Lesson 7 Implementing Authentication Controls Flashcards

1
Q

identity and access management (IAM)

A
  • Identification—creating an account or ID that uniquely represents the user, device, or process on the network.
  • Authentication—proving that a subject is who or what it claims to be when it attempts to access the resource.
  • Authorization—determining what rights subjects should have on each resource, and enforcing those rights.
  • Accounting—tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
2
Q

cryptographic hashes

A

Knowledge-based authentication relies on cryptographic hashes.

3
Q

Windows Authentication

A
  • Windows local sign-in—the Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.
  • Windows network sign-in—the LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.
  • Remote sign-in—if the user’s device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal.
4
Q

Linux Authentication

A

Interactive login over a network is typically accomplished using Secure Shell (SSH). With SSH, the user can be authenticated using cryptographic keys instead of a password.

A pluggable authentication module (PAM) is a package for enabling different authentication providers, such as smart-card login. The PAM framework can also be used to implement authentication to network servers.

5
Q

Kerberos Authentication

A

Kerberos is a single sign-on (SSO) network authentication and authorization protocol used on many networks, notably as implemented by Microsoft’s Active Directory (AD) service.

Clients request services from application servers, which both rely on an intermediary—a Key Distribution Center (KDC)—to vouch for their identity.

There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service. The KDC runs on port 88 using TCP or UDP.

6
Q

The Authentication Service is responsible for authenticating user logon requests.

A
  1. The client sends the authentication service (AS) a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user’s password hash as the key.

The Ticket Granting Ticket (TGT; or user ticket) is time-stamped (under Windows, they have a default maximum age of 10 hours). This means that workstations and servers on the network must be synchronized (to within five minutes) or a ticket will be rejected. This helps prevent replay attacks.

  2. The AS checks that the user account is present, that it can decode the request by matching the user’s password hash with the one in the Active Directory database, and that the request has not expired. If the request is valid, the AS responds with the following data:
  • Ticket Granting Ticket (TGT)—this contains information about the client (name and IP address) plus a timestamp and validity period. This is encrypted using the KDC’s secret key.
  • TGS session key for use in communications between the client and the Ticket Granting Service (TGS). This is encrypted using a hash of the user’s password. The TGT is an example of a logical token. All the TGT does is identify who you are and confirm that you have been authenticated—it does not provide you with access to any domain resources.
7
Q

The Challenge Handshake Authentication Protocol (CHAP)

A

CHAP relies on an encrypted challenge in a system called a three-way handshake.

  1. Challenge—the server challenges the client, sending a randomly generated challenge message.
  2. Response—the client responds with a hash calculated from the server challenge message and client password (or other shared secrets).
  3. Verification—the server performs its own hash using the password hash stored for the client. If it matches the response, then access is granted; otherwise, the connection is dropped.
8
Q

online password attack

A

An online password attack is where the threat actor interacts with the authentication service directly—a web login form or VPN gateway. It will show up in audit logs as repeated failed logins followed by a successful logon.

9
Q

Password spraying

A

Password spraying is a horizontal brute-force online attack. This means that the attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames.

10
Q

offline attack

A

An offline attack means that the attacker has managed to obtain a database of password hashes.

11
Q

dictionary attack

A

A dictionary attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password.

12
Q

Rainbow table attacks

A

Rainbow table attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes.

13
Q

hybrid password

A

A hybrid password attack uses a combination of dictionary and brute-force attacks.

It is principally targeted against naïve passwords with inadequate complexity, such as james1. The password cracking algorithm tests dictionary words and names in combination with a mask that limits the number of variations to test for, such as adding numeric prefixes and/or suffixes.

14
Q

Smart-card authentication

A

Smart-card authentication means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.

15
Q

Smart card

A

Smart card—some cards are powerful enough to generate key material using the cryptoprocessor embedded in the card.

16
Q

USB key

A

USB key—a cryptoprocessor can also be implemented in the USB form factor.

17
Q

Trusted Platform Module (TPM)

A

Trusted Platform Module (TPM)—a secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is usually a module within the CPU.

18
Q

hardware security module (HSM)

A

A hardware security module (HSM) is a network appliance designed to perform centralized PKI management for a network of devices.

This means that it can act as an archive or escrow for keys in case of loss or damage.

19
Q

Extensible Authentication Protocol (EAP)

A

Extensible Authentication Protocol (EAP) provides a framework for deploying multiple types of authentication protocols and technologies.

EAP allows lots of different authentication methods, but many of them use a digital certificate on the server and/or client machines.

20
Q

IEEE 802.1X Port-based Network Access Control (NAC)

A

IEEE 802.1X Port-based Network Access Control (NAC) protocol provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point, or VPN gateway. 802.1X uses authentication, authorization, and accounting (AAA) architecture.

21
Q

RADIUS

A

RADIUS supports PAP, CHAP, and EAP

22
Q

TACACS+

A

TACACS+ uses TCP communications (over port 49), and this reliable, connection-oriented delivery makes it easier to detect when a server is down.

All the data in TACACS+ packets is encrypted (except for the header identifying the packet as TACACS+ data), rather than just the authentication data.

23
Q

Open Authentication (OATH)

A

Open Authentication (OATH) is an industry body established with the aim of developing an open, strong authentication framework.

24
Q

HMAC-based One-time Password Algorithm (HOTP)

A

HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication. The authentication server and client token are configured with the same shared secret.

25
Q

Time-Based One-Time Password Algorithm (TOTP)

A

In Time-Based One-Time Password Algorithm (TOTP), the HMAC is built from the shared secret plus a value derived from the device’s and server’s local timestamps.

TOTP automatically expires each token after a short window (60 seconds, for instance). For this to work, the client device and server must be closely time-synchronized.

26
Q

False Rejection Rate (FRR)

A

False Rejection Rate (FRR)—where a legitimate user is not recognized. This is also referred to as a Type I error or false non-match rate (FNMR).

FRR is measured as a percentage.

27
Q

False Acceptance Rate (FAR)

A

False Acceptance Rate (FAR)—where an interloper is accepted (Type II error or false match rate [FMR]).

FAR is measured as a percentage.

28
Q

Crossover Error Rate (CER)

A

Crossover Error Rate (CER)—the point at which FRR and FAR meet. The lower the CER, the more efficient and reliable the technology.

29
Q

Failure to Enroll Rate (FER)

A

Failure to Enroll Rate (FER)—incidents in which a template cannot be created and matched for a user during enrollment.

30
Q

fingerprint sensor

A

A fingerprint sensor is usually implemented as a small capacitive cell that can detect the unique pattern of ridges making up the fingerprint.

31
Q

Retinal scan

A

Retinal scan—an infrared light is shone into the eye to identify the pattern of blood vessels. Retinal scanning is therefore one of the most accurate forms of biometrics.

32
Q

Iris scan

A

Iris scan—matches patterns on the surface of the eye using near-infrared imaging and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and a lot quicker.

Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases.

33
Q

Gait analysis

A

Gait analysis—produces a template from human movement. The technologies can either be camera-based or use smartphone features, such as an accelerometer and gyroscope.

34
Q

Signature recognition

A

Signature recognition—signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus).

35
Q

Typing

A

Typing—matches the speed and pattern of a user’s input of a passphrase.

36
Q

Biometric identification

A

Biometric identification refers to matching people to a database, as opposed to authenticating them.

37
Q

Continuous authentication

A

Continuous authentication verifies that the user who logged on is still operating the device. If a user successfully authenticates to a smartphone using a fingerprint, the device continues to monitor key motion and pressure statistics as the device is held and manipulated. If these deviate from the baseline, the detection system locks the phone.