SlideShare a Scribd company logo

CNIT 125 6. Identity and Access Management

Sam Bowne
Sam Bowne

For a college course at Coastline Community College taught by Sam Bowne. Details at https://samsclass.info/125/125_F17.shtml Based on: "CISSP Study Guide, Third Edition"; by Eric Conrad, Seth Misenar, Joshua Feldman; ISBN-10: 0128024372

Education
1 of 70
Download to read offline
CNIT 125: Information Security Professional (CISSP Preparation) Ch 6. Identity and Access Management
Authentication Methods
Authentication Methods • Type 1: Something you know • Easiest and weakest method • Type 2: Something you have • Type 3: Something you are • A fourth type is where you are
Passwords: Four Types • Static passwords • Passphrases • One-time passwords • Dynamic passwords
Static Passwords • Reusable passwords that may or may not expire • Typically user-generated • Work best when combined with another authentication type, such as a smart card or biometric control
Passphrases • Long static passwords comprised of words in a phrase or sentence • "I will pass the CISSP in 6 months!" • Stronger if you use nonsense words, mix case, and use numbers and symbols
One-Time Passwords • Very secure but difficult to manage • Impossible to reuse, valid only for one use
Dynamic Passwords • Change at regular intervals • Tokens are expensive
Strong Authentication • Also called Multifactor Authentication • More than one authentication factor • Ex: ATM card and PIN
Password Guessing • May be detected from system logs • Clipping levels distinguish malicious attacks from normal users • Ex: more than five failed logins per hour • Account lockout after a number of failed login attempts
Password Hashes and Password Cracking • Plaintext passwords are not usually stored on a system anymore • Password hash is stored instead • Password cracking • Calculating hash for a long list of passwords, trying to match the hash value
Password Hashes • Stored in /etc/shadow on Unix systems • In SAM (Security Accounts Manager) file (part of the Registry) on Windows • Local account hashes stored on local system drive • Domain account hashes stored on domain controller • Hashes also cached on the local system after a domain login
Capturing Hashes • May be sniffed from network traffic • Or read from RAM with fgdump or Metasploit's hashdump • SAM file is locked while the operating system is running
• LANMAN (LM) hash doesn't change
Dictionary Attack • Use a list of possible passwords • Fast and efficient technique • Countermeasure: password complexity and length rules
Brute Force and Hybrid Attacks • Brute Force: try all possible combinations of characters • Slow, but much faster with GPUs (Graphical Processing Units) • Rainbow tables trade time for memory • Most effective on unsalted passwords, like Microsoft's • Hybrid attack • Uses a dictionary and modifications of the words, like 1337sp33k
Salts • A random value added to the password before hashing • If two users have the same password, the hash is different • Makes rainbow tables less useful
Password Control • Users often write down passwords and place them somewhere unsafe • Like sticky notes on monitors
Type 2 Authentication Something You Have • Synchronous Dynamic Token • Synchronized with a central server • Uses time or counter to change values • Ex: RSA's SecureID, Google Authenticator • Asynchronous Dynamic Token • Not synchronized with a central server • Ex: Challenge-response token • User must enter challenge and PIN
Type 3 Authentication Something You Are • Enrollment • Registering users with a biometric system • Ex: taking fingerprints • Should take 2 minutes or less • Throughput • Time required to authenticate a user • Typically 6-10 seconds
Accuracy of Biometric Systems • False Reject Rate (FRR) -- Type I errors • False Accept Rate (FAR) -- Type II errors • Crossover Error Rate (CER)
Types of Biometric Controls • Fingerprints are most common • Data is mathematical representation of minutiae -- details of fingerprint whorls, ridges, bifurcation, etc.
Retina Scan • Laser scan of the capillaries that feed the retina in the back of the eye • Rarely used because of health risks and invasion-of-privacy issues • Exchange of bodily fluids should be avoided
Iris Scan • Passive biometric control • Can be done without subject's knowledge • Camera photographs the iris (colored portion of the eye) • Compares photo to database • Works through contact lenses and glasses • High accuracy, no exchange of bodily fluids
Hand Geometry • Measure length, width, thickness, and surface area of hand • Simple, can require as little as 9 bytes of data
Keyboard Dynamics • How hard a person presses each key • Rhythm of keypresses • Cheap to implement and effective
Dynamic Signature • Process of signing with a pen • Similar to keyboard dynamics
Voiceprint • Vulnerable to replay attack • So other access controls must be combined with it • Voices may change due to illness, leading to a false rejection
Facial Scan • Also called facial recognition • Passive but expensive • Not commonly used for authentication • Law enforcement and security agencies use facial recognition at high-value, publicly accessible targets • Superbowl XXXV was the first major sporting event to use facial recognition to look for terrorists in 2001 (link Ch 6a)
Someplace You Are • Location found from GPS or IP address • Can deny access if the subject is in the incorrect location • Credit card companies use this technique to detect fraud • Transactions from abroad are rejected, unless the user notifies the credit card company of the trip
34 1
Access Control Technologies
Centralized Access Control • One logical point for access control • Can provide Single Sign-On (SSO) • One authentication allows access to multiple systems • Can centrally provide AAA services • Authentication • Authorization • Accountability
Decentralized Access Control • Local sites maintain independent systems • Provides more local power over data • Risks: adherence to policies may vary • Attackers may find the weakest link • Note: DAC is Discretionary Access Control; not Decentralized Access Control
Single Sign-On (SSO) • One central system for authentication • More convenient for users and administrators • Risks: single point of attack, and increased damage from a compromise or unattended desktop
