Still having trouble with a few things after moving through the third round of going through questions. Wait, maybe that was the 4th. Yeah, the 4th. Also, this took about 3 days to write I think? Maybe longer. Wait, I might have started on Wed night. Anyway, as I was saying on twitter:
So, I still have a some learning to do. I can honestly say that this is a lot more work that I realized it would be however I think in the end it will be worth it. It’s one cert but hopefully employers realize what all goes into it and how much you have to know going into the test. Tonight im going back over some authentication stuff. While I’m starting to get the hang of how some of it works, I’m not quite the expert that I would like to be before even thinking about taking the test. In addition with cloud computing being what it is these days, authentication, encryption and hashing is going to become more and more important as more sensitive data goes out of a firewall and through a VPN tunnel to connect to Azure or AWS hardware. Another note, as MSFT has done away with the Server certification program for 2019 I’m personally hoping that they move newer editions to being an Azure only based function because for Systems Admin types or (hopefuls, in my case) its frustrating to think that we may be required to understand Windows Server for Azure but also understand how AWS works incase a company goes off prem and decides to go with Amazon for hosting. I understand using AWS for web servers but its an administrative nightmare for anyone actually invested in MSFT tech in the IT job market.
Anyway, lets get into some questions.
This one was a tough one for me and I’m not sure why it took me this long to blog it however I found SSL Authority to be quite helpful. There are variables to this and I can pretty much promise ill be expected to know all of this and here is the important part
What information can be gathered from an SSL Certificate Consumers have access to a lot of information related to TLS/SSL certificates right in their browsers. While not all consumers are terribly interested in the in-depth information available at the click of a mouse, it is important to be aware of what public details are discoverable through an SSL certificate.
- Issuing certificate authority (CA)
- Validity period (as well as certificate revocation list, or CRL, data)
- Domain it was issued to
- Company operating the website
- Key usage
- Info on algorithms and hash-based cryptography
I’m kind of surprised to see the words ‘OID’ not specifically mentioned and that algorithms and hashes are. So now we have to figure out what they mean by OID: Object Identifiers (OID) in PKI
From the website:
You can also run this PowerShell command:
“Get-ADObject (‘CN=OID,CN=Public Key Services,CN=Services,’+(Get-ADRootDSE).configurationNamingContext) -Properties msPKI-Cert-Template-OID”
This is the output from one of my labs:
DistinguishedName: CN=OID,CN=Public Key Services,CN=Services,CN=Configuration,DC=Contoso,DC=org msPKI-Cert-Template-OID : 220.127.116.11.4.1.318.104.22.16825710.4393146.2181807.13924342.9568199.8
Now thats really confusing but if you look at the output we see a GUID for the certificate and the issuing authority being, im assuming, Public Key Services and the domain it was issued to being Contoso.org with a GUID of, that big long number. How they are pulling hashing and encryption info out of that, I’m still not sure and I’m hoping to not see it on the test because that is a pretty large rabbit hole. So for now, I’ve got this question down of an OID that is an entire wheelhouse of things. It does seem like it would have info on the CSR like date of request and a validity period but it does not appear to have that per this PS information but according to the info from SSL authority you can but their website isn’t great. However, with this, SSL and SSL Certificates Explained For Beginners, we are really getting somewhere however it still isn’t showing what’s supposed to be on an SSL/TLS cert when you view it. Thankfully, I found this from Global Sign on a functioning website that’s actually helpful: How to View SSL Certificate Details in Each Browser and What You Can Learn and it goes through several types of browsers and was to view the info that is much easier to view than looking at fucking Powershell output and ill give you that its fun to look at but its not really helpful in the real world.
