Chapter 5: Identity and Access Management Flashcards
Subject
Person, Process or Program
Object
A resource (file, printer, etc…)
Access Controls
Security features that control how people can interact with systems and resources.
Three categories: Logical, Administrative and Physical.
IAAA of Access Control
Identification - Make a claim (user ID, etc.)
Authentication - Provide support (proof) of your claim
Authorization - What rights and permissions you have
Auditing - Accountability, matching actions to subjects
Identification
Public information (usually we aren't concerned with protecting identities)
Identification must be unique for accountability
Standard naming schemes should be used
Identifier should not indicate extra information about the user (like job position)
Examples:
- User ID
- Account number
- RFID
- IP or MAC address
Authentication - 3 types
Proving your identity
Type 1: Something you know - Password, graphic images, etc.
Type 2: Something you have - Tokens, smart cards, certs
Type 3: Something you are - Biometrics
Biometric Concerns
Accuracy
Type I Error: False Rejection - A legitimate user is barred from access. Is caused when a system identifies too much information. This causes excessive overhead.
Type II Error: False Acceptance - An impostor is allowed access. This is a security threat and comes when a system doesn't evaluate enough information.
As FRR goes down, FAR goes up and vice versa.
The level at which the two meet is called the CER (Crossover Error Rate). The lower the number, the more accurate the system.
Iris scans are the most accurate.
*** The iris can reveal health info.
Strong Authentication
2 or more biometrics is best stand-alone.
Strong Authentication is the combination of 2 or more of these and is encouraged!
Strong Authentication provides a higher level of assurance.
* Strong Authentication is also called multi-factor authentication.
* Watch out! Most people want to choose biometrics as the best authentication, but any one source can be compromised. Always look for more than one type!
Mutual Authentication is beneficial.
Authorization
The concept of ensuring that someone who is authenticated is allowed access to a resource.
Authorization is a preventative control.
Race conditions would try to cause authorization to happen before authentication.
Asynchronous Token Devices
Asynchronous / Challenge-Response
1. User logs in.
2. Authentication server returns a challenge to the user.
3. User types the challenge string into the token device and presses enter.
4. Token device returns a reply.
Only that specific user's token device could respond with the expected reply.
More complex than synchronous.
May provide better protection against sniffing.
Memory Cards
NOT a smart card.
Holds information, does NOT process.
A memory card holds authentication info; usually you'll want to pair this with a PIN... WHY?
A credit card or ATM card is a type of memory card, so is a key/swipe card.
* Usually insecure, easily copied.
Smart Card (191)
Much more secure than memory cards.
Can actually process information.
Includes a microprocessor and ICs.
Can provide two-factor authentication, as the card can store authentication info protected by a PIN (so you need the card, and you need to know something).
Two types: Contact, Contactless.
There are attacks against smart cards:
1. Fault generation - manipulate environmental controls and measure errors in order to reverse engineer logic.
2. Side channel attacks - measure the cards while they work.
   Differential power analysis - measure power emissions.
   Electromagnetic analysis - e.g. frequencies emitted.
3. Micro probing* - using needles and vibrations to remove the outer protection on the card's circuits, then tap into the ROMs if possible, or "die" the ROMs to read data.
Single Sign on Pros/Cons
Pros
- Ease of use for end users
- Centralized control
- Ease of administration
Cons
- Single point of failure
- Standards necessary
- Keys to the kingdom
SSO Technologies
Kerberos, SESAME, LDAP, Microsoft Active Directory
Kerberos
A network authentication protocol designed from MIT's Project Athena. Kerberos tries to ensure authentication security in an insecure environment.
Used in Windows 2000+ and some Unix.
Allows for single sign-on.
Never transfers passwords.
Uses symmetric encryption to verify identities.
Avoids replay attacks.