Access Control and Identity Management Flashcards
AAA Model
Authentication
Authorization
Accounting
POLA/POLP
Principle of Least Access
Principle of Least Privilege
Identification
Process of IDing an entity for authentication
User ID guidelines:
* Uniqueness
* Non-descriptive (doesn’t reveal the user’s job role)
* Secure issuance (the process of obtaining an ID)
Most common forms:
* User Name, User ID, Acct Number
Authentication
Verifies a user’s ID using one or more of three factors:
* Something you know
** Passwords/PINs
* Something you have
** ATM Card, CAC, Tokens
* Something you are
Authentication Tokens Types
Passive or Stored Value
* Storage device that stores some kind of key
* Magnetic strip or bar code
* Static password
Active
* Processor that computes a one-time password
* Synchronous Dynamic Token
* Asynchronous Dynamic Token
Type 1 Authentication Methods
Something you know
Passwords/PINs
Type 2 Authentication Methods
Something you have
ATM card, CAC, Tokens
Type 3 Authentication Methods
Something you are
Biometrics
CER
Crossover Error Rate
Least amount of both False Reject Rate and False Accept Rate
Strong Authentication
Multiple types of the same factor
Eg. Two “somethings you have”
SSO
Single Sign On
Authenticate only once
Examples using SSO: Kerberos, SESAME, directory services
Kerberos
Principal - device on network
Realm - like a domain
KDC (Key Distribution Center)
* AS (Authentication Server)
* TGS (Ticket-Granting Server)
* TGT (Ticket-Granting Ticket)
* RTGS (Remote Ticket-Granting Service)
X.500 Standard
For Directory Services
Directory Services
Logical means of organizing resources
ACLs to control access to resources
LDAP
Lightweight Directory Access Protocol
Standardized directory access protocol
* Allows queries to be made of directories
* Based on the X.500 Standard
* Port 389
* Port 636 for LDAP over TLS/SSL