UoPX Advanced Cybersecurity Certification
Implementing Identity Management
Centralized Access Control
o Implies that all authorization verification is performed by a single entity within a system
o Requires only a small team; administrative overhead is lower because all changes are made in a single system
Decentralized Access Control
o Distributed: various entities throughout the system perform authorization verification
o Requires multiple teams/individuals; administrative overhead is higher because changes must be made across numerous systems
SSO - Single Sign-On
o A centralized access control technique that allows a subject to authenticate once to a system and then access multiple resources
o Convenient for users and increases security
o Users don't have to remember multiple user IDs/passwords
o Reduces the number of accounts a subject needs across multiple devices
LDAP and Centralized Access Control
o A directory service is a centralized database that holds information about subjects and objects
o LDAP is the Lightweight Directory Access Protocol
o Subjects authenticate to the directory service
o Multiple domains/trusts are used
o A security domain is a collection of subjects and objects that share a common security policy
o Individual domains can operate separately
o Trusts are established between domains to create a security bridge
    Can be one-way or two-way
LDAP and PKIs
Information Security – Cybersecurity Notes
o A Public Key Infrastructure (PKI) uses LDAP when integrating digital certificates into transmissions
o LDAP and centralized access control systems can be used to support SSO capabilities
Kerberos - a ticket-based authentication mechanism that employs a trusted third-party entity to prove identification and authentication
o Key Distribution Center (KDC)
    Trusted third party that provides authentication services
    Uses symmetric key cryptography to authenticate
    Clients and servers are registered in the KDC, which maintains their secret keys
o Kerberos Authentication Server
    The authentication server hosts the functions of the KDC
    Made up of a ticket-granting service (TGS) and an authentication service (AS)
    The AS verifies or rejects the authenticity and timeliness of tickets
o Ticket-Granting Ticket (TGT)
    Provides proof that the subject has authenticated through a KDC and is authorized to request tickets
    Encrypted; includes a symmetric key, an expiration time, and the user's IP address
o Ticket
    An encrypted message that provides proof that the subject is authorized to access an object
    Also known as a service ticket
o Logon Process
    User types a username/password into the client
    Client encrypts the username with AES for transmission to the KDC
    KDC verifies the username against a database of known credentials
    KDC generates a symmetric key that will be used by the client and the Kerberos server
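The ticket flow described in these notes (AS exchange, TGT, TGS exchange, service ticket), as an added Python simulation that is not part of the course notes or of any real Kerberos implementation. It assumes a toy authenticated cipher built from SHA-256 and HMAC as a stand-in for Kerberos' AES, the constructed principals "alice" and "fileserver", and that the client already holds its own long-term key (real Kerberos derives it from the password); the KDC checks the TGT's authenticity, expiry and IP binding before issuing a service ticket.

```python
import hashlib, hmac, json, os, time

# Toy authenticated cipher standing in for Kerberos' AES (illustration only, not for real use):
# SHA-256 counter-mode keystream XORed with the plaintext, then an HMAC tag over nonce+ciphertext.
def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("ticket was forged, tampered with, or sealed under another key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Trusted third party holding every registered principal's secret key (constructed sample principals)."""
    def __init__(self):
        self.keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
        self.tgs_key = os.urandom(32)  # known only to the KDC; seals TGTs so clients cannot forge them

    def authenticate(self, user, client_ip, ttl=600):
        """AS exchange: return (session key sealed for the user, TGT sealed for the TGS)."""
        sk = os.urandom(32).hex()
        tgt = {"user": user, "sk": sk, "ip": client_ip, "exp": time.time() + ttl}
        return seal(self.keys[user], {"sk": sk}), seal(self.tgs_key, tgt)

    def issue_ticket(self, tgt_blob, service, client_ip, now=None):
        """TGS exchange: check TGT authenticity, timeliness and IP binding, then issue a service ticket."""
        tgt = unseal(self.tgs_key, tgt_blob)  # raises ValueError on a forged or altered TGT
        if tgt["exp"] < (now or time.time()):
            raise PermissionError("TGT expired; client must re-authenticate")
        if tgt["ip"] != client_ip:
            raise PermissionError("TGT presented from a different address than it was issued to")
        return seal(self.keys[service], {"user": tgt["user"], "sk": tgt["sk"], "exp": tgt["exp"]})

def logon_and_access(kdc, user, service, client_ip, now=None):
    """Client side of the flow; the service unseals the ticket with its own key and re-checks expiry."""
    sealed_sk, tgt = kdc.authenticate(user, client_ip)
    sk = unseal(kdc.keys[user], sealed_sk)["sk"]  # only the holder of the user's key recovers the session key
    ticket = kdc.issue_ticket(tgt, service, client_ip, now)
    svc = unseal(kdc.keys[service], ticket)       # service never sees the user's password or long-term key
    return svc["user"] if svc["sk"] == sk and svc["exp"] >= (now or time.time()) else None
```

Flipping a single byte of the TGT, presenting it from another IP address, or presenting it after its expiry time all cause the KDC to refuse a service ticket.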