Chapter 2 - Access Control Flashcards
Access Control
Access control is the general term in information technology that encompasses the various methods used to control who (and what) is permitted to access specific information and perform specific functions.
In simplistic terms, the steps undertaken are something like this:
1. Authentication: Reliably identify the subject.
2. Find out what object the subject wishes to access.
3. Authorisation: Determine whether the subject is allowed to access the object.
4. Access: Permit (or deny) the subject’s access to the object.
5. Accounting: Log the access that was requested.
Identification
Identification is the unproven assertion of an identity.
Authentication
Authentication is the assertion of an identity that is confirmed through some means such as a password (a secret word or phrase) or access token.
Authentication Methods
Conceptually, information systems authenticate users by challenging the user in one or more of three ways:
- What the user knows
- What the user has
- What the user is
Password Storage
Because passwords are supposed to be secret, they must be stored with a greater degree of protection than other information.
Generally, a password is stored in an encrypted or hashed form so that someone who has access to the information where passwords are stored will not be able to see users’ passwords. The preferred method for storing passwords is hashing, a one-way method of storing information that makes it impossible to recover the password from the stored value.
Hashing
Hashing is a cryptographic technique in which the bits of the cleartext password are run through a one-way mathematical algorithm that transforms them into a hash value. The system stores only the hash value. Then, when a user logs into the system, the system hashes the password that the user typed in and compares it to the stored hash. If the two hashes are equal, then we know that the user typed in the password correctly. If the two hashes are not equal, then the user typed in the wrong password.
Possession-based authentication
Possession-based authentication involves the use of a hardware device or nontransferable digital certificate that is required to complete the authentication process. Often known as token authentication, the advantage of possession-based authentication is its improved resistance to compromise over knowledge-based authentication.
- Digital Certificate
- Smart card
- Password Token
- USB token
- Text messages or registered device
Biometric Authentication
Biometrics, which are also considered a form of two-factor or strong authentication, measure a physical or physiological characteristic of the end user in order to identify whether the person requesting entry to an information system or facility is who he or she claims to be.
- Fingerprint
- Palm scan
- Facial scan
- Iris scan
Multi-Factor Authentication
Multi-factor authentication involves the use of two or more authentication methods (knowledge-based, possession-based, or entity-based, which are described earlier in this section). It is considerably more difficult for an intruder to break into an environment’s authentication when multi-factor authentication is used. This is because the intruder, in addition to knowing a user ID and password, must also have in his or her possession the hardware device or body part that is also required for a user to successfully authenticate.
Authentication Issues
Authentication systems request identifying information from users in order to permit access to legitimate users and deny access to invalid users. Authentication systems don’t always work right, and users don’t always operate them correctly. Some of the significant issues include:
- Password quality
- Forgotten credentials
- Compromised credentials
- Staff terminations