5. Identity and Access Management

Sam Bowne
Sam BowneInstructor at CCSF
CNIT 125:
Information Security
Professional
(CISSP
Preparation)
Ch 5. Identity and Access
Management
Authentication Methods
Authentication Methods
• Type 1: Something you know
• Easiest and weakest method
• Type 2: Something you have
• Type 3: Something you are
• A fourth type is where you are
Passwords: Four Types
• Static passwords
• Passphrases
• One-time passwords
• Dynamic passwords
Static Passwords
• Reusable passwords that may or may not
expire
• Typically user-generated
• Work best when combined with another
authentication type, such as a smart card
or biometric control
Passphrases
• Long static passwords comprised of
words in a phrase or sentence
• "I will pass the CISSP in 6 months!"
• Stronger if you use nonsense words, mix
case, and use numbers and symbols
One-Time Passwords
• Very secure but difficult to manage
• Impossible to reuse, valid only for one
use
Dynamic Passwords
• Change at regular
intervals
• Tokens are expensive
Strong Authentication
• Also called Multifactor Authentication
• More than one authentication factor
• Ex: ATM card and PIN
Password Guessing
• May be detected from system logs
• Clipping levels distinguish malicious
attacks from normal users
• Ex: more than five failed logins per
hour
• Account lockout after a number of failed
login attempts
Password Hashes and
Password Cracking
• Plaintext passwords are not usually
stored on a system anymore
• Password hash is stored instead
• Password cracking
• Calculating hash for a long list of
passwords, trying to match the hash
value
Password Hashes
• Stored in /etc/shadow on Unix systems
• In SAM (Security Accounts Manager) file
(part of the Registry) on Windows
• Local account hashes stored on local
system drive
• Domain account hashes stored on
domain controller
• Hashes also cached on the local
system after a domain login
Capturing Hashes
• May be sniffed from network traffic
• Or read from RAM with fgdump or
Metasploit's hashdump
• SAM file is locked while the operating
system is running
• LANMAN (LM) hash doesn't change
Dictionary Attack
• Use a list of possible passwords
• Fast and efficient technique
• Countermeasure: password complexity
and length rules
Brute Force and Hybrid Attacks
• Brute Force: try all possible combinations of
characters
• Slow, but much faster with GPUs (Graphical
Processing Units)
• Rainbow tables trade time for memory
• Most effective on unsalted passwords, like
Microsoft's
• Hybrid attack
• Uses a dictionary and modifications of the
words, like 1337sp33k
Salts
• A random value added to the password
before hashing
• If two users have the same password, the
hash is different
• Makes rainbow tables less useful
5. Identity and Access Management
Password Control
• Users often write down passwords and
place them somewhere unsafe
• Like sticky notes on monitors
Type 2 Authentication
Something You Have
• Synchronous Dynamic Token
• Synchronized with a central server
• Uses time or counter to change values
• Ex: RSA's SecureID, Google
Authenticator
• Asynchronous Dynamic Token
• Not synchronized with a central server
• Ex: Challenge-response token
• User must enter challenge and PIN
5. Identity and Access Management
Type 3 Authentication
Something You Are
• Enrollment
• Registering users with a biometric
system
• Ex: taking fingerprints
• Should take 2 minutes or less
• Throughput
• Time required to authenticate a user
• Typically 6-10 seconds
Accuracy of Biometric Systems
• False Reject Rate (FRR) -- Type I errors
• False Accept Rate (FAR) -- Type II errors
• Crossover Error Rate (CER)
Types of Biometric Controls
• Fingerprints are most common
• Data is mathematical representation of
minutiae -- details of fingerprint whorls,
ridges, bifurcation, etc.
5. Identity and Access Management
Retina Scan
• Laser scan of the capillaries that feed the
retina in the back of the eye
• Rarely used because of health risks and
invasion-of-privacy issues
• Exchange of bodily fluids should be
avoided
Iris Scan
• Passive biometric control
• Can be done without subject's
knowledge
• Camera photographs the iris (colored
portion of the eye)
• Compares photo to database
• Works through contact lenses and glasses
• High accuracy, no exchange of bodily
fluids
Hand Geometry
• Measure length, width, thickness, and
surface area of hand
• Simple, can require as little as 9 bytes of
data
Keyboard Dynamics
• How hard a person presses each key
• Rhythm of keypresses
• Cheap to implement and effective
Dynamic Signature
• Process of signing with a pen
• Similar to keyboard dynamics
Voiceprint
• Vulnerable to replay attack
• So other access controls must be
combined with it
• Voices may change due to illness,
leading to a false rejection
Facial Scan
• Also called facial recognition
• Passive but expensive
• Not commonly used for authentication
• Law enforcement and security agencies
use facial recognition at high-value,
publicly accessible targets
• Superbowl XXXV was the first major
sporting event to use facial recognition
to look for terrorists in 2001 (link Ch 6a)
Someplace You Are
• Location found from GPS or IP address
• Can deny access if the subject is in the
incorrect location
• Credit card companies use this
technique to detect fraud
• Transactions from abroad are rejected,
unless the user notifies the credit card
company of the trip
34
1
Access Control Technologies
Centralized Access Control
• One logical point for access control
• Can provide Single Sign-On (SSO)
• One authentication allows access to
multiple systems
• Can centrally provide AAA services
• Authentication
• Authorization
• Accountability
Decentralized Access Control
• Local sites maintain independent
systems
• Provides more local power over data
• Risks: adherence to policies may vary
• Attackers may find the weakest link
• Note: DAC is Discretionary Access
Control; not Decentralized Access
Control
Single Sign-On (SSO)
• One central system for authentication
• More convenient for users and
administrators
• Risks: single point of attack, and
increased damage from a compromise or
unattended desktop
Session Management of Single Sign On
• SSO should always be combined with
dual-factor authentication
• But an attacker might hijack an
authenticated session
• Session timeouts and locking
screensavers should be used
• Users should be trained to lock their