Session Management of Single Sign On • SSO should always be combined with dual-factor authentication • But an attacker might hijack an authenticated session • Session timeouts and locking screensavers should be used • Users should be trained to lock their workstations when they leave their desks
Access Provisioning Lifecycle • Password policy compliance checking • Notify users when passwords are about to expire • Identify life cycle changes, such as accounts inactive for 30 days or new accounts that are unused for 10 days • Revoke access rights when contracts expire • Coordinate account revocation with human resources; include termination, horizontal, and vertical moves
User Entitlement, Access Review, and Audit • Access aggregation occurs when a user gains more access to more systems • Authorization creep --users gain more entitlement without shedding the old ones • Can defeat least privilege and separation of duties • Entitlements must be regularly reviewed and audited
Federated Identity Management • Applies Single Sign-On across organizations • A trusted authority provides a digital identity above the enterprise level • In practice, Facebook seems to be the world's identity authority
• Link Ch 6b
SAML • Security Assertion Markup Language • XML-based framework for exchanging security information • Including authentication data • Enables SSO at Internet scale
Identity as a Service (IDaaS) • Also called "Cloud Identity" • Integrates easily with cloud hosted applications and third party services • Easier deployment of two-factor auth. • Compounds challenges with internal identity management and account/ access revocation • Larger attack services • Ex: Microsoft Accounts (formerly Live ID)
Credential Management Systems • Password managers, may offer: • Secure password generation • Secure password storage • Reduction in the number of passwords users must remember • Multifactor authentication to unlock credentials • Audit logging of all interactions
Integrating Third-party Identity Services • Hosting a third-party ID service locally, within an enterprise • Allows internal applications to integrate with a cloud identity
LDAP • Lightweight Directory Access Protocol • Used by most internal identity services • Including Active Directory • LDAP uses TCP or UDP 389 • Can use plaintext transmission • Supports authenticated connection and secure transmissions with TLS
Kerberos • Third-party authentication service developed at MIT • Prevents eavesdropping and replay attacks • Provides integrity and secrecy • Uses symmetric encryption and mutual authentication
Kerberos Operational Steps 1. Principal (Alice) contacts the KDC (Key Distribution Center) requesting authentication 2. KDC sends user a session key, encrypted with Alice's secret key. KDC also sends a TGT (Ticket Granting Ticket) encrypted with the TGS's secret key. 3. Alice decrypts the session key and uses it to request permission from the TGS (Ticket Granting Service)
Kerberos Operational Steps 4. TGS verifies Allice's session key and sends her a second session key "C/S session key" to use to print. TGS also sends a service ticket, encrypted with the printer's key 5. Alice connects to the printer. Printer sees a valid C/S session key, so provides service
Time in Kerberos • TGT lifetime is typically 10 hours • Authenticators contain a timestamp • Will be rejected if more than 5 minutes ol • Clocks must be synchronized on all systems
Kerberos Weaknesses • KDC stores all keys • Compromise of KDC exposes them all • KDC and TGS are single points of failure • Replay attacks possible for lifetime of authenticator • Kerberos 4 allowed one user to request a session key for another user, which could be used to guess a password • A weakness closed in Kerberos 5 • Plaintext keys can be stolen from a client's RAM
SESAME • Secure European System for Applications in a Multi-vendor Environment • Has new features not present in Kerberos • Most important: public-key encryption • This avoids Kerberos' plaintext storage of symmetric keys
RADIUS and Diameter • Remote Authentication Dial In User Service • Uses UDP ports 1812 and 1813 • An AAA server • Diameter is RADIUS' successor • Uses TCP and can manage policies for many services from a single server
TACACS and TACACS+ • Terminal Access Controller Access Control System • Uses UDP port 49 and may use TCP port 49 • TACACS+ is newer • Allows two-factor authentication • Encrypts all data (RADIUS only encrypts the password) • Not backwards-compatible with TACACS
PAP and CHAP • Password Authentication Protocol • Plaintext transmission • Vulnerable to sniffing • Challenge Handshake Authentication Protocol • Server sends client a challenge • Client adds challenge to secret and hashes it, and transmits that • Resists sniffing attacks
Microsoft Active Directory Domains • Groups users and network access into domains • Uses Kerberos • Domains can have trust relationships • One-way or two-way • Nontransitive or transitive • A transitive trust extends to any other domain either partner trusts • "Friend of a friend"
Access Control Models
Three Models • Discretionary Access Control (DAC) • Mandatory Access Control (MAC) • Non-Discretionary Access Control
Discretionary Access Control (DAC) • Owners have full control over assets • Can share them as they wish • Unix and Windows file systems use DAC • User errors can expose confidential data
Mandatory Access Control (MAC) • Subjects have clearance • Objects have labels • Typically Confidential, Secret, and Top Secret • MAC is expensive and difficult to implement
Non-Discretionary Access Control • Users don't have discretion when accessing objects • Cannot transfer objects to other subjects • Two types: • Role-Based Access Control (RBAC) • Task-based access control
Role-Based Access Control (RBAC) • Subjects have roles, like Nurse, Backup Administrator, or Help Desk Technician • Permissions are assigned to roles, not individuals
Task-Based Access Control • Works like RBAC, but focuses on the tasks each subject must perform • Such as writing prescriptions, restoring data from a backup tap,or opening a help desk ticket
Rule-Based Access Control • Uses a set of rules, in "it/then" format • Ex: firewall rules
Content- and Context-Dependent Access Controls • May be added to other systems for defense- in-depth • Content-dependent access control • Additional criteria beyond identification and authorization • Employees may be allowed to see their own HR data, but not the CIO's data • Context-dependent access controls • Applies additional context, such as time of day
70 2

