Authentication & Acess Control

Question 1

What are the differences between identification and authentication?

Answer 1

When an entity identifies itself, it declares its identity

In Authentication, otherwise, the entity provides a proof that verifies its identity

Question 2

What are the factors of authentication?

Answer 2

Something that the entity knows

Something that the entity has

Something that the entity is

Question 3

What are some of the examples of the to know factor of authentication?

Answer 3

Password, Bing, secret handshake

Question 4

What are some examples of the to have factor of authentication

Answer 4

Door key, smart card, token

Question 5

What are some examples of the to be factor of authentication

Answer 5

Face, voice, fingerprints

Question 6

What are the advantages and disadvantages of the to know factor?

Answer 6

Advantages: Low-cost, easy off deployment, low technical barrier

Disadvantages: Secrets can be stolen or snooped, guest, cracked

Question 7

Based on the to know factor, how do we get to meaningful counter measures against possible attacks?

Answer 7

First, we need to estimate the most likely attack in this scenario. Accordingly choose the counter measures that are worth asking user to adhere to, relating also the cost of implementing it.

Question 8

What are the advantages and disadvantages of the to have factor?

Answer 8

Advantages, human factor, relatively low cost, good level of security

Disadvantages, hard to deploy, can be lost or stolen

Question 9

What are the advantages and disadvantages of the to be factor?

Answer 9

Advantages; high-level of security, requires no extra hardware to carry around

Disadvantages: hard to deploy, probabilistic matching, invasive measurement, can be cloned, privacy sensory, users with disabilities

Question 10

What is the access control? Who does it and what are the requirements for it?

Answer 10

Access access control is a binary decision to allow or deny

The one that implement it is the reference monitor which enforces access control policies. The requirements for the reference monitor are: tamper proof, cannot be bypassed, small enough to be verified/tested

The reference monitor does therefore the authentication (verifies the identity of the user making the request) and the authorization (decision whether axis is granted or denied)

Question 11

Requests to reference monitor come directly from the user or a user identity

True or false

Answer 11

False

Request to reference monitor do not come directly from user or a user identity, but from a process

Question 12

How is called the active entity making a request within the system?

Answer 12

It is called the subject

Question 13

What is the difference between a user and a subject?

Answer 13

A user is a person, whether a subject is a process running under a given user identity

Question 14

What are the acces control models?

Answer 14

Discretionary access control (DAC)

Mandatory access control (MAC)

Role-based access control (RBAC)

Question 15

Describe how a DAC works

Answer 15

Resource owner discretionarily decides its access privileges

Off the shelf OSs implement DAC

Question 16

Give an example of a DAC

Answer 16

Stefano create a file and assign Frederico the privilege of reading it

Question 17

In the general manner, a DAC system needs to model which entities?

Answer 17

The subjects, who can exercise privileges, the objects, on which privileges are exercised, and the actions, which can be exercised

Question 18

What are the common implementations of DAC systems?

Answer 18

Reproduction of HRU models

Access matrix in the sparse matrix

Authorization table

Access control list

Capability lists

Question 19

What is the difference between access control and capability lists in the implementation of DAC systems?

Answer 19

The access control lists focus on the object, this way, each column of the table contains a subject and its possible actions for a given object listed in the lines

The capability list otherwise focused on the subject. Therefore, every subject is enumerated in a given line, and every column informs the object, and the actions the user can perform on it.

Question 20

What are the general DAC shortcomings?

Answer 20

Cannot prove safety

Control access to objects, but not to the inside object

Problems of scalability and management

Question 21

What is the main idea behind MAC systems?

Answer 21

Do not let owners assign privileges. Previlages are set by a security administrator.