This is the next part of the 5 questions that one of which took about a week to do and I still feel like I should go back over the authentication portion of the AES modes but ill get to that. I mean, it was basically a post on one topic which I haven’t really done since my 2012 MCSA and I enjoyed it. It took along time but I had fun. Which I suppose its more fun to act like a weird teenager than study? Am I, the weird one here? Not sure. So here we go,
So at this point, not a lot of questions for me on this because SHA is basically good for almost everything but I’m not real sure on what the hell RC4 is or why HMAC is bad for TLS certificates and I would like to know. I would also like to know what version of SHA works with this. Yes, I realize I’m drilling down at this point but to be honest, I would really like to pass this test and beyond that I think learning is fun and it seems to provide for some manor of social security in the form of being employable.
Ok so the first one RC4 was developed in 1987 (making it older than MD5 which was introduced in 1991) and no longer is acceptable for use basically anywhere (RC4 cipher is no longer supported in Internet Explorer 11 or Microsoft Edge) and should be generally avoided.
Now moving on to HMAC and while looking for info I came across this OWASP doc about TLS that looks really handy Overview of TLS v1.3
Anyway, back to TLS, x.509 certs and HMAC/SHA. Now, it looks like this doesn’t apply to TLS 1.3 but 1.2 and older does use HMAC-SHA for data integrity and that’s basically the only info I can find. the Data Integrity grab is from the wiki on TLS and the other one on validataing an intermdeiate certificate (different from data validation, I think?) is from the X.509 Certificate wiki
Either way, encryption and hashing is a weird thing and I get that SHA is the answer even though there are not very clearly defined parameters as to why.
This seems tricky because you think a certificate has to be signed by a public CA so you want to pick that and when looking around I’m not finding any info on other types of certificates that public CAs offer. For example, poking around the GlobalSign website, I find no info on anything and it would appear they are all X.509. Its also worth noting that an X.509 certificate is checked when accepted by the end users browser by the public signing authority so a private CRL isn’t necessary. This is different from Kerberos in that you have to have an internal KDC to validate authentication. Honestly, I should get more into understanding token generation and so forth in Kerberos for me to fully understand that but its mentioned on the wiki for CRL. So the answers wording is a little tricky but haha at the end of the day an x.509 cert and TLS is the most modern security for info exchange that a website can offer.
This one, I’m obviously completely unclear on but lets give it a go as to explaining this. This isnt AES or TLS but rather internal validation when connecting to a WAP.
Lets start with the basics this is an IAS server, better read up on that, ok so its a Windows Server configured as an NPS server with Radius on it. The thing that gets confusing here is that the correct answer is always the last one for some reason. Like I think EAP and PEAP are set up on the NPS are the MSCHAP is set up on the WAP. This answer is actually very clear and in a document on MSFT DOCs. Deploy Password-Based 802.1X Authenticated Wireless Access
EAP, PEAP, and PEAP-MS-CHAP v2
Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) by allowing additional authentication methods that use credential and information exchanges of arbitrary lengths. With EAP authentication, both the network access client and the authenticator (such as the NPS) must support the same EAP type for successful authentication to occur. Windows Server 2016 includes an EAP infrastructure, supports two EAP types, and the ability to pass EAP messages to NPSs. By using EAP, you can support additional authentication schemes, known as EAP types. The EAP types that are supported by Windows Server 2016 are:
- Transport Layer Security (TLS)
- Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
Strong EAP types (such as those that are based on certificates) offer better security against brute-force attacks, dictionary attacks, and password guessing attacks than password-based authentication protocols (such as CHAP or MS-CHAP version 1).
Protected EAP (PEAP) uses TLS to create an encrypted channel between an authenticating PEAP client, such as a wireless computer, and a PEAP authenticator, such as an NPS or other RADIUS servers. PEAP does not specify an authentication method, but it provides additional security for other EAP authentication protocols (such as EAP-MS-CHAP v2) that can operate through the TLS encrypted channel provided by PEAP. PEAP is used as an authentication method for access clients that are connecting to your organization’s network through the following types of network access servers (NASs):
- 802.1X-capable wireless access points
- 802.1X-capable authenticating switches
- Computers running Windows Server 2016 and the Remote Access Service (RAS) that are configured as virtual private network (VPN) servers, DirectAccess Servers, or both
- Computers running Windows Server 2016 and Remote Desktop Services
PEAP-MS-CHAP v2 is easier to deploy than EAP-TLS because user authentication is performed by using password-based credentials (user name and password), instead of certificates or smart cards. Only NPS or other RADIUS servers are required to have a certificate. The NPS certificate is used by the NPS during the authentication process to prove its identity to PEAP clients.
This guide provides instructions to configure your wireless clients and your NPS(s) to use PEAP-MS-CHAP v2 for 802.1X authenticated access.
So anyway, you you have to put MS-CHAP on the access point and the back end framework of EAP-PEAP handles the rest.
All right, well I think thats all for tonight. Wait, no theres one more.
My first thought when I look at my answer is that EPA-TLS doesn’t really make any sense. Lie I’m not sure that’s a real thing. Like it seems like more stuff should be involved that simply EAP rolled into TLS, which should use an x.509 certificate and how are you verifying that? Anyway, there’s a MSFT article Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS and it looks like the kicker is with TLS the certificate is stored locally on the machine and with EAP-PEAP that they are calling PEAP, its on the server and tied to an AD account.
Ok, so that really is all for the night. I learned a lot and I feel like I’m finally making headway on this stuff and learning information that I can use to answer questions that are not covered on this pretest and I have a feeling that will be most of the questions on the actual test. Now lets hope I hear something positive back from that interview because things are kind of crazy with my current employer due to virus concerns. Great time to be looking for a job with the economy tanked but I’m sure I’ll be ok either way. If not good old nihilism kicks in.