I mean, I could memorize it and say its the top three but that’s not exactly helpful for a host of reasons. The other part about this is that I probably covered this before. Wow, The more time I spend with this the more I realize that Security+ is just as hard as my first MCSA. So anyway, this seems like a very important questions lets make a list here:
- S/MIME – allows you to digitally sign your emails to verify you as the legitimate sender of the message, making it an effective weapon against many phishing attacks out there. Does use a PKI
- TLS – for sure uses a PKI, there is no way to be confused about this one
- SFTP – This one is a little tricker to find info for but it can use SSL keys from a PKI: GoAnywhere Managed File Transfer supports the use of SFTP to secure, automate, and audit file transfers. You can authenticate users with a passwords and SSH keys, meaning you can choose one, the other, or both to satisfy your IT security requirements. With our SFTP client, you can also deliver and retrieve files from your SFTP server through an encrypted tunnel, transfer multiple encrypted files per connection, set up alerts for failed transfers, and more.
- SAML – so here is the thing with this one, it retains OAUTH credentials and passes it on as a SSO data and OAUTH supports SSL Certificates from a PKI
- SIP– this is a voip protocol and the only way to secure it is basically running it through a VPN
- IPSec – this is basically a VPN and there is a ton of information about this out there. It seems like it can use SSL but naitvely the key pairs are between machines that have them rather than needing to issue a CSR
- Kerberos – uses a KDC to authenticate each user and is a slightly different thing than a PKI as this is authenticating communication between two machines rather than being just use a token granting access to a network for user.
Wow, that was a lot of information and I’m slowly realizing how much stuff I’m missing out on by not chasing down all these rabbits however I can say that I do appreciate using a learning curve to slowly gain a complete picture rather than try to grasp everything at once about a singular subject.
All right, welp, Im not getting this post done tonight but lets move on to the next question.
I covered this in a previous post but I wanted to again, state which of the variables that the answers worked with:
- LDAP – Mutual authentication = No | SSO = (not by its self link) | Smart Cards = not a definite answer but appears to be a no|
- NTLM – Mutual authentication = no | SSO = no | Smart Cards = | yes Discover how smart cards work
- Kerberos – Mutual authentication = yes | SSO = yes | Smart Cards = yes |
- MSCHAP – Mutual authentication = yes | SSO = no | Smart Cards = no |
Ok, that was the most time I’ve spent on any single item so far but I have to say that all the reading was worth it because I understand all of the protocols listed much better.
I’m not sure that this is really makes any sense. If the PC’s are set up on a domain and it can’t connect to the domain on older versions of windows it may have issues. Logon certificate issues seems odd though. I searched for specifics and I couldn’t find a thing.
My worry here is not what uses TLS but what the other ones use and on top of that, I find PEAP confusing at this point! So lets start with some info on PEAP.
I’m going to start by digging through websites and this one: protocol/EAP PEAP I found particularly helpful, stating:
Ultimately, PEAPv0/EAP-MSCHAPv2 is the only form of PEAP that most people will ever know. PEAP is so successful in the market place that even Funk Software, the inventor and backer of EAP-TTLS, had no choice but to support PEAP in their server and client software for wireless networks.
The quest continues though because I really have got to nail down all of these protocols and I found some helpful info in this: Very confused on authentication concepts : EAP, PEAP, EAP-MSCHAPv2
- 1) EAP is basically a framework and is used as transport the authentication protocol. Can be used for wireless and wired networks. It is NOT an authentication method on its own. So you can authenticate as you want, password, MD5, certificates, biometric….
- 2) If you use EAP-MSCHAPv2, it means that your clients doesn’t need to have a certificate, but your authentication server (NPS) has a certificate. Passwords from the clients are send using hashes to the authentication server. To protect these password hashes being send over the network, you can use PEAP which act as a TLS/SSL tunnel to protect the authentication traffic.
- 3) Only the authentication server (NPS) needs a certificate. EAP-MSCHAPv2 is a password based authentication method.
- 4) You can use PEAP-EAP-MSCHAPv2 which uses a certificate on the authentication server (NPS) and a password for clients. You can use PEAP-EAP-TLS which use a certificate on the authentication server and a certificate on the client. PEAP is used to protect to authentication traffic.
