Domain 5 - Identity and Access Management

Domain 5 covers identity and access management, which involves provisioning and managing identities and access for humans and information systems. It addresses identification and authorization of users, systems, and services. CISSP candidates will be tested on identity management systems, authentication methods, access control technologies and models, and related terms and concepts. Key access control concepts include the CIA triad of confidentiality, integrity, and availability, as well as identification, authentication, authorization, and accountability (AAA). Common access control models are discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC).

Uploaded by

Ngoc Do

Domain 5: Identity and

Access Management
Domain 5: Overview
• Identity and access management is an essential component of
information security
• Involves provisioning and managing the identities and access used in
the interaction of humans and information systems
• Hacker’s Goal: Compromising an identity or an access control system to
gain unauthorized access
• This domain addresses the identification and authorization of users,
systems and services
Domain 5: Overview
CISSP candidates will be tested on:
◦ Identity management systems, single and multi-factor authentication,
accountability, session management, registration and proofing,
federated identity management, and credential management systems.
◦ The integration of third-party cloud-based and on-premise identity
services
◦ Knowledge of implementing and managing authorization mechanisms
including those based on role-based, rule-based, mandatory and
discretionary access control
Domain 5: Identity and Access Management main topics:
• Authentication Methods
• Access Control Technologies
• Access Control Models
Domain 5: Identity and Access Management
Unique Terms and Definitions
• Crossover Error Rate (CER) – describes the point where the False Reject Rate (FRR)
and False Accept Rate (FAR) are equal.
• Discretionary Access Control (DAC) – gives subjects full control of objects they have
created or been given access to, including sharing the objects with other subjects
• False Accept Rate (FAR) – occurs when an unauthorized subject is accepted by the
biometric system as valid. Also called a Type II error.
• False Reject Rate (FRR) – occurs when an authorized subject is rejected by the
biometric system as unauthorized. Also called a Type I error.
• Mandatory Access Control (MAC) – system-enforced access control based on
subjects' clearances and objects' labels
• Role-Based Access Controls (RBAC) – subjects are grouped into roles and each
defined role has access permissions based upon the role, not the individual
Cornerstone access control concepts
The CIA triad
• CIA stands for confidentiality, integrity, and availability
• All three work together to provide assurance that data and systems
remain secure
• Do not assume that one part of the triad is more important than
another
• Every IT system will require a different prioritization of the three
• The opposite of CIA is disclosure, alteration, and destruction (DAD)
Cornerstone access control concepts
Confidentiality
• Keeping data secret
• Data must only be accessible to users who have the clearance, formal access
approval, and the need to know
• National security information
• Laws (example): the Health Insurance Portability and Accountability Act (HIPAA)
requires that medical providers keep the personal and medical information of their
patients private
• Information may be disclosed by unauthorized access to the system, the unencrypted
transmission of data across an insecure network, or a trusted user relaying
information to an unauthorized user
• Most users have no idea how easy it would be for someone to compromise
confidentiality
Cornerstone access control concepts
Integrity
• Protects against unauthorized alteration of data
• Important when the correctness of data is vital
Availability
• Ensures that information is readily accessible to authorized users or
programs as the information is needed
• Often the least considered part of the CIA triad, but most noticed when
not functioning properly.
• The protection of CIA is everyone’s responsibility in some part.
Identification and AAA
• Identification provides an identity to a system
• Alone it is just a claim
• Must be proven via authentication, which proves an identity claim
• A username is identification and a password is one method for providing authentication
• Identities must be unique
• AAA stands for authentication, authorization, and accountability
• Identity is implied in AAA
• Authorization describes the actions an identified and authenticated user is allowed to take on a
system
• Accountability describes the ability to determine which actions each user performed on a system
• Sharing accounts (identities) harms accountability: policy should forbid sharing accounts, and
security awareness training should educate users about this risk
• Authorization creep occurs when subjects not only maintain old access rights but
gain new ones as they move from one division to another within an organization.
Subjects and objects
• A subject is an active entity on a data system
• People accessing data files
• Running computer programs (e.g. a Dynamic Link Library file or a Perl script that
updates database files)
• An object is any passive data within the system
• Can range from databases to text files
• Objects do not manipulate other objects
Access control models
• The primary models are Discretionary Access Control (DAC), Mandatory
Access Control (MAC), and Non-Discretionary Access Control
• Do not think of one model being better than another
• Each model is used for a specific information security purpose
Discretionary Access Controls (DAC)
• Gives subjects full control of objects they have been given access to,
including sharing the objects with other subjects
• Subjects are empowered and control their data
• Standard UNIX and Windows operating systems use DAC for filesystems
• If a subject makes a mistake, such as attaching the wrong file to an
email sent to a public mailing list, loss of confidentiality can result
• Mistakes and malicious acts can also lead to a loss of integrity or
availability of data
Mandatory Access Controls (MAC)
• System-enforced access control based on subjects' clearances and objects' labels
• Subjects and Objects have clearances and labels, respectively, such as confidential, secret,
and top secret
• A subject may access an object only if the subject’s clearance is equal to or greater than
the object’s label
• Subjects cannot share objects with other subjects who lack the proper clearance, or
“write down” objects to a lower classification level (such as from top secret to secret)
• Usually focused on preserving the confidentiality of data
• Expensive and difficult to implement
• Clearing users is an expensive process
• Some examples of MAC systems are Honeywell’s SCOMP and Purple Penelope
• Developed under tight scrutiny of the U.S. and British Governments
• Another example is the Linux Intrusion Detection System (LIDS; see http://www.lids.org)
• LIDS is a specially hardened Linux distribution that uses MAC
Non-Discretionary Access Control
• Role-Based Access Control (RBAC) defines how information is accessed on a system
based on the role of the subject
• Subjects are grouped into roles and each defined role has access permissions based
upon the role, not the individual
• According to NIST (see http://csrc.nist.gov/rbac), RBAC keeps each role separate on the
system and reduces the exposure of more sensitive accounts
• RBAC is a type of non-discretionary access control because users do not have
discretion regarding the groups of objects they are allowed to access, and are unable
to transfer objects to other subjects
• Task-based access control is another non-discretionary access control model
• Based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a
help desk ticket
• Focuses on specific tasks instead of roles
Content and Context-Dependent Access Controls
• Not full-fledged access control methods
• Typically play a defense-in-depth supporting role
• May be added as an additional control, typically to DAC systems
• Content-dependent access control
• Adds additional criteria beyond identification and authentication: the actual content the subject is attempting to access
• Example: All employees of an organization may have access to the HR database to view their accrued sick time and
vacation time. Should an employee attempt to access the content of the CIO’s HR record, access is denied.
• Context-dependent access control
• Applies additional context before granting access
• A commonly used context is time
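As an added example (not from the slides or any named product), the following Python sketches how decisions differ under the three models described above, plus a time-of-day context-dependent check from the slide just above: a DAC object whose owner grants access, MAC rules comparing the subject's clearance to the object's label (including the no-write-down rule), and RBAC where permissions hang off roles rather than individuals. The classification ordering, role tables, subject names and business hours are constructed.

```python
"""Toy reference monitor contrasting DAC, MAC, RBAC and a context-dependent check.

Added illustration; the rules below are simplified, not any product's implementation.
"""
from dataclasses import dataclass, field

# Classification lattice used by the MAC rules (constructed ordering).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class DacObject:
    """An object under discretionary control: its owner decides who may use it."""
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions

    def grant(self, actor: str, subject: str, perm: str) -> None:
        # DAC: only the owner may share the object with other subjects.
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(subject, set()).add(perm)


def dac_allowed(obj: DacObject, subject: str, perm: str) -> bool:
    return subject == obj.owner or perm in obj.acl.get(subject, set())


def mac_read_allowed(clearance: str, label: str) -> bool:
    # MAC read rule: the subject's clearance must equal or dominate the object's label.
    return LEVELS[clearance] >= LEVELS[label]


def mac_write_allowed(clearance: str, label: str) -> bool:
    # MAC "no write down": a subject may not write to an object labelled below its
    # clearance, so a top-secret subject cannot copy data into a secret object.
    return LEVELS[label] >= LEVELS[clearance]


# RBAC: permissions hang off roles and subjects are assigned roles (constructed data).
ROLE_PERMISSIONS = {
    "pharmacist": {"write_prescription"},
    "backup_operator": {"restore_backup"},
    "help_desk": {"open_ticket"},
}
SUBJECT_ROLES = {"alice": {"pharmacist"}, "bob": {"backup_operator", "help_desk"}}


def rbac_allowed(subject: str, perm: str) -> bool:
    # The decision depends only on the subject's roles, never on the individual.
    return any(perm in ROLE_PERMISSIONS.get(role, set())
               for role in SUBJECT_ROLES.get(subject, set()))


def context_allowed(hour: int, window: tuple = (8, 18)) -> bool:
    # Context-dependent control layered on top of the models above; the context is time.
    start, end = window
    return start <= hour < end


def demo() -> dict:
    """Run each model once and return the decisions."""
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    try:
        report.grant("bob", "carol", "read")  # bob is not the owner
        bob_can_share = True
    except PermissionError:
        bob_can_share = False
    return {
        "dac_bob_read": dac_allowed(report, "bob", "read"),
        "dac_carol_read": dac_allowed(report, "carol", "read"),
        "dac_bob_can_share": bob_can_share,
        "mac_secret_reads_confidential": mac_read_allowed("secret", "confidential"),
        "mac_confidential_reads_secret": mac_read_allowed("confidential", "secret"),
        "mac_top_secret_writes_secret": mac_write_allowed("top secret", "secret"),
        "rbac_alice_prescribes": rbac_allowed("alice", "write_prescription"),
        "rbac_alice_restores": rbac_allowed("alice", "restore_backup"),
        "context_0300": context_allowed(3),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point to notice is where the decision logic lives: in DAC it is the owner's ACL, in MAC it is a system-wide comparison the subject cannot override, and in RBAC the subject's name never appears in the permission table.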
Centralized Access Control
• Concentrates access control in one logical point for a system or organization
• Can be used to provide Single Sign-On (SSO), where a subject may
authenticate once, and then access multiple systems
• Can centrally provide the three “A’s” of access control: Authentication,
Authorization, and Accountability
• Authentication: proving an identity claim
• Authorization: the actions authenticated subjects are allowed to take on a system
• Accountability: the ability to audit a system and demonstrate the actions of subjects
Decentralized Access Control
• Allows IT administration to occur closer to the mission and operations of the
organization
• Also called distributed access control
• Provides more local power: each site has control over its data
• The U.S. military uses decentralized access control in battlefield situations

Exam Warning - Do not get confused on the CISSP exam if asked about DAC compared
to decentralized access control. DAC stands for discretionary access control.
Decentralized access control will always be spelled out on the exam.
Domain 5: Identity and Access Management
Authentication Methods
• A subject first identifies himself or herself; this identification alone cannot be
trusted
• The subject then authenticates by providing an assurance that the
claimed identity is valid
• A credential set is the term used for the combination of both the
identification and authentication of a user
• Three basic authentication methods: Type 1 (something you know),
Type 2 (something you have), and Type 3 (something you are). A fourth
type of authentication is some place you are.
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know
• Requires testing the subject with some sort of challenge and response
where the subject must respond with a knowledgeable answer
• Subject is granted access on the basis of something they know, such as
a password or PIN (Personal Identification Number, a number-based
password)
• The easiest, and often weakest, form of authentication
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know - Passwords
• The cornerstone for access control to IT systems
• Relatively easy and cheap to implement
• Static passwords
• Reusable passwords that may or may not expire
• Typically user-generated and work best when combined with another
authentication type, such as a smart card or biometric control
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know - Passwords
• Passphrases
• Long static passwords, comprised of words in a phrase or sentence
• An example of a passphrase is: “I will pass the CISSP® in 2 months!”
• Usually have less randomness per character compared to shorter complex
passwords (such as “B$%Jiu*!”), but make up for the lack of randomness with
length
• One-time passwords
• Used for a single authentication
• Very secure but difficult to manage
• A one-time password is impossible to reuse and is valid for just one-time use
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know - Passwords
• Dynamic passwords
• Change at regular intervals
• RSA Security makes a synchronous token device called SecurID that generates a
new token code every 60 seconds. The user combines their static PIN with the RSA
dynamic token code to create one dynamic password that changes every time it is
used.
• One drawback when using dynamic passwords is the expense of the tokens
themselves
• Strong authentication (also called multifactor authentication) requires
that the user present more than one authentication factor
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know – Passwords
Password Hashes and Password Cracking
• In most cases, clear text passwords are not stored within an IT system; only the
hashed outputs
• Hashing is a one-way function: an algorithm that uses no key
• When a user attempts to log in, the password they type is hashed, and that hash is
compared against the hash stored on the system
• The hash function cannot be reversed: it is computationally infeasible to run the
algorithm backwards and produce a password from a hash
• An attacker may run the hash algorithm forward many times, selecting various
possible passwords, and comparing the output to a desired hash, hoping to find a
match (and to derive the original password). This is called password cracking.
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know – Passwords
Password Hashes and Password Cracking
• Password hashes for modern UNIX/Linux systems are stored in /etc/shadow
(which is typically readable only by root)
• Windows systems store hashes both locally and on the domain controller (DC)
in a file called the security account management file or SAM file
• Password hashes may be sniffed on networks or read from memory
• The SAM file is locked while the Windows operating system is running: tools
such as fgdump by foofus.net (http://www.foofus.net/fizzgig/fgdump/) can
dump the hashes from memory
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know – Passwords
Dictionary Attacks
• Uses a word list: a predefined list of words, and then runs each word through a hash algorithm
• Fastest type of password attack, but often the least effective

Note - Attackers will often tune their dictionary to their target, adding a Spanish dictionary to their
word list for a target organization with Spanish speakers, or even a Klingon dictionary for an
organization with Star Trek fans. Packetstorm Security maintains multiple dictionaries at:
http://packetstormsecurity.org/Crackers/wordlists/.

• Many organizations require users to create passwords that contain a special character, a number and a capital
letter, and that are eight characters or longer
• Cain & Abel has cracked user deckard’s password with a dictionary attack: his password is
“replicant,” shown as “REPLICANT” as the LM hash, which ignores case
• Access to the SAM file (Windows) and shadow file (UNIX/Linux) should be restricted.
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know – Passwords
Brute-Force and Hybrid Attacks
• Take more time, but are more effective
• Calculates the hash outputs for every possible password
• With the advances in CPU speeds and parallel computing, the time required to brute-force
complex passwords has been considerably reduced
• Attackers may also use a rainbow table for their password attack
• Acts as a database that contains the precomputed hashed output for most or all possible
passwords
• Rainbow tables are not always complete: they may not include possible password/hash
combinations.
• A hybrid attack appends, prepends, or changes characters in words from a dictionary
before hashing, to attempt the fastest crack of complex passwords
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know – Passwords
Tools
1. Brutus
Brutus is one of the most popular remote online password cracking
tools. It claims to be the fastest and most flexible password cracking tool.
This tool is free and is only available for Windows systems. It was
released back in October 2000.
2. RainbowCrack
RainbowCrack is a hash cracker that uses a large-scale time-memory
trade-off for faster password cracking than traditional brute-force
tools. A time-memory trade-off is a computational process in which
all plaintext and hash pairs are calculated using a selected hash
algorithm. After computation, the results are stored in the rainbow table.
This process is very time consuming, but once the table is ready it can
crack a password much faster than brute-force tools.
3. Wfuzz
Wfuzz is another web application password cracking tool that tries to
crack passwords by brute forcing. It can also be used to find hidden
resources such as directories, servlets and scripts. This tool can also identify
different kinds of injection, including SQL injection, XSS injection and LDAP
injection, in web applications.
4. Cain and Abel
Cain and Abel is a well-known password cracking tool that is capable of
handling a variety of tasks. The most notable thing is that the tool is only
available for Windows platforms. It can work as a network sniffer, crack
encrypted passwords using dictionary, brute-force and cryptanalysis
attacks, record VoIP conversations, reveal password boxes, uncover cached
passwords, decode scrambled passwords, and analyze routing protocols.
5. John the Ripper
John the Ripper is another well-known free open source password
cracking tool for Linux, Unix and Mac OS X. A Windows version is also
available. This tool can detect weak passwords. A pro version of the tool
is also available, which offers better features and native packages for
target operating systems. You can also download Openwall GNU/*/Linux
that comes with John the Ripper.
6. THC Hydra
THC Hydra is a fast network logon password cracking tool. When compared
with other similar tools, it shows why it is faster. New modules
are easy to install in the tool, so you can easily add modules and enhance
the features. It is available for Windows, Linux, FreeBSD, Solaris and OS
X. This tool supports various network protocols.
7. Medusa
Medusa is also a password cracking tool similar to THC Hydra. It claims to
be a speedy, parallel, modular login brute-forcing tool. It supports
HTTP, FTP, CVS, AFP, IMAP, MS SQL, MySQL, NCP, NNTP, POP3,
PostgreSQL, pcAnywhere, rlogin, SMB, rsh, SMTP, SNMP, SSH, SVN, VNC,
VmAuthd and Telnet. Host, username and password can each be supplied
as flexible input while performing the attack.
8. OphCrack
OphCrack is a free rainbow-table based password cracking tool for
Windows. It is the most popular Windows password cracking tool, but
can also be used on Linux and Mac systems. It cracks LM and NTLM
hashes. For cracking Windows XP, Vista and Windows 7 passwords, free
rainbow tables are also available.
9. L0phtCrack
L0phtCrack is an alternative to OphCrack. It attempts to crack Windows
passwords from hashes. To obtain the hashes, it can use Windows
workstations, network servers, primary domain controllers, and Active
Directory. It also uses dictionary and brute-force attacks for generating
and guessing passwords. It was acquired by Symantec and discontinued
in 2006. The original L0pht developers later reacquired it and relaunched
L0phtCrack in 2009.
10. Aircrack-NG
Aircrack-NG is a WiFi password cracking tool that can crack WEP or WPA
passwords. It analyzes encrypted wireless packets and then tries to crack
passwords via its cracking algorithm. It uses the FMS attack along with
other attack techniques for cracking passwords. It is available for
Linux and Windows systems. A live CD of Aircrack is also available.
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know – Passwords
Salts
• Allows one password to hash multiple ways
• Some systems (like modern UNIX/Linux systems) combine a salt with a
password before hashing: “The designers of the UNIX operating system
improved on this method by using a random value called a “salt.” A salt value
ensures that the same password will encrypt differently when used by
different users. This method offers the advantage that an attacker must
encrypt the same word multiple times (once for each salt or user) in order to
mount a successful password-guessing attack.”
• Makes rainbow tables far less effective (if not completely ineffective)
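To make the hashing and salt discussion concrete, here is an added Python example (not the page's code and not any operating system's actual scheme): PBKDF2-SHA256 stands in for the system's password hash, a four-word constructed list stands in for an attacker's dictionary, and the functions show that the hash is only ever run forward during login, that the same password stored under two salts gives two different values, and that a table precomputed over unsalted hashes finds a weak password while the salted value is simply not in it.

```python
"""Salted, iterated password hashing versus a precomputed lookup on unsalted hashes.

Added illustration (not the page's or any product's code). PBKDF2 stands in for the
system's password hash; the word list and salts below are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # slows down every guess an attacker makes; tune to the hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>" with a fresh random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login check: run the hash forward with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_hash(password: str) -> str:
    # The weak scheme that salts were introduced to fix: one password, one hash, everywhere.
    return hashlib.sha256(password.encode()).hexdigest()


WORDLIST = ["replicant", "password", "letmein", "welcome1"]  # constructed sample dictionary


def precomputed_table(words) -> dict:
    # In the spirit of a rainbow table: hash the dictionary once, look up many targets.
    return {unsalted_hash(w): w for w in words}


def lookup(table: dict, stored_hash: str) -> Optional[str]:
    return table.get(stored_hash)


def salt_defeats_lookup(password: str) -> bool:
    """True when the table finds the unsalted hash but has no entry for the salted value.

    The table would need one row per salt per word to cover salted hashes, which is
    exactly the extra work the salt imposes on the attacker.
    """
    table = precomputed_table(WORDLIST)
    found_unsalted = lookup(table, unsalted_hash(password)) == password
    salted_digest = hash_password(password).split("$")[-1]
    found_salted = lookup(table, salted_digest) is not None
    return found_unsalted and not found_salted


if __name__ == "__main__":
    stored = hash_password("replicant")
    print("stored:", stored)
    print("login ok:", verify_password("replicant", stored))
    print("salt defeats precomputed lookup:", salt_defeats_lookup("replicant"))
```

Two design choices carry the security weight: the salt is random per user and stored beside the digest (it is not a secret), and the iteration count makes each forward computation deliberately slow, so the per-guess cost that a dictionary or brute-force attack pays is set by the defender.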
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know – Passwords
Password Management
• Typically, the minimum password management security features include the following:
• Password history = set to remember 24 passwords
• Maximum password age = 90 days
• Minimum password age = 2 days (this is because users do not cycle through 24 passwords to return immediately to
their favorite)
• Minimum password length = 8 characters
• Passwords must meet complexity requirements = true
• Store password using reversible encryption = false
• These are the minimum password security controls for the U.S. Department of Defense and this
standard has been adopted by the Microsoft community as the baseline password complexity
standard.
• It is not uncommon for users to write down passwords and store them within wallets, address
books, cell phones, and even sticky notes posted on their monitors
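An added Python example (not from the slides or from Windows) that enforces the six settings listed above as a password-change check: minimum length, complexity as the page describes it (a capital letter, a number and a special character), a 24-entry history, the 2-day minimum age and the 90-day maximum age. The history is kept as SHA-256 fingerprints purely to keep the example short; a real system would compare against its salted, slow password hashes. The sample account record and dates are constructed.

```python
"""Enforcing the baseline password-management settings from the slide.

Added illustration, not any product's policy engine.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Settings from the slide: history 24, max age 90 days, min age 2 days, length 8, complexity on.
POLICY = {"history": 24, "max_age_days": 90, "min_age_days": 2,
          "min_length": 8, "complexity": True}


def meets_complexity(pw: str) -> bool:
    # Complexity as described on the page: a capital letter, a number and a special character.
    return all(re.search(pattern, pw) for pattern in (r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def fingerprint(pw: str) -> str:
    # Simplified history entry; real systems keep salted, slow hashes here.
    return hashlib.sha256(pw.encode()).hexdigest()


def validate_change(record: dict, new_pw: str, now: datetime) -> list:
    """Return the list of policy violations (an empty list means the change is allowed)."""
    errors = []
    if len(new_pw) < POLICY["min_length"]:
        errors.append("too short")
    if POLICY["complexity"] and not meets_complexity(new_pw):
        errors.append("complexity")
    if fingerprint(new_pw) in record["history"][-POLICY["history"]:]:
        errors.append("reused")
    if now - record["last_changed"] < timedelta(days=POLICY["min_age_days"]):
        errors.append("minimum age")  # blocks cycling through 24 passwords in one sitting
    return errors


def password_expired(record: dict, now: datetime) -> bool:
    return now - record["last_changed"] > timedelta(days=POLICY["max_age_days"])


def apply_change(record: dict, new_pw: str, now: datetime) -> list:
    """Validate, then record the change; the password itself is never stored reversibly."""
    errors = validate_change(record, new_pw, now)
    if not errors:
        record["history"] = (record["history"] + [fingerprint(new_pw)])[-POLICY["history"]:]
        record["last_changed"] = now
    return errors


def sample_record() -> dict:
    # Constructed account whose password was last set on 1 January 2024.
    return {"history": [fingerprint("Old#pass1")], "last_changed": datetime(2024, 1, 1)}


if __name__ == "__main__":
    account = sample_record()
    print(validate_change(account, "Old#pass1", datetime(2024, 1, 10)))   # reused
    print(validate_change(account, "New#pass2", datetime(2024, 1, 2)))    # minimum age
    print(apply_change(account, "New#pass2", datetime(2024, 1, 10)))      # allowed
    print(password_expired(account, datetime(2024, 6, 1)))                # past 90 days
```

Note how the minimum-age rule and the history rule only work together: without the 2-day wait a user could satisfy the 24-password history in a few minutes and land back on the original password.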
Domain 5: Identity and Access Management
Type 1 Authentication: Something You Know – Passwords
Password Control
• Complex passwords are harder to remember
• Users who write passwords down and leave them in an insecure place
(such as under a keyboard or stored in a wallet, purse, or rolodex) can
undermine the entire security posture of a system
Domain 5: Identity and Access Management
Type 2 Authentication: Something You Have
• Something you have - requires that users possess something, which
proves they are an authenticated user
• A token is an object that helps prove an identity claim
• Possessing the car keys, credit cards, bank ATM cards, smartcards, and
paper documents
Domain 5: Identity and Access Management
Type 2 Authentication: Something You Have
Asynchronous Dynamic Token
• Not synchronized with a central server
• Most common variety is challenge-response tokens
• Systems produce a challenge, or input for the token device
• The user manually enters the information into the device along with their PIN, and the
device produces an output
• Output is then sent to the system
• Combining access control types is recommended
• Using more than one type of access control is referred to as strong
authentication or multifactor authentication
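An added example that is not from the slides or any token vendor: the time-synchronous flow described earlier under dynamic passwords (a code that changes every 60 seconds, prefixed with the user's static PIN) and the asynchronous challenge-response flow described just above, with both the device side and the server side of each exchange. The code derivation follows the HOTP/TOTP construction (RFC 4226/6238) rather than any proprietary algorithm; the seed, PIN, session id and timestamps are constructed.

```python
"""Synchronous (time-based) and asynchronous (challenge-response) token flows.

Added illustration; the seed and PIN are constructed and the derivation follows the
HOTP/TOTP shape, not any vendor's algorithm.
"""
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def synchronous_code(seed: bytes, now: float, step: int = 60, digits: int = 6) -> str:
    """Token and server both derive the same code from the shared seed and the current step."""
    counter = int(now // step)
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** digits:0{digits}d}"


def challenge_response(seed: bytes, pin: str, challenge: str) -> str:
    """Asynchronous token: the user keys the challenge and PIN into the device, which answers."""
    return hmac.new(seed, f"{challenge}:{pin}".encode(), hashlib.sha256).hexdigest()[:8]


class AuthServer:
    """Server side: holds the token seed and PIN, issues challenges, verifies submissions."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin = pin
        self.pending = {}  # session id -> outstanding challenge

    def verify_synchronous(self, submitted: str, now: Optional[float] = None, step: int = 60) -> bool:
        # Dynamic password = static PIN + current token code, compared in constant time.
        now = time.time() if now is None else now
        expected = self.pin + synchronous_code(self.seed, now, step)
        return hmac.compare_digest(submitted, expected)

    def issue_challenge(self, session: str) -> str:
        challenge = os.urandom(4).hex()  # fresh, unpredictable input for the device
        self.pending[session] = challenge
        return challenge

    def verify_response(self, session: str, response: str) -> bool:
        # A challenge is consumed on first use, so a captured response cannot be replayed.
        challenge = self.pending.pop(session, None)
        if challenge is None:
            return False
        return hmac.compare_digest(response, challenge_response(self.seed, self.pin, challenge))


SEED = b"constructed-token-seed"  # constructed; real seeds are provisioned per token
PIN = "1234"                        # constructed


def demo_exchange(now: float = 1_700_000_000.0) -> dict:
    """Play both flows once and return the outcomes."""
    server = AuthServer(SEED, PIN)
    device_code = synchronous_code(SEED, now)                 # read off the token display
    sync_ok = server.verify_synchronous(PIN + device_code, now)
    sync_wrong_pin = server.verify_synchronous("0000" + device_code, now)

    challenge = server.issue_challenge("session-1")            # server -> user
    answer = challenge_response(SEED, PIN, challenge)         # device -> user -> server
    async_ok = server.verify_response("session-1", answer)
    async_replay = server.verify_response("session-1", answer)  # same answer again
    return {"sync_ok": sync_ok, "sync_wrong_pin": sync_wrong_pin,
            "async_ok": async_ok, "async_replay": async_replay}


if __name__ == "__main__":
    print(demo_exchange())
```

The two flows differ in what limits reuse: the synchronous code is bounded by the 60-second step (a production server also tolerates a step or two of clock drift), while the challenge-response answer is bound to a one-off challenge the server forgets as soon as it is used.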
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
• Something you are - biometrics, which uses physical characteristics as a means of
identification or authentication
• Biometrics may be used to establish an identity, or to authenticate (prove an identity
claim)
• Associated with the physical traits of an individual, it is more difficult for that
individual to forget, misplace, or otherwise lose control of the access capability
• Care should be given to ensure appropriate accuracy and to address any privacy
issues that may arise
• Should be reliable, and resistant to counterfeiting
• Data storage required to represent biometric information (called the template or the
file size) should be relatively small: 1000 bytes or less is typical
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Biometric Fairness, Psychological Comfort, and Safety
• Biometrics should not cause undue psychological stress to subjects, and
should not introduce unwarranted privacy issues
• Biometric controls must be usable by all staff, or compensating controls must
exist
• Potential exchange of bodily fluid is a serious negative for any biometric
control: this includes retina scans (where a user typically presses their eye
against an eyecup), and even fingerprint scanning (where many subjects
touch the same scanner)
• Fully passive controls, such as iris scans, may be preferable (there is no
exchange of bodily fluid)
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Biometric Enrollment and Throughput
• Enrollment describes the process of registering with a biometric
system: creating an account for the first time
• Enrollment is a one-time process that should take 2 minutes or less.
• Throughput describes the process of authenticating to a biometric
system
• Also called the biometric system response time
• A typical throughput is 6-10 seconds
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Accuracy of Biometric Systems
• Should be considered before implementing a biometric control
program
• Three metrics are used to judge biometric accuracy: the False Reject
Rate (FRR), the False Accept Rate (FAR), and the Crossover Error Rate
(CER).
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Accuracy of Biometric Systems
• False Reject Rate (FRR)
• When an authorized subject is rejected by the biometric system as unauthorized
• Also called a Type I error
• Cause frustration of the authorized users, reduction in work due to poor access
conditions, and expenditure of resources to revalidate authorized users
• False Accept Rate (FAR)
• Occurs when an unauthorized subject is accepted as valid
• Risks an unauthorized user gaining access
• Also called a Type II error
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Accuracy of Biometric Systems
Note - A false accept is worse than a false reject: most organizations would rather
reject authentic subjects than accept impostors. FARs (Type II errors) are
worse than FRRs (Type I errors). Two is greater than one, which will help you
remember that FAR is Type II, which is worse than Type I (FRR).
Over 40 data points are usually collected and compared in a typical fingerprint
scan. The accuracy of the system may be lowered by collecting fewer minutiae
points (ten or so). This will lower the FRR, but raise the FAR. It also increases the
possibility that a user’s fingerprints would be easier to counterfeit.
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Accuracy of Biometric Systems
• Crossover Error Rate (CER)
• Describes the point where the False Reject Rate (FRR) and
False Accept Rate (FAR) are equal
• Also known as the Equal Error Rate (EER)
• The overall accuracy of a biometric system
• As the accuracy of a biometric system increases, FARs will rise
and FRRs will drop
• As the accuracy is lowered, FARs will drop and FRRs will rise
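An added worked example (not from the slides) computing FRR, FAR and the CER from constructed match scores: sweeping the acceptance threshold shows the two rates moving in opposite directions and the point where they meet, and a helper picks the threshold that keeps FAR under a ceiling, which is what an organisation that treats Type II errors as the worse outcome would do. The score lists are constructed; a higher score means a closer match and the system accepts a sample whose score is at or above the threshold.

```python
"""FRR, FAR and the crossover error rate computed from a threshold sweep.

Added illustration with constructed match scores (higher = better match).
"""

# Constructed similarity scores: samples from enrolled users and from other people.
GENUINE = [0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.55, 0.5, 0.45]
IMPOSTOR = [0.1, 0.2, 0.3, 0.35, 0.4, 0.45, 0.5, 0.52, 0.58, 0.65]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) at a threshold.

    FRR (Type I): share of genuine samples rejected because they score below the threshold.
    FAR (Type II): share of impostor samples accepted because they score at or above it.
    """
    frr = sum(score < threshold for score in genuine) / len(genuine)
    far = sum(score >= threshold for score in impostor) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor):
    """Sweep every candidate threshold; return (threshold, FRR, FAR) where the rates meet."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    _gap, t, frr, far = best
    return t, frr, far


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR stays within max_far, accepting the FRR that comes with it."""
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    for t in (0.4, 0.55, 0.7):
        frr, far = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t}: FRR={frr:.0%} FAR={far:.0%}")
    print("CER:", crossover_error_rate(GENUINE, IMPOSTOR))
    print("FAR <= 10%:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.1))
```

Running the sweep makes the trade-off on the slide visible: a lax threshold (0.4) rejects nobody genuine but admits most impostors, a strict one (0.7) admits no impostors but turns away half the genuine users, and the CER sits where the two curves cross.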
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Types of Biometric Controls
• Fingerprints
• The most widely used biometric control
• Smartcards can carry fingerprint information
• Smart keyboards require users to present a fingerprint to unlock a
computer’s screen saver
• The data used for storing each person’s fingerprint must be of a
small enough size to be used for authentication
• The data is a mathematical representation of fingerprint minutiae,
specific details of fingerprint friction ridges, which include whorls,
ridges, bifurcation, and others
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Types of Biometric Controls
• Retina Scan
• A laser scan of the capillaries which feed the retina of the back of the eye
• Can seem personally intrusive because the light beam must directly enter the pupil,
and the user usually needs to press their eye up to a laser scanner eye cup
• Health information of the user can be gained through a retina scan: conditions such
as pregnancy and diabetes can be determined, which may raise legitimate privacy
issues
• Exchange of bodily fluids is possible

Exam Warning - Retina scans are rarely used because of health risks
and invasion-of-privacy issues. Alternatives should be considered for
biometric controls that risk exchange of bodily fluid or raise legitimate
privacy concerns.
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Types of Biometric Controls
• Iris Scan
• A passive biometric control
• A camera takes a picture of the iris (the colored portion of the eye) and then
compares photos within the authentication database
• Works through contact lenses and glasses
• Each person’s two irises are unique, even twins’ irises
• Benefits include high-accuracy, passive scanning (which may be accomplished
without the subject’s knowledge), and no exchange of bodily fluids
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Types of Biometric Controls
• Hand Geometry
• Measurements are taken from specific points on the
subject’s hand
• The devices use a simple concept of measuring and
recording the length, width, thickness, and surface area of
an individual’s hand while guided on a plate.
• Devices are fairly simple, and can store information in as
little as 9 bytes
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Types of Biometric Controls
• Keyboard Dynamics
• Refers to how hard a person presses each key and the rhythm by which the keys are
pressed
• Cheap to implement and can be effective
• As people learn how to type and use a computer keyboard, they develop specific habits
that are difficult to impersonate, although not impossible
• Dynamic Signature
• Measures the process by which someone signs his/her name
• Measuring time, pressure, loops in the signature, and beginning and ending points all
help to ensure the user is authentic
Domain 5: Identity and Access Management
Type 3 Authentication: Something You Are
Types of Biometric Controls
• Voice Print
• Measures the subject's tone of voice while stating a specific sentence or phrase
• Vulnerable to replay attacks (replaying a recorded voice), so other access controls must be implemented along with the voice print
• Requiring the subject to state random words protects against an attacker playing back pre-recorded phrases
Type 3 Authentication: Something You Are
Types of Biometric Controls
• Facial Scan
• Has greatly improved over the last few years
• Also called facial recognition
• Process of passively taking a picture of a subject’s face and comparing that picture to a list stored in a
database
• Not frequently used for biometric authentication control due to the high cost
• Law enforcement and security agencies use facial recognition and scanning technologies for biometric identification to improve security of high-value, publicly accessible targets
Type 3 Authentication: Something You Are
Types of Biometric Controls
• Facial Scan
• Super Bowl XXXV was the first major sporting event that used facial recognition technology to look for potential terrorists. Cameras were placed at every entrance and each attendee's face was scanned and compared to a list of active terrorist threats. The technology worked and, although no terrorists were identified, 19 petty criminals were identified. The companies that make the systems claim they are primarily a deterrent control.
• Casinos have used the same facial recognition technology since 2003.
Single Sign-On (SSO)
• Allows multiple systems to use a central authentication server (AS)
• Allows users to authenticate once, and then access multiple, different
systems
• Allows security administrators to add, change, or revoke user privileges
on one central system
Single Sign-On (SSO)
As outlined in the IBM article, “Build and Implement a Single Sign-On Solution” by Chris Dunne,
September 30, 2003, SSO is an important access control and can offer the following benefits:
• “Improved user productivity. Users are no longer bogged down by multiple logins and they are not
required to remember multiple IDs and passwords. Also, support personnel answer fewer requests
to reset forgotten passwords.”
• “Improved developer productivity. SSO provides developers with a common authentication
framework. In fact, if the SSO mechanism is independent, then developers do not have to worry
about authentication at all. They can assume that once a request for an application is accompanied
by a username, then authentication has already taken place.”
• “Simplified administration. When applications participate in a single sign-on protocol, the
administration burden of managing user accounts is simplified. The degree of simplification depends
on the applications since SSO only deals with authentication. So, applications may still require user-
specific attributes (such as access privileges) to be set up.”
Single Sign-On (SSO)
The disadvantages of SSO are listed below and must be considered before implementing
SSO on a system:
• “Difficult to retrofit. An SSO solution can be difficult, time consuming, and expensive
to retrofit to existing applications.”
• “Unattended desktop. Implementing SSO reduces some security risks, but increases
others. For example, a malicious user could gain access to a user’s resources if the
user walks away from his machine and leaves it logged in. Although this is a problem
with security in general, it is worse with SSO because all authorized resources are
compromised. At least with multiple logons, the user may only be logged into one
system at the time and so only one resource is compromised.”
• “Single point of attack. With single sign-on, a single, central authentication service is
used by all applications. This is an attractive target for hackers who may decide to
carry out a denial of service attack.”
Access Provisioning Lifecycle
• Once an access control model has been chosen, the identity lifecycle governs how access is granted and maintained over time
• Identity Lifecycle – provisioning, maintenance (passwords/rights/privileges), changes, re-provisioning, reconciliation/audit
Access Provisioning Lifecycle
IBM describes the following identity lifecycle rules:
• “Password policy compliance checking
• Notifying users to change their passwords before they expire
• Identifying life cycle changes such as accounts that are inactive for more than 30
consecutive days
• Identifying new accounts that have not been used for more than 10 days following their
creation
• Identifying accounts that are candidates for deletion because they have been
suspended for more than 30 days
• When a contract expires, identifying all accounts belonging to a business partner or
contractor’s employees and revoking their access rights”
User Entitlement, Access Review and Audit
• Authorization creep
• occurs when subjects not only maintain old access rights but gain new ones as they
move from one role to another within an organization
• User rights (or entitlements) must be routinely reviewed
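The lifecycle rules quoted from IBM above and the authorization-creep check are both mechanical enough to automate. The script below is an added example, not code from the slides or from IBM: it runs the inactivity, unused-new-account, suspended-account and expired-contract rules over a constructed set of account records, and flags authorization creep by comparing each account's accumulated entitlements with what its current role allows. The role matrix, account records and review date are all constructed; the 30-day and 10-day thresholds are the ones the slide quotes.

```python
"""Identity lifecycle review and entitlement (authorization-creep) check.

Added example over constructed data; not from the original slides.
"""
from datetime import date

# Constructed role matrix: the entitlements each role is supposed to hold (assumption).
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticket-system", "password-reset"},
    "finance":  {"erp-ledger", "expense-approval"},
    "engineer": {"source-repo", "ci-runner"},
}

# Constructed sample accounts. Dates are ISO strings or None.
ACCOUNTS = [
    {"user": "alice", "role": "finance", "created": "2024-01-10", "last_login": "2024-05-02",
     "suspended": None, "contract_end": None,
     "entitlements": {"erp-ledger", "expense-approval", "ticket-system", "password-reset"}},  # ex-helpdesk
    {"user": "bob", "role": "engineer", "created": "2024-04-25", "last_login": None,
     "suspended": None, "contract_end": None, "entitlements": {"source-repo", "ci-runner"}},
    {"user": "carol", "role": "helpdesk", "created": "2023-11-01", "last_login": "2024-03-15",
     "suspended": None, "contract_end": None, "entitlements": {"ticket-system", "password-reset"}},
    {"user": "dave", "role": "engineer", "created": "2023-06-01", "last_login": "2024-01-20",
     "suspended": "2024-03-20", "contract_end": None, "entitlements": {"source-repo"}},
    {"user": "erin", "role": "finance", "created": "2023-09-01", "last_login": "2024-05-05",
     "suspended": None, "contract_end": "2024-04-30", "entitlements": {"erp-ledger"}},
]
REVIEW_DATE = date(2024, 5, 6)   # constructed "today" for the review run


def _days_since(iso, today):
    return (today - date.fromisoformat(iso)).days


def review_accounts(accounts, today, role_entitlements=ROLE_ENTITLEMENTS):
    """Return {user: [finding, ...]} for every account that needs lifecycle action."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["last_login"] is None and _days_since(acct["created"], today) > 10:
            issues.append("new account never used after 10 days")
        elif acct["last_login"] is not None and _days_since(acct["last_login"], today) > 30:
            issues.append("inactive for more than 30 consecutive days")
        if acct["suspended"] and _days_since(acct["suspended"], today) > 30:
            issues.append("suspended more than 30 days: candidate for deletion")
        if acct["contract_end"] and date.fromisoformat(acct["contract_end"]) < today:
            issues.append("contract expired: revoke all access rights")
        # Authorization creep: rights held beyond what the current role grants.
        excess = acct["entitlements"] - role_entitlements.get(acct["role"], set())
        if excess:
            issues.append("authorization creep: " + ", ".join(sorted(excess)))
        if issues:
            findings[acct["user"]] = issues
    return findings


def run_review():
    return review_accounts(ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, issues in run_review().items():
        print(f"{user}: " + "; ".join(issues))
```

Alice is the authorization-creep case: she moved from helpdesk to finance and kept the helpdesk entitlements. In a real review the role matrix would come from the HR or IAM system of record rather than a literal in the script.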
Single Sign-On (SSO) - IDaaS and LDAP
• Identity as a service (IDaaS) - Gartner Inc. divides IDaaS services into two categories:
• Web access software for cloud-based applications such as software as a service (SaaS) and web-architected applications
• Cloud-delivered legacy identity management services
• LDAP – Lightweight Directory Access Protocol – common, open protocol for interfacing with and querying directory service information over a network. TCP/UDP port 389. LDAPS (LDAP over SSL/TLS): TCP 636. Active Directory additionally serves Global Catalog queries on TCP 3268 and Global Catalog over SSL on TCP 3269.
Single Sign-On (SSO) - Kerberos
• A third-party authentication service that may be used to support Single
Sign-On
• Kerberos (http://www.kerberos.org/) was the name of the three-
headed dog that guarded the entrance to Hades (also called Cerberus)
in Greek mythology
• The three heads of the mythical Kerberos were meant to signify the
three “A”s of AAA systems: authentication, authorization, and
accountability
• The original Kerberos mainly provided authentication
Single Sign-On (SSO) - Kerberos
• Kerberos FAQ (see http://www.faqs.org/faqs/kerberos-faq/user/) states:
• Kerberos is a network authentication system for use on physically insecure networks
• Based on the key distribution model presented by Needham and Schroeder
• Allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks
• Provides for data stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES (Data Encryption Standard)
Sidebar: The Needham–Schroeder Symmetric Key Protocol is based on a symmetric encryption algorithm. It forms the basis for the Kerberos protocol. This protocol aims to establish a session key between two parties on a network, typically to protect further communication.
Single Sign-On (SSO) - Kerberos
• Uses secret key encryption
• Provides mutual authentication of both clients and servers
• Protects against network sniffing and replay attacks
• Current version of Kerberos is version 5, described by RFC 4120 (http://www.ietf.org/rfc/rfc4120.txt)
• Kerberos has the following components:
• Principal: Client (user) or service
• Realm: A logical Kerberos network
• Ticket: Data that authenticates a principal’s identity
• Credentials: a ticket together with the session key that accompanies it
• KDC: Key Distribution Center, which authenticates principals
• TGS: Ticket Granting Service
• TGT: Ticket Granting Ticket
• C/S: Client Server, regarding communications between the two
[Kerberos diagram slide: figure not reproduced in this extraction]
Single Sign-On (SSO) - Kerberos
• Strengths:
• Provides mutual authentication of client and server
• If a rogue KDC pretended to be the real KDC, it would not hold the principals' keys, so the tickets it issued would not decrypt
• Mitigates replay attacks (where attackers sniff Kerberos credentials and replay them on the network) via the use of timestamps
Single Sign-On (SSO) - Kerberos
• Weaknesses:
• KDC stores the plaintext keys of all principals (clients and servers)
• A compromise of the KDC (physical or electronic) can lead to the compromise of every key in the
Kerberos realm
• KDC and TGS are single points of failure: if they go down, no new credentials can be issued
• Replay attacks are still possible for the lifetime of the authenticator (An attacker could sniff an
authenticator, launch a denial-of-service attack against the client, and then assume or spoof the client’s
IP address)
• Any user may request a session key for another user
• Kerberos does not mitigate a malicious local host: plaintext keys may exist in memory or cache
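The three exchanges listed under the components above (AS, TGS and client/server), and the replay strength and weakness just described, are easiest to see with both sides' messages in code. The following is an added example, not code from the slides or from any Kerberos implementation. It assumes JSON-encoded messages, a stand-in "encryption type" built from a SHA-256 keystream plus an HMAC tag (never to be used in place of a real Kerberos enctype), constructed principal names and keys, and a 300-second clock skew. The KDC holds every principal's key in plaintext, as the weakness slide says; the service keeps a replay cache keyed on the authenticator's client and timestamp, which is what makes the timestamp defence effective; a second service instance without that cache accepts the replayed AP-REQ until the skew window closes.

```python
"""Toy Kerberos v5-style flow: AS-REQ/REP, TGS-REQ/REP, AP-REQ/REP with replay cache.

Added example, not from the original slides. Crypto here is a labelled stand-in.
"""
import hashlib, hmac, json, secrets

SKEW = 300            # acceptable authenticator clock skew (seconds), assumption
LIFETIME = 8 * 3600   # ticket lifetime (seconds), assumption


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object under a symmetric key (stand-in for a Kerberos enctype)."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def _check_authenticator(ticket, authenticator, now):
    """Open the authenticator with the ticket's session key; enforce client match and skew."""
    sk = bytes.fromhex(ticket["key"])
    auth = unseal(sk, authenticator)
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > SKEW:
        raise ValueError("stale or mismatched authenticator")
    return sk, auth


class KDC:
    """AS + TGS. Holds every principal's long-term key in plaintext (the weakness noted above)."""
    def __init__(self, keys):
        self.keys = keys

    def as_exchange(self, client, now):
        sk = secrets.token_bytes(32)   # TGS session key
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "expires": now + LIFETIME})
        return tgt, seal(self.keys[client], {"tgs_key": sk.hex()})   # only the real client can open this

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = unseal(self.keys["krbtgt"], tgt)
        sk, _ = _check_authenticator(t, authenticator, now)
        svc_key = secrets.token_bytes(32)   # client/service session key
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key.hex(), "expires": now + LIFETIME})
        return ticket, seal(sk, {"svc_key": svc_key.hex()})


class Service:
    def __init__(self, key, replay_cache=True):
        self.key, self.seen = key, (set() if replay_cache else None)

    def ap_exchange(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise ValueError("ticket expired")
        sk, auth = _check_authenticator(t, authenticator, now)
        if self.seen is not None:                      # replay cache: timestamps alone are not enough
            if (auth["client"], auth["time"]) in self.seen:
                raise ValueError("replayed authenticator")
            self.seen.add((auth["client"], auth["time"]))
        return seal(sk, {"time": auth["time"]})        # AP-REP: server proves it knows the session key


def client_login(kdc, client, client_key, service, svc, now):
    """Full client flow; returns the AP-REQ so the caller can try replaying it."""
    tgt, rep = kdc.as_exchange(client, now)
    sk = bytes.fromhex(unseal(client_key, rep)["tgs_key"])
    ticket, rep2 = kdc.tgs_exchange(tgt, seal(sk, {"client": client, "time": now}), service, now)
    svc_key = bytes.fromhex(unseal(sk, rep2)["svc_key"])
    ap_req = (ticket, seal(svc_key, {"client": client, "time": now}))
    if unseal(svc_key, svc.ap_exchange(*ap_req, now))["time"] != now:
        raise ValueError("server failed mutual authentication")
    return ap_req


def demo(now=1_700_000_000):
    keys = {n: secrets.token_bytes(32) for n in ("alice", "krbtgt", "host/fileserver")}  # constructed
    kdc = KDC(keys)
    fs, fs_nocache = Service(keys["host/fileserver"]), Service(keys["host/fileserver"], False)
    ap_req = client_login(kdc, "alice", keys["alice"], "host/fileserver", fs, now)

    def attempt(svc, t):   # an eavesdropper resends the captured AP-REQ at time t
        try:
            svc.ap_exchange(*ap_req, t)
            return "accepted"
        except ValueError as e:
            return str(e)

    return {"replay_with_cache": attempt(fs, now + 10),
            "replay_without_cache": attempt(fs_nocache, now + 10),
            "replay_after_window": attempt(fs_nocache, now + SKEW + 1)}


if __name__ == "__main__":
    print(demo())
```

The middle result is the weakness the slide describes: with no replay cache, a sniffed authenticator is good for the whole skew window, which is why an attacker who can also knock the real client offline (or spoof its address) has a usable window.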
Single Sign-On (SSO) - SESAME
• Secure European System for Applications in a Multi-vendor Environment
• A single sign-on system that supports heterogeneous environments
• Can be thought of as a sequel of sorts to Kerberos
• It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of
symmetric keys
• Uses Privilege Attribute Certificates (PACs) in place of Kerberos’ tickets
• More information on SESAME is available at:
https://www.cosic.esat.kuleuven.be/sesame/
Access Control Protocols And Frameworks - RADIUS
• Remote Authentication Dial In User Service (RADIUS) protocol
• A third-party authentication system
• Described in RFCs 2865 and 2866
• Uses the User Datagram Protocol (UDP) ports 1812 (authentication) and 1813
(accounting)
• Formerly used the (unofficially assigned) ports of 1645 and 1646 for the same respective
purposes; some continue to use those ports
• Considered an “AAA” system
• Authenticates a subject’s credentials against an authentication database
• Authorizes users by allowing specific users’ access to specific data objects
• Accounts for each data session by creating a log entry for each connection made
Access Control Protocols And Frameworks - RADIUS
• Request and response data is carried in Attribute Value Pairs (AVPs)
• According to RFC 2865 (http://tools.ietf.org/html/rfc2865), RADIUS supports the following
codes:
• Access-Request
• Access-Accept
• Access-Reject
• Accounting-Request
• Accounting-Response
• Access-Challenge
• Status-Server (experimental)
• Status-Client (experimental)
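The packet codes and attribute-value pairs above can be exercised with a minimal encoder and parser. The following is an added example, not code from the slides or from any RADIUS server: it builds an Access-Request carrying User-Name and User-Password AVPs, hides the password exactly as RFC 2865 section 5.2 prescribes (16-byte blocks XORed with MD5(secret + Request Authenticator), chained), parses the packet the way a sniffer would, and checks the Response Authenticator (MD5 over Code, ID, Length, Request Authenticator, Attributes and the secret) on the server's Access-Accept. The shared secret, user name, password and packet identifier are constructed.

```python
"""RADIUS Access-Request / Access-Accept with RFC 2865 password hiding.

Added example, not from the original slides.
"""
import hashlib, secrets, struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 4: "Accounting-Request",
         5: "Accounting-Response", 11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client"}
USER_NAME, USER_PASSWORD = 1, 2   # attribute types from RFC 2865


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type, value):
    """Attribute-value pair: Type (1) | Length (1, includes header) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    """Return (code name, identifier, authenticator, {type: value}); this is the sniffer's view."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return CODES.get(code, "unknown"), ident, pkt[4:20], attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()


def demo(secret=b"s3cr3t-shared", user=b"alice", password=b"correct horse battery", ident=42):
    req_auth = secrets.token_bytes(16)   # Request Authenticator: random per request
    request = build_packet(1, ident, req_auth,
                           [avp(USER_NAME, user), avp(USER_PASSWORD, hide_password(password, secret, req_auth))])
    # Sniffer: user name readable, password hidden, nothing else in the packet protected.
    code, rid, auth, attrs = parse_packet(request)
    # Server: recover the password with the shared secret, then answer.
    ok = reveal_password(attrs[USER_PASSWORD], secret, auth) == password
    resp_code = 2 if ok else 3
    reply = build_packet(resp_code, rid, response_authenticator(resp_code, rid, auth, [], secret), [])
    # Client: validate the reply against the authenticator it originally sent.
    _, _, resp_auth, _ = parse_packet(reply)
    valid = resp_auth == response_authenticator(resp_code, rid, req_auth, [], secret)
    return {"code": code, "sniffed_user": attrs[USER_NAME], "password_visible": attrs[USER_PASSWORD] == password,
            "server_accepts": ok, "reply": CODES[resp_code], "reply_valid": valid}


if __name__ == "__main__":
    print(demo())
```

Note that the hiding is keyed only by the shared secret and an MD5 chain, and that every other attribute travels in the clear; this is the property usually summarised as "RADIUS encrypts only the password", and it is why RADIUS traffic between NAS and server should itself be on a protected network or tunnelled.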
[RADIUS diagram slide: figure not reproduced in this extraction]
Access Control Protocols And Frameworks - Diameter
• RADIUS’ successor
• Designed to provide an improved Authentication, Authorization, and Accounting (AAA)
framework
• Also uses Attribute Value Pairs, but supports many more:
• RADIUS uses 8 bits for the AVP field (allowing 256 total possible AVPs)
• Diameter uses 32 bits for the AVP field (allowing billions of potential AVPs)
• Uses a single server to manage policies for many services, as opposed to RADIUS which
requires many servers to handle all of the secure connection protocols
• Provides AAA functionality
• More reliable transport: uses the Transmission Control Protocol (TCP) or SCTP rather than UDP
• First described by RFC 3588 (http://tools.ietf.org/html/rfc3588), which has since been superseded by RFC 6733
Access Control Protocols And Frameworks - TACACS and TACACS+
• Terminal Access Controller Access Control System (TACACS)
• Centralized access control system that requires users to send an ID and static (reusable)
password for authentication
• TACACS uses UDP port 49 (and may also use TCP)
• Reusable passwords are a security vulnerability: the improved TACACS+ provides better password protection by allowing two-factor strong authentication
• TACACS+ is not backwards compatible with TACACS
• TACACS+ uses TCP port 49 for authentication with the TACACS+ server
• The actual function of authentication is similar to RADIUS
• RADIUS only encrypts the password (leaving other data, such as username, unencrypted);
TACACS+ encrypts all data below the TACACS+ header
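What "encrypts all data below the TACACS+ header" means in practice is the body obfuscation of RFC 8907 section 4.3: the body is XORed with a pseudo-pad built from chained MD5 digests of the session ID, shared secret, version and sequence number. The code below is an added example, not from the slides or from any TACACS+ implementation. It builds a packet, shows that a sniffer without the secret sees only the 12-byte header, that the server recovers the body with the secret, and that a packet with the TAC_PLUS_UNENCRYPTED_FLAG header bit set carries its body in the clear, which is a configuration worth alerting on. The session ID, secret and body bytes are constructed.

```python
"""TACACS+ header and body obfuscation (RFC 8907 section 4.3).

Added example, not from the original slides.
"""
import hashlib, struct

TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER = 0xC, 0x0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is NOT obfuscated


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(...|MD5_{n-1}); concatenated, cut to length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_packet(session_id, key, seq_no, body, ptype=TAC_PLUS_AUTHEN, obfuscate=True):
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER
    flags = 0 if obfuscate else TAC_PLUS_UNENCRYPTED_FLAG
    if obfuscate:
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))
    # 12-byte header: version, type, seq_no, flags, session_id, body length; always in the clear
    return struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body)) + body


def parse_packet(pkt, key=None):
    """Header fields plus body; the body is de-obfuscated only when the shared secret is supplied."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return {"seq_no": seq_no, "session_id": session_id, "cleartext": True, "body": body}
    if key is not None:
        body = bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, length)))
    return {"seq_no": seq_no, "session_id": session_id, "cleartext": False, "body": body}


def demo(key=b"tacacs-shared-secret", session_id=0x1A2B3C4D):
    body = b"user=alice\x00pass=hunter2\x00"   # constructed stand-in for an authentication START body
    pkt = build_packet(session_id, key, seq_no=1, body=body)
    sniffer = parse_packet(pkt)              # no secret: header readable, body opaque
    server = parse_packet(pkt, key)          # shared secret: body recovered
    wrong = parse_packet(pkt, b"wrong")      # wrong secret: garbage, and no error to tell you so
    clear = parse_packet(build_packet(session_id, key, 1, body, obfuscate=False))
    return {"sniffer_sees_user": b"alice" in sniffer["body"],
            "server_body": server["body"],
            "wrong_key_recovers": wrong["body"] == body,
            "unencrypted_flag_leaks": clear["cleartext"] and b"alice" in clear["body"]}


if __name__ == "__main__":
    print(demo())
```

Two practitioner caveats follow from the code: the pad depends on nothing but the secret and header fields, so a weak shared secret is an offline-guessable one, and a wrong secret yields garbage rather than an integrity failure, so the body carries no authentication tag of its own.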
PAP and CHAP
• Password Authentication Protocol (PAP)
• Defined by RFC 1334 (http://tools.ietf.org/html/rfc1334#section-2)
• Not a strong authentication method
• The user name and password are sent across the network in clear text
• When received by the PAP server, the password is compared with the stored one and the user is validated
• Challenge Handshake Authentication Protocol (CHAP)
• Defined by RFC 1994 (http://www.faqs.org/rfcs/rfc1994.html)
• Provides protection against playback attacks
• Uses a central location that challenges remote users
• “CHAP depends upon a ‘secret’ known only to the authenticator and the peer. The secret is not sent over the
link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set
may easily be used for mutual authentication.”
• A sniffer that views the entire challenge/response process will not be able to determine the shared secret
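The CHAP handshake is short enough to show with both ends in code. The following is an added example, not from the slides or from any PPP implementation: the authenticator issues a random Challenge with an Identifier, the peer returns MD5(Identifier || secret || Challenge) as RFC 1994 specifies, and the authenticator recomputes it against its own copy of the secret. Names, secrets and the wordlist are constructed. The replay checks show why a captured response is useless against a fresh challenge; the offline-guess check adds the caveat the slide leaves out: a sniffer who holds a challenge/response pair can test candidate secrets offline, so the property "cannot determine the shared secret" holds only for secrets that are not guessable.

```python
"""CHAP (RFC 1994) challenge/response with replay and offline-guess checks.

Added example, not from the original slides.
"""
import hashlib, secrets


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    def __init__(self, peers):
        self.peers = peers          # name -> secret; the secret never leaves this side
        self.identifier = 0
        self.outstanding = {}       # identifier -> challenge awaiting a response

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = secrets.token_bytes(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal   # what crosses the link (and reaches any sniffer)

    def verify(self, identifier, name, response):
        chal = self.outstanding.pop(identifier, None)   # each challenge is single-use
        if chal is None or name not in self.peers:
            return False
        return secrets.compare_digest(response, chap_response(identifier, self.peers[name], chal))


class Peer:
    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, challenge):
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


def offline_guess(identifier, challenge, response, wordlist):
    """Sniffer's offline test of candidate secrets against one captured exchange."""
    for cand in wordlist:
        if chap_response(identifier, cand, challenge) == response:
            return cand
    return None


def demo():
    strong, weak = b"Tr0ub4dor&3-long-secret", b"password"   # constructed secrets
    auth = Authenticator({"alice": strong, "bob": weak})
    alice, bob = Peer("alice", strong), Peer("bob", weak)

    ident, chal = auth.challenge()
    captured = alice.respond(ident, chal)          # sniffer records identifier, name, response
    first = auth.verify(*captured)
    replayed = auth.verify(*captured)              # same identifier again: challenge already consumed
    ident2, _ = auth.challenge()
    cross = auth.verify(ident2, "alice", captured[2])   # old response against a fresh challenge

    ident3, chal3 = auth.challenge()
    bob_resp = bob.respond(ident3, chal3)
    wordlist = [b"letmein", b"password", b"hunter2"]    # constructed
    return {"first": first, "replayed": replayed, "cross": cross,
            "alice_secret_guessed": offline_guess(ident, chal, captured[2], wordlist),
            "bob_secret_guessed": offline_guess(ident3, chal3, bob_resp[2], wordlist)}


if __name__ == "__main__":
    print(demo())
```

Both sides must store the secret in a form the MD5 computation can use, which is why CHAP secrets cannot be kept as salted password hashes on the authenticator; that, together with the offline-guess exposure above, is the usual argument for preferring EAP methods that run inside a TLS tunnel.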
Access Control Protocols And Frameworks - Microsoft Active Directory
Domains
• Microsoft Windows Active Directory uses the concept of domains as the primary means to
control access
• For authentication purposes, Microsoft bases its authentication across trust relationships on the Kerberos Authentication Protocol (originally RFC 1510, since superseded by RFC 4120), which has been fully integrated into Microsoft Windows operating systems since Windows 2000.
• Each domain has a separate authentication process and space
• Each domain may contain different users and different network assets and data objects
• If a two-way trust between domains is created, then the users and data objects from each
domain can be accessed by groups belonging to either domain.
Access Control Protocols And Frameworks - Microsoft Active Directory
Domains
As stated by Microsoft,
• “How a specific trust passes authentication requests depends on how it is configured;
trust relationships can be one-way, providing access from the trusted domain to
resources in the trusting domain, or two way, providing access from each domain to
resources in the other domain. Trusts are also either nontransitive, in which case trust
exists only between the two trust partner domains, or transitive, in which case trust
automatically extends to any other domains that either of the partners trusts.”
• Microsoft trust relationships fall into two categories; nontransitive and transitive.
Nontransitive trusts only exist between two trust partners. Transitive trusts exist between
two partners and all of their partner domains. For example, if A trusts B, in a transitive
trust, A will trust B and all of B’s trust partners.
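Trust direction and transitivity are easy to get backwards when assessing which accounts can reach which resources, so here is the rule above as a small reachability computation. This is an added example, not from the slides or from Microsoft: each trust is modelled as (trusting domain, trusted domain, transitive), a two-way trust is two one-way trusts, and a multi-hop path counts only when every hop on it is transitive (the behaviour of parent-child and tree-root trusts versus external trusts; this is the assumption the code encodes). The forest layout and domain names are constructed.

```python
"""Which domains' accounts can be granted access to resources in a given domain?

Added example, not from the original slides. Direction: a trust from A to B
(A trusts B, B is the trusted domain) lets B's accounts access resources in A.
"""


def two_way(a, b, transitive):
    return [(a, b, transitive), (b, a, transitive)]


def domains_with_access_to(resource_domain, trusts):
    """Return the set of domains whose accounts can reach resources in resource_domain.

    A direct trust always counts. A longer path counts only if every hop is transitive
    (external, non-transitive trusts stop the walk), which is the assumption stated above.
    """
    reach = set()
    frontier = [(resource_domain, True)]     # (domain, all hops so far transitive)
    seen = {(resource_domain, True)}
    while frontier:
        dom, clean = frontier.pop()
        for trusting, trusted, transitive in trusts:
            if trusting != dom:
                continue
            direct = dom == resource_domain
            if not (direct or (clean and transitive)):
                continue
            reach.add(trusted)
            state = (trusted, clean and transitive)
            if state not in seen:
                seen.add(state)
                frontier.append(state)
    return reach - {resource_domain}


def demo():
    # Constructed forest: root <-> child (transitive), root <-> partner (external,
    # non-transitive), and a one-way non-transitive trust where root trusts legacy.
    trusts = [
        *two_way("corp.example", "eu.corp.example", transitive=True),
        *two_way("corp.example", "partner.example", transitive=False),
        ("corp.example", "legacy.example", False),
    ]
    return {d: domains_with_access_to(d, trusts)
            for d in ("corp.example", "eu.corp.example", "partner.example", "legacy.example")}


if __name__ == "__main__":
    for dom, sources in demo().items():
        print(f"{dom}: accounts from {sorted(sources) or 'no other domain'}")
```

The partner domain's accounts can reach the root but not the child, because the external trust is not transitive, and nobody outside legacy.example can reach legacy resources, because the one-way trust only runs the other way. Those are exactly the two mistakes a quick reading of "A trusts B" tends to produce.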
Thank you.
