Chapter 2 - Toolbox: Authentication, Access Control and Cryptography Flashcards
Identification
the act of asserting who a person is.
Authentication
the act of proving that asserted identity: that the person is who she says she is.
Salt
user-specific component joined to an encrypted password to distinguish identical passwords
Rainbow table:
precomputed list of popular values, such as passwords
exhaustive or brute force attack
the attacker tries all possible passwords,
usually in some automated fashion.
Biometrics
biological properties, based on some physical characteristic of the human body.
Sensitivity
measures the degree to which the screen selects those whose names correctly match the person sought
Specificity
measures the proportion of negative results among
all people who are not sought.
Accuracy or efficacy
measures the degree to which the test
or screen correctly flags the condition or situation
Prevalence
tells us how common a certain condition
or situation is.
positive predictive value of a test
a number that expresses how many times a positive match actually represents the identification of the sought person
receiver operating characteristic (ROC) curve
a graphical representation of the trade-off between the false negative and false positive rates.
passive token
do nothing, the contents of the token never
change.
active token
can have some variability or interaction with its surroundings
static token
The value remains fixed. most useful for onsite authentication
Skimming
the use of a device to copy authentication data surreptitiously and relay it to an attacker
dynamic token
have computing power on the token to change their internal state.
federated identity management scheme
unifies the identification and authentication
process for a group of systems.
multifactor authentication
Combining authentication information
two-factor authentication
Two forms of authentication are presumed to be better than one, assuming of course that the two forms are
strong.
basic access control paradigm
A subject is permitted to access an object in a particular mode, and only such authorized accesses are allowed.
granularity
the fineness or specificity of access control
audit log
Systems also record which accesses have
been permitted,
Limited privilege
the act of restraining users and processes so that any harm they can do is not catastrophic
Reference monitor
access control that is always invoked, tamperproof, and verifiable
access control matrix
a table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.
access control list
representation corresponds to columns of the access control matrix. There is one such list for each object, and the list shows all subjects who should have access to the object and what their access is.
privilege list/ directory
a row of the access matrix, showing all those privileges or access rights for a given subject
capability
an unforgeable token that gives the possessor
certain rights to an object. Single- or multi-use ticket to
access an object or service
transfer or propagate
subject having this right can pass copies of capabilities to other subjects.
domain
the collection of objects to which the process has access
procedure-oriented protection
can perform actions specific to a particular object in implementing access control.
Role-based access control
lets us associate privileges with groups, such as all administrators can do this or candlestick makers are forbidden to do that. Recognizes common
needs of all members of a set of subjects.
Encryption or cryptography, encode, encipher
the name means secret writing—is probably the strongest defense in the arsenal of computer security protection. Conceals data against
unauthorized access.
decryption, decode, decipher
transforming an encrypted message back into its normal, original form
cryptosystem.
A system for encryption and decryption
Ciphertext:
encrypted material
plaintext:
material in intelligible form
algorithms
A cryptosystem involves a set of rules for how to encrypt the plaintext and decrypt
the ciphertext.
key
algorithms, often use a device so that the resulting ciphertext depends on the original plaintext message,
symmetric or single-key or secret key encryption
the same key, K, is used both to encrypt a message and later to decrypt it.
asymmetric or public key
At other times, encryption and decryption keys come in pairs. Then, a decryption key, KD, inverts the encryption of key KE
keyless cipher
An encryption scheme that does not require the use of a key
cryptanalyst
studies encryption and encrypted messages, hoping to find the hidden meanings Normally, works on behalf of an unauthorized interceptor
cryptographer
attempt to translate coded material back to its original form. Normally, works on behalf of a legitimate sender or receiver,
cryptology
the research into and study of encryption and decryption; it includes both cryptography and cryptanalysis
breakable
given enough time and data, an analyst can determine the algorithm
work factor
The difficulty of breaking an encryption
key management
It involves storing, safeguarding ,and activating keys.
stream encryption
each bit, or perhaps each byte, of the data
stream is encrypted separately.
block cipher
encrypts a group of plaintext symbols as a single
block.
Rijndael
a fast algorithm that can easily be implemented on simple processors
The Rivest–Shamir–Adelman (RSA) cryptosystem
a public key system. Based on an underlying hard problem and named after its three inventors
Man-in-the-middle failure
an unauthorized third party intercedes in an activity presumed to be exclusively between two people
nonce,
a random value meaningless in and of itself, to show activity (liveness) and originality (not a replay).
collision
Two inputs that produce the same output
parity check
The simplest error detection code
cyclic redundancy
detects errors in recording and playback
error correction codes
can detect multiple-bit errors (two or more bits changed in a data group) and may be able to pinpoint the changed bits (which are the bits to reset to correct the modification).
seal a file
cryptography can be used to encase a file so that any change becomes apparent.
hash or checksum or message digest
One technique for providing the seal is to compute
a function,
one-way functions
Functions, which are much easier to compute than their inverses.
cryptographic checksum
a cryptographic function that produces a checksum.
It is a digest function using a cryptographic key that is presumably known only to the originator and the proper recipient of the data.
digital signature
a protocol that produces the same effect as a real signature: It is a mark that only the sender can make
but that other people can easily recognize as belonging to the sender.
