Contents

Acknowledgments
About the Author
About This Book

Chapter 1
User Identification and Authentication Concepts
1.1 Security Landscape
1.2 Authentication, Authorization, and Accounting
1.2.1 Identification and Authentication
1.2.2 Authorization
1.2.3 User Logon Process
1.2.4 Accounting
1.3 Threats to User Identification and Authentication
1.3.1 Bypassing Authentication
1.3.2 Default Passwords
1.3.3 Privilege Escalation
1.3.4 Obtaining Physical Access
1.3.5 Password Guessing: Dictionary, Brute Force, and Rainbow Attacks
1.3.6 Sniffing Credentials off the Network
1.3.7 Replaying Authentication
1.3.8 Downgrading Authentication Strength
1.3.9 Imposter Servers
1.3.10 Man-in-the-Middle Attacks
1.3.11 Session Hijacking
1.3.12 Shoulder Surfing
1.3.13 Keyboard Loggers, Trojans, and Viruses
1.3.14 Offline Attacks
1.3.15 Social Engineering
1.3.16 Dumpster Diving and Identity Theft
1.4 Authentication Credentials
1.4.1 Password Authentication
1.4.1.1 Static Passwords
1.4.1.2 One-Time Passwords
1.4.2 Asymmetric Keys and Certificate-Based Credentials
1.4.3 Biometric Credentials
1.4.4 Ticket-Based Hybrid Authentication Methods
1.5 Enterprise User Identification and Authentication Challenges
1.6 Authenticating Access to Services and the Infrastructure
1.6.1 Authenticating Access to the Infrastructure
1.6.2 Authenticating Access to Applications and Services
1.7 Delegation and Impersonation
1.8 Cryptology, Cryptography, and Cryptanalysis
1.8.1 The Goal of Cryptography
1.8.2 Protection Keys
1.8.2.1 Symmetric Encryption
1.8.2.2 Asymmetric Keys
1.8.2.3 Hybrid Approaches: Diffie-Hellman Key Exchange Algorithm
1.8.3 Encryption
1.8.3.1 Data Encryption Standard (DES/3DES)
1.8.3.2 Advanced Encryption Standard (AES)
1.8.3.3 RC4 (ARCFOUR)
1.8.3.4 RSA Encryption Algorithm (Asymmetric Encryption)
1.8.4 Data Integrity
1.8.4.1 Message Integrity Code (MIC)
1.8.4.2 Message Authentication Code (MAC)

Chapter 2
UNIX User Authentication Architecture
2.1 Users and Groups
2.1.1 Overview
2.1.2 Case Study: Duplicate UIDs
2.1.3 Case Study: Group Login and Supplementary Groups
2.2 Simple User Credential Stores
2.2.1 UNIX Password Encryption
2.2.2 The /etc/passwd File
2.2.3 The /etc/group File
2.2.4 The /etc/shadow File
2.2.5 The /etc/gshadow File
2.2.6 The /etc/publickey file
2.2.7 The /etc/cram-md5.pwd File
2.2.8 The SASL User Database
2.2.9 The htpasswd File
2.2.10 Samba Credentials
2.2.11 The Kerberos Principal Database
2.3 Name Services Switch (NSS)
2.4 Pluggable Authentication Modules (PAM)
2.5 The UNIX Authentication Process
2.6 User Impersonation
2.7 Case Study: User Authentication against LDAP
2.7.1 Preparing Active Directory
2.7.2 PADL LDAP Configuration
2.7.3 User Authentication Using NSS LDAP
2.7.4 User Authentication Using PAM LDAP
2.8 Case Study: Using Hesiod for User Authentication in Linux

