3.8 Authentication and Authorization Solutions

Question 1

• Hardware-based authentication
– Something you have
• Helps prevent unauthorized logins and
account takeovers
– The key must be present to login
• Doesn’t replace other factors
– Passwords are still important

Answer 1

Password keys

Question 2

• Password managers
– All passwords in one location
– A database of credentials
• Secure storage
– All credentials are encrypted
– Cloud-based synchronization options
• Create unique passwords
– Passwords are not the same across sites
• Personal and enterprise options
– Corporate access

Answer 2

Password vaults

Question 3

• A specification for cryptographic functions
– Hardware to help with all of this encryption stuff
• Cryptographic processor
– Random number generator, key generators
• Persistent memory
– Comes with unique keys burned in
during production
• Versatile memory
– Storage keys, hardware configuration information
• Password protected
– No dictionary attacks

Answer 3

Trusted Platform Module (TPM)

Question 4

• High-end cryptographic hardware
– Plug-in card or separate hardware device
• Key backup
– Secured storage
• Cryptographic accelerators
– Offload that CPU overhead from other devices
• Used in large environments
– Clusters, redundant powers

Answer 4

Hardware Security Module (HSM)

Question 5

• Use personal knowledge as an authentication factor
– Something you know
• Static KBA
– Pre-configured shared secrets
– Often used with account recovery
– What was the make and model of your first car?
• Dynamic KBA
– Questions are based on an identity verification service
– What was your street number when you lived in
Pembroke Pines, Florida?

Answer 5

Knowledge-based authentication (KBA)

Question 6

• A basic authentication method
– Used in legacy operating systems
– Rare to see singularly used
• PAP is in the clear
– Weak authentication scheme
– Non-encrypted password exchange
– We didn’t require encryption on analog dialup lines
– The application would need to provide any encryption

Answer 6

PAP (Password Authentication Protocol)

Question 7

• Challenge-Handshake Authentication Protocol
– Encrypted challenge sent over the network
• Three-way handshake
– After link is established, server sends a challenge
– Client responds with a password hash calculated
from the challenge and the password
– Server compares received hash with stored hash
• Challenge-Response continues
– Occurs periodically during the connection
– User never knows it happens

Answer 7

CHAP

Question 8

• Microsoft’s implementation of CHAP
– Used commonly on Microsoft’s
– Point-to-Point Tunneling Protocol (PPTP)
– MS-CHAP v2 is the more recent version
• Security issues related to the use of DES
– Relatively easy to brute force the 256 possible keys to
decrypt the NTLM hash
– Don’t use MS-CHAP!
– Consider L2TP, IPsec, 802.1X or some other secure
authentication method

Answer 8

MS-CHAP

Question 9

• One of the more common AAA protocols
– Supported on a wide variety of platforms and devices
– Not just for dial-in
• Centralize authentication for users
– Routers, switches, firewalls, server authentication,
remote VPN access, 802.1X network access
• RADIUS services available on almost any server OS

Answer 9

RADIUS (Remote Authentication Dial-in User Service)

Question 10

• Terminal Access Controller
– Access-Control System
– Remote authentication protocol
– Created to control access to dial-up lines to ARPANET
• XTACACS (Extended TACACS)
– A Cisco-created (proprietary) version of TACACS
– Additional support for accounting and auditing
• TACACS+
– The latest version of TACACS, not backwards
compatible
– More authentication requests and response codes
– Released as an open standard in 1993

Answer 10

TACACS

Question 11

• Network authentication protocol
– Authenticate once, trusted by the system
– No need to re-authenticate to everything
– Mutual authentication - the client and the server
– Protect against on-path or replay attacks
• Standard since the 1980s
– Developed by the Massachusetts Institute of
Technology (MIT)
• Microsoft starting using Kerberos in Windows 2000
– Based on Kerberos 5.0 open standard
– Compatible with other operating systems and devices

Answer 11

Kerberos

Question 12

• Authenticate one time
– Lots of backend ticketing
– Cryptographic tickets
• No constant username and password input!
– Save time
• Only works with Kerberos
– Not everything is Kerberos-friendly
• There are many other SSO methods
– Smart-cards, SAML, etc.

