C13 Authentication and Access Control (Lab & ?s)

IPSec (Internet Protocol Security)

A Layer 3 (network layer) authentication and encryption protocol. -defines encryption, authentication, and key management for TCP/IP transmissions. IPSec is an enhancement to IPv4 and is native to IPv6. IPSec is unique among authentication methods in that it adds security information to the header of all IP packets. Dominant authentication and encryption protocol

What are two possible items checked during a posture assessment?

Anti-malware updates, operating system updates, or Windows Registry settings

When utilizing multifactor authentication, which of the following is an example of verifying something you are? A. Smart card B. Password C. Fingerprint D. Certificate

C. A fingerprint is an example of something you are. Other examples include retina scans and facial recognition.

Which authentication standard is highly time sensitive? A. PAP B. RADIUS C. 802.1X D. Kerberos

D. Kerberos - all tickets are timestamped

Which of the following is not a type of public-key encryption? A. Diffie-Hellman algorithm B. RSA Data Security C. Pretty Good Privacy (PGP) D. DES

D. Public Key Encryption is asymmetrical. The Data Encryption Standard (DES) is not a type of public-key encryption (it is symmetrical).

Which of the following is a tunneling protocol? A. Layer 2 Tunneling Protocol (L2TP) B. Internet Protocol Security (IPSec) C. Secure Socket Layer (SSL) / SSL VPN D. All of the above

D. Tunneling is encapsulating one protocol within another protocol to complete a secure transmission. Options A, B, and C are all tunneling protocols you should be aware of, as well as Secure Socket Layer Virtual Private Network (SSL VPN) and Point-to-Point Tunneling Protocol (PPTP).

MD5 Hash

MD5 (Message Digest Algorithm) algorithm is widely used hash producing 128 bit hash value. Has vulnerabilities and used to verify data for integrity.

Kerberos vs MS CHAP

MS-Chap is typically used in PPTP (point to point tunneling protocol) connections, and Kerberos is used for lan logon and access. Kerberos is a ticket based authentication system and MS CHAP is a challenge response mechanism.

Which user-authentication method uses a public key and private key pair?

PKI

Persistent vs Non-Persistent

Persistent agents are installed on each end point before an incident occurs and they are there waiting to be called into action. Some of them play a role in detecting incidents and others are sleeper agents that are largely dormant until needed. Non-persistent agents are installed and run as needed on an endpoint. Installation could be from a USB drive, using a standard IT remote administration tool, or a dedicated incident response tool that uses a non-persistent approach.

PPP

Point-to-Point Protocol Point - to - Point Protocol (PPP) is a communication protocol of the data link layer that is used to transmit multiprotocol data between two directly connected (point-to-point) computers. It is a byte - oriented protocol that is widely used in broadband communications PPP comes in two flavors PAP - password authentication CHAP - challenge handshake authentication protocol

Cryptographic "Hash Function" / a hash

- Cryptographic hashes produce a fixed-size and unique hash value from variable-size transaction input - The SHA-256 (Secure Hash Algorithm) computational algorithm is an example of a cryptographic hash / MD5 is another A function that maps a bit string of arbitrary length to a fixed length bit string. Approved hash functions satisfy the following properties: 1. (One-way) It is computationally infeasible to find any input which maps to any pre-specified output, and 2. (Collision resistant) It is computationally infeasible to find any two distinct inputs that map to the same output.

Name two common methods of PPP (point to point protocol) authentication

1- PAP - Password Authentication Protocol - not safe 2. CHAP - Challenge Handshake Authentication Protocol (MS-CHAP, MS-CHAPv2) only for Windows is the best

Which network access security method is commonly used in wireless network?

802.1X

SHA (Secure Hash Algorithm)

A cryptographic hashing algorithm created to address possible weaknesses in MDA. The current version is SHA-2.

Kerberos Authentication (KDC)

A fairly secure, but also complex and comprehensive, authentication system, default in Windows, version 5. There are three primary elements in a Kerberos system: Client, which is the Kerberos client application representing a principal (computer or user or software application). Target server, provides the service the client wants to access. Key Distribution Center (KDC), handles the distribution of keys and tickets.

