Lesson 7: Implementing Authentication Controls

Uploaded by Phan Sư Ýnh

Lesson 7

Implementing Authentication Controls


Topic 7A
Summarize Authentication Design Concepts

CompTIA Security+ Lesson 7 | Copyright © 2020 CompTIA Properties, LLC. All Rights Reserved. | CompTIA.org 2
Syllabus Objectives Covered

• 2.4 Summarize authentication and authorization design concepts

Identity and Access Management

• Subjects
  • Users or software that request access
• Objects
  • Resources such as networks, servers, and data
• Identification
  • Associating a valid subject with a computer/network account
• Authentication
  • Challenge to the subject to supply a credential to operate the account
• Authorization
  • Rights, permissions, or privileges assigned to the account
• Accounting
  • Auditing use of the account

Authentication Factors

• Something you know
  • Knowledge factor
  • Password
  • Personal identification number (PIN)
  • Swipe pattern
  • Challenge questions/password reset
• Something you have
  • Ownership factor
  • Hardware tokens and fobs
• Something you are/do
  • Biometric factor

Authentication Design

• Meet requirements for confidentiality, integrity, and availability
• Confidentiality
  • Keep credentials secure
• Integrity
  • Threat actors cannot bypass or subvert the authentication mechanism
• Availability
  • The mechanism does not cause undue delay or support issues

Multifactor Authentication

• Strong authentication requires two (or three) types
  • Knowledge factor only is weak in terms of confidentiality
• Multifactor authentication (MFA)
• Two-factor authentication (2FA)
  • Something you KNOW and something you HAVE
  • Something you KNOW and something you ARE
  • NOT something you KNOW and something else you KNOW

Authentication Attributes

• Somewhere you are
  • Geolocation via location services
  • IP location (logical versus geolocation)
  • Switch port, virtual LAN (VLAN), or wireless network name
• Something you can do
  • Performing an action in a way that can be captured as a unique pattern
• Something you exhibit
  • A behavior or personality trait that can be captured as a unique pattern
• Someone you know
  • Web of trust

Topic 7B
Implement Knowledge-based Authentication

Syllabus Objectives Covered

• 1.2 Given a scenario, analyze potential indicators to determine the type of attack
• 3.8 Given a scenario, implement authentication and authorization solutions
• 4.1 Given a scenario, use the appropriate tool to assess organizational security (Password crackers only)

Local, Network, and Remote Authentication

• Authentication providers
  • Passwords versus password hashes
• Windows authentication
  • Local sign-in
  • Network sign-in (Kerberos and NTLM)
  • Remote sign-in
• Linux authentication
  • /etc/passwd and /etc/shadow
  • Pluggable authentication modules (PAMs)
• Single sign-on (SSO)

Kerberos Authentication

• Single sign-on authentication and authorization provider
• Clients
• Application servers
• Key Distribution Center (KDC)
  • Authentication Service – Ticket Granting Ticket
  • Ticket Granting Service – Service Ticket

Kerberos Authorization


PAP, CHAP, and MS-CHAP Authentication

• Password authentication designed to work with remote access protocols (Point-to-Point Protocol)
• Password Authentication Protocol (PAP)
  • Completely unsecure
• Challenge Handshake Authentication Protocol (CHAP)
  • Challenge/Response similar to NTLM
  • Challenge is repeated during the session to prevent replay
  • Various implementations (Cisco, MS-CHAPv2)
  • Not secure enough to use without an encrypted tunnel
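The CHAP challenge/response exchange from this slide, worked through as an added example (it is not part of the CompTIA course material). The response construction, MD5 over the identifier, the shared secret and the challenge, is the one RFC 1994 specifies; the secret value, the `Authenticator`/`Peer` class names and `run_exchange` are constructed for illustration. It shows why the secret never crosses the link and why re-challenging during the session defeats replay of a captured response.

```python
import hashlib
import hmac
import os

# Constructed shared secret for this example; in PPP both peers are configured with it out of band.
SHARED_SECRET = b"example-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP (MD5 algorithm): Response = MD5(Identifier || secret || Challenge).
    MD5 is what the protocol specifies, not a choice made here."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Access-server side: issues a fresh random challenge and checks the peer's response."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = {}  # identifier -> challenge value awaiting a response

    def challenge(self) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        value = os.urandom(16)  # new random value for every challenge
        self.outstanding[self.identifier] = value
        return self.identifier, value

    def verify(self, identifier: int, response: bytes) -> bool:
        value = self.outstanding.pop(identifier, None)  # each challenge is usable once
        if value is None:
            return False
        expected = chap_response(identifier, self.secret, value)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: proves knowledge of the secret without ever sending it."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_exchange():
    """Returns (first_ok, replay_ok, wrong_secret_ok): a valid peer passes, a captured
    response replayed against a later challenge fails, and a peer with the wrong secret fails."""
    nas, peer = Authenticator(SHARED_SECRET), Peer(SHARED_SECRET)

    ident, chal = nas.challenge()
    resp = peer.respond(ident, chal)  # this is all an on-link observer sees: no plaintext secret
    first_ok = nas.verify(ident, resp)

    ident2, _chal2 = nas.challenge()  # periodic re-challenge during the session
    replay_ok = nas.verify(ident2, resp)  # old response replayed: challenge differs, so it fails

    ident3, chal3 = nas.challenge()
    wrong_ok = nas.verify(ident3, Peer(b"wrong-secret").respond(ident3, chal3))
    return first_ok, replay_ok, wrong_ok


if __name__ == "__main__":
    print(run_exchange())  # (True, False, False)
```

The slide's last point still applies: the observer does see the challenge and the response, which is why CHAP and MS-CHAPv2 are deployed inside an encrypted tunnel rather than on their own.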

Password Attacks

• Plaintext/unencrypted
  • Sniffing passwords from unsecure protocols
  • Locating passwords in documents/code repositories
• Online password attack
  • Adversary interacts with authentication service
  • Restrict logon rates
  • Shun suspect hosts
  • Horizontal brute force/password spraying
• Offline attacks
  • Password database
  • Hash transmitted directly
  • Hash used as key to sign an HMAC
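Detection logic for the online-attack controls on this slide (restricting logon rates and shunning suspect hosts), as an added example that is not part of the course material. It distinguishes a vertical brute force (one source, many failures on one account) from horizontal password spraying (one source, one or two failures across many accounts). The sshd-style log lines, the TEST-NET addresses and the thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (sshd-style wording, documentation IP ranges); not from any real system.
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[1001]: Failed password for alice from 203.0.113.5 port 50110
2024-05-01T09:00:04 sshd[1002]: Failed password for alice from 203.0.113.5 port 50111
2024-05-01T09:00:07 sshd[1003]: Failed password for alice from 203.0.113.5 port 50112
2024-05-01T09:00:10 sshd[1004]: Failed password for alice from 203.0.113.5 port 50113
2024-05-01T09:00:13 sshd[1005]: Failed password for alice from 203.0.113.5 port 50114
2024-05-01T09:00:16 sshd[1006]: Failed password for alice from 203.0.113.5 port 50115
2024-05-01T09:05:00 sshd[1101]: Failed password for bob from 198.51.100.9 port 40001
2024-05-01T09:05:30 sshd[1102]: Failed password for carol from 198.51.100.9 port 40002
2024-05-01T09:06:00 sshd[1103]: Failed password for dave from 198.51.100.9 port 40003
2024-05-01T09:06:30 sshd[1104]: Failed password for erin from 198.51.100.9 port 40004
2024-05-01T09:07:00 sshd[1105]: Failed password for frank from 198.51.100.9 port 40005
2024-05-01T09:07:30 sshd[1106]: Failed password for grace from 198.51.100.9 port 40006
2024-05-01T09:30:00 sshd[1201]: Failed password for heidi from 192.0.2.7 port 30001
2024-05-01T09:30:05 sshd[1202]: Accepted password for heidi from 192.0.2.7 port 30002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(log_text):
    """Return sorted (timestamp, user, source_ip) tuples for failed logons only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "Failed":
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return sorted(events)


def analyze(log_text, window=timedelta(minutes=10), account_limit=5, spray_accounts=5):
    """Per source IP, slide a window over its failures and flag:
    - brute_force: >= account_limit failures against a single account inside the window
      (the rate-limit / lockout condition)
    - spray: >= spray_accounts distinct accounts inside the window (shun the host)
    Sources that trip neither threshold are not reported."""
    per_src = defaultdict(list)
    for ts, user, src in parse(log_text):
        per_src[src].append((ts, user))

    findings = {}
    for src, evs in per_src.items():
        max_single = max_distinct = 0
        for i, (start, _) in enumerate(evs):
            users = [u for ts, u in evs[i:] if ts - start <= window]
            max_single = max(max_single, max(Counter(users).values()))
            max_distinct = max(max_distinct, len(set(users)))
        flags = []
        if max_single >= account_limit:
            flags.append("brute_force")
        if max_distinct >= spray_accounts:
            flags.append("spray")
        if flags:
            findings[src] = {"flags": flags, "max_single_account": max_single,
                             "max_distinct_accounts": max_distinct}
    return findings


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info)
```

A per-account lockout alone would miss the spraying source here, since no account gets more than one failure from it; counting distinct accounts per source is what surfaces it.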

Brute Force and Dictionary Attacks

• Exploit weak user password selection or weak cryptographic mechanisms
• Brute force attack
  • Generate every possible combination to match a hash
  • Large output space and sufficiently long input password increase time required
• Dictionary attack and rainbow tables
  • Use a dictionary to test common words or phrases first
  • Rainbow tables assist dictionary attacks against Windows password databases by precomputing hash chains
  • Using salt means hash chains cannot be pre-computed
• Hybrid attack
  • Dictionary and brute force
  • Fuzzing of dictionary terms (james1, james2, tom1, tom2,…)
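An added example (not from the course material) serving two points on these slides: the "passwords versus password hashes" storage question from the Local, Network, and Remote Authentication slide, and the "using salt means hash chains cannot be pre-computed" point above. A bare hash is a fixed function of the password, so one precomputed table applies to every account; a random per-password salt makes each stored record unique, so nothing can be computed before the salt is known. The storage string format and the sample password are constructed for the example; it is not the /etc/shadow syntax. PBKDF2 is used only because it is in the Python standard library.

```python
import hashlib
import hmac
import os


def unsalted_digest(password: str) -> str:
    """Bare hash: the same password always gives the same digest, so one precomputed
    table of digests serves every account that stores passwords this way."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000, salt: bytes = None) -> str:
    """Salted, iterated hash. The record format is constructed for this example
    ('pbkdf2-sha256$iterations$salt_hex$hash_hex'), not the real /etc/shadow syntax."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every password set
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time comparison."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def shared_password_demo(password: str = "Winter2024!", iterations: int = 600_000):
    """Two accounts that chose the same password: identical unsalted digests (one table
    finds both), but distinct salted records that each still verify."""
    plain_same = unsalted_digest(password) == unsalted_digest(password)
    rec_a, rec_b = hash_password(password, iterations), hash_password(password, iterations)
    both_verify = verify_password(password, rec_a) and verify_password(password, rec_b)
    return plain_same, rec_a != rec_b, both_verify


if __name__ == "__main__":
    print(shared_password_demo())  # (True, True, True)
    print(hash_password("Winter2024!"))
```

The iteration count is the slide's "increase time required" lever for offline attacks: it raises the cost of every guess the attacker makes as well as every legitimate verification, so it is tuned to what the login path can afford.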

Password Crackers

• Cain and L0phtcrack
• Hashcat
  • Hash type
  • Attack mode
    • Dictionary/word lists
    • Brute force
    • Masked

Authentication Management

• Hardware and software solutions for storing and submitting multiple user passwords
• Password key
  • USB token
  • Possibly Bluetooth/NFC connectivity
• Password vaults
  • Software-based
  • Federal Information Processing Standard (FIPS 140-2)

Topic 7C
Implement Authentication Technologies

Syllabus Objectives Covered

• 2.4 Summarize authentication and authorization design concepts
• 3.3 Given a scenario, implement secure network designs (HSM only)
• 3.8 Given a scenario, implement authentication and authorization solutions

Smart Card Authentication

• Kerberos-based smart card logon
• Card readers
• Card stores user’s private key and certificate
• Use of card is protected by a PIN

Key Management Devices

• Provision keys with risk of insider threat reduced
• Smart cards and USB keys
• Trusted Platform Module (TPM)
  • Virtual smart cards
• Hardware Security Module (HSM)
  • Provision keys to devices across the network
  • Key archive and escrow
  • Reduced attack surface and tamper-evident
  • Cryptographically secure pseudorandom number generator (CSPRNG)
  • Plug-in card and network rack form factors

Extensible Authentication Protocol/IEEE 802.1X

• Authenticate user at network access devices
  • Wireless networks
  • Port authentication for switched networks
  • Remote access over a virtual private network
• Extensible Authentication Protocol (EAP)
  • Supports multiple authentication implementations
  • Certificates and smart cards
• IEEE 802.1X Port-based Network Access Control
  • Supplicant
  • Network access server (NAS)
  • AAA server

Remote Authentication Dial-in User Service

Terminal Access Controller Access-Control System

• TACACS+
  • Centralizing administrative logins for network appliances
  • Reliable TCP transport (over port 49)
  • Data encryption
  • Discrete authentication, authorization, and accounting functions

Token Keys and Static Codes

• One-time password (OTP)
  • Generated by some algorithm and used only once
  • RSA SecurID
• Static code
  • “Dumb” smart cards
• Fast Identity Online (FIDO) Universal Second Factor (U2F)

Open Authentication (OATH)

• HMAC-based One-time Password Algorithm (HOTP)
• Time-based One-time Password Algorithm (TOTP)

2-Step Verification

• Transmit a code via an out-of-band channel
  • Short message service (SMS)
  • Phone call
  • Push notification
  • Email account
• Possibility of interception

Topic 7D
Summarize Biometrics Authentication Concepts

Syllabus Objectives Covered

• 2.4 Summarize authentication and authorization design concepts

Biometric Authentication

• Enrollment
  • Sensor and feature extraction
• Efficacy rates and considerations
  • False Rejection Rate (FRR) or Type I error
  • False Acceptance Rate (FAR) or Type II error
  • Crossover Error Rate (CER)
  • Throughput (speed)
  • Failure to Enrol Rate (FER)
  • Cost/implementation
  • Privacy concerns
  • Accessibility concerns
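The three error rates on this slide, computed as an added example (not from the course material) over constructed match scores. A biometric system compares a sample to the enrolled template and produces a score; the operator picks the threshold above which a match is accepted. FRR and FAR both depend on that threshold and move in opposite directions, and the CER is where they meet. The score lists and the 0..100 scale are constructed for the example.

```python
# Constructed match scores on a 0..100 scale (higher = closer to the enrolled template).
# GENUINE: the enrolled person presenting again; IMPOSTOR: other people tried against that template.
GENUINE = [82, 88, 91, 75, 95, 68, 85, 90, 79, 87]
IMPOSTOR = [30, 45, 52, 61, 38, 70, 25, 48, 55, 66]


def frr(genuine, threshold):
    """Type I error: fraction of genuine attempts scoring below the threshold (wrongly rejected)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """Type II error: fraction of impostor attempts scoring at or above the threshold (wrongly accepted)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine, impostor, thresholds=range(0, 101)):
    """Crossover Error Rate: the threshold where FRR and FAR are closest, and the two rates there."""
    best = min(thresholds, key=lambda t: abs(frr(genuine, t) - far(impostor, t)))
    return best, frr(genuine, best), far(impostor, best)


def threshold_for_max_far(impostor, max_far, thresholds=range(0, 101)):
    """Lowest threshold that keeps FAR at or below a target: the security-first way to tune."""
    return min(t for t in thresholds if far(impostor, t) <= max_far)


def error_table(genuine, impostor, thresholds=range(60, 96, 5)):
    """(threshold, FRR, FAR) rows showing the two rates trading off as the threshold rises."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


if __name__ == "__main__":
    for t, r, a in error_table(GENUINE, IMPOSTOR):
        print(f"threshold {t:3d}: FRR {r:.1f}  FAR {a:.1f}")
    print("CER at threshold", crossover(GENUINE, IMPOSTOR))
    strict = threshold_for_max_far(IMPOSTOR, 0.0)
    print("FAR 0 needs threshold", strict, "costing FRR", frr(GENUINE, strict))
```

On these scores the CER sits at a threshold of 69 with both rates at 0.1; pushing FAR to zero raises the threshold to 71 and still costs one genuine user in ten, which is the throughput and accessibility trade-off the slide lists alongside the error rates.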

Fingerprint Recognition

• Fingerprint sensors
  • Small capacitive cells
  • Easy to implement
  • Relatively simple enrollment
  • Quite vulnerable to spoofing
• Vein matching (vascular biometrics)
  • More complex scanner

Facial Recognition

• Facial recognition
  • Enrollment can be relatively slow
  • Privacy issues
  • Prone to relatively high false acceptance/rejection rates/spoofing
• Retinal scan
  • Pattern of blood vessels
  • Scanning relatively intrusive and complex
• Iris scan
  • Pattern of eye surface
  • Easier to scan
  • More vulnerable to spoofing

Behavioral Technologies

• Something you do
  • Voice recognition
  • Gait analysis
  • Signature recognition
  • Typing
• Other uses than authentication
  • Identification/alerting
  • Continuous authentication/account locking

Lesson 7
Summary
