Chapter 10 (Authentication Protocols)
Federation
a term used to authenticate and authorize users across organizations and application boundaries
HMAC-based One Time Password (HOTP)
an HMAC-based algorithm used to generate passwords
Time-based One Time Password (TOTP)
an algorithm used by authentication systems that involves passwords being generated based on the current time
Implicit Deny
deny anyone access to a system until they are authenticated
Windows Authentication Protocols
- Anonymous Authentication
- Basic Authentication
- Integrated Windows Authentication
- Kerberos
Authentication Services
- Authentication
- Authorization
- Accounting
- also known as AAA
- Some AAA services are: RADIUS, DIAMETER, and TACACS+
Remote Access Authentication
- Both RAS (remote access services) and VPN support these authentication protocols:
  - Password Authentication Protocol (PAP)
  - Challenge Handshake Authentication Protocol (CHAP)
  - Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  - MS-CHAPv2
  - Extensible Authentication Protocol (EAP)
Extended TACACS (XTACACS)
- Cisco created their own authentication service
- used on Cisco devices
Other Authentication Protocols
- LDAP
- Secure LDAP
- SAML
- TOTP
- HOTP
- Implicit Deny
- Trusted OS
- Federation
- Transitive Trust
TACACS+
- an AAA protocol
- uses TCP
- like RADIUS but better
- it encrypts all info between the client and server
DIAMETER
- a new AAA protocol designed to replace RADIUS
- provides more reliable communication because it uses TCP
- it's also more scalable and secure
Remote Access Dial-In User Service (RADIUS)
- a popular central authentication service
- an AAA protocol
- uses UDP
- UDP port 1812 for the authentication and authorization service
- UDP port 1813 for accounting services
- the client requests a connection to the RADIUS server, then the RADIUS server verifies the credentials and sends back a reply to grant or deny
- only encrypts the password
Key Distribution Center (KDC)
- a server that is responsible for issuing tickets
- the tickets are needed for a client to request a service from any other server on the network
- it requests a ticket from the ticket-granting service (TGS)
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
- a variation of CHAP that uses MD4 as the hashing algorithm
- it also uses Microsoft Point-to-Point Encryption (MPPE) to encrypt all traffic from client to server
Extensible Authentication Protocol (EAP)
- allows for multiple logon methods such as smart card logon, certificates, Kerberos, and public-key authentication
- frequently used with RADIUS, which is a central authentication service that can be used by RAS, wireless, or VPN solutions
Security Assertion Markup Language (SAML)
- an XML standard
- allows systems to exchange authentication and authorization info
- often used with identity federation
Accounting
- an authentication service
- it deals with logging activity so that you can bill different departments for their usage of the different services
Authorization
- an authentication service
- once the account information has been verified, the user is granted access to the network
- it may then need other criteria besides account info before granting access
- ex. it may require that the authentication request come from a specific subnet
Authentication
- an authentication service
- responsible for validating the credentials presented by the user and typically involves having an authentication database of criteria
- ex. a user logs on with a username and password, which are verified against an account database
Lightweight Directory Access Protocol (LDAP)
- an internet protocol
- designed for access to a directory service
- TCP port 389
- allows a client to authenticate and then retrieve info about objects stored in the directory
Secure LDAP
- it uses SSL over TCP port 636
- encrypts the communication between the client and the LDAP system
Transitive Trust
- means to allow access based on a trust model
- ex. if ComputerA trusts ComputerB, and ComputerB trusts ComputerC, then ComputerA also trusts ComputerC
Terminal Access Controller Access Control System (TACACS)
- originated as an authentication system for UNIX systems
- ran over TCP and UDP port 49
Kerberos
- a popular mutual authentication protocol, used by default in Active Directory environments
- it uses a Key Distribution Center (KDC)
Password Authentication Protocol (PAP)
- sends the user's credentials in plain text and is very insecure
- the protocol used by Basic Authentication
Challenge Handshake Authentication Protocol (CHAP)
- the server sends a challenge to the client that is then used in the authentication process
- uses MD5
- Steps:
  1. the server sends the client a challenge (a key)
  2. the client then combines the challenge with the password; it hashes the password and challenge, and the hash value is sent to the server for authentication
  3. the server uses the same key to create a hash with the password stored on the server, then compares the hash it made with the one sent to it
- benefit is that the user's credentials have not been passed across the network
Ticket-Granting Service (TGS)
- this grants the ticket to the client so the client can access the required server on the network
- it's part of the KDC
MS-CHAPv2
- version 2
- the authentication method has been extended to authenticate both the client and the server
- it also uses a stronger encryption key than CHAP and MS-CHAP
Anonymous Authentication
- you are not required to log on
- Windows uses an account for the actual service, and you are passed through as that account
- you get the permissions that an anonymous account has
- popular for web sites or FTP servers
Basic Authentication
- you are required to log on
- the username and password are sent to the server in clear text, meaning if someone has a packet sniffer between the server and you they can get your username and password
- uses PAP
Integrated Windows Authentication
- you are required to log onto the server
- your username and password are sent to the server in an encrypted format
- more secure than basic authentication
Trusted OS
used to identify a system that implements multiple layers of security such as authentication and authorization to determine who can access a system and what they can do
VPN server with RADIUS
what the network client connects to, which then sends the authentication request to the RADIUS server, which means that the VPN server is the RADIUS client