Chapter 7: Implementing Authentication Controls
This is a single sign-on network authentication and authorization protocol used on many networks, notably as implemented by Microsoft's Active Directory (AD) service. -uses the KDC to vouch for the identity -designed to work over a trusted local network
Kerberos
This is a linux package for enabling different authentication providers, such as smart-card login -The PAM framework can also be used to implement authentication to network servers.
Pluggable authentication module (PAM)
These attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes
Rainbow table
This system allows the user to authenticate once to a local device and be authenticated to compatible application servers without having to enter credentials again. In Windows, it is provided by the Kerberos framework.
A single sign-on (SSO)
Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach? A.) False positive B.) False negative C.) A low Crossover-Error-Rate (CER) D.) A low throughput
A
Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated? A.) A user's keyboard typing behavior is analyzed. B.) A system administrator sets up a user account for a new employee after HR sends employment verification. C.) An administrator sends an initial password to a new telecommuting employee through a VPN. D.) A user is assigned an SID.
A
Which of the following password cracker attacks are combined to create a typical hybrid password attack? (Select all that apply.) A.) Brute force B.) Dictionary C.) Rainbow table D.) PTH
A and B
An Identity and Account Management (IAM) system has four main processes. What are they?
Authorization, Accounting, Identification, and Authentication.
This means that the time taken to authenticate does not impede workflows and is easy enough for users to operate.
Availability
Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system. A.) An account is created that identifies a user on the network. B.) A user logs into a system using a control access card (CAC) and PIN number. C.) An Access Control List (ACL) is updated to allow a new user access to only the databases that are required to perform their job. D.) A report is reviewed that shows every successful and unsuccessful login attempt on a server.
B
Assess the features and processes within biometric authentication to determine which scenario is accurate. A.) A company chooses to use a biometric cryptosystem due to the ease of revocation for a compromised certificate. B.) A company uses a fingerprint scanner that acts as a sensor module for logging into a system. C.) A company uses a fingerprint scanner that acts as a feature extraction module for logging into a system. D.) A company records information from a sample using a sensor module.
B
An Identity and Account Management (IAM) system has four main processes. Which of the following is NOT one of the main processes? A.) Accounting B.) Identification C.) Integrity D.) Authentication
C
Analyze the types of password cracker attacks to determine which scenario best describes a brute force attack. A.) An attacker guesses the password using software that enumerates values in the dictionary B.) An attacker uses a precomputed lookup table of all possible passwords and their matching hashes C.) An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash D.) An attacker tests dictionary words and names in combination with several numeric prefixes
C
Considering how to mitigate password cracking attacks, how would restricting the number of failed logon attempts be categorized as a vulnerability? A.) The user is exposed to a replay attack. B.) The user is exposed to a brute force attack. C.) The user is exposed to a DoS attack. D.) The user is exposed to an offline attack.
C
Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system. A.) A control is set to force a customer to log into their account prior to reviewing and editing orders. B.) A control is set to cancel automatic shipments for any customer that has an expired credit card on file. C.) A control is set to ensure that billing and primary delivery addresses match. D.) A control is set to record the date, time, IP address, customer account number, and order details for each order.
C
This was also developed as part of PPP as a means of authenticating users over a remote link. -relies on an encrypted challenge in a system called a three-way handshake. Challenge-> Response -> Verification -Handshake is repeated with a different challenge message periodically during the connection -guards against replay attacks
Challenge Handshake Authentication Protocol (CHAP)
This in terms of authentication, is critical, because if account credentials are leaked, threat actors can impersonate the account holder and act on the system with whatever rights they have.
Confidentiality
This attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password. The software generates hash values from a dictionary of plaintexts to try to match one to a captured hash.
Dictionary attack
The point at which the false rejection rate and false acceptance rate meet.
Crossover error rate (CER)
Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)? A.) HOTP is not configured with a shared secret. B.) The server is not configured with a counter in HOTP. C.) Only the HOTP server computes the hash. D.)Tokens can be allowed to continue without expiring in HOTP.
D
Based on the known facts of password attacks, critique the susceptibility of the password "DogHouse23" to an attack. A.) This is a sufficient password. It is ten characters and contains uppercase characters, lowercase characters, and numbers. B.) This is an insufficient password. There are not enough uppercase characters within the password. C.) This is a sufficient password. The password is easy for the user to remember yet long enough to meet character requirements. D.) This is an insufficient password. The password contains words that are found in the dictionary and does not contain special characters.
D
Ways of implementing hardware token keys
Fast Identity Online (FIDO) Universal Second Factor (U2F) USB token registers a public key with the authentication service. The authentication mechanism then requires the private key locked to the token, which is authorized using PIN or fingerprint activation
This means that the authentication mechanism is reliable and not easy for threat actors to bypass or trick with counterfeit credentials.
Integrity
This is a password that is generated automatically, rather than being chosen by a user, and used only once. -SecurID token from RSA represents one popular implementation of
One-time password (OTP) i
This is a refinement of the HOTP -automatically expires each token after a short window (60 seconds, for instance).
