Shared Flashcard Set

Details

fight me
19
Astronomy
Not Applicable
08/30/2018

Cards

Term
Identity Proofing
Definition

Process of verifying that people are who they claim to be prior to issuing them credentials

Term
Self-service password reset systems
Definition

Password recovery systems; they reduce administrative overhead. The most common may be “I Forgot my Password”. They have inherent risks due to their automated nature.

Term
Password history
Definition

Remembers past passwords and prevents users from reusing passwords

Term
Min password age
Definition

Prevents users from changing their password until a certain period of time has passed

Term
Smart cards
Definition

Holds an embedded certificate; Holds the user’s private key, and it is matched with a public key.

PKI supports the use of smart cards

Common Access Card (CAC) - Smart card used by the DoD (Department of Defense)

Personal Identity Verification (PIV) - Smart card used by federal agencies

Term
Token / key fobs
Definition

Issues an OTP (one-time password)

Term
HOTP (HMAC-based OTP)
Definition

Uses an algorithm to combine a secret key and an incrementing counter

Uses HMAC for hashing

OTP remains valid until used

Term
TOTP (Time-based OTP)
Definition

Password changes at certain time intervals

Password usually expires after 30 seconds

Term
Biometrics
Definition

Uses biological data for authentication

Term
Geolocation
Definition

Used to determine the location of the user

Term
Gestures
Definition

Performing a set of actions for authentication

Term
Kerberos
Definition

Uses tickets for authentication

KDC issues ticket granting tickets (TGT)

Tickets are time stamped, meaning all systems have to be synchronized within five minutes of each other.

Has a database of subjects and users (Active Directory)

Uses port 88

Term
LDAP
Definition

Extension of the X.500 standard; used to communicate with directories such as Active Directory, with which it is frequently used.

Port 389

Term
LDAPS (Secure LDAP)
Definition

Uses SSL / TLS

Port 636

Term
SSO (Single Sign On)
Definition

Enhances security by requiring users to use and remember only one set of credentials

Can also be used with a federated database / federation (a group of organizations sharing a similar database)

Can also be used with SAML, which is XML-based and used for web-based portals

SAML has three components:

Principal - The user

Identity provider - Provides the credentials

Service provider - The organizations in a federation

Term
Transitive Trusts
Definition

  • A trusts B

  • B trusts C

  • So A trusts C

  • Can be problematic from a security perspective

  • Allows for SSO

Term
PAP
Definition

Authenticates a remote session using only a cleartext password. Antiquated.

Term
CHAP
Definition

  • Improvement on PAP; uses a three-way challenge handshake. (CHAP challenges the user for credentials. The user responds with credentials. CHAP replies with an accept or deny message. Repeats this handshake constantly throughout the transmission for added security.)

Term
Role-BAC (RBAC)
Definition

  • Uses roles based on jobs and functions

  • Uses a matrix that matches the roles with required privileges

  • Commonly accomplished with group-based privileges. Reduces administrative overhead.

Term
Rule-BAC (RBAC)
Definition

  • Based on a set of approved actions. Usually accomplished with the use of an access control list.

  • Can modify rules in response to security incidents

Term
Discretionary AC (DAC)
Definition

  • Every object has an owner

  • Owner establishes access for the object

  • Owner has full, explicit control of the object

  • NTFS is used by Microsoft and is the most commonly used DAC

Term
Mandatory AC (MAC) (implemented often in government situations)
Definition

  • Uses sensitivity labels for users and data

  • Sensitivity labels often reflect classification levels of data and clearances granted to individuals

Term
Attribute-based access control
Definition

  • Evaluates attributes and grants access based on the value of these attributes

  • Subject: Typically a user

  • Object: Resource that the user is trying to access

  • Action: Task user is attempting to perform

  • Environment: Everything outside of the other attributes