workstations when they leave their desks
Access Provisioning Lifecycle
• Password policy compliance checking
• Notify users when passwords are about to
expire
• Identify life cycle changes, such as accounts
inactive for 30 days or new accounts that are
unused for 10 days
• Revoke access rights when contracts expire
• Coordinate account revocation with human
resources; include termination, horizontal,
and vertical moves
User Entitlement, Access Review,
and Audit
• Access aggregation occurs when a user
gains more access to more systems
• Authorization creep --users gain more
entitlement without shedding the old
ones
• Can defeat least privilege and separation
of duties
• Entitlements must be regularly reviewed
and audited
Federated Identity Management
• Applies Single Sign-On across
organizations
• A trusted authority provides a digital
identity above the enterprise level
• In practice, Facebook seems to be the
world's identity authority
• Link Ch 6b
SAML
• Security Assertion Markup Language
• XML-based framework for exchanging
security information
• Including authentication data
• Enables SSO at Internet scale
Identity as a Service (IDaaS)
• Also called "Cloud Identity"
• Integrates easily with cloud hosted
applications and third party services
• Easier deployment of two-factor auth.
• Compounds challenges with internal
identity management and account/
access revocation
• Larger attack services
• Ex: Microsoft Accounts (formerly Live ID)
Credential Management Systems
• Password managers, may offer:
• Secure password generation
• Secure password storage
• Reduction in the number of passwords
users must remember
• Multifactor authentication to unlock
credentials
• Audit logging of all interactions
Integrating Third-party Identity Services
• Hosting a third-party ID service locally,
within an enterprise
• Allows internal applications to integrate
with a cloud identity
LDAP
• Lightweight Directory Access Protocol
• Used by most internal identity services
• Including Active Directory
• LDAP uses TCP or UDP 389
• Can use plaintext transmission
• Supports authenticated connection and
secure transmissions with TLS
Kerberos
• Third-party authentication service
developed at MIT
• Prevents eavesdropping and replay
attacks
• Provides integrity and secrecy
• Uses symmetric encryption and mutual
authentication
5. Identity and Access Management
Kerberos Operational Steps
1. Principal (Alice) contacts the KDC (Key
Distribution Center) requesting
authentication
2. KDC sends user a session key, encrypted
with Alice's secret key. KDC also sends a
TGT (Ticket Granting Ticket) encrypted
with the TGS's secret key.
3. Alice decrypts the session key and uses it
to request permission from the TGS
(Ticket Granting Service)
Kerberos Operational Steps
4. TGS verifies Allice's session key and
sends her a second session key "C/S
session key" to use to print. TGS also
sends a service ticket, encrypted with
the printer's key
5. Alice connects to the printer. Printer
sees a valid C/S session key, so
provides service
5. Identity and Access Management
Time in Kerberos
• TGT lifetime is typically 10 hours
• Authenticators contain a timestamp
• Will be rejected if more than 5 minutes ol
• Clocks must be synchronized on all
systems
Kerberos Weaknesses
• KDC stores all keys
• Compromise of KDC exposes them all
• KDC and TGS are single points of failure
• Replay attacks possible for lifetime of
authenticator
• Kerberos 4 allowed one user to request a
session key for another user, which could be
used to guess a password
• A weakness closed in Kerberos 5
• Plaintext keys can be stolen from a client's RAM
SESAME
• Secure European System for
Applications in a Multi-vendor
Environment
• Has new features not present in
Kerberos
• Most important: public-key encryption
• This avoids Kerberos' plaintext storage
of symmetric keys
RADIUS and Diameter
• Remote Authentication Dial In User
Service
• Uses UDP ports 1812 and 1813
• An AAA server
• Diameter is RADIUS' successor
• Uses TCP and can manage policies for
many services from a single server
TACACS and TACACS+
• Terminal Access Controller Access
Control System
• Uses UDP port 49 and may use TCP port
49
• TACACS+ is newer
• Allows two-factor authentication
• Encrypts all data (RADIUS only encrypts
the password)
• Not backwards-compatible with TACACS
PAP and CHAP
• Password Authentication Protocol
• Plaintext transmission
• Vulnerable to sniffing
• Challenge Handshake Authentication
Protocol
• Server sends client a challenge
• Client adds challenge to secret and
hashes it, and transmits that
• Resists sniffing attacks
Microsoft Active Directory Domains
• Groups users and network access into
domains
• Uses Kerberos
• Domains can have trust relationships
• One-way or two-way
• Nontransitive or transitive
• A transitive trust extends to any other
domain either partner trusts
• "Friend of a friend"
Access Control Models
Three Models
• Discretionary Access Control (DAC)
• Mandatory Access Control (MAC)
• Non-Discretionary Access Control
Discretionary Access Control (DAC)
• Owners have full control over assets
• Can share them as they wish
• Unix and Windows file systems use DAC
• User errors can expose confidential data
Mandatory Access Control (MAC)
• Subjects have clearance
• Objects have labels
• Typically Confidential, Secret, and Top
Secret
• MAC is expensive and difficult to
implement
Non-Discretionary Access Control
• Users don't have discretion when
accessing objects
• Cannot transfer objects to other subjects
• Two types:
• Role-Based Access Control (RBAC)
• Task-based access control
Role-Based Access Control (RBAC)
• Subjects have roles, like Nurse, Backup
Administrator, or Help Desk Technician
• Permissions are assigned to roles, not
individuals
Task-Based Access Control
• Works like RBAC, but focuses on the
tasks each subject must perform
• Such as writing prescriptions, restoring
data from a backup tap,or opening a help
desk ticket
Rule-Based Access Control
• Uses a set of rules, in "it/then" format
• Ex: firewall rules
Content- and Context-Dependent
Access Controls
• May be added to other systems for defense-
in-depth
• Content-dependent access control
• Additional criteria beyond identification and
authorization
• Employees may be allowed to see their own
HR data, but not the CIO's data
• Context-dependent access controls
• Applies additional context, such as time of
day
70
2
1 of 70

