3.8 Flashcards
(18 cards)
What is a TPM?
-A specification for cryptographic functions
–Hardware to help with all of this encryption
-Cryptographic processor
–Random number generator, key generators
-Persistent memory
–Comes with unique keys burned in during production
-Versatile memory
–Storage keys, hardware configuration information
-Password protected
–Anti-hammering lockout makes dictionary attacks against the TPM impractical
What is a HSM?
-Hardware security module
-High-end cryptographic hardware
–Plug-in card or separate hardware device
-Key backup
–Secured storage
-Cryptographic accelerators
–Offload that CPU overhead from other devices
-Used in large environments
–Clusters, redundant power
What is KBA?
-Knowledge-based authentication
-Use personal knowledge as an authentication factor
–Something you know
-Static KBA
–Pre-configured shared secrets
–Often used with account recovery
–What was the make and model of your first car?
-Dynamic KBA
–Questions are based on an identity verification service
–What was your street number when you lived in blank
What is PAP?
-Password Authentication Protocol
-A basic authentication method
–Used in legacy OS
–Rare to see singularly used
-PAP is in the clear
–Weak authentication scheme
–Non-encrypted password exchange
–We didn’t require encryption on analog dialup lines
–The application would need to provide any encryption
What is CHAP?
-Challenge-Handshake Authentication Protocol
–The password itself never crosses the network; only a hash derived from it does
-Three-way handshake
–After link is established, server sends a random challenge message
–Client responds with a hash (MD5 in RFC 1994) calculated from the challenge and the password
–Server computes the same hash from its own copy of the secret and compares it with the response
-Challenge-Response continues
–Occurs periodically during the connection, each time with a fresh challenge
–User never knows it happens
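The three-way exchange above, as an added example that is not part of the original flashcards: a client and a minimal authenticator implementing RFC 1994 CHAP with MD5. The shared secret, user name and challenge size are constructed assumptions. Note that the server keeps the plaintext secret and recomputes the expected response per challenge, and that a captured response is useless against the next challenge.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the example (assumption, not from the page).
SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side (RFC 1994 §4.1): Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Minimal authenticator: issues fresh challenges and verifies responses."""

    def __init__(self, secrets: dict, rng=os.urandom):
        self.secrets = secrets          # name -> plaintext secret (CHAP needs it in the clear)
        self.rng = rng
        self.identifier = 0
        self.outstanding = {}           # identifier -> challenge still awaiting a response

    def challenge(self):
        """Step 1: send a Challenge packet carrying a fresh random value."""
        self.identifier = (self.identifier + 1) & 0xFF
        chal = self.rng(16)             # 16 random octets (size is an assumption)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash from the stored secret and compare (Success/Failure)."""
        chal = self.outstanding.pop(identifier, None)   # each challenge is single use
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo_exchange() -> dict:
    """Run one handshake, then show that replay and a wrong secret both fail."""
    server = ChapServer({"alice": SECRET})

    ident, chal = server.challenge()                 # 1. Challenge
    resp = chap_response(ident, SECRET, chal)        # 2. Response
    first = server.verify(ident, "alice", resp)      # 3. Success

    # An eavesdropper replaying the captured response against the next
    # periodic re-challenge gets a Failure: the challenge has changed.
    ident2, _ = server.challenge()
    replay = server.verify(ident2, "alice", resp)

    # A guessed secret produces a different hash for the same challenge.
    ident3, chal3 = server.challenge()
    wrong = server.verify(ident3, "alice", chap_response(ident3, b"guess", chal3))

    return {"first": first, "replay": replay, "wrong_secret": wrong}


if __name__ == "__main__":
    print(demo_exchange())
```

Contrast this with PAP, where the client would simply put the secret itself on the wire; with CHAP an on-path observer sees only the challenge and a 16-byte digest, although an offline dictionary attack on that pair is still possible if the secret is weak.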
What is MS-CHAP?
-Microsoft implementation of CHAP
–Commonly used with Microsoft’s Point-to-Point Tunneling Protocol (PPTP)
–MS-CHAP v2 is the more recent version
-Security issues related to the use of DES
–Relatively easy to brute force the 2^56 possible DES keys and recover the NT (NTLM) hash, which is enough to authenticate as the user
–Don’t use MS-CHAP!
–Consider L2
What is RADIUS?
-Remote Authentication Dial-In User Service
-One of the more common AAA protocols
–Supported on a wide variety of platforms and devices
–Not just for dial-in
-Centralize authentication for users
–Routers, switches, firewalls
–Server authentication
–Remote VPN access
–802.1X network access
-RADIUS services available on almost any server OS
-Runs over UDP
–Authentication on port 1812 (current standard) or legacy port 1645
–Accounting on port 1813 (legacy 1646)
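Because RADIUS is the AAA protocol the rest of this set keeps pointing back to (802.1X, VPN, network devices), here is an added example that is not part of the original flashcards: the wire format of an Access-Request and the Access-Accept/Reject that answers it, per RFC 2865. It shows why the shared secret matters even though the transport is plain UDP: the User-Password attribute is hidden with an MD5 keystream derived from the secret, and the client checks the Response Authenticator with the same secret. The shared secret, user database and Request Authenticator values are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed for the example (assumptions, not from the page).
SHARED_SECRET = b"radius-shared-secret"
RADIUS_AUTH_PORT = 1812          # UDP; 1645 is the legacy authentication port

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 §5.2: pad to 16-octet blocks, XOR each block with MD5(secret + previous)."""
    pad = -len(password) % 16
    padded = password + b"\x00" * (pad if password else 16)
    out, prev = b"", req_auth                    # first keystream block keyed by Request Authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c                                 # chaining: next block keyed by previous ciphertext
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side inverse of hide_password (anyone holding the secret can do this)."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs = {}
    while data:
        attr_type, length = data[0], data[1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[2:length]
        data = data[length:]
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, req_auth: bytes = None) -> bytes:
    """NAS/client side: Code(1) Identifier Length Request-Authenticator(16) Attributes."""
    req_auth = req_auth or os.urandom(16)        # must be unpredictable per request
    attrs = attr(ATTR_USER_NAME, username)
    attrs += attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and user in users and hmac.compare_digest(users[user], pw)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + b"" + secret).digest()
    return header + resp_auth


def client_verify_response(response: bytes, req_auth: bytes, secret: bytes):
    """Client side: returns (authenticator_valid, response_code)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth), response[0]


if __name__ == "__main__":
    ra = os.urandom(16)
    pkt = build_access_request(7, b"alice", b"pw", SHARED_SECRET, ra)
    reply = server_handle(pkt, SHARED_SECRET, {b"alice": b"pw"})
    print(client_verify_response(reply, ra, SHARED_SECRET))   # (True, 2) = Access-Accept
```

The MD5-based hiding is obfuscation keyed by the shared secret, not authenticated encryption, which is why RADIUS traffic should itself be protected (IPsec, or RADIUS over TLS) and why the secret must be long and random.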
What is TACACS?
-Terminal Access Controller Access-Control system
–Remote Authentication protocol
–Created to control access to dial-up lines to ARPANET
-XTACACS (Extended TACACS)
–A Cisco-created (proprietary) version of TACACS
–Additional support for accounting and auditing
-TACACS+
–The latest version of TACACS, not backwards compatible
–More authentication requests and response codes
–Released as an open standard in 1993; formally documented in RFC 8907 (2020)
–Encrypts the whole packet body, not just the password, and separates authentication, authorization and accounting
- Port # - TCP 49 (TCP 389 is LDAP, not TACACS+)
What is Kerberos?
-Network authentication protocol
–Authenticate once, trusted by the system
–No need to re-authenticate to everything
–Mutual authentication - the client and the server
–Protect against on-path or replay attacks
-Standard since the 1980s
–Developed by the Massachusetts Institute of Technology (MIT)
-Microsoft started using Kerberos in Windows 2000
–Based on the Kerberos version 5 open standard (RFC 4120)
–Compatible with other OS and devices
What is IEEE 802.1X?
-IEEE 802.1X
–Port-based Network Access Control (NAC)
–You don’t get access to the network until you authenticate
-EAP integrates with 802.1X
–Extensible Authentication Protocol
–802.1X prevents access to the network until the authentication succeeds
-Used in conjunction with an access database
–RADIUS, LDAP, TACACS+
What is a federation?
-Provide network access to others
–Not just employees - Partners, suppliers, customers, etc.
–Provides SSO and more
-Third-Parties can establish a federated network
–Authenticate and authorize between the two organizations
–Login with your Facebook credentials
-The third-parties must establish a trust relationship
–And the degree of the trust
What is SAML?
-Security Assertion Markup Language
-Open standard for authentication and authorization
–You can authenticate through a third-party to gain access
–One standard does it all, sort of
-Not originally designed for mobile apps
–This has been SAML’s largest roadblock
What is OAuth?
-Authorization framework
–Determines what resources a user will be able to access
-Created by Twitter, Google, and many others
–Significant industry support
-Not an authentication protocol
–OpenID Connect handles the single sign-on authentication
–OAuth provides authorization between applications
-Relatively popular
–Used by Twitter, Google, Facebook, LinkedIn and more
What is MAC (access control)?
- Mandatory Access Control
-The operating system limits the operation on an object
–Based on security clearance levels
-Every object gets a label
–Confidential, secret, top secret, etc.
-Labeling of objects uses predefined rules
–The administrator decides who gets access to what security level
–Users cannot change these settings
What is DAC (access control)?
-Discretionary access control
-Used in most OS
–A familiar access control model
-You create a spreadsheet
–As the owner, you control who has access
–You can modify access at any time
-Very flexible access control
–And very weak security
What is RBAC (access control)?
-Role-Based access control
-You have a role in your organization
–Manager, director, team lead, project manager
-Administrators provide access based on the role of the user
–Rights are gained implicitly instead of explicitly
-In Windows, use groups to provide role-based access control
–You are in shipping and receiving, so you can use the shipping software
–You are the manager, so you can review shipping logs
What is ABAC (access control)?
-Attribute-based access control
-Users can have complex relationships to applications and data
–Access may be based on many different criteria
-ABAC can consider many parameters
–A “next generation” authorization model
–Aware of context
-Combine and evaluate multiple parameters
–Resource information, IP address, time of day, desired action, relationship to the data, etc.
What is Rule-based access control?
-Generic term for following rules
–Conditions other than who you are
-Access is determined through system-enforced rules
–System administrators, not users
-The rule is associated with the object
–System checks the ACLs for that object
-Rule examples
–Lab network access is only available between 9am and 5pm
–Only Chrome browsers may complete this web form
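To make the differences between the five access control cards (MAC, DAC, RBAC, ABAC and rule-based) concrete, here is an added example that is not part of the original flashcards: one request type evaluated by a toy policy decision point for each model. The subjects, objects, clearances, roles, ACLs and rules are constructed assumptions. The MAC check follows Bell-LaPadula (no read up, no write down); the ABAC/rule-based check evaluates context attributes such as time of day and source network in a fixed order and reports which rule denied.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    subject: str
    action: str                   # "read", "write" or "use"
    obj: str
    src_ip: str = "10.1.2.3"      # constructed context attributes (assumptions)
    hour: int = 10


# MAC: the OS labels every object and clears every subject; owners cannot change this.
# Bell-LaPadula: read only at or below your clearance, write only at or above it.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
CLEARANCE = {"alice": "secret", "bob": "confidential"}
LABEL = {"war-plan.doc": "top secret", "memo.txt": "confidential", "lab-notes.txt": "secret"}


def mac_decide(req: Request) -> bool:
    subj = LEVELS[CLEARANCE[req.subject]]
    obj = LEVELS[LABEL[req.obj]]
    if req.action == "read":
        return subj >= obj        # no read up
    if req.action == "write":
        return subj <= obj        # no write down (*-property)
    return False


# DAC: the object's owner keeps an ACL and may change it at any time.
ACL = {"memo.txt": {"owner": "bob", "read": {"bob"}, "write": {"bob"}}}


def dac_decide(req: Request) -> bool:
    entry = ACL.get(req.obj)
    return entry is not None and req.subject in entry.get(req.action, set())


def dac_grant(by: str, obj: str, action: str, to: str) -> bool:
    """Only the owner may edit the ACL; returns False for anyone else."""
    entry = ACL.get(obj)
    if entry is None or entry["owner"] != by:
        return False
    entry.setdefault(action, set()).add(to)
    return True


# RBAC: permissions hang off roles; a user gains them implicitly through membership.
ROLES = {"alice": {"manager"}, "bob": {"shipping"}}
ROLE_PERMS = {
    "shipping": {("use", "shipping-app")},
    "manager": {("use", "shipping-app"), ("read", "shipping-logs")},
}


def rbac_decide(req: Request) -> bool:
    return any((req.action, req.obj) in ROLE_PERMS.get(role, set())
               for role in ROLES.get(req.subject, set()))


# ABAC / rule-based: system-enforced rules over subject, object and context attributes.
RULES = [
    ("business-hours", lambda r: 9 <= r.hour < 17),
    ("lab-network", lambda r: ipaddress.ip_address(r.src_ip) in ipaddress.ip_network("10.0.0.0/8")),
    ("owner-or-role", lambda r: rbac_decide(r) or dac_decide(r)),
]


def abac_decide(req: Request):
    """Evaluate rules in order; return (allowed, name of the first rule that denied or None)."""
    for name, rule in RULES:
        if not rule(req):
            return False, name
    return True, None


if __name__ == "__main__":
    r = Request("alice", "read", "shipping-logs", hour=20)
    print(rbac_decide(r), abac_decide(r))   # role allows it, but the time-of-day rule denies
```

The point the models share is the separation of policy from mechanism: the same request object is fed to each decision function, and only the source of the policy changes (system labels, the object's owner, an administrator's role table, or rules over attributes).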