Identity & Access Management

Question 1

EAP

Answer 1

Extensible Authentication Protocol
Integrates with 802.1X
Framework commonly used for wireless networks ; EAP-TLS, LEAP , EAP-TTLS, PEAP.

Question 2

CHAP

Answer 2

Challenge Handshake Authentication Protocol.

Uses an encrypted challenge and three-way handshake to send credentials
-Challenge message
-Password hash from challenge and password
-Server compares hash

Question 3

802.1X

Answer 3

IEEE standard for network access control (port based NAC)
RADIUS, LDAP, TACACS+
Supplicant - the client
Authenticator- go between provides access
Server - validates credentials

Question 4

What is RADIUS?

Answer 4

Remote Authentication Dial-in User Service
Operates via TCP or UDP
sends passwords that are obfuscated by a shared secret and MD5 hash.
Typically encrypted using IPSec

Question 5

TACACS+

Answer 5

Terminal Access Controller Access Control System

Cisco designed, uses TCP for AAA providing full packet encryption and granular command controls

Question 6

Kerberos

Answer 6

Favoured by Microsoft: Operates on untrusted networks and uses authentication to shield its traffic.
The primary - username
The instance - to differentiate similar primaries
The realm - groups of users separated by trust boundaries.

Question 7

TGT

Answer 7

Ticket Granting Ticket

When I client wants to use Kerberos to access a service they request this; (authentication ticket)

Question 8

TGS

Answer 8

Ticket Granting Service (Kerberos)

Question 9

KDC

Answer 9

Kerberos Distribution Centre

Question 10

SAML

Answer 10

Security Assertion Markup Language

XML based open standard for exchanging AA information between identity and service providers

Question 11

LDAP

Answer 11

Lightweight Directory Access Protocol

Deployed as part of an identity management infrastructure database to offer hierarchically organised directory

Question 12

MFA

Answer 12

Multi Factor Authentication

-something you know
-something you have
-something you are
- somewhere you are
- something you can do
- something you exhibit
- someone you know

Question 13

TOTP

Answer 13

Time-based One Time Passwords

Use algorithm to drive a password using current time as part of the process, and is valid for set period
eg Google Authenticator

Question 14

HMAC

Answer 14

Hash Based Message Authentication Code

Question 15

HOTP

Answer 15

HMAC based One Time Password
(Hash Based Authentication Code)

Question 16

FRR

Answer 16

False Rejection Rate

Question 17

FAR

Answer 17

False Acceptance Rate

Question 18

ROC

Answer 18

Relative Operating Characteristics (biometrics) compares the FAR and FRR of a system typically as a graph

Question 19

COR

Answer 19

Cross Over Error Rate (biometrics)
Where FRR and FAR intersect
Lower is better

Question 20

KBA

Answer 20

Knowledge Based Authentication

I.e. security questions

Question 21

TPM

Answer 21

Trusted Platform Module
Cryptoprocessor Modules or chips help prevent unauthorised changes to firmware or software as part of secure boot

Question 22

HSM

Answer 22

Hardware Security Module

Create, store, manage crypto keys

Question 23

ABAC

Answer 23

Attribute Based Access Control

For setups requiring more complex options than RBAC

Question 24

RBAC

Answer 24

Role Based Access Control

Question 25

R(u)BAC

Answer 25

Rule Based Access Control

Question 26

MAC (security not hardware)

Answer 26

Mandatory Access Control

Question 27

DAC

Answer 27

Discretionary Access Control

I.e self managing file permissions

Question 28

OAuth

Answer 28

Protocol to allow users to grant 3rd party access without providing password, typically used by OpenID providers
I.e Login with Google is an OpenID provider

Question 29

PAM

Answer 29

Privileged Access Management

Tools focus on principles of ‘least privilege’

Question 30

SIEM

Answer 30

Security Information Event Management

Software provides real time analysis of security alerts generated by apps and (network) hardware

Question 31

X.509

Answer 31

International standard governing digital certificates

Question 32

WPA2

Answer 32

CCMP (Counter mode with Cipher block chaining Message authentication code Protocol /CNC-MAC)
DATA protected with AES
Message integrity Check (MIC) CBC-MAC

Question 33

WPA3

Answer 33

Uses different block cipher mode: GCMP (Galois/Counter Mode Protocol)

Data integrity with AES
MIC with GMAC

Question 34

WPA2 PSK problem

Answer 34

Can listen to 4 way handshake | capture hash and then brute force

Question 35

SAE

Answer 35

Simultaneous Authentication of Equals
In WPA3 gives mutual authentication with 4 way (dragonfly) handshake which gives shared key without sending across the network

Question 36

EAP-FAST

Answer 36

EAP Flexible Authentication Secure Tunnel
Server and supplicant share PAC
Supplicant and AS negotiate TLS Tunnel
Needs RADIUS

Question 37

PEAP

Answer 37

Protected EAP
CISCO, MS & RSA
Also encapsulate ms in TLS
Server uses a certificate instead of PAC (protected access credential/secret)

Combined with CHAP with MS

Question 38

EAP-TLS

Answer 38

Requires digital certificates in all devices with an exchange so need PKI

Question 39

EAP-TTLS

Answer 39

EAP-TunneledTLS
Only a certificate on the AS to build a tunnel and uses any authentication method in the tunnel

Question 40

Linux File Permissions 0-7

Answer 40

0 - - -
1 - - x
2 -w-
3 -wx
4 r- -
5 r-x
6 rw-
7 rwx