Chapter 13 Managing Identity and Authentication Flashcards

1
Q

What is identification?

A

The process of a subject claiming or professing an identity. A subject must provide an identity to begin the authentication, authorization, and accounting process. Could involve typing a username, swiping a smartcard, speaking a phrase, or providing a body part for biometrics.

2
Q

What is authentication?

A

Verifying a subject’s identity by comparing one or more factors against a database of valid identities. This information needs to be protected (i.e., hashed).

Identification and authentication occur together as a two-step process.

Each authentication technique has benefits and drawbacks, and so each mechanism should be evaluated based on the environment where it is being deployed.

3
Q

What is the difference between subjects and objects?

A

Access control is more than controlling which users can access which files or services. It is about the relationship between entities. Access is the transfer of information from an object to a subject.

–Subject is an active entity that accesses a passive object to receive information from, or data about, an object. Subjects can be users, programs, processes, services, computers, or anything that can access a resource. When authorized, subjects can modify objects.

–Objects are passive entities that provide information to active subjects. These include files, databases, computers, programs, processes, services, printers, and storage media.

Can think of subjects as users and files as objects. However, subjects are more than users and objects are more than files.

Some things can be both an object and a subject. The key is that the subject is always the active entity that receives information about, or data from, a passive object. Example: when a user queries a web application to retrieve a web page, the application is an object. However, the application becomes the subject when it queries the user’s computer to retrieve a cookie.

4
Q

What are authorization, accountability, and auditing?

A

Authorization is granting access to objects based on proven identities. Indicates who is trusted to perform an operation.

Accountability is holding users and other subjects accountable for their actions via auditing, logging, and monitoring. Accountability requires identification and authentication but not authorization.

Auditing tracks subjects and records when they access objects, creating an audit trail in one or more logs.

Audit logs also provide nonrepudiation.

5
Q

What are authentication factors?

A

Primary:

Something you know: Memorized secrets. Aka Type 1 authentication factor.
Something you have: Physical devices such as smartcards, hardware tokens, memory cards, or USB drives. Aka Type 2 authentication factor.
Something you are: Biometrics. Aka Type 3 authentication factor.

Secondary:

Somewhere you are: Based on use of a specific computer, an IP address, or a phone number.
Somewhere you are not: Use of geolocation to detect suspicious activity.

Context-aware authentication: MDM can look at location, time of day, and mobile device.
Something you do: Gestures or finger swipes.

6
Q

What does NIST say about passwords? What about PCI DSS?

A

There is NIST SP 800-63B and PCI DSS.

NIST says:
–Passwords should never be stored or transmitted in cleartext
–Passwords should not expire
–Users should not be required to use special characters
–Users should be able to copy and paste passwords, so they can use password managers
–Users should be able to use all characters
–Length should be 8 to 64 characters
–Password systems should screen for commonly used passwords

PCI DSS says:
–Passwords expire at least every 90 days
–Should be at least seven characters long

7
Q

What is a smart card?

A

Credit card-sized device with an integrated circuit chip. Usually has a microprocessor and one or more certificates.

8
Q

What is a token?

A

Password-generating device that users carry with them. Generally shows a six- to eight-digit token. An authentication server stores the details of the token, so that at any moment, it knows what number is displayed.

Synchronous dynamic password tokens are time-based and synchronized with an authentication server. They generate a PIN periodically, typically every 30-60 seconds. This requires both the token and server to have an accurate time. A common way to do this is by requiring a user to enter a username, static password, and/or PIN.

An asynchronous dynamic password token does not use a clock. Instead, the token generates PINs based on an algorithm and an incrementing counter. When using the counter, it creates a dynamic one-time PIN that remains valid until actually used. Some create a one-time PIN when you enter a PIN into the authentication server.

Some organizations use the same concept but do so with software running on a user device, such as the Symantec VIP Access app.

9
Q

What are fingerprints?

A

Visible patterns on the fingers and thumbs. Have loops, whorls, ridges, and bifurcations (aka minutiae). Usually takes less than a minute to register.

10
Q

What are face scans?

A

Use the geometric patterns of faces for detection and recognition.

11
Q

What are retina scans?

A

Focus on the pattern of blood vessels at the back of the eye. Most accurate form of biometric authentication, but can reveal medical conditions, and require the user to be three inches away.

12
Q

What are iris scans?

A

Focus on the colored area around the pupils. Second-most accurate, and can be done from 6-12 meters away, but lighting, glasses, and contact lenses can fool them.

13
Q

What are palm scans?

A

Use near-infrared light to measure vein patterns in the palm. Nearly as unique as fingerprints.

14
Q

What is voice pattern recognition?

A

User speaks a specific phrase, which is recorded by the authentication system. Do not use them alone.

Not the same thing as speech recognition. Voice pattern recognition differentiates between voices for identification and authentication, while speech recognition differentiates between words in any person’s voice.

15
Q

What are Biometric Factor Error Ratings?

A

False rejection rate: The ratio of false rejections to valid authentications. Type 1 error.

False acceptance rate: The ratio of false positives to valid authentications. Type 2 error.

The crossover error rate is when the FRR and FAR percentages are equal.

16
Q

What is biometric registration?

A

Biometric devices can be ineffective due to factors known as enrollment time, throughput rate, and acceptance. For a biometric device to work, enrollment must occur. A subject’s biometric factor is sampled and stored. The stored sample is the reference profile/template.

The time required to scan and store a factor depends on which physical or performance characteristic is measured. Users don’t want to wait; two minutes is probably the max.

Throughput rate is the time needed to scan a subject and approve or deny access. The more complex the biometric characteristic, the longer it takes. Subjects typically accept a max of six seconds.

17
Q

What is the HOTP?

A

HMAC-based One Time Password.

18
Q

What is the TOTP?

A

Time-based One-Time Password.

19
Q

What is LDAP?

A

A directory service is a centralized database that includes information about subjects and objects, including authentication data. Many directory services are based on Lightweight Directory Access Protocol (LDAP). AD is LDAP-based. LDAP is like a telephone directory for network services and assets. Users, clients, and processes can search it to find where a system or resource resides. They must first authenticate, and they can only see certain information based on privileges.

Multiple domains and trusts are commonly used in access control systems. A security domain is a collection of subjects and objects that share a common security policy, and individual domains can operate separately from other domains. Trusts are established between domains to create a security bridge and allow users in one domain to access another domain’s resources.

20
Q

What is federated identity management?

A

SSO is common on internal networks and is also used on the Internet with third-party cloud services. Cloud-based applications use federated identity management (FIM), which is a form of SSO.

Identity management is the management of user identities and their credentials. A federated identity links a user’s identity in one system with multiple IDMs.

FIM extends this beyond a single organization. Multiple organizations can join a federation or group, where they agree to share identity information. Users in each organization can log on once, and their credentials are matched with a federated identity. They can then use this identity to access resources in any other organization within the group.

A federation can be composed of multiple networks within a single university campus, numerous college campuses, multiple organizations sharing resources, or any other group that can agree on a common federated identity management system. Members of the federation match user identities within an organization to federated identities.

Membership in the federation doesn’t automatically grant access to everything. Each organization decides what to share.

A challenge is finding a common language. Typical federated identity management systems include SAML, OAuth, and OpenID Connect (OIDC).

21
Q

What is just in time provisioning?

A

Solutions create a relationship between two entities so that new users can access resources. Does not require administrator intervention. Example: I log into Deloitte’s network. I access a third-party benefits provider. The first time I do, the JIT system exchanges data with Deloitte and creates an account. They typically use SAML.