AAA
CNIT 242 Exam 1: Authentication, Authorization, Accounting
Term | Definition |
---|---|
what is authentication? | Do you have the credentials necessary to access this system? |
how is authentication accomplished? | By one or more authentication factors: • What you know (password, PIN) • Where you are (location) • What you have (token, smart card) • What you are (biometric) |
what is two-factor authentication (+ multifactor)? | Using two or more factors from different categories to prove identity (ex: password + security token = something you know + something you have). Two passwords are still a single factor. |
what are the two main parts of authentication? | identification and proof of identification |
identification vs proof of identification? | Identification (who you claim to be): • User ID (UID) • Physical object (e.g. ATM card) • Biometrics • Digital certificates. Proof of identification (evidence for the claim): • Passwords • Access code (e.g. PIN) • One-time tokens • Biometrics • Digital certificates |
User ID strategies | • should not be simple names or randomly computer-generated strings • usually built by a fixed algorithm such as last name + initial (LNI) or initial + last name (ILN) • ideally should not be the user's email address |
Password strategies and rules | Rule #1: don't write passwords down! • Avoid easy-to-guess passwords • Complexity requirements: must not contain the username or first/last name; must contain mixed case, numbers and special characters (Unicode characters may be allowed) |
password security through changes | Force periodic password changes • lecture's optimal interval is 90 days (anywhere from 30 days to a year is common) • disallow reuse of the last x passwords • require mixed case and non-alphabetic characters • disallow plain English words. Caveat: current NIST SP 800-63B guidance advises against forced periodic rotation unless there is evidence of compromise, because it pushes users toward predictable increments; the 90-day figure is what the course expects on the exam. |
what security tradeoff comes with password requirements | The stricter the password rules, the more likely users are to violate rule #1 and write passwords down (or pick predictable patterns that merely satisfy the checker). |
biometrics auth | Functions as both identification and proof of identification. Two groups: Physiological (fingerprints, hand geometry, retina/iris scans) and Behavioral (speech, signature, keystroke dynamics). Issues: false rejects (legitimate user denied) and false accepts (impostor admitted); tightening the matching threshold lowers one rate while raising the other. |
digital certificates auth | A digitally signed data file in which a Certificate Authority (CA) vouches for the identity of the holder; the certificate is signed, not encrypted. If you trust the CA, you trust the certificates the CA issues. It also carries the holder's public key, used to set up encrypted transmissions. |
authentication across the network | The supplied credential is compared against a stored reference (e.g. a password hash) in an account database. By default that database lives on the local computer; in an enterprise it is stored on a separate authentication server. |
Domain Logon | authenticate against the domain, not the local machine |
TACACS+ | Cisco-proprietary (later documented in RFC 8907) • TCP (port 49) • authentication, authorization and accounting are separate processes • encrypts the entire packet body, not just the password |
RADIUS | Remote Authentication Dial In User Service • used to authenticate to network access devices (VPN, Wi-Fi, switch ports) in order to gain network access • open standard (RFC 2865) • UDP (ports 1812/1813) • combines authentication and authorization in one exchange • only the User-Password attribute is hidden (MD5 with the shared secret); the username and other attributes travel in the clear |
KERBEROS | Authentication only, no authorization or accounting • at least three servers: Authentication Server (AS), Ticket Granting Server (TGS) (AS + TGS together make up the KDC) and one or more application servers • relies on symmetric-key encryption by default; can be configured for public-key initial authentication (PKINIT) |
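To make the "TACACS+ encrypts the whole body, RADIUS only hides the password" contrast concrete, here is an added example (not course material) that rebuilds both constructions from their RFCs in standard-library Python: RFC 2865 section 5.2 User-Password hiding and RFC 8907 section 4.5 TACACS+ body obfuscation. Both are MD5-keystream XOR schemes, so anyone with the shared secret reverses them. The shared secret, Request Authenticator, session id and user/password values are constructed sample data.

```python
import hashlib


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with nulls to 16-octet blocks, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator), ci = pi XOR MD5(secret + c(i-1))."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password is 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse: holding the shared secret and the packet is enough to read the password.
    Trailing null padding is stripped (a password ending in NUL would lose it)."""
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def radius_access_request_attrs(user: bytes, password: bytes, secret: bytes, ra: bytes) -> bytes:
    """Attribute list of an Access-Request: User-Name (type 1) in the clear,
    User-Password (type 2) hidden. Everything else in the packet is plaintext too."""
    hidden = radius_hide_password(password, secret, ra)
    return bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_(n-1)); concatenate, truncate."""
    prefix = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """Whole body XOR pseudo_pad. XOR is its own inverse, so the same call decodes."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


def tacacs_authen_start_body(user: bytes, port: bytes, password: bytes) -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=PAP(2),
    authen_service=LOGIN(1), then user_len, port_len, rem_addr_len, data_len and the
    variable-length fields (the PAP password rides in the data field)."""
    return bytes([1, 1, 2, 1, len(user), len(port), 0, len(password)]) + user + port + password


def demo() -> dict:
    """Constructed exchange: what an on-path observer without the secret can read."""
    secret, ra, session = b"shared-secret", bytes(range(16)), 0x1234ABCD
    user, pw = b"alice", b"Winter2024!"
    radius_pkt = radius_access_request_attrs(user, pw, secret, ra)
    tacacs_pkt = tacacs_obfuscate(tacacs_authen_start_body(user, b"tty0", pw), session, secret)
    return {
        "radius_username_visible": user in radius_pkt,
        "radius_password_visible": pw in radius_pkt,
        "tacacs_username_visible": user in tacacs_pkt,
        "radius_recovers_with_secret": radius_reveal_password(radius_pkt[-16:], secret, ra) == pw,
    }
```

Run `demo()` and the RADIUS username shows up verbatim while the TACACS+ body does not leak it; note also that neither scheme is real encryption by modern standards, which is why both protocols are normally confined to a management network or wrapped in IPsec/TLS (RadSec).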
what is authorization? | Once authenticated, what do you have permission to do? -users should only be allowed to access resources they are supposed to be able to access |
how is authorization accomplished? | rights and permissions |
how should rights and permissions be assigned? to individual users or groups? | best to assign permission to groups, not individual users, for efficiency and future expansion of enterprise |
Group policy | assigns RIGHTS at the system level |
Access Control Lists (ACLs) | Assign PERMISSIONS at the object level • simplest method of providing authorization • rely on a separate authentication mechanism to establish who the requester is • contain a list of authorized users/groups and the authorization level of each |
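An added example (not course material) showing why the cards prefer group-based permissions: an object ACL whose entries name groups, evaluated with deny-overrides-allow (the way Windows treats explicit NTFS ACEs), with group membership resolved through nested groups. Onboarding a new hire then means one group change rather than touching every object's ACL. The directory, ACL and user names are constructed sample data.

```python
from typing import Dict, List, Set, Tuple

# Constructed directory: group -> members. A member may itself be a group (nesting).
GROUPS: Dict[str, Set[str]] = {
    "Finance-Admins": {"carol", "dave"},       # dave is a contractor helping the admins
    "Finance": {"alice", "bob", "Finance-Admins"},  # nested: admins are also Finance members
    "Contractors": {"dave"},
}

# ACL on one object: (principal, effect, permissions). Principals are groups, not users.
PAYROLL_ACL: List[Tuple[str, str, Set[str]]] = [
    ("Finance", "allow", {"read"}),
    ("Finance-Admins", "allow", {"read", "write"}),
    ("Contractors", "deny", {"write"}),
]


def resolve_groups(user: str) -> Set[str]:
    """Every group the user belongs to, directly or through nested groups."""
    found: Set[str] = set()
    frontier = [user]
    while frontier:
        member = frontier.pop()
        for group, members in GROUPS.items():
            if member in members and group not in found:
                found.add(group)
                frontier.append(group)   # a group's parents apply to its members too
    return found


def effective_permissions(user: str, acl: List[Tuple[str, str, Set[str]]]) -> Set[str]:
    """Union of allows for the user's principals, minus anything any of them is denied
    (an explicit deny on any group wins over an allow on another)."""
    principals = resolve_groups(user) | {user}
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, effect, perms in acl:
        if principal in principals:
            (allowed if effect == "allow" else denied).update(perms)
    return allowed - denied


def is_permitted(user: str, perm: str, acl: List[Tuple[str, str, Set[str]]]) -> bool:
    return perm in effective_permissions(user, acl)


def onboard(user: str, group: str) -> None:
    """New hire: change group membership, not the ACL on every object."""
    GROUPS.setdefault(group, set()).add(user)
```

With this data `carol` can write payroll through Finance-Admins, `dave` cannot despite the same admin membership because the Contractors deny wins, and `onboard("erin", "Finance")` gives Erin read access without editing `PAYROLL_ACL`.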
KERBEROS Realm | admins create realms that encompass all that is available to access -client, server/host being accessed, and KDC exist in it |
KERBEROS communication | Requesting a service/host involves three exchanges: client with AS, client with TGS, client with the server/host • each reply carries two messages: one the client can decrypt (it holds that key) and one it cannot (a ticket encrypted for the next server, which the client simply forwards) • the server/host never communicates directly with the KDC; it validates the ticket with its own key |
KDC | Key Distribution Center • its database is encrypted under a master key so stored keys cannot simply be read off disk • stores the secret keys of all user machines and servers, generated by the admin during setup • a user's secret key = hash(password + salt) • services/hosts have no passwords; they receive a generated key |
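The three exchanges and "two messages per reply" rule from the cards above, walked through in an added example that is not course material. It simulates AS, TGS and application server in standard-library Python; the cipher is a stand-in (HMAC-SHA256 keystream plus HMAC tag) for Kerberos' real AES encryption types, PBKDF2 stands in for the real string-to-key function, and the realm, principal names and password are constructed.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.EDU"   # assumed realm name


def derive_user_key(password: str, principal: str) -> bytes:
    """Card: user secret key = hash(password + salt). Kerberos salts with the
    principal name and realm; PBKDF2-SHA256 stands in for the real string-to-key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{principal}@{REALM}".encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((n + 31) // 32))[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Stand-in for a Kerberos encryption type: keystream XOR, then HMAC tag."""
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")   # the "cannot decrypt" half
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server + Ticket Granting Server. Holds every secret key.
    User keys come from passwords; krbtgt and service keys are random (card: no
    passwords for services/hosts, keys generated by the admin at setup)."""
    def __init__(self, user_passwords: dict, services: list, lifetime: int = 600):
        self.lifetime = lifetime
        self.keys = {u: derive_user_key(p, u) for u, p in user_passwords.items()}
        self.keys.update({s: os.urandom(32) for s in ["krbtgt", *services]})

    def as_exchange(self, user: str):
        """Exchange 1 (AS). Reply: session key S1 under the user key (client can open)
        and the TGT under the krbtgt key (client cannot open, only forwards)."""
        s1 = os.urandom(32)
        tgt = {"client": user, "key": s1.hex(), "expires": time.time() + self.lifetime}
        return seal(self.keys[user], {"key": s1.hex()}), seal(self.keys["krbtgt"], tgt)

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str):
        """Exchange 2 (TGS). Check TGT + authenticator, issue S2 under S1 (client opens)
        and a service ticket under the service's key (client cannot open)."""
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        s1 = bytes.fromhex(tgt["key"])
        auth = unseal(s1, authenticator)          # only a holder of S1 can build this
        if (auth["client"] != tgt["client"] or time.time() > tgt["expires"]
                or abs(time.time() - auth["ts"]) > 300):
            raise ValueError("authenticator mismatch, stale timestamp or expired TGT")
        s2 = os.urandom(32)
        ticket = {"client": tgt["client"], "key": s2.hex(), "expires": time.time() + self.lifetime}
        return seal(s1, {"key": s2.hex(), "service": service}), seal(self.keys[service], ticket)


class Service:
    """Application server. Knows only its own key (keytab); never calls the KDC."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket_blob: bytes, authenticator: bytes) -> bytes:
        """Exchange 3 (AP). Decrypt the ticket locally, verify the authenticator,
        answer under S2 so the client can check the server too (mutual auth)."""
        ticket = unseal(self.key, ticket_blob)
        s2 = bytes.fromhex(ticket["key"])
        auth = unseal(s2, authenticator)
        if auth["client"] != ticket["client"] or time.time() > ticket["expires"]:
            raise ValueError("ticket/authenticator mismatch or expired ticket")
        return seal(s2, {"ts": auth["ts"]})


def client_login(kdc: KDC, user: str, password: str, svc: Service) -> bool:
    """Client side of all three exchanges; True once the service proves it holds S2."""
    user_key = derive_user_key(password, user)
    enc1, tgt = kdc.as_exchange(user)
    s1 = bytes.fromhex(unseal(user_key, enc1)["key"])   # a wrong password fails right here
    enc2, ticket = kdc.tgs_exchange(tgt, seal(s1, {"client": user, "ts": time.time()}), svc.name)
    s2 = bytes.fromhex(unseal(s1, enc2)["key"])
    ts = time.time()
    ap_rep = svc.ap_exchange(ticket, seal(s2, {"client": user, "ts": ts}))
    return unseal(s2, ap_rep)["ts"] == ts


def demo(password: str = "correct horse battery") -> bool:
    kdc = KDC({"alice": "correct horse battery"}, ["host/fileserver"])
    svc = Service("host/fileserver", kdc.keys["host/fileserver"])   # keytab handed over at setup
    return client_login(kdc, "alice", password, svc)


def login_rejected(password: str) -> bool:
    try:
        return not demo(password)
    except ValueError:
        return True
```

Two things to notice when stepping through it: the password never leaves the client (it is only used to derive the key that opens the AS reply), and `Service` decrypts its ticket with its own key alone, which is exactly why the card says the server/host never talks to the KDC.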
According to lecture, _____ days is typically the optimal duration between password changes. A. 30 B. 90 C. 120 D. 60 | B. 90 days |
The number one rule of passwords is: Do not write them down. True or False? | True |
The two basic parts of authentication are usernames and passwords. True or False? | False, The two basic parts of authentication are identity and proof of identity. |
In an enterprise environment, it is best to assign permissions to individual users. True or False? | False. It is best to assign permissions to groups and place the applicable user(s) in the group. |
RADIUS is typically only used for authentication to network equipment for configuration purposes and terminal access. True or False? | False. RADIUS is typically used to authenticate to network access devices to gain network access. |