Here is Week 27 of the Google IT Support Professional Certification course on coursera.org. This is week 4 of course 5, Defense Against the Digital Dark Arts. We’re looking at AAA Security.
Authentication Best Practices
The Three As of It security are Authentication, Authorization, and Accounting.
A basic form of authentication that everyone should be familiar with is the username and password combination used to access online services.
Identification is the concept of “describing an entity uniquely.” Your email address is your identity when you are logging into an email service.
Authentication is verification of your identity, confirmed by entering a correct password. (This is kind of just an assumed verification—passwords can be stolen.)
Authorization is the level or amount of resources you are given access to once you have been authenticated.
These are often referred to as “authn” for authentication and “authz” for authorization.
Strong passwords help secure authentication systems, but strong passwords are hard to remember. Passwords that are easy to remember are probably weak passwords. This tradeoff is common in security—security vs. usability.
Security can best be thought of as risk mitigation. Understand the risks to systems and implement the best, most secure protections available that still allow the system to function. The most secure computer system is disconnected from the internet, air-gapped from other computers, powered of u unplugged, encased in concrete and lying at the bottom of the ocean and was never built in the first place. The trade-off.
It is important to know what strong passwords are and to try to implement password integrity and hygiene in your organization. Substituting “1” for “I” and “$” for “s” is not protecting anything anymore.
Good password systems ensure security. A strong password policy will incorporate length requirements, character complexity, and check for dictionary words. Sharing passwords, writing them down, and using them for multiple accounts are all bad practices.
Password rotation policies help protect against unknown password vulnerabilities. But the period a password is valid cannot be too short, because the inconvenience will make the organization less functional by encouraging poor security practices.
Single factor authentication is a system that uses one piece of information to authenticate an identity.
Multifactor authentication is a system that authenticates users based on multiple pieces of information or objects. These factors can be categorized into three distinct types and a good multifactor system will incorporate at least two different types:
- Something you know: password / PIN
- Something you have: Physical token such as ATM card
- Something you are: Biometric ID such as fingerprint
It is harder for attackers to steal multiple types of authentication tokens. Two passwords are not that much more secure than one. But adding a physical token, such as a debit card with a chip, adds another more complex layer of security.
Physical tokens can be USB devices with tokens embedded in them, standalone devices that generate tokens, or even actual keys for actual locks.
Short-term tokens are usually numbers generated for use in a limited time frame. They are referred to as one-time passwords, or OTPs.
An RSA SecurID Token is a small battery-powered device with an LCD display. It generates a time-based token (sometimes called a TOTP for some reason) and operates by having a “secret seed” or randomly generated value on the token that is registered with the authentication server. The token uses the time and this seed value to create a password that will authenticate. The user just needs to have the token or be able to see the LCD display.
These systems usually rely on Network Time Protocol (NTP) to synchronize the time between token and server.
A similar system of “counter based” token generation is seeded with an initial value and a secret counter value that increments to a new password value after every time it authenticates.
OTP tokens using SMS messages are very common, but somewhat problematic because you are relying on the security of the SMS carrier. It is also easy to impersonate a victim and gain recovery control over their device.
Using an OTP system adds a layer of complexity when used with a smartphone or smartphone app. There is also always the risk of users falling for phishing attacks, and compromising the system to a man-in-the-middle attack.
Biometrics use unique physiological characteristics of a user to authenticate users. Fingerprint scanners are common in smartphones now.
It is very important not to store biometric data, due to the serious privacy implications as well as the near-impossibility of changing biometric characteristics.
Biometric features are not very “shareable” and this makes them more secure than other systems.
U2F is a standard for two-factor authentication that is currently being finalized. U2F uses security keys with embedded processors that store asymmetric keys. Support for U2F is built into Chrome and the Opera browser and is coming to Firefox soon.
Here’s how a security key works:
First the key is registered with a site or authentication service. The key generates a private-public key pair that is unique to that site and submits the public key for registration with the site. Then it binds the identity of the site with the key pair.
