Sec+ Chapter 08: Identity and Access Management Flashcards
(47 cards)
Common ways to assert or claim an identity
1) Username: The most commonly used means of claiming an identity. Remember: associated with an identity, not an authentication factor itself
2) Certs: Stored on a system or paired with a storage device or security token
3) Tokens: A physical device that might generate a code, plug in via USB, or connect via Bluetooth to present a cert or other info
4) SSH keys: Cryptographic representations of identity that replace a username and password
5) Smartcards: Cards that use an embedded chip. Both contactless and physical chip reader-capable cards as well as hybrid cards are broadly deployed, and cryptographic smartcards can generate key pairs on the card itself
EAP
Extensible authentication protocol
An authentication framework that’s commonly used for wireless network authentication. Many implementations exist that use the EAP framework, including vendor-specific and open methods like EAP-TLS, LEAP, and EAP-TTLS
Each of these protocols implements EAP messages using the protocol’s messaging standards
CHAP
Challenge handshake authentication protocol
An encrypted challenge sent across the network, which provides more security than PAP
CHAP uses an encrypted challenge and 3 way handshake:
1) After the link is established, the server sends a challenge message
2) Client sends combined challenge message and password hash back to server
3) Server evaluates the password and challenge to see if it matches what’s expected
This occurs at the beginning of the process, but also periodically during the connection
MS-CHAP
Microsoft’s own version of CHAP, commonly used with point to point tunneling protocol (PPTP)
It’s been largely replaced because it uses DES for encryption, which is super weak and makes it easy to brute force keys during the connection
Don’t use it or v2
Use L2TP, IPsec, 802.1x
PAP
Password authentication protocol
A password-centric authentication protocol that was commonly used with point to point protocol (PPP) to authenticate users
Almost nobody uses PAP anymore because it’s been replaced by CHAP and EAP. PAP sends unencrypted passwords YIKES
802.1X
An IEEE standard for NAC, also called port based NAC, and used for authentication for devices that want to connect to a network
User tries to connect, 802.1x stops the connection and asks for credentials
User provides credentials
Checked with databases on the back end for proper access
If authenticates properly, they can access the network
802.1x can prevent people from accessing the network until they’ve gone through this specific authentication method
Common to see this used with wireless or wired authentication, and is integrated with EAP
Used in conjunction with RADIUS, LDAP, TACACS+, or other authentication servers
RADIUS
Remote authentication dial-in user service
One of the most common AAA systems for network devices, wireless networks, and WAN/LAN, etc
Centralize authentication for users, if they’re logging into the network, VPN concentrator, or authenticating to switch or router, they can use RADIUS
Sends passwords obfuscated by a shared secret and MD5 hash (aka, not great security)
Traffic between RADIUS network access server and RADIUS server is usually encrypted with IPsec tunnels or other protections
AAA
Authentication, authorization, and accounting
In these systems, users must first authenticate with user and pass
The system then allows them to perform actions they’re authorized to by policies or permissions settings
Accounting tracks the resource utilization like time, bandwidth, or CPU use
TACACS+
Terminal access controller access control system plus
A remote authentication protocol
A Cisco designed an extension called XTACACS (extended) which provided additional support for accounting and auditing
Today, it’s TACTACS+ which uses TCP traffic to provide AAA services as well as full-packet encryption and granular command controls, allowing individual commands to be secured as needed
Kerberos
A more complex but robust authentication method that can use SSO
Authenticate once and then be trusted by the system, no need to reauthenticate to everything
Also provides mutual authentication which means you authenticate to the server and it to you so both sides know exactly who they’re talking to
Protects against MITM and replay attacks
Kerberos authentication flow
The cryptography used in Kerberos is referred to as a cryptographic ticket
When you authenticate to a KDC (ticket granting service / key distribution center which is your centralized authentication server), it gives you a service ticket
Instead of putting in a username and password every time you access a resource, you show the service ticket to a device which recognizes you’re authenticated by the KDC, then provides access to services
SAML
Security assertion markup language
An XML based open standard for exchanging authentication and authorization for users to access third party resources
User accesses an application URL
The site sees we haven’t authenticated, sends back a signed and encrypted SAML request and asks us to send it to the authorization server
We communicate to the authorization server with our login credentials and the SAML request
If it’s correct, authorization server sends us a successful notification and SAML token
We present the SAML token to the third party website, and it gives access to the service
Good for federated environments, but not great for mobile apps which means we’ll likely see it decline in the coming years
OpenID Connect
Works in conjunction with OAuth
Provides all the authentication functionality to access third party apps while OAuth determines what types of data that app can access
EX: Log in with Google options on websites
OAuth
A framework that allows us to control what types of resources a third party app can access
Unlike SAML, OAuth is used in conjunction with OpenID connect which provides the authentication functionality
EX: Zoom wants to access your Google Calendar, and this will allow Zoom to…
SSO
Single sign on
Allows a user to log in with a single identity and then use multiple systems or services without reauthenticating. SSO systems provide significant advantages because it simplifies user interactions with authentication and authorization systems.
But they require a trade-off in the number of identity-based security boundaries that are in place.
Commonly implemented using LDAP and Kerberos in Windows domains or Linux infrastructures. SAML for web apps and federated services.
IdP
Identity provider
Manages the life cycle of digital identities from creation through maintenance to retirement of the identity in the systems and services it supports.
Often part of federated identity deployments, where they’re paired with relying parties which trust the IdP to handle authentication and then rely on that to grant access to services
Terms used in federated environments
1) The principal: typically, a user
2) IdPs: Identity providers who provide identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be
3) SPs: Service providers who provide services to users whose identities have been attested to by an identity provider
LDAP
Lightweight directory access protocol
Directory services
Used in networks to provide info about systems, users, and other information about an org
LDAP is a type of directory service that’s commonly deployed as part of an identity management infrastructure and offers hierarchically organized info about the org
Frequently used to make an organizational directory for email and other contact info available
MFA
Multifactor authentication
Becoming a default option for security-conscious orgs
7 Types of MFA factors
1) Something you know, including passwords, PINs, or answers to security questions
2) Something you have, like your phone, a smartcard, USB or Bluetooth token, or item in your possession like a Titan security key
3) Something you are, which relies on a physical characteristic of the person who is authenticating themselves. Fingerprints, retina scans, voice prints, and even typing speed are all options
4) Somewhere you are, based on your current location. GPS, network location, etc to ensure only users who are in a specific location can authenticate
5) Something you can do, like picture password features in Windows or gesture authentication on Android phones
6) Something you exhibit, like a behavior pattern or similar characteristic. Typically a form of the something you are factor like typing speed
7) Someone you know, which can include trust relationships from others
One-time passwords
A form of second-factor authentication. Important in fighting password theft and password-based attacks.
Attackers might obtain a one-time password, but they can’t continue using it.
TOTP
Time based one time passwords
Uses an algo to derive a one-time password using the current time as part of the code-generation process.
EX: Authenticator apps use TOTP
TOKEN KEY is how sec+ calls it on the exam
HOTP
HMAC-based one time password
HMAC = Hash-based message authentication codes
You have a number you use once, and that number is thrown away and never used again
Uses a seed value that both the token or HOTP code-generation app and the validation server use, as well as a moving factor
EX: PayPal token
TOKEN KEY is how sec+ calls it on the exam