Recommended

Identity and Access Management 101 by
Identity and Access Management 101Identity and Access Management 101
Identity and Access Management 101Jerod Brennen
32.5K views20 slides
Identity and Access Management Introduction by
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
31K views27 slides
Privileged Access Management (PAM) by
Privileged Access Management (PAM)Privileged Access Management (PAM)
Privileged Access Management (PAM)danb02
9.8K views23 slides
Privileged Access Management - 2016 by
Privileged Access Management - 2016Privileged Access Management - 2016
Privileged Access Management - 2016Lance Peterman
2.8K views26 slides
IDENTITY ACCESS MANAGEMENT by
IDENTITY ACCESS MANAGEMENTIDENTITY ACCESS MANAGEMENT
IDENTITY ACCESS MANAGEMENTProf. Jacques Folon (Ph.D)
2.3K views103 slides
Building Your Roadmap Sucessful Identity And Access Management by
Building Your Roadmap Sucessful Identity And Access ManagementBuilding Your Roadmap Sucessful Identity And Access Management
Building Your Roadmap Sucessful Identity And Access ManagementGovernment Technology Exhibition and Conference
5.4K views40 slides

More Related Content

What's hot

Identity & access management by
Identity & access managementIdentity & access management
Identity & access managementVandana Verma
1.7K views11 slides
Access Control Presentation by
Access Control PresentationAccess Control Presentation
Access Control PresentationWajahat Rajab
45.1K views97 slides
Cybersecurity roadmap : Global healthcare security architecture by
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
8.5K views22 slides
CISSP Prep: Ch 6. Identity and Access Management by
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access ManagementSam Bowne
2.4K views68 slides
Chapter 1 Security Framework by
Chapter 1   Security FrameworkChapter 1   Security Framework
Chapter 1 Security FrameworkKarthikeyan Dhayalan
3.2K views14 slides
Introduction to NIST Cybersecurity Framework by
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity FrameworkTuan Phan
9.5K views48 slides

What's hot(20)

