Enterprise security systems use the βAAAβ framework:
Component
Question
This Lab
Production Example
Authentication
Who are you?
Card ID lookup
OAuth login, biometrics
Authorization
What can you do?
Access level check
RBAC, ABAC policies
Accounting
What did you do?
Audit log
SIEM, CloudTrail
All three are essential. Authentication without authorization means everyone gets full access. Authorization without accounting means you cannot investigate incidents.
Show code
{const container =document.getElementById('kc-auth-7');if (container &&typeof InlineKnowledgeCheck !=='undefined') { container.innerHTML=''; container.appendChild(InlineKnowledgeCheck.create({question:"A company implements strong authentication (fingerprint + badge) and detailed audit logging, but every authenticated user gets full admin access. Which 'A' of AAA is missing, and what is the risk?",options: [ {text:"Authentication is missing - fingerprints can be spoofed",correct:false,feedback:"Incorrect. The scenario explicitly states fingerprint + badge authentication is in place. While no authentication is perfect, the described system has authentication."}, {text:"Authorization is missing - any authenticated user can do anything, violating least privilege",correct:true,feedback:"Correct! Without authorization, the receptionist has the same access as the CEO. This violates the principle of least privilege and means one compromised account grants full system access. The logs will record who did damage, but cannot prevent it."}, {text:"Accounting is missing - the system cannot track who did what",correct:false,feedback:"Incorrect. The scenario mentions detailed audit logging, which IS accounting. The problem is that everyone can do everything, so logs show damage but cannot prevent it."}, {text:"All three are present - the security posture is acceptable",correct:false,feedback:"Incorrect. The scenario specifically says every authenticated user gets full admin access, meaning authorization (permission checking) is not implemented."} ],difficulty:"easy",topic:"aaa-framework" })); }}
Show code
{const container =document.getElementById('kc-auth-16');if (container &&typeof InlineKnowledgeCheck !=='undefined') { container.innerHTML=''; container.appendChild(InlineKnowledgeCheck.create({question:"An IoT gateway authenticates sensors using challenge-response. The gateway sends random nonce 'N=0x8F2A', sensor responds with H(N || SECRET). An attacker captures: (N1=0x1234, R1=0xABCD), (N2=0x5678, R2=0xEF01), (N3=0x1234, R3=0xABCD). The attacker replays R1 when they see N1 again. Why does this attack work?",options: [ {text:"The attack fails - replayed responses are invalid without regenerating the hash",correct:false,feedback:"Incorrect. The attacker observed that nonce 0x1234 was reused (N1=N3 both 0x1234), meaning the gateway's random number generator is broken or predictable. If the nonce repeats, the valid response also repeats. Replay works because identical challenges have identical valid responses."}, {text:"Challenge-response is vulnerable to replay - use time-based tokens instead",correct:false,feedback:"Incorrect. Challenge-response is NOT inherently vulnerable to replay if implemented correctly. The issue here is nonce reuse. Each nonce must be cryptographically random and never repeat. Time-based tokens don't solve this - they just move the reuse problem to time windows."}, {text:"The gateway reused nonce 0x1234, allowing the attacker to replay the previously-valid response",correct:true,feedback:"Correct! The security of challenge-response relies on nonces NEVER repeating. Once N1=N3, the attacker knows R1=R3. Good implementations use cryptographic RNGs with sufficient entropy and track recent nonces. Some protocols also include sequence numbers or timestamps in the hash to prevent replay even if nonces accidentally repeat."}, {text:"The secret is too short - longer secrets prevent replay attacks",correct:false,feedback:"Incorrect. Secret length affects brute-force resistance, not replay vulnerability. The problem is nonce reuse. Even with a 256-bit secret, if the same challenge appears twice, the same valid response appears twice."} ],difficulty:"hard",topic:"challenge-response-authentication" })); }}
WarningCommon Security Mistakes Demonstrated
This lab intentionally shows what NOT to do in production:
Lab Shortcut
Production Requirement
Hardcoded credentials
Store in secure element (ATECC608B, TPM)
Plain text card IDs
Encrypted credential storage
In-memory audit log
Persistent, tamper-evident logging
Single-factor auth
Multi-factor authentication (MFA)
Local database
Centralized identity provider (LDAP, Active Directory)
No encryption
TLS for all communications
Show code
{const container =document.getElementById('kc-auth-8');if (container &&typeof InlineKnowledgeCheck !=='undefined') { container.innerHTML=''; container.appendChild(InlineKnowledgeCheck.create({question:"An IoT device manufacturer stores device credentials (WiFi password, API keys) in the firmware binary. A hacker extracts the firmware from one device. What can they now access?",options: [ {text:"Only that one device - credentials are per-device",correct:false,feedback:"Incorrect. The scenario describes credentials baked into firmware, which is shared across all devices of that model. Extracting from one device exposes credentials for potentially millions of devices."}, {text:"All devices using that firmware - hardcoded credentials are a fleet-wide vulnerability",correct:true,feedback:"Correct! This is why hardcoded credentials are catastrophic. The Mirai botnet exploited exactly this flaw - default credentials in device firmware allowed attackers to compromise millions of IoT devices. Production devices should use per-device provisioning with secure elements."}, {text:"Nothing useful - firmware is encrypted and cannot be read",correct:false,feedback:"Incorrect. Most IoT firmware is not encrypted, and even encrypted firmware can often be decrypted through side-channel attacks or by extracting keys from the device's secure boot process."}, {text:"Only the WiFi network - API keys require additional authentication",correct:false,feedback:"Incorrect. If API keys are in firmware, extracting them gives full API access. There is no 'additional authentication' if the key itself is the authentication mechanism."} ],difficulty:"medium",topic:"device-identity" })); }}
