Implementing Authentication Controls
Lesson 7
Summarize Authentication Design Concepts
Topic 7A
CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org
Syllabus Objectives Covered
2.4 Summarize authentication and authorization design concepts
Identity and Access Management
Subjects
  Users or software that request access
Objects
  Resources such as networks, servers, and data
Identification
  Associating a valid subject with a computer/network account
Authentication
  Challenge to the subject to supply a credential to operate the account
Authorization
  Rights, permissions, or privileges assigned to the account
Accounting
  Auditing use of the account
Authentication Factors
Something you know
  Knowledge factor
  Password
  Personal identification number (PIN)
  Swipe pattern
  Challenge questions/password reset
Something you have
  Ownership factor
  Hardware tokens and fobs
Something you are/do
  Biometric factor
Screenshot used with permission from Microsoft.
Authentication Design
Meet requirements for confidentiality, integrity, and availability
Confidentiality
  Keep credentials secure
Integrity
  Threat actors cannot bypass or subvert the authentication mechanism
Availability
  The mechanism does not cause undue delay or support issues
Multifactor Authentication
Strong authentication requires two (or three) types
  Knowledge factor only is weak in terms of confidentiality
Multifactor authentication (MFA)
Two-factor authentication (2FA)
  Something you KNOW and something you HAVE
  Something you KNOW and something you ARE
  NOT something you KNOW and something else you KNOW
Authentication Attributes
Somewhere you are
  Geolocation via location services
  IP location (logical versus geolocation)
  Switch port, virtual LAN (VLAN), or wireless network name
Something you can do
  Performing an action in a way that can be captured as a unique pattern
Something you exhibit
  A behavior or personality trait that can be captured as a unique pattern
Someone you know
  Web of trust
Review Activity
Authentication Design Concepts
Implement Knowledge-based Authentication
Topic 7B
Syllabus Objectives Covered
1.2 Given a scenario, analyze potential indicators to determine the type of attack
3.8 Given a scenario, implement authentication and authorization solutions
4.1 Given a scenario, use the appropriate tool to assess organizational security (Password crackers only)
Local, Network, and Remote Authentication
Authentication providers
  Passwords versus password hashes
Windows authentication
  Local sign-in
  Network sign-in (Kerberos and NTLM)
  Remote sign-in
Linux authentication
  /etc/passwd and /etc/shadow
  Pluggable authentication modules (PAMs)
Single sign-on (SSO)
Kerberos Authentication
Single sign-on authentication and authorization provider
  Clients
  Application servers
  Key Distribution Center (KDC)
    Authentication Service – Ticket Granting Ticket
    Ticket Granting Service – Service Ticket
Images © 123rf.com.
Kerberos Authorization
Images © 123rf.com.
PAP, CHAP, and MS-CHAP Authentication
Password authentication designed to work with remote access protocols (Point-to-Point Protocol)
Password Authentication Protocol (PAP)
  Completely insecure
Challenge Handshake Authentication Protocol (CHAP)
  Challenge/response similar to NTLM
  Challenge is repeated during the session to prevent replay
  Various implementations (Cisco, MS-CHAPv2)
  Not secure enough to use without an encrypted tunnel
Screenshot used with permission from Microsoft.
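The CHAP challenge/response exchange and its repeated mid-session challenge, as an added worked example (not CompTIA's material). It follows the MD5 construction of RFC 1994, Response = MD5(Identifier || Secret || Challenge); the shared secret, the `Authenticator` class and the helper names are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed shared secret for the demonstration (not from the page).
SHARED_SECRET = b"correct-horse-battery-staple"


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).

    Identifier and challenge travel in the clear; only the secret does not. That is
    why the exchange still needs an encrypted tunnel around it (see the slide above).
    """
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Authenticator side: issues a fresh random challenge for every check."""

    def __init__(self, secret):
        self._secret = secret
        self._identifier = 0
        self._challenge = None

    def issue_challenge(self):
        # New identifier and nonce each time, so an old response cannot be replayed.
        self._identifier = (self._identifier + 1) % 256
        self._challenge = os.urandom(16)
        return self._identifier, self._challenge

    def verify(self, identifier, response):
        if self._challenge is None or identifier != self._identifier:
            return False
        expected = chap_response(identifier, self._secret, self._challenge)
        self._challenge = None  # challenge is consumed whether or not it matched
        return hmac.compare_digest(expected, response)


def run_session(authenticator, peer_secret, rounds=3):
    """Initial authentication followed by periodic re-challenges during the session."""
    outcomes = []
    for _ in range(rounds):
        ident, challenge = authenticator.issue_challenge()
        peer_answer = chap_response(ident, peer_secret, challenge)  # peer side
        outcomes.append(authenticator.verify(ident, peer_answer))
    return outcomes


def replay_is_rejected():
    """A sniffed response is useless against the next challenge."""
    auth = Authenticator(SHARED_SECRET)
    ident, challenge = auth.issue_challenge()
    captured = chap_response(ident, SHARED_SECRET, challenge)
    first_ok = auth.verify(ident, captured)
    next_ident, _ = auth.issue_challenge()
    return first_ok and not auth.verify(next_ident, captured)


if __name__ == "__main__":
    print(run_session(Authenticator(SHARED_SECRET), SHARED_SECRET))
    print(replay_is_rejected())
```

Every verification consumes the outstanding challenge, and the peer is re-challenged at intervals, which is what defeats replay. The caveat on the slide still holds: everything except the secret is visible on the link, so a weak secret can be guessed offline from one captured exchange unless the link itself is encrypted.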
Password Attacks
Plaintext/unencrypted
  Sniffing passwords from insecure protocols
  Locating passwords in documents/code repositories
Online password attack
  Adversary interacts with authentication service
  Restrict logon rates
  Shun suspect hosts
  Horizontal brute force/password spraying
Offline attacks
  Password database
  Hash transmitted directly
  Hash used as key to sign an HMAC
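An added detection example for the online-attack bullets above (not CompTIA's material): it runs over a constructed set of failed-logon records, separates a single-account brute force from a horizontal spray, and shows why per-account lockout alone misses the spray while shunning the source host covers both. The log format, thresholds and function names are assumptions made for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Assumed line format: timestamp, result, user, source address.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample (not from the page). 203.0.113.5 tries one guess against many
# accounts (spray); 198.51.100.7 hammers a single account (brute force);
# 192.0.2.9 is a user who mistyped once and then signed in.
SAMPLE_LOG = """\
2020-09-01T08:00:01 FAIL user=alice src=203.0.113.5
2020-09-01T08:00:02 FAIL user=bob src=203.0.113.5
2020-09-01T08:00:03 FAIL user=carol src=203.0.113.5
2020-09-01T08:00:04 FAIL user=dave src=203.0.113.5
2020-09-01T08:00:05 FAIL user=erin src=203.0.113.5
2020-09-01T08:00:06 FAIL user=frank src=203.0.113.5
2020-09-01T08:00:10 FAIL user=alice src=198.51.100.7
2020-09-01T08:00:11 FAIL user=alice src=198.51.100.7
2020-09-01T08:00:12 FAIL user=alice src=198.51.100.7
2020-09-01T08:00:13 FAIL user=alice src=198.51.100.7
2020-09-01T08:00:14 FAIL user=alice src=198.51.100.7
2020-09-01T08:00:20 FAIL user=bob src=192.0.2.9
2020-09-01T08:00:25 OK user=bob src=192.0.2.9
"""


def parse_log(text):
    """Turn matching lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, threshold=5):
    """Per source: brute force = many failures on one account;
    password spray = failures spread across many accounts."""
    per_src_user = defaultdict(Counter)
    for e in events:
        if e["result"] == "FAIL":
            per_src_user[e["src"]][e["user"]] += 1
    labels = {}
    for src, users in per_src_user.items():
        found = []
        if max(users.values()) >= threshold:
            found.append("brute_force")
        if len(users) >= threshold:
            found.append("password_spray")
        if found:
            labels[src] = found
    return labels


def locked_accounts(events, max_failures=3):
    """Per-account lockout (logon rate restriction). It catches the brute force,
    but the spray stays under the limit on every account it touches."""
    failures = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {user for user, n in failures.items() if n >= max_failures}


def shun_list(events, threshold=5):
    """Source hosts to block: the per-source view covers both patterns."""
    return set(classify_sources(events, threshold))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(classify_sources(evs))
    print(locked_accounts(evs))
    print(shun_list(evs))
```

A production rule would count over a sliding time window rather than the whole file, but the contrast is the point: account-centric controls see five failures on `alice`, while only a source-centric view sees one failure each on six accounts from the same address.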
Brute Force and Dictionary Attacks
Exploit weak user password selection or weak cryptographic mechanisms
Brute force attack
  Generate every possible combination to match a hash
  Large output space and sufficiently long input password increase time required
Dictionary attack and rainbow tables
  Use a dictionary to test common words or phrases first
  Rainbow tables assist dictionary attacks against Windows password databases by precomputing hash chains
  Using salt means hash chains cannot be pre-computed
Hybrid attack
  Dictionary and brute force
  Fuzzing of dictionary terms (james1, james2, tom1, tom2, …)
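The salting point above, as an added worked example (not CompTIA's material): an unsalted digest can be recovered from a table computed once in advance, while a salted, iterated record (PBKDF2-HMAC-SHA256 from Python's standard library) never matches such a table and differs even between two users with the same password. The word list and record format are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a word list (not from the page).
DICTIONARY = ["password", "letmein", "welcome", "james", "tom"]


def unsalted_hash(password):
    """Plain SHA-256: identical input always gives identical output."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(words):
    """digest -> word, computed once and reusable against every unsalted database."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(leaked_digest, table):
    """Recovering an unsalted hash is a lookup, not a computation."""
    return table.get(leaked_digest)


def hash_password(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256; assumed record format iterations$salt$digest."""
    if salt is None:
        salt = os.urandom(16)  # unique per record, stored beside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and work factor, compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def salt_defeats_precomputation(password, table):
    """Two records for the same password differ, and neither digest is in the table."""
    first, second = hash_password(password), hash_password(password)
    digests = {first.split("$")[2], second.split("$")[2]}
    return first != second and not (digests & set(table))


if __name__ == "__main__":
    table = build_precomputed_table(DICTIONARY)
    print(lookup_unsalted(unsalted_hash("letmein"), table))
    print(salt_defeats_precomputation("letmein", table))
```

Salt only removes the precomputation shortcut; a dictionary can still be tried against each record individually, which is why the iteration count (work factor) is the second half of the defence.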
Password Crackers
Cain and L0phtcrack
Hashcat
  Hash type
  Attack mode
    Dictionary/word lists
    Brute force
    Masked
Screenshot: hashcat (hashcat.net/hashcat).
Authentication Management
Hardware and software solutions for storing and submitting multiple user passwords
Password key
  USB token
  Possibly Bluetooth/NFC connectivity
Password vaults
  Software-based
  Federal Information Processing Standard (FIPS 140-2)
Review Activity
Knowledge-Based Authentication
Lab Activity
Assisted Lab: Auditing Passwords with a Password Cracking Utility
Implement Authentication Technologies
Topic 7C
Syllabus Objectives Covered
2.4 Summarize authentication and authorization design concepts
3.3 Given a scenario, implement secure network designs (HSM only)
3.8 Given a scenario, implement authentication and authorization solutions
Smart Card Authentication
Kerberos-based smart card logon
Card readers
Card stores user’s private key and certificate
Use of card is protected by a PIN
Image © 123RF.com.
Key Management Devices
Provision keys with risk of insider threat reduced
Smart cards and USB keys
Trusted Platform Module (TPM)
  Virtual smart cards
Hardware Security Module (HSM)
  Provision keys to devices across the network
  Key archive and escrow
  Reduced attack surface and tamper-evident
  Cryptographically secure pseudorandom number generator (CSPRNG)
  Plug-in card and network rack form factors
Images © 123RF.com.
Extensible Authentication Protocol/IEEE 802.1X
Authenticate user at network access devices
  Wireless networks
  Port authentication for switched networks
  Remote access over a virtual private network
Extensible Authentication Protocol (EAP)
  Supports multiple authentication implementations
  Certificates and smart cards
IEEE 802.1X Port-based Network Access Control
  Supplicant
  Network access server (NAS)
  AAA server
Remote Authentication Dial-in User Service
Images © 123RF.com.
Terminal Access Controller Access-Control System
TACACS+
  Centralizing administrative logins for network appliances
  Reliable TCP transport (over port 49)
  Data encryption
  Discrete authentication, authorization, and accounting functions
Token Keys and Static Codes
One-time password (OTP)
  Generated by some algorithm and used only once
  RSA SecurID
Static code
  “Dumb” smart cards
Fast Identity Online (FIDO) Universal Second Factor (U2F)
Image © 123RF.com.
Open Authentication (OATH)
HMAC-based One-time Password Algorithm (HOTP)
Time-based One-time Password Algorithm (TOTP)
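HOTP and TOTP as an added worked example (not CompTIA's material). The two generators follow RFC 4226 and RFC 6238 exactly, so they reproduce the published test vectors for the ASCII secret "12345678901234567890"; the `HotpValidator` class, its look-ahead window and the `totp_validate` skew parameter are my assumptions about a typical verifier, not part of either RFC's text.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of time steps since the Unix epoch."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


class HotpValidator:
    """Assumed server side of HOTP: tracks the next expected counter with a small
    look-ahead so a token that was pressed a few times unseen still resyncs."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def validate(self, code):
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # this and all earlier counters are never accepted again
                return True
        return False


def totp_validate(secret, code, unix_time, step=30, skew=1):
    """Accept the current step and +/- skew neighbours to tolerate clock drift."""
    current = int(unix_time) // step
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-skew, skew + 1))


if __name__ == "__main__":
    print(hotp(TEST_SECRET, 0))          # RFC 4226 vector for counter 0
    print(totp(TEST_SECRET, 59, digits=8))  # RFC 6238 vector for T=59
```

HOTP's counter is what makes a code single-use; with TOTP the step window plays that role, so a real verifier should additionally remember the last accepted step per user, otherwise a code observed inside the window can be presented a second time.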
2-Step Verification
Transmit a code via an out-of-band channel
  Short message service (SMS)
  Phone call
  Push notification
  Email account
Possibility of interception
Review Activity
Authentication Technologies
Lab Activity
Assisted Lab: Managing Centralized Authentication
Summarize Biometrics Authentication Concepts
Topic 7D
Syllabus Objectives Covered
2.4 Summarize authentication and authorization design concepts
Biometric Authentication
Enrollment
  Sensor and feature extraction
Efficacy rates and considerations
  False Rejection Rate (FRR) or Type I error
  False Acceptance Rate (FAR) or Type II error
  Crossover Error Rate (CER)
  Throughput (speed)
  Failure to Enroll Rate (FER)
  Cost/implementation
  Privacy concerns
  Accessibility concerns
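FRR, FAR and CER worked through on constructed matcher scores, as an added example (not CompTIA's material). The score lists, the 0-100 scale and the decision rule (accept when the match score reaches the threshold) are all assumptions made for the demonstration; the point is how the two error rates move in opposite directions as the threshold changes and where they cross.

```python
# Constructed matcher scores on an assumed 0-100 scale (higher = closer match).
# Genuine attempts: the enrolled user presenting to the sensor.
GENUINE_SCORES = [92, 88, 85, 81, 78, 74, 70, 66, 62, 55]
# Impostor attempts: other people matched against the same template.
IMPOSTOR_SCORES = [20, 28, 35, 41, 48, 53, 58, 63, 69, 75]

THRESHOLDS = range(50, 95, 5)


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Accept when score >= threshold.
    FAR (Type II) = impostors accepted / impostor attempts.
    FRR (Type I)  = genuine users rejected / genuine attempts."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def rate_table(thresholds=THRESHOLDS, **kw):
    """(threshold, FAR, FRR) for each candidate threshold: raising it lowers FAR and raises FRR."""
    return [(t, *error_rates(t, **kw)) for t in thresholds]


def crossover(thresholds=THRESHOLDS, **kw):
    """CER: the threshold where FAR and FRR are closest (equal on a continuous curve).
    A lower CER means a more accurate system overall."""
    best = min(thresholds, key=lambda t: abs(error_rates(t, **kw)[0] - error_rates(t, **kw)[1]))
    far, frr = error_rates(best, **kw)
    return best, far, frr


def threshold_for_max_far(max_far, thresholds=THRESHOLDS, **kw):
    """Lowest threshold (least inconvenience) that still keeps FAR within a security target.
    Returns None if no threshold in the range meets it."""
    for t in thresholds:
        if error_rates(t, **kw)[0] <= max_far:
            return t
    return None


if __name__ == "__main__":
    for row in rate_table():
        print("threshold %d  FAR %.1f  FRR %.1f" % row)
    print("CER at threshold %d (FAR %.1f, FRR %.1f)" % crossover())
    print("FAR <= 0.1 needs threshold", threshold_for_max_far(0.1))
```

The CER is a comparison figure between products; a deployment picks its own operating point. A door to a server room is tuned toward a low FAR and accepts the extra rejections, while a convenience unlock on a phone leans the other way.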
Fingerprint Recognition
Fingerprint sensors
  Small capacitive cells
  Easy to implement
  Relatively simple enrollment
  Quite vulnerable to spoofing
Vein matching (vascular biometrics)
  More complex scanner
Android is a trademark of Google LLC.
Facial Recognition
Facial recognition
  Enrollment can be relatively slow
  Privacy issues
  Prone to relatively high false acceptance/rejection rates and to spoofing
Retinal scan
  Pattern of blood vessels
  Scanning relatively intrusive and complex
Iris scan
  Pattern of eye surface
  Easier to scan
  More vulnerable to spoofing
Photo by Ghost Presenter on Unsplash.
Behavioral Technologies
Something you do
  Voice recognition
  Gait analysis
  Signature recognition
  Typing
Other uses than authentication
  Identification/alerting
  Continuous authentication/account locking
Review Activity
Biometrics Authentication Concepts
Summary
Lesson 7