Network Control Protocol (NCP)

A part of Point-to-Point protocol (PPP) that encapsulates network traffic. The following NCPs may be used with PPP: IPCP for IP, protocol code number 0x8021, RFC 1332 the OSI Network Layer Control Protocol (OSINLCP) for the various OSI network layer protocols, protocol code number 0x8023, RFC 1377 the AppleTalk Control Protocol (ATCP) for AppleTalk, protocol code number 0x8029, RFC 1378 the Internetwork Packet Exchange Control Protocol (IPXCP) for the Internet Packet Exchange, protocol code number 0x802B, RFC 1552 the DECnet Phase IV Control Protocol (DNCP) for DNA Phase IV Routing protocol (DECnet Phase IV), protocol code number 0x8027, RFC 1762 the NetBIOS Frames Control Protocol (NBFCP) for the NetBIOS Frames protocol (or NetBEUI as it was called before that), protocol code number 0x803F, RFC 2097 the IPv6 Control Protocol (IPV6CP) for IPv6, protocol code number 0x8057, RFC 5072

SFTP (Secure File Transfer Protocol)

A protocol available with the proprietary version of SSH that copies files between hosts securely. Like FTP, SFTP first establishes a connection with a host and then allows a remote user to browse directories, list files, and copy files. Unlike FTP, SFTP encrypts data before transmitting it. TCP 22 (same as SSH and SCP )

SCP (Secure Copy Protocol) (never became popular) FTP still reigns

A protocol that uses SSH to securely copy files between a local and a remote host, or between two remote hosts. Never became popular enough. FTP is still dominant (Ports 20 & 21)

PPPoE (Point-to-Point Protocol over Ethernet)

A protocol used to connect multiple network users on an Ethernet local area network to a remote site through a common device.

CA (Certificate Authority)

A server that can issue digital certificates and the associated public/private key pairs.

Which network utilities does not have the ability to encrypt passwords? (Select two.) A. FTP B. SSH C. Telnet D. SCP (secure copy protocol)

A, C. Some older network utilities such as FTP and Telnet don't have the ability to encrypt passwords.

Nonpersistent or dissolvable NAC agents may help to make what possible? A. BYOD initiative (bring your own device) B. Edge control C. Unified voice services D. Host-based IDS

A. A nonpersistent agent is one that is used to assess the device only during the onetime check-in at login. It can be used to support the assessment of endpoints not owned by the organization and as such can help to make a Bring Your Own Device (BYOD) policy possible.

Which of the following is a hash function? A. SHA-3 B. RC4 C. AES D. BMX

A. SHA-3 RC4 is a stream cipher AES is simply a standard (advanced encryption standard)

In a PKI encryption method which key encrypts the data? A. Public B. Private C. Both D. Depends on who sends the data.

A. you send someone a public key that is used in turn to encrypt the data. The private key can decrypt data encrypted with the public key.

RADIUS, TACACS+

AAA authentication protocols used with 802.1x. RADIUS uses (UDP) ports 1812, 1813, 1645, and 1646 TACACS+ used TCP 49 TACACS+ is considered more stable and secured than RADIUS

SNMP (Simple Network Management Protocol)

An Application-layer protocol used to exchange information between network devices. UDP 161, 162 SNMPv3 is the standard used today

NTP (Network Time Protocol)

An Internet protocol that enables synchronization of computer clock times in a network of computers by exchanging time signals. UDP 123

CHAP (Challenge Handshake Authentication Protocol)

An authentication mechanism where a server challenges a client. Compare with MS-CHAPv2 and PAP. (dial up connections) Replaces PAP (password Authentication Protocol)

Kerberos Authentication

Authenticates by using a ticket provided by server once granted access. Ticket will allow client to access network resources. KERBEROS is an authentication method that has no connection to PPP. Part of the windows domain controller which lists all user names and passwords . Kerberos uses port 88 (TCP or UDP) The cornerstone of Kerberos is the key distribution center (KDC) , which has two processes : the Authentication Server (AS) and the Ticket Granting Service (TGS) (in Windows server environments KDC is installed in the domain controller - that's how its called and nothing to do with DNS)

AAA stands for

Authentication - usually done through the use of a username and password although more forms of identification can be required, Authorization - what exactly can one do or not on the network, and Accounting - basically auditing what the user did, length of session, data traffic.

In computer security, what does AAA stand for?

Authentication, authorization, and accounting Two common implementations of AAA are RADIUS (Remote Authentication Dial-in User Service) and TACACS+ (terminal access Controller Access Control System plus) .