Chapter 3
Windows User Authentication Architecture
3.1 Security Principals
3.1.1 Security Identifiers (SIDs)
3.1.2 Users and Groups
3.1.3 Case Study: Group SIDs
3.1.4 Access Tokens
3.1.5 Case Study: SIDs in the User Access Token
3.1.6 User Rights
3.2 Stand-Alone Authentication
3.2.1 Interactive and Network Authentication
3.2.2 Interactive Authentication on Windows Computers
3.2.3 The Security Accounts Manager Database
3.2.4 Case Study: User Properties — Windows NT Local User Accounts
3.2.5 Case Study: Group Properties — Windows Local Group Accounts
3.2.6 SAM Registry Structure
3.2.7 User Passwords
3.2.8 Storing Password Hashes in the Registry SAM File
3.2.8.1 LM Hash Algorithm
3.2.8.2 NT Hash Algorithm
3.2.8.3 Password Hash Obfuscation Using DES
3.2.8.4 SYSKEY Encryption for Storing Password Hashes in the SAM
3.2.8.5 Case Study: The SYSKEY Utility, the System Key, and Password Encryption Key
3.2.8.6 Threats to Windows Password Hashes
3.2.8.7 Tools to Access Windows Password Hashes
3.2.8.8 Case Study: Accessing Windows Password Hashes with pwdump4
3.2.9 LSA Secrets
3.2.9.1 Case Study: Exploring LSA Secrets on a Windows NT 4.0 Domain Controller that is an Exchange 5.5 Server
3.2.10 Logon Cache
3.2.11 Protected Storage
3.2.12 Data Protection API (DPAPI)
3.2.13 Credential Manager
3.2.14 Case Study: Exploring Credential Manager
3.3 Windows Domain Authentication
3.3.1 Domain Model
3.3.2 Joining a Windows NT Domain
3.3.3 Computer Accounts in the Domain
3.3.4 Domains and Trusts
3.3.5 Case Study: Workstation Trust and Interdomain Trust
3.3.6 SID Filtering across Trusts
3.3.7 Migration and Restructuring
3.3.8 Null Sessions
3.3.9 Case Study: Using Null Sessions Authentication to Access Resources
3.3.10 Case Study: Domain Member Start-up and Authentication
3.3.11 Case Study: Domain Controller Start-up and Authentication
3.3.12 Case Study: Windows NT 4.0 Domain User Logon Process
3.3.13 Case Study: User Logon to Active Directory Using Kerberos
3.3.14 Windows NT 4.0 Domain Model
3.3.14.1 User Accounts
3.3.14.2 Group Accounts and Group Strategies
3.3.14.3 Authentication Protocols: NTLM and LM
3.3.14.4 Trust Relationships
3.3.15 Active Directory
3.3.15.1 Active Directory Overview
3.3.15.2 Logical and Physical Structure
3.3.15.3 Active Directory Schema
3.3.15.4 Database Storage for Directory Information
3.3.15.5 Support for Legacy Windows NT Directory Services
3.3.15.6 Hierarchical LDAP-Compliant Directory
3.3.15.7 Case Study: Exploring Active Directory Using LDP.EXE
3.3.15.8 User Accounts in AD
3.3.15.9 Case Study: User Logon Names in Active Directory
3.3.15.10 Case Study: Using LDAP to Change User Passwords in Active Directory
3.3.15.11 Case Study: Obtaining Password Hashes from Active Directory
3.3.15.12 Group Accounts and Group Strategy in AD
3.3.15.13 Case Study: Exploring the Effects of Group Nesting to User Access Token
3.3.15.14 Computer Accounts in AD
3.3.15.15 Trees, Forests, and Intra-forest Trusts
3.3.15.16 Case Study: User Accesses Resources in Another Domain in the Same Forest
3.3.15.17 Trusts with External Domains
3.3.15.18 Case Study: Exploring External Trusts
3.3.15.19 Case Study: Exploring Forest Trusts
3.3.15.20 Selective Authentication
3.3.15.21 Case Study: Exploring Authentication Firewall and User Access Tokens
3.3.15.22 Protocol Transition
3.4 Federated Trusts
3.5 Impersonation
3.5.1 Secondary Logon Service
3.5.2 Application-Level Impersonation

