Chapter 7: Implementing Authentication Controls
This system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again. In Windows, it is provided by the Kerberos framework.
A single sign-on (SSO)
Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated?
A. A user accesses a system by having their face scanned. A face scan is a biometric, that is, a "something you are" authentication factor. Facial recognition is a physiological biometric (it measures a physical characteristic); behavioral biometrics such as typing rhythm or gait are the ones classified as "something you do."
Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication. (Select all that apply.)
A. Behavioral technologies are cheap to implement, but have a higher error rate than other technologies. D. Behavioral technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase. Behavioral technologies are sometimes classified as "something you do." They are often cheaper to implement than other types of biometric system, but they have a higher error rate. Typing (keystroke dynamics) is an example: the template is based on the speed and pattern with which the user types a passphrase.
Which of the following password cracker attacks are combined to create a typical hybrid password attack? (Select all that apply.)
A. Brute force B. Dictionary A typical hybrid password attack combines a dictionary attack with a brute force attack. A dictionary attack hashes each entry in a predetermined list of likely passwords and compares the result with the captured hash. A brute force attack attempts every possible combination in the key space in order to derive the plaintext password from a hash; the hybrid attack applies that exhaustive search only to small modifications of dictionary words (case changes, numeric prefixes and suffixes).
A security team has just added iris scanners to two access control points in a secure facility. They are in the process of making adjustments to ensure authorized users have access, while unauthorized users cannot get through. Analyze the scenario and determine what metric the team is in the process of fine-tuning.
A. Crossover error rate (CER) Fine-tuning a biometric system means adjusting the match threshold, which trades the false rejection rate (FRR) against the false acceptance rate (FAR): a stricter threshold rejects more authorized users, a looser one admits more impostors. The crossover error rate is the point at which the two rates are equal, and a lower CER indicates a more accurate system.
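Worked example (added here; not part of the original course material): sweeping the match threshold of a biometric system over constructed genuine and impostor similarity scores, computing FAR and FRR at each setting, and locating the crossover point the team above is tuning toward. The score values are invented for illustration.

```python
"""Sweep a biometric match threshold and locate the crossover error rate (CER).

Added example, not from the original text. The match scores are constructed
(0-100 similarity between a presented iris and the enrolled template); a
presentation is accepted when its score is >= the threshold being tuned.
"""

# Constructed sample data, not real sensor output.
GENUINE_SCORES = [91, 88, 84, 79, 76, 73, 70, 68, 65, 61]   # enrolled users
IMPOSTOR_SCORES = [72, 66, 60, 55, 51, 47, 42, 38, 33, 28]  # unauthorized people


def false_acceptance_rate(impostor_scores, threshold):
    """FAR: share of impostor attempts wrongly accepted (false positives)."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold):
    """FRR: share of genuine attempts wrongly rejected (false negatives)."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores, thresholds):
    """(threshold, FAR, FRR) for every candidate threshold."""
    return [
        (t, false_acceptance_rate(impostor_scores, t), false_rejection_rate(genuine_scores, t))
        for t in thresholds
    ]


def crossover_error_rate(genuine_scores, impostor_scores, thresholds=range(0, 101)):
    """Threshold at which FAR and FRR meet (smallest |FAR - FRR|), with both rates."""
    return min(error_curve(genuine_scores, impostor_scores, thresholds),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    t, far, frr = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER at threshold {t}: FAR={far:.2f} FRR={frr:.2f}")
    # Raising the threshold above the CER trades false accepts for false rejects.
    for strict in (t, 73, 80):
        print(strict, false_acceptance_rate(IMPOSTOR_SCORES, strict),
              false_rejection_rate(GENUINE_SCORES, strict))
```

With these scores the rates meet at threshold 66 (FAR = FRR = 0.2); moving the threshold to 73 drives FAR to zero at the cost of rejecting 40% of genuine attempts, which is the trade-off the team has to settle for the two access points.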
Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach?
A. False positive In biometric authentication, a false positive is where an unauthorized person is accepted, which can lead directly to a security breach. The frequency of this error is measured as the False Acceptance Rate (FAR).
When a network uses Extensible Authentication Protocol (EAP) as the authentication method, what access control protocol provides the means for a client to connect from a Virtual Private Network (VPN) gateway?
A. IEEE 802.1X The IEEE 802.1X Port-based Network Access Control (NAC) standard provides the means of using an EAP method when a device connects to a VPN gateway. With 802.1X, the network access server (NAS) device accepting remote connections does not have to store any authentication credentials. It forwards only EAP authentication data between the supplicant requesting remote access and the authentication server (in practice a RADIUS server, which carries EAP natively; TACACS+ is used for device administration rather than as an EAP transport). Full network access is granted only once the supplicant has been authenticated.
A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that's acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.)
A. Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request. C. The Authentication Server (AS) trusts the user's certificate as it was issued by a local certification authority. Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request to an Authentication Server (AS). The AS can place trust when the user's certificate is issued by a local or third-party root certification authority.
Select the explanations that accurately describe the Ticket Granting Ticket (TGT) role within the Authentication Service (AS). (Select all that apply.)
A. The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user's password hash as the key. B. The AS responds with a TGT that contains information about the client. This includes the name and IP address of the client, plus a timestamp and validity period. The Authentication Service (AS) is responsible for authenticating user logon requests. The first step is the client sending the AS a request for a Ticket Granting Ticket (TGT); the pre-authentication data in that request is composed by encrypting the current date and time on the local computer with the user's password hash as the key. If the user is found in the database and the timestamp is valid (within the permitted clock skew), the AS responds with a TGT containing information about the client (name and IP address) plus a timestamp and validity period, encrypted using the KDC's secret key so the client cannot read or alter it, together with a TGS session key encrypted using the user's password hash.
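Worked example (added here; not course material or any real Kerberos implementation): the AS exchange described above, simulated end to end. A toy HMAC-SHA256 keystream with an integrity tag stands in for a real Kerberos encryption type so it runs on the standard library alone; the principal name, password, client address and KDC key are constructed.

```python
"""Kerberos Authentication Service (AS) exchange, simulated end to end.

Added example, not from the original text or any Kerberos implementation.
Real Kerberos uses standard encryption types (AES, RC4) and ASN.1 messages;
here a TOY HMAC-SHA256 keystream plus integrity tag stands in for them.
The principal name, password, address and KDC key are all constructed.
"""
import hashlib
import hmac
import json
import os
import time

MAX_CLOCK_SKEW = 300  # seconds; the KDC rejects pre-authentication older than this


def derive_key(password):
    """User long-term key. Real Kerberos derives it with string2key (e.g. PBKDF2)."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key, obj):
    """TOY authenticated encryption of a dict: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    plaintext = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Reverse of encrypt(); raises ValueError if the key is wrong or data was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: principal database plus the KDC's own secret key."""

    def __init__(self, principals):
        self.kdc_key = os.urandom(32)
        self.principals = principals  # principal name -> long-term key

    def as_exchange(self, as_req, now):
        """AS-REQ in, AS-REP out; raises on any failure."""
        user_key = self.principals.get(as_req["cname"])
        if user_key is None:
            raise PermissionError("unknown principal")
        preauth = decrypt(user_key, as_req["padata"])  # fails if the password is wrong
        if abs(now - preauth["timestamp"]) > MAX_CLOCK_SKEW:
            raise PermissionError("pre-authentication timestamp outside allowed skew")
        session_key = os.urandom(32).hex()
        tgt = encrypt(self.kdc_key, {  # readable only by the KDC itself
            "cname": as_req["cname"], "caddr": as_req["caddr"],
            "session_key": session_key, "issued": now, "valid_for": 36000})
        enc_part = encrypt(user_key, {"session_key": session_key, "valid_for": 36000})
        return {"tgt": tgt, "enc_part": enc_part}


def client_login(kdc, cname, password, caddr, now, clock_offset=0):
    """Build the AS-REQ, submit it and recover the TGS session key and the TGT."""
    user_key = derive_key(password)
    as_req = {"cname": cname, "caddr": caddr,
              "padata": encrypt(user_key, {"timestamp": now + clock_offset})}
    as_rep = kdc.as_exchange(as_req, now)
    session_key = decrypt(user_key, as_rep["enc_part"])["session_key"]
    return session_key, as_rep["tgt"]


def demo():
    """Happy path plus the failure modes a practitioner would test for."""
    kdc = KDC({"alice@EXAMPLE.LOCAL": derive_key("correct horse")})
    now = time.time()
    session_key, tgt = client_login(kdc, "alice@EXAMPLE.LOCAL", "correct horse", "10.0.0.5", now)
    results = {"login_ok": len(session_key) == 64}
    try:  # the client holds the TGT but cannot read it
        decrypt(derive_key("correct horse"), tgt)
        results["tgt_opaque_to_client"] = False
    except ValueError:
        results["tgt_opaque_to_client"] = True
    results["tgt_readable_by_kdc"] = decrypt(kdc.kdc_key, tgt)["cname"] == "alice@EXAMPLE.LOCAL"
    for label, password, offset in (("wrong_password", "Tr0ub4dor", 0),
                                    ("stale_timestamp", "correct horse", -600)):
        try:
            client_login(kdc, "alice@EXAMPLE.LOCAL", password, "10.0.0.5", now, offset)
            results[label + "_rejected"] = False
        except (ValueError, PermissionError):
            results[label + "_rejected"] = True
    return results
```

The two rejections are the ones that matter operationally: a wrong password fails because the pre-authentication blob cannot be decrypted with the stored key, and a stale timestamp fails the skew check, which is why Kerberos clients need their clocks within a few minutes of the KDC.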
An Identity and Account Management (IAM) system has four main processes. What are they?
Authorization, Accounting, Identification, and Authentication.
Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system.
B. A user logs into a system using a Common Access Card (CAC) and PIN. Authentication proves that a subject is who or what it claims to be when it attempts to access the resource. Logging in with a CAC (something you have) and a PIN (something you know) is an example of authentication.
An Identity and Account Management (IAM) system has four main processes. Which of the following is NOT one of the main processes?
C. Integrity Integrity is the fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications. However, it is not part of the IAM system. IAM defines the attributes that comprise an entity's identity. The four processes include Authorization, Accounting, Identification, and Authentication.
Assess the features and processes within biometric authentication to determine which scenario is accurate.
B. A company uses a fingerprint scanner that acts as a sensor module for logging into a system. A sensor module acquires the biometric sample from the target. Examples of a sensor module can be a fingerprint scanner or retina scanner.
Which of the following options represents Two-Factor Authentication (2FA)?
B. A user logs in using a password and a smart card. In Two-Factor Authentication (2FA), a user must possess two of the three authentication types of "something you know", "something you have", or "something you are". Using a password and a smart card would be 2FA since it combines "something you know" (password) with "something you have" (smart card).
Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols' authentication processes, select the true statements. (Select all that apply.)
B. RADIUS uses UDP and TACACS+ uses TCP. C. TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password. D. RADIUS is primarily used for network access and TACACS+ is primarily used for device administration. RADIUS uses UDP, by default port 1812 for authentication and 1813 for accounting, and TACACS+ uses TCP on port 49. TACACS+ encrypts the whole packet body (except the header, which identifies the packet as TACACS+ data), whereas RADIUS only obscures the User-Password attribute, using an MD5-based scheme keyed with the shared secret, and sends every other attribute in clear text. RADIUS is primarily used for network access for a remote user and TACACS+ is primarily used for device administration. TACACS+ provides centralized control for administrators to manage routers, switches, and firewall appliances, as well as user privileges.
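Worked example (added here; not course material): the User-Password hiding that RFC 2865 section 5.2 specifies, which is what "RADIUS only encrypts the password using MD5" refers to. The shared secret, password and Request Authenticator below are constructed. The last function shows the practical caveat: the hiding is only as strong as the shared secret.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2).

Added example, not from the original text; the shared secret, password and
Request Authenticator are constructed. Only the User-Password attribute is
hidden; User-Name, NAS-IP-Address and every other attribute travel in clear.
"""
import hashlib


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, shared_secret, request_authenticator):
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1}), 16 octets at a time."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1-128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")  # null-pad to 16n
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block  # next keystream block chains on the previous ciphertext block
    return out


def reveal_password(hidden, shared_secret, request_authenticator):
    """Server side: undo the hiding; trailing padding nulls are stripped."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(shared_secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def offline_secret_guess(hidden, request_authenticator, known_password, candidates):
    """Why the shared secret matters: anyone who captured an Access-Request and
    knows the password inside it (for instance their own) can test shared-secret
    guesses offline at MD5 speed."""
    for candidate in candidates:
        if reveal_password(hidden, candidate, request_authenticator) == known_password:
            return candidate
    return None
```

Because the Request Authenticator changes per request, the same password hides to a different 16-byte block each time, but that randomness protects nothing once the shared secret is guessed; this is the reason RADIUS between NAS and server is normally confined to a management network or wrapped in IPsec or RadSec (TLS).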
Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods?
B. Retinal scan Biometric authentication based on a retinal scan is the hardest of these methods to fool. Retinal scanning maps the pattern of blood vessels at the back of the eye, whereas an iris scan only uses the surface of the eye.
Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system.
C. A control is set to ensure that billing and primary delivery addresses are valid. Identification controls are set to ensure that customers are legitimate. An example is to ensure that billing and primary delivery addresses are real and valid.
Analyze the types of password cracker attacks to determine which scenario best describes a brute force attack.
C. An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash A brute force attack attempts every possible combination in the key space in order to derive a plaintext password from a hash. For a password, the size of the key space is determined by the character set and the length (for a cryptographic key, by the number of bits), so each extra character multiplies the attacker's work.
A company receives a massive flood of requests which throttles their network traffic to the internet. How would restricting the number of connections be categorized as a vulnerability?
C. The user is exposed to a DoS attack. Saturating a company's connection in and out of the network is a Denial of Service (DoS) attack. The attacker can do this in various ways; one example is to keep trying to connect to an externally facing device. A company can throttle the number of connections to mitigate DoS attacks.
This was also developed as part of PPP as a means of authenticating users over a remote link. It relies on a hashed challenge in a system called a three-way handshake: Challenge -> Response -> Verification. The client's response is an MD5 hash of the challenge combined with the shared secret, so the secret itself never crosses the link. The handshake is repeated with a different challenge message periodically during the connection, which guards against replay attacks.
Challenge Handshake Authentication Protocol (CHAP)
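Worked example (added here; not course material): the CHAP three-way handshake of RFC 1994 with both sides' messages, a replayed response against a fresh challenge, and the attack the handshake does not prevent. The peer name, secret and challenge values are constructed.

```python
"""CHAP three-way handshake (RFC 1994) with both sides' messages, a replay
attempt, and the attack CHAP does not stop. Added example, not from the
original text; the peer name, secret and challenge values are constructed.
"""
import hashlib
import hmac
import os

CHALLENGE, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4  # CHAP packet codes


def chap_response(identifier, secret, challenge):
    """Response value = MD5(Identifier || secret || Challenge); the secret never
    crosses the link, only this hash does."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The access server side: issues challenges and verifies responses."""

    def __init__(self, user_db):
        self.user_db = user_db      # peer name -> shared secret
        self.pending = {}           # identifier -> outstanding challenge
        self.identifier = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)  # unpredictable and never reused
        self.pending[self.identifier] = value
        return {"code": CHALLENGE, "id": self.identifier, "value": value}

    def verify(self, msg):
        challenge = self.pending.pop(msg["id"], None)  # each challenge is single-use
        secret = self.user_db.get(msg["name"])
        if challenge is None or secret is None:
            return {"code": FAILURE, "id": msg["id"]}
        expected = chap_response(msg["id"], secret, challenge)
        ok = hmac.compare_digest(expected, msg["value"])
        return {"code": SUCCESS if ok else FAILURE, "id": msg["id"]}


class Peer:
    """The dial-in / remote client side."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, challenge_msg):
        return {"code": RESPONSE, "id": challenge_msg["id"], "name": self.name,
                "value": chap_response(challenge_msg["id"], self.secret, challenge_msg["value"])}


def offline_crack(identifier, challenge, response, candidates):
    """What CHAP does not protect against: a captured challenge/response pair lets
    an eavesdropper test secret guesses offline at MD5 speed."""
    for guess in candidates:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def demo():
    auth = Authenticator({"alice": b"correct horse"})
    alice = Peer("alice", b"correct horse")
    mallory = Peer("alice", b"wrong guess")  # knows the name, not the secret
    # 1. Challenge -> 2. Response -> 3. Verification
    ch = auth.challenge()
    resp = alice.respond(ch)
    results = {"legit_success": auth.verify(resp)["code"] == SUCCESS}
    # Periodic re-challenge: a captured response re-sent under the new identifier fails
    ch2 = auth.challenge()
    results["replay_rejected"] = auth.verify(dict(resp, id=ch2["id"]))["code"] == FAILURE
    # Re-sending the exact original response: that challenge was already consumed
    results["stale_replay_rejected"] = auth.verify(resp)["code"] == FAILURE
    results["wrong_secret_rejected"] = auth.verify(mallory.respond(auth.challenge()))["code"] == FAILURE
    # ...but a weak secret falls to offline guessing against the captured exchange
    results["offline_guess"] = offline_crack(ch["id"], ch["value"], resp["value"],
                                             [b"password", b"correct horse"]) == b"correct horse"
    return results
```

Replay protection comes entirely from the challenge being fresh and single-use; the offline guessing at the end is why CHAP (and MS-CHAPv2, below) should only run inside an encrypted tunnel when the secret is a human-chosen password.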
Authentication design refers to selecting a technology that meets requirements for
Confidentiality, Integrity, and Availability
Based on the known facts of password attacks, critique the susceptibility of the password "DogHouse23" to an attack.
D. This is an insufficient password. The password contains words that are found in the dictionary and does not contain special characters. "DogHouse23" is two dictionary words with capitalized initials and a short numeric suffix, with no special characters. That is exactly the shape a hybrid attack (dictionary words combined with numeric prefixes and suffixes) is built to recover, so both attributes make the password vulnerable.
Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)?
D. Tokens can be allowed to continue without expiring in HOTP. In HOTP a code stays valid until it is used (the server keeps a counter and accepts the next codes within a look-ahead window), so a code that is captured or read off a token can be replayed later by an attacker. TOTP addresses this by using the current time, divided into fixed steps (typically 30 seconds), as the counter input to the HMAC, so each code automatically expires after a short window of time. This requires the device's and the server's clocks to be reasonably synchronized.
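Worked example (added here; not course material): HOTP and TOTP implemented from RFC 4226 and RFC 6238, with a server-side verifier for each, showing that an HOTP code is accepted however long ago it was generated while a TOTP code from the same secret is refused once its time step has passed. The secret is the RFCs' published test-vector key; the look-ahead window and skew tolerance are illustrative policy choices.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) side by side: an HOTP code stays valid
until it is used, a TOTP code expires with its time step. Added example, not
from the original text; the secret is the RFC test-vector key and the verifier
policies (look-ahead window, clock skew tolerance) are illustrative choices.
"""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, t0=0, digits=6):
    """TOTP is HOTP whose counter is the number of time steps since t0."""
    return hotp(secret, (unix_time - t0) // step, digits)


class HotpVerifier:
    """Server side of HOTP: counter-based, no clock involved."""

    def __init__(self, secret, window=10):
        self.secret, self.counter, self.window = secret, 0, window

    def verify(self, code):
        # Look ahead to resynchronise with a token whose button was pressed unused.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # this and every earlier counter are now burned
                return True
        return False


class TotpVerifier:
    """Server side of TOTP: accepts the current step and +/- skew neighbours."""

    def __init__(self, secret, step=30, skew=1):
        self.secret, self.step, self.skew = secret, step, skew

    def verify(self, code, now):
        current = now // self.step
        return any(hmac.compare_digest(hotp(self.secret, c), code)
                   for c in range(current - self.skew, current + self.skew + 1))


def demo():
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector secret
    results = {"rfc4226_vectors": [hotp(secret, c) for c in range(3)]
               == ["755224", "287082", "359152"]}
    hv = HotpVerifier(secret)
    code5 = hotp(secret, 5)  # generated an hour, or a month, ago: no clock involved
    results["hotp_valid_indefinitely"] = hv.verify(code5)   # still accepted
    results["hotp_replay_rejected"] = not hv.verify(code5)  # but only once
    tv = TotpVerifier(secret)
    code59 = totp(secret, 59)  # RFC 6238 vector 94287082, last six digits 287082
    results["totp_vector"] = code59 == "287082"
    results["totp_fresh_accepted"] = tv.verify(code59, 59)
    results["totp_expired_rejected"] = not tv.verify(code59, 59 + 300)
    return results
```

The HOTP verifier's only defence against a captured code is to burn the counter once it is used, which still leaves the code live for as long as the user does not log in; the TOTP verifier gets expiry for free from the time step but has to tolerate a little clock drift, hence the skew parameter.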
This attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password. The software generates hash values from a dictionary of plaintexts to try to match one to a captured hash.
Dictionary attack
Ways of implementing hardware token keys
A Fast Identity Online (FIDO) Universal Second Factor (U2F) USB token registers a public key with the authentication service. The authentication mechanism then requires a signature from the private key, which is locked to the token and never leaves it; use of the key is authorized with a PIN or fingerprint.
This is a network appliance designed to perform centralized PKI management for a network of devices. This means that it can act as an archive or escrow for keys in case of loss or damage. -designed to be tamper-evident to mitigate the risk of insider threat
Hardware Security Module (HSM)
This attack uses a combination of dictionary and brute-force attacks. It is principally targeted against naively strong passwords. The password cracking algorithm tests dictionary words and names in combination with numeric prefixes and suffixes and simple substitutions.
Hybrid Attack
This is an industry body established with the aim of developing an open, strong authentication framework. Open means a system that any enterprise can link into to perform authentication of users and devices across different networks. Strong means that the system is based not just on passwords, but also on 2- or 3-factor authentication or on 2-step verification. It has developed two algorithms for implementing one-time passwords (OTPs): HOTP and TOTP.
Initiative for Open Authentication (OATH)
This is a single sign-on network authentication and authorization protocol used on many networks, notably as implemented by Microsoft's Active Directory (AD) service. -uses the KDC to vouch for the identity -designed to work over a trusted local network
Kerberos
This is Microsoft's implementation of CHAP. Because of the way it uses vulnerable NTLM hashes, it should not be deployed without the protection of a secure connection tunnel so that the credentials being passed are encrypted.
MS-CHAPv2
This is a password that is generated automatically, rather than being chosen by a user, and used only once. RSA's SecurID token is one popular implementation.
One-time password (OTP)
This is an unsophisticated authentication method developed as part of the Point-to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up connections. HTTP Basic authentication works the same way. The password is exchanged in clear text, so it is obsolete for most purposes, except through an encrypted tunnel.
Password Authentication Protocol (PAP)
This provides authentication, authorization, and accounting using a separate server (the AAA server). It uses UDP over ports 1812 (authentication) and 1813 (accounting), only obscures the password portion of the packet (using MD5 keyed with the shared secret), is primarily used for network access for a remote user, and is an open standard.
RADIUS
These attacks refine the dictionary approach. The attacker uses a precomputed lookup table of password candidates and their matching hashes, so each captured hash is matched by lookup rather than by hashing every candidate again. A per-password random salt defeats precomputation, because the same password no longer hashes to a value in the table.
Rainbow table
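Worked example (added here; not course material) tying together the password-attack cards above: the "DogHouse23" password from the earlier question is hashed, then attacked with a plain dictionary (fails), a hybrid attack (succeeds), and a precomputed hash-to-plaintext table, with a random salt shown as the countermeasure. The wordlist is constructed and deliberately tiny, and unsalted SHA-256 stands in for whatever hash a real capture would contain; a full lookup table is built rather than true rainbow chains.

```python
"""Dictionary, hybrid and precomputed-table attacks against the captured hash
of "DogHouse23", with salting as the countermeasure to precomputation.
Added example, not from the original text. The wordlist is constructed and
tiny; the hash is unsalted SHA-256 to keep the example self-contained.
"""
import hashlib
import itertools
import os

WORDLIST = ["password", "dog", "house", "letmein", "admin"]  # constructed


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist):
    """Hash each plaintext on the list and compare with the captured hash."""
    for word in wordlist:
        if sha256_hex(word) == target_hash:
            return word
    return None


def hybrid_candidates(wordlist, max_digits=2):
    """Dictionary words (and two-word joins) in case variants with numeric
    prefixes/suffixes: the 'naively strong' password shape."""
    def variants(w):
        return (w, w.capitalize(), w.upper())
    bases = list(itertools.chain(
        (v for w in wordlist for v in variants(w)),
        (a + b for w1, w2 in itertools.product(wordlist, repeat=2)
         for a in variants(w1) for b in variants(w2))))
    for base in bases:
        yield base
        for n in range(10 ** max_digits):
            yield f"{base}{n}"
            yield f"{n}{base}"


def hybrid_attack(target_hash, wordlist):
    """Dictionary plus a bounded brute force of digit affixes."""
    for candidate in hybrid_candidates(wordlist):
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def keyspace_size(charset_size, length):
    """Pure brute force has to cover charset_size ** length candidates."""
    return charset_size ** length


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once; every later captured hash is an O(1)
    lookup. (Real rainbow tables store hash chains rather than every pair.)"""
    return {sha256_hex(c): c for c in hybrid_candidates(wordlist)}


def salted_sha256_hex(salt, text):
    """A per-user random salt makes the precomputed table useless."""
    return hashlib.sha256(salt + text.encode()).hexdigest()


def demo():
    captured = sha256_hex("DogHouse23")  # the hash an attacker obtained
    table = build_lookup_table(WORDLIST)
    salt = os.urandom(16)
    return {
        "dictionary": dictionary_attack(captured, WORDLIST),
        "hybrid": hybrid_attack(captured, WORDLIST),
        "brute_force_keyspace": keyspace_size(62, 10),
        "table_lookup": table.get(captured),
        "salted_lookup": table.get(salted_sha256_hex(salt, "DogHouse23")),
    }
```

Against a 62-character alphabet a ten-character password has 62^10 (about 8 x 10^17) candidates for pure brute force, but the hybrid generator above reaches "DogHouse23" in under fifty thousand guesses because it only varies what people actually vary; the salted lookup returning nothing is the whole argument for salted (and slow) password hashing.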
Kerberos authentication cycle
Logon request to the Authentication Service (password or multifactor authentication, such as a smart card) -> the AS issues a Ticket Granting Ticket -> Service request: the client presents the TGT to the Ticket Granting Service, which issues a service ticket -> Present service ticket: the client presents the service ticket to the application server, which verifies it -> data transfer between client and application server.
Authentication factors
Something you know: username, password, PIN
Something you have: smart card, fob
Something you are/do: biometrics
This uses TCP communications (over port 49), and this reliable, connection-oriented delivery makes it easier to detect when a server is down. It is primarily used for device administration. All the data is encrypted (except for the header identifying the packet as TACACS+ data).
TACACS+
Tools for cracking passwords
Windows: Cain & Abel, L0phtCrack. Linux (also Windows and macOS): hashcat.