If you saw some traffic running on UDP ports 1812 and 1813, what AAA standard would you know was running? A. PPP B. RADIUS C. MS-CHAP D. TACACS+

B. RADIUS ( remote authentication DIAl-in User Service)

What is the main difference between a private network and a public network? A. In a private network, everyone has access; in a public network, only authorized users have access B. There is no difference; in both a private and public network, only authorized users have access C. In a private network, only authorized users have access; in a public network, everyone that is connected has access D. In a private network, everyone has access; in a public network, only the first 100 people have access

C. On a private network, only authorized users have access to the data, whereas in a public network, everyone connected has access to the data. (an intranet is an example of a pvt network)

By definition, a hash is A. complex function B. PKI function C. one-way function D. systematic function

C. one-way function

In order to have a PKI you must have a(n) ______. A. Web server B. Web of trust C. root authority D. unsigned certificate

C. root authority

Port Triggering

Enables you to specify outgoing ports that your computer uses for special applications; their corresponding inbound ports open automatically when the sessions are established.

Encryption vs Hashing

Hashing (with salting) is a one-way street, you usually can't decrypt it. It's best used for passwords Encryption is a two way street, it can be encrypted an decrypted. It's used for classified messages that are to be sent somewhere securely and then have to be decrypted to be read

IPsec

In computing, Internet Protocol Security is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks.

Which authentication method relies on tickets to grant access to resources?

Kerberos

Encryption in the OSI model

Layer 1 -no common encryption done at this layer, until one gets to WAN technologies, like SONET. Layer 2 A common place for encryption using proprietary encryption devices. These boxes scramble all of the data in an Ethernet frame except the MAC address information. Devices or software encodes and decodes the information on-the-fly at each end Layer 3 IPsec is the only common protocol that encrypts at this layer. IPsec is typically implemented cia software that takes the IP packet and encrypts everything inside the packet, leaving only the IP addresses and a few other fields unencrypted. Layer 4 Neither TCP or UDP offers any encryption methods, so little happens security-wise at Layer 4 Layer 5, 6, and 7 Important encryption standards (such as SSL and TLS used in e-commerce) happen within these layers, but don't fit cleanly into the OSI model.

Which user-authentication method is available only in an all-Windows environment?

MS-CHAPv2 is the most current one. Still in use today.

RAS (Remote Access Service)

Microsoft service used (no longer used) for connecting to other systems. It is used with Remote Assistance and with Remote Desktop Connection. RAS itself was not secure, but there are options within RAS to include a secure protocol for tunneling, such as PTPP RAS is not a protocol but refers to the combination of hardware and software required to make a remote access connection.

MS-CHAP

Microsoft's variation of the Challenge Handshake Authentication Protocol (CHAP) that uses a slightly more advanced encryption protocol. Windows Vista uses MSCHAP v2 (version 2), and does not support MS-CHAP v1 (version 1).

In an authentication system that uses private and public keys, who should have access to the private key?

Only the owner of the key

Which type of agent is one that is installed on a NAC (network access control) client and starts when the operating system loads?

Persistent

Which user-authentication method utilizes the UDP protocol?

RADIUS Layer 4 UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting

RC4 (Rivest Cipher 4)

RC4 (Rivest Cipher 4) is a stream cipher. RC4 is a stream cipher designed by Ron Rivest. It is used in many applications including Transport Layer Security (TLS), Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and so on. RC4 is fast and simple. However, it has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, nonrandom or related keys are used, or a single keystream is used twice. Some ways of using RC4 can lead to very insecure cryptosystems such as WEP.

Which security / encryption protocol or standard allows you to create a "VIRTUAL" private network (VPN) on an intranet?

SSL VPN is really the process of using SSL to create a virtual private network (VPN). A VPN is a secured connection between two systems that would otherwise have to connect to each other through a non-secured network.

How does SSL work?

SSl requires a server with a certificate. when a client requests access to an SSL-secured server, the server sends to the client a copy of the certificate. the SSL client checks the certificate if the certificate checks out . the server is authenticated and the client negotiates a symmetric-key cipher for use in the session. the session is not in a very secure encrypted tunnel btw the SSL server and the SSL client.

Which user-authentication method utilizes the TCP protocol?

TACACS+ is a user-authentication method that uses port 49 and separates (AAA) into different parts. TACACS+ uses authentication standards such as PAP (not great), CHAP (not great) , MS-CHAP , MD5 hashes or Kerberos.

