Domain 5 Flashcards
Identification
Subjects claim an identity, and identification can be as simple as a username for a user.
Authentication
Subjects prove their identity by providing authentication credentials, such as the matching password for a username.
Authorization
After authenticating subjects, systems authorize access to objects based on their proven identity.
Accountability
Auditing logs and audit trails record events including the identity of the subject that performed an action.
identification + authentication + auditing = ACCOUNTABILITY
Primary Authentication Factors
Something you know (PIN or password): Type 1
Something you have (trusted device): Type 2
Something you are (biometric): Type 3
Multifactor Authentication
Includes two or more authentication factors; more secure than using a single authentication factor.
- Passwords are the weakest form of authentication; password policies help increase their security by enforcing complexity and history requirements.
- Smartcards include microprocessors and cryptographic certificates.
- Tokens create one-time passwords.
- Biometric methods identify users based on characteristics such as fingerprints.
FAR
False acceptance rate occurs when an invalid subject is authenticated.
Type 2 biometric error (false positive)
FRR
False rejection rate occurs when a valid subject is rejected.
Type 1 biometric error (false negative)
CER
Crossover Error Rate
The crossover error rate identifies the accuracy of a biometric method.
It shows where the false rejection rate is equal to the false acceptance rate.
SSO
Single Sign-On is a mechanism that allows subjects to authenticate once and access multiple objects without authenticating again.
Common SSO methods/standards
SAML
OAuth 2.0
OpenID
Kerberos
SESAME
KryptoKnight
SAML
Security Assertion Markup Language
SSO Mechanism
Federated Identity Management
An XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
Uses tokens
OAuth 2.0
An open standard for authorization, commonly used as a way for Internet users to log into third-party websites using their Microsoft, Google, Facebook, Twitter, One Network, etc. accounts without exposing their password.
OpenID
Managed through the OpenID Foundation.
An open standard that provides decentralized authentication, allowing users to log into multiple unrelated websites with one set of credentials maintained by a third-party service referred to as an OpenID provider.
AAA Protocols
Several protocols provide centralized Authentication, Authorization, and Accounting services.
Network access or remote access systems use AAA protocols:
RADIUS
TACACS+
Diameter
RADIUS
AAA protocol
Uses UDP and encrypts the password only.
TACACS+
AAA protocol
Uses TCP and encrypts the entire session.
Diameter
AAA protocol
Is based on RADIUS and improves many of the weaknesses of RADIUS, but Diameter is not compatible with RADIUS.
Identity and access provisioning lifecycle
Refers to account
creation
management
deletion
Authorization Mechanisms
Access control models use many different types of authorization mechanisms, or methods, to control who can access specific objects.
Implicit Deny
A basic principle of access control is implicit deny, and most authorization mechanisms use it.
The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.
Access Control Matrix
A table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action.
Capability Tables
Another way to identify privileges assigned to subjects. They differ from ACLs in that a capability table is focused on subjects (such as users, groups, or roles) rather than objects.
Constrained Interface
Applications use constrained interfaces, or restricted interfaces, to restrict what users can do or see based on their privileges. Users with full privileges have access. Applications constrain the interface using different methods.