AAA Security - Authentication - Certificates, LDAP, RADIUS
Mutual authentication
A security mechanism that requires that each party in a communication verify its identity.
There are many implementations of LDAP servers, like
Active Directory from Microsoft and OpenLDAP as an open-source implementation.
All clients that are using certificate authentication would also need to have the
CA certificate in their certificate trust store.
Distinguished Name, or DN.
Every entry in the directory has a distinguished name (DN). The DN is the name that uniquely identifies an entry in the directory.
LDAP
Lightweight Directory Access Protocol
Certificates have two dates that need to be verified:
not valid before, and not valid after.
In LDAP language, we call these folders
Organizational Units, or OUs.
Data Information Tree
The tree structure that LDAP uses
Organizational Units
They let us group related objects into units, like people or groups, to distinguish between individual user accounts and the groups that accounts can belong to. An OU is a subdivision within an Active Directory into which you can place users, groups, computers, and other organizational units.
Revocation list, or CRL
This is a signed list published by the CA which defines certificates that have been explicitly revoked.
When a client authenticates to a RADIUS server, the client will present authentication credentials to
a NAS, or Network Access Server, which will relay the credentials to the RADIUS server.
Possession of the private key is verified through
a challenge-response mechanism.
Coming back to our file system analogy, you can think of a DN as
a full path to a file as opposed to a file name. This is because you can have multiple files with the same file name across a file system, but the fully qualified path to the file describes one unique file.
A challenge-response mechanism is where the server requests
a randomized bit of data to be signed using the private key corresponding to the public key presented for authentication.
Client certificates
A server (website) has a client generate a keypair for authentication purposes. The private key, the heart of an SSL certificate, is kept by the client instead of the server; it's stored in the browser. These operate very similarly to server certificates but are presented by clients and allow servers to authenticate and verify clients.
Once the RADIUS server has evaluated the user authentication request, it replies with one of three messages:
access reject, access challenge, or access accept.
So what kind of data gets stored in a directory entry, exactly?
An entry for a particular user will contain information pertaining to that user account, like their first and last name, phone number, desk location, email address, login shell, and other such data.
Certificates
are public keys that are signed by a certificate authority, or CA, as a sign of trust.
TLS server certificates
are small data files that encapsulate information about the server that owns the certificate.
The LDAP tree structure also allows for inheritance and nesting of objects, where
attributes or properties of a parent object can be inherited by children further down the tree.
LDAP is most commonly used as a backend for
authentication of accounts.
When an ID is presented, the ID is checked to see if it was issued by an
authority that is trusted by the verifier.
RADIUS was originally designed to transport authentication information for remote dial-up users. It has evolved to
carry a wide variety of standard authentication protocols like EAP, or Extensible Authentication Protocol.
It's not uncommon for VPN systems or enterprise Wi-Fi setups to use
client certificates for authentication.
If we don't prove possession of the corresponding private key, there's nothing stopping an attacker from
copying the certificate, since it's not considered secret, and pretending to be the owner.
One last step that's performed as part of the authentication server verification process is to prove possession of the
corresponding private key, since the certificate is a signed public key.
You can think of a directory like a database, but with more
details or attributes, describing entities within the database.
Clients who want to authenticate to a RADIUS server don't
directly interact with it.
RADIUS servers can verify user authentication information stored in a
flat file or can plug into external sources like SQL databases, LDAP, Kerberos or Active Directory.
Another common operation that can be called by a client to interact with an LDAP server is search,
which performs lookups and retrieval of records.
The structure of an LDAP directory is a sort of tree layout and is optimized
for retrieval of data more so than writing.
Some of the more common operations that can be called by a client to interact with an LDAP server are bind, which is
how clients authenticate to the server,
RADIUS or Remote Authentication Dial-In User Service,
is a protocol that provides AAA services for users on a network. It's a very common protocol used to manage access to internal networks, WiFi networks, email services and VPN services.
Certificate-Based Authentication
is a scheme that uses public key cryptography and a digital certificate to authenticate a user. ... The server then confirms the validity of the digital signature and whether the certificate has been issued by a trusted certificate authority.
Not valid after
is a straightforward expiration date, after which the certificate is no longer valid.
LDAP, or Lightweight Directory Access Protocol,
is an open industry-standard protocol for accessing and maintaining directory services.
Not valid before
checks whether the certificate is valid yet, since it's possible for certificates to be issued for future use.
Because LDAP uses a tree structure called a Data Information Tree, objects will have
one parent and can have one or more children that belong to the parent object.
The folder an object belongs to will provide information about that object because of its relationship to the
parent object.
Directories can be hosted across lots of different LDAP servers to facilitate more
rapid lookups, and are kept in sync through replication of the directory.
The certificate will be checked against a
revocation list, or CRL.
The data information tree can be looked at as a file system, with the
root file system and folders under that.
In order to issue client certificates, an organization must
set up and maintain CA infrastructure to issue and sign certificates.
When we say directory services, we're referring to
something similar to a phone or email directory.
Mutual authentication is a positive because...
the client can verify that it's talking to the real authentication server and not an impersonator.
The LDAP specification describes the data structure of
the directory itself, and defines functions for interacting with the service, like performing lookups and modifying data.
Part of certificate authentication also involves the client authenticating
the server, giving us mutual authentication.
Along with object attributes, the location of an entry within the overall data structure will represent information pertaining
to the objects, such as relationships between objects.
Since it is possible for entries in the directory to share attributes, there must be a
unique identifier for each entry.
The client having a certificate authority certificate in its certificate trust store establishes trust with the CA and allows the client to
verify it's talking to the real server when trying to authenticate.
After the NAS, or Network Access Server, relays the client's credentials to the RADIUS server, the RADIUS server will then
verify the credentials using a configured authentication scheme.
Another common operation that can be called by a client to interact with an LDAP server is add/delete/modify,
which are various operations to write data to the directory.
Another common operation that can be called by a client to interact with an LDAP server is unbind,
which closes the connection to the LDAP server.
Another common operation that can be called by a client to interact with an LDAP server is StartTLS,
which permits a client to communicate using LDAP v3 over TLS.