TCP/IP Security

TCP/IP was not designed with security in mind. TCP/IP flaws fall into two categories: Implementation flaws; protocol flaws. Both were addressed via new technology with Example user authentication standards such as PPP and CHAP encryption standards such as MD5 or CHAP

Advanced Encryption Standard (AES)

The AES Encryption algorithm (also known as the Rijndael algorithm) is a symmetric block cipher algorithm with a block/chunk size of 128 bits. It converts these individual blocks using keys of 128, 192, and 256 bits. Once it encrypts these blocks, it joins them together to form the ciphertext. Practically uncrackable. Very secure. Points to remember AES is a block cipher. The key size can be 128/192/256 bits. Encrypts data in blocks of 128 bits each. Many apps that used stream ciphers are switching to AES.

In which layers are the TLS and the SSL protocols located?

The TLS (and SSL) protocols are located between the application protocol layer and the TCP/IP transport layer, where they can secure and send application data to the transport layer.

IPSec works in two modes which are...

The mode one uses depends on the application: Transport Mode - only the actual payload of the IP packet is encrypted: the destination and source IP addresses and other IP header info are still readable. IPv6 will use the transport mode by default. Tunnel Mode - the entire IP packet is encrypted and then placed into an IPsec endpoint where it is encapsulated inside another IP packet.

LDAP (Lightweight Directory Access Protocol)

The most common use of LDAP is to provide a central place for authentication, meaning it stores usernames and passwords. Scenario: If a domain controller fails another domain controller can and must take place . To do this every domain controller must have a copy of the Active Directory Database. That means that if a single domain controller makes a change to the Active Directory Database it must quickly send that change to the other domain controllers. This is where LDAP comes into play. Domain controllers use LDAP to keep databases in good order. LDAP uses TCP and UDP ports 389 by default.

PKI (Public Key Infrastructure)

User Authentication Method that enables users of a public network such as the Internet to securely and privately exchange data through the use of a pair of keys—a public one and a private one—that is obtained from a trusted authority and shared through that authority. Verifies the user's identity by using a certificate authority(CA). https://www.techtarget.com/searchsecurity/definition/PKI

TSL (Transport Layer Security) / TLS 2.0

a protocol that guarantees privacy and data integrity between client/server applications communicating over the Internet. TLS (Transport Layer Security) is a later version on SSL The latest version of Transport Layer Security (TLS 2.0) provides a number of enhancements over earlier versions. The following are the most noteworthy: ■ Several improvements in the operation of a central component, the MD5/SHA-1 hashing function. Hashing functions are used to ensure that the data is not changed or altered (also known as maintaining data integrity). ■ More flexibility in the choice of hashing and encryption algorithms on the part of the client and the server. ■ Enhanced support for the Advanced Encryption Standard (AES)

asymmetric encryption

a type of cryptographic based on algorithms that require two keys -- one of which is secret (or private) and one of which is public (freely known to others). if the original sender does not have a public key the message can still be sent with a digital certificate , often called a digital ID

tunnel

a virtual, private pathway over a public or shared network from the VPN client to the VPN server a tunnel is an encrypted link btw two programs on two separate computers.

Tunneling

process that encrypts each data packet to be sent and places each encrypted packet inside another packet

NAC (Network Access Control)

A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level. These systems examine the state of a computers operating system before allowing access. Key components: posture assessment placing the device in a guest network until a posture assessment is performed Using a persistent or a non persistent agent to assess the device using a captive portal that may ask for credentials or agreement to the usage policy -placing the device in a quarantine network until the posture assessment is passed (if NAC supports remediation, the device will be connected to a remediation server that can make the necessary changes to the system before joining the network)

ACL (Access Control List)

A list of statements used by a router to permit or deny the forwarding of traffic on a network based on one or more criteria. MAC filtering - advisable if you are not denying access based on IP addresses. Best to NOT combine both. Either filter by IP or by MAC (not both bc it can create problems) Port Filtering - based on port numbers as well as IP addresses

802.1x

A port-based authentication protocol. We are talking about physical interfaces (ports) Not tcp udp ports. Wireless can use 802.1X. For example, WPA2-Enterprise mode uses an 802.1X server (implemented as a RADIUS server) to add authentication.

