Module 2, Unit 3 - Identification and Authentication
Also known as EAP (Extensible Authentication Protocol) is an authentication standard, developed to allow remote, wireless, and wired authentication to be centrally managed. A client device, such as an access point, passes authentication information to a RADIUS server on the wired network for validation. The authentication information could be a user name and password or could employ smart cards or tokens.
802.1X
What type of logon security is provided by OTP?
A One-Time Password is valid only for a short period (usually 60 seconds), before it changes again.
Where is a biometric template recorded and stored in?
A database on the authentication server
The permissions attached to, or configured on, a network resource, such as a folder, file, or firewall. This specifies which subjects (user accounts, host IP addresses, and so on) are allowed or denied access and the privileges given over the object (read only, read/write, and so on).
ACL (Access Control List)
A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.
API (Application Programming Interface)
A subject is identified on a computer by what?
Account
Which "Something You Know" authentication property is a unique identifier by which the computer system manages the account?
Account ID
The process of tracking authorized and unauthorized usage of a resource or use of rights by a subject.
Accounting
Which access control system main process is defined as tracking authorized and unauthorized usage of a resource or use of rights by a subject?
Accounting
A means for a user to prove their identity to a computer system. This is implemented as either something you (a user name and password), something you have (a smart card or key fob), or something you are (biometric information). Often, more than one method is employed (2-factor authentication).
Authentication
Which access control system main process is defined as proving that a subject is who or what it claims to be when it attempts to access the resource?
Authentication
Which KDC service is responsible for authenticating user logon requests?
Authentication Service
What two services makes up a KDC in Kerberos?
Authentication Service and Ticket Granting Service
The process of determining what rights subjects should have on each resources and enforcing those rights.
Authorization
Which access control system main process is defined as determining what rights subjects should have on each resource and enforcing those rights?
Authorization
Which Key stretching library is an extension of the crypt UNIX library for generating hashes from passwords and uses the Blowfish cipher to perform multiple rounds of hasing?
Bcrypt
Why might a standalone installation of Windows XP by more vulnerable to password cracking than in Windows 7?
Because it uses LM authentication (LM is weak because alphabetic characters use limited ASCII characters and converted to uppercase, max password length is 14 characters and long passwords are split in 2, and the password is not salted all of which make it vulnerable to brute force and rainbow table attacks)
What type of biometric technology are classified as "Something You Do", are cheap to implement, but generate more errors?
Behavioral technologies
Identifying features stored as digital data can be used to authenticate a user. Typical features used include facial pattern, iris, retina, or fingerprint pattern, and signature recognition. This requires the relevant scanning device, such as a fingerprint reader, and a database of biometric information (the template).
Biometric
What is used to scan the chosen biometric information so that it can be converted as binary information?
Biometric reader
Which type of attack attempts every possible combination in the key space in order to derive a plaintext from a ciphertext?
Brute Force Attack
An identity and authentication smart card produced for the Department of Defense employees and contractors in response to a Homeland Security Directive.
CAC (Common Access Card)
This is an image of text characters or audio of some speech that is difficult for a computer to interpret. These are used for purposes such as preventing "bots" from creating accounts on web forums and social media sites to spam them.
CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart)
What is the metric called for biometric technologies referring to the point where FRR and FAR intersect?
CER (Crossover Error Rate)
Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection ( though transparent to the user) to guard against replay attacks.
CHAP (Challenge Handshake Authentication Protocol)
Which remote authentication protocol supports smart cards?
Certain EAP protocols that support client-side digital certificates
What are the three components of a three-way handshake that CHAP uses?
Challenge, Response, Verification
Your company has won a contract to work with the Department of Defense. What type of site access credentials will you need to provide?
Common Access Card (issued to military personnel, civilian employees, and contractors to gain access to DoD facilities and systems)
Authentication is performed when the account holder supplies what to the system?
Credentials
Information used to authenticate a subject when it tries to access the user account.
Credentials
Which type of attack can be used where there is a good chance of guessing the likely value of the plaintext and the cracking software enumerates the values in the dictionary?
Dictionary attack
Framework for negotiating authentication methods, Supporting a range of authentication devices.
EAP (Extensible Authentication Protocol)
What is the first step in setting up a biometric authentication system?
Enrollment
What is the metric called for biometric technologies when an interloper is accepted (False positives)?
FAR (False Acceptance Rate)
What is the metric called for biometric technologies when a legitimate user is not recognized (false negative)?
FRR (False Rejection Rate)
What type of biometric technology records multiple indicators about the size and shape of the face?
Facial recognition
True or False? An account requiring a password, PIN, and one-time password is an example of three-factor authentication.
False (Those are all examples of "Something You Know", multifactor authentication requires a combination of different technologies for defining credentials)
True of False? The holder of a Common Access Card can authenticate to a computer system using biometric information stored on the card.
False (the card allows a user to authenticate using a toked and pass code)
True or False? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication?