When you next go to log in to the site, you will enter your username and password, and will then be prompted to press a button on the key. This is a check for user presence, and protects from some forms of remote attack. Pressing the button unlocks the private key on the security key device, and is then authenticated.
This session is conducted as a unique “call and response” session so that eavesdroppers cannot reuse the session because each response will be unique to that session. This makes a security key system much more secure than OTP systems, and alleviates user frustration due to typing in passwords or using a phone to get a text message and typing that in.
Terrible children are cheating at fingerprint scanners!
We’ve already mentioned that client certificates are issued by CAs (certificate authorities) to establish trust.
“In order to issue client certificates, an organization must setup and maintain CA infrastructure to issue and sign certificates.”
This relationship also includes the client authenticating the server, establishing mutual authentication. This is important because the client should know it is communicating with the real authentication server.
Certificates have two dates that will need to be verified during authentication: “Not valid before” and “not valid after.” These are almost self-explanatory, but note that certificates can be issued for future use.
Certificates will be checked against a Certificate Revocation List (CRL), a signed list published by a CA enumerating certificates that have been revoked.
The last step in server verification is a “challenge-response” mechanism that checks if the server has possession of the private key.
I’m sure you all recall LDAP, the Lightweight Directory Access Protocol, which is an open protocol for accessing and maintaining directory services. We’ve covered this in a previous course, which I will try to link to in the future.
Directories manage data in data information trees, including user and computer profiles, identities, policies, etc. This is the whole parent/child relationship between objects. It is similar to a filesystem, but the “folders” are called Organizational Units, (OUs).
Entries in a directory must have what is called a distinguished name, or DN.
Common actions a client can request from an LDAP server are Bind, which is how a client authenticates; StartTLS, which permits a client to communicate LDAP v3 over TLS; Search for looking up records; add/delete/modify which write data to the directory; And unbind which closes the connection to the server.
Remote Authentication Dian-In User Service is a protocol that provides AAA services to users on a network. RADIUS started as a service for dial-up protocols, but has evolved. It can now handle many different authentication protocols, including EAP, or Extensible Authentication Protocol.
Clients don’t directly authenticate to a RADIUS server, but rather contact a NAS that relays the request and itself authenticates the client with the RADIUS server. Once the server has processed the request it will respond with one of three responses: Access Reject, Access Challenge, or Access Accept.
Kerberos is a network authentication protocol. It uses “tickets” to authenticate entities over possibly insecure network channels, thereby granting mutual authentication. It uses symmetric encryption.
Kerberos was published in the 1980s. It uses checksums to validate data.
Kerberos is the default authentication protocol for Windows domains.
Tickets in Kerberos are a kind of token used to authenticate to services without using a username/password. Tickets expire after some time, but it can be configured to auto-renew.
The authentication process works like this:
First, a client logs into their machine using their username and password. Their Kerberos client software will use their password and generate a symmetric encryption key. The Kerberos client hen sends a plaintext message to the Kerberos Authentication Server (AS), and includes the user ID. The AS checks that there is a valid user with that ID.
If there is a matching user, the AS will generate a private key using the stored password hash in the Key Distribution Center server, or KDC.
The AS then uses the private key to encrypt a message containing a client TGS session key, which allows communication with a Ticket Granting Service. It also sends a Ticket Granting Ticket (TGT) which has been encrypted using the TGS secret key. The TGT contains the client ID, ticket validity dates, and the client ticket granting service session key, so that that the second message can be decrypted.
There follows is a nearly impenetrable jumble of messages being encrypted, sent, decrypted, from server to client and back to server. The point being that Kerberos does a lot of work during authentication. I am not going to need these specifics probably ever, and if I do, I will feel fine relearning this. Anyone starting out in IT will not be tasked with anything understanding the intricacies of the Kerberos authentication process.
Kerberos is a single monolithic service, and has been criticized for being a single point of failure danger. If Kerberos servers go down, nothing can authenticate. If a Kerberos server is compromised, attackers can create valid tickets for accounts, and be able to pose as any user.
Kerberos uses NTP to synchronize servers and clients.
Kerberos only allows authentication with devices that have already established trust in the Kerberos server. This makes BYOD (bring your own device) very difficult or impossible in Kerberos environments.
Terminal Access Controller Access-Control System Plus is a really great name for something. It is an AAA protocol developed by Cisco and released as an open standard in 1993. It replaced TACACS, and XTACACS.
TACACS+ is used primarily for administration, authentication, authorization, and accounting for devices.
Single Sign-On (SSO) is an authentication concept that “allows users to authenticate once and be granted access to many different services or applications.”
SSO works by authenticating to a central authentication server, which provides a token or cookie that can be used to access multiple services.
This reduces the number of usernames and passwords that users must remember, thus reducing the number of insecurely stored passwords.
This may reduce support overhead for lost or forgotten account info, but also grants successful attackers access to more services and data than if authentication was done separately.
OpenID is an example of an SSO system. It allows participating sites, known as relying parties to rely on a third party authentication service.
Rob Path to IT
Rob liked video games as a child. He may have said more, I kind of drifted off.
Authorization and Access Control Methods
Authorization is the second “A” in AAA. Authentication verifies the identity of a user, and authorization describes what a user account has access to.
There is some overlap between authentication and authorization, in that a user may be able to authenticate to a service except for that they have not been authorized to do so, they will be denied.
A popular open standard for authorization is OAuth.
OAuth is an open standard which “allows users to grant third-party websites and applications access to their information without sharing account credentials.”
Once a user agrees to share specified information, the service is granted a token by the identity provider, and the third-party can access information held by the identity provider.
OAuth is primarily used to interact with APIs and applications. It is important to understand what a third party will be granted access to when using OAuth.
OAuth permissions can be used in phishing attacks, and can gain access to accounts without requiring compromised credentials.
Authorization systems allow you to give admin credentials to people who need them, like the networking people, and keep lower-level employees at appropriate access levels.
RADIUS authentication systems can be configured for authorization control.
An OAuth-based phishing attack in 2017.
Access Control List
An Access Control List (ACL) is a way to define permissions and authorizations for objects.
Filesystems have ACLs, which specify access permissions (read-only, read-write, etc) and determine which users have which permissions. Individual Access Control Entries make up the ACL.
ACLs are used extensively in network security by applying access control to routers, switches, firewalls, etc., or to restrict inbound and outbound traffic.
Tracking Usage and Access
Accounting is the final “A” in AAA. Accounting, in this context, means recording what resources and services users accessed, and what they did when using a system.
Auditing these records is a review intended to maintain compliance, and is a critical component of security and accounting.
Accounting systems may focus differently depending on use and configuration.
A TACACS+ server will be more oriented to keeping track of user authentications, what commands they ran, and what services they authenticated to, because TACACS+ is a device AAA system.
A Cisco AAA system will track command executions, connections to network devices, and network services and system details.
RADIUS is a network access AAA system, and will track things like network access and usage, client location, bandwidth, etc.
Rob Important Skills in Security
This guy shares some more deep thoughts on helping people.
I think this week’s assignment was abandoned at the last minute, because what’s his name said in the final video that they had a neat project for us. But no, it was just a quiz…
See you next week for Network Security.
Homer's Odyssey | Translated by Norbert A.D. Albertson | Paperback
The Hapless Rube's Apocalypse Survival Guide | by Jack Barker
Democracy in Black: How Race Still Enslaves the American Soul | by Eddie S. Glaude Jr.
HTML and CSS: Design and Build Websites 1st Edition by Jon Duckett
Live Work Work Work Work Die | by Corey Pein
WD 4TB Black My Passport Portable External Hard Drive - USB 3.0Lenovo 320 Business Laptop PC 15.6" Intel i7-7500U 2.7GHz Processor 12GB DDR4 RAM 256GB SSD Sony XB20 Portable Wireless Speaker with Bluetooth NETGEAR R6700 Nighthawk AC1750 Dual Band Smart WiFi Router Google WiFi system, 3-Pack - Router replacement for whole home coverage