Domain 5 - Identity and Asset Management¶
IAAA¶
Identification¶
- your name, username
Authentication¶
- type 1 - Knowledge
- password, pin, passphrase
- type 2 - posession
- type 3 - biometrics ("you are ...")
- type 4 - somewhere you are
- type 5 - something you do
- MfA - Multi-Factor Authentication
- two out of the types above
Type 1 Authentication¶
- Brute force attacks
- use key stretching
- Dictionary attacks
- limit number of logins
- do not allow dictionary words
- Rainbow tables
- limit number of logins (salts)
- Key logger
- Clipping levels
- to prevent administrative overhead
- allow failed attempts (only 3-4)
- block the account for an amount of time
- Microsoft Defaults:
- password history: set to 24
- max age: 90 days
- min age: 2 days
- min length: 8 chars
- complexity
- store password using irreversible encryption
Type 2 Authentication¶
- single-use passwords
- can be paper-based
- TAN
- smart-cards or token (HTOP / TOTP)
- contact
- contactless
- magnet-swipe cards
- very easy to replicate
Type 3 Authentication¶
- fingerprint
- facial geometry
- biological characteristics
- behavioral characteristics
- keystrokes dynamics
- signature dynamics
- FRR (type-1 error)
- False Rejection Rate
- valid subject denied
- FAR (type-2 error)
- False Acceptance Rate
- invalid subject allowed
- Point when FRR and FAR are equal, is the CER (Crossover Error Rate)
- Issues
- biometrics are easily to get / find out
- attackers can take pictures
- how you type can be replayed
Authorization¶
Discretionary Access Control (DAC)¶
- often used when availability is not important
- based on Data Owners discretion
- identity based access control
Mandatory Access Control (MAC)¶
- used when confidentiality is most important
- all objects and subjects have a label
- compartments may or may not be used
- access-control will be enforced on operation system level
Role-Based Access Control (RBAC)¶
- used when integrity is most important
Attribute Based Access Control (ABAC)¶
- subject attributes
- department
-
title
-
action attributes
- view
- edit
-
delete
-
object attributes
-
description
-
contextual attributes
- time
- location
- elements
Context-based access control¶
- based on location, time, access history
- providing username/password followed by challenge/response (such as CAPTCHA)
Accountability¶
- providing non-repudiation
- Track an action to a subjects identity
Access Control Systems¶
- centralized
- Pros
- all systems and location have the same
- security posture
- easier to manage
- only few have access
- provides separation of duties
- SSO can be used
- Cons
- Traffic overhead and response time
- is connectivity to head office stable?
- Identity and access provisioning lifecycle
- User access review
- System account access review
- Provisioning and Deprovisioning
- Accounts can have too much access (excessive privilege)
- Accounts can have inherited privilege (privilege creep)
Federated Identity Management¶
- extends IM from a single organization to multiple organization whishing to share identities between themselves.
- pros
- ease of account management
- single-sign-on
-
increased productivity (because staff has to remember just one login and can use SSO)
-
cons
-
doesn't prevent brute-force attacks
-
SSO
- OAuth, OpenID, Shibboleth, Kerberos, Active Directory Federation Services (ADFS), Central Authentication Services (CAS)
- SAML
- XML
- webbased SSO
- to secure SAML against eavesdropping or forged assertions use TLS with dig signatures
Authentication Protocols¶
Kerberos¶
- mutual authentication
- client-server model
- protected against eavesdropping and replay attacks
- build on symmetric keys
- uses realms
- KDC - Key Distribution Center
- trusted third party that provides authentication services. Maintains the secret keys for all registered entities.
- Authentication Server
- verifies and accepts/rejects tickets based on authenticity and timeliness
- Ticket Granting Server
- issues tickets to authorized users
- Ticket
- an encrypted message that provides some form or type of proof depending on what type of ticket it is.
- Ticket-Granting Ticket
- Service Ticket
- Concerns
- security depends on careful implementation
- enforcing limited lifetimes for authentication, minimize the threats of replayed credentials
- KDC must be physically secured and protected
- KDC can be a SPoF, and therefore must be considered in backup plan and BCP
- length of the keys (secret and session) is very important
- too short
- brute-force attacks
- too long
- system can be overloaded
- encryption processes are based on passwords
- password-guessing attacks
RADIUS¶
- uses UDP 1812 and 1813
- can support TLS in TCP
- provides AAA between NAS Client and Authentication Server.
- encrypts only the password exchange
TACACS+¶
- uses TCP 49
- two factor authentication
- encrypts entire package
- seperates AAA processes and allows them to be hosted seperately
Diameter¶
- uses TCP 3368 or SCTP port 3868
- supports IPSec and TLS
- was intended to replace RADIUS
- used in 3G space
- 32bit AVP field, RADIUS only 8bit
PAP¶
- plaintext user/password
CHAP¶
- need plaintext shared secret
- stores plaintext passwords
AD - Active Directory¶
- uses LDAPv2/v3, Kerberos and DNS
- often used as RBAC
- Trust Domains
- one-way host
- two-way host
- Trusted Domain
- transitive trust
- intransitive trust