Part1 (ch 6-9) Flashcards
PKI
Prove the owners of public keys are who they say they are
To issue a Public Key (used to encrypt messages) should have a digital certificate (public assertion of identity)
CSR
Certificate Signing Request, when someone wants a certificate they fill out a CSR & send it to the CA
RAs
Registration Authority, checks Id & submits CSR, but doesn’t sign or issue certificates
digital certificate
A wrapper for a public key, has the info about the subject & who issued the certificate
based on X.509 standard
PKCS
Public Key Cryptography Standards, RSA created these to promote public key infrastructure
CN & SAN
Common Name used to id FQDN but difficult to use correctly
Subject Alternative Name, browser uses SAN over CN & can have different website subdomains (*.comptia.org)
server certificate
guarantees security of any site a user gives data to
What is the main weakness of a hierarchical trust model?
The structure depends on the integrity of the root CA.
How does a subject go about obtaining a certificate from a CA?
the subject generates a key pair then adds the public key along with subject information and certificate type in a (CSR) and submits it to the CA.
If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.
What cryptographic information is stored in a digital certificate?
The subject’s public key and the algorithms used for encryption and hashing. The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.
You are developing a secure web application. What sort of certificate should you request to show that you are the publisher of a program?
A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.
What does it mean if a certificate extension attribute is marked as critical?
That the application processing the certificate must be able to interpret the extension correctly. Otherwise, should reject the certificate.
key’s life cycle
Key Generation, Cert generation, storage (keep private key secure), revoke (if private key compromised), expire & renewal
M-of-N control
N # of admin permitted to access (N > M)
M # of admin present to get access (M > 1)
(OCSP)
Online Certificate Status Protocol - gives status of requested certificate
Encoding Certificate: DER & PEM
Distinguished Encoding Rules (binary files)
Privacy-enhanced Mail (ASCII) “BEGIN CERTIFICATE”
cryptographic data for certificates & keys
What are the potential consequences if a company loses control of a private key?
puts both data confidentiality and identification and authentication systems at risk
You are advising a customer about encryption for data backup security and the key escrow services that you offer. How should you explain the risks of key escrow and potential mitigations?
Escrow archiving the key
The risk is that an insider attack from your company may be able to decrypt the customer data backups. This risk can be mitigated by requiring M-of-N access to the escrow keys, reducing the risk of a rogue administrator
HTTP Public Key Pinning (HPKP)
ensures that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate by submitting one or more public keys to an HTTP browser via an HTTP header.
Subject vs. Objects
users, devices, or software processes, or anything else that can request and be granted access to a resource
networks, servers, databases, files
IAM
Identity Access Mgmt
Identification: create acct or Id for user or device
Authentication: Prove Identity & make it unique
Authorization: Permissions
Accounting: Track Usage (Resource, Rights,…)
CIA Authentication Design
Confidential: critical to avoid impersonating
Integrity: Reliable, not easily tricked
Availability: Does not impeded workflow
Used for Authentication
What is the difference between authorization and authentication?
Authorization manages the privileges granted on a computer system or resource.
Authentication protects the user account by testing if the person accessing that account is who she/he says she/he is.
What methods can be used to implement location based authentication?
You can query the location service running on a device or geolocation by IP.
You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.
KDC aka TGS
AS
TGT
Key Distribution Center (vouches for identity)
Authentication Service
Ticket Granting Ticket (token confirms id)
Client sends AS a request for a TGT
AS checks if PW hash matches Active Directory
If yes, AS gives TGT & TGS session key
Kerberos
Lets nodes confirm identity securely
1) Request Service Ticket from TGS
2) Client gives TGS a TGT
3) TGS gives Service Session Key & service ticket
4) Client forwards service ticket + timestamp
5) App server decrypts service ticket
6) App server may give client timestamp
7) Server responds to client’s request if ACL ok
Offline Attack
Attacker has database of PW hashes
Detect by checking the file system audit log
Packet Sniffer
Monitors network traffic (can be used by attackers in NTLM or CHAP)
Brute Force Attack
Dictionary Attack
Rainbow Table
Hybrid PW Attack
Every Combo to match a hash & plaintext
SW generates hash values using plaintext dictionary
Table of all possible PW & their hashes - salt protects
Dictionary & Brute Force Combo
In what scenario would PAP be considered a secure authentication method?
The only way to ensure the security of PAP is to ensure that the endpoints established a secure tunnel (using IPSec, for instance). Best not to use PAP
True or false? In order to create a service ticket, Kerberos passes the user’s password to the target application server for authentication.
False—only the KDC verifies the user credential. The Ticket Granting Service (TGS) sends the user’s account details (SID) to the target application for authorization (allocation of permissions), not authentication
Which property of a plaintext password is most effective at defeating a brute-force attack?
The length of the password. If the password does not have any complexity (if it is just two dictionary words, for instance), it may still be vulnerable to a dictionary based attack. A long password may still be vulnerable if the output space is small or if the mechanism used to hash the password is faulty (LM hashes being one example).
True or false? When implementing smart card logon, the user’s private key is stored on the smart card.
