2. Access Control Flashcards
access control process
identification
authentication
authorisation
what is authentication
prove you are who you claim to be by:
- knowledge (what you know)
- Token (what you have)
- biometrics (what you are)
knowledge based authentication
passwords
passphrases
password bad practices
- reused
- easily guessed
- shared
- written down
- password manager: single point of failure
password entropy
measure of uncertainty
- password of K bits has pow(2, K) possibilities
- password of length L from B chars has pow(B, L) possibilities
- entropy H = log2(pow(B,L))
attacking passwords
- brute force
  - try all combinations
  - use account lock out to prevent brute force
  - need to exfiltrate data before brute force
- reverse brute force
  - try one password on multiple accounts
- dictionary
  - contains commonly used passwords
  - stored in plain text
- rainbow tables
  - contains commonly used passwords
  - stored in hashes
- social engineering
password hardening
- formulate good passwords
- store in password managers to help remember
- use passphrases
- secure storing of passwords
  - encrypt password (minimum)
  - hashed password (ok..)
  - hashed password + salt (best)
- enforce security policies
- 2FA
- educate users on best practices and increase awareness
- maintain correct access rights
what are tokens
physical devices to aid authentication
- e tokens
- RFID tags
  - used in logistics, prison, but weak to side channel attack
- smart cards
  - tamper proof
types of biometrics
physical
behavioural
requirements for biometrics
- universality
  - everyone must have that characteristic trait
- distinctiveness
  - characteristics should be sufficiently different
- permanence
  - characteristics should be sufficiently invariant
- collectability
  - characteristics can be measured quantitatively
acceptability of biometrics
authentication needs to be accepted by end users
- convenience
- duration of authentication
- invasion of privacy
accuracy of biometrics
- false/true accept rate
- retina scanning
- iris scanning
- facial recognition
- fingerprint
behavioural
how you type/walk
can change over time
people may have similar behaviours
voice recognition
is both behavioural and physical
biometrics advantages
- unique data, difficult to replicate
- fast and convenient
  - no issue of missing tokens or forgotten passwords
- scalable
  - just add data to DB
biometrics disadvantages
- unrecoverable if compromised
  - user cannot change their body
- expensive
- privacy concerns
authorisation: types of access control
- discretionary
  - owner, group, others
- role-based
  - principle of least privilege
- mandatory
  - defined integrity levels
  - user integrity level compared when logged in
principle of least privilege
best security privilege
limit privileges to minimum necessary to perform task