False (the client sends the TGS a copy of its TGT and the name of the application server it wishes to access plus an authenticator, consisting of a time-stamped client ID encrypted using teh TGS session key)
Which step in the biometric scanning process records the significant information from the sample?
Feature extraction module
What is the most widely implemented biometric technology?
Fingerprint recognition
What type of authentication system is comprised of a authentication server and client token that are configured with the same shared secret that is created from an 8-byte value generated by a cryptographically strong number generator, and is combined with a counter to create a one-time password when the user wants to authenticate?
HOTP (HMAC-based One-Time Password)
What directive mandated that access to Federal property be controlled by a secure identification and authentication mechanism?
HSPD-12 (Homeland Security Presidential Directive 12)
Which type of attack is a combination of dictionary and brute force attacks that is principally targeted against "naively strong" passwords?
Hybrid Password Attack
The principal stages of security control. A resource should be protected by all three types of control.
IAAA (Identification Authentication Authorization Accounting)
Which access control system main process is defined as creating an account or ID that identifies the user or process on the computer system?
Identification
An account consists of what?
Identifier, credentials, and a profile
What is it referred to the issues and problems that must be overcome in implementing the identification and authentication system across different networks and appliances?
Identity management
The company you work for has suffered numerous intrusions due to poor password management by employees. Given a significant budget to mitigate the problem, what type of security control would you use?
Implement multifactor authentication (it combines more than one type of something you know/have/are eliminating the vulnerability of single factor of being easily compromised by losing or sharing a password)
Which type of eye recognition is easier to perform: retinal or iris scanning?
Iris (matches the patterns on the surface of the eye and so is less intrusive than retinal scans and a lot quicker)
Performed by Identification, this is the process by which a user account (and its credentials ) is issued to the correct person.
Issuance / enrollment
What attribute must an identifier posses?
It must be unique (in the event an account is deleted and a subsequent account is created with the exact same user name - the new account will not gain the old version's permissions)
Named after the mythical multi-headed guard-dog of the underworld, this is an authentication standard and protocol. Windows networks use this protocol for client and server authentication. It provides Single Sign-On (SSO) authentication scheme where clients authenticate once to a Key Distribution Center and are granted service tickets to use with particular applications without having to log on to each application separately.
Kerberos
A form of EAP, this is a password based mechanism used by Cisco.
LEAP (Lightweight EAP)
A Network Operating System (NOS) developed by Microsoft and 3com that is a challenge/response authentication protocol in which passwords are stored using the 56-bit DES cryptographic function.
LM (LAN Manager)
A single sign-on system, such as Kerberos (issues a TGT), issues users with a software token to present as confirmation that they have been previously authenticated.
Logical token
What are the main concerns with "Something You Have" authentication?
Loss or theft of token and the chance of it being counterfeited
NTLM only provides for client authentication, what type of attack does this make it vulnerable to?
MITM (Man-In-The-Middle)
Which authentication protocol is Microsft's first implementation of CHAP that is supported by older clients?
MS-CHAP
A method of making authentication schemes stronger by combining more than one authentication method, such as something you know, something you have, or something you are. For example, combining the use of a smart card certification (something you have) with a PIN (something you know).
Multi-factor Authentication
While a client typically authenticates to a server, this is the process of having the server ALSO authenticate to the client, to prevent Man-In-The-Middle attacks.
Mutual Authentication
An updated version of LM authentication protocol that was implemented in Windows NT, the password is unicode and mixed case and can be up to 127 characters long, and the 128-bit MD4 hash function is used.
NTLM
Which authentication protocol's response is an HMAC-MD5 hash of the username and authentication target, plus the server challenge, a timestamp, and a client challenge; it also uses a MD4 password hash as the key for the HMAC-MD5 function?
NTLMv2
A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?
No (this is security by obscurity and the hidden file could be discovered by an attacker - with no other security controls in place would leave the passwords in the clear text for the attacker to use)
In what scenario would PAP be an appropriate cryptographic method?
None (It relies on clear text password exchange and is therefore obsolete for the purposes of any sort of secure connection)
What is an industry body comprising mostly of the big PKI providers with the aim of developing an open strong authentication framework?
OATH (Initiative for Open Authentication)
Which type of attack is where a password cracker can work on a database of hashed passwords and the attacker does not interact with the authentication system to perform the cracking?
Offline attack
What type of toke is one that is generated automatically and use only once, and is not vulnerable against guessing or sniffing attacks?
One-Time Password
Which type of password attack is where the adversary directly interacts with the authentication service and submit passwords using either a database of known passwords or a list of passwords that have been cracked offline?
Online Password Attack
An obsolete authentication mechanism used with PPP. This mechanism transfers the password in plaintext and so is vulnerable to eavesdropping.
PAP (Password Authentication Protocol)
Which key stretching library is part of the RSA security's public key cryptography standards (PKCS#5)?
PBKDF2 (Public Key Derivation Function 2)
This framework creates a TLS-protected tunnel between the supplicant and authenticator to secure the user authentication method.