Chapter 4
Authenticating Access to Services and Applications
4.1 Security Programming Interfaces
4.1.1 Generic Security Services API (GSS-API)
4.1.1.1 Kerberos Version 5 as a GSS-API Mechanism
4.1.1.2 SPNEGO as a GSS-API Mechanism
4.1.2 Security Support Provider Interface (SSPI)
4.1.2.1 SSP Message Support
4.1.2.2 Strong Keys and 128-bit Encryption
4.1.2.3 SSPI Signing
4.1.2.4 SSPI Sealing (Encryption)
4.1.2.5 Controlling SSP behavior using Group Policies
4.1.2.6 Microsoft Negotiate SSP
4.1.2.7 GSS-API and SSPI Compatibility
4.2 Authentication Protocols
4.2.1 NTLM Authentication
4.2.1.1 NTLM Overview
4.2.1.2 The Concept of Trust and Secure Channels
4.2.1.3 Domain Member Secure Channel Establishment
4.2.1.4 Domain Controller Secure Channel Establishment across Trusts
4.2.1.5 SMB/CIFS Signing
4.2.1.6 Case Study: Pass-through Authentication and Authentication Piggybacking
4.2.1.7 NTLM Authentication Mechanics
4.2.1.8 Case Study: NTLM Authentication Scenarios
4.2.1.9 NTLM impersonation
4.2.2 Kerberos Authentication
4.2.2.1 Kerberos Overview
4.2.2.2 The Concept of Trust in Kerberos
4.2.2.3 Name Format for Kerberos Principals
4.2.2.4 Kerberos Authentication Phases
4.2.2.5 Kerberos Tickets
4.2.2.6 Kerberos Authentication Mechanics
4.2.2.7 Case Study: Kerberos Authentication: CIFS
4.2.2.8 Authorization Information and the Microsoft PAC Attribute
4.2.2.9 Kerberos Credentials Exchange (KRB_CRED)
4.2.2.10 Kerberos and Smart Card Authentication (PKInit)
4.2.2.11 Kerberos User-to-User Authentication
4.2.2.12 Kerberos Encryption and Checksum Mechanisms
4.2.2.13 Case Study: Kerberos Authentication Scenarios
4.2.2.14 Kerberos Delegation
4.2.3 Simple Authentication and Security Layer (SASL)
4.2.3.1 Kerberos IV
4.2.3.2 GSS-API
4.2.3.3 S/Key Authentication Mechanism
4.2.3.4 External Authentication
4.2.3.5 SASL Anonymous Authentication
4.2.3.6 SASL CRAM-MD5 Authentication
4.2.3.7 SASL Digest-MD5 authentication
4.2.3.8 SASL and User Password Databases
4.3 Transport Layer Security (TLS) and Secure Sockets Layer (SSL)
4.3.1 Hello Phase
4.3.2 Server Authentication Phase
4.3.3 Client Authentication Phase
4.3.3.1 Calculate the Master Secret
4.3.3.2 Calculate Protection Keys
4.3.4 Negotiate Start of Protection Phase
4.3.5 Resuming TLS/SSL Sessions
4.3.6 Using SSL/TLS to Protect Generic User Traffic
4.3.7 Using SSL/TLS Certificate Mapping as an Authentication Method
4.4 Telnet Authentication
4.4.1 Telnet Login Authentication
4.4.2 Telnet Authentication Option
4.5 FTP Authentication
4.5.1 FTP Simple Authentication
4.5.2 Anonymous FTP
4.5.3 FTP Security Extensions with GSS-API
4.5.4 FTP Security Extensions with TLS
4.6 HTTP Authentication
4.6.1 HTTP Anonymous Authentication
4.6.2 HTTP Basic Authentication
4.6.3 HTTP Digest Authentication
4.6.4 HTTP GSS-API/SSPI Authentication using SPNEGO and Kerberos
4.6.5 HTTP NTLMSSP Authentication
4.6.6 HTTP SSL Certificate Mapping as an Authentication Method
4.6.7 Form-Based Authentication
4.6.8 Microsoft Passport Authentication
4.6.9 HTTP Proxy Authentication
4.7 POP3/IMAP Authentication
4.7.1 POP3/IMAP Password Authentication
4.7.2 POP3/IMAP Plain Authentication
4.7.3 POP3 APOP Authentication
4.7.4 POP3/IMAP Login Authentication
4.7.5 POP3/IMAP SASL CRAM-MD5 and DIGEST-MD5 Authentication
4.7.6 POP3/IMAP and NTLM Authentication (Secure Password Authentication)
4.8 SMTP Authentication
4.8.1 SMTP Login Authentication
4.8.2 SMTP Plain Authentication
4.8.3 SMTP GSS-API Authentication
4.8.4 SMTP CRAM-MD5 and DIGEST-MD5 Authentication
4.8.5 SMTP Authentication Using NTLM
4.9 LDAP Authentication
4.9.1 Simple Authentication
4.9.2 LDAP Anonymous Authentication
4.9.3 LDAP SASL Authentication using Digest-MD5
4.9.4 LDAP SASL Authentication using GSS-API
4.10 SSH Authentication
4.10.1 SSH Public Key Authentication
4.10.2 SSH Host Authentication
4.10.3 SSH Password Authentication
4.10.4 SSH Keyboard Interactive Authentication
4.10.5 SSH GSS-API User Authentication
4.10.6 SSH GSS-API Key Exchange and Authentication
4.11 Sun RPC Authentication
4.11.1 RPC AUTH_NULL (AUTH_NONE) Authentication
4.11.2 RPC AUTH_UNIX (AUTH_SYS) Authentication
4.11.3 RPC AUTH_SHORT Authentication
4.11.4 RPC AUTH_DES (AUTH_DH) Authentication
4.11.5 RPC AUTH_KERB4 Authentication
4.11.6 RPCSEC_GSS Authentication
4.12 SMB/CIFS Authentication
4.13 NFS Authentication
4.14 Microsoft Remote Procedure Calls
4.15 MS SQL Authentication
4.15.1 MS SQL Authentication over the TCP/IP Transport
4.15.2 MS SQL Server Authentication over Named Pipes
4.15.3 MS SQL Server Authentication over Multiprotocol
4.15.4 MS SQL Server and SSL
4.16 Oracle Database Server Authentication
4.16.1 Oracle Legacy Authentication Database
4.16.2 Legacy OracleNet Authentication
4.16.3 Oracle Advanced Security Mechanisms for User Authentication
4.17 MS Exchange MAPI Authentication
4.18 SAML, WS-Security, and Federated Identity
4.18.1 XML and SOAP
4.18.2 SAML
4.18.2.1 SAML and Web Single Sign-On
4.18.2.2 Case Study: Web Single Sign-On Mechanics
4.18.2.3 SAML Federated Identity
4.18.2.4 Account Linking
4.18.3 WS-Security

Chapter 5
Authenticating Access to the Infrastructure
5.1 User Authentication on Cisco Routers and Switches
5.1.1 Authentication to Router Services
5.1.2 Local User Database and Passwords
5.1.3 Centralizing Authentication
5.1.4 New-Model AAA
5.2 Authenticating Remote Access to the Infrastructure
5.2.1 SLIP Authentication
5.2.2 PPP Authentication
5.2.3 Password Authentication Protocol (PAP)
5.2.4 CHAP
5.2.5 MS-CHAP Version 1 and Version 2
5.2.6 Extensible Authentication Protocol (EAP)
5.2.7 EAP-TLS
5.2.8 EAP-TTLS
5.2.9 Protected EAP (PEAP)
5.2.10 Lightweight EAP (LEAP)
5.2.11 EAP-FAST
5.2.11.1 EAP-FAST Automatic Provisioning (EAP-FAST Phase 0)
5.2.11.2 Tunnel Establishment (EAP-Phase 1)
5.2.11.3 User Authentication (EAP-FAST Phase 2)
5.3 Port-Based Access Control
5.3.1 Overview of Port-Based Access Control
5.3.2 EAPOL
5.3.3 EAPOL Key Messages
5.4 Authenticating Access to the Wireless Infrastructure
5.4.1 Wi-Fi Authentication Overview
5.4.2 WEP Protection
5.4.3 Open Authentication
5.4.4 Shared Key Authentication
5.4.5 WPA/WPA2 and IEEE 802.11i
5.4.6 WPA/WPA2 Enterprise Mode
5.4.7 WPA/WPA2 Preshared Key Mode (WPA-PSK)
5.5 IPSec, IKE, and VPN Client Authentication
5.5.1 IKE Peer Authentication
5.5.1.1 IKE and IPSec Phases
5.5.1.2 Preshared Key Authentication
5.5.1.3 IKE Signature-Based Authentication
5.5.1.4 IKE Public Key Authentication, Option 1
5.5.1.5 IKE Public Key Authentication, Option 2
5.5.2 IKE XAUTH Authentication and VPN Clients
5.6 Centralized User Authentication
5.6.1 RADIUS
5.6.1.1 Overview
5.6.1.2 The Model of Trust in RADIUS
5.6.1.3 RADIUS Authentication Requests from Edge Devices
5.6.1.4 RADIUS and EAP Pass-through Authentication
5.6.2 TACACS
5.6.2.1 Overview
5.6.2.2 TACACS+ Channel Protection
5.6.2.3 TACACS+ Authentication Process

Appendices
A - References
Printed References
Online References

B - Lab Configuration

C - Indices of Tables and Figures
Index of Tables
Index of Figures
Book Index