Which user-client-server authentication software system combines user authentication and authorization into one central database and maintains user profiles? A. RADIUS B. TACACS+ C. Kerberos D. PKI

A. RADIUS combines user Authentication and Authorization into one centralized database and maintains user profiles. TACACS+ does not combine Authentication and Authorization

Which of the following authentication methods allows for domain authentication on both wired and wireless networks? A. RADIUS B. CHAP C. PKI D. RDP

A. RADIUS servers provide both authentication and encryption services and can combine these into one service. RADIUS can be used for allowing or denying both wired and wireless access at the domain level. 802.1X RADIUS uses UDP. (could also be TACACS+ using TCP- CISCO)

Which tunneling protocol is based on RSA public-key encryption? A. SSL B. L2TP C. IPSec D. SSL VPN

A. SSL is based on RSA public-key encryption and is used to provide secure Session layer connections over the internet between a web browser and a web server.

802.1x authentication

An authentication standard that uses username/passwords, certificates, or devices such as smart cards to authenticate clients. 802.1X is a network authentication protocol that opens ports for network access when an organization authenticates a user's identity and authorizes them for access to the network. The user's identity is determined based on their credentials or certificate, which is confirmed by the RADIUS server. The RADIUS server is able to do this by communicating with the organization's directory, typically over the LDAP or SAML protocol.

Stream Cipher

An encryption method that encrypts a single bit at a time. Popular when data comes in long streams (such as with older wireless networks or cell phones).

Block Cipher

An encryption method that encrypts data in fixed-sized blocks. Block ciphers are faster than stream ciphers.

DES (Digital/Data Encryption Standard)

An older symmetric encryption standard from the 90s used to provide confidentiality. DES uses 56 bits and is considered cracked. replaced by AES The Data Encryption Standard (DES) is not a type of public-key encryption.

You have a remote user who can connect to the internet but not to the office via their VPN client. After determining the problem, which should be your next step? A. Have the client reboot their host B. Make sure the user has the correct VPN address and password C. Have the client reinstall their VPN software D. Reboot the router at the corporate office

B. After determining that the user has internet access, your next step would be to verify the VPN address and password.

Companies that want to ensure that their data is secure during transit should use which of the following? A. Firewalls B. Encryption C. Data accounting D. Routing table

B. Companies that want to ensure that their data is secure during transit should encrypt their data before transmission. Encryption is the process that encodes and decodes data.

In which layer of the OSI model does IPSec (Internet Protocol Security) operate? A. Physical B. Network C. Transport D. Application

B. IPSec works at the Network layer 3 of the OSI model (Layer 3) and secures all applications that operate above it (Layer 4 and above). Additionally, because it was designed by the IETF and designed to work with IPv4 and IPv6, it has broad industry support and is quickly becoming the standard for VPNs on the internet.

At which stage of PPPoE are the MAC addresses of the endpoints exchanged? A. Session B. Discovery C. Transport D. Final

B. PPPoE has only two stages: discovery and session. In the discovery phase, the MAC addresses of the endpoints are exchanged so that a secure PPP connection can be made. PPPoE is an acronym that stands for Point-to-Point Protocol over Ethernet. PPPoE is a networking protocol that derived from another, older protocol, called PPP, which you guessed, stands for Point-to-Point Protocol. PPPoE was designed for managing how data is transmitted over Ethernet networks (cable networks), and it allows a single server connection to be divided between multiple clients, using Ethernet.

Which of the following is not an enhancement provided by TLS version 2.0? A. Improvements in the operation of the MD5/SHA-1 hashing function B. Enhanced support for the Advanced Encryption Standard (AES) C. Expansion of the use of TLS to VPNs D. More flexibility in the choice of hashing and encryption algorithm

C. TLS was available for use with VPNs in earlier versions prior to 2.0.

What is the minimum number of characters you should use when creating a secure password? A. 6 B. 7 C. 8 D. 15

C. The minimum length should be 8 characters, and the maximum length should be 15 characters. A strong password is a combination of alphanumeric and special characters that is easy for you to remember but difficult for someone else to guess.

To encode or read an encrypted message, what tool is necessary? A. Routing table B. Internet access C. Encryption key D. Email address

C. To encode a message and decode an encrypted message, you need the proper encryption key or keys. The encryption key is the table or formula that defines which character in the data translates to which encoded character.

