Chapter 7 - 01 - Discuss Essential Network Security Protocols - 09_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Controls - Technical Controls Exam 212-82

OAuth

- OAuth is an authorization protocol that allows a user to grant limited access to their resources on one site from another site, without having to expose their credentials.
- OAuth does not transfer user credentials between applications; instead, it uses authorization tokens to verify an identity between the client and server.

[Figure: OAuth flow between the client application, resource owner, resource server and authorization server; labelled arrows: access data, authorization and authentication, grant access]

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

According to https://auth0.com, OAuth is an authorization protocol that allows a user to grant limited access to their resources on one site from another site, without having to expose their credentials. OAuth provides authorization flows for many computing devices and applications; for example, it connects users of one application to different applications for accessing the required information. OAuth does not transfer user credentials between applications; instead, it uses authorization tokens to verify an identity between the client and server.

Different actors are involved in the OAuth process:

- Owner of the resource: The resource owner is also known as the user, who grants permission to an application to access his/her account. The access given to the application is limited or conditional, such as providing only read and write permissions.
- Authorization/Resource Server (API): The resource server holds the secured user account, and the authorization server validates the user identity and then supplies the access token to the application.
- Client or Application: It is an application that seeks access to the user account. To access the account, the user must authorize the application; then, the API should validate the authorization.

Steps involved in the Authorization Code Grant

There are four steps involved in the authorization code grant, through which attackers can perform various authorization attacks on the API.

- The user passes the GET request to the client via the user agent to initiate the authorization process. This operation can be performed via the "Login with" or "Connect" button displayed on the client's site.
- The user agent can be redirected to the authorization server by the client using the following parameters:
  - response_type: Code used for informing the server which permissions to execute
  - client_id: ID assigned to the client
  - redirect_uri: URI to which the authorization server redirects the user agent when the authorization code is provided
  - scope: Defines the level of access to the application
  - state: Opaque value used for security implementations. The value is also used for maintaining the state between the request and the callback
- When the user is authenticated and authorized to access the resource, the user agent is redirected to redirect_uri by the authorization server. The server uses the following parameters to do this:
  - code: Authorization code
  - state: Value supplied in the abovementioned request
- Using the authorization code, the client requests the access token by adding the following parameters in the body of a request:
  - grant_type: authorization_code
  - code: Authorization code received in the previous message
  - redirect_uri: URI used in the first request

Figure 7.26: Working of OAuth
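The authorization code grant described above, modelled end to end as an added example (Python written for this page, not EC-Council's or any library's code): the client builds the redirect with the five parameters, the authorization server redirects back with code and state, and the client checks state before sending the token request. AuthServer, Client and the example URLs are assumptions; the checks the model adds are that an unrecognised or reused state, a reused code, or a code redeemed by a different client or redirect_uri is refused.

```python
# Added example, not EC-Council code: model of the authorization code grant.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

def query_params(url):
    """Flatten the query string of a URL into a plain dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class AuthServer:
    """Toy authorization server (assumed name): issues single-use codes."""
    def __init__(self):
        self.codes = {}   # code -> (client_id, redirect_uri) it was issued for

    def authorize(self, url):
        q = query_params(url)
        if q.get("response_type") != "code":
            raise ValueError("unsupported response_type")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (q["client_id"], q["redirect_uri"])
        # Redirect the user agent back to redirect_uri with the code and the echoed state.
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, body):
        entry = self.codes.pop(body.get("code"), None)   # a code can be redeemed once
        if body.get("grant_type") != "authorization_code" or entry is None:
            return None
        if entry != (body.get("client_id"), body.get("redirect_uri")):
            return None   # code was issued to a different client or redirect_uri
        return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}

class Client:
    """Toy client application (assumed name)."""
    def __init__(self, client_id, redirect_uri):
        self.client_id, self.redirect_uri = client_id, redirect_uri
        self.pending = set()   # state values issued but not yet seen in a callback

    def login_url(self, authorize_endpoint, scope):
        state = secrets.token_urlsafe(16)   # opaque value tying request to callback
        self.pending.add(state)
        return authorize_endpoint + "?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "scope": scope, "state": state})

    def callback(self, url, server):
        q = query_params(url)
        if q.get("state") not in self.pending:
            return None   # a callback we never asked for (or a replay): drop it
        self.pending.discard(q["state"])
        return server.token({"grant_type": "authorization_code", "code": q.get("code"),
                             "redirect_uri": self.redirect_uri, "client_id": self.client_id})
```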
OpenID Connect (OIDC)

- OIDC is an authentication protocol that is built as a thin layer on the OAuth 2.0 protocol.
- It provides authentication functions such as login, profiling information, and end-user identity verification.
- It creates a secure ID token using JSON that contains basic information such as name, phone number, and address.

[Figure: OIDC flow between the user, the relying party/OIDC application, and the resource provider's authorization server and resource server; labelled steps: user accesses the application, user authentication, authorization and scope, redirect, access token + ID token, user info request and response]

OpenID Connect (OIDC) is an authentication protocol built as a thin layer on the OAuth 2.0 protocol. OIDC provides authentication functions such as login, profiling information, and end-user identity verification. The main identity concepts used by OIDC are an identity token and an identity attribute API. It also permits mobile-, web-, and JavaScript-based clients to request and receive data on end users who are authenticated. OIDC offers other advanced features such as the encryption of identity data and the ability to find OIDC providers.

The OAuth protocol is used to provide permissions to access the user information of one application from another application by exchanging an access token between the client and the resource server. OIDC uses this retrieved information and creates an account in the client application on behalf of the user. OIDC creates a secure ID token to verify the identity of the user. It is a JSON web token that contains basic information such as name, phone number, and address in the form of strings. It provides the convenience of using the same login with all client applications. This feature is also called single sign-on (SSO).

Figure 7.27: Working of OIDC

OIDC functions through the following steps:

- Step 1: The user accesses the client application from the relying party or the browser to create an account by using the information available on other applications.
- Step 2: The user clicks on a familiar resource provider for which they already have an account, and the browser redirects to that application.
- Step 3: The user self-authenticates with their credentials, authorizes, and selects the scope of information, following which they are redirected back to the client application.
- Step 4: The authentication server sends an access token and an ID token from the resource to the client.
- Step 5: The client uses the ID token to request the user information server and receives a response with the requested information.

Advantages:

- Reduces the time taken for the sign-up process across multiple applications and websites
- Provides easy accessibility to multiple applications and the ability to maintain multiple identities
- Simplicity; most popular applications and websites feature both the OAuth and OIDC protocols
- Decentralized

Disadvantages:

- Supported by few websites and applications
- The sign-in process may be slightly difficult and complex for new users
- Vulnerable to several phishing attacks; if one website is breached, one sign-in may result in the compromise of other connected accounts
- Loss of anonymity due to the sharing of personal information from one website to other websites
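Step 4 hands the relying party an ID token; as an added example (Python written for this page, not from the courseware or any OIDC library), here is the check a relying party should run on that JSON Web Token before trusting the name, phone number and address claims inside it. It assumes the token is signed with HS256 using the client secret (providers commonly use RS256, which needs a key library), and the issuer, client id, secret, nonce and claim values are constructed.

```python
# Added example, not EC-Council code: relying-party checks on an OIDC ID token.
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the provider: build an HS256-signed JWT (HS256 is an assumption)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Return the claims only if the token is authentic and meant for this client."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header, claims, sig = json.loads(unb64url(h)), json.loads(unb64url(p)), unb64url(s)
    except (ValueError, TypeError):
        return None   # malformed token
    if header.get("alg") != "HS256":   # refuse 'none' or any algorithm we did not expect
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None   # header or payload altered, or signed with another key
    aud = claims.get("aud")
    aud_ok = client_id in aud if isinstance(aud, list) else aud == client_id
    if claims.get("iss") != issuer or not aud_ok:
        return None   # issued by someone else, or for a different client
    if claims.get("exp", 0) <= now or claims.get("nonce") != nonce:
        return None   # expired, or not the login we started (nonce mismatch)
    return claims
```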