I also found this interesting Configuring RADIUS Authentication with WPA2-Enterprise:
- Example RADIUS Configuration (Windows NPS + AD)
- The following example configuration outlines how to set up Windows NPS as a RADIUS server, with Active Directory acting as a userbase:
- Add the Network Policy Server (NPS) role to Windows Server.
- Add a trusted certificate to NPS.
- Add APs as RADIUS clients on the NPS server.
- Configure a policy in NPS to support PEAP-MSCHAPv2.
- (Optional for machine auth) Deploy PEAP-MSCHAPv2 wireless network settings to domain member computers using Group Policy
So so now we have learned a ton of info about PEAP and the thing that sucks about this is I’m going to keep going into this much detail on this stuff until I really get it down because given that I’ve been reading material thats 10 years old, there isnt exactly a rush to get this down before the next thing comes out. I also find it helpful and relevant. Anyway, lets check the wiki and get some highlights and from there and move on, for now. However, I want to take a closer look at radius and PEAP after this one.
Protected Extensible Authentication Protocol: Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.
PEAP is similar in design to EAP-TTLS, requiring only a server-side PKI certificate to create a secure TLS tunnel to protect user authentication, and uses server-side public key certificates to authenticate the server. It then creates an encrypted TLS tunnel between the client and the authentication server. In most configurations, the keys for this encryption are transported using the server’s public key. The ensuing exchange of authentication information inside the tunnel to authenticate the client is then encrypted and user credentials are safe from eavesdropping.
MS-CHAPv2 is an old authentication protocol which Microsoft introduced with NT4.0 SP4 and Windows 98. PEAPv0/EAP-MSCHAPv2 is the most common form of PEAP in use, and what is usually referred to as PEAP. The inner authentication protocol is Microsoft’s Challenge Handshake Authentication Protocol, meaning it allows authentication to databases that support the MS-CHAPv2 format, including Microsoft NT and Microsoft Active Directory. Behind EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world. There are client and server implementations of it from various vendors, including support in all recent releases from Microsoft, Apple Computer and Cisco. Other implementations exist, such as the xsupplicant from the Open1x.org project, and wpa_supplicant. As with other 802.1X and EAP types, dynamic encryption can be used with PEAP. A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of MS-CHAPv2 handshakes. Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks making them feasible with modern hardware
It turns out that looking for PEAP and Radius info is kind of sketchy. As I understand it though you set up a Radius server, NAP server in Windows, set the access points to Radius clients and verify the machines on the back end. Not sure at this point if a local certificate is required or installed by GP based on MAC or how that works. Anyway, I’m now looking at this 802.1X Overview and EAP Types:
EAP-TLS (Transport Layer Security) provides for certificate-based and mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys to secure subsequent communications between the WLAN client and the access point. One drawback of EAP-TLS is that certificates must be managed on both the client and server side. For a large WLAN installation, this could be a very cumbersome task.
PEAP (Protected Extensible Authentication Protocol) provides a method to transport securely authentication data, including legacy password-based protocols, via 802.11 Wi-Fi networks. PEAP accomplishes this by using tunneling between PEAP clients and an authentication server. Like the competing standard Tunneled Transport Layer Security (TTLS), PEAP authenticates Wi-Fi LAN clients using only server-side certificates, thus simplifying the implementation and administration of a secure Wi-Fi LAN. Microsoft, Cisco, and RSA Security developed PEAP.
TLS, while very secure, requires client certificates to be installed on each Wi-Fi workstation. Maintenance of a PKI infrastructure requires additional administrative expertise and time in addition to that of maintaining the WLAN itself.
So, if you use TLS then you have to find a way to push WEP keys to workstations. Which is generally done by deploy PEAP-MSCHAPv2 and then pushing them via AD. So that’s confusing. Ok, I’m moving on at this point because I have spent a lot of time on this, no promises that I wont come back to it. Anyway, here’s a link from a vendor I found helpful: How To Set Radius Server (NPS) When Using WPA-EAP, WPA2-EAP Or WPA2-AUTO-EAP
To be honest though, I’m walking away from this which a much clearer understand of each of those things, so I guess, goal accomplished?
