Chapter 13 Managing Identity and Authentication Flashcards
What is identification?
The process of a subject claiming or professing an identity. A subject must provide an identity to begin the authentication, authorization, and accounting process. This could involve typing a username, swiping a smartcard, speaking a phrase, or providing a body part for biometrics.
What is authentication?
Verifying a subject’s identity by comparing one or more factors against a database of valid identities. This information needs to be protected (i.e., hashed).
Identification and authentication occur together as a two-step process.
Each authentication technique has benefits and drawbacks, and so each mechanism should be evaluated based on the environment where it is being deployed.
What is the difference between subjects and objects?
Access control is more than controlling which users can access which files or services. It is about the relationship between entities. Access is the transfer of information from an object to a subject.
–A subject is an active entity that accesses a passive object to receive information from, or data about, that object. Subjects can be users, programs, processes, services, computers, or anything that can access a resource. When authorized, subjects can modify objects.
–Objects are passive entities that provide information to active subjects. These include files, databases, computers, programs, processes, services, printers, and storage media.
You can think of subjects as users and objects as files. However, subjects are more than users and objects are more than files.
Some things can be both an object and a subject. The key is that the subject is always the active entity that receives information about, or data from, a passive object. Example: when a user queries a web application to retrieve a web page, the application is an object. However, the application becomes the subject when it queries the user’s computer to retrieve a cookie.
What are authorization, accountability, and auditing?
Authorization is granting access to objects based on proven identities. It indicates who is trusted to perform an operation.
Accountability is holding users and other subjects accountable for their actions via auditing, logging, and monitoring. Accountability requires identification and authentication but not authorization.
Auditing tracks subjects and records when they access objects, creating an audit trail in one or more logs.
Audit logs also provide nonrepudiation.
What are authentication factors?
Primary:
Something you know: Memorized secrets. Aka Type 1 authentication factor
Something you have: Physical devices such as smartcards, hardware tokens, memory cards, or USB drives. Aka Type 2 authentication factor.
Something you are: Biometrics. Aka type 3 authentication factor.
Secondary:
Somewhere you are: based on use of a specific computer, an IP address or a phone number.
Somewhere you are not: Use of geolocation to detect suspicious activity
Context-aware authentication: MDM can look at location, time of day, and the mobile device.
Something you do: gestures or finger swipes
What does NIST say about passwords? What about PCI DSS?
The relevant standards are NIST SP 800-63B and PCI DSS.
NIST says:
–passwords should never be stored or transmitted in cleartext
–Passwords should not expire
–Users should not be required to use special characters
–Users should be able to copy and paste passwords, so they can use password managers
–Users should be able to use all characters
–Length should be between 8 and 64 characters
–Password systems should screen for commonly used passwords
PCI DSS says:
–Passwords expire at least every 90 days
–Should be at least seven characters long
What is a smart card?
Credit card-sized device with an integrated circuit chip. Smart cards usually have a microprocessor and one or more certificates.
What is a token?
Password-generating device that users carry with them. It generally shows a six- to eight-digit number. An authentication server stores the details of the token, so that at any moment it knows what number is displayed.
Synchronous dynamic password tokens are time-based and synchronized with an authentication server. They generate a new PIN periodically, typically every 30-60 seconds. This requires both the token and the server to have an accurate time. A common approach is to combine the token with another factor by requiring the user to also enter a username, static password, and/or PIN.
An asynchronous dynamic password token does not use a clock. Instead, the token generates PINs based on an algorithm and an incrementing counter. When using the counter, it creates a dynamic one-time PIN that remains valid until actually used. Some create a one-time PIN when you enter a PIN into the authentication server.
Some organizations use the same concept but do so with software running on a user device, such as the Symantec VIP Access app.
What are fingerprints?
Visible patterns on the fingers and thumbs. They have loops, whorls, ridges, and bifurcations (aka minutiae). Registration usually takes less than a minute.
What are face scans?
Use the geometric patterns of faces for detection and recognition.
What are retina scans?
Focus on the pattern of blood vessels at the back of the eye. Most accurate form of biometric authentication, but can reveal medical conditions, and require the user to be three inches away.
What are iris scans?
Focus on the colored area around the pupils. Second-most accurate, and can be done from 6-12 meters away, but lighting, glasses, and contact lenses can fool them.
What are palm scans?
Use near-infrared light to measure vein patterns in the palm. Nearly as unique as fingerprints.
What is voice pattern recognition?
User speaks a specific phrase, which is recorded by the authentication system. Do not use them alone.
Not the same thing as speech recognition. Voice pattern recognition differentiates between voices for identification and authentication, while speech recognition differentiates between words in any person’s voice.
What are Biometric Factor Error Ratings?
False rejection rate (FRR): The ratio of false rejections to valid authentications. Type 1 error.
False acceptance rate (FAR): The ratio of false positives to valid authentications. Type 2 error.
The crossover error rate (CER) is the point at which the FRR and FAR percentages are equal.