Lesson 7: Implementing Authentication Controls


authorization

The process of determining what rights and privileges a particular entity has.

token

A physical or virtual item that contains authentication and/or authorization data, commonly used in multifactor authentication.

EAPoL (Extensible Authentication Protocol over LAN)

A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.

AAA (authentication, authorization, and accounting)

A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.

IAM (identity and access management)

A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.

Kerberos

A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.

IEEE 802.1X

A standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.

RADIUS (Remote Authentication Dial-in User Service)

A standard protocol used to manage remote and wireless authentication infrastructures.

PNAC (port-based network access control)

A switch (or router) that performs some sort of authentication of the attached device before activating the port.

masked attack

A type of brute-force password cracking that uses placeholders for predictable values based on typical user behavior when it comes to designing passwords.

dictionary attack

A type of password attack that compares encrypted passwords against a predetermined list of possible password values.

brute force attack

A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.

OTP (one-time password)

A password that is generated for use in one specific session and becomes invalid after the session ends.

authenticator

A PNAC switch or router that activates EAPoL and passes a supplicant's authentication data to an authenticating server, such as a RADIUS server.

NTLM authentication (NT LAN Manager authentication)

A challenge-response authentication protocol created by Microsoft for use in its products.

key fob

A chip implanted in a plastic fob. The chip can store authentication data (such as a digital certificate) that can be read when put in proximity with a suitable scanner. Another use for fobs is to generate a one-time password, valid for a couple of minutes only and mathematically linked to a code generated on a server.

What is a RADIUS client?

A device or server that accepts user connections, often referred to as a network access server (NAS) or as the authenticator. Using RADIUS architecture, the client does not need to be able to perform authentication itself; it performs pass-thru to an AAA server.

smart card

A device similar to a credit card that can store authentication information, such as a user's private key, on an embedded microchip.

You are providing consultancy to a firm to help them implement smart card authentication to on-premises networks and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?

A hardware security module (HSM) is optimized for this role and so presents a smaller attack surface. It is designed to be tamper-evident to mitigate against insider threat risks. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.

Why might a PIN be a particularly weak type of 'something-you-know' authentication?

A long personal identification number (PIN) is difficult for users to remember, but a short PIN is easy to crack. A PIN can only be used safely where the number of sequential authentication attempts can be strictly limited.

authentication

A method of validating a particular entity's or individual's unique credentials.

What is EAPoL?

A network access server that supports 802.1X port-based access control can enable a port but allow only the transfer of Extensible Authentication Protocol over LAN (EAPoL) traffic. This allows the supplicant and authentication server to perform the authentication process, with the network access server acting as a pass-thru.

How does OTP protect against password guessing or sniffing attacks?

A one-time password mechanism generates a token that is valid only for a short period (usually 60 seconds), before it changes again.

TACACS+ (Terminal Access Controller Access Control System Plus)

An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.

HOTP (HMAC-based One-time Password)

An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.

HSM (hardware security module)

An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

hybrid password attack

An attack that uses multiple attack methods, such as dictionary and brute force attacks, when trying to crack a password.

MFA (multifactor authentication)

An authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.

SSO (single sign-on)

An authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

TOTP (Time-based One-time Password)

An improvement on HOTP that forces one-time passwords to expire after a short period of time.

OATH (Initiative for Open Authentication)

An industry body comprising the main PKI providers, such as Verisign and Entrust, that was established with the aim of developing an open, strong authentication framework.

How is a fingerprint reader typically implemented as hardware?

As a capacitive cell.

CHAP (Challenge Handshake Authentication Protocol)

Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.

What is the difference between authorization and authentication?

Authorization means granting the account that has been configured for the user on the computer system the right to make use of a resource. Authorization manages the privileges granted on the resource. Authentication protects the validity of the user account by testing that the person accessing that account is who they claim to be.

FAR (false acceptance rate)

Biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access.

