CompTIA® Security+ Exam Notes : Install And Configure Identity And Access Services

4. Identity and Access Management

4.2 Given a scenario, install and configure identity and access services

Usually, user names and passwords are transmitted in plain text. This kind of transmission of authentication details is not secure: anybody with a packet sniffer can read the login and password.

Kerberos: Kerberos is an authentication protocol that uses secret-key cryptography for secure authentication. In Kerberos, all authentication takes place between clients and servers. The name comes from Greek mythology: Kerberos is the three-headed dog that guarded the entrance to Hades. It was developed by the Massachusetts Institute of Technology (MIT), USA. Kerberos requires that the clocks of the participating systems be approximately synchronized (within 5 minutes of each other); with recent revisions of the Kerberos software this rule has become more flexible. Kerberos uses a Key Distribution Center (KDC) to orchestrate the process. The KDC authenticates the principal (which can be a user, program, or system) and provides it with a ticket. After this ticket is issued, it can be used to authenticate to other principals.

  • When a user first authenticates to Kerberos, he talks to the Authentication Service on the KDC to get a Ticket Granting Ticket (TGT). This ticket is encrypted with the user's password.
  • When the user wants to talk to a Kerberized service, he uses the TGT to talk to the Ticket Granting Service (TGS, which also runs on the KDC). The TGS verifies the user's identity using the TGT and issues a ticket for the desired service.
  • The TGT ensures that a user does not have to enter their password every time they wish to connect to a Kerberized service. The TGT usually expires after eight hours. If the Ticket Granting Ticket is compromised, an attacker can only masquerade as the user until the ticket expires.
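The two exchanges above, worked through as a simulation (this is an added example, not code from the notes or from any Kerberos implementation; the realm name, the PBKDF2 string-to-key and the HMAC-based "seal" cipher are stand-ins for the real Kerberos cryptosystems). It shows why the password never crosses the wire, why the TGT session key is only readable by the real user, and how the KDC enforces the 5-minute clock skew and 8-hour TGT lifetime the notes mention:

```python
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"     # constructed realm name (assumption, not from the notes)
SKEW = 5 * 60             # clock-skew tolerance the notes give (5 minutes)
TGT_LIFETIME = 8 * 3600   # TGT lifetime the notes give (8 hours)

def string_to_key(password, user):
    # Long-term key derived from the password. The KDC stores this key; the password never travels.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + user).encode(), 10_000)

def seal(key, obj):
    # Toy authenticated encryption standing in for Kerberos's real cipher: HMAC keystream XOR plus an HMAC tag.
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    stream = b"".join(hmac.digest(key, nonce + bytes([i]), "sha256") for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.digest(key, nonce + ct, "sha256")

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, nonce + ct, "sha256")):
        raise ValueError("wrong key or tampered ticket")
    stream = b"".join(hmac.digest(key, nonce + bytes([i]), "sha256") for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

class KDC:
    def __init__(self, keys):
        self.keys, self.krbtgt = keys, os.urandom(32)   # principal keys; the TGT key is known only to the KDC
    def as_exchange(self, user, now):
        # Authentication Service: TGT sealed with the KDC key, session key sealed with the user's key.
        sk, exp = os.urandom(32).hex(), now + TGT_LIFETIME
        return seal(self.krbtgt, {"user": user, "sk": sk, "exp": exp}), seal(self.keys[user], {"sk": sk, "exp": exp})
    def tgs_exchange(self, tgt, authenticator, service, now):
        # Ticket Granting Service: check TGT lifetime and authenticator timestamp, then issue a service ticket.
        t = unseal(self.krbtgt, tgt)
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)   # only the TGT's owner holds this session key
        if abs(now - auth["ts"]) > SKEW:
            raise PermissionError("clock skew exceeds 5 minutes")
        return seal(self.keys[service], {"user": t["user"], "sk": os.urandom(32).hex(), "exp": now + TGT_LIFETIME})

def kinit(kdc, user, password, now):
    # Client login: the password is used once, locally, to unlock the session key, then discarded.
    tgt, enc_part = kdc.as_exchange(user, now)
    return tgt, bytes.fromhex(unseal(string_to_key(password, user), enc_part)["sk"])

def get_service_ticket(kdc, user, creds, service, client_clock, kdc_clock):
    # Later requests present the cached TGT plus a fresh timestamped authenticator; no password is needed.
    tgt, session_key = creds
    ticket = kdc.tgs_exchange(tgt, seal(session_key, {"user": user, "ts": client_clock}), service, kdc_clock)
    return unseal(kdc.keys[service], ticket)["user"]   # what the application server learns about the caller
```

A wrong password fails at the client (it cannot unseal the session key), a client clock more than five minutes off fails at the TGS, and a TGT older than eight hours is refused regardless of the password.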

The following are the important properties of Kerberos:

1. It uses symmetric encryption

2. Tickets are time stamped

3. Passwords are not sent over the network

Some of the features of the Kerberos authentication system:

1. Uses a client-server based architecture.

2. The Kerberos server, referred to as the KDC (Key Distribution Center), implements the Authentication Service (AS) and the Ticket Granting Service (TGS).

3. The term "application server" generally refers to Kerberized programs that clients communicate with using Kerberos tickets for authentication; the Kerberos telnet daemon (telnetd) is an example of an application server.

4. Unlike other authentication protocols (FTP, PAP, etc., which transmit passwords over the network), Kerberos does not transmit passwords over the network.

Kerberos uses port 88 by default. FTP uses port 21, https uses port 443, and SNMP uses port 161.

CHAP (Challenge Handshake Authentication Protocol): CHAP works on point-to-point connections. It uses a three-step process for authentication (excluding making the connection itself); if making the connection is also counted, it is a four-step process.

PAP (Password Authentication Protocol) transmits the login and password in clear text. CHAP, MS-CHAP, and MS-CHAP-v2 encrypt the login credentials while transmitting them over the network.
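The three CHAP steps (challenge, response, success/failure) beside a PAP request, as an added example that is not part of the notes. The response is computed the way RFC 1994 specifies, MD5 over the identifier, the secret and the challenge; the secrets and usernames are constructed values:

```python
import hashlib, hmac, os

def chap_challenge():
    # Step 1 (authenticator -> peer): a fresh identifier and a random challenge value.
    return os.urandom(1)[0], os.urandom(16)

def chap_response(ident, secret, challenge):
    # Step 2 (peer -> authenticator): RFC 1994 response = MD5(Identifier || secret || challenge).
    # The secret itself is never placed on the wire, only this one-time hash.
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def chap_verify(ident, challenge, response, stored_secret):
    # Step 3 (authenticator -> peer): Success or Failure after recomputing the expected response
    # from the copy of the secret the authenticator holds.
    expected = hashlib.md5(bytes([ident]) + stored_secret + challenge).digest()
    return "Success" if hmac.compare_digest(expected, response) else "Failure"

def pap_authenticate_request(username, password):
    # PAP by contrast: the Authenticate-Request carries the password itself in the clear.
    return bytes([len(username)]) + username + bytes([len(password)]) + password

def run_chap(peer_secret, authenticator_secret):
    # One complete CHAP handshake; returns the authenticator's verdict.
    ident, challenge = chap_challenge()
    response = chap_response(ident, peer_secret, challenge)
    return chap_verify(ident, challenge, response, authenticator_secret)
```

Because each challenge is fresh, a response captured by a sniffer is of no use against the next challenge, which is the property PAP lacks.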

SAML (Security Assertion Markup Language): The Security Assertion Markup Language is an open standard that allows security credentials to be shared by multiple computers across a network. SAML is an XML-based data format used for Single Sign-On (SSO) in web browsers.

SAML defines three roles:

1. Principal: This is normally a user. The user logs on once.

2. Identity provider: An identity provider creates, maintains, and manages identity information for principals. An Identity Provider (IdP), sometimes called an Identity Service Provider or Identity Assertion Provider, is an online service or website that authenticates users on the Internet by means of security tokens.

The normal Identity Provider process is:

  • Accept a SAML authentication request from the Service Provider a user wants to access.
  • Authenticate the user against your organization's existing authentication service.
  • Collect user data from your organization's existing data stores.
  • Apply policy to control what data is released to which Service Provider.
  • Securely transmit the collected information to the Service Provider.

3. Service provider: A Service Provider (SP) is an entity that provides Web Services such as Application Services, Storage Services, etc. An SP provides services to principals. When a user tries to access a website, the service provider redirects the user to an identity provider for authentication.

LDAP: LDAP, the Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server. Secure LDAP encrypts transmissions with SSL or TLS.

AAA: Authentication, Authorization and Accounting (AAA) is a system for tracking user activities on an IP-based network and controlling their access to network resources. AAA is often implemented as a dedicated server. Examples of AAA protocols include RADIUS and TACACS+.

RADIUS: Remote Authentication Dial-In User Service (RADIUS) is a mechanism that allows authentication of remote and other network connections; it was originally intended for use on dial-up connections. RADIUS enables a single server to become responsible for all remote-access authentication, authorization, and auditing (or accounting) services. It is an authentication and accounting system used by many Internet Service Providers (ISPs): when you dial in to the ISP you must enter your username and password, and this information is passed to a RADIUS server, which checks that the information is correct and then authorizes access to the ISP network. RADIUS implements a client/server architecture, where the typical client is a router, switch, or AP and the typical server is a Windows or Unix device running RADIUS software.
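The client/server exchange described above, as an added example that is not from the notes or from any RADIUS product: the NAS (router, switch or AP) builds an Access-Request in which the User-Password attribute is hidden with the shared secret and Request Authenticator exactly as RFC 2865 section 5.2 describes, and the server reverses it before checking its user store. The shared secret, user name and password are constructed values, and the plaintext user store is a stand-in for a real backend:

```python
import hashlib, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # RADIUS attribute types

def hide_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block),
    # seeded with the Request Authenticator. Reversible only by a party holding the shared secret.
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    # Server side inverse of hide_password; trailing padding is stripped.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(atype, value):
    # Attribute = Type(1) Length(1, header included) Value
    return bytes([atype, len(value) + 2]) + value

def build_access_request(ident, username, password, secret):
    # NAS side. Header = Code(1) Identifier(1) Length(2) Request Authenticator(16), then attributes.
    request_authenticator = os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, request_authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_authenticator + attrs

def parse_attrs(data):
    i, attrs = 0, {}
    while i < len(data):
        atype, length = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + length]
        i += length
    return attrs

def radius_server(packet, secret, users):
    # Server side: validate the header, recover the password with the shared secret, check the user store.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return ACCESS_REJECT
    attrs = parse_attrs(packet[20:])
    password = reveal_password(attrs[USER_PASSWORD], secret, packet[4:20])
    return ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
```

A NAS configured with the wrong shared secret produces a packet the server decodes to garbage and rejects, which is the usual first thing to check when RADIUS authentication fails for every user at once.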

TACACS: Terminal Access Controller Access Control System (TACACS) is a client-server-oriented protocol that operates in a manner similar to RADIUS. Extended TACACS (XTACACS) replaced the original version and combined authentication and authorization with logging to enable auditing.

TACACS+: TACACS+ is a TCP-based access control protocol that allows a device to forward a user's username and password to an authentication server to determine whether access can be allowed. TACACS+ itself can also act as an authentication server, if so configured, and it can also provide authorization and accounting services. TACACS+ services are maintained in a database on a server running the TACACS+ daemon, typically a UNIX or Windows workstation. It provides separate and modular authentication, authorization, and accounting facilities: a single access control server (the TACACS+ daemon) provides each of the three services independently, and each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service.