Which protocol works in both the transport mode and tunneling mode? A. SSL B. L2TP C. PPTP D. IPSec

D. IPSec works in both transport mode and tunneling mode. In transport mode, a secure IP connection between two hosts is created. Data is protected by authentication or encryption (or both). Tunnel mode is used between network endpoints to protect all data going through the tunnel. In tunnel mode, the entire original IP packet is encapsulated to become the payload of a new IP packet. https://www.twingate.com/blog/ipsec-tunnel-mode/

Which of the following is not a Network Access Control (NAC) method? A. CHAP / MS CHAP B. 802.1X C. EAP D. ICA

D. Independent Computer Architecture (ICA) is a protocol designed by Citrix Systems to provide communication between servers and clients. ICA is a remote-access method. 802.1x one of the most common NACs in a wireless network. EAP (extensible Authentication Protocol) is an extension to PPP (point to point protocol) that provides additional authentication methods for remote-access clients such as Kerberos, smart cards) Hashes, MD5, SHA (family of algorithms much like MD5) https://www.techtarget.com/searchnetworking/definition/network-access-control

Which of the following VPN protocols runs over TCP port 1723, allows encryption to be done at the data level, and allows secure access? A. RAS (Remote Access Services) B. RADIUS C. PPPoE D. PPTP (not used that much anymore - dated)

D. PPTP is a VPN protocol that was created by Microsoft and uses TCP port 1723 for authentication and Generic Routing Encapsulation (GRE) to encrypt the data at the Application level. RAS is not a protocol but refers to the combination of hardware and software required to make a remote access connection. RADIUS uses UDP 1645-46 & 1812-13 PPPoE - encapsulates PPP frames inside Ethernet frames

Which IP address should you deny into your inter-network? A. 126.10.10.9/8 B. 168.0.0.0/8 C. 128.0.0.0/8 D. 127.0.0.0/8

D. To have a good security on your network configure ACLs btw the internet and your pvt network. (four conditions) 1. deny any addresses from your internal networks, 2. deny and local host addresses (127.0.0.0/8), 3. deny any reserved private addresses, 10.0.0.0 to 10.255.255.255 172.16.0.0 to 172.31.255.255 192.168.0.0 to 192.168.255.255 4. and deny any addresses in the IP multicast address range (224.0.0.0/4).

The process of verifying that the sender is indeed the sender A. PKI B. authentication C. locking D. nonrepudiation

D. nonrepudiation Assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so neither can later deny having processed the information.

Symmetric Key Encryption

Encryption system in which a single key is used for both encryption and decryption. sender and user use the same key Using the same key to encrypt and decrypt a message. not safe. In cryptography, a Caesar cipher, also known as Caesar's cipher, is one of the simplest and most widely known symmetric encryption techniques. It is a type of substitution cipher in which each letter in the plaintext is replaced by a letter some fixed number of positions down the alphabet. For example, with a left shift of 3, D would be replaced by A, E would become B, and so on. The method is named after Julius Caesar, who used it in his private correspondence.

Components of PPP? (three)

Point - to - Point Protocol is a layered protocol having three components − Encapsulation Component − It encapsulates the datagram so that it can be transmitted over the specified physical layer. Link Control Protocol (LCP) − It is responsible for establishing, configuring, testing, maintaining and terminating links for transmission. It also imparts negotiation for set up of options and use of features by the two endpoints of the links. One or more Network Control Protocols (NCP) used to negotiate optional configuration parameters and facilities for the network layer. There is one NCP for each higher-layer protocol supported by PPP. Authentication Protocols (AP) − These protocols authenticate endpoints for use of services. The two authentication protocols of PPP are − Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) --------------------------------------------------------------- Point-to-Point Protocol (PPP) (tutorialspoint.com)

RSA Encryption

RSA (Rivest-Shamir-Adleman) is the most common internet asymmetric encryption and authentication system. Uses public key and private key authentication instead of a password. Used by Netscape in the 90s implementation of this method.

SSL (Secure Sockets Layer) developed by Netscape to work with its browser

Requires a server with a certificate. A method of encrypting data to provide security for communications over networks such as the Internet. It's based on Rivest, Shamir, and Adleman (RSA) public-key encryption and used to enable secure Session layer connections over the Internet between a web browser and a web server. SSL is service independent, meaning a lot of different network applications can be secured with it—a famous one being the ubiquitous HTTP Secure (HTTPS) protocol. As time marched on, SSL was merged with other Transport layer security protocols to form a new protocol called Transport Layer Security (TLS).

User Authentication

the process of verifying the credentials of a particular user of a computer or software system (AuthenticationAA)

Challenges of Kerberos authentication

timestamping is impt bc it forces the client to request a new token (access token /service ticket) every so often (usually 8 hrs). if the KDC (key distribution center) goes down we have a major issue. Super impt to keep a backup KDC server (in Windows that means at least two domain controllers) timestamping requires that both clients and servers sync their clocks