Chapter 10 (Authentication)
What are the authentication factors?
-Something you know -Something you have -Something you are -Somewhere you are -Something you do
How does kerberos authentication work?
1. Client logs onto the network. 2. The Authentication server provides the client with a ticket-granting ticket. 3. The client can then request service from a server on the network. 4. Before getting access, the TGS needs to grant the ticket to the client so the client can access the required server on the network.
What is Microsoft challenge handshake authentication protocol?
A form of the Challenge Handshake Authentication Protocol. It uses the same type of encryption methodology as the parent protocol, but is slightly more secure. The server sends a challenge to the originating host, which must return the user name and an MD-4 hash of the challenge string, the session ID, and the MD-4 hashed password.
What is diameter?
A newer AAA protocol and is designed to replace Radius. D
What is Kerberos?
A popular mutual authentication protocol and is used by default with active directory environments.
What is Implicit deny?
A security concept that relates to authentication by denying anyone access to a system until they are authenticated.
What is Federation?
A term used to authenticate and authorize users across organizations and application boundaries.
What is Trusted OS?
A term used to identify a system that implements multiple layer of security such as authentication and authorization to determine who can access a system and what they can do.
What is TACACS+?
AAA protocol used by cisco networks and supersedes the original TACACS and XTACACS protocols.
What is PAP?
An authentication protocol in which the client authenticates itself to a server by passing the user name and password to it. The server then compares this information to its password store. Because the password is passed in clear text, this is not recommended in an environment where security concerns are an issue
What is Challenge handshake authentication Protocol (CHAP)?
An authentication protocol that uses an encryption algorithm to pass the authentication data to protect it from hackers. Because CHAP is so much more secure than PAP, it is used widely today on the Internet.
What are the authentication methods used in microsoft?
Anonymous authentication Basic Authentication Integrated windows authentication Kerberos
What is Identity Federation?
Authenticating against an identity store in your organization and being authorized to use network services from other organizations.
What is Mutual Authentication?
Authentication scheme that involves both sides of the communication authenticating.
What is AAA?
Authentication, authorization, and Accounting
What is HOTP?
HMAC- based one time password is an HMAC based algorithm used to generate passwords.
What are three major types of token?
Hardware token, Software token, and Logical Token.
What is the difference between identification and authentication?
Idenitification is presenting identifying information such as a username, while authentication is proving you are that person.
What is the disadvantage of SSO?
If the hacker gets access to an account that uses SSO, they can access all of the servers that the account is authorized to.
What is Extensible authentication protocol?
It allows for multiple logon methods such as smartcard logon, certificates, kerberos, and public- key authentication. EAP is also frequently used with RADIUS, which is a central authentication service that can be used by RAS, wireless, or VPN solutions.
What does KDC do?
It's responsible for issuing tickets.
What is TACACS used for?
It's used as an authentication service that ran on Unix system.
What are other authentication protocols?
LDAP Secure LDAP SAML TOTP HOTP Implicit deny Trusted OS Federation Transitive trust
What is LDAP?
Lightweight directory access protocol standard is the internet protocol for accessing and querying a directory. Mostly used in Microsoft active directory.
What are the authentication protocols used by VPN and RAS?
Password Authentication protocol (PAP) Challenge handshake authentication protocol (CHAP) Microsoft challenge handshake authentication protocol (MS-CHAP) MS-CHAPv2 Extensible Authentication Protocol
Why was Radius replaced with Diameter?
Provides more reliable communication than radius because it is TCP based. Diameter has improved upon the services being offered over radius by being a more secure, scalable protocol.
What is Radius?
Radius is a central authentication service that has been popular for many years.
What are the AAA services?
Radius, Diameter, and TACACS+
What is RAS?
Remote access service is a remote access technology that supports point to point connections using PPP as the remote access protocol used by a telephony applications to connect to the ras server.
What is Secure LDAP?
Secure Ldap is the LDAP protocol using SSL over TCP port 636 to encrypt the communication between the client and LDAP system.
What is SAML?
Security Assertion Markup Language is an XML standard that is designed to allow systems to exchange authentication and authorization information. This is often used with identity federation.
What information does a token maintain?
Security identifier Group Security identifier Primary group security identifier Access rights
What Ports and Transport protocol does TACACS use?
TCP and UDP Port:49
What does TACACS stand for?
Terminal Access controller access control system
What is MS-CHAPv2?
The authentication method has been extended to authenticate both the client and the server. MS-CHAPv2 also uses stronger encryption keys than CHAP and MS-CHAP.
What happens in a bio-metric enrollment process?
The bio-metric data is read off of a bio-metric reader. 2. The bio-metric data is converted to a digital representation. 3. The bio-metric data is then run through a mathematical operation, and the results of that operation are stored in a database in a database for authentication to the system.
What is Transitive Trust?
The term associated with allowing access based on a trust model.
What is Logical Token?
The token that is generated at logon that contains the user SID, groups SIDs, the privileges the of the user.
Why is SSO valuable?
The user logs on with one set of credentials and then accesses many different servers, even servers in other organizations.
What is TOTP?
Time-based one time password is an algorithm used by authentication systems that involves passwords being generated based on the current time.
What transport protocol and ports does TACACS+ use?
Transport port: TCP Port: 49
What transport protocol does Radius use?
UDP
What UDP ports does Radius use?
UDP port 1812 for authentication and authorization serivices UDP port 1813 for accounting services
What are the common methods to implement authentication?
User accounts, access tokens, and biometrics.
What is a authentication protocol?
determines how the authentication information is passed from the client to the server.
What is Single Sign-on (SSO)?
he principle that when you authenticate with each different system you access- you authenticate once and then can gain access to multiple systems without authenticating again.
What is Bio-metrics?
the process of authenticating to a system or network by using a physical characteristic of yourself such as a fingerprint, retina scan, or voice recognition.
What is an Access token used for?
used to determine whether a user should be allowed to access a resource or to perform an operating system task.
What is the steps performed by CHAP?
1. The server sends the client a challenge (a key) 2. The client then combines the challenge with the password. Both the users password and the challenge are run through the MD 5 hashing algorithm, which generates a has value, or mathematical answer. The hash value is sent to the server for authentication. 3. The server uses the same key to create a hash value with the password stored on the server and then compares the resulting value with the hash value sent by the client. If the two hash values are the same, the client has supplied the correct password. The benefit is that the users credentials have not been passed across the network at all.