Identity & access management by Vandana Verma
Identity & access managementIdentity & access management
Identity & access management
Vandana Verma1.7K views
Access Control Presentation by Wajahat Rajab
Access Control PresentationAccess Control Presentation
Access Control Presentation
Wajahat Rajab45.1K views
Cybersecurity roadmap : Global healthcare security architecture by Priyanka Aash
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash8.5K views
CISSP Prep: Ch 6. Identity and Access Management by Sam Bowne
CISSP Prep: Ch 6. Identity and Access ManagementCISSP Prep: Ch 6. Identity and Access Management
CISSP Prep: Ch 6. Identity and Access Management
Sam Bowne2.4K views
Introduction to NIST Cybersecurity Framework by Tuan Phan
Introduction to NIST Cybersecurity FrameworkIntroduction to NIST Cybersecurity Framework
Introduction to NIST Cybersecurity Framework
Tuan Phan9.5K views
Security Information and Event Management (SIEM) by k33a
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
k33a43.1K views
SOC presentation- Building a Security Operations Center by Michael Nickle
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle49.3K views
Identity and Access Management (IAM): Benefits and Best Practices  by Veritis Group, Inc
Identity and Access Management (IAM): Benefits and Best Practices Identity and Access Management (IAM): Benefits and Best Practices 
Identity and Access Management (IAM): Benefits and Best Practices 
Veritis Group, Inc561 views
Adopting A Zero-Trust Model. Google Did It, Can You? by Zscaler
Adopting A Zero-Trust Model. Google Did It, Can You?Adopting A Zero-Trust Model. Google Did It, Can You?
Adopting A Zero-Trust Model. Google Did It, Can You?
Zscaler1.5K views
Developing an IAM Roadmap that Fits Your Business by ForgeRock
Developing an IAM Roadmap that Fits Your BusinessDeveloping an IAM Roadmap that Fits Your Business
Developing an IAM Roadmap that Fits Your Business
ForgeRock5.4K views
Identity and access management by Piyush Jain
Identity and access managementIdentity and access management
Identity and access management
Piyush Jain194 views
2. access control by 7wounders
2. access control2. access control
2. access control
7wounders3.5K views
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti... by Raffael Marty
Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...Extended Detection and Response (XDR)An Overhyped Product Category With Ulti...
Extended Detection and Response (XDR) An Overhyped Product Category With Ulti...
Raffael Marty976 views

Similar to 5. Identity and Access Management

Information and network security 47 authentication applications by
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applicationsVaibhav Khanna
164 views15 slides
CNIT 129S: Ch 6: Attacking Authentication by
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking AuthenticationSam Bowne
1.2K views66 slides
CNIT 129S - Ch 6a: Attacking Authentication by
CNIT 129S - Ch 6a: Attacking AuthenticationCNIT 129S - Ch 6a: Attacking Authentication
CNIT 129S - Ch 6a: Attacking AuthenticationSam Bowne
851 views71 slides
Information-Security-Lecture-8.pptx by
Information-Security-Lecture-8.pptxInformation-Security-Lecture-8.pptx
Information-Security-Lecture-8.pptxanbersattar
38 views29 slides
CNIT 160 4e Security Program Management (Part 5) by
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)Sam Bowne
151 views62 slides
Track 5 session 2 - st dev con 2016 - security iot best practices by
Track 5   session 2 - st dev con 2016 - security iot best practicesTrack 5   session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practicesST_World
1.2K views40 slides

Similar to 5. Identity and Access Management(20)

Information and network security 47 authentication applications by Vaibhav Khanna
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applications
Vaibhav Khanna164 views
CNIT 129S: Ch 6: Attacking Authentication by Sam Bowne
CNIT 129S: Ch 6: Attacking AuthenticationCNIT 129S: Ch 6: Attacking Authentication
CNIT 129S: Ch 6: Attacking Authentication
Sam Bowne1.2K views
CNIT 129S - Ch 6a: Attacking Authentication by Sam Bowne
CNIT 129S - Ch 6a: Attacking AuthenticationCNIT 129S - Ch 6a: Attacking Authentication
CNIT 129S - Ch 6a: Attacking Authentication
Sam Bowne851 views
Information-Security-Lecture-8.pptx by anbersattar
Information-Security-Lecture-8.pptxInformation-Security-Lecture-8.pptx
Information-Security-Lecture-8.pptx
anbersattar38 views
CNIT 160 4e Security Program Management (Part 5) by Sam Bowne
CNIT 160 4e Security Program Management (Part 5)CNIT 160 4e Security Program Management (Part 5)
CNIT 160 4e Security Program Management (Part 5)
Sam Bowne151 views
Track 5 session 2 - st dev con 2016 - security iot best practices by ST_World
Track 5   session 2 - st dev con 2016 - security iot best practicesTrack 5   session 2 - st dev con 2016 - security iot best practices
Track 5 session 2 - st dev con 2016 - security iot best practices
ST_World 1.2K views
Entrepreneurship & Commerce in IT - 11 - Security & Encryption by Sachintha Gunasena
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Sachintha Gunasena394 views
Authenticationtechnologies 120711134100-phpapp01 by Hai Nguyen
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01
Hai Nguyen276 views
Protecting Sensitive Data (and be PCI Compliant too!) by Security Innovation
Protecting Sensitive Data (and be PCI Compliant too!)Protecting Sensitive Data (and be PCI Compliant too!)
Protecting Sensitive Data (and be PCI Compliant too!)
Ch 6: Attacking Authentication by Sam Bowne
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne154 views
CNIT 129S: Ch 7: Attacking Session Management by Sam Bowne
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management
Sam Bowne1.1K views
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver by Micro Focus
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
#MFSummit2016 Secure: Is your mainframe less secure than your fileserver
Micro Focus 1.1K views
Single sign on - benefits, challenges and case study : iFour consultancy by Devam Shah
Single sign on - benefits, challenges and case study :  iFour consultancySingle sign on - benefits, challenges and case study :  iFour consultancy
Single sign on - benefits, challenges and case study : iFour consultancy
Devam Shah2K views
Lock it Down: Access Control for IBM i by Precisely
Lock it Down: Access Control for IBM iLock it Down: Access Control for IBM i
Lock it Down: Access Control for IBM i
Precisely132 views
Security 101: Protecting Data with Encryption, Tokenization & Anonymization by Precisely
Security 101: Protecting Data with Encryption, Tokenization & AnonymizationSecurity 101: Protecting Data with Encryption, Tokenization & Anonymization
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
Precisely278 views
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme... by Jason Hong
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Knock x Knock: The Design and Evaluation of a Unified Authentication Manageme...
Jason Hong233 views
Key Concepts for Protecting the Privacy of IBM i Data by Precisely
Key Concepts for Protecting the Privacy of IBM i DataKey Concepts for Protecting the Privacy of IBM i Data
Key Concepts for Protecting the Privacy of IBM i Data
Precisely264 views
Crypto passport authentication by David Hoen
Crypto passport authenticationCrypto passport authentication
Crypto passport authentication
David Hoen107 views

