Lesson 7 Authentication Controls Flashcards

1
Q

Access management

* know for test

A

Subjects
- user or software that requests access

Objects
- resources: networks, servers, data

Identification
- associating a subject with a computer/network account

Authentication

  • challenge the subject to supply credentials proving it owns the account
  • passwords, PIN, biometrics

Authorization

  • rights/permissions/privileges assigned to the account
  • what the subject is allowed to access

Accounting

  • auditing use of the account
  • who did what on the system
2
Q

AAA Server

A

A server which handles Authentication, Authorization and Accounting

RADIUS, TACACS+ (Kerberos is often listed alongside them, though it is an authentication and ticketing service rather than a full AAA protocol)

3
Q

Authentication Factors

* know for test

A

Something you know

  • knowledge factor
  • password, PIN, challenge questions, date of birth

Something you have

  • ownership factor
  • hardware token, key fob, smart card, birth certificate

Something you are/do

  • biometric factor
  • fingerprint, iris
4
Q

MFA

A

Multi Factor Authentication

- two or more authentication factors are used to authenticate user

5
Q

2FA

A

Two-Factor Authentication
requires two of the three authentication factors
something you know and something you have
or
something you know and something you are

NOT two of the same thing: something you know and something else you know

6
Q

Authentication Attributes

* know for test

A

somewhere you are

  • geolocation
  • IP location
  • switch port, VLAN, wireless network

something you can do
-perform an action uniquely

something you exhibit
-behavior or trait unique to you

someone you know
-web of trust

7
Q

OS Authentication Provider

A

OS Authentication Provider
The OS software architecture and code that provides the access mechanisms for authenticating a subject before a shell is started for it
- usually knowledge-based authentication using a password or PIN

  • storing password hashes is more secure than storing plain text
  • better still with a salt
  • better still if the hash store itself is encrypted (as Windows does with the SAM database)

Win Authentication

  • local sign-in uses LSA and SAM
    • LSA - Local Security Authority
    • SAM - Security Accounts Manager DB
  • network sign-in (Kerberos and NTLM)

Linux Authentication

  • /etc/passwd - account names and info
  • /etc/shadow - hashed passwords
  • Pluggable Authentication Modules (PAM)

Single Sign-on (SSO)

8
Q

Windows OS Authentication
Interactive login
network login

A

Local - interactive login
The Local Security Authority (LSA) hashes the submitted credentials and compares the result to the hash stored in the Security Accounts Manager (SAM) database

Network login:
The LSA submits the credentials to a network authentication service: Kerberos, or NT LAN Manager (NTLM) for older OSs and fallback cases

9
Q

Linux OS Authentication Provider

A

Local interactive shell logins: passwords are checked against the hashes in /etc/shadow

  • user names and account info are stored in /etc/passwd (world-readable)
  • hashed passwords are stored in /etc/shadow (readable only by root)

Network interactive shell logins: SSH (TCP port 22) is used, which can authenticate with public/private key pairs instead of passwords
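Added example (not part of the original flashcards): a small parser for /etc/shadow entries that shows where the algorithm identifier, salt and hash sit inside the password field, which accounts are locked, and when a password is due to expire. The sample lines are constructed; the hash strings are shaped like real ones but are not real hashes.

```python
"""Parse /etc/shadow entries to show where the hash, its salt and the algorithm live."""

# crypt(3) hash identifiers, as used by glibc/libxcrypt
CRYPT_IDS = {
    "1": "MD5-crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256-crypt",
    "6": "SHA-512-crypt",
    "7": "scrypt",
    "y": "yescrypt",
}

# The nine colon-separated fields of a shadow(5) entry
SHADOW_FIELDS = ("name", "passwd", "lastchg", "min", "max",
                 "warn", "inactive", "expire", "reserved")

# Constructed sample file: the hashes are placeholders with the right shape, not real hashes
SAMPLE_SHADOW = """\
root:$6$Gx7tq9bL$K2n0Vh1pF8s3JdQeYzLrMc5Wv6bXtA9uG4hR7kE2yNqPw1oSxZcT0iBfUjD8gHmVaI3lO5rC9nEsXyQ2w.:19700:0:99999:7:::
alice:$y$j9T$F5Jx6x4yYq9GmP2zk8VbE1$7yzK3DPLn9Yx2qTgB4sW8vQ1rC5uH0fEjM6aZ.oNdK7:19801:0:90:7:::
bob:$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW:19750:0:90:7:::
svc-backup:!:19500:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""


def classify_password_field(pw):
    """Interpret the password field: empty, locked, legacy DES, or $id$[params$]salt$hash."""
    none = {"algorithm": None, "params": None, "salt": None, "hash": None}
    if pw == "":
        return {"status": "no-password", **none}
    if pw[0] in "!*":
        return {"status": "locked", **none}       # '!'/'*' prefix: no hash can match
    if not pw.startswith("$"):
        # Legacy 13-character DES crypt: the first two characters are the salt
        return {"status": "active", "algorithm": "DES-crypt", "params": None,
                "salt": pw[:2], "hash": pw[2:]}
    chunks = pw.split("$")[1:]                    # drop the empty string before the leading '$'
    ident, rest = chunks[0], chunks[1:]
    algorithm = CRYPT_IDS.get(ident, f"unknown(${ident}$)")
    if ident.startswith("2"):
        # bcrypt: $2b$cost$ followed by 22 salt chars and 31 hash chars with no separator
        cost, blob = rest[0], rest[1]
        return {"status": "active", "algorithm": algorithm, "params": cost,
                "salt": blob[:22], "hash": blob[22:]}
    params = "$".join(rest[:-2]) or None          # e.g. rounds=5000 or yescrypt's j9T
    return {"status": "active", "algorithm": algorithm, "params": params,
            "salt": rest[-2], "hash": rest[-1]}


def parse_shadow_line(line):
    """Return a dict for one shadow entry, with the password field decomposed."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(SHADOW_FIELDS):
        raise ValueError(f"expected {len(SHADOW_FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(SHADOW_FIELDS, parts))
    entry.update(classify_password_field(entry["passwd"]))
    return entry


def parse_shadow(text):
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]


def password_expires_on(entry):
    """Day number (days since 1970-01-01) when the password must be changed, or None."""
    if not entry["lastchg"] or not entry["max"] or int(entry["max"]) >= 99999:
        return None
    return int(entry["lastchg"]) + int(entry["max"])


def crackable_entries(entries):
    """Accounts an offline attacker holding this file could actually attack."""
    return [e["name"] for e in entries if e["status"] == "active"]


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f'{e["name"]:12} {e["status"]:12} {e["algorithm"] or "-":14} salt={e["salt"]}')
```

The salt is stored in the clear next to the hash: it is not a secret, its job is to make every stored hash unique so that precomputed tables cannot be reused.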

10
Q

SSO - Single Sign-On

A

Allows a subject to authenticate once to a local device and then be authenticated to compatible application servers without entering credentials again

The Kerberos framework provides this service

11
Q

Kerberos Authentication Summarized

A

Utilizes a Key Distribution Center (KDC) to issue encrypted tickets to a client, which the client uses to establish an authenticated connection to the application server. Once this mutual authentication has occurred, client-server actions take place.

Clients and application servers rely on the Key Distribution Center (KDC) to vouch for each other's identity

Runs on TCP or UDP port 88

12
Q

Kerberos Authorization - gory details

A

Assumes the principal has already been authenticated (the AS exchange) and holds a Ticket Granting Ticket (TGT) and a TGS session key
The client obtained the TGS session key by decrypting the AS reply with a key derived from the user's password
The client sends two messages to the KDC:
- a copy of the TGT plus the name of the application server it wishes to access; the TGT is already encrypted with the KDC's secret key
- an authenticator consisting of the client ID and a timestamp, encrypted with the TGS session key
The KDC's Ticket Granting Service (TGS) decrypts both messages:
- the TGT with the KDC's secret key (which also yields the TGS session key)
- the authenticator with the TGS session key
The TGS responds with:
- a service session key for use between the app server and the principal, encrypted with the TGS session key
- a service ticket containing info about the user plus the service session key, encrypted with the app server's secret key
The client forwards two messages to the app server:
- the service ticket, as encrypted by the KDC with the app server's secret key
- a new timestamped authenticator, encrypted with the service session key
The app server:
- decrypts the service ticket with its own secret key to obtain the service session key; a successful decryption shows the ticket came from the KDC and was not tampered with
- decrypts the authenticator with the service session key and checks the timestamp (stale or replayed authenticators are rejected)
- returns the timestamp from the authenticator to the client, encrypted with the service session key
The client decrypts the reply with the service session key; a matching timestamp proves the app server knew its own secret key, so the client concludes the server is genuine
This is called mutual authentication
The server now responds to the client's requests
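Added example (not part of the original flashcards, and not real Kerberos): a toy simulation of the TGS and AP exchanges above, so the "who can decrypt what" rules are visible in code. Messages are JSON sealed with a stdlib-only stand-in cipher (SHA-256 keystream plus HMAC) in place of Kerberos encryption types; the key sizes, the 5-minute skew, the principal and service names are all assumptions for illustration.

```python
"""Toy simulation of the Kerberos TGS and AP exchanges (added example, not real Kerberos)."""
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds; Kerberos tolerates about five minutes of clock skew

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object; stands in for a Kerberos enctype."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.kdc_key = os.urandom(32)   # the KDC's own secret (krbtgt); nobody else has it
        self.service_keys = {}          # SPN -> that app server's secret key

    def issue_tgt(self, principal):
        """Stands in for the AS exchange the card assumes has already happened."""
        tgs_key = os.urandom(32)
        return seal(self.kdc_key, {"principal": principal, "session_key": tgs_key.hex()}), tgs_key

    def tgs_exchange(self, tgt, spn, authenticator, now):
        body = unseal(self.kdc_key, tgt)                       # TGT: KDC secret key
        tgs_key = bytes.fromhex(body["session_key"])
        auth = unseal(tgs_key, authenticator)                  # authenticator: TGS session key
        if auth["principal"] != body["principal"] or abs(now - auth["timestamp"]) > MAX_SKEW:
            raise PermissionError("authenticator does not match TGT or is stale")
        svc_key = os.urandom(32)                               # service session key
        ticket = seal(self.service_keys[spn],
                      {"principal": auth["principal"], "spn": spn, "session_key": svc_key.hex()})
        return ticket, seal(tgs_key, {"spn": spn, "session_key": svc_key.hex()})

class AppServer:
    def __init__(self, spn, kdc):
        self.spn, self.key, self.replay_cache = spn, os.urandom(32), set()
        kdc.service_keys[spn] = self.key                       # shared only with the KDC

    def ap_exchange(self, ticket, authenticator, now):
        body = unseal(self.key, ticket)                        # own key: proves the KDC issued it
        svc_key = bytes.fromhex(body["session_key"])
        auth = unseal(svc_key, authenticator)
        if body["spn"] != self.spn or auth["principal"] != body["principal"]:
            raise PermissionError("ticket and authenticator disagree")
        if abs(now - auth["timestamp"]) > MAX_SKEW:
            raise PermissionError("stale authenticator")
        if (auth["principal"], auth["timestamp"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((auth["principal"], auth["timestamp"]))
        return seal(svc_key, {"timestamp": auth["timestamp"]})  # mutual auth: echo timestamp

def client_access(kdc, server, principal, tgt, tgs_key, now):
    """Client side of both exchanges. Returns (ticket, AP authenticator, service session key)."""
    tgs_auth = seal(tgs_key, {"principal": principal, "timestamp": now})
    ticket, reply = kdc.tgs_exchange(tgt, server.spn, tgs_auth, now)
    svc_key = bytes.fromhex(unseal(tgs_key, reply)["session_key"])
    ap_auth = seal(svc_key, {"principal": principal, "timestamp": now})
    if unseal(svc_key, server.ap_exchange(ticket, ap_auth, now))["timestamp"] != now:
        raise PermissionError("server failed mutual authentication")
    return ticket, ap_auth, svc_key

def demo(now=1_700_000_000):
    kdc = KDC()
    files = AppServer("cifs/files.example.test", kdc)           # assumed SPN
    tgt, tgs_key = kdc.issue_tgt("alice@EXAMPLE.TEST")          # assumed principal
    ticket, ap_auth, svc_key = client_access(kdc, files, "alice@EXAMPLE.TEST", tgt, tgs_key, now)
    results = {"session_established": len(svc_key) == 32}
    try:   # an eavesdropper replays the captured ticket + authenticator a second later
        files.ap_exchange(ticket, ap_auth, now + 1)
        results["replay_rejected"] = False
    except PermissionError:
        results["replay_rejected"] = True
    try:   # a forged ticket sealed under a guessed key fails the integrity check
        files.ap_exchange(seal(os.urandom(32), {"principal": "mallory"}), ap_auth, now)
        results["forgery_rejected"] = False
    except ValueError:
        results["forgery_rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```

Two things to notice: the client never sees the app server's secret key (it only forwards the opaque ticket), and the app server never talks to the KDC during the exchange; the shared secret it holds with the KDC is what lets it trust the ticket.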

13
Q

Authentication Protocols for use with remote access protocols (serial link or VPN)

A

PAP - Password Authentication Protocol

  • sends the username and password in clear text; very outdated and unsafe
  • used over Point-to-Point Protocol (PPP) links; the exchange is similar to HTTP basic authentication

CHAP - Challenge Handshake Authentication Protocol

  • harder to cheat: the password itself is never sent, but the MD5 response is not encrypted, so a captured challenge/response pair can be attacked offline, and the server must store the secret in plain text to verify it
  • a three-way handshake: challenge, response, verification (success/failure)
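Added example (not part of the original flashcards): the CHAP three-way handshake as specified in RFC 1994, with both sides' messages, a one-shot challenge so a response cannot be replayed, and the offline dictionary attack an eavesdropper can run against a captured challenge/response pair. The user name, secret and wordlist are constructed.

```python
"""CHAP three-way handshake (RFC 1994) and the offline attack a captured exchange invites."""
import hashlib, hmac, os


def chap_response(ident, secret, challenge):
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """The server side. Note it must hold the peer's secret in plain text to verify."""

    def __init__(self, secrets):
        self.secrets = secrets          # name -> plaintext secret (constructed)
        self.ident = 0
        self.pending = {}               # ident -> outstanding challenge (one-shot)

    def send_challenge(self):
        """Step 1: Challenge packet with a fresh identifier and random challenge value."""
        self.ident = (self.ident + 1) % 256
        challenge = os.urandom(16)
        self.pending[self.ident] = challenge
        return self.ident, challenge

    def verify(self, ident, name, response):
        """Step 3: Success/Failure. A challenge may be answered only once."""
        challenge = self.pending.pop(ident, None)
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)


def peer_respond(name, secret, ident, challenge):
    """Step 2: the peer answers with its name and the hashed response."""
    return ident, name, chap_response(ident, secret, challenge)


def offline_dictionary_attack(ident, challenge, response, wordlist):
    """An eavesdropper who captured (ident, challenge, response) needs no further
    interaction with the server: every guess is checked locally at MD5 speed."""
    for guess in wordlist:
        if chap_response(ident, guess.encode(), challenge) == response:
            return guess
    return None


def run_handshake(secret_on_server, secret_on_peer):
    """Full exchange; returns (authenticated?, what a sniffer on the link would see)."""
    server = Authenticator({"ppp-user": secret_on_server})
    ident, challenge = server.send_challenge()
    ident, name, response = peer_respond("ppp-user", secret_on_peer, ident, challenge)
    return server.verify(ident, name, response), (ident, challenge, response)


if __name__ == "__main__":
    ok, captured = run_handshake(b"letmein", b"letmein")
    print("authenticated:", ok)
    print("recovered offline:", offline_dictionary_attack(*captured, ["123456", "letmein"]))
```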
14
Q

Password Attacks

A

Plain text passwords and protocols (PAP, basic HTTP/FTP and Telnet) should not be used

Online Attacks - accounts should lock after a number of failed attempts; evidence shows up in logs as several failed attempts followed by a successful login, or successful logons at unusual times or from unusual locations

Password Spraying - a horizontal brute-force online attack; the attacker tries a few common passwords against many usernames, staying under the lockout threshold for each account

Offline Attacks - the attacker has obtained a database of hashed passwords (Windows - NTDS.DIT on a domain controller or the local SAM, Linux - /etc/shadow), so does not have to interact with the authentication system. An indication of such an attack is access to the file showing up in the system logs.
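Added example (not part of the original flashcards): detection logic for the online-attack patterns described above, run over constructed OpenSSH-style log lines. It separates a password spray (one source, many usernames, one or two tries each) from a vertical brute force (one source, one username, many tries) and flags the tell-tale "many failures then a success" sequence. The log lines, hostnames, IPs (documentation ranges) and thresholds are constructed assumptions.

```python
"""Spot password spraying, brute force and failed-then-success patterns in sshd logs."""
import re
from collections import defaultdict

# Constructed sample log in OpenSSH's format; IPs are from RFC 5737 documentation ranges
SAMPLE_LOG = """\
Mar  4 02:13:07 bastion sshd[1201]: Failed password for alice from 203.0.113.7 port 51122 ssh2
Mar  4 02:13:09 bastion sshd[1201]: Failed password for bob from 203.0.113.7 port 51123 ssh2
Mar  4 02:13:11 bastion sshd[1202]: Failed password for invalid user carol from 203.0.113.7 port 51124 ssh2
Mar  4 02:13:13 bastion sshd[1202]: Failed password for dave from 203.0.113.7 port 51125 ssh2
Mar  4 02:13:15 bastion sshd[1203]: Failed password for erin from 203.0.113.7 port 51126 ssh2
Mar  4 02:13:17 bastion sshd[1203]: Failed password for frank from 203.0.113.7 port 51127 ssh2
Mar  4 03:40:01 bastion sshd[1310]: Failed password for root from 198.51.100.23 port 40001 ssh2
Mar  4 03:40:03 bastion sshd[1310]: Failed password for root from 198.51.100.23 port 40002 ssh2
Mar  4 03:40:05 bastion sshd[1310]: Failed password for root from 198.51.100.23 port 40003 ssh2
Mar  4 03:40:07 bastion sshd[1311]: Failed password for root from 198.51.100.23 port 40004 ssh2
Mar  4 03:40:09 bastion sshd[1311]: Failed password for root from 198.51.100.23 port 40005 ssh2
Mar  4 03:40:11 bastion sshd[1311]: Failed password for root from 198.51.100.23 port 40006 ssh2
Mar  4 03:40:13 bastion sshd[1311]: Accepted password for root from 198.51.100.23 port 40007 ssh2
Mar  4 09:02:44 bastion sshd[1500]: Failed password for alice from 192.0.2.10 port 60010 ssh2
Mar  4 09:02:51 bastion sshd[1500]: Accepted publickey for alice from 192.0.2.10 port 60010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text):
    """Keep only authentication outcomes; other sshd chatter is ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events, spray_min_users=5, brute_min_fails=5, fails_before_success=3):
    """Thresholds are assumptions; tune them to the environment's normal typo rate."""
    fails_by_ip_user = defaultdict(int)   # vertical: same account hammered
    users_by_ip = defaultdict(set)        # horizontal: many accounts from one source
    findings = {"spray": set(), "brute_force": set(), "failed_then_success": set()}
    for ev in events:                     # single pass, in log order
        key = (ev["ip"], ev["user"])
        if ev["result"] == "Failed":
            fails_by_ip_user[key] += 1
            users_by_ip[ev["ip"]].add(ev["user"])
        elif fails_by_ip_user[key] >= fails_before_success:
            findings["failed_then_success"].add(key)   # the classic compromise signature
    for ip, users in users_by_ip.items():
        if len(users) >= spray_min_users:
            findings["spray"].add(ip)
    for key, n in fails_by_ip_user.items():
        if n >= brute_min_fails:
            findings["brute_force"].add(key)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, hits in detect(parse_events(SAMPLE_LOG)).items():
        print(f"{kind:20} {hits}")
```

The spraying source never trips a per-account lockout (one failure per user), which is exactly why per-account lockout alone does not catch it; the per-source distinct-user count does.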

15
Q

Password Attacks - Brute Force and Dictionary Attacks

A

Brute Force - tries every combination of characters in the key space; impractical for longer passwords due to the time and compute power needed

Dictionary - hashes plaintext words (and common variations) and tries to match them to a captured hash. Rainbow tables (precomputed hash chains) speed up the matching. Salting hashes thwarts precomputation, since the table would have to be rebuilt for every salt.
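Added example (not part of the original flashcards) covering both the "hash, then salt, then better still" bullets on the OS Authentication Provider card and the dictionary/rainbow-table point here: a precomputed lookup table cracks unsalted hashes with zero hashing at attack time and also exposes password reuse, a per-user salt forces the attacker to re-hash the whole wordlist for every record, and a slow KDF (PBKDF2 here) makes each of those guesses expensive. Plain SHA-256 is used for the first two parts only so the precomputation effect stays visible; the wordlist, users and salts are constructed.

```python
"""Why a salt defeats precomputed dictionary attacks, and what a slow KDF adds on top."""
import hashlib, hmac, os

WORDLIST = ["123456", "password", "Summer2024", "letmein", "qwerty"]  # constructed


def unsalted_hash(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw, salt):
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def store_salted(pw):
    """What a sane password store keeps: a random per-user salt beside the hash."""
    salt = os.urandom(8)
    return salt, salted_hash(pw, salt)


def build_lookup_table(words):
    """Precomputed once, reusable against every unsalted hash ever captured."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(hashes_by_user, table):
    """One dictionary lookup per hash; no hashing at attack time."""
    return {u: table[h] for u, h in hashes_by_user.items() if h in table}


def crack_salted(records_by_user, words):
    """records: user -> (salt, hash). Every salt forces a fresh pass over the wordlist."""
    found, work = {}, 0
    for user, (salt, h) in records_by_user.items():
        for w in words:
            work += 1
            if salted_hash(w, salt) == h:
                found[user] = w
                break
    return found, work


def pbkdf2_store(pw, iterations=100_000):
    """Salted AND slow: each guess now costs `iterations` HMAC rounds instead of one hash.
    Production systems use higher counts, or bcrypt/scrypt/Argon2."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored, pw):
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    # Constructed password store: two users reuse the same weak password
    users = {"alice": "Summer2024", "bob": "Summer2024", "carol": "c0rrect-h0rse-b@ttery"}
    unsalted = {u: unsalted_hash(p) for u, p in users.items()}
    salted = {u: store_salted(p) for u, p in users.items()}
    cracked_unsalted = crack_unsalted(unsalted, build_lookup_table(WORDLIST))
    cracked_salted, work = crack_salted(salted, WORDLIST)
    return {
        "reuse_visible": unsalted["alice"] == unsalted["bob"],   # identical hashes leak reuse
        "reuse_hidden": salted["alice"][1] != salted["bob"][1],
        "unsalted_cracked": sorted(cracked_unsalted),
        "salted_cracked": sorted(cracked_salted),
        "salted_work": work,                                     # hashes computed at attack time
    }


if __name__ == "__main__":
    print(demo())
```

The salt does not stop a weak password from being guessed (both salted copies of Summer2024 still fall); it removes the attacker's ability to amortise the work across targets, and the KDF then raises the price of every remaining guess.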

16
Q

EAP / IEEE 802.1X

A

EAP - Extensible Authentication Protocol

  • a framework for deploying multiple types of authentication protocols and technologies
  • think 802.1X, see diagram
17
Q

IEEE 802.1X

A

IEEE 802.1X Port-based Network Access Control (PNAC) protocol

  • provides a means of using an EAP method when a device connects to a switch port or wireless access point
  • utilizes a supplicant (the device requesting access), an authenticator / Network Access Server (NAS) and a AAA server

The AAA server can be RADIUS (UDP 1812/1813) or TACACS+ (TCP 49)

See diagram

18
Q

RADIUS Server

A

An Authentication, Authorization and Accounting server used in a network

See diagram for details

Uses UDP over ports 1812 (authentication and authorization) and 1813 (accounting)

Shares a secret with each Network Access Server (NAS); the secret protects the User-Password attribute and authenticates the server's replies to the NAS

The NAS is the go-between of the supplicant and the RADIUS AAA server
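Added example (not part of the original flashcards): what the RADIUS shared secret actually does to the password inside an Access-Request, implemented from RFC 2865 section 5.2 (the NAS pads the password, then XORs each 16-byte block with MD5 of the secret concatenated with the previous block, seeded by the Request Authenticator), plus the offline attack a weak shared secret invites. The password, secret and candidate list are constructed.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and why the shared secret must be strong."""
import hashlib, os


def encode_user_password(password, secret, request_authenticator):
    """NAS side. Pad to a multiple of 16 with NULs, then for each block:
    c_i = p_i XOR MD5(secret || c_{i-1}), with c_0 = the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def decode_user_password(ciphertext, secret, request_authenticator):
    """RADIUS server side: same keystream, XOR back, strip the NUL padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(ciphertext), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(ciphertext[i:i + 16], block))
        prev = ciphertext[i:i + 16]
    return out.rstrip(b"\x00")


def nas_access_request(password, secret):
    """What the NAS does per request: a fresh random Request Authenticator, then hide the password."""
    request_authenticator = os.urandom(16)
    return request_authenticator, encode_user_password(password, secret, request_authenticator)


def recover_shared_secret(ciphertext, request_authenticator, known_password, candidates):
    """An attacker who captured an Access-Request for a password they know (their own account)
    can test candidate secrets offline; MD5 is fast, so a dictionary-word secret falls quickly."""
    for secret in candidates:
        if decode_user_password(ciphertext, secret, request_authenticator) == known_password:
            return secret
    return None


if __name__ == "__main__":
    ra, hidden = nas_access_request(b"Summer2024!", b"testing123")   # constructed values
    print("on the wire:", hidden.hex())
    print("server sees:", decode_user_password(hidden, b"testing123", ra))
    print("secret recovered offline:", recover_shared_secret(
        hidden, ra, b"Summer2024!", [b"secret", b"radius", b"testing123"]))
```

This is obfuscation keyed by the shared secret, not authenticated encryption: anyone holding the secret (or who recovers it) reads every password that passes through the NAS, which is why RADIUS is normally confined to a management network or wrapped in IPsec/TLS.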

19
Q

TACACS+

A

Terminal Access Controller Access-Control System Plus

  • a form of AAA server
  • used by network admins to allocate specific privileges on each switch, router, access point and firewall (per-command authorization)
  • uses TCP over port 49; the packet body is encrypted with the shared secret
20
Q

Biometric Authentication

A

FRR - False Rejection Rate (Type I error): a legitimate user is rejected
- the lower the sensitivity, the lower the FRR
FAR - False Acceptance Rate (Type II error): an impostor is accepted
- the lower the sensitivity, the higher the FAR
CER - Crossover Error Rate - the sweet spot
- the sensitivity where the FRR and FAR curves meet; a lower CER means a more accurate system

recall the diagram Error Rate (y-axis) vs Sensitivity of Sensor (x-axis)

Tuning for a high FRR gives higher security but less usability, since legitimate users are turned away
A higher FAR can lead to security breaches
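Added example (not part of the original flashcards): FAR, FRR and the crossover point computed from constructed match scores, so the trade-off on the diagram becomes a sweep over the sensor threshold. Scores are made-up 0-100 similarity values between a presented sample and the enrolled template; "sensitivity" is modelled as the minimum score a sample must reach to be accepted.

```python
"""FAR, FRR and the crossover error rate computed from constructed biometric match scores."""

GENUINE = [91, 88, 95, 72, 85, 93, 79, 89, 97, 83]    # enrolled users' own attempts (constructed)
IMPOSTOR = [35, 52, 61, 44, 70, 58, 48, 66, 39, 74]   # other people's attempts (constructed)


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostors whose score clears the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of legitimate users whose score falls short."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curves(lo=0, hi=100):
    """(threshold, FAR, FRR) for every sensitivity setting: the two curves on the diagram."""
    return [(t, far(t), frr(t)) for t in range(lo, hi + 1)]


def crossover(curves=None):
    """CER: the threshold where FAR and FRR are closest (equal, on a fine enough sweep)."""
    curves = curves or error_curves()
    return min(curves, key=lambda row: abs(row[1] - row[2]))


def threshold_for_max_far(max_far):
    """High-security tuning: the lowest threshold whose FAR is acceptable, and the FRR it costs."""
    for t, a, r in error_curves():
        if a <= max_far:
            return t, r
    return None


def threshold_for_max_frr(max_frr):
    """Convenience tuning: the highest threshold that still admits enough genuine users, and its FAR."""
    for t, a, r in reversed(error_curves()):
        if r <= max_frr:
            return t, a
    return None


if __name__ == "__main__":
    t, a, r = crossover()
    print(f"CER at threshold {t}: FAR={a:.2f} FRR={r:.2f}")
    print("no impostors accepted:", threshold_for_max_far(0.0))
    print("no genuine users rejected:", threshold_for_max_frr(0.0))
```

With these scores the curves cross at threshold 73 with both error rates at 10%; pushing the threshold up to 75 drives FAR to zero at the cost of rejecting one in ten legitimate attempts, which is the "no one gets in" end of the trade-off.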

21
Q

Smart Card Authentication using Kerberos - ordered steps

A

For Kerberos authentication using a smart card (PKINIT):

  1. The user presents the smart card to a reader and enters a PIN
  2. A correct PIN authorizes the smart card's cryptoprocessor to use its private key to sign a Ticket Granting Ticket (TGT) request, which is sent to the Authentication Server (AS)
  3. The AS verifies the signature with the matching public key from the user's certificate, and trusts the certificate because it was issued by a local CA or by a third-party CA that chains to a trusted root CA
  4. The AS responds with a TGT and the Ticket Granting Service (TGS) session key
22
Q

Key Management Devices

A

Smart Card - has a cryptoprocessor
USB Key - if it has a cryptoprocessor
TPM - Trusted Platform Module
- a secure cryptoprocessor implemented as a chip on the device's motherboard or as firmware within the CPU

HSM - Hardware Security Module

  • an appliance (typically a network appliance) designed to perform centralized PKI management for a network of devices
  • used to provision keys to non-users such as servers and network appliances
  • provides a key escrow service
23
Q

2 Biometric scanning steps

A
  1. A sensor module to acquire the sample
  2. A feature extraction module to record the features that uniquely identify the target