True. The smart card implements a crypto-processor for secure generation and storage of key and certificate material
Smart cards stores user digital certificate, PIN, & private key used for certification
Smart-card Authentication, Kerberos
1) Smart card + Pin
2) Smart Card uses private key to create TGT to send to AS
3) AS returns with TGT & TGS session key
NAS (Network Access Server)
Radius Client/Authenticators
Edge Network Appliances, switches, AP, VPN gateways
any device that handles remote logins to establish a point-to-point protocol connection. Some people call these devices media access gateways or remote access servers
Supplicant
In AAA, the device requesting access (i.e. PC or laptop)
OATH
2 algorithms for OTPs
Open Authentication
HOTP (i.e. QR code, tokens don’t expire)
TOTP (PW quickly expires)
HMAC One-Time-Password Algo vs Token OTP
FRR
FAR
CER
False Rejection Rate - legit user not recognized
(False Negative)
False Acceptance Rate - interloper accepted
(False Positive)
Crossover Error Rate - lower = more reliable
How is a fingerprint reader typically implemented as hardware?
As a capacitive cell
What two ways can biometric technologies be used other than for logon authentication?
For identification based on biometric features and in continuous authentication mechanisms.
default account
Created by the OS or application when it is installed. Has every permission available. In Windows, this account is called Administrator; in Linux, it is called root.
Service Accounts
Used to run processes & background services
System (most privilege), Local (Standard, anonymous user), Network (same as Local but can use acct credentials)
SSH & 3rd party credentials
Host key pair Ids SSH server
User key pair lets client login to SSH
These are poorly managed, sony hack
API keys are also vulnerable
For what type of account would interactive logon be disabled?
Interactive logon refers to starting a shell. Service accounts do not require this type of access. Default superuser accounts, such as Administrator and root, may also be disabled, or limited to use in system recovery or repair.
How to Id a user account?
SID, name, credential, profile (stores user info)
PW age vs. PW History
Age (How long since the PW was used)
History (Was the PW already used?)
What container would you use if you want to apply a different security policy to a subset of objects within the same domain?
Organization Unit (OU)
DAC
RBAC
Mandatory access control (MAC)
ABAC
Discretionary Access Control - Owner gives rights, weakest, more flexible
Rule-based Access Control - better, system-enforced rules
MAC - only given access to their clearance level or lower (hierarchy-based)
Attribute-based Access Control - try rbac before this
Directory services
What is the purpose of directory services?
principal means of providing privilege management and authorization on an enterprise network, storing information about users, computers, security groups/roles, and services
To store information about network resources and users in a format that can be accessed and updated using standard queries.
SAML
Security Assertions Markup Language
Written in XML & SOAP, provider Identity assert (via digital signature) for federations
i.e. AWS
SOAP - simple object access protocol (XML, tight)
REST
Representational State Transfer
looser public cloud API, more control over implementation, better mobile app support
OAuth
Open Authorization, RESTful API, does not authenticate users
OIDC
Open ID Connect - authentication protocol implemented with OAuth
CTF
Capture the flag, ethical hacker training programs.
Threat actor activity (blue team)
Vulnerability (red team)
Switches Routers Firewalls Load Balancers DNS
Forward frames, OSI-2
Forward packets, OSI-3
apply ACL to filter in Network segment, OSI-3
Distribute traffic between Network for optimal performance, OSI-4
Ph book, OSI-7
ARP
Does anybody know how has this IP?
Zone
area of the network where the security configuration is the same for all hosts within it.
Internet (public), Extranet (semi), Intranet (private)
screened subnet
2 firewalls placed on either side of DMZ
screened host
cheaper DMZ for SOHO, dual-homed proxy/gateway
DMZ
How can an enterprise DMZ be implemented?
a perimeter network protecting an organization’s internal (LAN) from untrusted traffic.
A subnetwork that sits between the public internet and private networks
By using two firewalls (external and internal) around a screened subnet, or by using a triple-homed firewall (one with three network interfaces).
Why is subnetting useful in secure network design?
Subnet traffic is routed, allowing it to be filtered by devices such as a firewall. An attacker must be able to gather more information about the configuration of the network and overcome more barriers to launch successful attacks.
What port security feature mitigates ARP poisoning?
Dynamic ARP inspection—though this relies upon DHCP snooping being enabled.
What is a dissolvable agent?
Some network access control (NAC) solutions perform host health checks via a local agent, running on the host. A dissolvable agent is one that is executed in the host’s memory and CPU but not installed to a local disk.
mac address vs ip address
MAC Address is used to ensure the physical address of computer. It uniquely identifies the devices on a network. While IP address are used to uniquely identifies the connection of network with that device take part in a network
WAP
wireless access point, forwards traffic to& from switch network MAC address (aka BBISD) ids each WAP SSID ids each Wireless network
WPA
Wi-fi Protected Access, fix critical vulnerabilities in WEP
Add TKIP to make it stronger
Use WPA2 with 128-bit keys & CCMP over TKIP
Tougher on Replay attacks
SAE
Simultaneous Authentication of Equals
replaces WPA’s 4-way handshake with Diffie-Hellman key agreement
GCMP
AES Galois Counter Mode Protocol
Enterprise must use 192-bit, updated cryptographic protcols
Evil Twin
Rogue WAP masquerading as a legit one
i.e. hotel WAP
persistence
What mechanism provides the most reliable means of associating a client with a particular server node when using load balancing?
keep a client connected to a session
Persistence is a layer 7 mechanism that works by injecting a session cookie. This is generally more reliable than the layer 4 source IP affinity mechanism
