identity and access management (IAM)
- Identification—creating an account or ID that uniquely represents the user, device, or process on the network.
- Authentication—proving that a subject is who or what it claims to be when it attempts to access the resource.
- Authorization—determining what rights subjects should have on each resource, and enforcing those rights.
- Accounting—tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
cryptographic hashes
Knowledge-based authentication relies on cryptographic hashes
Windows Authentication
- Windows local sign-in—the Local Security Authority (LSA) compares the submitted credential to a hash stored in the Security Accounts Manager (SAM) database, which is part of the registry. This is also referred to as interactive logon.
- Windows network sign-in—the LSA can pass the credentials for authentication to a network service. The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.
- Remote sign-in—if the user’s device is not connected to the local network, authentication can take place over some type of virtual private network (VPN) or web portal
Linux Authentication
Interactive login over a network is typically accomplished using Secure Shell (SSH). With SSH, the user can be authenticated using cryptographic keys instead of a password.
A pluggable authentication module (PAM) is a package for enabling different authentication providers, such as smart-card login. The PAM framework can also be used to implement authentication to network servers.
Kerberos Authentication
Uses SSO, network authentication, and authorization protocol used on many networks, notably as implemented by Microsoft’s Active Directory (AD) service.
Clients request services from application servers, which both rely on an intermediary—a Key Distribution Center (KDC)—to vouch for their identity.
There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service. The KDC runs on port 88 using TCP or UDP.
The Authentication Service is responsible for authenticating user logon requests.
- The client sends the authentication service (AS) a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user’s password hash as the key.
The Ticket Granting Ticket (TGT; or user ticket) is time-stamped (under Windows, they have a default maximum age of 10 hours). This means that workstations and servers on the network must be synchronized (to within five minutes) or a ticket will be rejected. This helps prevent replay attacks.
- The AS checks that the user account is present, that it can decode the request by matching the user’s password hash with the one in the Active Directory database, and that the request has not expired. If the request is valid, the AS responds with the following data:
- Ticket Granting Ticket (TGT)—this contains information about the client (name and IP address) plus a timestamp and validity period. This is encrypted using the KDC’s secret key.
- TGS session key for use in communications between the client and the Ticket Granting Service (TGS). This is encrypted using a hash of the user’s password. The TGT is an example of a logical token. All the TGT does is identify who you are and confirm that you have been authenticated—it does not provide you with access to any domain resources.
The Challenge Handshake Authentication Protocol (CHAP)
CHAP relies on an encrypted challenge in a system called a three-way handshake.
- Challenge—the server challenges the client, sending a randomly generated challenge message.
- Response—the client responds with a hash calculated from the server challenge message and client password (or other shared secrets).
- Verification—the server performs its own hash using the password hash stored for the client. If it matches the response, then access is granted; otherwise, the connection is dropped.
online password attack
An online password attack is where the threat actor interacts with the authentication service directly—a web login form or VPN gateway. Will show up in audit logs as repeatedly failed logins and then a successful logon.
Password spraying
Password spraying is a horizontal brute-force online attack. This means that the attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames.
offline attack
An offline attack means that the attacker has managed to obtain a database of password hashes.
dictionary attack
A dictionary attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password.
Rainbow table attacks
Rainbow table attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes.
hybrid password
A hybrid password attack uses a combination of dictionary and brute-force attacks.
It is principally targeted against naïve passwords with inadequate complexity, such as james1. The password cracking algorithm tests dictionary words and names in combination with a mask that limits the number of variations to test for, such as adding numeric prefixes and/or suffixes.
Smart-card authentication
Smart-card authentication means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.
Smart card
Smart card—some cards are powerful enough to generate key material using the cryptoprocessor embedded in the card.
USB key
• USB key—a cryptoprocessor can also be implemented in the USB form factor.
Trusted Platform Module (TPM)
Trusted Platform Module (TPM)—a secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is usually a module within the cpu.
hardware security module (HSM)
hardware security module (HSM) is a network appliance designed to perform centralized PKI management for a network of devices.
This means that it can act as an archive or escrow for keys in case of loss or damage.
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) provides a framework for deploying multiple types of authentication protocols and technologies.
EAP allows lots of different authentication methods, but many of them use a digital certificate on the server and/or client machines.
IEEE 802.1X Port-based Network Access Control (NAC)
IEEE 802.1X Port-based Network Access Control (NAC) protocol provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point, or VPN gateway. 802.1X uses authentication, authorization, and accounting (AAA) architecture.
RADIUS
RADIUS supports PAP, CHAP, and EAP
TACACS+
TACACS+ uses TCP communications (over port 49), and this reliable, connection-oriented delivery makes it easier to detect when a server is down.
All the data in TACACS+ packets is encrypted (except for the header identifying the packet as TACACS+ data), rather than just the authentication data.
Open Authentication (OATH)
Open Authentication (OATH) is an industry body established with the aim of developing an open, strong authentication framework.
HMAC-based One-time Password Algorithm (HOTP)
HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication. The authentication server and client token are configured with the same shared secret.
-
Security+ 601 Acronyms340
-
Lesson 3: Performing Security Assessments29
-
Lesson 4: Identifying Social Engineering and Malware24
-
Lesson 5 - Basic Cryptography Concepts36
-
Lesson 6: Implementing PKI30
-
Lesson 7 Implementing Authentication Controls37
-
Lesson 8 Implementing IAM controls31
-
Lesson 12 + 1348
-
Lesson 14 - Analyze Indicators of Application Attacks66
-
Lesson 15 + 16 Implementing Secure Cloud Solutions77
-
Lesson 17 + 18 Performing Incident Response/Explaining Digital Forensics48
-
Lesson 19 + 20 Summarizing Risk Management Concepts55
-
Lesson 21 Explaining Physical Security33
