👨🏾💼🔑Authentication Management
Managing passwords and other authentication data can be challenging, especially when you are operating a large enterprise with a multitude of devices and accounts.
Let’s go over different methods to manage authentication.
🗝️Password Keys
Password keys are a common building block of authentication management.
They can be software-based or hardware-based, depending on the implementation and the security requirements.
Software-Based Password Keys: These are stored in a protected area of the operating system or within an application and are used together with a username to authenticate a user. They are easy to implement and use, but because the key material lives on a general-purpose host it is exposed to keylogging, phishing, malware that reads the key store, and brute-force attacks.
Hardware-Based Password Keys: These are physical devices, such as smart cards or USB security tokens, that hold the authentication secret. When the device is inserted into a computer or connected over a wireless protocol, it performs the authentication operation on the user's behalf. Hardware keys offer a higher level of security because the secret is generated and used inside the device and is much harder to extract, duplicate, or steal, and a lost device can be revoked without changing every password. The trade-offs are cost and the need for additional hardware.
In many cases both types are combined to provide multi-factor authentication: a user enters a password (something they know) and inserts a hardware token (something they have), which raises the bar considerably for an attacker who has only phished the password.
🏦Password Vaults
A Password Vault, also known as a password manager, is a software tool that securely stores login information for all the websites and applications a user accesses.
It helps in managing multiple passwords, which is a common challenge for many users given the multitude of online accounts most people maintain.
Enterprise password manager applications are widely deployed in organizations to help with management of servers, applications, and devices, and they have additional features like logging and auditing as well as management tools to ensure that passwords are properly rotated and monitored for use and abuse.
LastPass: LastPass is a cloud-based password manager that stores encrypted passwords online.
It offers features like automatic form filling, random password generation, and secure notes for storing other types of sensitive information. Whatever the product, everything in a vault is protected by the master password and the key-derivation function that stretches it, so the vault is only as strong as that one password: use a long, unique master password and enable multifactor authentication on the vault itself.
🫱🏾🫲🏻TPM (Trusted Platform Module)
A TPM, or Trusted Platform Module, is a specialized chip on a device that generates and holds cryptographic keys (RSA and, in TPM 2.0, ECC) bound to that specific host, for hardware-rooted authentication and attestation.
The TPM enhances system security by providing a protected space for key operations and guarding keys against external software attacks and physical theft: private keys never leave the chip in plaintext, and a key can be sealed so that it is released only when the boot measurements (PCR values) match a known-good state.
TPMs help prevent unauthorized changes to firmware and software as part of a trusted or measured boot process, and operating systems use them for full-disk encryption (BitLocker, for example) and other cryptographic security features.
🔨HSM (Hardware Security Module)
A Hardware Security Module (HSM) is a physical device that provides extra security for sensitive data. It is used to generate, store, manage, and protect cryptographic keys, and it provides cryptographic processing.
It is high-end cryptographic hardware that offloads cryptographic operations from the host computer, and it is used in large environments such as certificate authorities, payment processing, and cloud key management services.
Cryptographic Processing: HSMs perform operations like encryption, decryption, digital signing, and key exchange inside the device. This offloads the work from the host and, more importantly, means private keys are generated inside the HSM and never leave it in plaintext: applications ask the HSM to sign, they never read the key.
Tamper Resistance: HSMs are designed to be tamper-resistant and are typically validated against FIPS 140. They have physical and logical mechanisms to prevent unauthorized access or tampering; for example, they erase all stored keys (zeroization) if someone tries to open the device.
🧠Knowledge-Based Authentication (KBA)
Knowledge-Based Authentication (KBA) is a method of identity verification that requires the user to answer at least one "secret" question. It relies on the idea that a user knows things that others do not, and that those things can be used to verify the user's identity.
There are two types of KBA:
Static KBA: The user sets up the secret question(s) and answer(s) in advance; at authentication time they are asked some of these questions and the answers are compared with the stored ones. Examples include "What is your mother's maiden name?" or "What was your first pet's name?"
Dynamic KBA: The questions are generated in real time from public and private data sources. The user has not seen them before and has not provided answers in advance; they could be something like "Which of the following addresses have you lived at in the past?" or "Which of these cars have you owned?"
Both forms are weak as a sole factor: static answers are often guessable or discoverable from social media, and the records that power dynamic KBA are widely available to attackers after large data breaches, so KBA is best treated as a recovery aid rather than a primary factor.
🆔Authentication / Authorization
When a subject wants to claim an identity, they need to prove that the identity is theirs.
The primary purpose of an authentication protocol is to verify the identity of the entities involved in a communication, ensuring that each party is who it claims to be and preventing unauthorized access.
Authentication technologies (protocols, servers, and standards) all serve to ensure that the subject is who they claim to be, that the authentication process itself stays secure, and that capabilities such as single sign-on (SSO) work.
Authorization: Once a user, device, or system is authenticated, the next step is to determine what they are allowed to do. Authorization answers the question "What are you allowed to do?" and is typically managed through policies that define permissions for specific roles. Keep the two separate in your thinking: a valid login says nothing about what the account should be able to reach.
🖼️EAP
Extensible Authentication Protocol (EAP): EAP is not a wireless encryption protocol but a framework that carries authentication methods, used most visibly in wireless and wired 802.1X networks. Methods include EAP-TLS, in which both the client and the server present certificates and authenticate each other inside a TLS handshake, and PEAP (Protected EAP), which builds a server-authenticated TLS tunnel and runs a weaker inner method such as MS-CHAP v2 through it. EAP is commonly used in enterprise networks, where it integrates these methods with WPA2-Enterprise and WPA3-Enterprise, and in the 802.1X authentication process it is the protocol that actually carries the credentials between the connecting device and the authentication server.
🫱🏽🫲🏼Challenge Handshake Authentication Protocol (CHAP)
Challenge Handshake Authentication Protocol (CHAP) is an authentication protocol designed to provide more security than PAP, which is covered later in this section.
CHAP never sends the password itself: it uses a random challenge and a three-way handshake in which the client proves knowledge of a shared secret by returning a hash of it. CHAP is primarily used to authenticate a user or network host to an authenticating entity (a server, router, or network access server). Simplified, the exchange works as follows:
1. After the link is established, the server (authenticator) sends a challenge message containing a random value to the client.
2. The client responds with a value computed by a one-way hash function (MD5 in RFC 1994) over the challenge identifier, the shared secret, and the challenge value.
3. The server performs the same computation with its own copy of the secret and compares the result with the response. If they match it acknowledges the authentication; otherwise it can terminate the connection.
The server can issue a fresh challenge at any time during the session, forcing the client to respond again with a new hash; because each challenge is random, a captured response cannot simply be replayed. Two caveats matter in practice: the server must keep the shared secret in cleartext (or reversibly encrypted) in order to recompute the hash, and anyone who captures a challenge/response pair can run an offline dictionary attack against the secret, since MD5 is fast. CHAP is therefore stronger than PAP but weaker than EAP methods such as EAP-TLS, which authenticate with certificates inside a TLS handshake.
EAP > CHAP > PAP
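The exchange described above, as an added example that is not part of the original notes: both sides of an RFC 1994 CHAP handshake, the replay check, and the offline dictionary attack a passive observer can run. The shared secret, identifiers, and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os

# Shared secret provisioned on both peers out of band (constructed for this example).
# CHAP requires the authenticator to keep it in cleartext, or reversibly encrypted,
# because it must recompute the same MD5 hash the client computes.
SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues random challenges and checks the peer's responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge still awaiting a response

    def challenge(self, length: int = 16):
        self.identifier = (self.identifier + 1) & 0xFF  # one-octet field, wraps
        value = os.urandom(length)
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)
        if challenge is None:
            return False  # unknown or already-answered challenge: treat as a replay
        expected = chap_response(identifier, self.secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: proves knowledge of the secret without ever sending it."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_exchange(peer_secret: bytes = SECRET):
    """One CHAP handshake. Returns (accepted, replay_accepted)."""
    server = Authenticator(SECRET)
    client = Peer(peer_secret)
    identifier, challenge = server.challenge()          # 1. challenge
    response = client.respond(identifier, challenge)    # 2. response
    accepted = server.verify(identifier, response)      # 3. success / failure
    # An eavesdropper re-sending the captured response gets nowhere: the
    # challenge was consumed, and the next one would be different anyway.
    replay_accepted = server.verify(identifier, response)
    return accepted, replay_accepted


def offline_dictionary_attack(identifier, challenge, response, wordlist):
    """What a passive observer can do with one captured exchange: the challenge
    and response are visible and MD5 is fast, so the secret can be guessed
    offline without ever touching the server."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    print(run_exchange())            # (True, False)
    print(run_exchange(b"wrong"))    # (False, False)
    ident, chal = 7, os.urandom(16)
    resp = chap_response(ident, SECRET, chal)
    print(offline_dictionary_attack(ident, chal, resp, [b"password", b"letmein", SECRET]))
```

The replay protection comes from consuming each challenge once; the dictionary attack shows why that is not enough when the secret is weak, and why the page ranks EAP-TLS above CHAP.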
MS-CHAP, the Microsoft Challenge Handshake Authentication Protocol, is Microsoft's variant of CHAP.
It was developed for PPP (Point-to-Point Protocol), which establishes direct connections between two network nodes, and was later used by VPN protocols such as PPTP. MS-CHAP v2 replaced the earlier v1 and, unlike plain CHAP, authenticates in both directions: the client proves knowledge of the password to the server and the server proves it to the client. MS-CHAP v2 should not be relied on by itself, for three reasons:
The handshake can be captured and attacked offline with a dictionary attack, in which the attacker computes the expected response for every candidate password until one matches; the NT hash it is built on is fast to compute, so this is cheap.
The mutual authentication does not protect against an active man-in-the-middle that simply relays the exchange (a rogue access point or VPN endpoint, for example), and both directions are derived from the same NT password hash, so the server-side proof adds nothing once that hash is known.
In 2012 a cryptographic weakness was published showing that breaking an MS-CHAP v2 handshake reduces to a single DES key search, which recovers the user's NT password hash with certainty; that hash is sufficient to authenticate as the user.
Today MS-CHAP v2 survives mostly inside a protective TLS tunnel (PEAP or EAP-TTLS), where its security depends entirely on the client validating the server's certificate.
🤐Password Authentication Protocol (PAP)
Password Authentication Protocol (PAP) is the weakest and oldest password-centric authentication protocol; it was commonly used with the Point-to-Point Protocol (PPP) to authenticate users.
PAP sends the username and password in cleartext, with no hashing or encryption at all, so anyone on the path can read them. Although PAP still appears in the Security+ exam outline, you are unlikely to use it in modern deployments, where it has been supplanted by CHAP and EAP methods; it survives in legacy systems and as the inner method of some TLS-tunneled protocols (EAP-TTLS/PAP), where the tunnel provides the protection PAP itself lacks.
📶802.1X
802.1X is the IEEE standard for port-based network access control (NAC), used to authenticate devices before they are allowed onto a wired or wireless network.
Supplicants (the connecting devices) send authentication requests to authenticators such as network switches, access points, or wireless controllers. Between supplicant and authenticator the EAP messages travel in EAPOL frames; the authenticator relays them to an authentication server, typically over RADIUS, and until authentication succeeds it forwards nothing else from that port. The RADIUS server may in turn rely on a backend directory such as LDAP or Active Directory as the source of identity information.
The more detailed sequence of events is as follows:
1. The client device initiates the authentication process with the network access device (the authenticator).
2. The authenticator sends an EAP-Request/Identity message to the client.
3. The client responds with an EAP-Response/Identity message.
4. The authenticator forwards this response to the RADIUS server inside a RADIUS Access-Request message.
5. The RADIUS server and the client exchange the method-specific EAP messages (for example the TLS handshake of EAP-TLS or PEAP), relayed by the authenticator. If the user's credentials are to be checked against a directory, the RADIUS server sends an LDAP Bind Request to the LDAP server.
6. The LDAP server responds with an LDAP Bind Response indicating the result of the authentication.
7. The RADIUS server sends a RADIUS Access-Accept or Access-Reject message back to the authenticator, depending on the result.
8. The authenticator sends an EAP-Success or EAP-Failure message to the client and, on success, opens the port for normal traffic.
📏RADIUS (Remote Authentication Dial-In User Service)
RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) for users who connect to a network service.
It is widely used in enterprise environments and by Internet Service Providers (ISPs) because it can manage a large number of users. In an AAA system, users first authenticate, typically with a username and password; the system then allows them to perform only the actions that policies or permission settings authorize; and accounting tracks resource use such as session time, bandwidth, or CPU. RADIUS runs over UDP (port 1812 for authentication and 1813 for accounting; older deployments use 1645/1646). The client (the NAS or authenticator) and the server share a secret, but that secret is used only to hide the User-Password attribute with an MD5-based scheme and to authenticate the server's reply; the rest of the packet, including the username, travels in cleartext, and a captured request/reply pair allows offline guessing of the shared secret. This is the main security gap compared with TACACS+, and it is why RADIUS is normally confined to a management network or wrapped in IPsec or RadSec (RADIUS over TLS).
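The RADIUS Access-Request and Access-Accept/Reject exchange for a username/password login, which is also what the 802.1X authenticator above relays into, as an added example that is not part of the original notes. It implements the RFC 2865 User-Password hiding and the Response Authenticator on both the client and the server side; the shared secret, user database, and packet identifiers are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

USER_NAME, USER_PASSWORD = 1, 2                          # RFC 2865 attribute types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes

# Constructed shared secret and user database for this example.
SHARED_SECRET = b"radius-shared-secret"
USERS = {b"alice": b"Winter2024!"}


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server performs it."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def response_authenticator(code, identifier, attrs, request_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret).
    This is the only thing proving a reply came from a server that holds the secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_request(identifier, username, password, secret):
    """Client (NAS/authenticator) side. Returns (packet, request_authenticator)."""
    request_auth = os.urandom(16)
    attrs = attribute(USER_NAME, username) + attribute(
        USER_PASSWORD, hide_password(password, secret, request_auth))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: unhide the password, check it, answer Accept or Reject."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attributes(packet[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    stored = users.get(attrs[USER_NAME])
    ok = stored is not None and hmac.compare_digest(stored, password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""  # a real server would add Framed-IP-Address, VLAN, etc.
    return (struct.pack("!BBH", code, identifier, 20 + len(reply_attrs))
            + response_authenticator(code, identifier, reply_attrs, request_auth, secret)
            + reply_attrs)


def client_check_reply(reply: bytes, request_auth: bytes, secret: bytes):
    """Returns (authenticator_valid, code). A forged or wrong-secret reply fails the first check."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, identifier, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected), code


def demo(password: bytes = b"Winter2024!", server_secret: bytes = SHARED_SECRET):
    """One round trip; server_secret != SHARED_SECRET simulates a rogue server."""
    packet, request_auth = build_access_request(42, b"alice", password, SHARED_SECRET)
    reply = server_handle(packet, server_secret, USERS)
    return client_check_reply(reply, request_auth, SHARED_SECRET)
```

Note what is and is not protected: User-Name goes in the clear, the password hiding is a single-pass MD5 keystream, and the reply authenticator is an MD5 over the packet plus the secret, so one captured request/reply pair is enough to guess the shared secret offline. In 802.1X the inner EAP exchange rides in EAP-Message attributes protected by an HMAC-MD5 Message-Authenticator attribute, which this example omits.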
📌TACACS+
Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco-designed successor to TACACS (Terminal Access Controller Access Control System); it is now documented in RFC 8907.
It provides access control for routers, network access servers, and other networked devices through one or more centralized servers. TACACS+ encrypts the whole packet body (only the header is in the clear), not just the password, and offers granular command authorization, so individual commands such as configuration changes can be permitted or denied per user. This makes it the more secure option over RADIUS for device administration, with one caveat: the body encryption is an MD5-based keystream derived from the shared key, which RFC 8907 itself describes as obfuscation rather than strong encryption, so the traffic still belongs on a protected management network. TACACS+ uses TCP (port 49 by default), which provides a reliable connection. A key feature of TACACS+ is that it separates the Authentication, Authorization, and Accounting services, so you can use one server for authentication and another for authorization and accounting, giving more flexibility and control.
☝🏿Single Sign-On (SSO)
Single Sign-On (SSO) systems allow a user to log in once with a single identity and then use multiple systems or services without reauthenticating.
SSO simplifies user interactions with authentication and authorization systems, but it trades away identity-based security boundaries: one session or one compromised identity provider now unlocks every connected service, so the SSO login itself should be protected with multifactor authentication and short session lifetimes. Users no longer need to remember multiple sets of credentials or authenticate repeatedly to reach different resources, and the central point of authentication simplifies user management, logging, and offboarding. SSO is implemented with protocols such as SAML, OpenID Connect (built on OAuth 2.0), and Kerberos.
Internet-based systems often rely on a number of core technologies to accomplish authentication and authorization. These include the following:
🪪Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) is an XML-based open standard protocol for exchanging authentication and authorization information.
SAML is often used between identity providers and service providers for web-based applications. Using SAML means that service providers can accept SAML assertions from a range of identity providers, making it a common solution for federated environments and SSO use. Here are a few examples of SAML in action:
Enterprise Single Sign-On (SSO): In a large organization an employee needs access to many applications, each of which would otherwise require its own credentials. With SAML, the employee logs in once at the identity provider and then reaches all the applications (the service providers) without logging in again.
Federated Identity: SAML can implement federated identity, where users from different organizations use their own credentials to access shared resources. For example, researchers from different universities might use SAML to access a shared academic database.
SSO is the concept of using a single set of credentials to access multiple services, and SAML is one of the key technologies that makes SSO possible. Because the service provider trusts whatever the assertion says, it must verify the assertion's XML signature against the identity provider's known certificate and then check the issuer, audience, recipient, and validity window before accepting it.
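The service-provider side of accepting a SAML assertion, as an added example that is not part of the original notes. It performs the checks that come after signature verification (issuer, validity window with clock skew, audience, bearer recipient, and one-time use); the assertion, issuer URL, audience, and ACS URL are constructed, and signature verification itself is assumed to have been done already by an XML-signature library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from any real IdP). The <ds:Signature>
# element is omitted: verifying it is a separate, mandatory first step.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_5a1d" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.edu</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://db.example.org/saml/acs"
                                    NotOnOrAfter="2024-05-01T12:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://db.example.org/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, *, expected_issuer, expected_audience, acs_url,
                       now, seen_ids=None, skew=timedelta(minutes=3)):
    """Service-provider checks on an already signature-verified assertion.
    Returns the list of failed checks; an empty list means accept."""
    root = ET.fromstring(xml_text)
    problems = []

    if root.findtext("saml:Issuer", namespaces=SAML_NS) != expected_issuer:
        problems.append("issuer")  # minted by an IdP we do not trust

    conditions = root.find("saml:Conditions", SAML_NS)
    if conditions is None:
        problems.append("conditions-missing")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before) - skew:
            problems.append("not-yet-valid")
        if not_on_or_after and now >= parse_saml_time(not_on_or_after) + skew:
            problems.append("expired")
        audiences = [a.text for a in conditions.findall(
            "saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if expected_audience not in audiences:
            problems.append("audience")  # issued for a different service provider

    data = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if data is None:
        problems.append("subject-confirmation-missing")
    else:
        if data.get("Recipient") != acs_url:
            problems.append("recipient")  # bearer token meant for another endpoint
        expiry = data.get("NotOnOrAfter")
        if expiry and now >= parse_saml_time(expiry) + skew:
            problems.append("bearer-expired")

    if seen_ids is not None:  # one-time use: remember IDs until they expire
        assertion_id = root.get("ID")
        if assertion_id in seen_ids:
            problems.append("replayed")
        seen_ids.add(assertion_id)

    return problems


def demo():
    """Same assertion seen fresh, replayed, too late, and by the wrong SP."""
    now = datetime(2024, 5, 1, 12, 1, tzinfo=timezone.utc)
    seen = set()
    common = dict(expected_issuer="https://idp.example.edu/saml",
                  expected_audience="https://db.example.org/sp",
                  acs_url="https://db.example.org/saml/acs")
    first = validate_assertion(SAMPLE_ASSERTION, now=now, seen_ids=seen, **common)
    replay = validate_assertion(SAMPLE_ASSERTION, now=now, seen_ids=seen, **common)
    late = validate_assertion(SAMPLE_ASSERTION, now=now + timedelta(minutes=10), **common)
    wrong_sp = validate_assertion(SAMPLE_ASSERTION, now=now,
                                  **dict(common, expected_audience="https://other.example.org/sp"))
    return first, replay, late, wrong_sp
```

The audience and recipient checks are the ones most often skipped in hand-rolled integrations; without them an assertion obtained for one service provider can be replayed to another. The signature check that precedes all of this must cover the exact Assertion element being used, since XML signature wrapping attacks move a signed element elsewhere in the document.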
🅾️OAuth
OAuth (Open Authorization) is an open standard for delegated, token-based authorization on the internet; the current version is OAuth 2.0.
OAuth lets a user grant a third-party application limited access to their data at another service (for example, letting an app read their calendar) without handing over their password: the user authenticates at the authorization server, approves a set of scopes, and the application receives an access token that is valid only for those scopes and can be revoked on its own. This keeps the user's credentials away from the third party and lets the user control what data each application can access. OAuth is not an authentication protocol: an access token proves that the bearer was authorized, not who the user is, which is why OpenID Connect adds an identity layer (the ID token) on top of OAuth 2.0 for login.
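The delegation described above, as an added example that is not part of the original notes: an OAuth 2.0 authorization-code flow with PKCE (RFC 7636) between a third-party app and an authorization server, simulated in-process. The client registration, user, scopes, and the "resource server" check are constructed; the point is that the app never sees a password, a stolen code is useless without the verifier, and a code can be used only once.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed authorization-server state; nothing here talks to a network.
REGISTERED_CLIENTS = {"notes-app": {"redirect_uri": "https://notes.example.com/cb"}}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class Client:
    """The third-party app. It never sees the user's password."""

    def __init__(self, client_id):
        self.client_id = client_id
        self.code_verifier = b64url(secrets.token_bytes(32))   # RFC 7636 verifier
        self.state = b64url(secrets.token_bytes(16))            # binds the redirect to this request

    def authorization_request(self, scope):
        challenge = b64url(hashlib.sha256(self.code_verifier.encode()).digest())
        return {"client_id": self.client_id,
                "redirect_uri": REGISTERED_CLIENTS[self.client_id]["redirect_uri"],
                "scope": scope, "state": self.state,
                "code_challenge": challenge, "code_challenge_method": "S256"}


class AuthorizationServer:
    def __init__(self):
        self.pending = {}   # authorization code -> what the user approved
        self.tokens = {}    # access token -> (user, scope)

    def authorize(self, request, user, approved_scope):
        """Runs after the user has logged in *here* and consented; returns the redirect."""
        client = REGISTERED_CLIENTS.get(request["client_id"])
        if client is None or client["redirect_uri"] != request["redirect_uri"]:
            raise ValueError("unknown client or redirect_uri")
        code = b64url(secrets.token_bytes(24))
        self.pending[code] = {"client_id": request["client_id"], "user": user,
                              "scope": approved_scope,
                              "code_challenge": request["code_challenge"]}
        return {"code": code, "state": request["state"]}

    def token(self, client_id, code, code_verifier):
        grant = self.pending.get(code)
        if grant is None or grant["client_id"] != client_id:
            return None
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if not hmac.compare_digest(expected, grant["code_challenge"]):
            return None   # whoever holds the code does not hold the verifier
        del self.pending[code]   # single use: a second exchange fails
        access_token = b64url(secrets.token_bytes(32))
        self.tokens[access_token] = (grant["user"], grant["scope"])
        return {"access_token": access_token, "scope": grant["scope"]}

    def introspect(self, access_token, required_scope):
        """Resource-server check: token known and carries the needed scope."""
        entry = self.tokens.get(access_token)
        return entry is not None and required_scope in entry[1].split()


def demo():
    auth_server = AuthorizationServer()
    app = Client("notes-app")
    req = app.authorization_request("calendar:read")
    # The user authenticates at the authorization server (out of band here)
    # and grants only calendar:read; the app never learns the password.
    redirect = auth_server.authorize(req, user="alice", approved_scope="calendar:read")
    if redirect["state"] != app.state:
        raise ValueError("state mismatch: redirect not from our request")
    # An attacker who intercepts the redirect has the code but not the verifier.
    stolen = auth_server.token("notes-app", redirect["code"], "not-the-verifier")
    legit = auth_server.token("notes-app", redirect["code"], app.code_verifier)
    reuse = auth_server.token("notes-app", redirect["code"], app.code_verifier)
    return {
        "stolen_code_rejected": stolen is None,
        "token_issued": legit is not None,
        "code_reuse_rejected": reuse is None,
        "can_read_calendar": auth_server.introspect(legit["access_token"], "calendar:read"),
        "can_write_calendar": auth_server.introspect(legit["access_token"], "calendar:write"),
    }
```

Nothing in the returned token says who the user is; the app only learns that some user authorized calendar:read. That is the gap OpenID Connect fills with the ID token.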
🐶Kerberos
Kerberos is a network authentication protocol that uses secret-key cryptography for secure, reliable authentication in a client-server environment.
It was developed by the Massachusetts Institute of Technology (MIT) and is named after the three-headed dog, Kerberos (or Cerberus), from Greek mythology, which guarded the entrance to the underworld.
The 3 main components of Kerberos are:
🎛️Access Control Schemes
Systems also implement access control schemes to determine which users, services, and programs can access various files or other objects that they host.
Discretionary Access Control (DAC): The owner of the resource decides who may access it and can grant permissions to other users or groups. This is the least restrictive model and is the default in most file systems and databases; its weakness is that any user (or malware running as that user) can share what they own.
Mandatory Access Control (MAC): Access is controlled by a central authority based on predefined policies. Users are given security labels (such as "confidential" or "top secret") and resources are given security classifications; a user can read a resource only if their label matches or exceeds its classification, and owners cannot override the policy. This strict model is used in military and government settings and in SELinux-style enforcement.
Role-Based Access Control (RBAC): Access is based on the user's role within the organization. Users are assigned roles (such as "employee", "manager", or "administrator"), each role has a set of permissions, and a user automatically gets the permissions of their roles. This is flexible and scalable and widely used in business applications.
Attribute-Based Access Control (ABAC): Access is based on attributes of the user, the resource, the action, and the context, such as the user's department, the resource's classification, the current time, or the user's location. Policies can be very granular, for example "users in the finance department can view financial documents during business hours from the office". ABAC is powerful and flexible but can be complex to manage and audit.
Rule-Based Access Control: Access is granted or denied based on a set of rules defined by a system administrator. For example, a rule might deny access to a particular system between 8 PM and 6 AM.
In addition to access control schemes, the Security+ exam outline covers two specific implementations of access control systems that you need to be familiar with:
Privileged Access Management (PAM) and Conditional Access are both important concepts in the field of Identity and Access Management (IAM), but they serve different purposes and are used in different contexts.
🧐Privileged Access Management (PAM)
Privileged Access Management (PAM): This is a subset of IAM that focuses specifically on managing and securing the accounts of users who have elevated permissions, also known as privileged users.
These users include administrators, superusers, or system owners who can change system configurations, install software, access sensitive data, or perform other high-level tasks. PAM solutions typically include features like:
Privileged Account Discovery: Identifying all privileged accounts in an environment, including service accounts and accounts nobody remembers creating.
Access Control: Ensuring only authorized users can use privileged accounts, often by checking a credential out just in time for an approved task.
Session Monitoring and Recording: Keeping a record of all actions taken during a privileged session for audit purposes.
Password Management: Automatically generating and rotating passwords for privileged accounts so that they are never shared or known long term.
📃Conditional Access
Conditional Access: This is a policy-based approach to access control. Rather than granting all authenticated users the same level of access, conditional access systems evaluate a number of factors, or 'conditions', before deciding whether to grant access.
These conditions can include the user's role, the device they're using, their location, the time of day, the sensitivity of the data they're trying to access, and more. For example, a conditional access policy might state that users can only access certain sensitive resources if they are on a company device, within the company's network, and during regular business hours. In summary, PAM is about controlling who has access to high-level capabilities within a system, while Conditional Access is about adjusting access rights based on a variety of factors.
Both are important for maintaining security, but they address different aspects of the access control challenge.
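One way to see how the access control schemes above (DAC, MAC, RBAC, ABAC, rule-based) and a conditional-access policy evaluate the same request, as an added example that is not part of the original notes. The users, resources, roles, clearance levels, and rules are all constructed; the engine applies each model and grants access only when every model in force agrees.

```python
from dataclasses import dataclass, field
from datetime import time

# Constructed labels, users, resources, roles and rules for this example.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class User:
    clearance: str
    roles: set
    attrs: dict


@dataclass
class Resource:
    owner: str
    classification: str
    acl: dict        # DAC: user -> actions the owner granted
    attrs: dict


@dataclass
class Request:
    user: str
    action: str      # "read" or "write"
    resource: str
    context: dict = field(default_factory=dict)   # device, network, time ...


USERS = {
    "alice": User("secret", {"manager"}, {"department": "finance"}),
    "bob": User("confidential", {"employee"}, {"department": "engineering"}),
}
RESOURCES = {
    "q3-forecast.xlsx": Resource("alice", "secret", {"bob": {"read"}},
                                 {"department": "finance", "sensitivity": "high"}),
    "handbook.pdf": Resource("hr", "unclassified", {"alice": {"read"}, "bob": {"read"}},
                             {"department": "hr", "sensitivity": "low"}),
}
ROLE_PERMISSIONS = {   # RBAC: role -> {(action, resource department)}
    "employee": {("read", "hr")},
    "manager": {("read", "hr"), ("read", "finance"), ("write", "finance")},
}


def dac(user, req, res):
    """Owner decides: the owner is always allowed, others only via the owner's ACL."""
    return req.user == res.owner or req.action in res.acl.get(req.user, set())


def mac(user, req, res):
    """Central labels, Bell-LaPadula style: no read up, no write down."""
    clearance, classification = LEVELS[user.clearance], LEVELS[res.classification]
    return clearance >= classification if req.action == "read" else clearance <= classification


def rbac(user, req, res):
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in user.roles))
    return (req.action, res.attrs["department"]) in permitted


def business_hours(ctx):
    t = ctx.get("time")
    return t is not None and time(8, 0) <= t < time(18, 0)


# ABAC / conditional-access rules; every rule must hold. The last one is the
# time-of-day rule the notes give as the rule-based example.
ABAC_RULES = [
    ("finance documents only for the finance department",
     lambda u, req, res: res.attrs["department"] != "finance" or u.attrs["department"] == "finance"),
    ("high-sensitivity data only from a managed device on the corporate network",
     lambda u, req, res: res.attrs["sensitivity"] != "high"
     or (req.context.get("managed_device") and req.context.get("network") == "corp")),
    ("writes only during business hours",
     lambda u, req, res: req.action != "write" or business_hours(req.context)),
]


def abac(user, req, res):
    """Returns the names of the rules the request violates (empty == allowed)."""
    return [name for name, rule in ABAC_RULES if not rule(user, req, res)]


def decide(req):
    user, res = USERS[req.user], RESOURCES[req.resource]
    result = {"dac": dac(user, req, res), "mac": mac(user, req, res),
              "rbac": rbac(user, req, res), "abac_violations": abac(user, req, res)}
    # Deny-overrides: every model must agree before access is granted.
    result["allow"] = (result["dac"] and result["mac"] and result["rbac"]
                       and not result["abac_violations"])
    return result


def demo():
    corp = {"managed_device": True, "network": "corp", "time": time(10, 0)}
    home = {"managed_device": False, "network": "home", "time": time(10, 0)}
    return {
        "bob reads forecast (corp)": decide(Request("bob", "read", "q3-forecast.xlsx", corp)),
        "alice writes forecast (home)": decide(Request("alice", "write", "q3-forecast.xlsx", home)),
        "alice writes forecast (corp)": decide(Request("alice", "write", "q3-forecast.xlsx", corp)),
        "bob reads handbook (evening)": decide(Request("bob", "read", "handbook.pdf", {"time": time(20, 0)})),
    }
```

The second scenario is the conditional-access case from the notes: Alice owns the file, has the clearance and the role, and is still refused because she is on an unmanaged device off the corporate network. The first shows three models each denying Bob for a different reason, which is why audit output should report every model's verdict rather than a single boolean.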
🗃️Filesystem Permissions
Filesystem permissions determine which accounts, users, groups, or services can perform actions like reading, writing, and executing (running) files.
Each operating system has its own set of filesystem permissions and capabilities, and you should be familiar with both the Linux and the Windows models for the exam, since those are the two the exam outline covers.
Linux filesystem permissions are shown in file listings as a string such as drwxrwxrwx: the first character indicates the file type (d for a directory, - for a regular file), followed by three read/write/execute triplets for the user (owner), the group, and world (also called other). Additional bits (setuid, setgid, and the sticky bit) appear in the execute positions as s or t and deserve attention in audits, because a setuid binary runs with its owner's privileges.
Figure 8.9 shows how this is displayed and a chart describing the numeric (octal) representation of these settings, which is frequently used as shorthand with the chmod Linux command used to change permissions. Windows file permissions can be set using the command line or the GUI. Figure 8.10 shows the properties of a file using the GUI. Note that the permissions are similar but not quite the same as those set in Linux: Windows uses access control lists with explicit allow and deny entries, where an explicit deny takes precedence over an allow, and offers Full Control (roughly rwx or 7 in Linux) alongside Modify, Read & Execute, Read, and Write.
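The mapping between the rwx listing form and the numeric chmod form, plus the checks an auditor runs over the result, as an added example that is not part of the original notes. The conversion covers the setuid/setgid/sticky letters; the file, its contents, and the "sloppy then fixed" sequence are constructed for the example, and the demo needs a POSIX filesystem.

```python
import os
import stat
import tempfile

SYMBOLS = "rwxrwxrwx"


def mode_string_to_octal(mode: str) -> int:
    """Convert an ls -l style string ('-rwxr-x---' or 'rwxr-x---') to the
    numeric mode chmod accepts, including setuid/setgid/sticky shown as s/t."""
    bits = mode[-9:]
    if len(bits) != 9:
        raise ValueError("expected nine permission characters")
    value = 0
    for i, ch in enumerate(bits):
        bit = 1 << (8 - i)
        if ch == SYMBOLS[i]:
            value |= bit
        elif ch in "sS" and i in (2, 5):          # execute slot of user / group
            value |= stat.S_ISUID if i == 2 else stat.S_ISGID
            if ch == "s":                          # lowercase: execute bit also set
                value |= bit
        elif ch in "tT" and i == 8:               # execute slot of other
            value |= stat.S_ISVTX
            if ch == "t":
                value |= bit
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r} at position {i}")
    return value


def octal_to_mode_string(value: int) -> str:
    """Inverse: 0o4755 -> 'rwsr-xr-x'."""
    chars = [SYMBOLS[i] if value & (1 << (8 - i)) else "-" for i in range(9)]
    for flag, pos, letter in ((stat.S_ISUID, 2, "s"), (stat.S_ISGID, 5, "s"), (stat.S_ISVTX, 8, "t")):
        if value & flag:
            chars[pos] = letter if chars[pos] == "x" else letter.upper()
    return "".join(chars)


def audit(path: str):
    """Read back the effective bits and flag the combinations an auditor looks for."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    return octal_to_mode_string(mode), findings


def demo():
    """Create a private-key file with sloppy permissions, then fix it with the
    numeric equivalent of 'rw-------' (0o600). Returns (before, after)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "server.key")
        with open(path, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n")
        os.chmod(path, 0o666)                       # readable and writable by everyone
        before = audit(path)
        os.chmod(path, mode_string_to_octal("rw-------"))
        after = audit(path)
    return before, after
```

The same three-digit shorthand appears on the command line as chmod 600 server.key; the conversion function is what lets a script reason about listings such as -rwsr-xr-x, where the s in the owner's execute slot is the setuid bit that audits single out.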