More from Sam Bowne

Cyberwar by
CyberwarCyberwar
CyberwarSam Bowne
15 views22 slides
3: DNS vulnerabilities by
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities Sam Bowne
40 views40 slides
8. Software Development Security by
8. Software Development Security8. Software Development Security
8. Software Development SecuritySam Bowne
24 views85 slides
4 Mapping the Application by
4 Mapping the Application4 Mapping the Application
4 Mapping the ApplicationSam Bowne
62 views88 slides
3. Attacking iOS Applications (Part 2) by
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)Sam Bowne
33 views45 slides
12 Elliptic Curves by
12 Elliptic Curves12 Elliptic Curves
12 Elliptic CurvesSam Bowne
54 views50 slides

More from Sam Bowne(20)

3: DNS vulnerabilities by Sam Bowne
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
Sam Bowne40 views
8. Software Development Security by Sam Bowne
8. Software Development Security8. Software Development Security
8. Software Development Security
Sam Bowne24 views
4 Mapping the Application by Sam Bowne
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
Sam Bowne62 views
3. Attacking iOS Applications (Part 2) by Sam Bowne
 3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
Sam Bowne33 views
12 Elliptic Curves by Sam Bowne
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
Sam Bowne54 views
11. Diffie-Hellman by Sam Bowne
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
Sam Bowne58 views
2a Analyzing iOS Apps Part 1 by Sam Bowne
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
Sam Bowne42 views
9 Writing Secure Android Applications by Sam Bowne
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
Sam Bowne31 views
12 Investigating Windows Systems (Part 2 of 3) by Sam Bowne
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
Sam Bowne30 views
12 Investigating Windows Systems (Part 1 of 3 by Sam Bowne
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
Sam Bowne59 views
9. Hard Problems by Sam Bowne
9. Hard Problems9. Hard Problems
9. Hard Problems
Sam Bowne43 views
8 Android Implementation Issues (Part 1) by Sam Bowne
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
Sam Bowne23 views
11 Analysis Methodology by Sam Bowne
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
Sam Bowne12 views
8. Authenticated Encryption by Sam Bowne
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
Sam Bowne71 views
7. Attacking Android Applications (Part 2) by Sam Bowne
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
Sam Bowne35 views
7. Attacking Android Applications (Part 1) by Sam Bowne
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
Sam Bowne29 views
5. Stream Ciphers by Sam Bowne
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
Sam Bowne108 views
6 Scope & 7 Live Data Collection by Sam Bowne
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
Sam Bowne124 views

