1.
AAA(A): Introduction

2 hours

Explanation of the key tenets of AAA, as well as the elusive fourth "A": Auditing. Topics covered include:
- AAA broken down into its constituents: Authentication, Authorization and Accounting
- Auditing
- AAA deployments: Push
- AAA deployments: Pull
- AAA in roaming deployments
- Single Sign On
- Multi-Factor Authentication
- AAA elements and building blocks

2.
Cryptography: A primer

2 hours

Basic foundations of the cryptography used in AAA: symmetric and asymmetric encryption, and how both are turned into authenticators.
- Encryption algorithms: stream and block ciphers
- Hash functions
- Symmetric algorithms as authenticators (message authentication codes)
- Asymmetric (public-key) cryptography: Diffie-Hellman key agreement and RSA
- Asymmetric algorithms as authenticators (digital signatures)

3.
Legacy Authentication: UNIX

1 hour

Discussing the evolution of UNIX authentication, from the venerable /etc/passwd file, through the shadow file, culminating in NIS and PAM. Topics include:
- /etc/passwd: world-readable, DES-based crypt(3) hashes
- /etc/shadow: readable only by root, stronger password hashes
- Distributed authentication through YP/NIS
- Pluggable Authentication Modules (PAM)
- PAM modules: deployment and configuration
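An added illustration of the PAM stacking rules this module covers (constructed for this outline, not course material): the auth section of a hypothetical /etc/pam.d/sshd with a weak stack beside a hardened one. The file path, the deny/unlock thresholds and the module options are assumptions; check them against pam_unix(8) and pam_faillock(8) on the target distribution.

```text
# Weak: 'nullok' accepts accounts whose shadow password field is empty, and
# because pam_unix.so is 'sufficient', a success here ends the stack before
# anything further down can veto it.
auth    sufficient  pam_unix.so nullok
auth    required    pam_deny.so

# Hardened (assumed values): lock out after 5 consecutive failures for 15 minutes.
# preauth  - refuse already-locked users before asking for a password
# success=1 - on a correct password skip the 'authfail' line
# default=bad - on a wrong password record the failure and fall through
# authfail - count the failure and stop (die) immediately
# authsucc - reset the counter and finish with success
auth    required                 pam_faillock.so preauth silent deny=5 unlock_time=900
auth    [success=1 default=bad]  pam_unix.so
auth    [default=die]            pam_faillock.so authfail deny=5 unlock_time=900
auth    sufficient               pam_faillock.so authsucc deny=5 unlock_time=900
auth    required                 pam_deny.so

account required                 pam_unix.so
account required                 pam_faillock.so
```

The control flags are the point: 'sufficient' returns as soon as a module succeeds, so a permissive option on an early line (nullok) cannot be undone by later lines, whereas the bracketed form lets the stack route success and failure to different modules explicitly.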

4.
Legacy Authentication: Windows

1 hour

Discussing the evolution of Windows authentication, from the old and insecure LAN Manager protocols to NTLMv2. Topics include:
- The Windows Security Accounts Manager (SAM) database
- The Windows Registry
- Password hashing and storage
- The LAN Manager (LM) hash
- NTLM and NTLMv2
- NTLM over HTTP

Day 2

Explaining the ideas behind Kerberos V5 (RFC 4120, which obsoleted RFC 1510) and its Windows implementation. Topics include:
- Centralized security
- Kerberos Authentication Servers
- Tokens and Tickets
- Kerberos at the packet level
|
|
Explaining the need for centralized directories, and the implementations of DAP and LDAP, down to the packet level. Topics include:
- LDAP fundamentals
- RFCs 4510 through 4519 (the LDAP technical specification) and ITU-T X.500
- Accessing directories
- LDAP Tools
- LDAP at the packet level
- LDAP + Kerberos = Active Directory (AD)
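For the packet-level topic, an added example (not course material) that hand-encodes and decodes an LDAPv3 simple BindRequest (RFC 4511) in BER, the first message seen when a client authenticates to a directory. It makes the security point concrete: the password is an ordinary OCTET STRING, so without TLS (ldaps:// or StartTLS) anyone on the path reads it, and it classifies the bind as anonymous, unauthenticated (non-empty DN with empty password, which RFC 4513 says servers should reject) or name/password. The DN, password and message IDs are constructed.

```python
def ber_len(n: int) -> bytes:
    """BER definite length: one byte below 128, otherwise 0x80|count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big')
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's complement (extra leading byte if the top bit is set)."""
    n = max(1, (v.bit_length() + 8) // 8)
    return tlv(0x02, v.to_bytes(n, 'big', signed=True))


def encode_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage{ messageID, BindRequest{ version 3, name, simple [0] password } }."""
    bind = (ber_int(3)
            + tlv(0x04, dn.encode('utf-8'))          # LDAPDN is an OCTET STRING
            + tlv(0x80, password.encode('utf-8')))   # [0] simple: context-specific, primitive
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))   # 0x60 = [APPLICATION 0], constructed


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos and return (tag, value, next_pos); rejects indefinite
    lengths and anything that runs past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError('truncated element')
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError('unsupported or truncated BER length')
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    if pos + length > len(buf):
        raise ValueError('truncated element')
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(pkt: bytes) -> dict:
    tag, msg, end = _read_tlv(pkt, 0)
    if tag != 0x30 or end != len(pkt):
        raise ValueError('not a single LDAPMessage')
    tag, mid, p = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError('missing messageID')
    tag, op, _ = _read_tlv(msg, p)
    if tag != 0x60:
        raise ValueError('protocolOp is not a BindRequest')
    t1, ver, p = _read_tlv(op, 0)
    t2, name, p = _read_tlv(op, p)
    t3, auth, _ = _read_tlv(op, p)
    if (t1, t2) != (0x02, 0x04):
        raise ValueError('malformed BindRequest')
    if t3 != 0x80:                       # 0xA3 would be the SASL choice
        raise ValueError('not a simple bind')
    dn, pw = name.decode('utf-8'), auth.decode('utf-8')
    if not dn and not pw:
        mech = 'anonymous'
    elif not pw:
        mech = 'unauthenticated'         # RFC 4513 5.1.2: should be rejected by default
    else:
        mech = 'name/password'
    return {'message_id': int.from_bytes(mid, 'big', signed=True),
            'version': int.from_bytes(ver, 'big', signed=True),
            'name': dn, 'password': pw, 'mechanism': mech}


if __name__ == '__main__':
    # Constructed credentials; on the wire the password is plainly visible.
    req = encode_simple_bind(5, 'cn=admin,dc=example,dc=com', 's3cret')
    print(req.hex())
    print(decode_simple_bind(req))
```

Run the encoder against a real server only over TLS; the bytes it emits are exactly what a sniffer on an ldap:// port sees, and a server that accepts the 'unauthenticated' form will treat an attacker who knows only a DN as that user.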

6.
RADIUS and Diameter

2 hours

Explaining the authentication frameworks of the Remote Authentication Dial In User Service (RADIUS) and its successor, Diameter.
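RADIUS (RFC 2865) carries the user's password in the User-Password attribute, hidden only by XOR with an MD5 stream keyed by the shared secret and the 16-byte Request Authenticator, and it authenticates the server's reply with a Response Authenticator that is an MD5 over the reply plus the secret. The following is an added example, not course material, that builds an Access-Request, recovers the password the way a party holding the secret would, and verifies an Access-Accept while rejecting one built with the wrong secret. The secret, username and password are constructed; RFC 2865 publishes no test vectors, so the checks cover round-trip and tamper detection rather than fixed bytes.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def _attr(t: int, value: bytes) -> bytes:
    """Attribute = Type(1) Length(1, includes these two bytes) Value."""
    if len(value) > 253:
        raise ValueError('attribute value too long')
    return bytes([t, len(value) + 2]) + value


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to 16-byte blocks (at least one), then
    c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator."""
    if len(password) > 128:
        raise ValueError('password too long for User-Password')
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b'\x00')
    out, prev = b'', req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], keystream))
        out, prev = out + c, c
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password; trailing nulls are padding and are stripped."""
    out, prev = b'', req_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(c, keystream)), c
    return out.rstrip(b'\x00')


def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes; the Request
    Authenticator of an Access-Request is 16 random bytes."""
    req_auth = os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(secret, req_auth, password))
    return struct.pack('!BBH', ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes):
    attrs, p = [], 0
    while p < len(data):
        if p + 2 > len(data) or data[p + 1] < 2 or p + data[p + 1] > len(data):
            raise ValueError('bad attribute length')
        t, l = data[p], data[p + 1]
        attrs.append((t, data[p + 2:p + l]))
        p += l
    return attrs


def build_response(secret: bytes, code: int, request: bytes, attrs: bytes = b'') -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    ident, req_auth = request[1], request[4:20]
    head = struct.pack('!BBH', code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """A NAS accepts a reply only if its authenticator matches the request it sent."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack('!BBH', response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def demo():
    secret = b'testing123'                       # constructed shared secret
    req = build_access_request(secret, 7, b'alice', b'correct horse')
    attrs = dict(parse_attrs(req[20:]))
    recovered = reveal_password(secret, req[4:20], attrs[USER_PASSWORD])
    accept = build_response(secret, ACCESS_ACCEPT, req)
    forged = build_response(b'wrong-secret', ACCESS_ACCEPT, req)
    return recovered, verify_response(secret, req, accept), verify_response(secret, req, forged)


if __name__ == '__main__':
    print(demo())
```

Two practitioner caveats follow directly from the code: the password hiding is not encryption in any modern sense, since a captured request with a known or guessed password gives an offline dictionary attack on the shared secret, and the Response Authenticator is an unkeyed MD5 construction rather than a MAC. Both are why RADIUS should run only over a trusted path, RadSec (RADIUS over TLS) or with the Message-Authenticator attribute of RFC 2869 in use.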
The Extensible Authentication Protocol (EAP) and its authentication methods:
- Extending Authentication
- EAP-MD5
- EAP-TLS
- EAP and RADIUS interoperability
- PEAP
- EAPOL and IEEE 802.1X
