Mechanics of user identification and authentication: fundamentals of identity management
Saved in:
Main Author: | Todorov, Dobromir |
---|---|
Format: | Book |
Language: | English |
Published: | Boca Raton [et al.]: Auerbach, 2007 |
Subjects: | Computer security; Authentication; Access control |
Online Access: | Table of contents |
Description: | Includes bibliographical references and index |
Physical Description: | xxv, 728 p., ill., diagrams |
ISBN: | 9781420052190 |
Internal format
MARC
LEADER | 00000nam a2200000zc 4500 | ||
---|---|---|---|
001 | BV022529372 | ||
003 | DE-604 | ||
005 | 20100505 | ||
007 | t | ||
008 | 070725s2007 xxuad|| |||| 00||| eng d | ||
010 | |a 2007060355 | ||
020 | |a 9781420052190 |9 978-1-4200-5219-0 | ||
035 | |a (OCoLC)77716961 | ||
035 | |a (DE-599)BVBBV022529372 | ||
040 | |a DE-604 |b ger |e aacr | ||
041 | 0 | |a eng | |
044 | |a xxu |c US | ||
049 | |a DE-29T |a DE-703 |a DE-355 | ||
050 | 0 | |a TK5105.59 | |
082 | 0 | |a 005.8 | |
084 | |a ST 276 |0 (DE-625)143642: |2 rvk | ||
084 | |a ST 277 |0 (DE-625)143643: |2 rvk | ||
100 | 1 | |a Todorov, Dobromir |e Verfasser |4 aut | |
245 | 1 | 0 | |a Mechanics of user identification and authentication |b fundamentals of identity management |c Dobromir Todorov |
264 | 1 | |a Boca Raton [u.a.] |b Auerbach |c 2007 | |
300 | |a XXV, 728 S. |b Ill., graph. Darst. | ||
336 | |b txt |2 rdacontent | ||
337 | |b n |2 rdamedia | ||
338 | |b nc |2 rdacarrier | ||
500 | |a Includes bibliographical references and index | ||
650 | 4 | |a Authentification | |
650 | 4 | |a Ordinateurs - Accès - Contrôle | |
650 | 4 | |a Réseaux d'ordinateurs - Sécurité - Mesures | |
650 | 4 | |a Systèmes d'exploitation (Ordinateurs) - Sécurité - Mesures | |
650 | 4 | |a Systèmes informatiques - Sécurité - Mesures | |
650 | 4 | |a Sécurité informatique | |
650 | 4 | |a Computer networks |x Security measures | |
650 | 4 | |a Computers |x Access control | |
650 | 4 | |a Computer security | |
650 | 0 | 7 | |a Computersicherheit |0 (DE-588)4274324-2 |2 gnd |9 rswk-swf |
650 | 0 | 7 | |a Authentifikation |0 (DE-588)4330656-1 |2 gnd |9 rswk-swf |
650 | 0 | 7 | |a Zugriffskontrolle |0 (DE-588)4293034-0 |2 gnd |9 rswk-swf |
689 | 0 | 0 | |a Computersicherheit |0 (DE-588)4274324-2 |D s |
689 | 0 | 1 | |a Zugriffskontrolle |0 (DE-588)4293034-0 |D s |
689 | 0 | 2 | |a Authentifikation |0 (DE-588)4330656-1 |D s |
689 | 0 | |5 DE-604 | |
856 | 4 | 2 | |m GBV Datenaustausch |q application/pdf |u http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=015736001&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |3 Inhaltsverzeichnis |
999 | |a oai:aleph.bib-bvb.de:BVB01-015736001 |
Record in the search index
_version_ | 1804136638528356352 |
---|---|
adam_text |
Mechanics of User Identification and Authentication: Fundamentals of Identity Management
Dobromir Todorov
Auerbach Publications, Taylor & Francis Group, Boca Raton, New York
Auerbach Publications is an imprint of the Taylor & Francis Group, an Informa business.

Contents
Acknowledgments xix
About the Author xxi
About This Book xxiii

1 User Identification and Authentication Concepts 1
1.1 Security Landscape 1
1.2 Authentication, Authorization, and Accounting 3
1.2.1 Identification and Authentication 4
1.2.2 Authorization 7
1.2.3 User Logon Process 8
1.2.4 Accounting 8
1.3 Threats to User Identification and Authentication 9
1.3.1 Bypassing Authentication 9
1.3.2 Default Passwords 10
1.3.3 Privilege Escalation 10
1.3.4 Obtaining Physical Access 11
1.3.5 Password Guessing: Dictionary, Brute Force, and Rainbow Attacks 12
1.3.6 Sniffing Credentials off the Network 14
1.3.7 Replaying Authentication 14
1.3.8 Downgrading Authentication Strength 15
1.3.9 Imposter Servers 15
1.3.10 Man-in-the-Middle Attacks 16
1.3.11 Session Hijacking 16
1.3.12 Shoulder Surfing 16
1.3.13 Keyboard Loggers, Trojans, and Viruses 17
1.3.14 Offline Attacks 17
1.3.15 Social Engineering 17
1.3.16 Dumpster Diving and Identity Theft 18
1.4 Authentication Credentials 18
1.4.1 Password Authentication 20
1.4.1.1 Static Passwords 20
1.4.1.2 One-Time Passwords 22
1.4.2 Asymmetric Keys and Certificate-Based Credentials 26
1.4.3 Biometric Credentials 34
1.4.4 Ticket-Based Hybrid Authentication Methods 37
1.5 Enterprise User Identification and Authentication Challenges 39
1.6 Authenticating Access to Services and the Infrastructure 43
1.6.1 Authenticating Access to the Infrastructure 43
1.6.2 Authenticating Access to Applications and Services 44
1.7 Delegation and Impersonation 45
1.8 Cryptology, Cryptography, and Cryptanalysis 45
1.8.1 The Goal of Cryptography 46
1.8.2 Protection Keys 47
1.8.2.1 Symmetric Encryption 49
1.8.2.2 Asymmetric Keys 51
1.8.2.3 Hybrid Approaches: Diffie-Hellman Key Exchange Algorithm 52
1.8.3 Encryption 54
1.8.3.1 Data Encryption Standard (DES/3DES) 55
1.8.3.2 Advanced Encryption Standard (AES) 57
1.8.3.3 RC4 (ARCFOUR) 58
1.8.3.4 RSA Encryption Algorithm (Asymmetric Encryption) 58
1.8.4 Data Integrity 59
1.8.4.1 Message Integrity Code (MIC) 60
1.8.4.2 Message Authentication Code (MAC) 61

2 UNIX User Authentication Architecture 65
2.1 Users and Groups 65
2.1.1 Overview 66
2.1.2 Case Study: Duplicate UIDs 67
2.1.3 Case Study: Group Login and Supplementary Groups 68
2.2 Simple User Credential Stores 69
2.2.1 UNIX Password Encryption 70
2.2.2 The /etc/passwd File 73
2.2.3 The /etc/group File 76
2.2.4 The /etc/shadow File 76
2.2.5 The /etc/gshadow File 79
2.2.6 The /etc/publickey File 80
2.2.7 The /etc/cram-md5.pwd File 81
2.2.8 The SASL User Database 82
2.2.9 The htpasswd File 82
2.2.10 Samba Credentials 83
2.2.11 The Kerberos Principal Database 84
2.3 Name Services Switch (NSS) 84
2.4 Pluggable Authentication Modules (PAM) 88
2.5 The UNIX Authentication Process 95
2.6 User Impersonation 96
2.7 Case Study: User Authentication against LDAP 104
2.7.1 Preparing Active Directory 105
2.7.2 PADL LDAP Configuration 105
2.7.3 User Authentication Using NSS LDAP 108
2.7.4 User Authentication Using PAM LDAP 124
2.8 Case Study: Using Hesiod for User Authentication in Linux 129

3 Windows User Authentication Architecture 139
3.1 Security Principals 140
3.1.1 Security Identifiers (SIDs) 140
3.1.2 Users and Groups 140
3.1.3 Case Study: Group SIDs 152
3.1.4 Access Tokens 153
3.1.5 Case Study: SIDs in the User Access Token 155
3.1.6 User Rights 157
3.2 Stand-Alone Authentication 160
3.2.1 Interactive and Network Authentication 161
3.2.2 Interactive Authentication on Windows Computers 162
3.2.3 The Security Accounts Manager Database 165
3.2.4 Case Study: User Properties: Windows NT Local User Accounts 168
3.2.5 Case Study: Group Properties: Windows Local Group Accounts 169
3.2.6 SAM Registry Structure 170
3.2.7 User Passwords 173
3.2.8 Storing Password Hashes in the Registry SAM File 174
3.2.8.1 LM Hash Algorithm 174
3.2.8.2 NT Hash Algorithm 178
3.2.8.3 Password Hash Obfuscation Using DES 178
3.2.8.4 SYSKEY Encryption for Storing Password Hashes in the SAM 179
3.2.8.5 Case Study: The SYSKEY Utility, the System Key, and Password Encryption Key 181
3.2.8.6 Threats to Windows Password Hashes 185
3.2.8.7 Tools to Access Windows Password Hashes 188
3.2.8.8 Case Study: Accessing Windows Password Hashes with PWDUMP4 188
3.2.9 LSA Secrets 190
3.2.9.1 Case Study: Exploring LSA Secrets on a Windows NT 4.0 Domain Controller That Is an Exchange 5.5 Server 192
3.2.10 Logon Cache 197
3.2.11 Protected Storage 199
3.2.12 Data Protection API (DPAPI) 200
3.2.13 Credential Manager 205
3.2.14 Case Study: Exploring Credential Manager 208
3.3 Windows Domain Authentication 210
3.3.1 Domain Model 210
3.3.2 Joining a Windows NT Domain 214
3.3.3 Computer Accounts in the Domain 215
3.3.4 Domains and Trusts 217
3.3.5 Case Study: Workstation Trust and Interdomain Trust 219
3.3.6 SID Filtering across Trusts 220
3.3.7 Migration and Restructuring 222
3.3.8 Null Sessions 224
3.3.9 Case Study: Using Null Sessions Authentication to Access Resources 227
3.3.10 Case Study: Domain Member Start-Up and Authentication 230
3.3.11 Case Study: Domain Controller Start-Up and Authentication 233
3.3.12 Case Study: Windows NT 4.0 Domain User Logon Process 233
3.3.13 Case Study: User Logon to Active Directory Using Kerberos 235
3.3.14 Windows NT 4.0 Domain Model 235
3.3.14.1 User Accounts 235
3.3.14.2 Group Accounts and Group Strategies 236
3.3.14.3 Authentication Protocols: NTLM and LM 237
3.3.14.4 Trust Relationships 237
3.3.15 Active Directory 240
3.3.15.1 Active Directory Overview 240
3.3.15.2 Logical and Physical Structure 240
3.3.15.3 Active Directory Schema 244
3.3.15.4 Database Storage for Directory Information 245
3.3.15.5 Support for Legacy Windows NT Directory Services 246
3.3.15.6 Hierarchical LDAP-Compliant Directory 249
3.3.15.7 Case Study: Exploring Active Directory Using LDP.EXE 249
3.3.15.8 User Accounts in AD 252
3.3.15.9 Case Study: User Logon Names in Active Directory 257
3.3.15.10 Case Study: Using LDAP to Change User Passwords in Active Directory 259
3.3.15.11 Case Study: Obtaining Password Hashes from Active Directory 262
3.3.15.12 Group Accounts and Group Strategy in AD 262
3.3.15.13 Case Study: Exploring the Effects of Group Nesting to User Access Token 266
3.3.15.14 Computer Accounts in AD 270
3.3.15.15 Trees, Forests, and Intra-Forest Trusts 270
3.3.15.16 Case Study: User Accesses Resources in Another Domain in the Same Forest 275
3.3.15.17 Trusts with External Domains 279
3.3.15.18 Case Study: Exploring External Trusts 281
3.3.15.19 Case Study: Exploring Forest Trusts 283
3.3.15.20 Selective Authentication 285
3.3.15.21 Case Study: Exploring Authentication Firewall and User Access Tokens 287
3.3.15.22 Protocol Transition 290
3.4 Federated Trusts 291
3.5 Impersonation 291
3.5.1 Secondary Logon Service 292
3.5.2 Application-Level Impersonation 294

4 Authenticating Access to Services and Applications 301
4.1 Security Programming Interfaces 301
4.1.1 Generic Security Services API (GSS-API) 302
4.1.1.1 Kerberos Version 5 as a GSS-API Mechanism 306
4.1.1.2 SPNEGO as a GSS-API Mechanism 308
4.1.2 Security Support Provider Interface (SSPI) 310
4.1.2.1 SSP Message Support 311
4.1.2.2 Strong Keys and 128-Bit Encryption 312
4.1.2.3 SSPI Signing 314
4.1.2.4 SSPI Sealing (Encryption) 314
4.1.2.5 Controlling SSP Behavior Using Group Policies 314
4.1.2.6 Microsoft Negotiate SSP 315
4.1.2.7 GSS-API and SSPI Compatibility 330
4.2 Authentication Protocols 331
4.2.1 NTLM Authentication 331
4.2.1.1 NTLM Overview 331
4.2.1.2 The Concept of Trust and Secure Channels 332
4.2.1.3 Domain Member Secure Channel Establishment 334
4.2.1.4 Domain Controller Secure Channel Establishment across Trusts 338
4.2.1.5 SMB/CIFS Signing 339
4.2.1.6 Case Study: Pass-Through Authentication and Authentication Piggybacking 342
4.2.1.7 NTLM Authentication Mechanics 344
4.2.1.8 Case Study: NTLM Authentication Scenarios 362
4.2.1.9 NTLM Impersonation 387
4.2.2 Kerberos Authentication 387
4.2.2.1 Kerberos Overview 387
4.2.2.2 The Concept of Trust in Kerberos 388
4.2.2.3 Name Format for Kerberos Principals 389
4.2.2.4 Kerberos Authentication Phases 389
4.2.2.5 Kerberos Tickets 391
4.2.2.6 Kerberos Authentication Mechanics 394
4.2.2.7 Case Study: Kerberos Authentication: CIFS 403
4.2.2.8 Authorization Information and the Microsoft PAC Attribute 414
4.2.2.9 Kerberos Credentials Exchange (KRB_CRED) 416
4.2.2.10 Kerberos and Smart Card Authentication (PKINIT) 416
4.2.2.11 Kerberos User-to-User Authentication 418
4.2.2.12 Kerberos Encryption and Checksum Mechanisms 420
4.2.2.13 Case Study: Kerberos Authentication Scenarios 423
4.2.2.14 Kerberos Delegation 428
4.2.3 Simple Authentication and Security Layer (SASL) 430
4.2.3.1 Kerberos IV 432
4.2.3.2 GSS-API 433
4.2.3.3 S/Key Authentication Mechanism 433
4.2.3.4 External Authentication 433
4.2.3.5 SASL Anonymous Authentication 433
4.2.3.6 SASL CRAM-MD5 Authentication 434
4.2.3.7 SASL DIGEST-MD5 Authentication 437
4.2.3.8 SASL and User Password Databases 445
4.3 Transport Layer Security (TLS) and Secure Sockets Layer (SSL) 446
4.3.1 Hello Phase 449
4.3.2 Server Authentication Phase 450
4.3.3 Client Authentication Phase 451
4.3.3.1 Calculate the Master Secret 452
4.3.3.2 Calculate Protection Keys 453
4.3.4 Negotiate Start of Protection Phase 454
4.3.5 Resuming TLS/SSL Sessions 454
4.3.6 Using SSL/TLS to Protect Generic User Traffic 454
4.3.7 Using SSL/TLS Certificate Mapping as an Authentication Method 455
4.4 Telnet Authentication 464
4.4.1 Telnet Login Authentication 465
4.4.2 Telnet Authentication Option 470
4.5 FTP Authentication 479
4.5.1 FTP Simple Authentication 480
4.5.2 Anonymous FTP 481
4.5.3 FTP Security Extensions with GSS-API 481
4.5.4 FTP Security Extensions with TLS 485
4.6 HTTP Authentication 486
4.6.1 HTTP Anonymous Authentication 487
4.6.2 HTTP Basic Authentication 489
4.6.3 HTTP Digest Authentication 492
4.6.4 HTTP GSS-API/SSPI Authentication Using SPNEGO and Kerberos 495
4.6.5 HTTP NTLMSSP Authentication 501
4.6.6 HTTP SSL Certificate Mapping as an Authentication Method 501
4.6.7 Form-Based Authentication 506
4.6.8 Microsoft Passport Authentication 506
4.6.9 HTTP Proxy Authentication 509
4.7 POP3/IMAP Authentication 510
4.7.1 POP3/IMAP Password Authentication 510
4.7.2 POP3/IMAP PLAIN Authentication 511
4.7.3 POP3 APOP Authentication 511
4.7.4 POP3/IMAP LOGIN Authentication 513
4.7.5 POP3/IMAP SASL CRAM-MD5 and DIGEST-MD5 Authentication 513
4.7.6 POP3/IMAP and NTLM Authentication (Secure Password Authentication) 513
4.8 SMTP Authentication 515
4.8.1 SMTP LOGIN Authentication 517
4.8.2 SMTP PLAIN Authentication 519
4.8.3 SMTP GSS-API Authentication 519
4.8.4 SMTP CRAM-MD5 and DIGEST-MD5 Authentication 520
4.8.5 SMTP Authentication Using NTLM 520
4.9 LDAP Authentication 520
4.9.1 Simple Authentication 522
4.9.2 LDAP Anonymous Authentication 522
4.9.3 LDAP SASL Authentication Using DIGEST-MD5 522
4.9.4 LDAP SASL Authentication Using GSS-API 526
4.10 SSH Authentication 533
4.10.1 SSH Public Key Authentication 535
4.10.2 SSH Host Authentication 538
4.10.3 SSH Password Authentication 539
4.10.4 SSH Keyboard Interactive Authentication 541
4.10.5 SSH GSS-API User Authentication 541
4.10.6 SSH GSS-API Key Exchange and Authentication 543
4.11 Sun RPC Authentication 544
4.11.1 RPC AUTH_NULL (AUTH_NONE) Authentication 545
4.11.2 RPC AUTH_UNIX (AUTH_SYS) Authentication 549
4.11.3 RPC AUTH_SHORT Authentication 553
4.11.4 RPC AUTH_DES (AUTH_DH) Authentication 553
4.11.5 RPC AUTH_KERB4 Authentication 558
4.11.6 RPCSEC_GSS Authentication 558
4.12 SMB/CIFS Authentication 560
4.13 NFS Authentication 561
4.14 Microsoft Remote Procedure Calls 561
4.15 MS SQL Authentication 562
4.15.1 MS SQL Authentication over the TCP/IP Transport 563
4.15.2 MS SQL Server Authentication over Named Pipes 564
4.15.3 MS SQL Server Authentication over Multiprotocol 565
4.15.4 MS SQL Server and SSL 566
4.16 Oracle Database Server Authentication 567
4.16.1 Oracle Legacy Authentication Database 567
4.16.2 Legacy OracleNet Authentication 568
4.16.3 Oracle Advanced Security Mechanisms for User Authentication 570
4.17 MS Exchange MAPI Authentication 571
4.18 SAML, WS-Security, and Federated Identity 571
4.18.1 XML and SOAP 572
4.18.2 SAML 572
4.18.2.1 SAML and Web Single Sign-On 575
4.18.2.2 Case Study: Web Single Sign-On Mechanics 577
4.18.2.3 SAML Federated Identity 578
4.18.2.4 Account Linking 578
4.18.3 WS-Security 580

5 Authenticating Access to the Infrastructure 583
5.1 User Authentication on Cisco Routers and Switches 583
5.1.1 Authentication to Router Services 584
5.1.2 Local User Database and Passwords 585
5.1.3 Centralizing Authentication 588
5.1.4 New-Model AAA 589
5.2 Authenticating Remote Access to the Infrastructure 590
5.2.1 SLIP Authentication 590
5.2.2 PPP Authentication 590
5.2.3 Password Authentication Protocol (PAP) 591
5.2.4 CHAP 593
5.2.5 MS-CHAP Version 1 and 2 594
5.2.6 Extensible Authentication Protocol (EAP) 600
5.2.7 EAP-TLS 603
5.2.8 EAP-TTLS 604
5.2.9 Protected EAP (PEAP) 605
5.2.10 Lightweight EAP (LEAP) 606
5.2.11 EAP-FAST 607
5.2.11.1 EAP-FAST Automatic Provisioning (EAP-FAST Phase 0) 608
5.2.11.2 Tunnel Establishment (EAP-FAST Phase 1) 610
5.2.11.3 User Authentication (EAP-FAST Phase 2) 610
5.3 Port-Based Access Control 611
5.3.1 Overview of Port-Based Access Control 613
5.3.2 EAPOL 614
5.3.3 EAPOL Key Messages 616
5.4 Authenticating Access to the Wireless Infrastructure 623
5.4.1 Wi-Fi Authentication Overview 624
5.4.2 WEP Protection 625
5.4.3 Open Authentication 627
5.4.4 Shared Key Authentication 633
5.4.5 WPA/WPA2 and IEEE 802.11i 639
5.4.6 WPA/WPA2 Enterprise Mode 641
5.4.7 WPA/WPA2 Preshared Key Mode (WPA-PSK) 643
5.5 IPsec, IKE, and VPN Client Authentication 644
5.5.1 IKE Peer Authentication 644
5.5.1.1 IKE and IPsec Phases 645
5.5.1.2 Preshared Key Authentication 648
5.5.1.3 IKE Signature-Based Authentication 649
5.5.1.4 IKE Public Key Authentication, Option 1 650
5.5.1.5 IKE Public Key Authentication, Option 2 652
5.5.2 IKE XAUTH Authentication and VPN Clients 654
5.6 Centralized User Authentication 670
5.6.1 RADIUS 672
5.6.1.1 Overview 672
5.6.1.2 The Model of Trust in RADIUS 674
5.6.1.3 RADIUS Authentication Requests from Edge Devices 676
5.6.1.4 RADIUS and EAP Pass-Through Authentication 678
5.6.2 TACACS+ 682
5.6.2.1 Overview 683
5.6.2.2 TACACS+ Channel Protection 684
5.6.2.3 TACACS+ Authentication Process 684

Appendices
A References 691
Printed References 691
Online References 692
B Lab Configuration 701
C Indices of Tables and Figures 705
Index of Tables 705
Index of Figures 709
Index 713
|
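Sections 4.6.3 (HTTP Digest Authentication) and 4.2.3.6 to 4.2.3.7 (SASL CRAM-MD5 and DIGEST-MD5) in the table of contents above all describe challenge-response password authentication, and threats 1.3.7 (replaying authentication) and 1.3.14 (offline attacks) describe what it does and does not defend against. The following is an added example, not code from the book or its author: it implements the RFC 2617 HTTP Digest computation (qop=auth) for both the client and the verifying server, checks the result against the worked example in RFC 2617 section 3.5, and shows the nonce-count check that blocks a replayed response. The realm, user names, passwords, URI and nonces in the demo are constructed for this example.

```python
"""HTTP Digest (RFC 2617, qop=auth) client computation and server-side
verification with nonce-count replay protection.

Added example for the catalog page above; it is not code from the book or
its author. All identities, passwords, URIs and nonces are constructed."""
import hashlib
import secrets


def _h(*parts: str) -> str:
    """MD5 over the colon-joined parts, hex encoded (the H() of RFC 2617)."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = H(username:realm:password).

    This is the only long-term secret a Digest server needs to store, and it
    is password-equivalent for the realm: whoever reads it can answer every
    challenge. Realm and username are public, so they are not real salt; a
    leaked HA1 or a sniffed response is open to an offline dictionary attack
    (the book's threat 1.3.14)."""
    return _h(username, realm, password)


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """response = H(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = H(method:uri).

    Shared by both sides: the client derives HA1 from the password, the
    server uses the stored HA1, and both must reach the same hex string."""
    ha2 = _h(method, uri)
    return _h(ha1_hex, nonce, nc, cnonce, qop, ha2)


class DigestVerifier:
    """Server side: stores HA1 per user, issues nonces, verifies responses.

    Tracks the highest nonce-count (nc) accepted per nonce so that a response
    captured off the wire cannot simply be replayed (threat 1.3.7)."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self._ha1: dict[str, str] = {}
        self._nonces: dict[str, int] = {}   # nonce -> highest nc accepted

    def add_user(self, username: str, password: str) -> None:
        self._ha1[username] = ha1(username, self.realm, password)

    def new_nonce(self) -> str:
        """Issue a fresh, unpredictable nonce for a WWW-Authenticate challenge."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return nonce

    def verify(self, username: str, method: str, uri: str, nonce: str,
               nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
        stored = self._ha1.get(username)
        if stored is None or nonce not in self._nonces:
            return False          # unknown user, or a nonce we never issued
        try:
            nc_int = int(nc, 16)
        except ValueError:
            return False          # malformed nonce count
        if nc_int <= self._nonces[nonce]:
            return False          # reused or out-of-order nc: treat as replay
        expected = digest_response(stored, method, uri, nonce, nc, cnonce, qop)
        if not secrets.compare_digest(expected, response):
            return False          # wrong password, or tampered method/URI
        self._nonces[nonce] = nc_int
        return True


def rfc2617_example() -> str:
    """Recompute the worked example from RFC 2617 section 3.5."""
    h1 = ha1("Mufasa", "testrealm@host.com", "Circle Of Life")
    return digest_response(h1, "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                           "00000001", "0a4f113b")


def demo() -> tuple[bool, bool, bool]:
    """Constructed exchange: a valid login, a replay of it, a wrong password.
    Returns (accepted, replay_accepted, wrong_password_accepted)."""
    srv = DigestVerifier("example-realm")
    srv.add_user("alice", "correct horse battery staple")
    nonce = srv.new_nonce()
    cnonce = secrets.token_hex(8)
    good = digest_response(ha1("alice", "example-realm", "correct horse battery staple"),
                           "GET", "/private/report", nonce, "00000001", cnonce)
    accepted = srv.verify("alice", "GET", "/private/report", nonce, "00000001", cnonce, good)
    replayed = srv.verify("alice", "GET", "/private/report", nonce, "00000001", cnonce, good)
    bad = digest_response(ha1("alice", "example-realm", "wrong guess"),
                          "GET", "/private/report", nonce, "00000002", cnonce)
    wrong = srv.verify("alice", "GET", "/private/report", nonce, "00000002", cnonce, bad)
    return accepted, replayed, wrong


if __name__ == "__main__":
    print("RFC 2617 response:", rfc2617_example())
    print("accepted, replay, wrong password:", demo())
```

The replay check is the part most real deployments get wrong: without per-nonce `nc` tracking, Digest only hides the password from a passive sniffer and does nothing against someone who resends the captured `Authorization` header. Even with it, the scheme remains MD5-based and a captured response can be brute-forced offline, which is why the book's later chapters on Kerberos and TLS-based mechanisms matter.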
any_adam_object | 1 |
any_adam_object_boolean | 1 |
author | Todorov, Dobromir |
author_facet | Todorov, Dobromir |
author_role | aut |
author_sort | Todorov, Dobromir |
author_variant | d t dt |
building | Verbundindex |
bvnumber | BV022529372 |
callnumber-first | T - Technology |
callnumber-label | TK5105 |
callnumber-raw | TK5105.59 |
callnumber-search | TK5105.59 |
callnumber-sort | TK 45105.59 |
callnumber-subject | TK - Electrical and Nuclear Engineering |
classification_rvk | ST 276 ST 277 |
ctrlnum | (OCoLC)77716961 (DE-599)BVBBV022529372 |
dewey-full | 005.8 |
dewey-hundreds | 000 - Computer science, information, general works |
dewey-ones | 005 - Computer programming, programs, data, security |
dewey-raw | 005.8 |
dewey-search | 005.8 |
dewey-sort | 15.8 |
dewey-tens | 000 - Computer science, information, general works |
discipline | Informatik |
discipline_str_mv | Informatik |
format | Book |
id | DE-604.BV022529372 |
illustrated | Illustrated |
index_date | 2024-07-02T18:06:04Z |
indexdate | 2024-07-09T20:59:35Z |
institution | BVB |
isbn | 9781420052190 |
language | English |
lccn | 2007060355 |
oai_aleph_id | oai:aleph.bib-bvb.de:BVB01-015736001 |
oclc_num | 77716961 |
open_access_boolean | |
owner | DE-29T DE-703 DE-355 DE-BY-UBR |
owner_facet | DE-29T DE-703 DE-355 DE-BY-UBR |
physical | XXV, 728 S. Ill., graph. Darst. |
publishDate | 2007 |
publishDateSearch | 2007 |
publishDateSort | 2007 |
publisher | Auerbach |
record_format | marc |
subject_GND | (DE-588)4274324-2 (DE-588)4330656-1 (DE-588)4293034-0 |
title | Mechanics of user identification and authentication fundamentals of identity management |
title_short | Mechanics of user identification and authentication |
title_sort | mechanics of user identification and authentication fundamentals of identity management |
title_sub | fundamentals of identity management |
url | http://bvbr.bib-bvb.de:8991/F?func=service&doc_library=BVB01&local_base=BVB01&doc_number=015736001&sequence=000001&line_number=0001&func_code=DB_RECORDS&service_type=MEDIA |
work_keys_str_mv | AT todorovdobromir mechanicsofuseridentificationandauthenticationfundamentalsofidentitymanagement |