IT Security: Defense Against The Digital Dark Arts. Week 3: AAA Security (Not Roadside Assistance)

11 September 2022
27 test answers

question
How is authentication different from authorization?
answer
authentication is verifying an identity, authorization is verifying access to a resource; Authentication is proving that an entity is who they claim to be, while authorization is determining whether or not that entity is permitted to access resources.
question
What are some characteristics of a strong password? Check all that apply.
answer
is at least eight characters long; includes numbers and special characters. A strong password should contain a mix of character types and cases, and should be relatively long -- at least eight characters, but preferably more.
question
In a multi-factor authentication scheme, a password can be thought of as:
answer
something you know; Since a password is something you memorize, it's something you know when talking about multi-factor authentication schemes.
question
What are some drawbacks to using biometrics for authentication? Check all that apply.
answer
there are potential privacy concerns; biometric authentication is difficult or impossible to change if compromised. If a biometric characteristic, like your fingerprints, is compromised, your only option for changing your "password" is to use a different finger. This makes "password" changes limited. Other biometrics, like iris scans, can't be changed at all if compromised. If biometric authentication material isn't handled securely, then identifying information about the individual can leak or be stolen.
question
In what way are U2F tokens more secure than OTP generators?
answer
they're resistant to phishing attacks; With one-time-password generators, the one-time password can be captured by a phishing page along with the username and password and relayed to the real site before it expires. U2F is designed so that this relay fails: the token signs the server's challenge together with the origin the browser is actually talking to, using public key cryptography, so a response obtained by a phishing site at a different origin does not verify at the legitimate site.
question
What elements of a certificate are inspected when a certificate is verified? Check all that apply.
answer
"not valid before" date; trust of the signatory CA; "not valid after" date. To verify a certificate, the period of validity must be checked, along with the signature of the signing certificate authority, to ensure that it's a trusted one.
question
What is a CRL?
answer
Certificate Revocation List; CRL stands for "Certificate Revocation List." It's a list published by a CA, which contains certificates issued by the CA that are explicitly revoked, or made invalid.
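The checks the two answers above describe (the validity window, trust of the signing CA, and the CA's CRL) written out against Go's standard library. This is an added example, not part of the original answer set: the CA name, the host name service.example, the serial numbers and the fixed date used as "now" are all constructed for the demonstration. It builds a throwaway root CA, issues two certificates, revokes one of them through a CRL, and reports the outcome of each check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// anchor is a fixed "now" so the validity checks below are reproducible.
var anchor = time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC)

// caTemplate describes a root CA allowed to sign certificates and CRLs.
func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: anchor.Add(-24 * time.Hour), NotAfter: anchor.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate describes a server certificate with the given serial and validity window.
func leafTemplate(serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "service.example"}, // hypothetical host
		NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// sign has parentKey issue tmpl for the public key pub and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// issueCRL publishes the CA-signed list of revoked serial numbers.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) ([]byte, error) {
	var revoked []pkix.RevokedCertificate
	for _, s := range serials {
		revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: anchor})
	}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: anchor, NextUpdate: anchor.Add(24 * time.Hour), RevokedCertificates: revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkCertificate applies the checks from the answer: validity period and trust of
// the signing CA (both inside Verify), then whether the CA's CRL lists the serial.
func checkCertificate(leaf, ca *x509.Certificate, roots *x509.CertPool, crlDER []byte, at time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at})
	if inv, ok := err.(x509.CertificateInvalidError); ok && inv.Reason == x509.Expired {
		if at.Before(leaf.NotBefore) { return "not yet valid" } // Go reports both ends of the window as Expired
		return "expired"
	}
	if _, ok := err.(x509.UnknownAuthorityError); ok { return "untrusted CA" }
	if err != nil { return "invalid: " + err.Error() }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil {
		return "bad CRL" // never act on a list the CA did not sign
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 { return "revoked" }
	}
	return "ok"
}

// runCertScenario builds a throwaway PKI and exercises each outcome.
func runCertScenario() (map[string]string, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	caTmpl := caTemplate("Example Root CA")
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil { return nil, err }
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // shared by both leaves for brevity
	if err != nil { return nil, err }
	nb, na := anchor.Add(-time.Hour), anchor.Add(90*24*time.Hour)
	good, err1 := sign(leafTemplate(100, nb, na), ca, &leafKey.PublicKey, caKey)
	revoked, err2 := sign(leafTemplate(101, nb, na), ca, &leafKey.PublicKey, caKey)
	crl, err3 := issueCRL(ca, caKey, 101)
	for _, e := range []error{err1, err2, err3} { if e != nil { return nil, e } }
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return map[string]string{
		"valid":         checkCertificate(good, ca, roots, crl, anchor),
		"not yet valid": checkCertificate(good, ca, roots, crl, anchor.Add(-2*time.Hour)),
		"expired":       checkCertificate(good, ca, roots, crl, anchor.Add(100*24*time.Hour)),
		"untrusted CA":  checkCertificate(good, ca, x509.NewCertPool(), crl, anchor), // CA not in trust store
		"revoked":       checkCertificate(revoked, ca, roots, crl, anchor),
	}, nil
}

func main() { fmt.Println(runCertScenario()) }
```

The order of the checks matters: the certificate is only compared against the CRL once it chains to a trusted CA, and the CRL is only consulted once its own signature has been checked against that CA. Skipping the second step would let anyone who can reach the client substitute a revocation list of their own choosing.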
question
What are the names of similar entities that a Directory server organizes entities into?
answer
organizational units; Directory servers have organizational units, or OUs, that are used to group similar entities.
question
True or false: The Network Access Server handles the actual authentication in a RADIUS scheme.
answer
false; The Network Access Server only relays the authentication messages between the RADIUS server and the client; it doesn't make an authentication evaluation itself.
question
True or false: Clients authenticate directly against the RADIUS server.
answer
false; Clients don't actually interact directly with the RADIUS server; the authentication is relayed via the Network Access Server.
question
What does a Kerberos authentication server issue to a client that successfully authenticates?
answer
ticket-granting ticket; Once authenticated, a Kerberos client receives a ticket-granting ticket from the authentication server. This TGT can then be presented to the ticket-granting service to obtain a service ticket for a specific service, which is what the client shows to that service to get access.
question
What advantages does single sign-on offer? Check all that apply.
answer
it reduces the total number of credentials; it reduces time spent authenticating. SSO allows one set of credentials to be used to access various services across sites. This reduces the total number of credentials that might otherwise be needed. SSO authentication also issues an authentication token after a user authenticates using username and password. This token then automatically authenticates the user until the token expires. So, users don't need to reauthenticate multiple times throughout a work day.
question
What does OpenID provide?
answer
authentication delegation; OpenID allows authentication to be delegated to a third-party authentication service.
question
What role does authorization play?
answer
it determines whether or not an entity has access to a resource; Authorization has to do with what resource a user or account is permitted or not permitted to access.
question
What does OAuth provide?
answer
Access delegation; OAuth is an open authorization protocol that allows account access to be delegated to third parties, without disclosing account credentials directly.
question
How is auditing related to accounting?
answer
Accounting is recording access and usage, while auditing is reviewing these records; Accounting involves recording resource and network access and usage. Auditing is reviewing these usage records by looking for any anomalies.
question
Authentication is concerned with determining _______.
answer
identity; Authentication is concerned with confirming the identities of individuals.
question
Authorization is concerned with determining ______ to resources.
answer
access; Authorization deals with determining access to resources.
question
Security Keys utilize a secure challenge-and-response authentication system, which is based on ________.
answer
public key cryptography; Security keys use public key cryptography to perform a secure challenge response for authentication.
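A model of the challenge-and-response exchange described in the U2F and Security Keys answers above, added here as an example and not taken from the course. The site bank.example, the phishing site evil.example, the Site and Token types, and the message layout (a simplification of U2F's authentication message: hash of the origin, user-presence byte, counter, hash of the client data) are all constructed for the demonstration. The token signs a hash of the origin the browser reports, and the site rebuilds the message from its own origin before checking the signature, so a response obtained by a phishing site does not verify at the real one; the counter also rejects a replayed response.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Token models a U2F authenticator: one registered key pair and a signature counter.
type Token struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

// Assertion is what the browser hands back to the site. Origin is where the
// browser actually was; the token signed a hash of that same origin.
type Assertion struct {
	Origin    string
	Counter   uint32
	Signature []byte
}

// signedData is the authentication message: SHA-256(origin) || user-presence
// byte || counter || SHA-256(challenge || origin). Token and site both rebuild
// it, which is what binds the origin into the signature.
func signedData(origin string, counter uint32, challenge []byte) []byte {
	app := sha256.Sum256([]byte(origin))
	client := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(app[:], 0x01)
	msg = append(msg, ctr[:]...)
	return append(msg, client[:]...)
}

// Sign is what the token does when the browser at origin presents a challenge.
func (t *Token) Sign(origin string, challenge []byte) (Assertion, error) {
	t.counter++
	digest := sha256.Sum256(signedData(origin, t.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, digest[:])
	return Assertion{Origin: origin, Counter: t.counter, Signature: sig}, err
}

// Site is the relying party: its own origin, the registered public key, the
// challenge it last issued and the highest counter it has accepted so far.
type Site struct {
	Origin      string
	pub         *ecdsa.PublicKey
	challenge   []byte
	lastCounter uint32
}

// NewChallenge issues a fresh random challenge for the next login attempt.
func (s *Site) NewChallenge() []byte {
	s.challenge = make([]byte, 32)
	rand.Read(s.challenge) // crypto/rand does not fail on supported platforms
	return s.challenge
}

// Verify rebuilds the message from the site's OWN origin and challenge, so an
// assertion signed for any other origin fails whatever its Origin field claims.
// The counter check rejects replays of an earlier assertion.
func (s *Site) Verify(a Assertion) bool {
	if a.Origin != s.Origin || a.Counter <= s.lastCounter { return false }
	digest := sha256.Sum256(signedData(s.Origin, a.Counter, s.challenge))
	if !ecdsa.VerifyASN1(s.pub, digest[:], a.Signature) { return false }
	s.lastCounter = a.Counter
	return true
}

// runU2FScenario plays out a genuine login, a phishing relay and a replay.
func runU2FScenario() (map[string]bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	token := &Token{key: key}
	site := &Site{Origin: "https://bank.example", pub: &key.PublicKey} // hypothetical site
	// Genuine login: the browser really is on bank.example.
	genuine, err := token.Sign(site.Origin, site.NewChallenge())
	if err != nil { return nil, err }
	res := map[string]bool{"genuine": site.Verify(genuine)}
	// Phishing: evil.example relays bank.example's real challenge, but the
	// browser tells the token it is on evil.example, so that is what gets signed.
	phished, err := token.Sign("https://evil.example", site.NewChallenge())
	if err != nil { return nil, err }
	res["phished"] = site.Verify(phished)
	phished.Origin = site.Origin // the phisher rewrites the claimed origin
	res["phished, origin rewritten"] = site.Verify(phished)
	// Replay: the earlier genuine assertion is presented once more.
	res["replayed"] = site.Verify(genuine)
	return res, nil
}

func main() { fmt.Println(runU2FScenario()) }
```

Contrast this with an OTP: the digits the user types carry no information about where they were typed, so a phishing page that relays them to the real site within the validity window gets in. Nothing in the exchange above can be relayed that way, because the origin is part of what was signed and the site never trusts the origin the client claims, only the one it computes itself.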
question
The authentication server is to authentication as the ticket granting service is to _______. (Options: integrity, identification, verification, authorization)
answer
authorization; The authentication server (AS) verifies the client's identity and issues the ticket-granting ticket. The ticket-granting service (TGS) then decides whether to issue a service ticket for a particular service, which is the authorization step. (The originally recorded answer, "identification", was marked incorrect.)
question
Which of these are examples of "something you have" for multifactor authentication? Check all that apply.
answer
OTP generator; An OTP (one-time password) generator is a physical token that produces a short-lived code, so the token itself is "something you have". RSA SecurID token; The RSA SecurID token is a common OTP generator: a small battery-powered device with an LCD display.
question
A Lightweight Directory Access Protocol (LDAP) uses a _____ structure to hold directory objects. (Options: Data Information Tree, Bind, Organizational Unit, Distinguished Name)
answer
Data Information Tree; LDAP holds directory objects in a Data Information Tree (DIT), a hierarchy in which each entry is identified by its Distinguished Name. Organizational Units are containers within that tree rather than the structure itself, and Bind is an operation, not a structure. (The originally recorded answer, "Organizational Unit", was marked incorrect.)
question
A systems administrator is designing a directory architecture to support Linux servers using Lightweight Directory Access Protocol (LDAP). The directory needs to be able to make changes to directory objects securely. Which of these common operations supports these requirements?
answer
StartTLS, delete; StartTLS permits a client to communicate securely using LDAPv3 over TLS. The delete operation can make a change to a directory object.
question
Kerberos enforces strict _____ requirements, otherwise authentication will fail.
answer
Time; Kerberos enforces strict time requirements, requiring the client and server clocks to be relatively closely synchronized, otherwise authentication will fail.
question
In the three As of security, which part pertains to describing what the user account does or doesn't have access to?
answer
Authorization; Authorization pertains to describing what the user account does or doesn't have access to.
question
An Open Authorization (OAuth) access token would have a _____ that tells what the third party app has access to.
answer
scope; An Open Authorization (OAuth) access token would have a scope that tells what the third party app has access to.
question
What does a Terminal Access Controller Access Control System Plus (TACACS+) keep track of? Check all that apply.
answer
user authentication; TACACS+ tracks user authentication. commands that were run; TACACS+ tracks the commands that were run by a user. systems users authenticated to; TACACS+ tracks the devices or systems that a user authenticated to.