WEBVTT

00:00.240 --> 00:04.650
The process of authentication requires, believe it or not, a lot of encryption.

00:04.650 --> 00:06.250
Now think about this for a minute.

00:06.540 --> 00:11.610
Let's come up with a very simple scenario. Let's say I've got some little client system and I'm wired

00:11.610 --> 00:16.620
over to some kind of server system, so if I want to actually authenticate to this guy I'm going to have

00:16.620 --> 00:18.750
to pass it, again, keep it simple here.

00:18.960 --> 00:20.610
Let's just go with the username and password.

00:20.610 --> 00:26.730
So if I don't have any form of encryption, just the process of getting authenticated to this server thing

00:26.730 --> 00:32.880
over here means I'm going to be passing a username and password along my wire, or wireless, or whatever

00:32.880 --> 00:34.530
it might be, in the clear.

00:34.530 --> 00:40.170
I mean, it would be really easy for a bad guy to intercept this and to get my username and password, which

00:40.170 --> 00:47.220
is what we call a bad thing in this business. So when we talk about authentication, over the years there

00:47.220 --> 00:53.610
have been a number of different ways to do authentication which encrypt or protect the credentials of

00:53.610 --> 00:55.530
the person who's trying to be authenticated.

00:55.530 --> 01:00.540
So what I want to do in this episode is kind of do a march through of the different types of authentication

01:00.540 --> 01:02.230
methods we've seen over the years.

01:02.280 --> 01:05.880
There are some very old ones which are on the Security+, so we've got to know them, but I'm going

01:05.880 --> 01:11.970
to take it all the way up to the most modern authentication method. So let's go through this one authentication

01:11.970 --> 01:12.900
at a time.

01:12.960 --> 01:18.930
The first type of authentication method I want to talk about is Password Authentication Protocol, or

01:18.930 --> 01:19.880
PAP.

01:19.980 --> 01:26.670
PAP is, well, the oldest authentication method that's both on the Security+ and, well, it's the oldest

01:26.670 --> 01:28.990
one I ever used, and I'm old.

01:29.010 --> 01:34.020
So anyway, PAP is pretty easy. So what I've got here in front of me is I've got a client system and I've

01:34.020 --> 01:35.310
got a server system.

01:35.370 --> 01:41.000
So what I want to do here is I want to get authenticated. PAP is disturbingly easy. With PAP,

01:41.010 --> 01:45.660
all I do is I send my username and password in the clear.

01:45.660 --> 01:51.260
PAP is not anything that we use anymore; however, make sure you know it for Security+.

01:51.270 --> 01:57.540
Next I want to talk about Challenge Handshake Authentication Protocol, or CHAP.

01:57.660 --> 02:01.530
Now CHAP is also a very old authentication protocol.

02:01.560 --> 02:08.340
In fact it is the first authentication protocol that was used within the PC world to perform some form

02:08.340 --> 02:11.320
of protection to the authentication process.

02:11.340 --> 02:17.280
So to watch CHAP in action, what I have here again is my client system and my server system, and this

02:17.280 --> 02:19.930
client system wants to authenticate to the server system.

02:20.100 --> 02:24.000
So again, just keep it to usernames and passwords, because that's really all CHAP could do.

02:24.210 --> 02:30.570
First you need to understand that the server and the client already have a password stored in them; there's

02:30.570 --> 02:33.000
a key on each one of these devices.

02:33.150 --> 02:39.000
So when he wants to authenticate, the first thing he does is send a "hey, may I authenticate?" message over

02:39.000 --> 02:39.990
to the server.

02:40.020 --> 02:44.570
Now the server hears that message, and what he does, because he has the key,

02:44.580 --> 02:47.510
is he then takes and creates a challenge message.

02:47.500 --> 02:51.510
Now he won't send these, because sending the key in the clear would be a bad idea.

02:51.550 --> 02:59.760
But what he does instead is he creates a hash of these two values and then sends the hash along with

02:59.760 --> 03:02.490
the challenge message over to the client.

03:02.490 --> 03:06.200
Now the client, because he has the key, is able to put it all back together.

