Chapter 4 Access Control, Authentication, Authorization Flashcards
What is Access Control?
131
The act of allowing only authorized users into a system, and keeping out the people you don't want in.
Identification vs. Authentication
131
Identification is finding out who someone is. Authentication is proving it.
5 different forms of authentication
131
Something you know: password or PIN
something you have: smart card or token
Something you are: biometrics
Something you do: an action you take to complete authentication
Somewhere you are: geolocation (not so likely anymore)
Single-Factor Authentication
132
Just one form of authentication, usually a username and password.
Multifactor Authentication
133
Whenever you use more than one method of authentication.
Layered Security and Defense In Depth
133
It essentially just means you should have more than one type of security present.
Tokens
135
Authenticate the user. Essentially just a sliver of information that tells the computer who you are.
Federations
135
A collection of networked computers that agree on communication standards.
IM programs are an example of this.
Transitive Access
136
When A trusts B and B trusts C, A and C might implicitly trust each other. This is taken care of with transitive trusts.
PAP
139
Password Authentication Protocol
- Legacy system that sends the username and password to an authentication server in plain text.
SPAP
139
Shiva PAP
- Main difference between this and PAP is that the username and password are encrypted
- It is less secure than CHAP and is susceptible to replay attacks.
CHAP
139
Challenge Handshake Authentication Protocol
- The connecting machine generates a random number (usually a hash) and sends it to the server.
- The server will periodically ask for that number again, which prevents man-in-the-middle attacks.
TOTP
139
Time-Based One Time Password
- Uses a time-based factor to create unique passwords.
- Google Authenticator is a good example
HOTP
139
HMAC-Based OTP
- Uses a Hash Message Authentication Code to authenticate.
Password Length and Complexity
account policy enforcement, page 139
On Windows, enabling password complexity requires:
- Cannot contain any part of the username longer than 3 consecutive characters
- Must be at least eight characters long
- Must contain characters from 3 of the following categories:
  - A-Z
  - a-z
  - 0-9
  - !$%