Domain 5 - Identity and Access Management Flashcards
Type 3 Authentication Method
Something you are
- Enrollment in biometric system should take 2 minutes or less
- Throughput (time to authenticate a user) of a biometric system should be 6-10 seconds or less
FRR
False Reject Rate
Type 1 Error
Type 1 Error
False Reject Rate, FRR
FAR
False Accept Rate
Type 2 Error
Type 2 Error
False Accept Rate, FAR
CER
Crossover Error Rate
- The point where the FRR and FAR are equal
Fingerprint Scans
- Data is called ‘fingerprint minutiae’
- Includes whorls, ridges, bifurcation
Retina Scan
- Laser scan of the capillaries that feed the retina at the back of the eye
- Laser must actually enter the eye
- PRIVACY CONCERNS
- Exchange of bodily fluid
- