17 Cards in this Set
- Front
- Back
What are legacy single sign-on (SSO) systems, and what are their limitations?
|
Legacy single sign-on (SSO) systems do just that: users sign into the SSO application, which stores every user's login ID and password for every supported application. Users launch applications through the SSO client software, which opens the appropriate client program and sends it keystrokes simulating the user typing his or her own login ID and password.
Because they require the installation of client software, legacy SSO systems are only appropriate for use by insiders. They have had limited success in large production environments for several reasons: deployment and integration costs are very high; there are serious security concerns, because the SSO system stores every user's password to every system, so a compromise of that store exposes all of them; and there are availability concerns: if the SSO system fails, entire user populations are unable to log into their systems |
|
List of features of account management systems
|
A central facility for managing user access to multiple systems at once
A workflow system where users can submit requests for new, changed or terminated system access; these requests are automatically routed to the appropriate people for approval, and approved requests trigger creation of accounts and allocation of other resources
Automatic replication of data, and in particular of user records, between multiple systems and directories
A facility for loading batch changes to user directories
Automatic creation, change or removal of access to system resources based on policies, triggered by changes to information elsewhere (for example, in an HR system or corporate directory) |
|
True or false:
Once a web access management system is in place, a directory can be developed |
False. A web access management system relies on an existing user directory, so the directory must be in place first.
|
|
True or false:
For security reasons, users should never be able to identify their own login ID |
False
|
|
Single Sign-On (SSO)
|
An authentication system that permits the user to enter a single ID and password to access multiple systems.
|
|
Kerberos
|
This is a security system created at MIT in the 1980s as part of Project Athena. It enables secure access to multiple systems in a client/server computing environment. The name comes from Kerberos (Cerberus), the three-headed dog that guarded the gates of Hades in ancient Greek mythology.
|
|
SESAME
|
Secure European System for Applications in a Multi-vendor Environment (SESAME) is a European research and development project that resulted in a technology of the same name. It is a single sign-on technology that provides role-based distributed access control, building on Kerberos-style tickets and adding Privilege Attribute Certificates (PACs) that carry the user's roles.
It offers single sign-on with added distributed access controls, using both symmetric and asymmetric cryptographic techniques to protect the data exchanged. |
|
Security Domains
|
Establish an area of trust for specified users. A domain shares a single management and security policy; it establishes the access control parameters within which its programs operate and defines the set of objects its trusted users can access.
|
|
Advantages of single sign-on (5)
|
Efficient log-on process
Users may create stronger passwords, since they only have to remember one
No need for multiple passwords
Timeout and attempt thresholds enforced across the entire platform
Centralized administration |
|
Disadvantages of SSO (2)
|
A compromised password gives an intruder access to every resource the user is authorized for
Inclusion of unique platforms may be challenging |
|
Kerberos meets which four basic requirements for access control?
|
Security - A network eavesdropper should not be able to obtain the information needed to impersonate a user
Reliability - Available to users whenever they need it
Transparency - The user is not aware of the authentication process taking place
Scalability - Must support a small or a large number of clients and servers |
|
The Kerberos key distribution center (KDC) server serves two functions:
|
An authentication server (AS), which authenticates a principal (any entity that interacts with the Kerberos server, such as a user workstation, an application, or a service) via a secret key exchanged in advance, and issues it a ticket-granting ticket (TGT)
A ticket-granting server (TGS), which accepts the TGT and issues service tickets that let the already-authenticated principal prove its identity to another principal (a service) without re-entering its password |
|
What is a principal in the Kerberos key distribution center (KDC)?
|
A "principal" is any entity that interacts with the Kerberos server, such as a user workstation, an application, or a service. A principal must be pre-registered with a unique secret key exchanged in advance between the principal and the Kerberos server. The KDC maintains a database of the secret keys of all the principals on the network, which is why it must be protected like a password store.
|
|
True or false:
Kerberos is based on symmetric encryption |
True. Every ticket and authenticator in the core protocol is protected with symmetric keys shared with the KDC; the PKINIT extension (RFC 4556) adds public-key cryptography only to the initial client authentication.
|
|
What factors need to be considered during the implementation of Kerberos authentication?
|
Enforce limited lifetimes for authentication credentials (tickets and authenticators); this minimizes the threat of replayed credentials. Lifetimes are based on time stamps, so clocks must be synchronized (the usual tolerated skew is five minutes).
The KDC must be physically secured, since it holds every principal's secret key.
The KDC should be hardened and should not allow any non-Kerberos network activity.
The Kerberos authentication server is a single point of failure, so a redundant authentication server should be provided. |
|
True or false:
Kerberos is a static-password (one-factor) authentication system and is vulnerable to brute-force attacks. |
True. The user's long-term key is derived from the password, so an attacker who captures material encrypted under it (for example a pre-authentication time stamp or an AS-REP) can guess passwords offline, where lockout thresholds do not apply; only the strength of the password limits the attack.
|
|
What is the default key length of Unix Kerberos?
What about Windows 2000/XP Kerberos? |
Unix (MIT) Kerberos historically defaulted to 56-bit single DES for Kerberos keys, which is very vulnerable to brute force.
Windows 2000/XP Kerberos defaults to 128-bit RC4-HMAC, which is harder to attack by exhaustive key search; note, however, that the RC4-HMAC key is the unsalted NT hash (MD4) of the password, so it is still only as strong as the password itself. Both defaults are now obsolete: single DES was deprecated in RFC 6649 and RC4 in RFC 8429, and current Kerberos implementations default to AES (aes256-cts-hmac-sha1-96). |
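Added worked example, not part of the flashcard deck and not the code of any Kerberos implementation: a self-contained Python sketch of the three exchanges the cards describe (AS, TGS and the final ticket presentation to a service), the lifetime, clock-skew and replay checks that bound the use of captured credentials, and the one-factor weakness that lets an eavesdropper guess the password offline. Everything is an assumption made for illustration: a toy HMAC-SHA256 seal/unseal stands in for a real Kerberos encryption type, PBKDF2 stands in for the RFC 3962 string-to-key function, message formats are plain JSON (no ASN.1, flags or addresses), and the realm, principal names, password and wordlist are constructed sample data.

```python
import hashlib, hmac, json, os

SKEW = 300  # accepted clock skew in seconds (the usual Kerberos five-minute window)

def string_to_key(password: str, salt: str) -> bytes:
    # Assumption: PBKDF2 stands in for RFC 3962 string-to-key; the key is a function of the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(0, n, 32))[:n]

def seal(key: bytes, msg: dict) -> bytes:
    # Toy encrypt-then-MAC standing in for a real Kerberos encryption type:
    # HMAC-SHA256 keystream, then an HMAC-SHA256 tag over nonce||ciphertext.
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def validate(ticket: dict, auth: dict, now: float) -> None:
    # Lifetime and time-stamp checks bound how long a captured credential stays usable.
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(auth["timestamp"] - now) > SKEW:
        raise ValueError("authenticator timestamp outside clock skew")

class KDC:
    # AS and TGS in one process; `keys` is the database of every principal's secret key.
    def __init__(self, keys: dict, lifetime: int = 8 * 3600):
        self.keys, self.lifetime = keys, lifetime

    def as_exchange(self, client: str, preauth: bytes, now: float) -> bytes:
        # Pre-authentication: the client proves it knows its key by sealing a time stamp.
        if abs(unseal(self.keys[client], preauth)["timestamp"] - now) > SKEW:
            raise ValueError("pre-auth timestamp outside clock skew")
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "expires": now + self.lifetime})
        return seal(self.keys[client], {"key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str, now: float) -> bytes:
        t = unseal(self.keys["krbtgt"], tgt)  # only the KDC can open a TGT
        sk = bytes.fromhex(t["key"])
        validate(t, unseal(sk, auth), now)
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": ssk.hex(), "expires": now + self.lifetime})
        return seal(sk, {"key": ssk.hex(), "ticket": ticket.hex()})

class Service:
    def __init__(self, key: bytes):
        self.key, self.replay_cache = key, set()  # authenticators already accepted

    def ap_exchange(self, ticket: bytes, auth: bytes, now: float) -> str:
        t = unseal(self.key, ticket)  # only this service can open its own tickets
        a = unseal(bytes.fromhex(t["key"]), auth)
        validate(t, a, now)
        if (a["client"], a["timestamp"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((a["client"], a["timestamp"]))
        return t["client"]

def guess_password(preauth: bytes, salt: str, wordlist: list):
    # Offline attack on a captured pre-auth blob: derive a key from each guess and
    # check only the MAC. Nothing touches the KDC, so lockout thresholds never fire.
    nonce_ct, tag = preauth[:-32], preauth[-32:]
    for guess in wordlist:
        if hmac.compare_digest(tag, hmac.new(string_to_key(guess, salt), nonce_ct, "sha256").digest()):
            return guess
    return None

def demo(now: float = 1_700_000_000) -> dict:
    realm, user, password = "EXAMPLE.COM", "alice", "Winter2024"  # constructed sample data
    keys = {user: string_to_key(password, realm + user), "krbtgt": os.urandom(32), "http/web": os.urandom(32)}
    kdc, web, out = KDC(keys), Service(keys["http/web"]), {}
    # AS exchange: sealed time stamp -> TGT plus session key, returned under the user's key.
    preauth = seal(keys[user], {"timestamp": now})
    rep = unseal(keys[user], kdc.as_exchange(user, preauth, now))
    sk, tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    # TGS exchange: TGT plus authenticator -> service ticket plus service session key.
    rep = unseal(sk, kdc.tgs_exchange(tgt, seal(sk, {"client": user, "timestamp": now}), "http/web", now))
    ssk, ticket = bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])
    # AP exchange: the service authenticates the user without ever seeing a password.
    auth = seal(ssk, {"client": user, "timestamp": now})
    out["first"] = web.ap_exchange(ticket, auth, now)
    for label, a, t in [("replay", auth, now + 1),  # eavesdropper replays the capture
                        ("expired", seal(ssk, {"client": user, "timestamp": now + 9 * 3600}), now + 9 * 3600)]:
        try:
            out[label] = web.ap_exchange(ticket, a, t)
        except ValueError as e:
            out[label] = str(e)
    # An eavesdropper holding `preauth` can guess the password offline, one-factor style.
    out["cracked"] = guess_password(preauth, realm + user, ["password", "Summer2023", "Winter2024"])
    return out
```

Calling `demo()` returns a dictionary: `first` is the client name the service accepted, `replay` and `expired` carry the rejection reasons for a replayed authenticator and for a ticket presented after its lifetime, and `cracked` is the password recovered from the captured pre-authentication blob. The service never holds the user's password or long-term key; it trusts the ticket only because it was sealed under the service's own key by the KDC, which is why the KDC's key database is the crown jewel of the realm.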