3.8 Authentication and Authorization Solutions

Authentication Management

hardware-based authentication = physical authentication key that the user possesses, e.g. a YubiKey

trusted platform module (TPM) - cryptographic functions

hardware security module (HSM) - high-end cryptographic hardware

knowledge-based authentication (KBA) - use personal knowledge as authentication factor


PAP and CHAP

authentication to a network

password authentication protocol (PAP) = basic auth method used in legacy OSs; the password is sent over the link in clear text (non-encrypted password exchange)

challenge-handshake authentication protocol (CHAP) = challenge/response method in which the password itself never crosses the network; a three-way handshake occurs:

  1. once the link is established, the server sends a random challenge message
  2. the client responds with a hash calculated from the challenge and the password
  3. the server computes the expected hash from the same challenge and its own copy of the password and compares it with the hash it received

MS-CHAP = Microsoft's implementation of CHAP, commonly used with the point-to-point tunneling protocol (PPTP); MS-CHAPv2 is no longer considered secure, so use L2TP/IPsec or 802.1X instead
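The CHAP handshake above, as an added example that is not part of the original notes. The response is computed exactly as RFC 1994 specifies (MD5 over the one-byte identifier, the secret and the challenge); the credential store, user name and secret are constructed for the demo. It also shows the two properties a defender cares about: only the hash crosses the wire, and a captured response cannot be replayed because each challenge is single-use. Note the trade-off the notes do not spell out: the server must hold the secret itself in order to recompute the hash.

```python
import hashlib
import hmac
import os

# Constructed credential store. CHAP requires the server to keep the actual
# secret (not a one-way password hash) so it can recompute the response.
SECRETS = {"alice": b"correct horse battery staple"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: Response = MD5(Identifier || secret || Challenge) per RFC 1994."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Server side of the three-way handshake: issue challenge, verify response."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}  # name -> (identifier, challenge) awaiting a response

    def challenge(self, name: str):
        """Step 1: link is up, send a fresh random challenge to the peer."""
        identifier = os.urandom(1)[0]
        challenge = os.urandom(16)
        self.pending[name] = (identifier, challenge)
        return identifier, challenge

    def verify(self, name: str, response: bytes) -> bool:
        """Step 3: recompute the expected hash and compare in constant time."""
        if name not in self.pending:
            return False  # no outstanding challenge: stale or replayed response
        identifier, challenge = self.pending.pop(name)  # challenge is single-use
        secret = self.secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_login(server: ChapServer, name: str, secret: bytes) -> bool:
    """Run the full handshake. Only `name` and `wire` ever leave the client."""
    identifier, challenge = server.challenge(name)
    wire = chap_response(identifier, secret, challenge)  # step 2, what an eavesdropper sees
    return server.verify(name, wire)


def replay_is_rejected(server: ChapServer, name: str, secret: bytes) -> bool:
    """Capture one valid response and present it again: the server must refuse it."""
    identifier, challenge = server.challenge(name)
    captured = chap_response(identifier, secret, challenge)
    first = server.verify(name, captured)
    second = server.verify(name, captured)  # no pending challenge any more
    return first and not second


if __name__ == "__main__":
    srv = ChapServer(SECRETS)
    print("login:", chap_login(srv, "alice", SECRETS["alice"]))
    print("wrong secret:", chap_login(srv, "alice", b"guess"))
    print("replay rejected:", replay_is_rejected(srv, "alice", SECRETS["alice"]))
```

Contrast this with PAP, where the equivalent of `wire` would be the password bytes themselves; with CHAP an on-path observer sees only a 16-byte MD5 digest bound to a challenge that will never be issued again.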


Identity and Access Services

RADIUS (remote authentication dial-in user service) - centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service

TACACS+ (terminal access controller access-control system) - handles remote authentication and related services for networked access control through a centralized server. Unlike RADIUS, TACACS+ separates the authentication, authorization, and accounting processes, providing more flexibility and control, and it encrypts the entire body of the packet, providing greater security for the management of network devices.

Kerberos - network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. Key components:

  • key distribution center (KDC) = central authority that provides temporary tickets and session keys. The KDC has two parts: the Authentication Server (AS) and the Ticket Granting Server (TGS)

  • tickets = used to authenticate and establish sessions between clients and services

  • principal = a user or service that can authenticate using Kerberos

802.1X = network access control protocol that provides an authentication mechanism for devices wishing to connect to a LAN or WLAN.
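The Kerberos components above, as an added simulation that is not part of the original notes and not real Kerberos code: it walks a principal through the AS exchange (obtain a TGT), the TGS exchange (obtain a service ticket) and presentation of that ticket to a service, so the roles of KDC, tickets and principals are visible in one run. Everything cryptographic is a stand-in: the encrypt-then-MAC `seal`/`unseal` pair built from HMAC-SHA256 replaces Kerberos' real cipher suites, the password-to-key step is a bare SHA-256 instead of the real salted string-to-key function, and the principal names, passwords and ticket lifetimes are constructed for the demo. What it does show accurately is the trust structure: the password never leaves the client, the TGT is opaque to the client because only the TGS key opens it, and the service validates a ticket using only its own key, never by contacting the KDC.

```python
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (stand-in for Kerberos enctypes): nonce || ct || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("ticket/authenticator rejected: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # toy string-to-key, no salt


class KDC:
    """Holds the principal database and both halves of the KDC: AS and TGS."""

    def __init__(self, principals: dict, lifetime: int = 3600):
        self.principals = principals          # principal name -> long-term key
        self.tgs_key = os.urandom(32)         # key of the krbtgt principal
        self.lifetime = lifetime

    def as_exchange(self, client: str):
        """AS-REQ/AS-REP: hand out a TGT plus a TGS session key sealed under the client's key."""
        sk_tgs = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "key": sk_tgs.hex(),
                                  "exp": time.time() + self.lifetime})
        enc_part = seal(self.principals[client], {"key": sk_tgs.hex()})
        return enc_part, tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: validate TGT + authenticator, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        sk_tgs = bytes.fromhex(t["key"])
        auth = unseal(sk_tgs, authenticator)    # proves the client knows sk_tgs
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        sk_svc = os.urandom(32)
        ticket = seal(self.principals[service], {"client": t["client"], "key": sk_svc.hex(),
                                                 "exp": time.time() + self.lifetime})
        return seal(sk_tgs, {"key": sk_svc.hex()}), ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """The service checks the ticket with its own key only; no round trip to the KDC."""
    t = unseal(service_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]  # the authenticated principal


def access_service(kdc: KDC, name: str, password: str, service: str) -> str:
    """Client side, end to end. Raises ValueError on a wrong password or bad ticket."""
    enc_part, tgt = kdc.as_exchange(name)
    sk_tgs = bytes.fromhex(unseal(key_from_password(password), enc_part)["key"])
    authenticator = seal(sk_tgs, {"client": name, "ts": time.time()})
    enc_svc, ticket = kdc.tgs_exchange(tgt, authenticator, service)
    sk_svc = bytes.fromhex(unseal(sk_tgs, enc_svc)["key"])
    authenticator = seal(sk_svc, {"client": name, "ts": time.time()})
    return service_accept(kdc.principals[service], ticket, authenticator)


def build_demo_kdc() -> KDC:
    """Constructed realm: one user principal and one service principal."""
    return KDC({"alice": key_from_password("correct horse battery"),
                "host/fileserver": os.urandom(32)})


if __name__ == "__main__":
    kdc = build_demo_kdc()
    print("fileserver sees principal:", access_service(kdc, "alice", "correct horse battery", "host/fileserver"))
```

A wrong password surfaces at the client as a failed `unseal` of the AS-REP encrypted part: the KDC handed out a TGT without ever checking the password, which is exactly why real deployments enable pre-authentication so that offline guessing against AS-REP material is not possible.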


Federated Identities

Establishment of mutual trust between separate IT systems or organizations, enabling them to share resources and data securely

SSO (single sign-on) = allows users to log in once and gain access to multiple systems without the need for multiple logins. Common standards used in federation include SAML (Security Assertion Markup Language), OAuth, and OpenID Connect, which facilitate secure information exchange for authentication and authorization.


Access Control

Authorization - process of ensuring only authorized rights are exercised

Mandatory Access Control (MAC) - operating system limits the operation on an object, based on security clearance levels - strict security model in which access rights and permissions are assigned based on regulations and policies established by a central authority - access to resource objects (like files and directories) is determined by settings configured by the system administrator and based on the user’s clearance level, as well as the classification of the information

Discretionary Access Control (DAC) - owners or creators of files, programs, or other resources have the authority to decide who can access those resources and what permissions they have - more flexibility than MAC, as permissions can be changed by the resource owner rather than requiring administrative intervention - like Google Docs

Role-based access control (RBAC) - an approach to restricting system access to authorized users based on their role within an organization - users are assigned roles, and those roles are then granted permissions to perform certain operations - can be seen as a type of MAC if roles are assigned by a central authority and cannot be changed by users - like AWS service roles

Attribute-based access control (ABAC) - access decisions are based on attributes. These attributes can be related to the user (such as department or role), the resource (like the classification of the data), the action (like read or write), and the context (such as time of day or location)

Rule-based access control (RuBAC) - the system administrator defines the rules that govern access to resource objects. Access decisions are typically based on conditions set within the rules, such as time-of-day restrictions, the state of the system, or the location of the user or resource
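A small policy evaluator, added here as an example that is not part of the original notes, to make the RBAC/ABAC/RuBAC distinctions concrete. Each rule is a predicate over the four attribute groups the ABAC entry names (user, resource, action, context); an RBAC check is just a rule that looks only at the user's role, and a RuBAC time-of-day restriction is a rule that looks only at the context. The policy is deny-by-default and evaluates explicit deny rules before permit rules, which is the convention of most real engines (e.g. AWS IAM) but is a design choice of this example. Departments, classifications, hours and users are all constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attrs = Dict[str, object]


@dataclass
class Rule:
    name: str
    effect: str                                   # "permit" or "deny"
    matches: Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)

    def decide(self, user: Attrs, resource: Attrs, action: str, ctx: Attrs) -> str:
        """Deny overrides permit; nothing matching means deny (default-deny)."""
        hits = [r for r in self.rules if r.matches(user, resource, action, ctx)]
        if any(r.effect == "deny" for r in hits):
            return "deny"
        if any(r.effect == "permit" for r in hits):
            return "permit"
        return "deny"

    def explain(self, user: Attrs, resource: Attrs, action: str, ctx: Attrs) -> List[str]:
        """Names of the rules that fired; useful when logging access decisions."""
        return [r.name for r in self.rules if r.matches(user, resource, action, ctx)]


# Constructed policy combining the three styles from the notes.
POLICY = Policy([
    # RBAC: the decision depends only on the user's role.
    Rule("auditors-read-anything", "permit",
         lambda u, r, a, c: u["role"] == "auditor" and a == "read"),
    # ABAC: user department vs resource owner department, plus action.
    Rule("own-department-read-write", "permit",
         lambda u, r, a, c: u["dept"] == r["owner_dept"] and a in ("read", "write")),
    # ABAC: classification vs clearance (MAC-like ordering expressed as attributes).
    Rule("clearance-too-low", "deny",
         lambda u, r, a, c: LEVEL[u["clearance"]] < LEVEL[r["classification"]]),
    # RuBAC: administrator-defined condition on context only.
    Rule("no-writes-outside-business-hours", "deny",
         lambda u, r, a, c: a == "write" and not (9 <= c["hour"] < 18)),
])

LEVEL = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def check(user: Attrs, resource: Attrs, action: str, ctx: Attrs) -> str:
    return POLICY.decide(user, resource, action, ctx)


if __name__ == "__main__":
    alice = {"role": "engineer", "dept": "payments", "clearance": "confidential"}
    ledger = {"owner_dept": "payments", "classification": "confidential"}
    print(check(alice, ledger, "write", {"hour": 11}))   # permit
    print(check(alice, ledger, "write", {"hour": 22}))   # deny: RuBAC hours rule
    print(POLICY.explain(alice, ledger, "write", {"hour": 22}))
```

Keeping `explain` alongside `decide` is deliberate: an access-control engine that cannot say which rule produced a decision is very hard to audit, and the rule names are what you would emit into the access log.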

Privileged access management (PAM) - refers to the strategies and technologies used to control and monitor the access and activities of privileged users — those with administrative or special access to critical systems and data

  • Account Management: Includes managing the lifecycle of privileged accounts, ensuring that privileges are granted according to need and revoked when no longer necessary.

  • Session Monitoring and Recording: Often includes the ability to monitor and record sessions for auditing and forensics.

  • Credential Protection: Involves securing credentials for privileged accounts, often through vaults or other secure storage mechanisms, and frequently involves rotating passwords.
