Methods of authentication Flashcards

1
Q

PKI(Public Key Infrastructure)

A

Certificates are the cornerstones of the PKI. A certificate is essentially a form of electronic credential that validates users, computers, or devices on the network.
A PKI is a collection of software, standards, and policies combined.

Components of PKI
Certificates: A certificate is a digitally signed statement that associates the credentials of a public key to the identity of the person, device, or service that holds the corresponding private key.
Certificate authorities (CAs): CAs issue and manage certificates. CAs can be either independent third parties, known as public CAs, or organizations running their own certificate-issuing server software, known as private CAs.
Certificate templates: Templates used to customize certificates issued by a Certificate Server. This customization includes a set of rules and settings created on the CA and used for incoming certificate requests.
Certificate Revocation List (CRL): A list of certificates that were revoked before they reached their expiration date. Certificates are often revoked due to security concerns such as a compromised certificate.
Two keys of PKI, public and private: the public key is freely given to all; the private key is never transmitted over the network.

Two ways keys can be used to secure data communications:

  1. Public (asymmetric) key encryption uses both a private and a public key: the public key encrypts messages and verifies signatures, the private key decrypts messages and signs documents.
  2. Private (symmetric) key encryption uses a single key for both encryption and decryption. Only permitted persons who hold the key can decrypt the encrypted data.
2
Q

Kerberos

A

Kerberos is an Internet Engineering Task Force (IETF) standard for providing authentication.
Kerberos uses single sign-on (sign in once and the username is not requested again).
Kerberos is designed to have entities authenticate themselves by demonstrating possession of secret information.
Kerberos is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos uses symmetric key cryptography, in which both client and server use the same encryption key to cipher and decipher data.
Kerberos authentication: Kerberos authentication works by assigning a unique key (called a ticket).
Each ticket is time-stamped. It expires after a period of time, and a new one is issued.
Kerberos is a client-server authentication protocol, which supports mutual authentication between a client and a server.
Kerberos uses the concept of a trusted third party (a key distribution center) that hands out tickets that are used instead of a username and password combination.

3
Q

Authentication, authorization, and accounting (AAA)

A

AAA allows a network to have a single repository of user credentials. A network administrator can then, for example, supply the same credentials to log onto various network devices (for example, routers and switches). RADIUS and TACACS+ are protocols commonly used to communicate with a AAA server.

TACACS+
Terminal Access Controller Access Control System+ (TACACS+) is a security protocol designed to provide centralized validation of users who are attempting to gain access to a router or Network Access Server (NAS). Like RADIUS, TACACS+ is a set of security protocols designed to provide authentication, authorization, and accounting (AAA) of remote users. TACACS+ uses TCP port 49 by default.

Remote Authentication Dial-In User Service (RADIUS) is a UDP-based protocol used to communicate with a AAA server. Unlike TACACS+, RADIUS does not encrypt the entire authentication packet, but only the password. However, RADIUS does offer more robust accounting features than TACACS+.

4
Q

CHAP Challenge-Handshake Authentication Protocol

A

CHAP performs a one-way authentication for a remote-access connection. However, authentication is performed through a three-way handshake (challenge, response, and acceptance messages) between a server and a client. The three-way handshake allows a client to be authenticated without sending credential information across a network.

5
Q

MS-CHAP (Microsoft Challenge-Handshake Authentication Protocol)

A

MS-CHAP is a Microsoft-enhanced version of CHAP, offering a collection of additional features not present in CHAP, including two-way authentication. MS-CHAP uses a challenge/response mechanism to keep the password from being sent during the authentication process. MS-CHAP uses the Message Digest 5 (MD5) hashing algorithm and the Data Encryption Standard (DES) encryption algorithm to generate the challenge and response. MS-CHAP v2 is the most secure version.

6
Q

Two-factor authentication

A

Two-factor authentication (TFA) requires two types of authentication from a user seeking admission to a network, for example, a password and biometrics.

7
Q

Multifactor authentication

A

Similar to two-factor authentication, multifactor authentication requires two or more types of successful authentication before granting access to a network.

8
Q

Single sign-on

A

Single sign-on (SSO) allows a user to authenticate only once to gain access to multiple systems, without requiring the user to independently authenticate with each system.

9
Q

EAP (Extensible Authentication Protocol)

A

An extension of PPP that supports authentication methods that go beyond the simple submission of a username and password. EAP was developed in response to an increasing demand for authentication methods that use other types of security devices such as token cards, smart cards, and digital certificates.

The Extensible Authentication Protocol (EAP) specifies how authentication is performed by IEEE 802.1X. A variety of EAP types exist: Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST), Extensible Authentication Protocol-Message Digest 5 (EAP-MD5), and Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).

10
Q

Network access control (802.1x, posture assessment)

A

Network Admission Control (NAC) can permit or deny access to a network based on characteristics of the device seeking admission, rather than just checking user credentials. For example, a client's OS and version of antivirus software could be checked against a set of requirements before allowing the client to access a network. This process of checking a client's characteristics is called posture assessment.
Used for wireless or wired LANs.
The device seeking admission to the network is called the supplicant. The device to which the supplicant connects (either wirelessly or through a wired connection) is called the authenticator. The device that checks the supplicant's credentials and permits or denies the supplicant access to the network is called an authentication server. Usually, an authentication server is a RADIUS server.
