Topic 4 and 5 Flashcards
Integrating Advanced Authentication and Authorization Techniques; Implementing Cryptographic Techniques
What is the three-level hierarchy used for XACML?
- Rules (define action permissions)
- Policies (sets of *rules* used in conjunction)
- PolicySets (group of *policies* used together)
When discussing XACML, define PEP and PDP
Policy Enforcement Point (protects the resource), Policy Decision Point (reviews the request, compares it to policies and provides the answer)
What two kinds of VPNs can you deploy?
Hardware VPN and Software VPN
Define “Advanced Authentication”
A complex process required to authenticate users, grant permissions and control access to resources
What is SPML and what two components make it up?
Service Provisioning Markup Language, used for automating and managing the provisioning of network and organizational resources. Made up of a Requesting Authority, which is a client that creates a request, and a Provisioning Service Point (PSP), which processes the request.
Define Authorization
Process of determining what rights and privileges an entity has, usually after the system has authenticated them. There are three primary types of access control: Discretionary, Mandatory and Role-based.
What is Crossover Error Rate (CER)?
Point at which the FRR & FAR are equal
Explain PEAP
Protected EAP - Encapsulates EAP in TLS
What components make up an XACML rule?
Subject (entity requesting access), Resource (service or application being requested), Action (examples include database reading or writing, file modification)
What are the components of “Kerberos”?
Key Distribution Center (KDC) - trusted third-party authentication service, made up of:
- Authentication Server (AS) - verifies and accepts/rejects tickets
- Ticket Granting Server (TGS) - issues tickets to authorized users
Explain USB OTG
Flash drive storage with a physical interface that can be connected to almost any smartphone
What is “tethering” and what forms does it come in?
Connecting a device to the Internet by leveraging/sharing another device's connection. Can tether by Bluetooth, wired connection and USB.
When talking about “RADIUS”, what is a call back system?
A system that calls back the user at a predefined phone number for added security
What are Kerberos concerns?
Replayed credentials, physical security, single point of failure, length of the keys, encryption process is based on passwords
Define “PAP” and explain why it shouldn’t be used
Password Authentication Protocol transmits credentials in clear text
What is SPML used with?
Security Assertion Markup Language (SAML) and XACML
What port does “Back Orifice” use?
UDP/31337
What is “SMTP” and what port does it use?
Simple Mail Transfer Protocol sends mail from clients and relays mail between servers. It uses TCP/25
What is XACML?
Extensible Access Control Markup Language is an XML-based standard for access control and authorization
Name and explain the 2 biometric error types
- FRR - False Rejection Rate - Valid subject denied
- FAR - False Acceptance Rate - Invalid subject allowed
Explain “RADIUS”
Remote Access Dial-In User Service provides centralized remote access authentication, authorization and auditing.
What is OAuth and what is the latest version?
An authorization standard used by many websites that allows a user to authorize access to a third-party resource without providing the user’s credentials, instead using a token. The current version is 2.0. Example: a Facebook app being allowed access to your Facebook account.
Define “Authentication”
Method of validating the identity of a person or asset
Generally describe a “Remote Assistance” program.
Programs that can be used to provide temporary control of a remote computer over a network or the Internet
What is “Domain Bridging”?
The connecting of two different network connections. Example: a home network and a VPN to the office.
“SPIM” is an acronym for receiving what types of messages?
Spam over Instant Message
IntServ has what three classes?
Guaranteed services, controlled load and best effort.
Name examples of collaboration sites and platforms.
Social media sites, storage and document sites
Define “LDAP”
Lightweight Directory Access Protocol
Define “SSO”
Single sign-on allows a user to authenticate once and then access all of the resources that a user is authorized to use
In relation to VOIP, what is “convergence”?
Running voice over data lines
What is a Trust Model and what types exist?
Defines relationships between authentication services so that they may accept each other’s assertions of users’ IDs and permissions. Two types are hierarchical (one authority that can verify all resources under it) and peer (resources establish a transitive relationship).
Explain the 3 different TACACS types
TACACS - Terminal Access Controller Access-Control System:
- Original - Integrates authentication & authorization
- XTACACS - Allows separation of authentication, authorization and accounting
- TACACS+ - Adds two-factor authentication and uses TCP 49
Explain EAP
Extensible Authentication Protocol - it’s actually a framework for wireless and wired networks
What is “cramming”
Making unauthorized phone charges
What is “slamming”
Switching a user’s long-distance phone carrier without their knowledge
IAAA stands for what?
Identity, Authentication, Authorization, Access (or Audit)
Name the Apple product that is similar to Windows Remote Desktop
Presence
Define “S/MIME”
Secure Multipurpose Internet Mail Extensions
What is “SPIT”?
Spam over Internet Telephony
What is Baseband on a mobile device?
All communication that requires radio transmission.
What protocol was designed to be an improvement over “RADIUS” but isn’t widely accepted yet?
Diameter. Benefits: has failover due to TCP use; mandates IPsec and TLS.