03:06.330 --> 03:08.250
He can generate that hash.

03:08.250 --> 03:14.220
So he'll go ahead, generate that hash, send it back to the server, and the end result of this is just by

03:14.220 --> 03:15.520
comparing hashes.

03:15.570 --> 03:19.250
They can confirm whether they have the same key or not.

03:19.260 --> 03:22.290
Now the beautiful part of CHAP is that no passwords are being passed.

03:22.290 --> 03:24.100
It's really just hashes.

03:24.180 --> 03:30.210
So there are small problems with it, but in general CHAP has been around for a long time and we still

03:30.210 --> 03:32.430
see it used in a few situations.

03:32.430 --> 03:37.890
Next is NT LAN Manager, and NT LAN Manager has been around,

03:37.900 --> 03:44.550
well, pretty much as long as there's been authentication in Windows. Now NT LAN Manager isn't used in

03:44.550 --> 03:48.690
the more advanced Windows authentication methods; that's Kerberos, which we're going to be talking about

03:48.690 --> 03:55.040
here shortly, but we still use NT LAN Manager when we're having two Windows systems in a workgroup

03:55.050 --> 03:59.460
that are logging into each other. So as long as you don't have a domain controller, even the most modern

03:59.460 --> 04:06.180
version of Windows still does NT LAN Manager. Oh, and by the way, we're up to NT LAN Manager version

04:06.210 --> 04:06.600
two.

04:06.600 --> 04:09.120
So let's watch this take place.

04:09.210 --> 04:12.090
Now if you were watching CHAP, this is going to look really kind of similar.

04:12.090 --> 04:15.070
So here we have our client and here we have a server.

04:15.150 --> 04:18.960
Now in this case the key is going to be these red blocks.

04:18.960 --> 04:25.110
Now what we want to do is authenticate this client to that server but we don't want to pass our key

04:25.110 --> 04:25.800
out in the clear.

04:25.800 --> 04:30.750
So what we're going to do is we're going to start an initial "hello, hello" kind of thing and make sure

04:30.840 --> 04:35.700
each person is there, and what we're going to do, it's a little bit different this time, is that each side

04:35.700 --> 04:42.740
is going to have a challenge message, and then that challenge message is then hashed, and now we have

04:42.830 --> 04:48.860
each side challenging the other side, and through some pretty interesting mathematical mumbo jumbo you

04:48.860 --> 04:54.200
can actually generate the key and verify that we have the same key going through that process itself.

04:54.350 --> 05:00.650
So NT LAN Manager really is kind of like double CHAP, where we have both the client and the server

05:00.650 --> 05:02.210
authenticating with each other.

05:02.210 --> 05:07.070
Now let's talk about the famous Kerberos authentication protocol.

05:07.160 --> 05:14.060
Kerberos is a very interesting authentication method because it's really only used in one place and

05:14.060 --> 05:17.930
that is authenticating to Windows domain controllers.

05:17.930 --> 05:20.220
So that means a lot of people use it.

05:20.240 --> 05:25.460
So even though it's pretty much only used by Microsoft to log on to domain controllers, the widespread

05:25.460 --> 05:32.540
popularity of Windows domain networks means just about all of us use Kerberos. So let's watch Kerberos

05:32.540 --> 05:33.400
in action now.

05:33.590 --> 05:35.900
First of all what I have here are three computers.

05:36.020 --> 05:41.920
Here's my client computer, and this is just a file server; it's got some folders I want access to.

05:42.050 --> 05:45.200
But here in the middle is a domain controller.

05:45.200 --> 05:51.920
Now when we're talking Kerberos the domain controller is known as the KDC or the key distribution center.

05:52.100 --> 05:56.610
But within that domain controller there are really two main functions.

05:56.690 --> 06:01.070
There's the authentication service and then there's the ticket granting service.

06:01.070 --> 06:07.730
Now these guys are listening in on TCP and UDP port 88, listening for Kerberos stuff to happen.

