Authentication Services
____ is a database of subjects or users. In a Microsoft environment, this is Active Directory, but it could be any database of users.
Kerberos
_____ works on the basis of 'tickets' to allow nodes communicating over a <B>non-secure network</B> to prove their identity to one another in a secure manner.
Kerberos
____ is a network authentication mechanism used within Active Directory and some Unix environments known as <b>realms</b>.
Kerberos. It is a network authentication protocol.
The primary purpose of SAML is _____ and ____ between different parties.
authentication and authorization
TLS encrypts the data ___ (looking for time before or after) transmission.
before
Kerberos tickets are sometimes referred to as ____.
Logical Tokens
What three roles define SAML?
Principal. This is typically a user. The user logs on once. If necessary, the principal requests an identity from the identity provider. Identity provider. An identity provider creates, maintains, and manages identity information for principals. Service provider. A service provider is an entity that provides services to principals. For example, a service provider could host one or more web sites accessible through a web-based portal. When a principal tries to access a resource, the service provider redirects the principal to obtain an identity first. This process sends several XML-based messages between the systems. However, it is transparent to the user.
TLS does what?
Provides encryption.
What does KDC stand for? What is it associated with?
Key Distribution Center. Kerberos.
Unix <b>realms</b> use ____ to identify objects. Administrators often use ____ in scripts, but they need to have a basic understanding of how to identify objects.
LDAP
What do LDAP and Secure LDAP (Lightweight Directory Access Protocol) do?
LDAP and Secure LDAP: Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories. In this context, a directory is a database of objects that provides a central access point to manage users, computers, and other directory objects.
What does LDAP stand for?
Lightweight Directory Access Protocol
____ systems can connect to different OS and networks via a federation.
SSO. SSO systems can connect to different OS and networks via a federation. One common method is with a federated identity management system, often integrated as a federated database. This federated database provides central authentication in a nonhomogeneous (different) environment. As an example, imagine that the Springfield Nuclear Power Plant established a relationship with the Springfield school system, allowing the power plant employees to access school resources. It's not feasible or desirable to join these two networks into one. However, you can create a federation of the two networks. Once it's established, the power plant employees will log on using their power plant account, and then access the shared school resources without logging on again. A federation requires a federated identity management system that all members of the federation use. In the previous example, the members of the federation are the power plant and the school system. Members of the federation agree on a standard for federated identities and then exchange the information based on the standard.
Many web-based portals use SAML for ____ (for authentication and identification of users).
SSO. The user logs on to the portal once, and the portal then passes proof of the user's authentication to back-end systems. As long as one organization has authenticated users, they are not required to authenticate again to access other sites within the portal.
How does SSO increase security?
SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down. It's also much more convenient for users to access network resources if they only have to log on one time. As an example, consider a user who needs to access multiple servers within a network to perform normal work. Without SSO, the user would need to know one set of credentials to log on locally, and additional credentials for each of the servers. Many users would write these credentials down to remember them.
What does SAML stand for?
Security Assertion Markup Language
What does mutual authentication mean?
Two-way authentication; in the case of Kerberos, between client and server. It refers to two parties authenticating each other at the same time.
Windows domains use ____ which is based on LDAP.
Active Directory
_____ (Symmetric or Asymmetric) encryption uses two keys: one key to encrypt and one key to decrypt.
Asymmetric
Identify what CN and DC mean in the string below. LDAP: CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com
CN=Homer is the user. CN=Users is the container. The DC entries identify the domain: DC=GetCertifiedGetAhead is the domain and DC=com is the second part of the domain.
Kerberos provides <b>mutual authentication</b> that helps prevent ___ and ___.
Eavesdropping (man-in-the-middle attacks) and replay attacks. Eavesdropping is the act of surreptitiously listening to a private conversation. A replay attack (also known as a playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
What does KDC do? What is it associated with?
The KDC uses a complex process of issuing ticket-granting tickets (TGTs) and other tickets. Kerberos.
<b>Same</b> sign-on is the same as SSO. (True or False)
False. In a same sign-on system, users have to reenter their credentials each time they access another system. However, they use the same credentials.
The ___ packages user credentials within a ticket. What is it associated with?
KDC or TGT server. Kerberos.
Queries to Active Directory use the ____format.
LDAP
Does Kerberos provide single or mutual authentication?