FRR (false rejection rate)

Biometric assessment metric that measures the number of valid subjects who are denied access.

fingerprint scanner

Biometric authentication device that can produce a template signature of a user's fingerprint then subsequently compare the template to the digit submitted for authentication.

crossover error rate

Biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance.

gait analysis

Biometric mechanism that identifies a subject based on movement pattern.

password spraying

Brute force attack in which multiple user accounts are tested with a dictionary of common passwords.

credential stuffing

Brute force attack in which stolen user account names and passwords are tested against multiple websites.

EAP (Extensible Authentication Protocol)

Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.

hashcat

Command-line tool used to perform brute force and dictionary attacks against password hashes.

KDC (key distribution center)

Component of Kerberos that authenticates users and issues tickets (tokens).

Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?

Error rates (false acceptance and false rejection), throughput, and whether users will accept the technology or reject it as too intrusive or threatening to privacy.

True or false? An account requiring a password, PIN, and smart card is an example of three-factor authentication.

False—Three-factor authentication also includes a biometric-, behavioral-, or location-based element. The password and PIN elements are the same factor (something you know).

True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication.

False—only the KDC verifies the user credential. The Ticket Granting Service (TGS) sends the user's account details (SID) to the target application for authorization (allocation of permissions), not authentication.

What two ways can biometric technologies be used other than for logon authentication?

For identification based on biometric features and in continuous authentication mechanisms.

PAM (pluggable authentication module)

Framework for implementing authentication providers in Linux.

MSCHAP (Microsoft Challenge Handshake Authentication Protocol)

Implementation of CHAP created by Microsoft for use in its products.

supplicant

In EAP architecture, the device requesting access to the network.

TGT (ticket granting ticket)

In Kerberos, a token issued to an authenticated account to allow access to authorized application servers.

Which type of eye recognition is easier to perform: retinal or iris scanning?

Iris scans are simpler.

Which network access control framework supports smart cards?

Local logon providers, such as Kerberos, support smart cards, but this is not network access control as the device has already been allowed on the network. The IEEE 802.1X framework means that network access servers (switches, access points, and VPN gateways) can accept Extensible Authentication Protocol (EAP) credentials, but block any other type of network access. They act as pass-thru for an authentication server, which stores and validates the credentials. Some EAP types support smart card or machine authentication.

password sniffing

Monitoring network transmissions for user credentials sent as cleartext or as cryptographic hashes.

A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?

No. This is security by obscurity. The file could probably be easily discovered using search tools.

PIN (personal identification number)

Number used in conjunction with authentication devices such as smart cards; as the PIN should be known only to the user, loss of the smart card should not represent a security risk.

PAP (Password Authentication Protocol)

Obsolete authentication mechanism used with PPP. PAP transfers the password in plaintext and so is vulnerable to eavesdropping.

In what scenario would PAP be considered a secure authentication method?

PAP is a legacy protocol that cannot be considered secure because it transmits plaintext ASCII passwords and has no cryptographic protection. The only way to ensure the security of PAP is to ensure that the endpoints establish a secure tunnel (using IPSec, for instance).

password cracking

Password guessing software can attempt to crack captured hashes of user credentials by running through all possible combinations (brute force). This can be made less computationally intensive by using a dictionary of standard words or phrases.

What steps should be taken to enroll a new employee on a domain network?

Perform checks to confirm the user's identity, issue authentication credentials securely, assign appropriate permissions/privileges to the account, and ensure accounting mechanisms to audit the user's activity.

biometric authentication

Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition.

Which property of a plaintext password is most effective at defeating a brute-force attack?

The length of the password. If the password does not have any complexity (if it is just two dictionary words, for instance), it may still be vulnerable to a dictionary-based attack. A long password may still be vulnerable if the output space is small or if the mechanism used to hash the password is faulty (LM hashes being one example).

identification

The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.

rainbow table

Tool for speeding up attacks against Windows passwords by precomputing possible hashes.

accounting

Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.

True or false? When implementing smart card logon, the user's private key is stored on the smart card.

True. The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material.

What methods can be used to implement location-based authentication?

You can query the location service running on a device or use geolocation by IP address. You can also derive location from the network connection, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.

