sy0-601-07v1.0.pptx

Implementing Authentication Controls

Lesson 7


Summarize Authentication Design Concepts

Topic 7A

CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org


2.4 Summarize authentication and authorization design concepts

Syllabus Objectives Covered


Identity and Access Management

Subjects

Users or software that request access

Objects

Resources such as networks, servers, and data

Identification

Associating a valid subject with a computer/network account

Authentication

Challenge to the subject to supply a credential to operate the account

Authorization

Rights, permissions, or privileges assigned to the account

Accounting

Auditing use of the account


Authentication Factors

Something you know

Knowledge factor

Password

Personal identification number (PIN)

Swipe pattern

Challenge questions/password reset

Something you have

Ownership factor

Hardware tokens and fobs

Something you are/do

Biometric factor


Authentication Design

Meet requirements for confidentiality, integrity, and availability

Confidentiality

Keep credentials secure

Integrity

Threat actors cannot bypass or subvert the authentication mechanism

Availability

The mechanism does not cause undue delay or support issues


Multifactor Authentication

Strong authentication requires two (or three) different types of factor

Knowledge factor only is weak in terms of confidentiality

Multifactor authentication (MFA)

Two-factor authentication (2FA)

Something you KNOW and something you HAVE

Something you KNOW and something you ARE

NOT something you KNOW and something else you KNOW


Authentication Attributes

Somewhere you are

Geolocation via location services

IP location (logical versus geolocation)

Switch port, virtual LAN (VLAN), or wireless network name

Something you can do

Performing an action in a way that can be captured as a unique pattern

Something you exhibit

A behavior or personality trait that can be captured as a unique pattern

Someone you know

Web of trust


Authentication Design Concepts


Review Activity

Implement Knowledge-based Authentication

Topic 7B


1.2 Given a scenario, analyze potential indicators to determine the type of attack

3.8 Given a scenario, implement authentication and authorization solutions

4.1 Given a scenario, use the appropriate tool to assess organizational security (Password crackers only)

Syllabus Objectives Covered


Local, Network, and Remote Authentication

Authentication providers

Passwords versus password hashes

Windows authentication

Local sign-in

Network sign-in (Kerberos and NTLM)

Remote sign-in

Linux authentication

/etc/passwd and /etc/shadow

Pluggable authentication modules (PAMs)

Single sign-on (SSO)


Kerberos Authentication

Single sign-on authentication and authorization provider

Clients

Application servers

Key Distribution Center (KDC)

Authentication Service – Ticket Granting Ticket

Ticket Granting Service – Service Ticket
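The two KDC exchanges on this slide (AS gives a TGT, TGS gives a service ticket) and the final presentation of the service ticket to the application server, as an added simulation that is not part of the CompTIA deck. The principal names (alice, krbtgt, cifs/fs01) and the 8-hour lifetime are assumptions, and `seal`/`unseal` is a toy HMAC-based authenticated encryption standing in for a real Kerberos encryption type; what is faithful is the structure: the client proves knowledge of its password only by being able to open the AS reply, tickets are encrypted under keys the client never sees, and authenticators carry a timestamp that is checked against clock skew and a replay cache.

```python
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds of clock skew tolerated on authenticators (Kerberos default is 5 minutes)

def derive_key(password: str, principal: str) -> bytes:
    """Toy string-to-key. Real Kerberos uses etype-specific derivation (e.g. PBKDF2 for AES etypes)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (HMAC keystream XOR + HMAC tag), a stand-in for a Kerberos etype."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) of one realm."""
    def __init__(self, keys: dict, lifetime: int = 8 * 3600):
        self.keys, self.lifetime = keys, lifetime  # principal -> long-term key

    def as_exchange(self, user: str):
        """AS_REQ -> AS_REP: session key under the user's key, plus a TGT under the krbtgt key."""
        session, exp = os.urandom(32), time.time() + self.lifetime
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session.hex(), "exp": exp})
        return seal(self.keys[user], {"key": session.hex(), "exp": exp}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS_REQ -> TGS_REP: validate the TGT and authenticator, then issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        session = bytes.fromhex(t["key"])
        a = unseal(session, authenticator)  # proves the requester holds the TGT session key
        if a["user"] != t["user"] or abs(time.time() - a["ts"]) > SKEW:
            raise ValueError("authenticator rejected (name mismatch or clock skew)")
        svc_key = os.urandom(32)
        st = seal(self.keys[service], {"user": t["user"], "key": svc_key.hex(), "exp": t["exp"]})
        return seal(session, {"key": svc_key.hex(), "service": service}), st

def client_login(kdc: KDC, user: str, password: str):
    enc_part, tgt = kdc.as_exchange(user)
    # Only a holder of the password-derived key can open enc_part: this is where authentication happens.
    session = bytes.fromhex(unseal(derive_key(password, user), enc_part)["key"])
    return session, tgt

def client_service_ticket(kdc: KDC, user: str, session: bytes, tgt: bytes, service: str):
    enc, st = kdc.tgs_exchange(tgt, seal(session, {"user": user, "ts": time.time()}), service)
    return bytes.fromhex(unseal(session, enc)["key"]), st

def service_accept(service_key: bytes, st: bytes, authenticator: bytes, replay_cache: set) -> str:
    """AP_REQ at the application server: checked with the service's own key, no KDC round trip."""
    t = unseal(service_key, st)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if time.time() > t["exp"] or abs(time.time() - a["ts"]) > SKEW:
        raise ValueError("expired ticket or stale authenticator")
    if (a["user"], a["ts"]) in replay_cache:
        raise ValueError("replayed authenticator")
    replay_cache.add((a["user"], a["ts"]))
    return t["user"]

def demo(password_on_kdc="correct horse battery", password_typed=None):
    keys = {"alice": derive_key(password_on_kdc, "alice"),
            "krbtgt": os.urandom(32), "cifs/fs01": os.urandom(32)}
    kdc = KDC(keys)
    session, tgt = client_login(kdc, "alice", password_typed or password_on_kdc)
    svc_key, st = client_service_ticket(kdc, "alice", session, tgt, "cifs/fs01")
    cache, auth = set(), seal(svc_key, {"user": "alice", "ts": time.time()})
    user = service_accept(keys["cifs/fs01"], st, auth, cache)
    try:
        service_accept(keys["cifs/fs01"], st, auth, cache)  # same authenticator presented again
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return user, replay_blocked

def wrong_password_rejected() -> bool:
    try:
        demo(password_typed="wrong")
    except ValueError:
        return True
    return False
```

The point to take from the simulation: the password never leaves the client, the application server authorizes using only its own long-term key, and because the user's key is derived from the password, anyone who captures the AS reply (or obtains the password hash, as in the offline attacks later in this lesson) can attempt to open it offline, which is why Kerberos deployments add pre-authentication and strong passwords.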


Kerberos Authorization


PAP, CHAP, and MS-CHAP Authentication

Password authentication designed to work with remote access protocols (Point-to-Point Protocol)

Password Authentication Protocol (PAP)

Completely insecure: the password is sent in plaintext

Challenge Handshake Authentication Protocol (CHAP)

Challenge/response (MD5 over the identifier, shared secret, and challenge) similar to NTLM; the secret itself is never sent

Challenge is repeated periodically during the session to prevent replay and hijacking

Various implementations (Cisco, MS-CHAPv2)

Not secure enough to use without an encrypted tunnel, because a captured challenge/response pair can be attacked offline
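The CHAP exchange from both sides, with the periodic re-challenge and the reason an encrypted tunnel is still needed, as an added example that is not from the CompTIA deck. The response construction MD5(Identifier || secret || Challenge) is the one specified in RFC 1994; the peer name alice, the shared secret, the 16-byte challenge size and the word list are constructed for the example.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

class Authenticator:
    """Access-server side. CHAP needs the shared secret in recoverable form, unlike a hashed password store."""
    def __init__(self, secrets: dict):
        self.secrets, self.pending = secrets, {}

    def challenge(self, identifier: int) -> bytes:
        value = os.urandom(16)
        self.pending[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.pending.pop(identifier, None)  # single use: a captured response cannot be replayed
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)

class Peer:
    """Dial-in / PPP client side."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, chap_response(identifier, self.secret, challenge)

def run_session(auth: Authenticator, peer: Peer, rechallenges: int = 3, wire=None) -> bool:
    """Initial challenge plus periodic re-challenges; `wire` records what an eavesdropper sees."""
    for identifier in range(rechallenges):
        challenge = auth.challenge(identifier)
        name, response = peer.respond(identifier, challenge)
        if wire is not None:
            wire.append((identifier, name, challenge, response))
        if not auth.verify(identifier, name, response):
            return False
    return True

def offline_dictionary_attack(capture, wordlist):
    """An eavesdropper holding (identifier, challenge, response) can test guesses without talking to the server."""
    identifier, _name, challenge, response = capture
    for word in wordlist:
        if chap_response(identifier, word.encode(), challenge) == response:
            return word
    return None

def demo():
    auth = Authenticator({"alice": b"Summer2020"})
    wire = []
    genuine = run_session(auth, Peer("alice", b"Summer2020"), wire=wire)
    impostor = run_session(auth, Peer("alice", b"Winter2020"))
    replayed = auth.verify(wire[0][0], wire[0][1], wire[0][3])  # old response, challenge already consumed
    recovered = offline_dictionary_attack(wire[0], ["password", "Summer2019", "Summer2020"])
    return genuine, impostor, replayed, recovered
```

Replay fails because each challenge is consumed on verification, but the captured pair is enough for an offline dictionary attack on the shared secret, which is the weakness the slide's last bullet refers to; wrapping the exchange in a tunnel (e.g. the TLS tunnel of an EAP method, covered in Topic 7C) hides the pair from the eavesdropper.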


Password Attacks

Plaintext/unencrypted

Sniffing passwords from unsecure protocols

Locating passwords in documents/code repositories

Online password attack

Adversary interacts with authentication service

Restrict logon rates

Shun suspect hosts

Horizontal brute force/password spraying

Offline attacks

Password database obtained by the attacker (e.g., /etc/shadow)

Hash captured from the network when it is transmitted directly

Hash captured as the key used to sign an HMAC in a challenge/response exchange (as in NTLM), then recovered by offline guessing
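Detection logic for the online-attack bullets above (rate restriction, shunning suspect hosts, horizontal spraying), run over a constructed authentication log; this is an added example, not material from the CompTIA deck. The log line format, the source addresses, the user names and the thresholds (8 failures in 10 minutes, 5 distinct users) are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
#   <ISO-8601 timestamp> auth <FAIL|OK> user=<name> src=<ip>
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

def constructed_log():
    """Three sources: a vertical brute force, a horizontal spray, and a user who mistyped once."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    lines = [f"{(t0 + timedelta(seconds=5 * i)).isoformat()} auth FAIL user=alice src=198.51.100.7"
             for i in range(15)]
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]):
        lines.append(f"{(t0 + timedelta(minutes=10, seconds=30 * i)).isoformat()} "
                     f"auth FAIL user={user} src=203.0.113.5")
    lines.append(f"{(t0 + timedelta(minutes=30)).isoformat()} auth FAIL user=dave src=192.0.2.9")
    lines.append(f"{(t0 + timedelta(minutes=30, seconds=20)).isoformat()} auth OK user=dave src=192.0.2.9")
    return lines

def parse(lines):
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if m:  # unparseable lines are skipped rather than crashing the pipeline
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return sorted(events)

def classify_sources(events, window=timedelta(minutes=10), fail_threshold=8, spray_users=5):
    """Per source address, find the busiest failure window and label the pattern."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    verdicts = {}
    for src, fails in by_src.items():
        best, best_users, lo = 0, set(), 0
        for hi in range(len(fails)):
            while fails[hi][0] - fails[lo][0] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, best_users = hi - lo + 1, {u for _, u in fails[lo:hi + 1]}
        if best < fail_threshold:
            verdicts[src] = "benign"
        elif len(best_users) >= spray_users:
            verdicts[src] = "spray"        # horizontal: many accounts, few attempts each
        else:
            verdicts[src] = "brute-force"  # vertical: one or few accounts hammered
    return verdicts

def per_account_lockout(events, max_fail=5):
    """Accounts a naive per-account lockout would disable. The spray source alone triggers none."""
    fails = defaultdict(int)
    for _ts, result, user, _src in events:
        if result == "FAIL":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= max_fail}

def hosts_to_shun(verdicts):
    return sorted(src for src, v in verdicts.items() if v != "benign")
```

The spraying source never exceeds one failure per account, so per-account lockout (which also hands an attacker a denial-of-service lever against legitimate users) does not see it; the detection has to pivot on the source address or session, which is why the slide pairs rate limiting with shunning suspect hosts.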


Brute Force and Dictionary Attacks

Exploit weak user password selection or weak cryptographic mechanisms

Brute force attack

Generate every possible combination to match a hash

Large output space and sufficiently long input password increase time required

Dictionary attack and rainbow tables

Use a dictionary to test common words or phrases first

Rainbow tables assist dictionary attacks against unsalted password databases (such as Windows NT hashes) by precomputing hash chains

Using a per-password salt means one precomputed table no longer applies: every salt would need its own table, so the work has to be redone for each hash

Hybrid attack

Dictionary and brute force combined

Mangling (fuzzing) of dictionary terms with appended characters (james1, james2, tom1, tom2,…)
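Why precomputation works against unsalted hashes and stops working once a salt is added, plus the hybrid (word + digits) candidate generation from the last bullet, as an added example that is not from the CompTIA deck. It uses a plain lookup table rather than true rainbow chains (the precomputation idea is the same), SHA-256 stands in for whatever the target store uses, and the word list and the password james17 are constructed.

```python
import hashlib
import itertools
import os

def unsalted(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

def salted(pw: str, salt: bytes) -> str:
    # Salt prepended; a real store would also use a slow KDF (bcrypt, scrypt, Argon2, PBKDF2).
    return hashlib.sha256(salt + pw.encode()).hexdigest()

def hybrid_candidates(words, max_digits=2):
    """Dictionary plus brute-forced suffix: james, james0..james9, james00..james99, tom, ..."""
    for w in words:
        yield w
        for n in range(1, max_digits + 1):
            for digits in itertools.product("0123456789", repeat=n):
                yield w + "".join(digits)

def build_lookup(candidates):
    """Precomputation done once, before any target hash is seen (the idea behind rainbow tables)."""
    return {unsalted(c): c for c in candidates}

def crack_unsalted(table, digest):
    return table.get(digest)  # one dictionary lookup per target hash, no hashing at attack time

def crack_salted(salt, digest, candidates):
    """Per-hash work cannot be shared: every salt value forces a fresh pass over the candidates."""
    work = 0
    for c in candidates:
        work += 1
        if salted(c, salt) == digest:
            return c, work
    return None, work

def demo():
    words = ["james", "tom", "password"]
    table = build_lookup(hybrid_candidates(words))
    found_unsalted = crack_unsalted(table, unsalted("james17"))
    s1, s2 = os.urandom(16), os.urandom(16)      # two users, same password, different salts
    h1, h2 = salted("james17", s1), salted("james17", s2)
    lookup_hit = crack_unsalted(table, h1)        # the precomputed table is useless here
    c1, w1 = crack_salted(s1, h1, hybrid_candidates(words))
    c2, w2 = crack_salted(s2, h2, hybrid_candidates(words))
    return found_unsalted, lookup_hit, c1, c2, w1 == w2, len(table)
```

Salt does not stop the guess from being found (both salted hashes fall to the same dictionary), it removes the ability to amortize: the same password behind two different salts costs the full candidate pass twice, and a table built in advance matches nothing. A slow KDF then makes each of those passes expensive.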


Password Crackers

Cain and L0phtcrack

Hashcat

Hash type

Attack mode

Dictionary/word lists

Brute force

Mask (brute force constrained by a character-class pattern)


[Screenshot: hashcat (hashcat.net/hashcat)]

Authentication Management

Hardware and software solutions for storing and submitting multiple user passwords

Password key

USB token

Possibly Bluetooth/NFC connectivity

Password vaults

Software-based

Federal Information Processing Standard (FIPS 140-2) validation for the cryptographic module


Knowledge-Based Authentication


Review Activity

Assisted Lab

Auditing Passwords with a Password Cracking Utility


Lab Activity

Implement Authentication Technologies

Topic 7C


2.4 Summarize authentication and authorization design concepts

3.3 Given a scenario, implement secure network designs (HSM only)

3.8 Given a scenario, implement authentication and authorization solutions

Syllabus Objectives Covered


Smart Card Authentication

Kerberos-based smart card logon

Card readers

Card stores user’s private key and certificate

Use of card is protected by a PIN


Key Management Devices

Provision keys while reducing the risk of theft by an insider

Smart cards and USB keys

Trusted Platform Module (TPM)

Virtual smart cards

Hardware Security Module (HSM)

Provision keys to devices across the network

Key archive and escrow

Reduced attack surface and tamper-evident

Cryptographically secure pseudorandom number generator (CSPRNG)

Plug-in card and network rack form factors


Extensible Authentication Protocol/IEEE 802.1X

Authenticate user at network access devices

Wireless networks

Port authentication for switched networks

Remote access over a virtual private network

Extensible Authentication Protocol (EAP)

Supports multiple authentication implementations

Certificates and smart cards

IEEE 802.1X Port-based Network Access Control

Supplicant

Network access server (NAS)

AAA server


Remote Authentication Dial-in User Service


Terminal Access Controller Access-Control System

TACACS+

Centralizing administrative logins for network appliances

Reliable TCP transport (over port 49)

Data encryption

Discrete authentication, authorization, and accounting functions


Token Keys and Static Codes

One-time password (OTP)

Generated by some algorithm and used only once

RSA SecurID

Static code

“Dumb” smart cards that present a fixed value

Fast Identity Online (FIDO) Universal Second Factor (U2F): not a static code; the token signs a per-login challenge with a private key it never exports


Open Authentication (OATH)

HMAC-based One-time Password Algorithm (HOTP)

Time-based One-time Password Algorithm (TOTP)


2-Step Verification

Transmit a code via an out-of-band channel

Short message service (SMS)

Phone call

Push notification

Email account

Possibility of interception (for example, SMS redirected by SIM swapping, or a push prompt approved by a fatigued user)


Authentication Technologies


Review Activity

Assisted Lab

Managing Centralized Authentication

Lab Activity

Summarize Biometrics Authentication Concepts

Topic 7D


2.4 Summarize authentication and authorization design concepts

Syllabus Objectives Covered


Biometric Authentication

Enrollment

Sensor and feature extraction

Efficacy rates and considerations

False Rejection Rate (FRR) or Type I error

False Acceptance Rate (FAR) or Type II error

Crossover Error Rate (CER)

Throughput (speed)

Failure to Enroll Rate (FER)

Cost/implementation

Privacy concerns

Accessibility concerns
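How FRR (Type I), FAR (Type II) and the crossover error rate come out of a matcher's score threshold, as an added worked example that is not part of the CompTIA deck. The genuine and impostor score lists are constructed (a matcher similarity in 0..1, not data from any real sensor), and the threshold sweep in steps of 0.01 is an assumption.

```python
# Constructed matcher scores (0 = no similarity, 1 = identical), not real sensor data.
GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.72, 0.66, 0.61, 0.55]   # same person, re-presented
IMPOSTOR = [0.12, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.58, 0.63, 0.70]  # different people

def error_rates(genuine, impostor, threshold):
    """FAR: impostor attempts accepted (score >= threshold). FRR: genuine attempts rejected (score < threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def crossover(genuine, impostor, steps=100):
    """Sweep thresholds; return (threshold, FAR, FRR) where the two rates are closest: the CER/EER."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        key = (abs(far - frr), t)  # ties broken by the lowest threshold
        if best is None or key < best[0]:
            best = (key, t, far, frr)
    return best[1], best[2], best[3]

def demo():
    cer = crossover(GENUINE, IMPOSTOR)
    strict = error_rates(GENUINE, IMPOSTOR, 0.75)  # security-biased: no false accepts, more lockouts
    lax = error_rates(GENUINE, IMPOSTOR, 0.50)     # convenience-biased: no false rejects, impostors let in
    return cer, strict, lax
```

The threshold is the only knob a deployment normally has: raising it trades FAR for FRR and vice versa, so the CER is a fair single number for comparing sensors, while the threshold actually chosen should reflect which error is costlier for the asset (a data-centre door wants the strict setting, a phone unlock usually tolerates the lax one).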


Fingerprint Recognition

Fingerprint sensors

Small capacitive cells

Easy to implement

Relatively simple enrollment

Quite vulnerable to spoofing

Vein matching (vascular biometrics)

More complex scanner


Facial Recognition

Facial recognition

Enrollment can be relatively slow

Privacy issues

Prone to relatively high false acceptance/rejection rates/spoofing

Retinal scan

Pattern of blood vessels

Scanning relatively intrusive and complex

Iris scan

Pattern of the iris (the visible surface of the eye)

Easier to scan

More vulnerable to spoofing


Behavioral Technologies

Something you do

Voice recognition

Gait analysis

Signature recognition

Typing

Other uses than authentication

Identification/alerting

Continuous authentication/account locking


Biometrics Authentication Concepts


Review Activity

Summary

Lesson 7