Mutual Authentication
LDAP was used by ____ and ____.
Novell and early Microsoft Exchange Server versions used it extensively.
Asymmetric encryption requires a ___ to issue certificates. The two keys used in a ____ are a public key and a private key created as matched pairs. Information encrypted with the public key can only be decrypted with the matching private key. Similarly, information encrypted with the private key can only be decrypted with the matching public key.
PKI
Secure LDAP encrypts transmissions with ____ or ____.
SSL or TLS. SSL is a general method for protecting data transported over a network, whereas SSH is a network application for logging in and sharing data with a remote computer.
Within an LDAP-based network, domains use transitive trusts for ___.
SSO
SSL stands for ___?
Secure Sockets Layer
What is TGT? What is it associated with?
Ticket-granting ticket. Kerberos.
What is another name for KDC? What is it associated with?
TGT server. Kerberos.
Secure LDAP uses encryption to protect LDAP transmissions. When a client connects with a server using Secure LDAP, the two systems establish a ____ (session type) <b>before</b> transmitting any data.
TLS session
TLS stands for _____.
Transport Layer Security
Kerberos and LDAP both include SSO capabilities. (True or False)
True
Kerberos tickets provide authentication for users when they access resources such as files on a file server. (True or False)
True
LDAP is an extension of the ___ standard.
X.500
SSO can provide central authentication against a _____ for different operating systems.
federated database
Transitive trust ___ network administration in a domain.
reduces traffic
Kerberos uses _____ (Symmetric or Asymmetric) cryptography to prevent unauthorized disclosure and to ensure <b>confidentiality</b>.
symmetric-key
When a user logs on with Kerberos, the KDC issues the user a ticket-granting ticket, which typically has a lifetime of ____ (looking for time) to be useful for a single workday. When the user tries to access a resource, the ticket-granting ticket is presented as authentication, and the user is issued a ticket for the resource. However, the ticket expires if users stay logged on for an extended period, such as longer than ____. This prevents them from accessing network resources. In this case, users may be prompted to provide a password to renew the ticket-granting ticket, or they may need to log off and back on to generate a new ticket-granting ticket.
10 hours
____ refers to the ability of a user to log on or access multiple systems by providing credentials only once.
<b>Single</b> sign-on (SSO)
Some SSO systems can connect (authorization or authentication) mechanisms from different environments, such as different operating systems or different networks.
Authentication
The primary purpose of SSO is for authorization of users. (True or False)
False. It's important to realize that the primary purpose of SSO is for <b>identification</b> and <b>authentication</b> of users. Users claim an identity and prove that identity with credentials. SSO does not provide authorization. For example, if the power plant and the school system create a federation using SAML, this doesn't automatically grant everyone in the school system full access to the nuclear power plant resources. Authorization is completely separate. However, many federation SSO systems, including SAML, include the ability to <b>transfer authorization data</b> between their systems. In other words, it's possible to use SAML for single sign-on authentication and for authorization.
What is SAML?
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)-based data format used for SSO on web browsers. Imagine two web sites hosted by two different organizations. Normally a user would have to provide different credentials to access either web site. However, if the organizations trust each other, they can use SAML as a federated identity management system. Users authenticate with one web site and are not required to authenticate again when accessing the second web site.
A ______ identity links a user's credentials from different networks or operating systems, but the federation treats it as one identity.
federated or federation
Kerberos version 5 requires all systems to be synchronized and within ____ minutes of each other.
five
A transitive trust creates an ____trust relationship.
indirect. As an example, imagine a transitive trust relationship exists between Homer, Moe, and Fat Tony. Homer trusts Moe. Moe trusts Fat Tony. Because of the transitive trust relationship, Homer trusts Fat Tony.
In a _____, a third party attempts to impersonate a client after intercepting data captured in a session. However, if an attacker intercepts a ticket, the timestamp limits the amount of time an attacker can use the ticket.
replay attack
Kerberos: The clock that provides the time synchronization is used to timestamp tickets, ensuring they expire correctly. This helps prevent ____.
replay attacks
_____ (Symmetric or Asymmetric) cryptography uses a single key for both encryption and decryption of the same data.
symmetric-key
In a network with SSO capabilities, the user only needs to log on to the network once. The SSO system typically creates some type of SSO ____ used during the entire logon session. Each time the user accesses a network resource, the SSO system uses this ____ for authentication.
token