CompTIA CASP+ CAS-004 – Chapter 03 – Implementing Advanced Authentication and Cryptographic Techniques Part 2
- Authorization
Now, once a user is successfully identified, they have to be granted rights and permissions to resources, and that process is referred to as authorization. Identification and authentication have to precede authorization, but they don’t imply authorization. So I’ve always said it like this: just because you are who you say you are doesn’t mean that you can do whatever it is you’re trying to do. Right? And so you could liken it to somebody producing an identity to get into a VIP party when they’re not on the list. Well, okay. Yes, you are Sam Smith. Yes, you were born in Pittsburgh, Pennsylvania, and your birthday is XY, whatever it is, but you’re not on the list, so you’re not getting in. You have a valid identity. It comes from a valid entity, the DMV, the state agency. But it doesn’t matter because you’re not allowed access. So that’s what authorization is all about. I have to know who you are before I can determine if that individual, that identity, is authorized.
But just because you are that person doesn’t mean you’re authorized. So that gets us into these access control models. An access control model is essentially a formal description of the organization’s security policy. They’re implemented to simplify the administration of access control, and they do so by grouping objects and subjects. The subjects are the people who are requesting access to an object, like a file, a folder, a printer. So you get users, computers, processes. Those are subjects. The objects are the entities that contain the information or functionality. So this is databases, files, programs, directories, computers. Now, computers can actually be both subjects and objects. It just depends on exactly what’s happening in the scenario. But if you’re going to have a secure access control model, you need to make sure that information in a higher-classified object can’t flow to an object with a lower classification. And you’re also going to need to make sure that objects aren’t accessible by unauthorized users. So we’re going to talk about the different access control methods.
And you do need to be familiar with all of these. DAC, or Discretionary Access Control, is the first. This is a type of access control where the owner of an object specifies the subjects that can access that particular resource. It’s typically used in local, dynamic situations where we are just granting permissions to whomever needs access rights. Unfortunately, it can be an administrative burden because the person who creates the object has to actually grant the privileges. There’s not really a centralized way of doing it. Nondiscretionary access control would obviously be the opposite of DAC. In this type of situation, access controls are configured by the administrator or another authority that decides which subjects have access to which objects.
And that’s based on the organization’s policy. An example of that, while it’s not in the list, is Microsoft’s Dynamic Access Control, which is unfortunate because it has the exact same acronym as Discretionary. So Discretionary Access Control models essentially use a permissions list, called a DACL, on each file and folder, and it identifies the users and groups that can access it. By default, the only person who has rights to that object is its owner, and they would be able to grant permissions to that object. With Dynamic Access Control, it’s more policy based and more centrally managed. But I digress, because that’s really more of a Microsoft thing. So Mandatory Access Control is the next; this bases subject authorization on security levels or security labels.
Mandatory Access Control is often described as prohibitive because it’s based on the label system. Basically, anything that’s not expressly permitted is forbidden. And only administrators have the ability to change the category of a resource. So it is more secure than Discretionary Access Control, but DAC is more flexible and scalable. With Mandatory Access Control, you are assigning labels like secret, top secret, confidential and unclassified. And then the subject’s security level determines whether or not they can access a particular object given its label. Role-Based Access Control is an access control model where each subject is assigned one or more roles.
These roles are typically hierarchical. Often collections of roles can be assigned to a particular individual. And if whatever task I’m trying to perform is associated with a role that’s assigned to my user account or to a group that I belong to, then I’m able to perform those functions. RBAC usually has a much lower implementation cost than the other models. It’s very popular in applications. In fact, that’s typically where it’s used, because the authorization can be completely handled by the application. You can utilize Windows logins or just accounts that are created within the application, but you don’t ever actually have to go and change group memberships in Active Directory. You can manage all of the permissions right there from within the application.
All right? But then you have Rule-Based Access Control, which is a method that facilitates frequent changes to data permissions. So you have a security policy with global rules that are imposed for all users, and profiles that are used to control access. A lot of routers and firewalls are using this type of access control, right? It’s based on rules. Determining whether packet types are allowed or denied is based on a rule. I have a list of rules that define all the traffic that’s allowed, and if a packet gets all the way to the bottom, then there’s a rule that denies it. So that’s typically where that would be used. Content-dependent access control makes access decisions based on an object’s data. So it’s looking at the data inside the object, and the data that a user sees may change based on the policies and access rules that are applied.
An access control matrix is a table that consists of a list of all the subjects, a list of the objects, and a list of the actions that a subject can take on a particular object, and it’s just a way of tracking permissions. ACLs, access control lists, correspond to the object columns in the access control matrix. The ACL just lists all the rights a particular subject will have on a particular object. Access control policies define methods for identifying and authenticating users, as well as the level of access that’s granted to them.
And so this is just a policy as a whole: guidelines, best practices, et cetera. But it’s very important, because if an organization doesn’t adopt one of these, they’re going to have trouble assigning, managing, and administering access. Default no access is just another way of saying, hey, if you’re not explicitly granted access, then you’re not going to be allowed access. There is no implicit allow. There is only an implicit deny, or possibly even an explicit deny at the end of everything. So those are the different access control models. The first three are what we see used when we’re talking about user-based authentication, and some of these others are really just terms that you need to be familiar with.
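To make the access control matrix, the ACL derived from its object column, default no access, and the mandatory label check concrete, here is an added example (not from the course); the subjects, objects, rights and labels are constructed for illustration.

```python
from enum import IntEnum

# Added example (not from the course): an access control matrix, the ACLs
# derived from its object columns, and a mandatory label check on top.


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Constructed access control matrix: subject -> object -> set of rights.
# Anything not listed is denied (default no access / implicit deny).
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "notes.txt": {"write"}},
    "bob": {"payroll.xlsx": {"read"}},
    "svc_backup": {"payroll.xlsx": {"read"}, "db01": {"read"}},
}

# Constructed MAC labels: a clearance per subject, a label per object.
CLEARANCE = {"alice": Level.SECRET, "bob": Level.CONFIDENTIAL,
             "svc_backup": Level.TOP_SECRET}
LABEL = {"payroll.xlsx": Level.SECRET, "db01": Level.TOP_SECRET,
         "notes.txt": Level.UNCLASSIFIED}


def acl(obj):
    """The object's column of the matrix: which subjects hold which rights."""
    return {s: rights[obj] for s, rights in MATRIX.items() if obj in rights}


def dac_allowed(subject, obj, action):
    """Discretionary check straight from the matrix, default no access."""
    return action in MATRIX.get(subject, {}).get(obj, set())


def mac_allowed(subject, obj, action):
    """Label check: read only at or below your clearance, write only at or
    above it, so data never flows from a higher label to a lower one."""
    clearance, label = CLEARANCE[subject], LABEL[obj]
    if action == "read":
        return clearance >= label
    if action == "write":
        return clearance <= label
    return False


def allowed(subject, obj, action):
    """Both the owner-granted right and the mandatory label rule must pass."""
    if subject not in CLEARANCE or obj not in LABEL:
        return False  # unknown subject or object: implicit deny
    return dac_allowed(subject, obj, action) and mac_allowed(subject, obj, action)
```

Note that alice holds a DAC write right on notes.txt but is still denied, because writing SECRET-cleared data into an UNCLASSIFIED object would be a flow to a lower classification.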
- Open Authorization
Open Authorization, otherwise known as OAuth, is a standard for authorization that allows users to share private resources from one site to another without using credentials. So it’s a single sign-on of sorts. It’s sometimes called the valet key for the web, where a valet key only gives the valet the ability to park your car but not to access the trunk. In the same way, OAuth uses tokens that give restricted access to a user’s data when the client application requires that access.
The tokens are issued by an authorization server, and that allows interaction between those web applications. So it’s really a good choice whenever one application uses another application’s API on behalf of a user. A good example of that would be a geolocation application that’s integrated with Facebook. OAuth gives that geolocation application a secure way to get an access token for Facebook without revealing the Facebook password to the geolocation application itself.
- XACML
Another standard that you should be familiar with is the Extensible Access Control Markup Language, or XACML. This is a standard for an access control policy language using XML. The goal is to create an attribute-based access control system that’s based on a number of different criteria. It also decouples the access decision from the application or the local machine.
And so it gives the ability to have fine-grained control over activities based on different criteria, like the attributes of the user requesting access (so, for instance, everybody who’s a manager in a particular city), the protocol over which the request is made, like HTTPS, and then the authentication mechanism (so, for example, the requester has to be authenticated with a certificate). There are a number of different distributed components. These include the Policy Enforcement Point, or PEP, which is the entity protecting the resource that a subject is trying to access.
When it receives a request from the subject, it creates an XACML request based on the attributes, the requested action, the resource trying to be accessed, and other information. Then you have the Policy Decision Point, or PDP. This is the entity that retrieves all of the applicable policies, compares the request with the policy, and then transmits the answer back, which is just access or no access. This protocol or standard is really valuable because it’s able to function across different application types.
So it’s a good solution when you have disparate applications that use their own authorization logic within the enterprise. Developers can then remove the authorization logic from the application and centrally manage access using policies that can be modified based on business needs, and you don’t have to make any additional changes to the application itself.
- SPML
Another open standard for exchanging authorization information between cooperating organizations is Service Provisioning Markup Language, or SPML. It’s another XML-based framework. It was developed by the Organization for the Advancement of Structured Information Standards, or OASIS. It has three main components: the Requesting Authority (RA), which is the entity that makes the provisioning request; the Provisioning Service Provider, or PSP, the entity that responds to the RA’s request; and then the PST, or Provisioning Service Target, which is the entity that actually performs the provisioning. In this case, you have a trust relationship that’s established between two organizations with web-based services. One of them is acting as the requesting authority and the other one is acting as the PSP. The trust relationship uses SAML, or Security Assertion Markup Language, in a Simple Object Access Protocol, or SOAP, header. It’s the SOAP body that actually transmits these requests and responses.
- Authorization Concepts
Let’s talk about some other authorization concepts that you need to be familiar with. The first is attestation. This allows changes to a user’s computer to be detected by authorized parties. Alternatively, it can allow a machine to be assessed for the correct version of a particular piece of software, or for the presence of a particular piece of software on the computer. And so that can play a role in defining what a user is allowed to do in a particular situation. So let’s say, for example, you have a server that holds credit card information for customers. The policy being implemented calls for authorized users on authorized devices to access the server, but only if they’re also running authorized software. So in this scenario, three goals would have to be achieved. We have to make sure the user is authorized, by using authentication and authorization.
The machine has to be authorized using the same two functions. And then we have to identify that it is running authorized software. This is done by attestation, and the attestation has to be done before the access is going to be allowed. Then we have identity proofing. This is an additional step in the identification step of authentication. An example of this would be the presentation of secret questions, right? Questions that only the individual undergoing authentication would know the answer to. So the subject still has to provide credentials like a username and password.
But then there’s this additional step to help mitigate instances where the password might be compromised. Identity propagation is the passing or sharing of a user’s or device’s authenticated identity information from one part of a multi-tier system into another. In most cases, each of the components in the system is going to have to do its own authentication. So identity propagation allows this to happen pretty seamlessly. And there are several approaches to performing this. Some systems, like for instance Active Directory in a Microsoft network, use a proprietary method and tickets to perform identity propagation. So the user requests a service ticket for a particular resource, and then that service ticket is signed by the Kerberos server, the domain controller, and passed to the server that is holding the resource. Federation is another concept that is necessary for us to understand. Federated identities are portable across businesses and domains.
Federation really provides single sign-on across organizational and domain boundaries. And so in federated identity management, each organization that joins the federation agrees to a common set of policies and standards. And it’s those policies and standards that then define exactly how we’re going to provision and manage user identification. There are two basic models for this. There’s the cross-certification model, where each organization certifies that the other one is trusted. And then there’s the trusted third party model.
Microsoft, for instance, has the Microsoft Federation broker, where we can enable the sharing of information across organizational boundaries without a direct trust between them, because they both trust the federation broker. There are a few different standards for this. OpenID and Shibboleth are a couple of those, and both of them are open standards that provide single sign-on for federation. The final one is WAYF, Where Are You From. This is another SSO system that allows credentials to be used in more than one place. It’s been used to allow a user from a participating institution to log in by simply identifying the institution that is their home organization. And then that organization plays the role of identity provider to the other institutions.
- Trust Models
At some point earlier we had mentioned RADIUS, Remote Authentication Dial-In User Service. And that comes into play when we start talking about trust models. RADIUS allows you to centralize authentication functions for all network access devices. With RADIUS we can be using dial-up remote access, VPNs, wireless access points and security-enabled switches.
Each of these devices can be configured as a RADIUS client. They are then the authenticator. The supplicant is the actual client that’s making the request, the device seeking authentication. The authenticator is the RADIUS client, and the RADIUS server is the authentication server. Now, the RADIUS server may contain usernames and passwords, or more likely it is querying that information from an identity management database. LDAP is the Lightweight Directory Access Protocol, and it’s a protocol that’s used with directory services. A directory service is essentially a database that’s designed to centralize data management in regards to network subjects and objects.
Your typical directory has a hierarchy of objects. This includes users, groups, servers, client workstations, organizational units and so on. And the directory service standard is LDAP for locating those objects within the directory. It’s based on the earlier standard, which was X.500, but LDAP is a lot simpler than X.500. Active Directory is Microsoft’s implementation of LDAP. It organizes directories into forests and trees, domains and OUs, and it’s used to manage those accounts. It’s also another example of a single sign-on system. In fact, it uses the same authentication and authorization system as is used in Unix, and that is known as Kerberos.
- Topic B: Cryptographic Techniques
- Introduction to Cryptography
In this next topic, we’re going to be looking at cryptographic techniques. Cryptography is one of the most complicated domains in the security knowledge base. It’s also a crucial factor in protecting data at rest, as well as data in transit. Essentially, it’s the science that involves either hiding data or making data unreadable by transforming it. And so in this section, we’re going to be looking at the ways in which cryptography works.
- Cryptographic Techniques
There are a number of different cryptographic techniques that are employed, and these are going to be based on the needs of the enterprise. It’s really important that we choose the correct technique, and that’s going to involve examining the context of the data and trying to determine which technique to use. As a security professional, you need to consider the data type, the sensitivity level, the data’s value, as well as any threats to the data. And there are a number of techniques that we need to understand. We’ll go through these in this section: key stretching, hashing, digital signatures, message authentication codes, code signing, pseudo-random number generation, perfect forward secrecy, as well as the data in transit, data at rest and data in memory types of encryption.
- Key Stretching
So we’ll start with key stretching. Key stretching, also referred to as key strengthening, is a cryptographic technique that involves making a weak key stronger by increasing the time that it takes to test each possible key. In key stretching, the original key is fed into an algorithm to produce an enhanced key, which should be at least 128 bits to actually be effective.
If key stretching is used, then an attacker would have to try every possible combination of the enhanced key, or try likely combinations of the initial key. And so what it does is it slows them down, because they have to compute the stretching function for every guess in the attack. Some examples of products that use key stretching are PGP (Pretty Good Privacy), the GNU Privacy Guard (GPG), and Wi-Fi Protected Access (WPA and WPA2).
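As an added example (not from the course), the following shows key stretching with PBKDF2 from Python’s standard library: a passphrase is fed through the function to produce a 256-bit enhanced key, the stored record is verified by recomputing it, a work-factor helper shows why every guess costs the full iteration count, and the WPA2 pre-shared key derivation (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt) is reproduced. The passphrases and salt are constructed; the WPA2 parameters are those of the standard.

```python
import hashlib
import hmac
import os
import time

# Added example (not from the course): key stretching with PBKDF2.


def stretch(passphrase, salt, iterations=600_000, length=32):
    """Feed a weak key (the passphrase) through PBKDF2-HMAC-SHA256 to get an
    enhanced key. length=32 bytes is a 256-bit key, above the 128-bit minimum."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, length)


def enroll(passphrase, iterations=600_000):
    """Store the salt, the iteration count and the stretched key, never the passphrase."""
    salt = os.urandom(16)  # random per-record salt
    return {"salt": salt, "iterations": iterations,
            "key": stretch(passphrase, salt, iterations)}


def verify(record, passphrase):
    """Recompute the stretched key with the stored parameters; compare in constant time."""
    candidate = stretch(passphrase, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def work_factor_seconds(iterations):
    """Seconds one derivation costs at this iteration count. Because the
    attacker must pay this for every guess, a defender picks the count so a
    legitimate login stays fast while each guess stays expensive."""
    salt = b"constructed-salt"  # constructed, fixed so runs are comparable
    start = time.perf_counter()
    stretch("constructed passphrase", salt, iterations)
    return time.perf_counter() - start


def wpa2_psk(ssid, passphrase):
    """WPA2-Personal: the 256-bit PSK is PBKDF2-HMAC-SHA1 over the passphrase
    with the SSID as salt and 4096 iterations (IEEE 802.11i)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")
    print("verify ok:", verify(rec, "correct horse battery staple"))
    for n in (1_000, 100_000):
        print(f"{n:>7} iterations: {work_factor_seconds(n):.4f} s per guess")
    # 802.11i test vector: SSID "IEEE", passphrase "password"
    print("WPA2 PSK:", wpa2_psk("IEEE", "password").hex())
```

The WPA2 test vector in the block comes from the 802.11i specification; with a real SSID and passphrase the same function yields the key the access point and client both derive.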