You may have realized that I just spend a ton of time, like 3 days in fact, reading about PEAP which is a rabbit hole of other stuff and I haven’t been on an adventure hunt like that in a long time. Looking at this one now, and realizing what we learned previously with:SAML – so here is the thing with this one, it retains OAUTH credentials and passes it on as a SSO data and OAUTH supports SSL Certificates from a PKI
And realizing exactly what the other stuff does, OAUTH is the only thing that makes sense at all.
I got this one right but I wanted to go over each authentication type and what kind of key exchanges each one is using. You know, lets start with basics here because I really got up and running pretty fast on some of this stuff and this might be helpful: Hashing Algorithms
Ok so, that only covers SHA-2 and that’s not really helpful but it does have links and I’m going to dig through those and I didn’t find any thing super helpful so lets dive into these individually. There is one other thing that I would like to find some basic info on to cover a fuckin gin, asymmetric vs symmetric keys because I don’t really understand it: Symmetric vs. Asymmetric Encryption – What are differences?
I still don’t understand the diagram on the asymmetric system because it looks like the two keys just bump into each other and magic happens. Which has been my issue since I really started reading about such things but in any case there is still a pair of keys. Maybe more, im not really sure haha but it looks like it still somehow is sending a private key? I know its not because it has to be on a server but where does it come from. Anyway, this link: Symmetric Encryption, Asymmetric Encryption, and Hashing is also helpful but maybe I can find another answer as to ‘where do babies come from’
I found this to be helpful: A Deep Dive on End-to-End Encryption: How Do Public Key Encryption Systems Work? but I would still like to walk through the who process so lets try and find an example of a RSA key gen situation: ssh-keygen – Generate a New SSH Keyok, now this suddenly makes sense, you have to generate keys to use, create a file that has an associated password and they don’t simply randomly appear on a server that has a signed PKI certificate from like godady or something. However that does add an additional layer of complications. I think I’ll eventually get this sorted though
- RSA – A user of RSA creates and then publishes a public key based on two large prime numbers, along with an auxiliary value. The prime numbers must be kept secret. Anyone can use the public key to encrypt a message, but only someone with knowledge of the prime numbers can decode the message. Breaking RSA encryption is known as the RSA problem. Whether it is as difficult as the factoring problem is an open question. There are no published methods to defeat the system if a large enough key is used. So its asymmetric
- 3DES – Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standard’s (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. However, an adapted version of DES, Triple DES (3DES), uses the same algorithm to produce a more secure encryption. So 1 key that is passed with the file with varying degrees of hashing associated, as I understand it. I added a link that’s pretty in depth beyond what the wiki pages offers but im still not certian I understand the key exchange as its not symmetric or asymmetric
- DSA – DSA algorithm works in the framework of public-key cryptosystems and is based on the algebraic properties of modular exponentiation, together with the discrete logarithm problem, which is considered to be computationally intractable. The algorithm uses a key pair consisting of a public key and a private key. The private key is used to generate a digital signature for a message, and such a signature can be verified by using the signer’s corresponding public key. The digital signature provides message authentication (the receiver can verify the origin of the message), integrity (the receiver can verify that the message has not been modified since it was signed) and non-repudiation (the sender cannot falsely claim that they have not signed the message). So its symmetric and the definition does help to clear up information around the issues of key exchanges
- SHA-2 – is considered symmetric
I hate these things and have trouble remembering them so lets define them
- ALE – Annualized loss expectancy
- ARO – Annual Rate Of Occurrence
- SLE – Single Loss Expectancy
- ROI – Return on Investment
- RPO – Recovery Point Objective
- RTO – Recovery Time Objective
Once you realize what they stand for and are creative enough to look at the letters and figure it out its super easy haha
Man, I don’t remember the last time I did this much research for one post. This took several days and I learned a ton. Do I remember every thing in this. Not sure but I think so? Anyway, that’s all for now and im sure that there will probably be more on encryption/hashing/authentication to come.