By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Key topics:
- User identification processes
- User validation and authentication
- Authorization

Identifying persons and devices, and determining which actions a person or device is permitted to take, are at the heart of access control models. While this paradigm has stayed consistent since the beginning of network computing, the methods for carrying out this key set of activities have developed tremendously and continue to do so. Simple usernames and passwords historically served as access control, but in today's world more complex and secure approaches are developing fast. Such primitive approaches are no longer secure, and today's access credential systems also value convenience above everything else.
Single sign-on and federated access control are two techniques for making a system as user-friendly as possible. This guide discusses the newest authentication and authorization approaches and processes.

Structure:
- Authentication
- Attestation
- Identity proofing
- Identity propagation
- Federation
- Trust models

Objective

This guide covers certificate-based authentication, single sign-on, 802.1X, context-aware authentication, and push-based authentication. The objective of attestation, as well as OAuth, XACML, and SPML, are covered. SAML, OpenID, Shibboleth, and WAYF are all explored, as are identity proofing techniques and the challenges and benefits of identity propagation. RADIUS, LDAP, and AD configurations are also covered.

Authentication

To get access to a resource, a user must verify their identity, provide the necessary credentials, and hold the permissions needed to perform the tasks they are attempting. Consequently, there are two distinct steps:
- Identification: In the first phase, a user identifies themselves to an access control system.
- Authentication: In the second phase, the user provides the appropriate credentials to prove the claimed identity.
When seeking to differentiate between these two components, security professionals should remember that identification identifies the person, whereas authentication verifies the authenticity of the user’s identity. Authentication is often accomplished by entering a user password at the time of login. The login method should validate the login when all of the input data has been submitted.
The most prevalent types of user identification are user IDs or user accounts, account numbers, and personal identification numbers (PINs), as illustrated below:

Figure: Authentication

Authentication factors

Once the user identification mechanism has been established, an organization must decide which authentication approach to employ. Authentication factors fall into five categories:
- Knowledge factor: something the person knows is used as part of the authentication process.
- Ownership factor: something the person possesses is used as part of the authentication process.
- Characteristic factor: a characteristic that distinguishes the person is used.
- Location factor: the person's location is used as part of the authentication process.
- Action factor: something the person does is used as part of the authentication process.

In single-factor authentication, the user provides one element from one of these categories; entering a username and password at login is an example. In two-factor authentication, the user must provide two of the factors, for example logging in with a username, password, and smart card. In three-factor authentication, the user must provide three separate factors, for example a username, password, smart card, and fingerprint. For authentication to be considered strong, a user must provide components from at least two different categories. (Note that the username is only identification, not an authentication factor.) Using several authentication factors from the same category still counts as single-factor authentication: when a user provides a login, password, and mother's maiden name, the user is still only providing things a person knows.

Knowledge-based factors

The knowledge factor is based on something a person knows; this is a Type I authentication factor. In addition to passwords, knowledge factors such as date of birth, mother's maiden name, key combination, or PIN may be used.

Ownership factors

As previously stated, ownership factor authentication is based on a person's possession of something; this is a Type II authentication factor. Some examples of ownership factors are as follows:
- Token devices: A token device is a small device that generates a one-time password that is sent to the authentication server. If the authentication method requires a token device, the user must have the device on hand to authenticate. Although a password is sent to the authentication server, the token device is classified as a Type II factor because its use requires possession of the device. Because of the cost of deploying token devices, they are often reserved for the most secure settings. Furthermore, the limited battery life of token devices can cause problems with token-based systems.
- Memory cards: A valid user is given a memory card that functions as a swipe card. The user's authentication information is stored on the card. When the card is swiped through a card reader, the information read from the card is compared with the information the user enters. If the information is valid, the authentication server accepts the login; if the two do not match, authentication is denied. Because the card must be read by a card reader, each computer or access device must have its own reader. In addition, the cards must be created and programmed.

Both of these techniques add complexity and cost to the authentication process. The increased security they provide, however, is usually worth the added complexity and cost, which is the clear benefit of this approach. The data on memory cards, on the other hand, is not protected, a weakness companies should be aware of before adopting them. Memory cards are fairly easy to forge.

- Smart cards: A smart card is similar to a memory card in that it accepts, stores, and transmits data, but it has a larger storage capacity. Smart cards, also known as integrated circuit cards (ICCs), contain embedded circuits like those used in bank or credit cards, as well as memory like that of memory cards. Smart cards are read using card readers. Unlike a memory card, a smart card lets the authentication server use the data on the card without requiring user input. To protect against lost or stolen smart cards, most implementations require the user to enter a secret PIN, meaning that the user is providing both Type I (PIN) and Type II (smart card) authentication factors.

Characteristic factors

As previously stated, characteristic factor authentication is based on who a person is; this is a Type III authentication factor. Biometric technology verifies a user's identity by using physiological or behavioral traits. Physiological traits include any unique physical property of the user, such as the iris, retina, and fingerprints. Behavioral traits, which measure how a person acts, include voice patterns and data input characteristics.

Other authentication concepts

The following are some additional authentication concepts that all security experts should be aware of:
- Time-Based One-Time Password (TOTP): A password-generating technique that derives a password from a shared secret and the current time. It is similar to HOTP, except that it uses the current time instead of an incrementing counter.
- HMAC-Based One-Time Password (HOTP): A method that derives a password from a shared secret and a counter; each password is used only once. The client and the server keep synchronized counters that increment with each use.
- Single sign-on (SSO): With this capability, a user authenticates just once in order to access all network resources.

Management of accounts and identity

Identity and account management are required for every authentication system. As a security professional, you must ensure that your organization has a system in place to handle the creation and distribution of access credentials or identities. If invalid accounts are allowed to be created and are not terminated, security breaches will occur. Most firms set up a system to verify the identification and authentication method to ensure that user accounts are current.
The following questions may be useful in the process:
- Is there a current, up-to-date, and approved list of permitted users and their permissions?
- Are passwords changed at least once every 90 days, or more often as needed?
- Do inactive user accounts expire after a specific period of time?

As part of any identity management approach, users must be created, modified, and deleted in the access control system. When an account is established, a new user should be required to produce adequate photo identification and sign a disclaimer about password security. User accounts must be unique, and there should be policies in place to standardize the structure of user accounts. For example, all user accounts might be named firstname.lastname or follow another fixed structure. This ensures that users inside an organization can determine the identity of a new user, which is helpful for communication. Once created, user accounts should be maintained to ensure that they remain valid. Inactive accounts should be automatically deleted after a predetermined period of inactivity, depending on business needs. A termination policy should also include procedures for deactivating or deleting all of the terminated user's accounts.

The components of good account management are as follows:
- Establish a methodical process for creating, issuing, and deleting user accounts.
- Conduct frequent audits of user accounts.
- Create a system for keeping track of access authorizations.
- Regularly rescreen personnel in critical jobs.
- Verify on a frequent basis that user accounts are still valid.

Reviewing user accounts is a crucial component of account management. User accounts should be checked to see whether they adhere to the principle of least privilege (explained later in this guide). User account reviews may be done on an enterprise-wide, system-wide, or application-by-application basis. The size of the company will have a significant influence on the technique employed. As part of their user account reviews, organizations should verify that all user accounts are still active.

Password management

Password authentication is the most widely used authentication technique today, as explained earlier in this guide. Password types, however, may vary from one system to the next. You must be acquainted with the many types of passwords that may be used.
The following are password types you should be familiar with:
- Standard word passwords: As the name implies, this kind of password is made up of a single word, with a mix of uppercase and lowercase letters. Its advantage is that it is easy to remember. Its drawback is that it is easy for attackers to crack, which may lead to a compromised account.
- Combination passwords: These are passwords made up of a few dictionary terms, usually two unrelated words. Like standard word passwords, they may include uppercase and lowercase letters as well as numerals. Their advantage is that they are more difficult to crack than a standard word password; one disadvantage is that they may be harder to remember.
- Static passwords: These are passwords that stay the same every time you log in. Because the password is never changed, it provides only rudimentary security. They are most prevalent on peer-to-peer (P2P) networks.
- Complex passwords: A complex password must contain a mix of upper- and lowercase letters, numerals, and special characters. Many businesses now require this kind of password as part of their password rules. Its advantage is that it is very hard to crack; its disadvantage is that it is harder to remember and, in many cases, harder to type accurately.
- Passphrases: This kind of password is a long phrase. Because it is longer, it is easier to remember while also being much harder to crack, both important advantages. When it contains upper- and lowercase letters, numerals, and special characters, this kind of password may significantly improve authentication security.
- Cognitive passwords: A cognitive password is a piece of information that may be used to verify an individual's identity. The user supplies it by answering a series of questions about themselves, such as favorite color, pet's name, mother's maiden name, and so on. Its benefit is that users can easily recall this information. Its disadvantage is that someone closely familiar with the person's life (spouse, child, sibling, etc.) may also be able to supply it.
- One-time passwords (OTPs): A one-time password, also known as a dynamic password, is used just once to log into an access control system. This kind provides the highest level of protection because it is discarded after one use.
- Graphical passwords: Also known as Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) passwords, these use pictures to help with authentication. In one popular approach, a user must enter the string of characters displayed in an image, which ensures that a human rather than a machine enters the password. Another common approach has the user select the image associated with their account from a library of pictures.
- Numeric passwords: These are passwords made up entirely of numbers. Keep in mind that the number of digits that may be used in a password is limited: if all passwords are four digits, there are only 10,000 possible passwords, 0000 to 9999. Because an attacker who realizes that only numbers are used knows the whole set of alternatives, cracking such passwords is much easier.

Passwords, one-time passwords, token devices, and login phrases are all considered to be less secure than simple passwords. A corporation must establish password management policies after deciding on the kind of password to use.

Password management considerations include, but are not limited to, the following:
- Password life: How long will a password be valid? In most businesses, passwords are valid for 60 to 90 days.
- Password history: How long must a password be retired before it may be reused? Most password rules keep track of a certain number of previously used passwords.
- Authentication period: The length of time a user may remain logged in without doing anything; if the user is idle for the specified period, they are logged out automatically.
- Password complexity: The combination of upper- and lowercase letters, numerals, and special characters that most firms require.
- Password length: Most companies require passwords to be between eight and twelve characters long.

As part of password management, a system for updating passwords should be developed. Most companies provide a feature that prompts users to change their passwords automatically before they expire. For cases where users forget their passwords or the credentials are compromised, firms should implement a password reset procedure. A self-service password reset lets users reset their passwords without help desk assistance; with an assisted password reset, users must call the support line for help. Other organizational rules, such as account lockout policies, might affect password reset processes. Businesses employ account lockout policies as a security strategy against password attacks; typically, a user account is locked after a certain number of unsuccessful login attempts. If an account has been locked out, the system administrator may need to unlock or re-enable it. Security experts should push businesses to require users to reset their passwords if their accounts have been locked. Most companies enforce all password restrictions, including account lockout rules, at the enterprise level on the servers that govern the network. Security specialists must therefore be aware of the security concerns affecting user accounts and password management on whichever server platforms the company runs.
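An added Python example, not from the original guide, showing how the password life, history, complexity, and account lockout rules above can be enforced together in one account record. The specific numbers (90-day life, five remembered passwords, five failed attempts, eight-character minimum) and the salted PBKDF2 hashing are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Tuple

DAY = 24 * 3600
PASSWORD_LIFE = 90 * DAY     # password life: the upper end of the 60-90 day range above
HISTORY_DEPTH = 5            # number of previous passwords remembered (assumed)
LOCKOUT_THRESHOLD = 5        # failed logins before the account locks (assumed)
MIN_LENGTH = 8               # low end of the 8-12 character range above

StoredHash = Tuple[bytes, bytes]   # (salt, digest)


def meets_complexity(password: str) -> bool:
    """Complexity rule from the guide: upper- and lowercase letters, a numeral,
    and a special character, plus the minimum length."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def hash_password(password: str, salt: bytes = None) -> StoredHash:
    """Salted PBKDF2-HMAC-SHA256 so the stored form is never the clear text."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches(password: str, stored: StoredHash) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    history: List[StoredHash] = field(default_factory=list)  # newest first
    changed_at: int = 0          # Unix time of the last password change
    failed_attempts: int = 0
    locked: bool = False


def change_password(acct: Account, new_password: str, now: int) -> str:
    """Returns 'ok', 'weak' (complexity failed) or 'reused' (found in history)."""
    if not meets_complexity(new_password):
        return "weak"
    if any(matches(new_password, old) for old in acct.history):
        return "reused"
    acct.history.insert(0, hash_password(new_password))
    del acct.history[HISTORY_DEPTH:]          # enforce the history depth
    acct.changed_at = now
    acct.failed_attempts = 0
    acct.locked = False                       # a reset also clears a lockout
    return "ok"


def login(acct: Account, password: str, now: int) -> str:
    """Returns 'ok', 'expired', 'locked' or 'denied'."""
    if acct.locked:
        return "locked"
    if not acct.history or not matches(password, acct.history[0]):
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True               # administrator or reset needed from here on
            return "locked"
        return "denied"
    acct.failed_attempts = 0
    if now - acct.changed_at > PASSWORD_LIFE:
        return "expired"                     # correct password, but past its life
    return "ok"
```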
The two most popular server operating systems are Linux and Windows.
- UNIX/Linux passwords are stored in the /etc/passwd or /etc/shadow file. Because /etc/passwd is unencrypted and easily readable, all Linux servers should use /etc/shadow, which stores the passwords as hashes. The root user is a default Linux account with full administrative access to the system. If the root account is compromised, all passwords should be changed. The root account should be accessible only to system administrators, and root logins should be done only from a system console.
- For Windows Server 2003 and earlier, as well as all client versions of Windows in workgroups, the Security Accounts Manager (SAM) stores user passwords in hashed form, as LAN Manager (LM) or NT LAN Manager (NTLM) hashes. However, the SAM has known security weaknesses, especially with LM hashes, such as the ability to extract password hashes directly from the registry. You should follow all Microsoft-recommended security practices to protect this file. If you administer a Windows network, rename or disable the default administrator account; if you keep it, make sure it has a password, because the default administrator account on a Windows server may have full access. Most versions of Windows can be configured not to create and store LM hashes when a user changes her password. This setting was disabled by default in earlier versions of Windows, but it is the default in Windows Vista and later.

Physiological characteristics

In physiological systems, a biometric scanning device examines particular information about a physiological trait. It is important to understand the following physiological biometric systems:
- Fingerprint scan: This form of scan examines a finger's ridges to determine whether they match. Minutiae matching is a finer-grained kind of fingerprint scan that records bifurcations and other small characteristics. Minutiae matching takes longer and uses more storage on the authentication server than ridge-based fingerprint scans. Fingerprint scanning systems are widely used.
- Finger scan: This kind of scan extracts only certain fingerprint features. Because just a small fraction of the fingerprint information is needed, finger scans require less server space and processing time than other kinds of fingerprint scans.
- Hand geometry scan: This kind of scan measures the size, shape, and other layout aspects of a user's hand, including bone length and finger length. Mechanical and image-edge detection systems are the two forms of hand geometry system. Regardless of which is used, hand geometry scanners need less server space and processing time than fingerprint or finger scans.
- Hand topography scan: This scan records the hand's peaks and valleys as well as its shape. Hand topography scans are typically used in conjunction with hand geometry scans, since they are not unique enough on their own.
- Palm or hand scan: This combines fingerprint and hand geometry technologies, recording the fingerprints of each finger as well as the hand's geometry.
- Facial scan: This kind of scan records data about the face, including bone structure, eye width, and forehead size. Eigenfeatures and eigenfaces are used in this biometric method.
- Retina scan: This kind of scan examines the pattern of blood vessels in the retina. Iris scanning is less intrusive than retina scanning.
- Iris scan: An iris scan examines the colored portion of the eye, including its rifts, coronas, and furrows. Iris scans have a higher level of precision than other biometric scans.
- Vascular scan: This scan examines the vein pattern in the user's hand or face. It is a good option because it is non-invasive, but depending on the system used, physical injury to the hand or face may result in false rejections.

Behavioral characteristics

In behavioral systems, a biometric scanning device assesses a person's behavior. It is important to understand the following behavioral biometric systems:
- Signature dynamics: This technology tracks the speed, pressure, acceleration, and deceleration of the user's signature strokes. Dynamic signature verification (DSV) looks at the features of the signature as well as specific aspects of the signing process.
- Keystroke dynamics: This technology analyzes a user's typing pattern as they type a password or another predetermined text. If the correct password or phrase is entered but the typing pattern does not match the recorded value, the user is denied access. In keystroke dynamics, flight time is the time it takes to move between keys, and dwell time is how long a key is held down.
- Voice pattern or print: This technology analyzes the user's voice pattern as they pronounce particular words. When attempting to log in, the user is asked to repeat the words in reverse order. If the pattern matches, authentication is allowed.

Biometrics considerations

Security experts should be familiar with the following biometric terminology:
- Enrollment time: The time it takes to acquire a sample for the biometric system. This process has a number of stages that must be repeated several times.
- Feature extraction: The method for obtaining biometric data from a sample of a user's physiological or behavioral traits.
- Accuracy: The most important aspect of biometric technologies; it concerns the precision of the overall readings.
- Throughput rate: How quickly a biometric system can scan and evaluate characteristics in order to allow or deny access. A rate of 6 to 10 subjects per minute is recommended; a single user should be able to complete the procedure in 5 to 10 seconds.
- Acceptability: People's willingness to accept and use the system.
- False rejection rate (FRR): The proportion of legitimate users the system mistakenly rejects. This is called a Type I error.
- False acceptance rate (FAR): The proportion of invalid users the system wrongly accepts. This is called a Type II error. Type II errors are more dangerous than Type I errors.
- Crossover error rate (CER): The point at which FRR and FAR are equal. It is the most important metric and is expressed as a percentage.

Security professionals sometimes use a Zephyr chart, which displays the relative strengths and weaknesses of biometric systems, to evaluate them. You should consider the effectiveness of each biometric technique as well as user acceptance. When considering FAR, FRR, and CER, keep in mind that lower figures are better, and that FAR errors are more dangerous than FRR errors. Security specialists may use the CER for comparative analysis when helping their company decide which system to use. For example, voice print systems have a higher CER than iris scans, hand geometry, or fingerprints.

Multi-factor authentication

Combining knowledge, characteristic, and behavioral elements may increase the security of an authentication system. When this is done, the term used is dual-factor or multi-factor authentication. Dual-factor authentication combines two authentication factors (for example, a knowledge factor and a behavioral factor), while multi-factor authentication combines all three. The following are examples:
- Dual-factor authentication, as illustrated below, is a password (knowledge factor) and a one-time password (characteristic factor):

Figure: Two Factor Authentication
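An added Python example (not from the original guide) that computes FRR, FAR, and the crossover error rate from biometric match scores by sweeping the decision threshold, then ranks two systems by CER as the comparison above suggests. The score samples are constructed for the demonstration; the names iris_demo and voice_demo are labels only, chosen to mirror the voice-versus-iris comparison in the text.

```python
from typing import Dict, List, Tuple

# Constructed match scores for the demonstration (higher = closer match).
# Genuine scores come from enrolled users; impostor scores from other people.
SYSTEMS: Dict[str, Tuple[List[float], List[float]]] = {
    "iris_demo": (
        [0.95, 0.91, 0.88, 0.84, 0.80, 0.76, 0.71, 0.66, 0.60, 0.52],
        [0.10, 0.15, 0.22, 0.30, 0.37, 0.45, 0.55, 0.62, 0.70, 0.78],
    ),
    "voice_demo": (
        [0.90, 0.80, 0.70, 0.60, 0.50, 0.40],
        [0.30, 0.45, 0.55, 0.65, 0.75, 0.85],
    ),
}


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """FRR (Type I): fraction of genuine attempts scoring below the threshold.
    FAR (Type II): fraction of impostor attempts scoring at or above it.
    Raising the threshold lowers FAR but raises FRR, and vice versa."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: List[float],
                         impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, CER) where FRR and FAR are closest; CER is their mean."""
    best_gap, best = None, None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_gap, best = gap, (t, (frr + far) / 2)
    return best


def rank_by_cer(systems: Dict[str, Tuple[List[float], List[float]]]) -> List[str]:
    """Lower CER is better, so the most accurate system comes first."""
    return sorted(systems, key=lambda name: crossover_error_rate(*systems[name])[1])
```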
- Multi-factor authentication, as presented below, is a PIN (knowledge factor), retina scan (characteristic factor), and signature dynamics (behavioral factor):

Figure: Multiple Factor Authentication

Using certificates for authentication

When a system's authentication is based on certificates rather than passwords or PINs, the system's security is likely to be considerably enhanced. A digital certificate provides credentials to verify an entity's identity and binds that identity to a public key; the entity is usually a user. At a minimum, a digital certificate must contain the serial number, issuer, subject (owner), and public key.
When employing certificate-based authentication, you will need to set up a public key infrastructure (PKI). A PKI consists of the systems, software, and communication protocols that distribute, manage, and control public key cryptography.
A PKI issues digital certificates. Because it establishes trust within an environment, a PKI may certify that a public key is associated with an entity and verify that a public key is valid. Public keys are distributed through digital certificates. In certain instances, trusting the certificates of another organization, or vice versa, may be necessary.
Cross-certification establishes trust between certification authorities (CAs), enabling them to rely on other participants' digital certificates and public keys. Users certified under different certification hierarchies may then check each other's certificates. When a cross-certification trust relationship exists, a CA for one company may be able to recognize digital certificates issued by a CA for another company.

Single sign-on

Single sign-on saves time and effort. In a single sign-on (SSO) system, a user only has to enter his login credentials once to gain access to all network resources.
The Open Group Security Forum has defined a number of objectives for single sign-on systems. Some of the aims for the user sign-on interface and user account management are as follows:
- The user interface should be independent of the kind of authentication data handled.
- Creating, deleting, and changing user accounts should all be supported.
- With assistance, a user should be able to build a default user profile.
- The user interface should be independent of the platform and operating system.

The following are some of the advantages of using an SSO system:
- Users may create stronger passwords.
- User management and password administration are simpler.
- Access to resources is much faster.
- The user login procedure is improved.
- Users only need to remember the login credentials for one system.
- Once a user has been granted system access via the initial SSO login, he has access to all resources to which he has been granted access.

The main disadvantage is that if a user's credentials are stolen, the attacker gains access to all of the user's resources.

While much of the discussion around SSO has focused on its use for networks and domains, it can also be used for web-based services. Enterprise access management (EAM) provides access control management for web-based business applications. Support for a variety of authentication systems, as well as role-based access control, are among its features. In this case, the web access control architecture performs authentication and passes attributes to the various applications through an HTTP header.
SSO involves a secondary authentication domain that depends on and trusts a primary domain to do the following:
- Correctly assert the end user's identity and authentication credentials to the secondary domain for authorized use.
- Protect the authentication credentials used to validate the end user's identity to the secondary domain.
Context-aware authentication Context-aware or context-dependent access control is based on subject or object characteristics as well as environmental factors. These variables include things like location and time of the day. Assume that administrators have implemented a security policy that restricts users to log in only at particular hours of the day from a specific workstation. Push authentication When a user accesses a protected resource, a notification is delivered to the user’s device, which is often a smartphone, through a secure network. With push-based authentication, device possession becomes the main mode of authentication. To get access, the smartphone must be in the hands of someone who can reply correctly to a text message. Authorization After a person has been verified, resources must be made available to him or her. Authorization is the name of the process. Authorization necessitates the identification and authentication processes. Furthermore, standards for managing authorization functions have emerged in the form of OAuth, XACML, and SPML, as shown below: Figure: Authorization Access control models An access control model is a formal description of an organization’s security policy, as presented in below. To make access control administration simpler, access control models are used to group things and themes. Subjects are entities that desire access to an object or data contained inside an object. Users, applications, and processes are among the topics covered. Objects are data-carrying or function-performing entities. Computers, databases, files, apps, directories, and fields are examples of objects. Secure items must not flow to objects with a lower category in a safe access control paradigm. 
Access control concepts and principles you should be aware of include discretionary access control, mandatory access control, role-based access control, role-based access control, content dependent access control, access control matrix, and access control list. T
he figure below illustrates the access control models: Figure: Access control models Discretionary access control Discretionary access control (DAC) is used by the item’s owner to decide which subjects have access to the resource. DAC is often used in local and dynamic situations. Who has access is determined by the subject’s identity, profile, or role.
The DAC control is considered a “need-to-know” parameter. DAC may be an administrative burden since the data custodian or owner gives access credentials to users. Under DAC, a person’s rights must be ended when he or she leaves an organization. DAC is a subset of identity-based access control, which is based on the user’s identity or participation in a group. The subject’s identity is checked against the object’s access control list in DAC. The polar opposite of discretionary access control is non-discretionary access control. In non-discretionary access control, access restrictions are established by a security administrator or another authority. The central authority selects which subjects have access to objects based on the organization’s policy. Mandatory access control In required access control, subject approval is based on security labels (MAC). MAC is frequently referred to be limiting since it is based on a security label system. Under MAC, everything that isn’t expressly approved is banned. The category of a resource may only be changed by administrators. DAC is more flexible and extensible than MAC, despite MAC’s superior security. Because of the importance of security in MAC, labeling is required. Data classification reflects the sensitivity of the data. In a MAC system, a clearance is a privilege. Each subject and item is given a security or sensitivity designation. Security labels are presented in a logical order.
Commercial organizations may use security classifications such as private, proprietary, corporate, sensitive, or public. Government or military organizations may use top secret, secret, confidential, or unclassified. MAC makes an access decision by comparing the clearance level of the subject with the security label of the object.

Role-based access control

Under role-based access control (RBAC), each subject is assigned to one or more roles. The roles are arranged in a hierarchy, and the roles define access control. RBAC makes it straightforward to assign minimal privileges to subjects; for example, it can be used to implement different access control policies for bank tellers and loan officers. RBAC is less secure than the previously described access control systems because it is based on roles. RBAC is widely used in commercial applications since it is less expensive to build than the other varieties, and it is a good fit for firms with a high turnover rate. RBAC can effectively replace DAC and MAC since it allows you to specify and apply corporate security policies in a way that matches the organization's structure.
There are four main RBAC architectures. In non-RBAC, no roles are used. Under limited RBAC, users are assigned to roles within a single application; however, some applications do not support RBAC and require identity-based access. In hybrid RBAC, each user is assigned to a single role that grants access to several systems, but they may also be assigned additional roles that grant access to single systems. In full RBAC, users are assigned to a single role based on the organization's security policy, and organizational roles control access to systems.

Rule-based access control

With rule-based access control, data permissions may be changed more often. This approach builds a security policy by imposing global rules on all users. Profiles are used to manage access. Many routers and firewalls employ this kind of access control to decide which packet types are allowed on a network. Rules may be defined to permit or restrict access based on the packet type, the port number used, the MAC address, and other factors.

Content-dependent access control

Content-dependent access control makes access decisions based on an object's data. Depending on the policy and access restrictions in place, the data a user sees may vary. Some security experts consider a constrained user interface to be another kind of access control. A constrained user interface, such as a restricted shell, is a software interface to an operating system that implements access control by limiting the system commands that are available. Another example is a database view that is filtered depending on user or system criteria. Constrained user interfaces may be content- or context-dependent, depending on how the administrator constrains the interface.

Access control matrix

An access control matrix is a table that contains a list of subjects, a list of objects, and a list of the actions that a subject may perform on each object.
The rows of the matrix represent the subjects, and the columns represent the objects. An access control matrix is commonly implemented as a capability table or as an access control list (ACL).

Capability table

A capability table lists a subject's access rights to objects. A capability table is focused on the subject, and a capability corresponds to a subject's row in the access control matrix.

ACLs

An ACL corresponds to a column in the access control matrix: the column for one object. An access control list (ACL) is a list of all the subjects' access rights to a particular object.
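As an added illustration (not part of the original guide), the following Python example builds a small constructed access control matrix and derives the two implementations just described from it: the capability table as a subject's row and the ACL as an object's column. The authorization check denies anything the matrix does not list explicitly, and `revoke_subject` shows how an entire row is cleared when a subject's rights end. The subjects, objects and actions are constructed sample values.

```python
"""Access control matrix with its two common implementations (constructed example)."""
from typing import Dict, FrozenSet

# Constructed access control matrix: rows are subjects, columns are objects,
# and each cell holds the actions the subject may perform on that object.
# Subjects and objects with no entry simply have no rights (default: no access).
MATRIX: Dict[str, Dict[str, FrozenSet[str]]] = {
    "alice": {
        "payroll.db": frozenset({"read", "write"}),
        "report.txt": frozenset({"read"}),
    },
    "bob": {
        "report.txt": frozenset({"read", "write"}),
    },
    "carol": {},  # a subject that exists but has been granted nothing
}


def capability_table(subject: str) -> Dict[str, FrozenSet[str]]:
    """Row view: everything one subject may do, across all objects."""
    return dict(MATRIX.get(subject, {}))


def acl(obj: str) -> Dict[str, FrozenSet[str]]:
    """Column view: every subject's rights on one object."""
    return {subj: rights[obj] for subj, rights in MATRIX.items() if obj in rights}


def is_permitted(subject: str, obj: str, action: str) -> bool:
    """Authorization decision. Anything not explicitly listed is denied,
    so unknown subjects, unknown objects and unlisted actions all fail."""
    return action in MATRIX.get(subject, {}).get(obj, frozenset())


def revoke_subject(subject: str) -> int:
    """Remove every right a subject holds (e.g. when someone leaves);
    returns the number of object entries removed."""
    removed = len(MATRIX.get(subject, {}))
    MATRIX[subject] = {}
    return removed


if __name__ == "__main__":
    print("alice capabilities:", capability_table("alice"))
    print("report.txt ACL:", acl("report.txt"))
    print("bob may write payroll.db?", is_permitted("bob", "payroll.db", "write"))
```

Both views are computed from the same matrix, which is the point: a capability table and an ACL are two storage layouts of one set of facts, and the decision function does not care which layout backs it.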
An ACL's focus is the object, as presented below:

Figure: Access Control Lists

Access control policies

An access control policy specifies how users are identified and validated and what level of access they have. Organizations should develop access control rules so that access control decisions for users are based on specified criteria. Without an access control policy, access management is difficult to assign, monitor, and administer. The default option is no access: during the authorization process, the default level of security for an organization's access control systems should be no access. This means that if a person or group has not been granted specific rights, they cannot access the resource. Starting with no access and gradually adding rights is the best security practice.

OAuth

OAuth is an authorization standard that allows users to share private resources held on one site with another site without handing over their passwords. It is often called the "valet key" of the Internet. Like a valet key, which lets the valet park your car but not open the trunk, OAuth uses tokens to offer restricted access to a user's data when a client application requests it. These tokens are generated by an authorization server. The exact sequence of events varies based on how it is implemented.
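To make the "valet key" concrete, here is an added Python simulation (not code from the guide or from any OAuth library) of an authorization server that issues opaque, scoped tokens and a resource server that enforces them. The client id, user, scopes and timestamps are constructed; the `introspect` call models the server-side check a resource server makes before serving a request.

```python
"""OAuth-style scoped bearer tokens (constructed example).

An authorization server issues opaque tokens that carry only the scopes the
user consented to; a resource server checks each token before serving data.
The client never sees the user's password and cannot exceed its scopes."""
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple


class AuthorizationServer:
    """Issues and introspects tokens. Token state lives only here."""

    def __init__(self) -> None:
        self._tokens: Dict[str, dict] = {}

    def issue_token(self, client_id: str, user: str, scopes: Iterable[str],
                    ttl: int = 3600, now: Optional[float] = None) -> str:
        # Opaque random string: reveals nothing about the user or their credentials.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "client_id": client_id,
            "sub": user,
            "scope": frozenset(scopes),
            "exp": now + ttl,
        }
        return token

    def introspect(self, token: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or now >= rec["exp"]:
            return {"active": False}
        return {"active": True, **rec}

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)


class ResourceServer:
    """Protects an API; trusts the authorization server's answer about a token."""

    def __init__(self, auth: AuthorizationServer) -> None:
        self._auth = auth

    def handle(self, token: str, required_scope: str,
               now: Optional[float] = None) -> Tuple[int, str]:
        info = self._auth.introspect(token, now)
        if not info["active"]:
            return 401, "invalid_token"          # unknown, expired or revoked
        if required_scope not in info["scope"]:
            return 403, "insufficient_scope"     # valet key: no trunk access
        return 200, f"{required_scope} for {info['sub']} via {info['client_id']}"


if __name__ == "__main__":
    authz = AuthorizationServer()
    api = ResourceServer(authz)
    # The user consented to a constructed "geo-app" reading their profile and posting check-ins.
    tok = authz.issue_token("geo-app", "alice", {"profile:read", "checkin:write"})
    print(api.handle(tok, "profile:read"))
    print(api.handle(tok, "friends:read"))
```

The scope check is what makes the token a valet key rather than a master key: the client holds something that works, but only for the operations the user agreed to, and the authorization server can revoke it without touching the user's password.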
OAuth is a good option for authorization when one online application uses the API of another online application on behalf of the user. A good example is a Facebook-connected geolocation application: OAuth allows the geolocation application to obtain a Facebook access token without the user revealing their Facebook login credentials to the geolocation application.

Attestation

Attestation lets authorized parties detect changes to a user's system. It may also be used to verify that a system runs the correct software version or has a particular piece of software present. This function may be used to limit what a user can do in a given situation. Consider a server that stores customers' credit card information. According to the rules in place, approved users on approved devices may access the server only if they are also running approved software.
In this situation, the following three goals must be met:
- Authorized users are identified via authentication and authorization.
- Authorized computers are identified via authentication and authorization.
- Authorized programs are identified via attestation.
Prior to granting access, attestation provides evidence about a target to an appraiser so that the target's policy compliance can be evaluated.
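An added Python example (not from the guide) that puts the three goals together for the credit-card server scenario: a request is admitted only when the user is authorized, the evidence comes from a known device and was produced for the appraiser's fresh nonce, and the reported software measurement is on the approved list. The device key, software image and user list are constructed, and an HMAC under a per-device key stands in for the signature a hardware-backed attestation key would produce.

```python
"""Access gated on user, device and software attestation (constructed example).

Models the credit-card server case: the appraiser admits a request only when the
user is authorized, the device is a known one that can vouch for its evidence,
and the software it reports running is on the approved list. HMAC with a
per-device key stands in for a hardware attestation-key signature."""
import hashlib
import hmac
import json
from typing import Tuple

AUTHORIZED_USERS = {"alice", "bob"}

# Constructed: device id -> key shared with the appraiser (stand-in for the
# device's attestation key, whose public half the appraiser would hold).
DEVICE_KEYS = {"laptop-01": b"constructed-device-key-01"}

# Constructed approved software image; the policy stores only its measurement.
APPROVED_IMAGE = b"pos-client v2.3 (constructed image bytes)"
APPROVED_MEASUREMENTS = {hashlib.sha256(APPROVED_IMAGE).hexdigest()}


def measure(image: bytes) -> str:
    """Measurement = hash of the software image (what a TPM PCR would record)."""
    return hashlib.sha256(image).hexdigest()


def produce_evidence(device_id: str, key: bytes, image: bytes, nonce: str) -> dict:
    """Target side: report the measurement, bound to the appraiser's fresh nonce."""
    claims = {"device": device_id, "nonce": nonce, "measurement": measure(image)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "tag": hmac.new(key, payload, "sha256").hexdigest()}


def appraise(evidence: dict, nonce: str) -> str:
    """Appraiser side: returns 'ok' or the first policy check that failed."""
    claims = evidence["claims"]
    key = DEVICE_KEYS.get(claims.get("device"))
    if key is None:
        return "unknown_device"
    payload = json.dumps(claims, sort_keys=True).encode()
    expected = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(evidence["tag"], expected):
        return "bad_signature"          # evidence altered or not from this device
    if claims["nonce"] != nonce:
        return "stale_evidence"         # replay of an old quote
    if claims["measurement"] not in APPROVED_MEASUREMENTS:
        return "unapproved_software"
    return "ok"


def authorize_access(user: str, evidence: dict, nonce: str) -> Tuple[bool, str]:
    """All three goals must hold: authorized user, known device, attested software."""
    if user not in AUTHORIZED_USERS:
        return False, "user_not_authorized"
    verdict = appraise(evidence, nonce)
    return verdict == "ok", verdict
```

The nonce is the detail practitioners most often miss: without it, a device could replay evidence captured while it was still running approved software, so the appraiser issues a fresh value per request and checks that the evidence was produced for exactly that value.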
Attestation is a function of the Trusted Platform Module (TPM) chip. During manufacturing, an endorsement key (EK) pair is embedded in the TPM chip. This key pair is unique to the chip and is certified by a trusted certification authority. An attestation identity key (AIK) pair is also present; this key is generated and used to allow an application to perform remote attestation of its integrity, which lets a third party confirm that the software has not been modified.

Identity proofing
Following the identification stage, identity proofing is the next step in the authentication process. One kind of identity proofing is the presentation of secret questions to which only the individual undergoing verification knows the answer. While the subject is still required to provide credentials such as a password, this additional step reduces the risk posed by a compromised password.

Identity propagation

Identity propagation is the process of moving or distributing a user's or device's authenticated identity information from one part of a multitier system to another. Identity propagation is needed because each component of the system normally performs its own authentication. Identity propagation may take place in a number of ways. Some systems, such as Microsoft's Active Directory, use a proprietary mechanism and tickets to propagate identities. It is likely that not all system components support SSO (that is, can accept the identity token from the SSO server in its original format). In that case, the proprietary approach must be adapted to communicate in a manner that the third-party software understands. Assume the application service receives a request to visit an external third-party web application that is not SSO-enabled. The application service redirects the user to the SSO server. The SSO server then provides the authenticated identity information to the external application using an XML token rather than an SSO token. Another protocol that performs identity propagation is the Credential Security Support Provider (CredSSP). In the Microsoft Remote Desktop and Terminal Services context, it is often used to provide network-level authentication. Kerberos, TLS, and NTLM are a few of the authentication and encryption protocols that may be used with it.

Federation

A federated identity is one that may be used across domains and organizations. When an organization joins a federation, it agrees to follow a set of common rules and standards. These rules and standards define how user authentication, authorization, and identity are to be provided and handled.
Providing divergent authentication techniques with federated IDs has the lowest up-front development cost compared with other alternatives such as a PKI or attestation, as presented below:

Figure: Federated Identity

Federated identity management uses two major models to link firms inside the federation:
- Cross-certification model: Each organization checks the credibility of every other organization. Trust is established when organizations assess each other's standards. Due diligence requires each entity to investigate and certify that the other organizations meet or exceed its requirements. The disadvantage of cross-certification is that it increases the number of trust relationships that must be managed.
- Trusted third-party (or bridge) model: Each organization follows a set of standards set by a third party. The third party manages all of the firms' verification, certification, and due diligence. This is usually the best option when a company needs federated identity management agreements with a large number of entities.

OpenID

The OpenID Foundation, a non-profit organization, has developed an open standard and decentralized protocol that allows users to be authenticated by cooperating websites. Cooperating sites are referred to as relying parties (RPs). Users may log in to several websites using OpenID without having to re-register their information. A user selects an OpenID identity provider and then uses that account to log in to any website that accepts OpenID authentication.
While OpenID solves the same problem as SAML, it may be preferable for an enterprise for the following reason:
- It is easier to use than SAML, and it is widely used by companies such as Google.
Compared with SAML, however, OpenID has a few disadvantages:
- With OpenID, each user must set up auto-discovery of the identity provider, whereas SAML offers better performance.
- With SAML, either the service provider or the identity provider can initiate SSO, but with OpenID only the service provider can initiate SSO.
In February 2014, OpenID Connect, the third version of OpenID, was released. It is an authentication layer built on top of the OAuth 2.0 framework. It is compatible with both native and mobile applications, and it also specifies how documents should be signed and encrypted.
Trust models

Advanced SSO methods for network authentication have been developed over time using various trust models. The following sections describe how to use the Remote Authentication Dial-In User Service (RADIUS), which lets you centralize authentication for all network access devices. You will also learn about the Lightweight Directory Access Protocol (LDAP), a network authentication protocol, and Active Directory (AD), a common directory service implementation.

RADIUS server configuration

Users must be authenticated before they are permitted to connect to the network, and they may connect in a number of ways: through dial-up remote access servers, VPN access servers, or wireless access points, as illustrated below:

Figure: Radius Server
Previously, each access device had to perform the authentication operation locally. Administrators had to ensure that all remote access rules and settings were consistent, and when a password needed to be changed, it had to be changed everywhere. RADIUS is a networking protocol that provides centralized authentication and authorization for users connecting remotely.
Remote access servers, wireless access points (WAPs), and VPN servers are clients of the RADIUS server, so they can be managed from a single, central location. The RADIUS server provides authentication and authorization whenever they are requested. This gives a single place to manage the network's remote access rules and passwords. Another advantage of these solutions is that the audit and access information (logs) is not kept on the access server.
RADIUS is defined in RFC 2138. It specifies a three-party structure. The supplicant is the device requesting authentication. The authenticator is the device to which the supplicant is attempting to connect (for example, an AP, switch, or remote access server), and the RADIUS server is the authentication server. Note that the device seeking access is not the RADIUS client: the authenticator (the AP, switch, or remote access server) is the RADIUS client, and the authenticating server is the RADIUS server.
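As an added example (not from the guide), the Python below shows what the authenticator, acting as RADIUS client, sends to the RADIUS server: an Access-Request whose User-Password attribute is hidden with the password-hiding scheme from the RADIUS specification (section 5.2 of RFC 2865, which obsoleted RFC 2138: MD5 of the shared secret and the Request Authenticator, XORed block by block), while User-Name and NAS-IP-Address travel in the clear. The shared secret, user name, password and NAS address are constructed values.

```python
"""RADIUS Access-Request assembly with RFC 2865 User-Password hiding (constructed example).

The authenticator (RADIUS client, e.g. an access point) builds the packet the
RADIUS server receives. Only the User-Password attribute is hidden, keyed by
the shared secret and the random Request Authenticator; everything else is
sent in the clear."""
import hashlib
import os
import socket
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), where the first "previous block" is the
    Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: the same keystream recovers the password; trailing NUL padding is dropped."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(identifier: int, secret: bytes, username: bytes, password: bytes,
                   nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(secret, auth, password))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


if __name__ == "__main__":
    pkt = access_request(1, b"constructed-shared-secret", b"alice", b"correct horse", "192.0.2.10")
    print(len(pkt), "bytes;", "username in clear:", b"alice" in pkt)
```

Inspecting the packet shows why the guide recommends wrapping RADIUS in IPsec: the only field the shared secret protects is the password, and that protection is an MD5-derived keystream, so any other attribute the server returns (VLAN assignment, tunnel parameters) rides on the wire unprotected.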
In certain cases, a RADIUS server may itself be a client of another RADIUS server. In this case, the first RADIUS server acts as a proxy on behalf of its own RADIUS clients. RADIUS has known security weaknesses: the shared secret between the network access device and the RADIUS server is used to hide only the password, so other sensitive data such as tunnel-group IDs or VLAN memberships is not protected. Because the shared secret offers inadequate protection, IPsec should be used to encrypt these communication paths.

LDAP

A directory service is a database for managing information about network subjects and objects. A traditional directory structure includes users, groups, systems, servers, client workstations, and so on, as presented below.
Because the directory service contains information about users and other network objects, it may be used by a broad variety of applications. A common directory service standard is the Lightweight Directory Access Protocol (LDAP), which is based on the older X.500 standard. X.500 uses the Directory Access Protocol (DAP). In X.500, the distinguished name (DN) describes the whole path to a record in the database, while a relative distinguished name (RDN) is the name of an entry without the whole path. LDAP is a simpler protocol than X.500. In addition to DN and RDN, LDAP uses the common name (CN), domain component (DC), and organizational unit (OU) attributes. LDAP uses a client/server design and communicates over TCP port 389. If more protection is needed, LDAP over SSL uses a separate TCP port.
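The DN and RDN concepts above, as an added Python example (not from the guide): a small parser that splits a DN such as `CN=Doe\, Jane,OU=Engineering,OU=Staff,DC=example,DC=com` into its RDNs, handles backslash-escaped commas, and extracts the RDN, the parent DN and the DNS domain implied by the DC components. The DN is a constructed sample.

```python
"""Parsing LDAP distinguished names into RDNs (constructed example).

Splits a DN on unescaped commas, then each RDN into attribute type and value,
honouring backslash escapes as used in LDAP string representations of DNs."""
import re
from typing import List, Tuple


def _split_unescaped(text: str, sep: str) -> List[str]:
    """Split on `sep` except where it is preceded by a backslash; escapes are kept."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact for now
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """'CN=Doe\\, Jane,OU=Staff,DC=example,DC=com' -> [('CN', 'Doe, Jane'), ...].
    The first element is the RDN; the rest is the path to the root."""
    rdns = []
    for component in _split_unescaped(dn, ","):
        attr, sep, value = component.strip().partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {component!r}")
        rdns.append((attr.strip().upper(), _unescape(value.strip())))
    return rdns


def rdn(dn: str) -> Tuple[str, str]:
    """The relative distinguished name: the leftmost component only."""
    return parse_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """The DN with the RDN removed, i.e. the containing entry."""
    return ",".join(c.strip() for c in _split_unescaped(dn, ",")[1:])


def domain_from_dn(dn: str) -> str:
    """Join the DC components into a DNS-style domain name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


if __name__ == "__main__":
    sample = "CN=Doe\\, Jane,OU=Engineering,OU=Staff,DC=example,DC=com"
    print(parse_dn(sample))
    print("RDN:", rdn(sample), "| parent:", parent_dn(sample), "| domain:", domain_from_dn(sample))
```

Escapes matter in practice because a DN is also how access rules and group memberships are written: a naive split on commas would turn `Doe\, Jane` into two bogus components and make a membership or ACL comparison silently fail.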
The figure below shows the LDAP process:

Figure: LDAP Process

Active Directory (AD)

AD, Microsoft's implementation of LDAP, divides directories into forests and trees. AD technologies are used to manage and organize everything in a company, including people and equipment. This is where security is implemented, and Group Policy helps make it effective. AD is another example of an SSO scheme; it uses the Kerberos and UNIX authentication and authorization schemes. This system authenticates a user once and then allows them to perform all actions and access all resources to which they have been authorized without having to authenticate again.
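An added Python simulation (not from the guide or from any Kerberos implementation) of the ticket-based SSO flow described above and detailed below: the KDC checks the password once and issues a ticket-granting ticket, the TGT is exchanged for a service ticket sealed under the service's key, and the service accepts the ticket without contacting the KDC. HMAC with a shared key stands in for Kerberos' symmetric encryption, and the users, services, keys and lifetimes are constructed.

```python
"""Kerberos-style ticket flow (constructed example).

The KDC authenticates the user once and hands back a ticket-granting ticket;
that TGT buys service tickets, and each service accepts a ticket it can verify
with its own key, never contacting the KDC. HMAC sealing with a shared key
stands in for Kerberos' symmetric encryption of tickets."""
import hmac
import json
from typing import Dict, Optional


def _seal(key: bytes, claims: dict) -> str:
    """Ticket = JSON claims + MAC under the key of whoever must verify it."""
    payload = json.dumps(claims, sort_keys=True)
    return payload + "." + hmac.new(key, payload.encode(), "sha256").hexdigest()


def _open(key: bytes, ticket: str, now: float) -> Optional[dict]:
    """Returns the claims if the MAC verifies under `key` and the ticket is unexpired."""
    payload, _, tag = ticket.rpartition(".")
    expected = hmac.new(key, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    return None if now >= claims["exp"] else claims


class KDC:
    """Authentication service (issues TGTs) and ticket-granting service (issues service tickets)."""

    def __init__(self, user_passwords: Dict[str, str],
                 service_keys: Dict[str, bytes], tgs_key: bytes) -> None:
        self._users = user_passwords
        self._service_keys = service_keys
        self._tgs_key = tgs_key  # known only to the KDC, so clients cannot mint TGTs

    def authenticate(self, user: str, password: str, now: float) -> Optional[str]:
        """AS exchange: credentials checked once, TGT returned (8-hour lifetime here)."""
        if self._users.get(user) != password:
            return None
        return _seal(self._tgs_key, {"type": "tgt", "sub": user, "exp": now + 8 * 3600})

    def service_ticket(self, tgt: str, service: str, now: float) -> Optional[str]:
        """TGS exchange: a valid TGT is traded for a short-lived ticket sealed with the service's key."""
        claims = _open(self._tgs_key, tgt, now)
        if claims is None or claims["type"] != "tgt" or service not in self._service_keys:
            return None
        return _seal(self._service_keys[service],
                     {"type": "svc", "sub": claims["sub"], "svc": service, "exp": now + 600})


class Service:
    """A resource server; it trusts the KDC because the two share its key."""

    def __init__(self, name: str, key: bytes) -> None:
        self._name, self._key = name, key

    def accept(self, ticket: str, now: float) -> Optional[str]:
        """Returns the authenticated user, or None if the ticket is not ours or is expired."""
        claims = _open(self._key, ticket, now)
        if claims is None or claims["type"] != "svc" or claims["svc"] != self._name:
            return None
        return claims["sub"]


if __name__ == "__main__":
    kdc = KDC({"alice": "constructed-pw"}, {"fileserver": b"key-fileserver"}, b"key-tgs")
    fileserver = Service("fileserver", b"key-fileserver")
    tgt = kdc.authenticate("alice", "constructed-pw", now=0.0)
    ticket = kdc.service_ticket(tgt, "fileserver", now=5.0)
    print("fileserver sees user:", fileserver.accept(ticket, now=10.0))
```

Two properties carry the security argument: the password is presented to the KDC exactly once, and a ticket for one service is useless at another because each service checks it with its own key. A ticket is also bound to an expiry, so a captured ticket stops working on its own.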
The figure below illustrates the Active Directory flow:

Figure: Active Directory Flow
The stages involved in this method are shown in the figure below:

Figure: Kerberos Protocol
The domain controller not only authenticates the user but also performs a variety of other tasks. The key distribution center (KDC) runs the authentication service (AS), which determines whether a user has the right or permission to access a remote service or network resource. When a user is authenticated (when they connect to the network for the first time), they are granted a ticket-granting ticket (TGT). The TGT is then used to request session tickets, which are required to access resources. When the user later attempts to access a service or resource, they are redirected to the AS running on the KDC. When they present their TGT, they are issued a session (service) ticket for that resource. By presenting the service ticket, which is signed by the KDC, the user requests access to the resource server. Because the resource server trusts the KDC, the user is granted access.

Conclusion

This guide discussed authentication, authorization, and attestation, including identity proofing and propagation as well as federation and trust models. These identify persons and devices and determine the actions a person or device is permitted to perform, which is the core of access control models.