses time or a counter between the token and the
authentication server, secure-ID is an example
Asynchronous (NOT TIME BASED)
Server sends a nonce (random value) This goes into token device, encrypts and delivers a one-time password, with an added PIN its strong authentication
Challenge/response token
Generates response on a system/workstation provided challenge; synchronous – timing, asynchronous - challenge
SAML (SOAP)
To exchange authentication and authorization data between security domains.
SAML 2.0 enables web-based to include SSO.
Most used federated SSO
XML Signature – use digital signatures for authentication and message integrity based on XML
signature standard.
Relies on XML Schema
SAML Roles
Principal (user)
• Identity provider (IdP)
• Service provider (SP)
Identity as a Service
Is a third-party service that provides
identity and access management, Effectively provides SSO for the cloud and is especially useful when
internal clients access cloud-based Software as a Service (SaaS) applications.
• Ability to provision identities held by the service to target applications
• Access includes user authentication, SSO, authorization enforcement
• Log events , auditing
• Federation - sharing identity and authentication behind the scenes (like booking flight →
booking hotel without re authenticating) by using a federate identity so used across business
boundaries
• SSO
• Access Management enforces RULES!
Access Control Matrix
An access control matrix is a table that includes subjects, objects, and
assigned privileges. When a subject attempts an action, the system checks the access control matrix to
determine if the subject has the appropriate privileges to perform the action
Capability Tables
They are different from ACLs in that a capability table is focused on subjects
(such as users, groups, or roles). For example, a capability table created for the accounting role will
include a list of all objects that the accounting role can access and will include the specific privileges
assigned to the accounting role for these objects
ACL focus
ACLs are object focused and identify access granted to subjects for any specific object.
Capability table focus
Capability tables are subject focused and identify the objects that subjects can access.
