AAA Flashcards - Authentication, Authorization

Questions and Answers

What is identification?

The idea of describing an entity uniquely.

What does Authentication (authn) refer to?

Proving you are who you claim to be.

What does Authorization (authz) pertain to?

Describing what the user account has access to or doesn't have access to.

What is Multifactor authentication?

A system where users are authenticated by presenting multiple pieces of information or objects.

Match the types of multifactor authentication with their descriptions:

Something you know = Password Something you have = Token or smartphone Something you are = Biometric verification

What is an OTP (one-time password)?

A password generated for use in one specific session that becomes invalid after the session ends.

What is NTP (Network Time Protocol)?

An Internet protocol for synchronizing computer clock times in a network by exchanging time signals.

What is Biometric authentication?

The process of using unique physiological characteristics to identify individuals.

What is U2F (Universal Second Factor)?

A standard for second-factor authentication that uses public key cryptography.

What is a CRL (Certificate Revocation List)?

A signed list published by the CA that defines certificates that have been explicitly revoked.

What is LDAP (Lightweight Directory Access Protocol)?

An open industry-standard protocol for accessing and maintaining directory services.

What does DN (Distinguished Name) represent?

A long form of an object's name in Active Directory that indicates the object name and its containers.

What operations can a client perform with an LDAP server?

Bind, StartTLS, Search, add/delete/modify, Unbind.

What is RADIUS?

A protocol that provides AAA services for users on a network.

What is Kerberos?

A network authentication protocol that uses tickets for identity verification.

What does the TGS (Ticket-Granting Service) do?

Issues Ticket-Granting Tickets to clients in Kerberos.

What is SSO (Single Sign-On)?

An authentication concept that allows users to authenticate once for multiple services.

How is authentication different from authorization?

Authentication proves an entity's identity; authorization determines access permissions.

In a multi-factor authentication scheme, a password can be thought of as?

Something you know.

What are some drawbacks to using biometrics for authentication?

Privacy concerns and difficulty in changing compromised biometrics.

Why are U2F tokens more secure than OTP generators?

U2F authentication is impossible to phish due to its public key cryptography design.

What elements are inspected when a certificate is verified?

The period of validity and the signature of the signing certificate authority.

What is the role of the Network Access Server in a RADIUS scheme?

The Network Access Server relays authentication messages but does not evaluate them.

What does a Kerberos authentication server issue to a successfully authenticated client?

A Ticket-Granting Ticket (TGT).

What advantages does single sign-on offer?

It reduces the total number of credentials and time spent authenticating.

What does OpenID provide?

Authentication delegation to a third-party authentication service.

What is OAuth?

An open standard allowing users to grant third-party access without sharing credentials.

What does Accounting mean in AAA?

Keeping records of user access to resources and services.

What does TACACS+ do?

It manages who has access to network devices and what they can do.

What role does authorization play?

Determining what resources a user or account can access.

What does auditing relate to in AAA?

Reviewing usage records for anomalies.

Authentication is concerned with determining _______.

identities of individuals.

Security Keys utilize a secure challenge-and-response authentication system, which is based on ______.

public key cryptography.

Which examples represent 'something you have' for multifactor authentication?

RSA SecureID token.

A Lightweight Directory Access Protocol (LDAP) uses a _____ structure to hold directory objects.

tree.

What is used to request access to services in the Kerberos process?

A Ticket Granting Ticket (TGT).

Why was TACACS+ chosen for a military base network?

To manage device administration authentication, authorization, and accounting.

In the three As of security, which part pertains to access permission?

Authorization.

Why should a company use OAuth when utilizing Google Business applications?

To allow apps to temporarily access a user's email without sharing credentials.

Access control entries can be created for what types of file system objects?

Folders, files, and programs.

Authorization is concerned with determining ______ to resources.

access.

Security Keys are more ideal than OTP generators because they're resistant to _______ attacks.

phishing.

What other factor qualifies for multifactor authentication combined with a password?

