Chapter 4
Explain The Simple Object Access Protocol (SOAP)
Has minimal set of conventions for invoking code using XML over HTTP. It enables applications to request services from one another with XML-based requests and receive responses as data formatted with XML
____ is the most widely used application that implements an automated key distribution approach
Kerberos
The ____ resides on the Kerberos master computer system, which should be kept in a physically secure room
Kerberos database
What is Kerberos?
A key distribution and user authentication service developed at MIT
Explain Permanent Key
A permanent key is a key used between entities for the purpose of distributing session keys
What is Message Authentication?
A procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic
Explain Kerberos Principal
A service or user that is known to the Kerberos system
Explain WS-Security
A set of SOAP extensions for implementing message integrity and confidentiality in Web services. It assigns security tokens to each message for use in authentication
What is Kerberos Realm?
A set of managed nodes that share the same Kerberos database
Principal names consists of ____ parts
three
In most computer security contexts, ____ is the fundamental building block and the primary line of defense
user authentication
In NIST SP 800-63-2, the initial requirement for performing user authentication is that the...
user must be registered with the system
Anyone needing this user's public key can obtain the certificate and verify that it is...
valid by way of the attached trusted signature
Each certificate includes a period of ____
validity
Explain Security Assertion Markup Language (SAML)
An XML-based language for the exchange of security information between online business partners. It conveys authentication information in the form of assertions about subjects
What is the focus of identity management?
Defining an identity for each user (human or process), associating attributes with the identity, and enforcing a means by which a user can verify identity
Explain Certificate management protocols (CMP)
Designed to be a flexible protocol able to accommodate a variety of technical, operational, and business models
One of the major roles of public-key encryption is to address the problem of ____
key distribution
The ____ determines which systems are allowed to communicate with each other. When permission is granted for two systems to establish a connection, the key distribution center provides a one-time session key for that connection
key distribution center (KDC)
Changing or accessing the contents of a Kerberos database requires the Kerberos ____
master password
For ____ authentication, the most important methods involve cryptographic keys and something the individual knows, such as a password
network-based user
A typical item of authentication information associated with a user ID is a ____
password
Because certificates are unforgeable, they can be...
placed in a directory without the need for the directory to make special efforts to protect them
Each Kerberos principal is identified by its ____
principal name
A ____ of the Kerberos database might also reside on other Kerberos computer systems
read-only copy
Federated identity management refers to...
the agreements, standards, and technologies that enable the portability of identities, identity attributes, and entitlements across multiple enterprises and numerous applications and supports many thousands, even millions, of users
Typically a new certificate is issued just before...
the expiration of the old one
The automated key distribution approach provides...
the flexibility and dynamic characteristics needed to allow a number of users to access a number of servers and for the servers to exchange data with each other
Explain Kerberos Version 4
- A basic third-party authentication scheme - Authentication Server (AS) - Ticket Granting Server (TGS) - Complex protocol using DES
Symmetric key distribution can be achieved in a number of ways. For two parties A and B, there are the following options:
1. A key could be selected by A and physically delivered to B. 2. A third party could select the key and physically deliver it to A and B. 3. If A and B have previously and recently used a key, one party could transmit the new key to the other, using the old key to encrypt the new key. 4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
What is the typical sequence for registration in NIST SP 800-63-2?