Recently uploaded

Gross Anatomy of the Liver by
Gross Anatomy of the LiverGross Anatomy of the Liver
Gross Anatomy of the Liverobaje godwin sunday
77 views12 slides
JRN 362 - Lecture Twenty-Three (Epilogue) by
JRN 362 - Lecture Twenty-Three (Epilogue)JRN 362 - Lecture Twenty-Three (Epilogue)
JRN 362 - Lecture Twenty-Three (Epilogue)Rich Hanley
41 views57 slides
DISTILLATION.pptx by
DISTILLATION.pptxDISTILLATION.pptx
DISTILLATION.pptxAnupkumar Sharma
65 views47 slides
Parts of Speech (1).pptx by
Parts of Speech (1).pptxParts of Speech (1).pptx
Parts of Speech (1).pptxmhkpreet001
46 views20 slides
STRATEGIC MANAGEMENT MODULE 1_UNIT1 _UNIT2.pdf by
STRATEGIC MANAGEMENT MODULE 1_UNIT1 _UNIT2.pdfSTRATEGIC MANAGEMENT MODULE 1_UNIT1 _UNIT2.pdf
STRATEGIC MANAGEMENT MODULE 1_UNIT1 _UNIT2.pdfDr Vijay Vishwakarma
130 views68 slides
ICS3211_lecture 09_2023.pdf by
ICS3211_lecture 09_2023.pdfICS3211_lecture 09_2023.pdf
ICS3211_lecture 09_2023.pdfVanessa Camilleri
141 views10 slides

Recently uploaded(20)

JRN 362 - Lecture Twenty-Three (Epilogue) by Rich Hanley
JRN 362 - Lecture Twenty-Three (Epilogue)JRN 362 - Lecture Twenty-Three (Epilogue)
JRN 362 - Lecture Twenty-Three (Epilogue)
Rich Hanley41 views
Parts of Speech (1).pptx by mhkpreet001
Parts of Speech (1).pptxParts of Speech (1).pptx
Parts of Speech (1).pptx
mhkpreet00146 views
12.5.23 Poverty and Precarity.pptx by mary850239
12.5.23 Poverty and Precarity.pptx12.5.23 Poverty and Precarity.pptx
12.5.23 Poverty and Precarity.pptx
mary850239381 views
Creative Restart 2023: Leonard Savage - The Permanent Brief: Unearthing unobv... by Taste
Creative Restart 2023: Leonard Savage - The Permanent Brief: Unearthing unobv...Creative Restart 2023: Leonard Savage - The Permanent Brief: Unearthing unobv...
Creative Restart 2023: Leonard Savage - The Permanent Brief: Unearthing unobv...
Taste55 views
Create a Structure in VBNet.pptx by Breach_P
Create a Structure in VBNet.pptxCreate a Structure in VBNet.pptx
Create a Structure in VBNet.pptx
Breach_P86 views
NodeJS and ExpressJS.pdf by ArthyR3
NodeJS and ExpressJS.pdfNodeJS and ExpressJS.pdf
NodeJS and ExpressJS.pdf
ArthyR348 views
ANGULARJS.pdf by ArthyR3
ANGULARJS.pdfANGULARJS.pdf
ANGULARJS.pdf
ArthyR351 views
Guess Papers ADC 1, Karachi University by Khalid Aziz
Guess Papers ADC 1, Karachi UniversityGuess Papers ADC 1, Karachi University
Guess Papers ADC 1, Karachi University
Khalid Aziz99 views
Education of marginalized and socially disadvantages segments.pptx by GarimaBhati5
Education of marginalized and socially disadvantages segments.pptxEducation of marginalized and socially disadvantages segments.pptx
Education of marginalized and socially disadvantages segments.pptx
GarimaBhati543 views
Nelson_RecordStore.pdf by BrynNelson5
Nelson_RecordStore.pdfNelson_RecordStore.pdf
Nelson_RecordStore.pdf
BrynNelson546 views

