CompTIA CASP+ CAS-004 – Chapter 03 – Implementing Advanced Authentication and Cryptographic Techniques
- Chapter Introduction
In this chapter, we’re going to be looking at implementing advanced authentication and cryptographic techniques. In any organization, it’s important to correctly identify the individuals who are logging on to the network, whether through local interactive logons, remote access, or wireless access. We need to be able to correctly identify those individuals so that we can then use that identity to secure their access.
We want to make sure only authorized users are able to access our systems. And so we’re going to be talking about a number of advanced concepts, and then we’ll move into cryptographic techniques and implementations. Of course, cryptography is the use of encryption algorithms and signing algorithms to ensure both confidentiality and data integrity.
- Topic A: Understanding Authentication and Authorization Concepts
In this first topic we’ll be looking at just getting an understanding of various authentication and authorization concepts. We will cover the basics briefly just to make sure everybody is on the same page. But then we’re going to look into some more advanced types of authentication and authorization.
- Authentication
So first, authentication is simply the process of proving the identity of a requester of network services, the requester of an application, the requester of data. We have to be able to prove the identity of a user. So we’re asking the user to prove their identity. How do we do that? Well, typically we ask them for certain credentials, right? There are technically two parts to authentication. The first part is identification: the user says this is who I am. They profess an identity to the access control system. The second part is authentication, which actually validates the user.
And so it looks for a unique identifier and checks that the user has actually provided the appropriate credentials. So if you’re trying to differentiate between these two, you need to know that identification identifies the user, and authentication verifies that the identity provided by the user is valid. Now typically we just call both of them authentication, but technically they are two separate things. Authentication is implemented after the user professes: this is my username and here is my password. Right? So “this is my username” is the identification process. The authentication process is: did you type in the right password?
Of course there are other types of authentication that can be done. There are basically five different broad categories. The first is knowledge factor authentication; another way of saying it is something you know. A good example of that, of course, would be the password, but that doesn’t have to be the only type of knowledge factor. We could also ask for things like date of birth, mother’s maiden name, a key combination, or a PIN. All of those are knowledge factors, and it’s also referred to as a type one authentication factor. Then we have ownership factors. Ownership is something the person has, so they actually have to physically have something. It’s called a type two authentication factor. Well, what is it that they can have? They could have a token device. This is a handheld device that presents the authentication server with a one time password. So if the authentication method requires a token device, then the user actually has to be in physical possession of this thing in order to authenticate. It’s called a type two device because it requires ownership of that device. This is typically only done in extremely secure environments because it’s fairly costly to deploy that device.
Another type of ownership factor would be a memory card, a swipe card that’s issued to a valid user. That card carries their particular authentication information, and it’s read by a card reader. This is similar to, but not the same as, a smart card. A smart card accepts, stores, and sends data, and can hold more data than a memory card. They’re also known as ICCs, integrated circuit cards. They contain memory but they also contain a chip, like a bank or credit card smart card would use, and require a smart card reader as part of the keyboard or sometimes as part of the laptop itself. Then we have characteristic factors.
This is something a person is. So when you talk characteristics, now you’re getting into type three authentication factors and biometrics. Biometrics is a technology that allows users to be authenticated based on who they are: their physiological characteristics or their behavioral characteristics, such as iris, retina, fingerprint, voice recognition, facial recognition, et cetera. Other factors are location based, and then action. Location is somewhere a person is; you have to be within the vicinity. For instance, you have to be within our wireless network.
An action factor is something a person does. So for instance, they have a real time code that was sent to them or accepting an authentication on an app. Now, keep in mind that if you’re just using one of these, you are using single factor authentication. If you happen to be using more than one of these, then you would be requiring multi factor authentication. And the more factors that you require, the more secure the authentication process.
- The Importance of Identity
So it’s incredibly important that we be able to securely store the identities that are going to be authenticating into our system. So we have identity and account management systems that provide this capability. They have the authentication services that are used to validate the identity that is presented. This is going to provide us with the ability to have centralized management. So I can create accounts in a central place like a domain controller. In Windows networks, they’re always created in the same place. They’re created, generally speaking, using naming conventions like first name, last name for instance. And they’re created with passwords and using certain password complexity requirements. So we have the ability to centrally provide password security.
We can also extend these identity and account management systems to provide federation and single sign on. Now SSO, single sign on, can actually occur within an organization that just has multiple domain controllers and multiple servers. It could just mean that once you log into this collection of systems, you are no longer going to be asked what your username and password is. So in a domain environment, when I log in, I’m authenticated. If I go try to access the file server, I don’t get asked for a username and password again. I don’t get asked for a username and password when I try to print to the printer down the hall. That’s because it’s single sign on within a Kerberos network; Active Directory and Windows use Kerberos, so you have single sign on. The boundary of that is going to be your organization. So in order to extend it beyond the organization, that’s when we get into the federated services and federated trusts that allow my systems to trust the systems of another organization for the purposes of accessing resources.
We mentioned password policies. A lot of the time, authentication is happening via passwords, and in lower security environments that’s the only way that we’re ever going to authenticate or identify anybody. So in those situations it’s incredibly important for us to have secure passwords. But you have to realize that it’s not always something that’s going to be readily accepted by the organization or its users. So let’s talk about some of the types of passwords that you should be familiar with. The first is standard word passwords.
As the name implies, this is basically just a single word. Now it can have a mixture of upper and lowercase letters, and the advantage of course is that it’s easy to remember, but it’s also very easy to crack. And so it’s not recommended that you use dictionary words in a password. Combination passwords use a mix of dictionary words. Most of the time the two words are not really related to one another, and you can have uppercase, lowercase, and numbers.
It’s a little bit harder to break than a standard word password, but it is harder to remember. Static passwords are passwords that are the same for each login. That would be a very minimal level of security because the password never changes. That’s typically only done in much smaller peer to peer type networks. Complex passwords are used in any situation where a user is forced to include a mixture of typically uppercase, lowercase, alphanumeric and special characters. All right, this is the default password complexity in Windows, but the problem in Windows is that it doesn’t force you to not use dictionary words. So you could use Apples1, with a capital A, and beat the complexity requirements. Well, actually that is just a standard word password, and it’s a flaw in the Windows system.
But there are third party add ins that can prevent whole words from being used. Your best bet is to actually come up with a combination password, a couple of words and some numbers, and then go back in and replace some of the numbers with symbols and some of the letters with symbols and numbers, so that there are no complete words there. Passphrase passwords tend to be a longer phrase. Because of the length of the password, it’s much harder to attack, and it also makes it easier to remember.
All right, if you throw in some numbers and symbols, then it’s going to significantly increase authentication security. I think the limit on the number of characters in your password is 128 in a Windows system. So technically you could have the chorus to your favorite song in there, the hook, if you wanted to. It doesn’t matter, but it makes it easy to remember. I actually worked on a system recently where they had configured one of these, and it was just a lengthy password. I don’t know how many characters it was; five or six words with a couple of exclamation points in there. But it was, and still is, something I can remember to this day. It’s very easy to remember while providing a high level of security. Cognitive passwords.
This is a piece of information that can be used to verify the individual’s identity. All right? So it would be something that is asked of the user. These are your security questions, right? What’s your favorite color, your pet’s name, your mother’s maiden name, et cetera. A one time password, also known as a dynamic password, is used to log into the access control system once. It provides the highest level of security because it’s discarded after it’s used. These are heavily used as a second factor of authentication when you’re logging on to a system from a new computer, right? And we’ve all seen this login. If you use Gmail or your bank or credit card websites, you log in from a new browser and what does it want to do? It wants to text you or email you a code.
Well, that is a one time password, and it’s being used as a second factor because you’ve already typed in your username and password. But the site is saying, hey, we recognize something’s different, so we’re going to modify this sign in and ask you for a one time password. Graphical passwords are the CAPTCHA passwords.
So they use graphics as part of the authentication mechanism. Typically it asks you to type in the series of characters that’s shown. At this point, that has sort of graduated to pictures: a tiled picture, and which of the frames has an automobile in it, or a traffic signal, or things like that. It’s predominantly just trying to make sure that we don’t have bots trying to log in and that you are actually a human. And then we have numeric passwords.
This type of password would have only numbers. So you’re a little bit limited here based on the number of digits. If all passwords are four digits, then the maximum number of possible passwords is 10,000, from 0000 to 9999. If the attacker realizes this, it actually becomes pretty easy, because the attacker knows every possible combination and just has to work through them. So those are the different types of passwords, and it’s pretty easy to see which ones are more secure than others.
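The “discarded after it’s used” property of the one time password described above, as an added Python example that is not part of the course material: a small server-side store that issues a numeric code for out-of-band delivery and invalidates it on first successful use, on expiry, and after too many wrong guesses. The code length, lifetime and attempt limit are constructed values, and the injectable clock exists only so the behaviour can be exercised offline.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6          # constructed: typical length of a code sent by SMS or e-mail
OTP_TTL_SECONDS = 300   # constructed: the code lives five minutes
MAX_ATTEMPTS = 3        # constructed: wrong guesses allowed before the code is discarded


class OneTimePasswordStore:
    """Issues and verifies single-use codes delivered out of band.

    A code is consumed by exactly one successful verification, and it is
    also thrown away once it expires or once too many wrong guesses are made,
    so it can never be replayed as a second factor."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing; defaults to wall clock
        self._pending = {}             # user -> (code, expires_at, attempts_left)

    def issue(self, user: str) -> str:
        """Create a fresh code for the user; the caller passes it to the delivery channel."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user] = (code, self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user: str, submitted: str) -> bool:
        """Check the submitted code; every outcome except 'wrong but attempts remain'
        removes the pending code so it cannot be used again."""
        entry = self._pending.get(user)
        if entry is None:
            return False                         # nothing outstanding (or already used)
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at:
            del self._pending[user]              # expired: discard
            return False
        if hmac.compare_digest(code, submitted): # constant-time comparison
            del self._pending[user]              # single use: discard on success
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[user]              # too many wrong guesses: discard
        else:
            self._pending[user] = (code, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    store = OneTimePasswordStore()
    code = store.issue("alice")                  # in practice this would be texted/e-mailed
    print("first use:", store.verify("alice", code))    # True
    print("replay:", store.verify("alice", code))       # False, the code was discarded
```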
- Additional Password Options
There are a number of other password settings that can be used to enhance or possibly even diminish network security. Just depends on how they are set. Password lifetime is how long the password will be valid. In a lot of situations, it’s going to be 60 days, 90 days. Password history would be the number of passwords that are remembered by the system before a password can be reused.
Password complexity is just how the password needs to be structured; password length is how long it has to be; and then sometimes you have things like an authentication period for how long the user can remain logged in. So we need to configure these as appropriate for the organization. But typically we do want to utilize these options to ensure that users aren’t just reusing the same passwords over and over and to ensure that they’re not using simple passwords.
- Demo – Enforcing Strong Passwords
In this demonstration, we’re going to take a look at just some options that you have for enforcing strong passwords. I’m actually going to start by going out to the Internet. There are a couple of different password generation websites. One which seems to be popular with users is Dinopass.com. This is a really easy password generator. I know it says awesome password generator for kids. You’d be surprised at the number of adults that like this as well. Now, I don’t like this. Some of these are not going to be great. You say another simple password, and it gives you that. You say another strong password, and it at least makes it a little bit better. Unfortunately, we still got dictionary words, but you can use this as a starting point. You can also learn that this is how we go about creating complex passwords, right? Like, for instance, with this one I would just replace the O with a zero. I might replace this A with an at symbol. Then you have no complete dictionary words at all. And so you can keep going here until you get one that you like. But like I said, usually if you really want to make it complex, you’re going to have to add one other alteration to it.
But Dinopass, like I said, is a good way of doing it. You can instruct users to go here. That certainly doesn’t help you to enforce password policies. We’ll look at how to do that, but beyond just stating a policy that says your password has to be this, we really need some resources for people to use. We need some education for them. If you’ve been in this industry for any length of time, you know that one of three things happens. One is that users are not educated and not forced to set secure passwords, and so they just use the simplest things you can imagine. To them, secure is a capital letter and some numbers. That’s better than nothing, but it’s not very secure. The second one is you enforce secure passwords but don’t really give people any guidance; you just push it on them.
And then what happens is they create somewhat more secure passwords, but then they write them down. The third is that you enforce it, but you provide people with the tools to create secure passwords that they can actually remember. And this is just one of them. I realize it looks like a kids’ site, but they’re decent passwords that adults can utilize, too. So there are some other ones. Strong Password Generator is one. I can never remember the URL of the site, so I always just do a search for it and let it come up.
Actually, let’s forget Bing and go to Google. It’s coming. It was just taking a second, but okay. I don’t know why I can’t ever remember strongpasswordgenerator.com. But that’s the one. And the nice thing about this one, especially if you’re trying to enforce passwords, is... actually that’s not the correct one, it’s passwordsgenerator.net. The nice thing about these is that they are significantly complex passwords, although you have at least some level of control over that. So they’re significantly complex and they can be used for higher level, higher privileged accounts, administrator accounts and whatnot, where in reality we should have strong passwords and we should just deal with it.
LastPass is a good tool to direct users to if they’re having a problem remembering these passwords, because it allows you to create very, very secure passwords and not have to worry about forgetting them, because you can always log into LastPass.com and get that password. I’m not really sure what is taking so long here. Let’s try to open up Firefox. Maybe it’s just Edge. All right, so strong password generator again; that one goes very quickly, and you can see there’s a few of them here. So, first step, weak versus strong. They say strong is over 16 characters, but you just kind of say that this is what you want to generate. And this site is just being finicky today and not actually showing me; it’s just taking forever.
Specify the password length, and what should also come up under that is the number of special characters and whatnot that you need. So anyway, while that’s taking a minute, let me go into how we would actually enforce these. On a Windows network, we would use group policy and we would create password policies. Now, I just opened up the local policy editor, which is not where you would do this. You would do this in a GPO at the domain level, but it’s the same settings, so you can still see the settings here. So we would go into Windows Settings, Security Settings, Account Policies, and we see our Password Policy. All right, and so this would be the way that you would enforce it. Number one, it needs to meet complexity requirements, and you can always double click this and see exactly what it means. In Windows, it’s uppercase, lowercase, numeric and non alphabetic characters. You need three of those four categories. It has to be at least six characters in length or the minimum password length, whichever one is greater.
So here it has to be an eight character password. These are actually defined for me, and these are not the default settings. So this is a 180 day maximum password age; the default setting is 42 days. Then there’s minimum password age, how long I have to wait before I can change it, and then how many passwords it is going to remember: 24. That goes in conjunction with the account lockout policy, which says I can inaccurately type in my password five times before the account is locked out. At that point, it’ll be locked out for 30 minutes, and then it will unlock itself. It will keep tabulating my invalid login attempts for a period of 30 minutes before it resets that counter. Okay, well, for whatever reason, my strong password generator site is just going really slow today. I’m going to give that one more shot to refresh, but it doesn’t look good, so it doesn’t really matter. Random password generator: I was just going to give you a couple of examples of some other ones.
So let’s go to random.org password generators. They generate five random passwords. Each password should be twelve characters long. The passwords will not contain characters or digits that are easily mistaken for one another. And then you can just hit get passwords, and it will just generate. Now those are truly random passwords. You may not want that. You can switch into advanced mode at this point. You can choose the output format. You can choose the randomization, which form to use, and whatnot. But those are truly random. Here we go. This thing finally woke up. Okay, this one I like is a little nicer. Password length, what do you want to include? So I’ll say alphanumeric, symbols, uppercase, lowercase, exclude similar, exclude ambiguous characters, generate here on my device, auto select, et cetera.
And then you go here and hit generate password. Now this one is also nice because it tries to give you some way to remember that. Now, I mean, goodness, I don’t know that that’s going to help you at all, but with each one it will give you that kind of thing, some phrase that you can use. Personally, I just grab that, copy it, make it the password, go right over to LastPass, and plug it in. Okay, so I do go to this level for a few places on the Internet that have been compromised before; we’ve gone, okay, forget it, we’re going to go to 24 character passwords.
It’s just going to be completely random. Nobody’s ever going to get this unless they have a keylogger on my system. So that’s why I like these password generator sites. But the Dinopass site is probably a little bit better from a user awareness perspective. LastPass, as we mentioned, is a great site to utilize as well. And then we use group policy in order to actually enforce these settings. Now this is enforcing the settings for a Windows account. You can’t really enforce settings for web accounts and whatnot, but with your internal web applications and things, you may have different ways to enforce password policies.
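The point made earlier, that a password like Apples1 satisfies the Windows complexity rule (three of four character classes) while still being a dictionary word, and the policy values shown in the demo (eight character minimum, 24 remembered passwords), as an added Python example that is not part of the course material. It is the kind of check an internal web application could run on a password change; the word list and the symbol-substitution table are constructed stand-ins for a real dictionary.

```python
import hashlib
import re
import string
from dataclasses import dataclass

# Policy values taken from the demo's GPO settings; the dictionary and the
# substitution table are constructed for this example.
MIN_LENGTH = 8
HISTORY_DEPTH = 24
DICTIONARY = {"apple", "apples", "password", "welcome", "summer", "dragon"}
# Common symbol/digit substitutions undone before the dictionary lookup,
# so "@pple5!!" is still recognized as the word "apples".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s"})


def password_hash(password: str) -> str:
    """Password history is kept as hashes, never as clear-text passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def windows_style_complexity(password: str) -> bool:
    """The complexity rule as the text describes it: at least three of the
    four classes (uppercase, lowercase, digit, non-alphabetic)."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


def contains_dictionary_word(password: str) -> bool:
    """True when the password's alphabetic core is a dictionary word, even
    after digits and symbols are appended to it or substituted into it."""
    lowered = password.lower()
    candidates = {lowered, lowered.translate(LEET_MAP)}
    for cand in list(candidates):
        candidates.add(re.sub(r"[^a-z]", "", cand))   # drop digits and symbols
    return any(cand in DICTIONARY for cand in candidates if cand)


@dataclass
class PasswordPolicy:
    min_length: int = MIN_LENGTH
    history_depth: int = HISTORY_DEPTH
    dictionary_check: bool = True   # the third-party add-in the text mentions; False = plain Windows rule

    def evaluate(self, password: str, history_hashes: list[str]) -> list[str]:
        """Return the list of violations; an empty list means the password is accepted."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not windows_style_complexity(password):
            problems.append("fewer than 3 of 4 character classes")
        if self.dictionary_check and contains_dictionary_word(password):
            problems.append("built from a dictionary word")
        if password_hash(password) in history_hashes[-self.history_depth:]:
            problems.append(f"reused within the last {self.history_depth} passwords")
        return problems


if __name__ == "__main__":
    windows_only = PasswordPolicy(dictionary_check=False)
    with_dictionary = PasswordPolicy()
    for pw in ("Apples12", "@pple5!!", "Tr4ck3r-Bl!nk-77"):
        print(f"{pw!r}: windows-only={windows_only.evaluate(pw, [])} "
              f"with-dictionary={with_dictionary.evaluate(pw, [])}")
```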
- Biometric Authentication
We mentioned biometrics earlier. Physiological systems use some sort of biometric scanning device to measure certain information about the person. And there are a number of different types of these. There are scanning devices like fingerprint scanners, which usually examine the ridges of a finger for matching. A finger scan extracts only certain features from a fingerprint, so it requires a little less than a fingerprint scanner, although they sound very similar to one another.
You have hand geometry or topography. Hand geometry usually takes into account the size, the shape, and the other layout attributes of a user’s hand, but it can also measure bone length or finger length. There are two kinds of these: mechanical and image-edge detection systems. They don’t require a lot of server space and processing time in comparison to fingerprint scanners and finger scanners. So you have hand geometry, and then you have hand topography. Hand topography is the peaks and the valleys of the hand. A palm or hand scan just combines fingerprint and hand geometry technologies. Facial scans look at facial characteristics: bone structure, eye width, forehead size, et cetera. Retina scan.
It looks at the retina’s blood vessel pattern. Or iris scan, which examines the colored portion of the eye. The retina scan is a bit more intrusive than the iris scan. And then vascular: this is actually looking at the pattern of veins in the user’s hand or face. It’s not very intrusive, but physical injuries to the hand or the face, depending on which the system uses, may cause some false rejections. We also have behavioral systems. These are the ones that are mentioned on the exam.
Signature dynamics is a type of system that measures the stroke speed, the amount of pressure you’re putting on the pen, and the acceleration when you’re writing your signature, and then it analyzes it and identifies you. Keystroke dynamics measures the typing pattern when a user types in their password or some predetermined phrase. Flight time is a term associated with keystroke dynamics: the amount of time it takes to switch between keys.
Dwell time is the amount of time you hold down a key, and so that is a good indicator. It’s tough to copy from one person to another. Voice pattern or print measures the sound pattern of a user saying certain words. And so when the user tries to authenticate, they’ll just be asked to repeat those words in different orders. And if the pattern matches, then the authentication is allowed.
- Biometric Considerations
Some additional considerations if we’re using biometric technologies. First, the enrollment time. This is the process of obtaining the sample that’s used by the biometric system. It requires actions, and these actions are going to be repeated several times. Feature extraction is another consideration: how we are going to obtain this information from a user’s physiological or behavioral characteristics. Accuracy is the most important characteristic of biometrics; we need it to be accurate. Throughput rate is the rate at which it will be able to scan characteristics and complete the analysis to then determine whether to permit or deny access. An acceptable rate of six to ten subjects per minute is generally the guideline.
Single users should be able to complete this process in under 10 seconds. Acceptability is the likelihood that users will accept and follow the system. The false rejection rate (FRR) is the measurement of valid users that would be falsely rejected. This is called a type one error. The false acceptance rate (FAR) is the other way around. This is a type two error: these are invalid users that are accepted, and that’s far more dangerous than a type one error. Then the crossover error rate (CER) is the point at which the FRR equals the FAR. It’s expressed as a percentage, and it is the most important metric. So we want to evaluate biometric systems with those considerations in mind.
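How FRR, FAR and the crossover error rate relate to a matcher’s decision threshold, as an added Python example that is not part of the course material. The genuine and impostor match scores are constructed (0 to 100, higher means a closer match); sweeping the threshold shows that raising it lowers the FAR (type two errors) at the cost of a higher FRR (type one errors), and the CER is where the two meet.

```python
# Constructed matcher scores. Genuine = a valid user matched against their own
# enrolled template; impostor = a different person's sample against that template.
GENUINE_SCORES = [88, 92, 75, 81, 95, 69, 84, 90, 77, 86]
IMPOSTOR_SCORES = [31, 45, 52, 28, 60, 39, 48, 71, 35, 42]


def accept(score: int, threshold: int) -> bool:
    """The system's decision rule: permit access when the match score reaches the threshold."""
    return score >= threshold


def frr(genuine: list[int], threshold: int) -> float:
    """False rejection rate (type one error): share of valid users turned away."""
    return sum(1 for s in genuine if not accept(s, threshold)) / len(genuine)


def far(impostor: list[int], threshold: int) -> float:
    """False acceptance rate (type two error): share of impostors let in."""
    return sum(1 for s in impostor if accept(s, threshold)) / len(impostor)


def error_curve(genuine: list[int], impostor: list[int]) -> list[tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every possible threshold; FRR rises and FAR falls
    as the threshold increases, which is the trade-off the operator tunes."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in range(0, 101)]


def crossover_error_rate(genuine: list[int], impostor: list[int]) -> tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the error rate there (the CER).
    Ties go to the higher threshold, i.e. toward fewer false acceptances."""
    best_diff, best_t = None, None
    for t, rejection, acceptance in error_curve(genuine, impostor):
        diff = abs(rejection - acceptance)
        if best_diff is None or diff <= best_diff:
            best_diff, best_t = diff, t
    return best_t, (frr(genuine, best_t) + far(impostor, best_t)) / 2


if __name__ == "__main__":
    for t in (40, 60, 80):
        print(f"threshold {t}: FRR={frr(GENUINE_SCORES, t):.0%} FAR={far(IMPOSTOR_SCORES, t):.0%}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.0%} at threshold {t}")
```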
- Beyond Single Factor
Now as I mentioned before, if you add additional factors of authentication that is going to increase security. Of course it is also going to increase configuration as well. But it’s just collectively referred to as multifactor authentication. So you can call it dual factor if you want. That’s just two factors, a knowledge and a behavioral. For instance, multifactor is technically a combination of all three factors.
So dual factor would be something like: you know a password but then you also have an iris scan, or you know a password but then you’re asked for a one time password because you’re logging in from a different type of system. Multifactor would be something where you need a PIN, a knowledge factor, you need a retina scan, and you need signature dynamics. So they are classifying multifactor as three factors of authentication. We also have context aware types of authentication, and this is also referred to as context dependent access control.
So it’s going to be based on the subject or object attributes or also environmental characteristics. Okay? And so it can include like the location or the time of day. So the administrators may only for instance allow users to log in from a particular workstation during particular times of the day. Push based authentication involves sending a notification to a user’s device, usually a smartphone, when we’re accessing a protected resource. So that’s often going to ask me for an additional code or just acceptance of the fact that yes, it is me trying to access this resource.
- Certificate Authentication
Certificate based authentication is going to be used in addition to other factors and will raise security levels significantly. If I’m using a digital ID rather than a password or PIN, then it is much more difficult to fake. Essentially, this digital certificate is providing an entity, like a user, with the credentials to prove who I am. It’s like a driver’s license in the IT world, right? I can present my digital certificate, which has been issued to me by a trusted party known as a certificate authority, and that certificate then validates who I am.
Nothing more is necessary: here’s who I am, and my certificate is signed by a trusted certificate authority. So there are a lot of different terms here: public key infrastructure, certificate authority, trust models, cross certification. We’re going to talk about some of these things more later in this course. So for right now, I’ll just say that a PKI is a term for a collection of systems, software, and communication protocols that help to distribute digital certificates, manage digital certificates, and control public key cryptography.
The CA is the server in a PKI. It’s the server that actually issues out and manages the digital certificates. The trust model is all about who you trust. As an example, I always say, well, if you asked me for my driver’s license and I gave you a driver’s license that clearly had been created in Microsoft Word and just printed out and laminated, you wouldn’t accept that. Why wouldn’t you accept it? Well, because it didn’t come from a trusted authority.
You don’t trust that the information on it is valid, because it’s clear that I just made it, so I could say anything I want. I could say whatever I want my name, birth date, et cetera to be. But if it comes from the DMV, if it comes from a state agency, then you’re going to trust it, right? And the same thing goes here. If it comes from a certificate authority that is trusted by both parties, then it’ll be accepted. If it’s coming from an internal CA, it’s not going to be trusted outside the organization. If it’s self signed, it’s like the driver’s license that I made in Microsoft Word, right? So that’s the trust model. Cross certification can be used in situations where you have multiple organizations, multiple PKIs, that need their users to be able to communicate via internally issued certificates, and so they will cross certify. So I’ll trust your CA, your CA trusts my CA, and then we can trust one another’s certificates. All right? So those are the ways in which the certificate can be used to authenticate.