1388.2 Connecting to Real-World Systems
NoteFrom Lab to Production
Lab Implementation
Production Equivalent
RFID card IDs
Smart cards with cryptographic challenge-response
Hardcoded user database
LDAP/Active Directory integration
Serial monitor
Secure management API (TLS + client certificates)
LED indicators
Security Operations Center (SOC) dashboards
Buzzer alerts
SIEM integration, SMS/email notifications
Simple lockout
Adaptive authentication with risk scoring
Role hierarchy
Attribute-Based Access Control (ABAC)
Real-world systems this lab concepts apply to: - Corporate badge access (HID, SALTO) - Data center entry (biometric + card + PIN) - AWS IAM policies (principals, resources, actions) - Kubernetes RBAC (roles, bindings, service accounts) - OAuth 2.0 / OpenID Connect (tokens, scopes, claims)
Show code
{const container =document.getElementById('kc-auth-9');if (container &&typeof InlineKnowledgeCheck !=='undefined') { container.innerHTML=''; container.appendChild(InlineKnowledgeCheck.create({question:"A fleet of 10,000 industrial sensors needs authentication to the cloud platform. Each sensor has a unique X.509 certificate stored in a hardware secure element. When a sensor connects, what proves its identity?",options: [ {text:"The sensor's MAC address and IP address combination",correct:false,feedback:"Incorrect. MAC addresses can be spoofed, and IP addresses are dynamically assigned. Neither provides cryptographic proof of identity. They are identifiers, not authenticators."}, {text:"The sensor proves it possesses the private key corresponding to its certificate during TLS handshake",correct:true,feedback:"Correct! X.509 certificate authentication works through challenge-response during TLS mutual authentication (mTLS). The sensor signs a challenge with its private key, which never leaves the secure element. The server verifies using the public key in the certificate. This is the gold standard for IoT device identity."}, {text:"The sensor sends its certificate serial number to the server for lookup",correct:false,feedback:"Incorrect. Simply sending a serial number proves nothing - an attacker could replay it. The cryptographic proof comes from demonstrating possession of the private key, which only the legitimate device has."}, {text:"The secure element transmits a shared secret to the cloud platform",correct:false,feedback:"Incorrect. Certificate-based authentication uses asymmetric cryptography (public/private key pairs), not shared secrets. The private key never leaves the secure element and is never transmitted."} ],difficulty:"hard",topic:"certificate-authentication" })); }}
Show code
{const container =document.getElementById('kc-auth-17');if (container &&typeof InlineKnowledgeCheck !=='undefined') { container.innerHTML=''; container.appendChild(InlineKnowledgeCheck.create({question:"An IoT platform uses mutual TLS (mTLS) where both device and server present certificates. During handshake, the server validates the device's certificate, but the device does NOT validate the server's certificate due to a configuration error. An attacker performs a man-in-the-middle attack. What can they do?",options: [ {text:"Nothing - mTLS prevents MITM attacks even if only one side validates",correct:false,feedback:"Incorrect. 'Mutual' means both sides authenticate. If the device doesn't verify the server's certificate, it will happily connect to an attacker's server that presents any certificate. The attacker can impersonate the legitimate server."}, {text:"Steal the device's private key since TLS encryption is compromised",correct:false,feedback:"Incorrect. The device's private key never leaves the secure element, even during mTLS handshake. The handshake proves possession without transmitting the key. The issue is that the device will connect to a fake server, not that its key is exposed."}, {text:"Impersonate the server, intercept all device communications, and potentially send malicious commands",correct:true,feedback:"Correct! Without server certificate validation, the device cannot distinguish the real server from an attacker's fake server. The attacker can perform a MITM attack, establishing one mTLS connection with the device (using a self-signed cert) and another with the real server, decrypting and inspecting/modifying all traffic. This is why BOTH sides must validate certificates in mTLS."}, {text:"Read encrypted traffic but cannot modify it due to TLS integrity protection",correct:false,feedback:"Incorrect. If the device accepts the attacker's server certificate, the attacker establishes a legitimate TLS session with the device using their own keys. They decrypt everything. Integrity protection works within a TLS session, but the device has a session with the attacker, not the real server."} ],difficulty:"hard",topic:"mutual-tls-authentication" })); }}
1388.3 Whatβs Next
After understanding these core authentication concepts, you can: