Links

Access Protocols

Directories / Directory Service Protocols

  • Repositories of an organization's network resources and users.
  • Most follow a hierarchical database format, based on the X.500 Standard.
  • A directory service manages the entries and data in the directory and enables access control and identity management.
  • Types: Microsoft Active Directory (AD) & LDAP

Lightweight Directory Access Protocol (LDAP)

  • A standardized directory access protocol.
  • Main purpose is to query the LDAP user database - pared-down X.500-based directories.
  • Supported by most major vendors including Microsoft AD and OpenLDAP
  • Hierarchical structure.
  • An open protocol.
  • Weakness of LDAP:
    • Can be subject to LDAP injection attacks:
      • Similar to SQL injection attacks.
      • Occurs when user input is not properly filtered.

LDAP Data Interchange Format (LDIF)

  • Enables LDAP servers toe exchange directory information.
  • Servers must be able to authenticate to the server using the correct format
  • A standard plain text data interchange format for representing LDAP directory content and update requests.
  • {wiki}

LDAP Security

  • LDAP is vulnerable to snooping.
  • Encrypt communications using SSL/TLS to secure LDAP transmissions.
  • Certificates can validate authentication requests.
  • LDAPv3 bind requests should use Simple Authentication and Security Layer (SASL)
    • A framework for authentication and data security in internet protocols.
    • It decouples authentication from application protocols allowing all SASL authentication mechanisms to work with one another.

Directory Information Tree

  • A hierarchical structure that can be searched for directory information. This holds LDAP entries.

Kerberos

  • A symmetric key authentication protocol.
  • Kerberos v5 uses mutual authentication between the requesting client and the supporting server through a Key Distribution Center (KDC)
  • Once authenticated with the KDC, user is given a Ticket Granting Ticket (TGT)
    • Tickets are encrypted and have a limited life span.
    • Ticket lists user's privileges.
  • Works like using a driver's license to cash a check.

Kerberos Ticket

  • Contains information linking it in the user.
  • User presents ticket to network for a service.
  • Difficult to copy.
  • Expires after a few hours or a day.

Kerberos Key Distribution Center

  • Comprised of Three Components:
    • Kerberos Database
      • stores all the information about the principals and the realm they belong to, among other things.
    • Authentication Service (AS)
      • responsible for issuing a ticket-granting ticket (TGT) to a client when they initiate a request to the AS.
    • Ticket-Granting Service (TGS)
      • responsible for validating TGTs and granting service tickets.
        • Service tickets allow an authenticated principal to use the service provided by the application server, identified by the SPN (Service Principle Name).

Kerberos Authentication Process

  • Each time the user wishes to access some resource on the network, the user's computer present the KDC with the TGT.
  • The TGT then sends that user's computer a service ticket, granting the user access to that service.
  • User's computer then sends the service ticket to the server the user is trying to access.
  • As a final authentication check, that server then communicates the TGT to confirm and validate the service ticket.

Remote Authentication Dial-In User Service (RADIUS)

  • Developed in 1992.
  • Became industry standard.
  • Suitable for high volume service control applications such as dial-in access to a corporate network.
  • Still in use today.
  • An IETF Standard
  • Implemented by most of the major OS manufacturers.
  • Uses UDP transport to a centralized server providing authentication and access control for networks.
  • A RADIUS client is typically a device such as a wireless AP.
    • Responsible for sending user credentials and connection parameters to the RADIUS server.
  • RADIUS user profiles are stored in a central database.
    • All remote servers can share.
  • Advantages of a central service:
    • Increases security due to a single administered network point.
    • Easier to track usage for billing and keeping network statistics.

Diameter

  • Diameter was created to deal with VoIP and wireless services.
  • Addresses new technologies that RADIUS was not designed to handle.
  • Backwards compatible with RADIUS but not all RADIUS servers work with Diameter.
Could not load image

Terminal Access Controller Access Control System Plus (TACACS+)

  • Handles authentication, authorization, and accounting (AAA) services.
  • Similar to RADIUS
  • TCP rather than UDP in its transport method.
  • Client/server model.
  • Communicates by forwarding user authentication information to a centralized server.
  • TACACS+ advantages over RADIUS:
    • TCP rather than UDP as its transport method means it is more reliable.
    • Encrypts the entire packet, not just authentication.
    • Controls the authorization of router commands.
Feature
RADIUS
TACACS+
Transport Protocol
UDP
TCP
Authentication and Authorization
Combined
Separated
Communication
Unencrypted
Encrypted
Interacts with Kerberos
No
Yes
Can authorize network devices
No
Yes

Password Authentication Protocol (PAP)

  • Legacy
  • User ID and password sent clear text.
  • No protection for playback or trial-and-error attacks.

Challenge Handshake Authentication Protocol (CHAP)

  • Provides on-demand authentication over encrypted channels.
  • Server first authenticates client.
  • Client generates a one-way hashing function (MD5 algorithm) and sends to the service.
  • Client hash is compared against service's hash by the authenticator service.
  • Process is repeated at random intervals to prevent replay attacks.

MSCHAP & PEAP

  • MSCHAPv2 - Microsoft proprietary version.
    • Uses a new string each time for authentication.
    • The client and server mutually authenticate and use two encryption keys.
  • Should not be used alone.
  • Use MS-CHAP with Protected Extensible Authentication Protocol (PEAP) or L2TP/IPSec
  • PEAP
    • Provides a TLS/SSL tunnel.
    • Protects the authentication traffic.
    • Uses a certificate on the authentication server.

NT LAN Manager (NTLM / NT LANMan)

  • Legacy authentication from Microsoft.
  • Replaced by Kerberos.
  • Similar to CHAP and MSCHAP.
  • All NTLM versions use relatively weak cryptographic schemes.
  • Lacks MFA support.

Federated Services

  • Security Assertion Markup Language (SAML)
    • An Extensible Markup Language (XML) framework for creating and exchanging security information between online systems.
    • Main purpose is SSO for enterprise users over the web.
    • Three main functions:
      • The user seeking to verify its identity is the principle.
      • The entity that can verify the identity of the end user is the ID provider.
      • The entity that uses the ID provider to verify the ID of the end user is the Service Provider.
    • Defines security authorizations on web pages as opposed to web page elements in HTML.
  • Shibboleth system uses SAML.
  • OAuth
    • Framework used for internet token-based authorization.
    • Purpose is API authorization between applications.
    • Current version is 2.0
    • Allows access tokens to be issued to third-party clients (resource consumers) with the approval of the resource owner, such as a social media site.
    • OAuth2.0 uses the JSON and HTTP protocols.
    • Uses SSL/TLS to prevent eavesdropping.
  • Simple Web Tokens and JSON Web Tokens
  • OpenID Connect
    • An identity layer based on OATH 2.0 specifications.
    • Used for consumer single sign-on.
    • OpenID Connect implements authentication as an extension to the OATH 2.0 auth process.
    • Provides additional security - signing, encryption of ID data, and session management.
    • Uses an ID token structure, including the authentication of end user via JSON Web Token (JWT).
    • A JWT is used to prove that an authentic source created the originating data.

Two-Phase Commit

  • A two-phase commit ensures that an entire transaction is executed to ensure data integrity.
  • If a portion of a transaction cannot complete, the entire transaction is not performed.

Secure European System for Applications in a Multi-vendor Environment (SESAME) {source}

  • Sophisticated single-sign-on with added distributed access control features and cryptographic protection of interchanged data.
  • To access the distributed system, a user first authenticates ta an Authentication Server to get a cryptographically protected token used to prove his or her ID.
  • The user then presents the token to a Privilege Attribute Server to obtain a guaranteed set of access rights contained in a Privilege Attribute Certificate (PAC). {source}