Lesson 7 Flashcards
IAM
• Subjects - Users or software that request access
• Objects - Resources such as networks, servers, and data
Four main processes:
• Identification - Associating a valid subject with a computer/network account
• Authentication - Challenge to the subject to supply a credential to operate the account
• Authorization - Rights, permissions, or privileges assigned to the account
• Accounting - Auditing use of the account (logging what the account did, for review and investigation)
Kerberos vs NTLM
Kerberos is the preferred system for network authentication in Windows domains. NTLM (NT LAN Manager) is the legacy challenge-response authentication protocol, kept for backwards compatibility (local logons, access by IP address, older clients).
In Windows, SSO is provided by the Kerberos framework.
Secure Shell
SSH
With SSH, the user can be authenticated using cryptographic keys (public key authentication) instead of a password; the private key stays on the client and the server holds only the public key.
Kerberos Authentication
• Single sign-on authentication and authorization provider
• Clients
• Application servers
• Key Distribution Center (KDC)
  • Authentication Service – issues the Ticket Granting Ticket (TGT)
  • Ticket Granting Service – issues the Service Ticket
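The exchange behind those cards, as an added worked example that is not part of the original notes and not Kerberos/MIT or Microsoft code: a client does the AS exchange (password-derived key opens the AS-REP and yields a TGT), the TGS exchange (TGT plus authenticator yields a service ticket), and finally presents an AP-REQ to an application server that never talks to the KDC. The realm, principals, passwords, lifetimes, and the JSON ticket layout are all constructed for the example; the "encryption" is a toy HMAC-SHA256 stream cipher plus tag standing in for a real Kerberos enctype (AES in practice), and the toy KDF stands in for string2key.

```python
import hashlib
import hmac
import json
import os
import time


def derive_key(secret: str, principal: str) -> bytes:
    """Long-term key from a password/service secret (toy KDF standing in for Kerberos string2key)."""
    return hashlib.sha256(f"{principal}:{secret}".encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (nonce || ciphertext || HMAC tag) standing in for a Kerberos enctype."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) sharing the principal key database."""

    def __init__(self, principals: dict, lifetime: int = 600):
        self.keys = {name: derive_key(secret, name) for name, secret in principals.items()}
        self.lifetime = lifetime

    def as_exchange(self, user: str, now: int) -> bytes:
        """AS-REP: TGS session key sealed under the user's key, plus a TGT only the krbtgt key opens.
        (Real KDCs also demand pre-authentication, e.g. an encrypted timestamp, before answering.)"""
        session_key = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": user, "key": session_key.hex(), "expires": now + self.lifetime})
        return seal(self.keys[user], {"session_key": session_key.hex(), "ticket": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS-REP: check the TGT and the authenticator, then issue a service ticket under the service's key."""
        ticket = unseal(self.keys["krbtgt"], tgt)
        session_key = bytes.fromhex(ticket["key"])
        auth = unseal(session_key, authenticator)             # proves the caller holds the TGS session key
        if ticket["expires"] < now or auth["client"] != ticket["client"] or abs(auth["time"] - now) > 300:
            raise ValueError("expired TGT or bad authenticator")
        service_key = os.urandom(32)
        st = seal(self.keys[service], {"client": ticket["client"], "service": service,
                                       "key": service_key.hex(), "expires": now + self.lifetime})
        return seal(session_key, {"session_key": service_key.hex(), "ticket": st.hex()})


def client_get_ap_req(kdc: KDC, user: str, password: str, service: str, now: int) -> tuple:
    """Client: AS exchange (password -> key), TGS exchange (TGT -> service ticket), then build the AP-REQ."""
    as_rep = unseal(derive_key(password, user), kdc.as_exchange(user, now))   # wrong password -> ValueError
    tgs_key, tgt = bytes.fromhex(as_rep["session_key"]), bytes.fromhex(as_rep["ticket"])
    authenticator = seal(tgs_key, {"client": user, "time": now})
    tgs_rep = unseal(tgs_key, kdc.tgs_exchange(tgt, authenticator, service, now))
    svc_key, ticket = bytes.fromhex(tgs_rep["session_key"]), bytes.fromhex(tgs_rep["ticket"])
    return ticket, seal(svc_key, {"client": user, "time": now})


def server_accept(service_key: bytes, ap_req: tuple, now: int) -> str:
    """Application server: never contacts the KDC; the ticket is trusted because only the KDC shares its key."""
    ticket, authenticator = ap_req
    fields = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(fields["key"]), authenticator)
    if fields["expires"] < now or auth["client"] != fields["client"]:
        raise ValueError("expired ticket or bad authenticator")
    return fields["client"]


def demo(password: str = "Correct-Horse-Battery") -> str:
    # Constructed realm: one user, the KDC's own krbtgt secret, one service principal.
    kdc = KDC({"alice": "Correct-Horse-Battery", "krbtgt": "kdc-long-term-secret", "http/web01": "svc-secret"})
    now = int(time.time())
    ap_req = client_get_ap_req(kdc, "alice", password, "http/web01", now)
    return server_accept(kdc.keys["http/web01"], ap_req, now)


if __name__ == "__main__":
    print(demo())   # alice
```

The single sign-on property is visible in the structure: the password is used exactly once, to open the AS-REP; every later service is reached with the TGT and session keys, and a wrong password simply fails to open the AS-REP rather than being checked by the KDC.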
PAP vs CHAP vs MS-CHAP authentication
Kerberos is designed to work over a trusted local network. Several authentication
protocols have been developed to work with remote access protocols, where the
connection is made over a serial link or virtual private network (VPN).
• PAP (Password Authentication Protocol) - sends the username and password over the link in plaintext; obsolete, do not use
• CHAP (Challenge Handshake Authentication Protocol) - the server sends a random challenge and the client answers with MD5(ID + secret + challenge), so the password never crosses the link and a captured response cannot be replayed against a fresh challenge; drawback: the server must store the plaintext secret
• MS-CHAP / MS-CHAPv2 - Microsoft's version, working from the NT hash; v2 adds mutual authentication and is the method PEAP normally runs inside its TLS tunnel
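Both exchanges side by side, as an added example that is not from the original notes and not any PPP implementation's code: a PAP server compares the password that arrived in the clear, while a CHAP server (RFC 1994, MD5 over Identifier || Secret || Challenge) issues a fresh random challenge per session and checks the response. The `wire` list records what a passive eavesdropper on the link would see, and `replay_attack` shows a captured CHAP response failing against the next challenge. The credential store and the username/secret are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class PapServer:
    """PAP: the peer sends its username and password in the clear; the server just compares."""

    def __init__(self, secrets: dict):
        self.secrets = secrets

    def authenticate(self, username: str, password: str) -> bool:
        return self.secrets.get(username) == password


class ChapServer:
    """CHAP: the server issues a random challenge and checks the MD5 response.

    The server must hold the plaintext secret to recompute the response; that is
    CHAP's main weakness and why MS-CHAPv2 works from the NT hash instead.
    """

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.identifier = 0
        self.current_challenge = None

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) & 0xFF     # 8-bit Identifier field
        self.current_challenge = os.urandom(16)            # fresh per session, never reused
        return self.identifier, self.current_challenge

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        if username not in self.secrets or identifier != self.identifier:
            return False
        expected = chap_response(identifier, self.secrets[username], self.current_challenge)
        return hmac.compare_digest(expected, response)


def run_pap(wire: list, password: str = "hunter2") -> bool:
    """PAP exchange; 'wire' records what a passive eavesdropper on the link sees."""
    server = PapServer({"alice": "hunter2"})               # constructed credential store
    wire.append(("PAP Authenticate-Request", "alice", password))
    return server.authenticate("alice", password)


def run_chap(wire: list, secret: str = "hunter2") -> bool:
    """CHAP exchange: Challenge -> Response -> Success/Failure. The secret never appears on the wire."""
    server = ChapServer({"alice": "hunter2"})
    ident, chal = server.challenge()
    wire.append(("CHAP Challenge", ident, chal.hex()))
    response = chap_response(ident, secret, chal)          # computed by the peer from its copy of the secret
    wire.append(("CHAP Response", "alice", response.hex()))
    return server.verify("alice", ident, response)


def replay_attack() -> bool:
    """An eavesdropper replays a captured valid Response against a later, fresh Challenge."""
    server = ChapServer({"alice": "hunter2"})
    ident, chal = server.challenge()
    captured = chap_response(ident, "hunter2", chal)
    assert server.verify("alice", ident, captured)          # the legitimate session succeeds
    new_ident, _ = server.challenge()                        # next session: new identifier and challenge
    return server.verify("alice", new_ident, captured)      # the replay fails


if __name__ == "__main__":
    pap_wire, chap_wire = [], []
    print(run_pap(pap_wire), pap_wire)      # True, password visible in the clear
    print(run_chap(chap_wire), chap_wire)   # True, only challenge/response hex visible
    print(replay_attack())                  # False
```

Note that CHAP's MD5 response is still an offline-crackable artifact: an eavesdropper who captures challenge and response can run a dictionary attack against the secret, which is the same weakness exploited against MS-CHAPv2 when it is used without a TLS tunnel.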
Spraying
Password spraying - trying one or a few common passwords against many accounts (one attempt per account per round), rather than many passwords against one account, so that no account reaches the lockout threshold
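Why the ordering matters, as an added example that is not from the original notes: a constructed directory with a lockout policy (five failures lock the account until the observation window passes), a classic one-account brute force that locks the target before the real password is even tried, a spray that keeps every account under the threshold, and the detection rule a SOC would run over the resulting authentication log (one source failing against many distinct accounts). Account names, passwords, the attacker IP and the wordlist are all constructed; the `observation_window_expired` call models the attacker waiting out the lockout window between rounds.

```python
from collections import Counter, defaultdict


class Directory:
    """Constructed identity store with an account-lockout policy: 'threshold' failures lock the account."""

    def __init__(self, passwords: dict, threshold: int = 5):
        self.passwords = passwords
        self.threshold = threshold
        self.failures = Counter()
        self.locked = set()
        self.log = []                        # (account, source_ip, result) - a stand-in for auth logs

    def observation_window_expired(self) -> None:
        """Models the lockout observation window passing: failure counters reset."""
        self.failures.clear()

    def login(self, account: str, password: str, source: str) -> bool:
        if account in self.locked:
            self.log.append((account, source, "LOCKED"))   # even the right password fails now
            return False
        if self.passwords.get(account) == password:
            self.failures[account] = 0
            self.log.append((account, source, "SUCCESS"))
            return True
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
        self.log.append((account, source, "FAILURE"))
        return False


def brute_force_one_account(directory: Directory, account: str, wordlist: list, source: str):
    """Online guessing, many passwords against one account: trips lockout after 'threshold' failures."""
    for password in wordlist:
        if directory.login(account, password, source):
            return password
    return None


def password_spray(directory: Directory, accounts: list, passwords: list, source: str, per_window: int) -> dict:
    """One password against every account per round; wait for the window to expire before hitting the threshold."""
    hits = {}
    for i, password in enumerate(passwords):
        if i and i % per_window == 0:
            directory.observation_window_expired()
        for account in accounts:
            if account not in hits and directory.login(account, password, source):
                hits[account] = password
    return hits


def detect_spray(log: list, min_accounts: int = 10) -> dict:
    """Detection rule: one source failing against many distinct accounts (few failures each)."""
    accounts_by_source = defaultdict(set)
    for account, source, result in log:
        if result == "FAILURE":
            accounts_by_source[source].add(account)
    return {src: len(accts) for src, accts in accounts_by_source.items() if len(accts) >= min_accounts}


def demo() -> dict:
    # Constructed tenant: 40 accounts, two of them using seasonal/default passwords.
    accounts = [f"user{i:02d}" for i in range(40)]
    passwords = {a: f"Str0ng-{i}" for i, a in enumerate(accounts)}
    passwords["user07"], passwords["user23"] = "Winter2024!", "Welcome1"
    wordlist = ["Password1", "Winter2024!", "Welcome1", "Summer2024!", "Company123", "Passw0rd"]
    attacker = "10.0.0.66"

    brute = Directory(passwords)
    found = brute_force_one_account(brute, "user00", wordlist + ["Str0ng-0"], attacker)

    spray = Directory(passwords)
    hits = password_spray(spray, accounts, wordlist, attacker, per_window=spray.threshold - 1)

    return {
        "brute_force_found": found,                       # None: locked before the real password was tried
        "brute_force_locked": "user00" in brute.locked,   # True
        "brute_force_detected": detect_spray(brute.log),  # {}: one account, looks like a user mistyping
        "spray_hits": hits,                               # {'user07': 'Winter2024!', 'user23': 'Welcome1'}
        "spray_locked": len(spray.locked),                # 0: no account ever reached the threshold
        "spray_detected": detect_spray(spray.log),        # {'10.0.0.66': 40}
    }


if __name__ == "__main__":
    print(demo())
```

The detection side is the practical takeaway: per-account failure counts never look suspicious during a spray, so the rule has to pivot on the source (or on the time window) and count distinct target accounts.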
Brute force, dictionary, Hybrid
• Brute force attack
  • Generate every possible combination until one matches the hash
  • Cost is alphabet size to the power of password length: a large character set and a sufficiently long password increase the time required
• Dictionary attack and rainbow tables
  • Use a dictionary to test common words or phrases first
  • Rainbow tables speed up attacks on unsalted password databases (such as Windows NT hashes) by precomputing hash chains, so cracking becomes a lookup
  • Using a random per-password salt means hash chains cannot be precomputed; salt does not stop a dictionary attack on a single hash, it only forces the attacker to recompute the candidates for every hash
• Hybrid attack
  • Dictionary and brute force combined
  • Mangling of dictionary terms with rules (james1, james2, tom1, tom2, …)
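The three cards above in running code, as an added example that is not from the original notes and not Hashcat's or any cracker's code: a hybrid candidate generator (dictionary words with case, leet and numeric-suffix mangling), a precomputed hash-to-plaintext table that cracks unsalted hashes with a lookup (the idea a rainbow table compresses), the same attack against salted hashes where every candidate must be re-hashed per user, and the keyspace arithmetic behind the brute-force card. SHA-256 stands in for the unsalted NT hash (MD4 of UTF-16LE in reality); the wordlist, users and passwords are constructed.

```python
import hashlib
import os

LEET = str.maketrans("aeios", "43105")


def hybrid_candidates(words: list, max_suffix: int = 99):
    """Dictionary terms plus mangling rules (case, leet, numeric suffix): the 'hybrid' candidate stream."""
    for word in words:
        bases = list(dict.fromkeys([word, word.capitalize(), word.upper(), word.translate(LEET)]))
        for base in bases:
            yield base
            for n in range(max_suffix + 1):
                yield f"{base}{n}"


def unsalted_hash(password: str) -> str:
    """Unsalted fast hash, the shape of a Windows NT hash (stand-in: SHA-256 instead of MD4)."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table(candidates) -> dict:
    """Precompute hash -> plaintext once; a rainbow table is a space-compressed form of this idea."""
    return {unsalted_hash(c): c for c in candidates}


def crack_unsalted(stored: dict, table: dict) -> dict:
    """Every unsalted hash is cracked with one dictionary lookup, no hashing at attack time."""
    return {user: table.get(digest) for user, digest in stored.items()}


def crack_salted(stored: dict, words: list) -> tuple:
    """Per-user salt: the table is useless, every candidate is re-hashed for every user (work counted)."""
    results, hash_ops = {}, 0
    for user, (salt, digest) in stored.items():
        results[user] = None
        for candidate in hybrid_candidates(words):
            hash_ops += 1
            if salted_hash(candidate, salt) == digest:
                results[user] = candidate
                break
    return results, hash_ops


def brute_force_seconds(length: int, alphabet: int = 95, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust all printable-ASCII passwords of a given length at a given guess rate."""
    return alphabet ** length / guesses_per_second


def demo() -> dict:
    words = ["james", "tom", "summer", "dragon"]                              # constructed mini wordlist
    plaintexts = {"james": "james1", "tom": "t0m42", "alice": "xK#9vQ2!pL"}   # constructed users

    unsalted_store = {u: unsalted_hash(p) for u, p in plaintexts.items()}
    table = build_lookup_table(hybrid_candidates(words))

    salts = {u: os.urandom(16) for u in plaintexts}
    salted_store = {u: (salts[u], salted_hash(p, salts[u])) for u, p in plaintexts.items()}
    salted_results, hash_ops = crack_salted(salted_store, words)

    return {
        "unsalted": crack_unsalted(unsalted_store, table),   # {'james': 'james1', 'tom': 't0m42', 'alice': None}
        "table_size": len(table),
        "salted": salted_results,                            # same weak ones fall, alice still survives
        "salted_hash_ops": hash_ops,                         # > table_size: salt forces per-user recomputation
        "days_for_8_chars": brute_force_seconds(8) / 86400,
        "days_for_12_chars": brute_force_seconds(12) / 86400,
    }


if __name__ == "__main__":
    print(demo())
```

The point the salted run makes is the one the card gets slightly wrong: salt removes the precomputation advantage and stops one table from serving every hash, but the weak passwords still fall to the same dictionary, just at full per-hash cost; only a slow, memory-hard hash (bcrypt, scrypt, Argon2) makes that per-hash cost hurt.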
Password crackers
• Cain & Abel and L0phtCrack (Windows)
• Hashcat (cross-platform, GPU-accelerated; the current standard for offline cracking)
Smart Card Authentication
• Kerberos-based smart card logon (PKINIT: the certificate replaces the password-derived key in the AS exchange)
• Card readers
• ***Card stores the user's private key and certificate; the private key never leaves the card
• Use of the card is protected by a PIN (something you have plus something you know)
Trusted Platform Module (TPM)
Trusted Platform Module (TPM) - a cryptographic coprocessor, either a chip on the motherboard or firmware running in the CPU, that keeps keys in hardware. Windows virtual smart cards use the TPM to hold the key and certificate in place of a physical card.
Hardware Security Module (HSM)
A hardware security module (HSM) is a tamper-resistant device (network appliance, PCIe card or USB token) that generates, stores and uses cryptographic keys without ever exporting them in the clear; a network HSM is typically used for centralized PKI key management, e.g. protecting a CA's signing key.
USB Key
A smart card in USB form (security token): no separate card reader needed.
Extensible Authentication Protocol (EAP) /IEEE 802.1X
The smart card process above is used for Kerberos authentication; authentication may also be required in other contexts (wireless network, VPN, switch port).
EAP is a flexible framework for deploying multiple types of authentication (the EAP methods); designed for interoperability.
IEEE 802.1X Port-based Network Access Control (NAC) - allows or denies devices access to the network at the point of connection (Ethernet switch port, wireless access point). Roles: supplicant (the device), authenticator (switch or AP, which only relays EAP), authentication server (RADIUS, which makes the decision).
EAP-TLS vs PEAP vs EAP FAST
- EAP-TLS
  ○ Transport Layer Security handshake carries the authentication itself
  ○ ***Both sides, server and supplicant, must have a certificate; the strongest method, but it needs a client PKI
- PEAP (Protected EAP)
  ○ ***Only the server needs a certificate; builds a TLS tunnel, then runs an inner method (typically MS-CHAPv2) for the user's password
- EAP-FAST
  ○ No certificate required; uses a Protected Access Credential (PAC) to establish the tunnel
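The certificate difference as it shows up in supplicant configuration, added here as an example that is not from the original notes: two wpa_supplicant.conf network blocks, one for EAP-TLS and one for PEAP. The SSID, identity, certificate paths, RADIUS server name and password are placeholders.

```conf
# EAP-TLS: the supplicant presents its own certificate and private key,
# and validates the RADIUS server's certificate against the corporate CA.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@corp.example"
    ca_cert="/etc/wpa_supplicant/certs/corp-ca.pem"
    client_cert="/etc/wpa_supplicant/certs/alice.pem"
    private_key="/etc/wpa_supplicant/certs/alice.key"
}

# PEAP: only the server has a certificate; the user's password is checked by
# MS-CHAPv2 inside the TLS tunnel. ca_cert and domain_match are what stop an
# evil-twin AP with any certificate from harvesting the MS-CHAPv2 handshake.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    anonymous_identity="anonymous@corp.example"
    password="hunter2"
    ca_cert="/etc/wpa_supplicant/certs/corp-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
```

The practical caveat: a PEAP profile without server certificate validation is the single most common weakness in enterprise wireless, because the inner MS-CHAPv2 exchange is then handed to whoever answers the SSID and can be cracked offline.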
Supplicant
the device requesting access to the network, such as a user’s PC or laptop.