Recommended

CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)
Sam Bowne
 
CNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsCNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security Operations
Sam Bowne
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
Sam Bowne
 
CNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and TestingCNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and Testing
Sam Bowne
 
CNIT 125 Ch 4. Security Engineering (Part 1)
CNIT 125 Ch 4. Security Engineering (Part 1)CNIT 125 Ch 4. Security Engineering (Part 1)
CNIT 125 Ch 4. Security Engineering (Part 1)
Sam Bowne
 
CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)
Sam Bowne
 
CNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset SecurityCNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset Security
Sam Bowne
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
Sam Bowne
 

Recommended

CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)CNIT 125: Ch 4. Security Engineering (Part 1)
CNIT 125: Ch 4. Security Engineering (Part 1)
Sam Bowne
 
CNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security OperationsCNIT 125 Ch 8. Security Operations
CNIT 125 Ch 8. Security Operations
Sam Bowne
 
CISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
Sam Bowne
 
CNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and TestingCNIT 125 7. Security Assessment and Testing
CNIT 125 7. Security Assessment and Testing
Sam Bowne
 
CNIT 125 Ch 4. Security Engineering (Part 1)
CNIT 125 Ch 4. Security Engineering (Part 1)CNIT 125 Ch 4. Security Engineering (Part 1)
CNIT 125 Ch 4. Security Engineering (Part 1)
Sam Bowne
 
CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)CISSP Prep: Ch 4. Security Engineering (Part 2)
CISSP Prep: Ch 4. Security Engineering (Part 2)
Sam Bowne
 
CNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset SecurityCNIT 125 Ch 3. Asset Security
CNIT 125 Ch 3. Asset Security
Sam Bowne
 
CISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and TestingCISSP Prep: Ch 7. Security Assessment and Testing
CISSP Prep: Ch 7. Security Assessment and Testing
Sam Bowne
 
7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
Sam Bowne
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
CNIT 125: Ch 2. Security and Risk Management (Part 2)
CNIT 125: Ch 2. Security and Risk Management (Part 2)CNIT 125: Ch 2. Security and Risk Management (Part 2)
CNIT 125: Ch 2. Security and Risk Management (Part 2)
Sam Bowne
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session Management
Sam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring Rationale
Sam Bowne
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
Sam Bowne
 
CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)
Sam Bowne
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
Sam Bowne
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
Sam Bowne
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
CNIT 125: Ch 2. Security and Risk Management (Part 1)CNIT 125: Ch 2. Security and Risk Management (Part 1)
CNIT 125: Ch 2. Security and Risk Management (Part 1)
Sam Bowne
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
Sam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne
 
CNIT 121: 16 Report Writing
CNIT 121: 16 Report WritingCNIT 121: 16 Report Writing
CNIT 121: 16 Report Writing
Sam Bowne
 
CNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologyCNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis Methodology
Sam Bowne
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
Sam Bowne
 
CNIT 125: Ch 2. Security and Risk Management (Part 2)
CNIT 125: Ch 2. Security and Risk Management (Part 2)CNIT 125: Ch 2. Security and Risk Management (Part 2)
CNIT 125: Ch 2. Security and Risk Management (Part 2)
Sam Bowne
 
Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthautha
Olajide Kuku
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking Authentication
Sam Bowne
 

More Related Content

What's hot

What's hot (20)

7. Security Operations
7. Security Operations7. Security Operations
7. Security Operations
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
CNIT 125: Ch 2. Security and Risk Management (Part 2)
CNIT 125: Ch 2. Security and Risk Management (Part 2)CNIT 125: Ch 2. Security and Risk Management (Part 2)
CNIT 125: Ch 2. Security and Risk Management (Part 2)
 
Ch 7: Attacking Session Management
Ch 7: Attacking Session ManagementCh 7: Attacking Session Management
Ch 7: Attacking Session Management
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
CNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring RationaleCNIT 50: 1. Network Security Monitoring Rationale
CNIT 50: 1. Network Security Monitoring Rationale
 
6. Security Assessment and Testing
6. Security Assessment and Testing6. Security Assessment and Testing
6. Security Assessment and Testing
 
CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)CISSP Prep: Ch 4. Security Engineering (Part 1)
CISSP Prep: Ch 4. Security Engineering (Part 1)
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
 
CISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security OperationsCISSP Prep: Ch 8. Security Operations
CISSP Prep: Ch 8. Security Operations
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
CNIT 125: Ch 2. Security and Risk Management (Part 1)CNIT 125: Ch 2. Security and Risk Management (Part 1)
CNIT 125: Ch 2. Security and Risk Management (Part 1)
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
CNIT 121: 16 Report Writing
CNIT 121: 16 Report WritingCNIT 121: 16 Report Writing
CNIT 121: 16 Report Writing
 
CNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis MethodologyCNIT 121: 11 Analysis Methodology
CNIT 121: 11 Analysis Methodology
 
3. Security Engineering
3. Security Engineering3. Security Engineering
3. Security Engineering
 
CNIT 125: Ch 2. Security and Risk Management (Part 2)
CNIT 125: Ch 2. Security and Risk Management (Part 2)CNIT 125: Ch 2. Security and Risk Management (Part 2)
CNIT 125: Ch 2. Security and Risk Management (Part 2)
 

Similar to CNIT 125 6. Identity and Access Management

Information-Security-Lecture-8.pptx
Information-Security-Lecture-8.pptxInformation-Security-Lecture-8.pptx
Information-Security-Lecture-8.pptx
anbersattar
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01
Hai Nguyen
 
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Jason Hong
 
Lock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM iLock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM i
Precisely
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Precisely
 
Crypto passport authentication
Crypto passport authenticationCrypto passport authentication
Crypto passport authentication
David Hoen
 

Similar to CNIT 125 6. Identity and Access Management (20)

Authentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthauthaAuthentication Methods authauthauthauthauthautha
Authentication Methods authauthauthauthauthautha
 
CNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking Authentication
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applications
 
CNIT 129S - Ch 6a: Attacking Authentication
CNIT 129S - Ch 6a: Attacking AuthenticationCNIT 129S - Ch 6a: Attacking Authentication
CNIT 129S - Ch 6a: Attacking Authentication
 
Information-Security-Lecture-8.pptx
Information-Security-Lecture-8.pptxInformation-Security-Lecture-8.pptx
Information-Security-Lecture-8.pptx
 
CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)
 
Track 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesTrack 5 session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practices
 
20-security.ppt
20-security.ppt20-security.ppt
20-security.ppt
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)
 
Encryption in the enterprise
Encryption in the enterpriseEncryption in the enterprise
Encryption in the enterprise
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management
 
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
 
Single sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancySingle sign on - benefits, challenges and case study : iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancy
 
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
 
Lock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM iLock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM i
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
 
Crypto passport authentication
Crypto passport authenticationCrypto passport authentication
Crypto passport authentication
 

More from Sam Bowne

More from Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Recently uploaded

1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
discovermytutordmt
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
fonyou31
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 

Recently uploaded (20)

Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 

CNIT 125 6. Identity and Access Management

  • 3. Authentication Methods • Type 1: Something you know • Easiest and weakest method • Type 2: Something you have • Type 3: Something you are • A fourth type is where you are
  • 4. Passwords: Four Types • Static passwords • Passphrases • One-time passwords • Dynamic passwords
  • 5. Static Passwords • Reusable passwords that may or may not expire • Typically user-generated • Work best when combined with another authentication type, such as a smart card or biometric control
  • 6. Passphrases • Long static passwords comprised of words in a phrase or sentence • "I will pass the CISSP in 6 months!" • Stronger if you use nonsense words, mix case, and use numbers and symbols
  • 7. One-Time Passwords • Very secure but difficult to manage • Impossible to reuse, valid only for one use
  • 8. Dynamic Passwords • Change at regular intervals • Tokens are expensive
  • 9. Strong Authentication • Also called Multifactor Authentication • More than one authentication factor • Ex: ATM card and PIN
  • 10. Password Guessing • May be detected from system logs • Clipping levels distinguish malicious attacks from normal users • Ex: more than five failed logins per hour • Account lockout after a number of failed login attempts
  • 11. Password Hashes and Password Cracking • Plaintext passwords are not usually stored on a system anymore • Password hash is stored instead • Password cracking • Calculating hash for a long list of passwords, trying to match the hash value
  • 12. Password Hashes • Stored in /etc/shadow on Unix systems • In SAM (Security Accounts Manager) file (part of the Registry) on Windows • Local account hashes stored on local system drive • Domain account hashes stored on domain controller • Hashes also cached on the local system after a domain login
  • 13. Capturing Hashes • May be sniffed from network traffic • Or read from RAM with fgdump or Metasploit's hashdump • SAM file is locked while the operating system is running
  • 14. • LANMAN (LM) hash doesn't change
  • 15. Dictionary Attack • Use a list of possible passwords • Fast and efficient technique • Countermeasure: password complexity and length rules
  • 16. Brute Force and Hybrid Attacks • Brute Force: try all possible combinations of characters • Slow, but much faster with GPUs (Graphical Processing Units) • Rainbow tables trade time for memory • Most effective on unsalted passwords, like Microsoft's • Hybrid attack • Uses a dictionary and modifications of the words, like 1337sp33k
  • 17. Salts • A random value added to the password before hashing • If two users have the same password, the hash is different • Makes rainbow tables less useful
  • 18.
  • 19. Password Control • Users often write down passwords and place them somewhere unsafe • Like sticky notes on monitors
