***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/syp-implementation/blob/main/README.md) >

## CompTIA Security+ - Course Material 2022
###### Topic: ``Identity Controls``
***

Course material for the ``CompTIA Security+`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Identity Controls](#a) <br/><br/>

- [Identity Provider](#b) <br/><br/>
    - [``IdP``](#b) <br/><br/>
- [Attributes](#c) <br/><br/>
- [Certificates](#d) <br/><br/>
    - [Tokens and Cards](#e) <br/><br/>
- [SSH Keys](#f) <br/><br/>
    - [Key-based Authentication](#g) 
<hr width="50%">

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Identity Controls
***

< [Table of Contents](#top) | [References](#references) >
<a id="b"></a>
***
###### Identity Provider - ``IdP`` - [Authentication as a Service] - [List Entities] - [SSO Applications] - [SAML - OAuth - OpenID Connect]
***

If an application is running on your local network, you probably have a pretty good idea of what users and what devices will be accessing that application, but if your application is running in the cloud you may not have that level of visibility into exactly who’s connecting. In those cases, you may want to control the identities through the use of an identity provider or ``IdP`` - a service that can vouch for who a person happens to be.

Can think of this as authentication as a service, because a third-party is providing this type of identity control.

This ``IdP`` is responsible for identifying and controlling users based on who the user might be and what devices they might be using - this is commonly used for cloud-based applications that need single sign-on or some other type of authentication, where it’s more useful to have a third-party provide that than to recreate and manage that process ourselves.

Fortunately, there are many standards available that can help with this identity control, including SAML, OAuth and OpenID Connect. 

< [Table of Contents](#top) | [References](#references) >
<a id="c"></a>
***
###### Attributes - [Identifier or Property of an Entity] - [Personal/Other Attributes] - [One or More Attributes can be Used] 
***

To understand a particular person’s identity we need to gather a number of attributes associated with that person - combining these attributes allows us to understand and identify a particular entity.

For example, common attributes you can associate with an individual working in your organization are their name, their email address, their phone number or their employee ID.

Could also add other attributes that might help with the identification, such as what department they belong to, their job title or what their mail stop might be.

We could use just one of these attributes to identify someone - for example, a name - but there may be cases where different employees have the same name. In those cases, we may want to add additional attributes such as an email address or phone number to be sure we know exactly who that user is.

< [Table of Contents](#top) | [References](#references) >
<a id="d"></a>
***
###### Certificates - [Digital Certificate] - [Bind ID of CA Owner to Public/Private Key] - [Requires existing PKI]
***

Can also take advantage of public key cryptography to identify who a person might be through the use of certificates - a digital certificate is assigned to a person or to a device and it allows us to confirm that the owner of that certificate is someone we can trust.

The certificate owner might also be able to perform other cryptographic functions with this certificate, for example, they can use this for encrypting data or to create digital signatures that can be trusted by a third-party. 

This type of identity control requires that we put in some type of Public Key Infrastructure or PKI, and this normally also includes a certificate authority or CA. The CA is the central trusted entity for all of these digital certificates, and the CA usually digitally signs these certificates when they’re deployed. 
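As an added example, not taken from the course notes: a throw-away PKI built with ``openssl`` in a temporary directory. It creates a CA, has the CA sign a certificate that binds the identity ``alice`` to a freshly generated public key, and then checks that the certificate verifies against the CA that issued it and not against an unrelated CA. The names ``corp-ca``, ``other-ca`` and ``alice`` are made up for the example, and ``openssl`` must be on the path.

```shell
#!/bin/sh
# Added example (not from the course notes): a throw-away PKI to show how a CA
# signs a certificate that binds an identity to a public key, and that the
# certificate only verifies against the CA that issued it. Every file lives in
# a temp directory; all names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: create a private key and a self-signed CA certificate.
# The CA's own certificate is what relying parties install as a trust anchor.
make_ca() {
    name="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" \
        -subj "/CN=$name" >/dev/null 2>&1
}

# issue_cert CA SUBJECT: generate a key pair for SUBJECT, build a signing
# request carrying SUBJECT's identity, and have CA sign it. The private key
# stays with SUBJECT; only the public key goes into the certificate.
issue_cert() {
    ca="$1"; subject="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$subject.key" -out "$WORK/$subject.csr" \
        -subj "/CN=$subject" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$subject.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -CAcreateserial \
        -out "$WORK/$subject.crt" >/dev/null 2>&1
}

# verify_cert CA SUBJECT: return 0 if SUBJECT's certificate chains to CA,
# non-zero otherwise. This is the check a server or client performs before
# trusting the identity in the certificate.
verify_cert() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# cert_subject SUBJECT: print the identity the CA bound into the certificate.
cert_subject() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/^subject=//'
}

# demo: run the whole flow and print what a relying party would see.
demo() {
    make_ca corp-ca
    make_ca other-ca
    issue_cert corp-ca alice
    echo "alice's certificate binds identity: $(cert_subject alice)"
    if verify_cert corp-ca alice; then
        echo "verifies against corp-ca (the issuer): yes"
    fi
    if verify_cert other-ca alice; then
        echo "verifies against other-ca (unrelated): yes"
    else
        echo "verifies against other-ca (unrelated): no"
    fi
}
```

Source the file and call ``demo`` to see the two verification results side by side; the second one failing is the point of having a CA at all, since a certificate is only as trustworthy as the anchor it chains to.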

< [Table of Contents](#top) | [References](#references) >
<a id="e"></a>
*** 
###### Certificates - Tokens and Cards - [Smart Card] - [USB Token]
***

Can also put these certificates onto smart cards that double as identification cards - slide this card into the device we’re using to provide authentication, usually providing a personal identification number along with it. 


If the device we’re using doesn’t have a smart card reader we might instead use a USB key and put the certificate on the USB drive itself. During the authentication process the USB key is plugged in, the certificate is read and it usually works in conjunction with a personal identification number.


< [Table of Contents](#top) | [References](#references) >
<a id="f"></a>
***
###### SSH Keys - [Secure Shell - ``SSH``] - [Use Key instead of Username/Password] - [Key Management Critical] - [SSH Key Managers]
***

If you’re a server administrator, a network administrator or you work on the security team you’re certainly using Secure Shell or SSH. Secure Shell gives us a command-line prompt on remote devices, but instead of using a username and password we might want to use public and private keys to provide this authentication. 

This is especially important if we’re doing any type of automation, since we usually won’t be there to type in a password while the script is running.

One challenge with allowing key-based authentication is the management of the keys themselves - want to be sure that there is a centralized way to manage all of these private keys, which allows us to both control the keys and audit their use. 

There are many options available for key management, both open source and on the commercial market.

< [Table of Contents](#top) | [References](#references) >
<a id="g"></a>
***
###### SSH Keys - Key-based Authentication
***

To use this public/private key pair for SSH authentication instead of your username and password is a relatively simple process - if you’ve not previously created a public/private key pair you can do that by running the following command (usually found on Linux or macOS):

```
ssh-keygen
```

If you’ve installed the open source package or it’s already installed in your Linux distribution, then the ``ssh-keygen`` command is probably available on your system. 

After creating that public/private key pair you would then copy the public key to the SSH server using the following command:

```
ssh-copy-id user@host
```

Once you have your public key deployed to the servers you’re connecting to, you only need to SSH to the user at host and it will log in without any type of password authentication:

```
ssh user@host
```

The process involves first trying to SSH to my local server as root - the server name is ``10.1.10.170``. 

```
ssh root@10.1.10.170
```

It then prompts for a password to gain access to that server. Creating a public/private key pair and pushing our public key to the server shows what difference that makes during the authentication process.

```
root@10.1.10.170's password:
```

To create the key pair simply run ``ssh-keygen``:

```
ssh-keygen
```

Asks what file to save the key in (will use the default file):

```
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/***/.ssh/id_rsa):
```

Asks for a passphrase - can put a passphrase in here or leave it empty (leave this empty):

```
Enter passphrase (empty for no passphrase):
```

Asks for the same passphrase again: 

```
Enter same passphrase again:
```

Shows that the identification has been saved in a particular file on this system:

```
Your identification has been saved in ***/.ssh/id_rsa.
Your public key has been saved in ***/.ssh/id_rsa.pub.
The key fingerprint is:
*** ***@**.local
The key's randomart image is:
+---[RSA 3072]----+
+----[SHA256]-----+
```

Now have a public/private key pair and can start deploying that public key to all of the servers I’d like to use to automate this identity process.

Created a public key and a private key - push the public key to the server (keep the private key private on our machine).

```
ssh-copy-id root@10.1.10.170
```

It says that the source of the key to be installed is ``id_rsa.pub``, then attempts to log in with the new key and asks for a password. It returns saying the number of keys added is one:

```
Number of key(s) added:           1
```

Using ``ssh root@10.1.10.170`` - now logged in to that server without using any password during the authentication process.

Instead of a password it used my public key on that server to confirm that the private key on my local machine is indeed the correct one, and using that as the identity it provides me access to the machine.

If someone else tried to use this SSH command it would not authenticate automatically using the public/private key, because no one else has access to the private key - that key is only available on my local machine.
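As an added example, not part of the course notes: the server-side half of ``ssh-copy-id``, written out by hand so the mechanism is visible, together with a small audit of the resulting ``authorized_keys`` file, which is where the key management and audit concern from the SSH Keys section lands on each server. The key lines are constructed placeholders rather than real keys, and the "home directory" is a temporary directory, so nothing touches a real account. ``list_fingerprints`` is the only function that needs OpenSSH's ``ssh-keygen`` installed, and it only works on genuine keys.

```shell
#!/bin/sh
# Added example (not from the course notes): what ssh-copy-id does on the
# server side, done by hand, plus a small audit of who holds access through
# authorized_keys. The key line below is a constructed placeholder, not a key.
set -eu

EXAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey alice@laptop'

# install_pubkey HOME_DIR KEY_LINE: append KEY_LINE to HOME_DIR/.ssh/authorized_keys
# exactly once (re-running must not create duplicates) and set the permissions
# sshd expects; with StrictModes on, sshd ignores files others can write to.
install_pubkey() {
    home="$1"; key="$2"
    dir="$home/.ssh"; file="$dir/authorized_keys"
    mkdir -p "$dir"; chmod 700 "$dir"
    touch "$file"; chmod 600 "$file"
    if ! grep -qxF "$key" "$file"; then
        printf '%s\n' "$key" >> "$file"
    fi
}

# count_keys HOME_DIR: number of key lines (blank lines and comments excluded).
count_keys() {
    file="$1/.ssh/authorized_keys"
    [ -f "$file" ] || { echo 0; return 0; }
    grep -Ev '^[[:space:]]*(#|$)' "$file" | wc -l | tr -d ' '
}

# list_keys HOME_DIR: print "type comment" for each key so an administrator can
# see which identities have been granted access. Handles an optional options
# prefix (for example from="..."), which shifts the key type off field 1.
list_keys() {
    file="$1/.ssh/authorized_keys"
    [ -f "$file" ] || return 0
    awk '!/^[[:space:]]*(#|$)/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                printf "%s %s\n", $i, (i + 2 <= NF ? $(i + 2) : "(no comment)")
                break
            }
        }
    }' "$file"
}

# perms_ok HOME_DIR: return 0 if neither ~/.ssh nor authorized_keys is group-
# or world-writable (columns 6 and 9 of ls -l are the two write bits).
perms_ok() {
    dir="$1/.ssh"; file="$dir/authorized_keys"
    for path in "$dir" "$file"; do
        case "$(ls -ld "$path" | cut -c6,9)" in
            *w*) return 1 ;;
        esac
    done
    return 0
}

# list_fingerprints HOME_DIR: one fingerprint per installed key, which is what
# you compare against a central key inventory. Needs OpenSSH and real keys.
list_fingerprints() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
    ssh-keygen -lf "$1/.ssh/authorized_keys"
}

# demo: install the placeholder key twice into a temp home and show the audit.
demo() {
    home="$(mktemp -d)"
    install_pubkey "$home" "$EXAMPLE_KEY"
    install_pubkey "$home" "$EXAMPLE_KEY"
    echo "keys installed: $(count_keys "$home")"
    list_keys "$home"
    if perms_ok "$home"; then echo "permissions: ok"; else echo "permissions: too open"; fi
}
```

Source the file and call ``demo``; the count stays at one after the second install, and ``list_keys`` is the view an auditor actually wants, since a key's comment is the only hint on the server as to which person or automation holds the matching private key.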

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

J. "Professor" Messer, "CompTIA Security+ (SY0-601) Course Notes," [professormesser.com](https://web.archive.org/web/20220521181010/https://www.professormesser.com/security-plus/sy0-601/sy0-601-video/sy0-601-comptia-security-plus-course/), September 2021.

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="appendix"></a>
***
## Appendix
***

***
## END

```
from IPython.core.display import display,HTML
display(HTML("<style>.container { width:100% !important; }</style>"))
```

# END JUPYTER NOTEBOOK