Identity And Access Services Flashcards
Kerberos
- What does it do
- What does it prevent
- What does it have, what does that prevent
- SSO?
- AAA?
Kerberos
- Network authentication mechanism used with Windows Active Directory and some Unix realms
- Provides mutual authentication.
- Mutual authentication prevents man in the middle attacks
- SSO (Single Sign On) - only authenticate once
- Tickets and timestamps prevent replay attacks.
- Not AAA - no accounting
NTLM
- Vulnerable to what?
NTLM
New Technology LAN Manager
- Message digest hashing algorithm to challenge users and check credentials
- Confidentiality, integrity, authentication
- Windows
- Somewhat insecure
- Vulnerable to pass the hash attacks (use someone else’s password hash to log in)
- Use Kerberos instead
LDAP
- Port?
Windows Active Directory domains and Linux realms
- Used to identify objects with codes like CN=Users and DC=GetCertifiedGetAhead (X.500 attribute/value pairs, most specific listed first; hierarchical tree)
- TCP/UDP port 389
- LDAPS encrypts w/ TLS
RADIUS
- What is it?
- What does it provide?
- How does it work?
- Encryption?
- key?
- Connection?
- Does it challenge
RADIUS
- Authentication service that provides central authentication for remote clients
- AAA - Authentication, Authorization, Accounting
- All VPN servers connect to the RADIUS server, so a password changed once is seen by every VPN
- Common for RADIUS server to access LDAP server holding accounts
- Encrypts password packets, but not entire authentication process
- Uses shared key (shared secret) - symmetric encryption
- Uses UDP - best effort delivery, not guaranteed delivery
- Server does not challenge
Diameter
- What is it?
- What does it provide?
- What does it use?
- Security
- Does it challenge
Diameter
- Authentication service that provides central authentication for remote clients
- AAA - Authentication, Authorization, Accounting
- Extension of RADIUS
- TCP - guaranteed delivery
- Can secure transmissions with EAP
- Server does not challenge
CHAP
- What is it?
- What does it do?
- Is it secure?
- Does it challenge?
CHAP
- Challenge Handshake Authentication Protocol
- VPN authentication service
- Server sends an encrypted challenge
- Client responds with a hash calculated from the challenge, password and nonce
- Server compares received hash with stored hash
- Not plaintext - more secure than PAP
MS-CHAP
- What is it?
- What does it provide?
- How does it work?
- Is it good?
MS-CHAP
- Microsoft CHAP
- VPN authentication service (provides authentication)
- v2 supports mutual authentication
- Don’t use! Uses DES, easy to brute force (2^56 possible keys)
PAP
PAP
- Password Authentication Protocol
- VPN authentication service
- Sends passwords as cleartext
- Should not use
TACACS+
- What is it?
- What does it provide?
- Encryption?
- How does it work?
- Does it challenge?
- SSO?
TACACS+
- Authentication service that provides central authentication for remote clients
- AAA - Authentication, Authorization, Accounting
- Alternative to RADIUS
- Cisco
- Encrypts entire authentication process
- Multiple challenge/response
- Can be used with Kerberos
- No SSO
- TCP
OAuth
OAuth
- Authorization framework
- Use Google, Facebook, Twitter, etc. accounts to authorize
- Not an authentication protocol
- OpenID Connect handles single sign-on authentication
NAC
NAC
Network Access Control
- Inspect clients to ensure they are healthy
- User or system authentication
- 802.1x is a form of NAC
- Encryption of traffic to the wireless and wired network using protocols for 802.1X such as EAP-TLS, EAP-PEAP or EAP-MSCHAP
- Often tied to Role-based Access. Access to the network will be given according to the profile of the person and the results of a posture/health check.
Uses a challenge message during authentication
- Three answers
Uses a challenge message during authentication
- CHAP - Challenge Handshake Authentication Protocol
- MS-CHAPv2 - mutual authentication
- NTLM
- TACACS+ (multiple challenge/response)
Directory Services
- What technology to implement?
Directory Services
- Authentication protocol: Kerberos
- LDAP or LDAPS
RADIUS Federation
RADIUS Federation
- 802.1x and RADIUS can create federation
- Two or more entities share
- SSO