Access Control Flashcards
What are the three fundamental concepts of security?
Confidentiality, integrity and availability, otherwise known as the CIA triad.
What is meant by availability?
The availability of the software/principal being protected.
What is meant by integrity?
The integrity, or the assumed originality, of the message being recieved.
What is meant by confidentiality?
The belief that the message or data has not been read or compromised by any other actors in the network.
What is authentication?
Authentication is the means by which we figure out if a subject is a member of an authorised party that can access an object.
What is an example of “something you know” in authentication?
A password or a PIN number that you remember
What is an example of “something you are” in authentication?
Biometric characteristics, such as a facial scan or fingerprint
What is an example of “something you have” in authentication?
A smart card or a card reader
What is an example of “context location” in authentication?
Being physically close to an object or physically identifiable.
What is a “soft token” in authentication?
A soft token is a one-time password generated upon request to allow you to access the web application.
Soft tokens are powerful because they ensure that you know (the password), you are (being there to receive it) and you have (the device linked to the account).
Online applications tend to use this for two-factor authentication, combining your password and a soft token for a “double-layered wall”.
Why may biometric scans not be secure?
Hackers have proven already that simply being physically close to a seat the victim sat on, they can graft the fingerprints from it and replicate them to access biometric-locked data.
Why may RFID tags be dangerous to use in biometric authentication?
RFID tags solve the problem that fingerprints create, as they are stored on the body, but not in a way that can be easily grafted.
However, that difficulty to graft may inspire violent crime such as simply hacking off the entire hand/body part where the RFID is located to get access to biometrics-locked data.
What are access control models?
Access control models focus on authorisation, to specify who is allowed to do what, and how to update/change those permissions.
This may come in various forms, such as physical protection like gates/turnstiles, firewalls, memory management techniques or denial of access to files in a file system.
How might an access control matrix be modelled?
Typically, we will have a set of subjects S (e.g. {Alice, Bob}), and a set of current objects O (e.g. {file.txt, cat.png}).
The access control matrix M, then, will define the access permissions of our subjects S by the y axis, to the files O defined by the x axis.
How might we scale an access control model for larger subject groups?
We may do this by introducing a role-based access control system, where we instead attribute each role a set of objects, and then each user may be attributed a role.
