Lesson 7 Flashcards
IAM
• Subjects - Users or software that request access
• Objects - Resources such as networks, servers, and data
Four main processes:
• Identification - Associating a valid subject with a computer/network account
• Authentication - Challenge to the subject to supply a credential to operate the account
• Authorization - Rights, permissions, or privileges assigned to the account
• Accounting - Auditing use of the account
Kerberos vs NTLM
Kerberos is the preferred system for network authentication in Windows. NTLM (Network LAN Manager) is a legacy network authentication protocol.
In Windows, SSO is provided by the Kerberos framework.
Secure Shell
SSH
With SSH, the user can be authenticated using cryptographic keys instead of a password.
Kerberos Authentication
• Single sign-on authentication and authorization provider
• Clients
• Application servers
• Key Distribution Center (KDC)
• Authentication Service – Ticket Granting Ticket
• Ticket Granting Service – Service Ticket
PAP vs CHAP vs MS-CHAP authentication
Kerberos is designed to work over a trusted local network. Several authentication protocols have been developed to work with remote access protocols, where the connection is made over a serial link or virtual private network (VPN).
PAP is insecure.
CHAP is more secure. MS-CHAP is Microsoft's version.
Spraying
Trying multiple credentials across many accounts
Brute force, dictionary, Hybrid
• Brute force attack
• Generate every possible combination to match a hash
• Large output space and sufficiently long input password increase time required
• Dictionary attack and rainbow tables (salt defends against dictionary)
• Use a dictionary to test common words or phrases first
• Rainbow tables assist dictionary attacks against Windows password databases by precomputing hash chains
• Using salt means hash chains cannot be pre-computed
• Hybrid attack
• Dictionary and brute force
• Fuzzing of dictionary terms (james1, james2, tom1, tom2, …)
Password crackers
• Cain and L0phtcrack
• Hashcat (Linux)
Smart Card Authentication
• Kerberos-based smart card logon
• Card readers
• Card stores user's private key and certificate
• Use of card is protected by a PIN
Trusted Platform Module (TPM)
• Virtual smart cards, usually embedded in the CPU
Hardware Security Module (HSM)
A hardware security module (HSM) is a network appliance designed to perform centralized PKI management for a network of devices.
USB Key
Smart card in USB form
Extensible Authentication Protocol (EAP) /IEEE 802.1X
The smart card process is used for Kerberos authentication. Authentication may be required in other contexts (wireless network, VPN, etc.).
EAP is a very flexible framework for deploying multiple types of authentication, designed for interoperability.
IEEE 802.1X Port-based Network Access Control (NAC) allows or denies devices getting on the network (Ethernet switch port, wireless access point).
EAP-TLS vs PEAP vs EAP FAST
- EAP-TLS
○ Transport Layer Security
○ Both sides (server and subject) must have a certificate
- EAP-FAST - no certificate required
- PEAP (Protected EAP) - only the server needs a certificate
Supplicant
The device requesting access to the network, such as a user's PC or laptop.
RADIUS
The Remote Authentication Dial-in User Service (RADIUS) standard is published as an Internet standard. There are several RADIUS server and client products.
NAS Device
Network access server (NAS) - edge network appliances, such as switches, access points, and VPN gateways. These are also referred to as RADIUS clients or authenticators.
TACACS+
Whereas RADIUS can be used for this network appliance administration role, the Cisco-developed Terminal Access Controller Access-Control System Plus (TACACS+) is specifically designed for this purpose:
- Centralizing administrative logins for network appliances
- Reliable TCP transport (over port 49)
- Data encryption
- Discrete authentication, authorization, and accounting functions
OATH
A system based not just on a password but also on 2- or 3-factor authentication or 2-step verification. Two algorithms:
• HMAC-based One-time Password Algorithm (HOTP)
• Time-based One-time Password Algorithm (TOTP)
2-Step Verification
- Transmit a code via an out-of-band channel
  - Short message service (SMS)
  - Phone call
  - Push notification
  - Email account
- Possibility of interception