1. An applicant applies to a registration authority (RA) to become a subscriber of a credential service provider (CSP). In this model, the RA is a trusted entity that establishes and vouches for the identity of an applicant to a CSP 2. The CSP then engages in an exchange with the subscriber. Depending on the details of the overall authentication system, the CSP issues some sort of electronic credential to the subscriber. The credential is a data structure that authoritatively binds an identity and additional attributes to a token possessed by a subscriber, and can be verified when presented to the verifier in an authentication transaction 3. The token could be an encryption key or an encrypted password that identifies the subscriber. The token may be issued by the CSP, generated directly by the subscriber, or provided by a third party. The token and credential may be used in subsequent authentication events 4. Once a user is registered as a subscriber, the actual authentication process can take place between the subscriber and one or more systems that perform authentication and, subsequently, authorization. The party to be authenticated is called a claimant and the party verifying that identity is called a verifier 5. When a claimant successfully demonstrates possession and control of a token to a verifier through an authentication protocol, the verifier can verify that the claimant is the subscriber named in the corresponding credential. The verifier passes on an assertion about the identity of the subscriber to the relying party (RP). That assertion includes identity information about a subscriber, such as the subscriber name, an identifier assigned at registration, or other subscriber attributes that were verified in the registration process 6. The RP can use the authenticated information provided by the verifier to make access control or authorization decisions
User certificates generated by a CA have the following characteristics:
1. Any user with access to the public key of the CA can verify the user public key that was certified 2. No party other than the certification authority can modify the certificate without this being detected
Principal elements of an identity management system:
1. Authentication 2. Authorization3 3. Accounting 4. Provisioning 5. Workflow automation 6. Delegated administration 7. Password synchronization 8. Self-service password reset 9. Federation
What are some Alternative Management Protocols:
1. Certificate management protocols (CMP) 2. Certificate management messages over CMS (CMC)
RFC 4949 (Internet Security Glossary) contains a process that consists of 2 steps:
1. Identification Step 2. Verification Step
Functions that potentially need to be supported by management protocols:
1. Registration 2. Initialization 3. Certification 4. Key pair recovery 5. Key pair update 6. Revocation request 7. Cross certification
There are four general means of authenticating a user's identity, which can be used alone or in combination:
1. Something the individual knows 2. Something the individual possesses 3. Something the individual is (static biometrics) 4. Something the individual does (dynamic biometrics)
List some Standards
1. The Extensible Markup Language (XML) 2. The Simple Object Access Protocol (SOAP) 3. WS-Security 4. Security Assertion Markup Language (SAML)
There are two distinct aspects to the use of public-key encryption int his regard:
1. The distribution of public keys 2. The use of public-key encryption to distribute secret keys
It may be desirable on occasion to revoke a certificate before it expires for one of the following reasons:
1. The user's private key is assumed to be compromised 2. The user is no longer certified by this CA; reasons for this include subject's name has changed, the certificate is superseded, or the certificate was not issued in conformance with the CA's policies 3. The CA's certificate is assumed to be compromised
In general terms, the operation of a KDC proceeds as follows:
1. When host A wishes to set up a connection to host B, it transmits a connection-request packet to the KDC. The communication between A and the KDC is encrypted using a primary key shared only by A and the KDC. 2. If the KDC approves the connection request, it generates a unique one-time session key. It encrypts the session key using the permanent key it shares with A and delivers the encrypted session key to A. Similarly, it encrypts the session key using the permanent key it shares with B and delivers the encrypted session key to B. 3. A and B can now set up a logical connection and exchange messages and data, all encrypted using the temporary session key.
What is Identity Mangement?
A centralized, automated approach to provide enterprise wide access to resources by employees and other authorized individuals
Explain The Extensible Markup Language (XML)
Appear similar to HTML documents that are visible as Web pages, but provide greater functionality. It includes strict definitions of the data type of each field. Additionally, it provides encoding rules for commands that are used to transfer and update data objects
The problem that Kerberos addresses is this:
Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network. We would like for servers to be able to restrict access to authorized users and to be able to authenticate requests for service. In this environment, a workstation cannot be trusted to identify its users correctly to network services. In particular, the following three threats exist: 1. A user may gain access to a particular workstation and pretend to be another user operating from that workstation. 2. A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation. 3. A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
Explain how either "A key could be selected by A and physically delivered to B" and "A third party could select the key and physically deliver it to A and B" could be used to achieve symmetric key encryption
Call for manual delivery of a key. For link encryption, this is a reasonable requirement, because each link encryption device is only going to be exchanging data with its partner on the other end of the link. However, for end-to-end encryption over a network, manual delivery is awkward. In a distributed system, any given host or terminal may need to engage in exchanges with many other hosts and terminals over time. Thus, each device needs a number of keys supplied dynamically. The problem is especially difficult in a wide-area distributed system
____ is the use of single sign-on (SSO) which enables a user to access all network resources after a single authentication
Central concept
Explain Public-key certificate
Consists of a public key plus a user ID of the key owner, with the whole block signed by a trusted third party. Typically, the third party is a certificate authority (CA) that is trusted by the user community, such as a government agency or a financial institution. A user can present his or her public key to the authority in a secure manner and obtain a certificate. The user can then publish the certificate
____ may restrict the types of certificates that can be issued by the subject CA or that may occur subsequently in a certification chain
Constraints
What are the differences between versions 4 and 5 of Kerberos?