06:07.720 --> 06:14.060
So let's watch this take place. Now the first thing I do when I come in the morning is I log into the

06:14.060 --> 06:20.930
domain on my computer, so when I do my initial login I will go through and do a nicely encrypted hash

06:21.000 --> 06:21.780
login.

06:21.920 --> 06:28.540
But once that login takes place, the authentication service then provides me this little guy.

06:28.580 --> 06:31.970
This is a ticket granting ticket.

06:31.970 --> 06:40.070
The TGT shows that I am authenticated to the domain and I'm not authorized yet but I'm authenticated

06:40.070 --> 06:41.030
to the domain.

06:41.040 --> 06:48.070
Now if you're a Windows person, this TGT has a more common name; we call it the SID, or security identifier.

06:48.230 --> 06:52.790
And anybody who works on Windows systems has probably seen the SID; when you have, you've actually seen the Kerberos

06:52.910 --> 06:53.590
TGT.

06:53.600 --> 06:54.630
Pretty cool huh.

06:55.100 --> 06:55.530
All right.

06:55.640 --> 07:00.020
So I'm authenticated to the network but I'm not authorized to any resources.

07:00.110 --> 07:06.320
So if I actually want to get to something what I'll do is I'll take my TGT and I will take it back to

07:06.320 --> 07:07.560
the domain controller.

07:07.610 --> 07:13.970
But in this case I'm going over to the ticket granting service. Now the ticket granting service knows

07:14.180 --> 07:18.320
what I'm allowed to access all over the domain so he'll take this.

07:18.330 --> 07:19.980
I keep a copy for myself.

07:20.180 --> 07:24.710
He'll take this and he will generate me a session key.

07:24.710 --> 07:28.330
So this session key actually works through the server as well.

07:28.400 --> 07:32.800
The session key allows me to access one particular set of resources.

07:32.810 --> 07:36.170
So for me to access one server I'll have a session key.

07:36.170 --> 07:41.270
Now if I need to go anywhere else on the domain I'm going to have to go through this process again and

07:41.270 --> 07:43.810
a new session key is derived every time.

07:43.810 --> 07:47.540
So these are the basics of how Kerberos works.

07:47.570 --> 07:48.710
It's really pretty cool.

07:48.710 --> 07:52.830
The last thing I'd like to talk about is Security Assertion

07:52.880 --> 07:58.040
Markup Language and Lightweight Directory Access Protocol.

07:58.040 --> 08:04.240
Now the Security Assertion Markup Language and the Lightweight Directory Access Protocol, well, they're

08:04.250 --> 08:10.220
not really authentication methods, but they tie in so closely that I feel that this is the right place

08:10.220 --> 08:12.760
to talk about them, so let's go through them real quick.

08:12.770 --> 08:21.070
First, the Security Assertion Markup Language, better known as SAML, is used exclusively for web applications,

08:21.080 --> 08:27.200
so if you're developing a web application and you want people to be able to log into that application,

08:27.650 --> 08:31.010
this is what you use. SAML is an incredibly powerful tool.

08:31.100 --> 08:36.560
And if you've ever logged into almost any web application there's a good chance you've already used

08:36.560 --> 08:38.180
it and you didn't even know it.

08:38.920 --> 08:45.630
The other one is Lightweight Directory Access Protocol, better known as LDAP. When you're authenticating

08:45.630 --> 08:46.450
to something,

08:46.530 --> 08:53.110
there's usually some process where somebody has to access someone else's directory.

08:53.130 --> 08:59.910
Now in Windows we have Active Directory, but we see this all over the place. So LDAP isn't really authentication

08:59.940 --> 09:06.210
but more of a structured language that allows one computer to go into somebody else's directory and

09:06.210 --> 09:09.530
query it and update it and do whatever it needs to do.

09:09.810 --> 09:12.480
So we see LDAP used a lot.

09:12.480 --> 09:19.620
In fact, the main process by which we access resources within Windows is based heavily on LDAP.

09:19.620 --> 09:22.210
Now the nice part about this is that's all you really need to know.

09:22.230 --> 09:28.350
Well, except for one more thing: LDAP uses TCP and UDP port 389.

09:28.350 --> 09:36.650
Make sure you know it for the test.