Fingerprint or PIN.

An organization needs to set up a(n) _____ infrastructure for issuing client certificates.

PKI.

What supports secure operations for modifying directory objects in an LDAP architecture?

Bind and modify operations.

Which examples represent a Single Sign-On (SSO) service?

Kerberos and OpenID.

An Open Authorization (OAuth) access token would have a _____ indicating third-party access.

scope.

What does TACACS+ keep track of?

User authentication and commands executed by users.

Why is a client certificate used in a Certificate Authority (CA) infrastructure?

To authenticate the client with other computers.

Study Notes

Authentication, Authorization, Accounting (AAA)

• Identification: Unique description of an entity.
• Authentication (authn): Validating the identity of a user claiming to be someone.
• Authorization (authz): Specifies what resources a user can access or not.

Multifactored Authentication

• Definition: Users authenticate using multiple identifiers.
• Types of authentication:
  • Something you know (e.g., passwords)
  • Something you have (e.g., security tokens)
  • Something you are (e.g., biometrics)

OTP and NTP

• One-Time Password (OTP): A session-specific password that is invalid after use.
• Network Time Protocol (NTP): Synchronizes computer clocks within a network using time signals.

Biometric and U2F Authentication

• Biometric Authentication: Uses physiological traits (like fingerprints) to verify identity.
• Universal Second Factor (U2F): Developed by Google, Yubico, and NXP Semiconductors, utilizes public key cryptography for secure authentication.

Certificate Management

• Certificate Revocation List (CRL): A list by a Certificate Authority (CA) of revoked certificates.
• Lightweight Directory Access Protocol (LDAP): A standard protocol for accessing and maintaining directory services, akin to an electronic phone directory.
• Distinguished Name (DN): The complete name of an object in Active Directory, indicating its location within the directory structure.

Client Operations in LDAP

• Common Operations:
  • Bind: Client authentication to the server.
  • StartTLS: Connection upgrade to secure communication.
  • Search: Retrieve records.
  • Add/Delete/Modify: Manage directory data.
  • Unbind: Terminate connection to the LDAP server.

Authentication Protocols

• RADIUS: Provides AAA services for users on a network.
• Kerberos: Network authentication protocol using tickets for secure identity verification.
• TACACS+: Cisco-developed AAA protocol that manages network device access.

SSO and OAuth

• Single Sign-On (SSO): Users authenticate once for multiple services.
• Open Authorization (OAuth): Allows third-party applications to access user data without sharing credentials directly.

Accounting and Auditing

• Accounting: Records user resource access and system interactions.
• Auditing: Reviews access records for anomalies.

Key Comparisons and Differences

• Authentication vs. Authorization: Authentication confirms identity while authorization determines access rights.
• Biometrics Drawbacks: Privacy concerns and difficulty in changing compromised biometric data.
• U2F vs. OTP: U2F offers better security as it cannot be phished unlike OTPs.

Security Elements

• Auditing in Accounting: Auditing reviews access and usage records, searching for irregularities.
• Security Keys: Use public key cryptography for secure challenge-response authentication; resistant to phishing.

Additional Context on Protocol Usage

• Kerberos TGT: A Ticket-Granting Ticket is issued post-authentication for service access requests.
• TACACS+ Implementation: Provides device administration authentication, authorization, and accounting.
• Certificate Validations: Certificate verification involves checking validity period and CA signatures.

Specific Use Cases

• OAuth for Apps: Ideal for applications needing temporary access to user accounts (e.g., email previews).
• LDAP Infrastructure: Required for issuing and signing client certificates in secure directory setups.

Directory and Access Control

• File System Control: Access control entries can be created for folders, files, and programs.
• Client Tracking in TACACS+: Monitors user actions and commands executed on network devices.

Description

Explore the fundamental concepts of AAA with these flashcards. Learn about identification, authentication, authorization, and multifactor authentication. Perfect for anyone looking to deepen their understanding of security measures.