  • 20. Type 2 Authentication Something You Have • Synchronous Dynamic Token • Synchronized with a central server • Uses time or counter to change values • Ex: RSA's SecureID, Google Authenticator • Asynchronous Dynamic Token • Not synchronized with a central server • Ex: Challenge-response token • User must enter challenge and PIN
  • 21.
  • 22. Type 3 Authentication Something You Are • Enrollment • Registering users with a biometric system • Ex: taking fingerprints • Should take 2 minutes or less • Throughput • Time required to authenticate a user • Typically 6-10 seconds
  • 23. Accuracy of Biometric Systems • False Reject Rate (FRR) -- Type I errors • False Accept Rate (FAR) -- Type II errors • Crossover Error Rate (CER)
  • 24. Types of Biometric Controls • Fingerprints are most common • Data is mathematical representation of minutiae -- details of fingerprint whorls, ridges, bifurcation, etc.
  • 25.
  • 26. Retina Scan • Laser scan of the capillaries that feed the retina in the back of the eye • Rarely used because of health risks and invasion-of-privacy issues • Exchange of bodily fluids should be avoided
  • 27. Iris Scan • Passive biometric control • Can be done without subject's knowledge • Camera photographs the iris (colored portion of the eye) • Compares photo to database • Works through contact lenses and glasses • High accuracy, no exchange of bodily fluids
  • 28. Hand Geometry • Measure length, width, thickness, and surface area of hand • Simple, can require as little as 9 bytes of data
  • 29. Keyboard Dynamics • How hard a person presses each key • Rhythm of keypresses • Cheap to implement and effective
  • 30. Dynamic Signature • Process of signing with a pen • Similar to keyboard dynamics
  • 31. Voiceprint • Vulnerable to replay attack • So other access controls must be combined with it • Voices may change due to illness, leading to a false rejection
  • 32. Facial Scan • Also called facial recognition • Passive but expensive • Not commonly used for authentication • Law enforcement and security agencies use facial recognition at high-value, publicly accessible targets • Superbowl XXXV was the first major sporting event to use facial recognition to look for terrorists in 2001 (link Ch 6a)
  • 33. Someplace You Are • Location found from GPS or IP address • Can deny access if the subject is in the incorrect location • Credit card companies use this technique to detect fraud • Transactions from abroad are rejected, unless the user notifies the credit card company of the trip
  • 34. 34 1
  • 36. Centralized Access Control • One logical point for access control • Can provide Single Sign-On (SSO) • One authentication allows access to multiple systems • Can centrally provide AAA services • Authentication • Authorization • Accountability
  • 37. Decentralized Access Control • Local sites maintain independent systems • Provides more local power over data • Risks: adherence to policies may vary • Attackers may find the weakest link • Note: DAC is Discretionary Access Control; not Decentralized Access Control
  • 38. Single Sign-On (SSO) • One central system for authentication • More convenient for users and administrators • Risks: single point of attack, and increased damage from a compromise or unattended desktop
  • 39. Session Management of Single Sign On • SSO should always be combined with dual-factor authentication • But an attacker might hijack an authenticated session • Session timeouts and locking screensavers should be used • Users should be trained to lock their workstations when they leave their desks
  • 40. Access Provisioning Lifecycle • Password policy compliance checking • Notify users when passwords are about to expire • Identify life cycle changes, such as accounts inactive for 30 days or new accounts that are unused for 10 days • Revoke access rights when contracts expire • Coordinate account revocation with human resources; include termination, horizontal, and vertical moves
  • 41. User Entitlement, Access Review, and Audit • Access aggregation occurs when a user gains more access to more systems • Authorization creep --users gain more entitlement without shedding the old ones • Can defeat least privilege and separation of duties • Entitlements must be regularly reviewed and audited
  • 42. Federated Identity Management • Applies Single Sign-On across organizations • A trusted authority provides a digital identity above the enterprise level • In practice, Facebook seems to be the world's identity authority
  • 44. SAML • Security Assertion Markup Language • XML-based framework for exchanging security information • Including authentication data • Enables SSO at Internet scale
  • 45. Identity as a Service (IDaaS) • Also called "Cloud Identity" • Integrates easily with cloud hosted applications and third party services • Easier deployment of two-factor auth. • Compounds challenges with internal identity management and account/ access revocation • Larger attack services • Ex: Microsoft Accounts (formerly Live ID)