5. Identity and Access Management

  • 3. Authentication Methods • Type 1: Something you know • Easiest and weakest method • Type 2: Something you have • Type 3: Something you are • A fourth type is where you are
  • 4. Passwords: Four Types • Static passwords • Passphrases • One-time passwords • Dynamic passwords
  • 5. Static Passwords • Reusable passwords that may or may not expire • Typically user-generated • Work best when combined with another authentication type, such as a smart card or biometric control
  • 6. Passphrases • Long static passwords comprised of words in a phrase or sentence • "I will pass the CISSP in 6 months!" • Stronger if you use nonsense words, mix case, and use numbers and symbols
  • 7. One-Time Passwords • Very secure but difficult to manage • Impossible to reuse, valid only for one use
  • 8. Dynamic Passwords • Change at regular intervals • Tokens are expensive
  • 9. Strong Authentication • Also called Multifactor Authentication • More than one authentication factor • Ex: ATM card and PIN
  • 10. Password Guessing • May be detected from system logs • Clipping levels distinguish malicious attacks from normal users • Ex: more than five failed logins per hour • Account lockout after a number of failed login attempts
  • 11. Password Hashes and Password Cracking • Plaintext passwords are not usually stored on a system anymore • Password hash is stored instead • Password cracking • Calculating hash for a long list of passwords, trying to match the hash value
  • 12. Password Hashes • Stored in /etc/shadow on Unix systems • In SAM (Security Accounts Manager) file (part of the Registry) on Windows • Local account hashes stored on local system drive • Domain account hashes stored on domain controller • Hashes also cached on the local system after a domain login
  • 13. Capturing Hashes • May be sniffed from network traffic • Or read from RAM with fgdump or Metasploit's hashdump • SAM file is locked while the operating system is running
  • 14. • LANMAN (LM) hash doesn't change
  • 15. Dictionary Attack • Use a list of possible passwords • Fast and efficient technique • Countermeasure: password complexity and length rules
  • 16. Brute Force and Hybrid Attacks • Brute Force: try all possible combinations of characters • Slow, but much faster with GPUs (Graphical Processing Units) • Rainbow tables trade time for memory • Most effective on unsalted passwords, like Microsoft's • Hybrid attack • Uses a dictionary and modifications of the words, like 1337sp33k
  • 17. Salts • A random value added to the password before hashing • If two users have the same password, the hash is different • Makes rainbow tables less useful
  • 19. Password Control • Users often write down passwords and place them somewhere unsafe • Like sticky notes on monitors
  • 20. Type 2 Authentication Something You Have • Synchronous Dynamic Token • Synchronized with a central server • Uses time or counter to change values • Ex: RSA's SecureID, Google Authenticator • Asynchronous Dynamic Token • Not synchronized with a central server • Ex: Challenge-response token • User must enter challenge and PIN
  • 22. Type 3 Authentication Something You Are • Enrollment • Registering users with a biometric system • Ex: taking fingerprints • Should take 2 minutes or less • Throughput • Time required to authenticate a user • Typically 6-10 seconds
  • 23. Accuracy of Biometric Systems • False Reject Rate (FRR) -- Type I errors • False Accept Rate (FAR) -- Type II errors • Crossover Error Rate (CER)
  • 24. Types of Biometric Controls • Fingerprints are most common • Data is mathematical representation of minutiae -- details of fingerprint whorls, ridges, bifurcation, etc.
  • 26. Retina Scan • Laser scan of the capillaries that feed the retina in the back of the eye • Rarely used because of health risks and invasion-of-privacy issues • Exchange of bodily fluids should be avoided
  • 27. Iris Scan • Passive biometric control • Can be done without subject's knowledge • Camera photographs the iris (colored portion of the eye) • Compares photo to database • Works through contact lenses and glasses • High accuracy, no exchange of bodily fluids
  • 28. Hand Geometry • Measure length, width, thickness, and surface area of hand • Simple, can require as little as 9 bytes of data
  • 29. Keyboard Dynamics • How hard a person presses each key • Rhythm of keypresses • Cheap to implement and effective
  • 30. Dynamic Signature • Process of signing with a pen • Similar to keyboard dynamics
  • 31. Voiceprint • Vulnerable to replay attack • So other access controls must be combined with it • Voices may change due to illness, leading to a false rejection
  • 32. Facial Scan • Also called facial recognition • Passive but expensive • Not commonly used for authentication • Law enforcement and security agencies use facial recognition at high-value, publicly accessible targets • Superbowl XXXV was the first major sporting event to use facial recognition to look for terrorists in 2001 (link Ch 6a)
  • 33. Someplace You Are • Location found from GPS or IP address • Can deny access if the subject is in the incorrect location • Credit card companies use this technique to detect fraud • Transactions from abroad are rejected, unless the user notifies the credit card company of the trip
  • 34. 34 1
  • 36. Centralized Access Control • One logical point for access control • Can provide Single Sign-On (SSO) • One authentication allows access to multiple systems • Can centrally provide AAA services • Authentication • Authorization • Accountability
  • 37. Decentralized Access Control • Local sites maintain independent systems • Provides more local power over data • Risks: adherence to policies may vary • Attackers may find the weakest link • Note: DAC is Discretionary Access Control; not Decentralized Access Control
  • 38. Single Sign-On (SSO) • One central system for authentication • More convenient for users and administrators • Risks: single point of attack, and increased damage from a compromise or unattended desktop
  • 39. Session Management of Single Sign On • SSO should always be combined with dual-factor authentication • But an attacker might hijack an authenticated session • Session timeouts and locking screensavers should be used • Users should be trained to lock their workstations when they leave their desks
