Chapter 2 - Toolbox: Authentication, Access Control and Cryptography Flashcards
Identification
the act of asserting who a person is.
Authentication
the act of proving that asserted identity: that the person is who she says she is.
Salt
user-specific component joined to an encrypted password to distinguish identical passwords
Rainbow table
precomputed list of popular values, such as passwords
exhaustive or brute force attack
the attacker tries all possible passwords, usually in some automated fashion.
Biometrics
biological properties, based on some physical characteristic of the human body.
Sensitivity
measures the degree to which the screen selects those whose names correctly match the person sought
Specificity
measures the proportion of negative results among all people who are not sought.
Accuracy or efficacy
measures the degree to which the test or screen correctly flags the condition or situation
Prevalence
tells us how common a certain condition or situation is.
positive predictive value of a test
a number that expresses how many times a positive match actually represents the identification of the sought person
receiver operating characteristic (ROC) curve
a graphical representation of the trade-off between the false negative and false positive rates.
passive token
does nothing; the contents of the token never change.
active token
can have some variability or interaction with its surroundings
static token
The value remains fixed; most useful for onsite authentication.
Skimming
the use of a device to copy authentication data surreptitiously and relay it to an attacker
dynamic token
has computing power on the token to change its internal state.
federated identity management scheme
unifies the identification and authentication process for a group of systems.
multifactor authentication
Combining authentication information
two-factor authentication
Two forms of authentication are presumed to be better than one, assuming of course that the two forms are strong.
basic access control paradigm
A subject is permitted to access an object in a particular mode, and only such authorized accesses are allowed.
granularity
the fineness or specificity of access control
audit log
Systems also record which accesses have been permitted.
Limited privilege
the act of restraining users and processes so that any harm they can do is not catastrophic
Reference monitor
access control that is always invoked, tamperproof, and verifiable