What is “IMAP” and what port does it use?
Internet Message Access Protocol can work with mail remotely without retrieving it from the server. IMAP uses TCP/143
Define “MS-CHAP” and which version is to be used today
Microsoft Challenge Handshake Authentication Protocol is currently running version 2.0 for secure authentication.
What are centralized remote authentication services?
Services that keep the authentication & authorization process for remote clients separate from that of LAN-based clients
List the 3 categories of Authentication
Something you know, something you have, something you are
The 802.1x authentication process involves what 3 roles?
Supplicant (client), Authenticator (switch), Authentication Server (RADIUS server)
What are the terms “slamming” and “cramming” associated with?
Telephony
What is “POP3” and what port does it use?
Post Office Protocol retrieves mail from a mail server and uses TCP/110
Wireless authentication protocol is known as…
802.1x
Define RADIUS and its ports
Remote Access Dial-In User Service UDP 1812 (unsecured) and TCP 2083 (secured)
Outline the Kerberos logon process
1) User provides username and password through a client
2) Client encrypts only the username using AES and transmits it to the KDC
3) KDC verifies the username
4) KDC generates a symmetric key to be used by the client, encrypted with a hash of the user's password, and generates a TGT
5) KDC transmits the encrypted symmetric key and the TGT to the client
6) Client installs the TGT and uses it until expiration
What are two early VPN tunneling protocols you want to avoid?
Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP)
What are “Assertions”?
Claims that a subject will make or provide about their identity.
Define “CHAP” and explain why it shouldn’t be used
Challenge Handshake Authentication Protocol utilizes MD5 and isn’t considered secure
“PGP” stands for?
Pretty Good Privacy
“BO” stands for what early desktop sharing program?
Back Orifice
Describe “Tickets” used by “Kerberos”
Ticket - An encrypted message that provides a form or type of proof. There are 2 types:
- Ticket-Granting Ticket (TGT) - Proof that a subject has been authenticated (passport)
- Service Ticket (ST) - Proof that a subject is authorized (plane ticket)
What does “SPAN” stand for?
Switched Port Analyzer
List the four different OAuth2.0 roles
User, Application, Resource Server, Authorization Server
What are current VPN tunneling protocols you should use?
Layer 2 Tunneling Protocol (L2TP) and IP Security (IPsec)
What are the 3 types of access modes?
Read, read/write, execute
What is eFuse?
Developed by IBM; allows the alteration of chips in real time
Explain LEAP
Lightweight EAP - Cisco proprietary, used in wireless in conjunction with WEP. Shouldn’t be used.
List authentication methods/factors
Token, pin code/password, swipe gesture and biometric
What is SOAP?
Simple Object Access Protocol is a protocol for exchanging structured information and relies on XML
What attack is meant to sidestep a TPM?
A cold boot attack
In relation to access control, explain what Subjects and Objects are
- Subject - User/thing that is requesting access to data
- Object - Data
QoS prioritizes traffic by what two models?
IntServ and DiffServ
Explain the difference between “Jitter” and “Latency”
Jitter is the variation in transmission latency that can cause packet loss. Latency is a delay in the transmission of data packets
Context based authentication is authentication controlled by what factors?
The user's location, time, job role or even behavior
Does VoIP rely on TCP or UDP for call transmission?
UDP
List the 4 different OAuth2.0 grant types
Authorization code (server-side apps), Implicit (used in mobile apps), Resource owner password credentials (typically used if the user trusts the app), Client credentials (typically used when an app needs to access its own service account)
Explain “OEM/carrier Android fragmentation”
A wide variation on the version of Android operating systems in use.
What tool deciphers any voice traffic on the same VLAN?
Voice Over Misconfigured Internet Telephones (VOMIT)
Name federated identity schemes
XACML, SOAP, SSO, Federated Identity, certificate based authentication
Describe “Unified Communications and Collaboration”
All forms of call and multimedia used for personal and business
What term is defined by “proving a user is who they claim they are”?
Authentication
What is the name of the framework where certificates are generated for each user and service, who then use the certificates to authenticate actions?
Certificate-based Authentication Framework
Explain the differences between user-focused and resource-focused attestation
- Resource-focused: An attestation agent will look over each application or system and see which users have which access privileges
- User-focused: Attestation agent monitors the privileges that specific users have
Define “Least Privilege”
Having the ability to do what is needed to complete a task or job, but nothing more
What is Identity Propagation?
The technique of replicating an authenticated identity through various processes in a system
What is Identity Federation?
The practice of linking a single entity across multiple disparate systems
Explain the most common identity federation methods
- SAML
  - XML-based framework
  - Sends assertions over HTTPS
- OpenID
  - Allows a single account for participating sites (log in to Spotify with Facebook credentials)
  - Used with OAuth
- Shibboleth
  - Used in education/public institutions
  - Uses SAML
- Where Are You From (WAYF)
  - Asks where you are from before you are sent to the service provider (e.g. "please choose your country > state > city" when visiting a website)