Time-Based One-Time Password Algorithm (TOTP)
Tools for cracking passwords
linux and windows -Cain -L0phtcrack linux -hashcat
When a network uses Extensible Authentication Protocol (EAP) as the authentication method, what access control protocol provides the means for a client to connect from a Virtual Private Network (VPN) gateway? A.) IEEE802.1X B.) Kerberos C.) Terminal Access Controller Access-Control System Plus (TACACS+) D.) Remote Authentication Dial-in User Service (RADIUS)
A
Select the explanations that accurately describe the Ticket Granting Ticket (TGT) role within the Authentication Service (AS). (Select all that apply.) A.) The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user's password hash as the key. B.) The AS responds with a TGT that contains information about the client, to include name and IP address, plus a timestamp and validity period. C.) The AS responds with a TGT key for use in communications between the client and the Ticket Granting Service (TGS). D.) The TGT responds with a service session key for use between the client and the application server.
A and B
A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that's acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.) A.) Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request. B.) The smart card generates a one-time use Ticket Granting Service (TGS) session key and certificate. C.) The Authentication Server (AS) trusts the user's certificate as it was issued by a local certification authority. D.) The Authentication Server (AS) is able to decrypt the request because it has a matching certificate.
A and C
Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication. (Select all that apply.) A.) Behavioral technologies are cheap to implement but have a higher error rate than other technologies. B.) Signature recognition is popular within this technology because everyone has a unique signature that is difficult to replicate. C.) Obtaining a voice recognition template for behavioral technologies is rather easy and can be obtained quickly. D.) Behavior technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase.
A and D
Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods? A.) Fingerprint scan B.) Retinal scan C.) Facial recognition D.) Voice recognition
B
Which of the following options represents Two-Factor Authentication (2FA)? A.) A user logs in using a password and a PIN. B.) A user logs in using a password and a smart card. C.) A user logs in using a fingerprint and retina scanner. D.) A user logs in using a smart card and a key fob.
B
Both Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols' authentication processes, select the true statements. (Select all that apply.) A.) TACACS+ is open source and RADIUS is a proprietary protocol from Cisco. B.) RADIUS uses UDP and TACACS+ uses TCP. C.) TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password. D.) RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.
B, C and D
This is an algorithm for token-based authentication -The authentication server and client token are configured with the same shared secret. -server is configured with a counter window to cope with the circumstance that the device and server counters move out of sync. -Tokens can persist unexpired, increasing the risk of an attacker obtaining one and decrypting data in the futur
HMAC-based One-time Password Algorithm (HOTP)
This is a network appliance designed to perform centralized PKI management for a network of devices. This means that it can act as an archive or escrow for keys in case of loss or damage. -designed to be tamper-evident to mitigate the risk of insider threat
Hardware Security Module (HSM)
This attack uses a combination of dictionary and brute-force attacks. It is principally targeted against naively strong passwords. The password cracking algorithm tests dictionary words, and names in combination with several numeric prefixes.
Hybrid Attack
This system enables you to define the attributes that make up an entity's identity, such as its purpose, function, security clearance, and more. It is usually described in terms of four main processes: -Identification -Authentication -Authorization -Accounting
Identity and access management (IAM)
This is an industry body established with the aim of developing an open, strong authentication framework. -Open means a system that any enterprise can link into to perform authentication of users and devices across different networks. -Strong means that the system is based not just on passwords, but also on 2- or 3-factor authentication or on 2-step verification. It has developed two algorithms for implementing one time passwords (OTPs).
Initiative for Open Authentication (OATH)
This authentication, using a password or personal identification number (PIN), is the default authentication provider for most operating systems. -It relies on cryptographic hashes
Knowledge-based authentication,
This is Microsoft's implementation of CHAP. Because of the way it uses vulnerable NTLM hashes, it should not be deployed without the protection of a secure connection tunnel so that the credentials being passed are encrypted.
MS-CHAPv2
This authentication technology is considered strong if it combines the use of more than one type of knowledge, ownership, and biometric factor
Multifactor authentication Authentication (MFA)
This attack occurs when an attacker obtains the hash of a user's password and presents the hash (without cracking it) to authenticate to network protocols.
Pass the hash (PTH)
This is an unsophisticated authentication method developed as part of the Point-to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up connections. -basic authentication mechanism in HTTP. -clear text password exchange -obsolete for most purposes, except through an encrypted tunnel
Password Authentication Protocol (PAP)
This provide authentication, authorization, and accounting using a separate server (the AAA server) -uses UDP over ports 1812 -only encrypts the password portion of the packet using MD5 -primarily used for network access for a remote user -open-source protocol,
RADIUS
Kerberos authentication cycle
Service request -Ticket Granting ticket -Ticket granting service -service ticket Present service ticket -service ticket -application server -multifactor authentication -data transfer
Authentication factors
Something You Know -username -password -PIN Something you have -smart card -fob Something you are/do -biometrics
This uses TCP communications (over port 49), and this reliable, connection-oriented delivery makes it easier to detect when a server is down. It is primarily used for device administration All the data is encrypted (except for the header identifying the packet
TACACS+
This compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.
Windows local sign-in—the Local Security Authority (LSA)
This can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT
Windows network sign-in—the LSA
Authentication design refers to selecting a technology that meets requirements for
confidentiality, integrity, and availability