Environmental shortcomings: Encryption system dependence, Internet protocol dependence, Message byte ordering, Ticket lifetime, Authentication forwarding, Interrealm authentication Technical deficiencies: Double encryption, PCBC encryption, Session keys, Password attacks
Explain Something the individual knows
Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions
Explain Something the individual possesses
Examples include cryptographic keys, electronic keycards, smart cards, and physical keys. This type of authenticator is referred to as a token
Explain Something the individual is (static biometrics)
Examples include recognition by fingerprint, retina, and face
Explain Something the individual does (dynamic biometrics)
Examples include recognition by voice pattern, handwriting characteristics, and typing rhythm
____ support alternative names, in alternative formats, for a certificate subject or certificate issuer and can convey additional information about the certificate subject to increase a certificate user's confidence that the certificate subject is a particular person or entity
Extensions
Explain how "If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B" could be used to achieve symmetric key encryption
For option 4, two kinds of keys are used: Session key and Permanent key. It should be noted that a necessary element of this option is a key distribution center (KDC)
____ is, in essence, an extension of identity management to multiple security domains
Identity federation
What is the difference between identification and user authentication?
In essence, identification is the means by which a user provides a claimed identity to the system; user authentication is the means of establishing the validity of the claim
Explain Certificate management messages over CMS (CMC)
Is built on earlier work and is intended to leverage existing implementations
Explain NIST SP 800-63-2 (Electronic Authentication Guideline, August 2013)
It defines electronic user authentication as the process of establishing confidence in user identities that are presented electronically to an information system. Systems can use the authenticated identity to determine if the authenticated individual is authorized to perform particular functions, such as database transactions or access to system resources. In many cases, the authentication and transaction or other authorized function take place across an open network such as the Internet. Equally, authentication and subsequent authorization can take place locally, such as across a local area network
Explain how "If A and B have previously and recently used a key, one party could transmit the new key to the other, using the old key to encrypt the new key" could be used to achieve symmetric key encryption
It is a possibility for either link encryption or end-to-end encryption, but if an attacker ever succeeds in gaining access to one key, then all subsequent keys are revealed. Even if frequent changes are made to the link encryption keys, these should be done manually. To provide keys for end-to-end encryption, option 4 is preferable
Explain the Identification Step
Presenting an identifier to the security system. (Identifiers should be assigned carefully, because authenticated identities are the basis for other security services, such as access control service)
Explain the Verification Step
Presenting or generating authentication information that corroborates the binding between the entity and the identifier
____ defines user authentication as the process of verifying an identity claimed by or for a system entity
RFC 4949 (Internet Security Glossary)
In X.509 certificates, the standard does not dictate the use of a specific algorithm but recommends ____
RSA
Explain Identity Mapping
The federated identity management protocols map identities and attributes of a user in one domain to the requirements of another domain
How does symmetric encryption work?
The two parties to an exchange must share the same key, and that key must be protected from access by others. Furthermore, frequent key changes are usually desirable to limit the amount of data compromised if an attacker learns the key. Therefore, the strength of any cryptographic system rests with the "key distribution technique," a term that refers to the means of delivering a key to two parties that wish to exchange data, without allowing others to see the key
Another key function of federated identity management is ____
identity mapping
In a Kerberos realm, all changes to the database must be made on the master computer system (T/F)
True
User authentication is the basis for most types of access control and for user accountability (T/F)
True
Explain Authentication Server (AS)
Users initially negotiate with AS to identify self. AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
Explain Ticket Granting Server (TGS)
Users subsequently request access to other services from TGS on basis of users TGT
Kerberos ____ [MILL88, STEI88] implementations still exist, although this version is being phased out
Version 4
What are the 2 versions of Kerberos in use?
Version 4 and 5
Kerberos ____ [KOHL94] corrects some of the security deficiencies of version 4 and has been issued as a proposed Internet Standard (RFC 4120)
Version 5
Explain Session Key
When two end systems (hosts, terminals, etc.) wish to communicate, they establish a logical connection (e.g., virtual circuit). For the duration of that logical connection, called a session, all user data are encrypted with a one-time session key. At the conclusion of the session the session key is destroyed
ITU-T recommendation X.509 is part of the ____ series of recommendations that define a directory service
X.500
____ defines a framework for the provision of authentication services by the X.500 directory to its users
X.509
____ defines alternative authentication protocols based on the use of public-key certificates
X.509
A ____ is a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements
certificate policy
Extensions allow constraint specifications to be included in...
certificates issued for CAs by other CAs
Regarding X.509 Certificates, the ____ may serve as a repository of public-key certificates
directory
____ convey additional information about the subject and issuer keys, plus indicators of certificate policy
extensions