Answer 12

SSO with Kerberos

Question 13

• Three different ways to communicate to an
authentication server
– More than a simple login process
• Often determined by what is at hand
– VPN concentrator can talk to a RADIUS server
– We have a RADIUS server
• TACACS+
– Probably a Cisco device
• Kerberos
– Probably a Microsoft network

Answer 13

RADIUS, TACACS+, or Kerberos?

Question 14

• IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network until you
authenticate
• EAP integrates with 802.1X
– Extensible Authentication Protocol
– 802.1X prevents access to the network until the
authentication succeeds
• Used in conjunction with an access database
– RADIUS, LDAP, TACACS+

Answer 14

IEEE 802.1X

Question 15

• Provide network access to others
– Not just employees - Partners, suppliers, customers, etc.
– Provides SSO and more
• Third-parties can establish a federated network
– Authenticate and authorize between the two
organizations
– Login with your Facebook credentials
• The third-parties must establish a trust relationship
– And the degree of the trust

Answer 15

Federation

Question 16

• Open standard for authentication and authorization
– You can authenticate through a third-party to gain access
– One standard does it all, sort of
• Not originally designed for mobile apps
– This has been SAML’s largest roadblock

Answer 16

Security Assertion Markup Language (SAML)

Question 17

• Authorization framework
– Determines what resources a user will be
able to access
• Created by Twitter, Google, and many others
– Significant industry support
• Not an authentication protocol
– OpenID Connect handles the single sign-on
authentication
– OAuth provides authorization
between applications
• Relatively popular
– Used by Twitter, Google, Facebook,
– LinkedIn, and more

Answer 17

OAuth

Question 18

• Authorization
– The process of ensuring only authorized
rights are exercised
• Policy enforcement
– The process of determining rights
• Policy definition
• Users receive rights based on
– Access Control models
– Different business needs or mission requirements

Answer 18

Access control

Question 19

• The operating system limits the operation on an object
– Based on security clearance levels
• Every object gets a label
– Confidential, secret, top secret, etc.
• Labeling of objects uses predefined rules
– The administrator decides who gets access to
what security level
– Users cannot change these settings

Answer 19

Mandatory Access Control (MAC)

Question 20

• Used in most operating systems
– A familiar access control model
• You create a spreadsheet
– As the owner, you control who has access
– You can modify access at any time
• Very flexible access control
– And very weak security

Answer 20

Discretionary Access Control (DAC)

Question 21

• You have a role in your organization
– Manager, director, team lead, project manager
• Administrators provide access based on the role
of the user
– Rights are gained implicitly instead of explicitly
• In Windows, use Groups to provide role-based
access control
– You are in shipping and receiving, so you can
use the shipping software
– You are the manager, so you can review shipping logs

Answer 21

Role-based access control (RBAC)

Question 22

• Users can have complex relationships to
applications and data
– Access may be based on many different criteria
• ABAC can consider many parameters
– A “next generation” authorization model
– Aware of context
• Combine and evaluate multiple parameters
– Resource information, IP address, time of day, desired
action, relationship to the data, etc.

Answer 22

Attribute-based access control (ABAC)

Question 23

• Generic term for following rules
– Conditions other than who you are
• Access is determined through system-enforced rules
– System administrators, not users
• The rule is associated with the object
– System checks the ACLs for that object
• Rule examples
– Lab network access is only available between 9 and 5
– Only Chrome browsers may complete this web form

Answer 23

Rule-based access control

Question 24

• Store files and access them
– Hard drive, SSDs, flash drives, DVDs, part of most OSs
• Accessing information
– Access control list
– Group/user rights and permissions
– Can be centrally administered and/or users can
manage files they own
• The file system handles encryption and decryption

Answer 24

File system security

Question 25

• Difficult to apply old methods of authentication to new
methods of working
– Mobile workforce, many different devices,
constantly changing cloud
• Conditions
– Employee or partner, location, type of
application accessed, device
• Controls
– Allow or block, require MFA, provide limited access,
require password reset
• Administrators can build complex access rules
– Complete control over data access

Answer 25

Conditional access

Question 26

• Managing superuser access
– Administrator and Root
– You don’t want this in the wrong hands
• Store privileged accounts in a digital vault
– Access is only granted from the vault by request
– These privileges are temporary
• PAM advantages
– Centralized password management
– Enables automation
– Manage access for each user
– Extensive tracking and auditing

Answer 26

Privileged access management (PAM)