  • 46. Credential Management Systems • Password managers, may offer: • Secure password generation • Secure password storage • Reduction in the number of passwords users must remember • Multifactor authentication to unlock credentials • Audit logging of all interactions
  • 47. Integrating Third-party Identity Services • Hosting a third-party ID service locally, within an enterprise • Allows internal applications to integrate with a cloud identity
  • 48. LDAP • Lightweight Directory Access Protocol • Used by most internal identity services • Including Active Directory • LDAP uses TCP or UDP 389 • Can use plaintext transmission • Supports authenticated connection and secure transmissions with TLS
  • 49. Kerberos • Third-party authentication service developed at MIT • Prevents eavesdropping and replay attacks • Provides integrity and secrecy • Uses symmetric encryption and mutual authentication
  • 50.
  • 51. Kerberos Operational Steps 1. Principal (Alice) contacts the KDC (Key Distribution Center) requesting authentication 2. KDC sends user a session key, encrypted with Alice's secret key. KDC also sends a TGT (Ticket Granting Ticket) encrypted with the TGS's secret key. 3. Alice decrypts the session key and uses it to request permission from the TGS (Ticket Granting Service)
  • 52. Kerberos Operational Steps 4. TGS verifies Allice's session key and sends her a second session key "C/S session key" to use to print. TGS also sends a service ticket, encrypted with the printer's key 5. Alice connects to the printer. Printer sees a valid C/S session key, so provides service
  • 53.
  • 54. Time in Kerberos • TGT lifetime is typically 10 hours • Authenticators contain a timestamp • Will be rejected if more than 5 minutes ol • Clocks must be synchronized on all systems
  • 55. Kerberos Weaknesses • KDC stores all keys • Compromise of KDC exposes them all • KDC and TGS are single points of failure • Replay attacks possible for lifetime of authenticator • Kerberos 4 allowed one user to request a session key for another user, which could be used to guess a password • A weakness closed in Kerberos 5 • Plaintext keys can be stolen from a client's RAM
  • 56. SESAME • Secure European System for Applications in a Multi-vendor Environment • Has new features not present in Kerberos • Most important: public-key encryption • This avoids Kerberos' plaintext storage of symmetric keys
  • 57. RADIUS and Diameter • Remote Authentication Dial In User Service • Uses UDP ports 1812 and 1813 • An AAA server • Diameter is RADIUS' successor • Uses TCP and can manage policies for many services from a single server
  • 58. TACACS and TACACS+ • Terminal Access Controller Access Control System • Uses UDP port 49 and may use TCP port 49 • TACACS+ is newer • Allows two-factor authentication • Encrypts all data (RADIUS only encrypts the password) • Not backwards-compatible with TACACS
  • 59. PAP and CHAP • Password Authentication Protocol • Plaintext transmission • Vulnerable to sniffing • Challenge Handshake Authentication Protocol • Server sends client a challenge • Client adds challenge to secret and hashes it, and transmits that • Resists sniffing attacks
  • 60. Microsoft Active Directory Domains • Groups users and network access into domains • Uses Kerberos • Domains can have trust relationships • One-way or two-way • Nontransitive or transitive • A transitive trust extends to any other domain either partner trusts • "Friend of a friend"
  • 62. Three Models • Discretionary Access Control (DAC) • Mandatory Access Control (MAC) • Non-Discretionary Access Control
  • 63. Discretionary Access Control (DAC) • Owners have full control over assets • Can share them as they wish • Unix and Windows file systems use DAC • User errors can expose confidential data
  • 64. Mandatory Access Control (MAC) • Subjects have clearance • Objects have labels • Typically Confidential, Secret, and Top Secret • MAC is expensive and difficult to implement
  • 65. Non-Discretionary Access Control • Users don't have discretion when accessing objects • Cannot transfer objects to other subjects • Two types: • Role-Based Access Control (RBAC) • Task-based access control
  • 66. Role-Based Access Control (RBAC) • Subjects have roles, like Nurse, Backup Administrator, or Help Desk Technician • Permissions are assigned to roles, not individuals
  • 67. Task-Based Access Control • Works like RBAC, but focuses on the tasks each subject must perform • Such as writing prescriptions, restoring data from a backup tap,or opening a help desk ticket
  • 68. Rule-Based Access Control • Uses a set of rules, in "it/then" format • Ex: firewall rules
  • 69. Content- and Context-Dependent Access Controls • May be added to other systems for defense- in-depth • Content-dependent access control • Additional criteria beyond identification and authorization • Employees may be allowed to see their own HR data, but not the CIO's data • Context-dependent access controls • Applies additional context, such as time of day
  • 70. 70 2