PEAP (Protected EAP)
What includes things such as full name, birth date, social security number, and so on?
PII (Personally Identifiable Information)
Other than a username and password, what is another example of "Something You Know"?
PIN (Personal Identification Number)
What type of CAC is for civilian Federal Government Employees and Contractors?
PIV (Personal Identification Verification)
By strongly restricting the workstation that will accept logon (interactive or remotely) from account with domain administrative privileges, which type of attack is prevented?
Pass-The-Hash Attack (domain administrators should be logging in to dedicated and hardened workstation that are protected against physical and network access)
What type of attack occurs if an attacker can obtain the hash of a user password, and it is possible to present the hash, without cracking it, to authenticate to network protocols such as CIFS?
Pass-The-Hash attack
What is longer than a password, is comprised of a number of words, and has the advantages of being more secure and easier to remember?
Passphrase
Which "Something You Know" authentication property is a secret known only to the account holder used to authenticate against the account?
Password
Password guessing software, such as John the Ripper or Cain and Abel. This software attempts to identify a user's password by running through all possible combinations (Brute Force). This can be made less computationally intensive by using a dictionary of standard words or phrases.
Password Cracker
What is a device that is combined with some sort of support software that provides single sign-on for the applications that do not support other architectures, such as Kerberos?
Password Manager
A particular subject may have numerous "digital identities", both within and outside of the company that forces users into unsecure practices, such as sharing passwords between different account. What two practices can help mitigate this?
Password reset and single sign-on
What steps should be taken to enroll a new user?
Perform identity proofing to confirm the user's identity, issue authentication credentials securely, and assign appropriate permissions / privileges to the account.
Information about a subject.
Profile
Which type of attack does the attacker use a pre-computed lookup table of all possible passwords and their matching hashes?
Rainbow Table Attack
What type of biometric technology is where an infrared light is shone into the eye to identify the pattern of the blood vessels?
Retina scan
What is it referred to when hash functions are made more secure by adding a random value to the plaintext, which helps slow down rainbow table attacks?
Salt
Which step in the biometric scanning process acquires the biometric sample from a target?
Sensor module
Once the client sends the TGS a copy of its TGT and the name of the application server it wishes to access plus an authenticator, what does the TGS respond with?
Service Session Key and Service Ticket
What are three key security problems for biometric templates?
Should not be used to reconstruct a sample, should be tamper proof, and should be "injected"
Which type of token is a credit card-sized device with an integrated chip and data interface that can be either contact or contactless (proximity) based?
Smart card
What type of authentication employs some sort of biometric recognition system?
Something You Are
What type of authentication refers to behavioral biometric recognition, such as analyzing the behavior of how you type or write your signature?
Something You Do
What type of authentication includes a smart card, USB token, or a key fob that contains a chip with authentication data, such as a digital certificate?
Something You Have
What type of authentication is location-based that measures some statistic about "where" you are, such as by geographic location using GPS/IPS or by analyzing the IP address?
Somewhere You Are
Which Kerberos component is for use in communications between the client and the Ticket Granting Service (TGS)?
TGS Session Key
Which Kerberos component contains information about the client plus a timestamp and validity period?
TGT (Ticket Granting Ticket)
What type of authenticaton system is a refinement of the HOTP where the HMAC is built from the shared secret plus a value derived from the device's and server's local timestamps, and automatically expires of after a shor window?
TOTP (Time-based One-Time Password)
WHat is one of the noted drawbacks of Kerberos?
That the KDS presents a single point of failure
Why are Windows password databases vulnerable to "cracking"?
The store LM hash versions of a password for backwards compatibility of Windows (if compatibility is not required this feature should be disabled)
A physical or software-based authentication object. Software forms of this object are generated by logon systems such as Kerberos (TGT), so that users do not have to authenticate multiple times (Single Sign-On). A hardware version of this object can be a device containing a chip with a digital certificate but it is more often a device that generates a one-time password.
Token
Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?
User acceptance (may find it intrusive), accessibility (users with disabilities), chance of being counterfeited, errors, and throughput (speed)
Which "Something You Know" authentication property is a friendly name for the user to use when logging on to the system?
Username
The typical "Something You Know" technology is the log on and is comprised of what?
Username and password
Your company creates software that requires a database of stored encrypted passwords. What security control could you use to makes the password database more resistant to brute force attacks?
Using key stretching (A technique to make a key generated from a user password stronger is by mucking about with it lots of times. The initial key is put through thousands of rounds of hashing. It may be performed by Bcrypt or PBKDF2)
What behavioral technology is relatively cheap as the hardware and software required is already built into many standard PCs and Mobiles, but background noise and other environmental factors can interfere with log on and is subject to voice impersonation?
Voice recognition
These are login credentials that use dictionary words or parts of the username, are not complex, or are too short (less than 8 characters).
Weak passwords
How can online password attacks be mitigated against?
restricting the number or rate of logon attempts and shunning logon attempts from known "bad" IP addresses