  • 40. Access Provisioning Lifecycle • Password policy compliance checking • Notify users when passwords are about to expire • Identify life cycle changes, such as accounts inactive for 30 days or new accounts that are unused for 10 days • Revoke access rights when contracts expire • Coordinate account revocation with human resources; include termination, horizontal, and vertical moves
  • 41. User Entitlement, Access Review, and Audit • Access aggregation occurs when a user gains more access to more systems • Authorization creep --users gain more entitlement without shedding the old ones • Can defeat least privilege and separation of duties • Entitlements must be regularly reviewed and audited
  • 42. Federated Identity Management • Applies Single Sign-On across organizations • A trusted authority provides a digital identity above the enterprise level • In practice, Facebook seems to be the world's identity authority
  • 44. SAML • Security Assertion Markup Language • XML-based framework for exchanging security information • Including authentication data • Enables SSO at Internet scale
  • 45. Identity as a Service (IDaaS) • Also called "Cloud Identity" • Integrates easily with cloud hosted applications and third party services • Easier deployment of two-factor auth. • Compounds challenges with internal identity management and account/ access revocation • Larger attack services • Ex: Microsoft Accounts (formerly Live ID)
  • 46. Credential Management Systems • Password managers, may offer: • Secure password generation • Secure password storage • Reduction in the number of passwords users must remember • Multifactor authentication to unlock credentials • Audit logging of all interactions
  • 47. Integrating Third-party Identity Services • Hosting a third-party ID service locally, within an enterprise • Allows internal applications to integrate with a cloud identity
  • 48. LDAP • Lightweight Directory Access Protocol • Used by most internal identity services • Including Active Directory • LDAP uses TCP or UDP 389 • Can use plaintext transmission • Supports authenticated connection and secure transmissions with TLS
  • 49. Kerberos • Third-party authentication service developed at MIT • Prevents eavesdropping and replay attacks • Provides integrity and secrecy • Uses symmetric encryption and mutual authentication
  • 51. Kerberos Operational Steps 1. Principal (Alice) contacts the KDC (Key Distribution Center) requesting authentication 2. KDC sends user a session key, encrypted with Alice's secret key. KDC also sends a TGT (Ticket Granting Ticket) encrypted with the TGS's secret key. 3. Alice decrypts the session key and uses it to request permission from the TGS (Ticket Granting Service)
  • 52. Kerberos Operational Steps 4. TGS verifies Allice's session key and sends her a second session key "C/S session key" to use to print. TGS also sends a service ticket, encrypted with the printer's key 5. Alice connects to the printer. Printer sees a valid C/S session key, so provides service
  • 54. Time in Kerberos • TGT lifetime is typically 10 hours • Authenticators contain a timestamp • Will be rejected if more than 5 minutes ol • Clocks must be synchronized on all systems
  • 55. Kerberos Weaknesses • KDC stores all keys • Compromise of KDC exposes them all • KDC and TGS are single points of failure • Replay attacks possible for lifetime of authenticator • Kerberos 4 allowed one user to request a session key for another user, which could be used to guess a password • A weakness closed in Kerberos 5 • Plaintext keys can be stolen from a client's RAM
  • 56. SESAME • Secure European System for Applications in a Multi-vendor Environment • Has new features not present in Kerberos • Most important: public-key encryption • This avoids Kerberos' plaintext storage of symmetric keys
  • 57. RADIUS and Diameter • Remote Authentication Dial In User Service • Uses UDP ports 1812 and 1813 • An AAA server • Diameter is RADIUS' successor • Uses TCP and can manage policies for many services from a single server
  • 58. TACACS and TACACS+ • Terminal Access Controller Access Control System • Uses UDP port 49 and may use TCP port 49 • TACACS+ is newer • Allows two-factor authentication • Encrypts all data (RADIUS only encrypts the password) • Not backwards-compatible with TACACS
  • 59. PAP and CHAP • Password Authentication Protocol • Plaintext transmission • Vulnerable to sniffing • Challenge Handshake Authentication Protocol • Server sends client a challenge • Client adds challenge to secret and hashes it, and transmits that • Resists sniffing attacks
  • 60. Microsoft Active Directory Domains • Groups users and network access into domains • Uses Kerberos • Domains can have trust relationships • One-way or two-way • Nontransitive or transitive • A transitive trust extends to any other domain either partner trusts • "Friend of a friend"
  • 62. Three Models • Discretionary Access Control (DAC) • Mandatory Access Control (MAC) • Non-Discretionary Access Control
  • 63. Discretionary Access Control (DAC) • Owners have full control over assets • Can share them as they wish • Unix and Windows file systems use DAC • User errors can expose confidential data
  • 64. Mandatory Access Control (MAC) • Subjects have clearance • Objects have labels • Typically Confidential, Secret, and Top Secret • MAC is expensive and difficult to implement
  • 65. Non-Discretionary Access Control • Users don't have discretion when accessing objects • Cannot transfer objects to other subjects • Two types: • Role-Based Access Control (RBAC) • Task-based access control
  • 66. Role-Based Access Control (RBAC) • Subjects have roles, like Nurse, Backup Administrator, or Help Desk Technician • Permissions are assigned to roles, not individuals
  • 67. Task-Based Access Control • Works like RBAC, but focuses on the tasks each subject must perform • Such as writing prescriptions, restoring data from a backup tap,or opening a help desk ticket
  • 68. Rule-Based Access Control • Uses a set of rules, in "it/then" format • Ex: firewall rules
  • 69. Content- and Context-Dependent Access Controls • May be added to other systems for defense- in-depth • Content-dependent access control • Additional criteria beyond identification and authorization • Employees may be allowed to see their own HR data, but not the CIO's data • Context-dependent access controls • Applies additional context, such as time of day
  • 70. 70 2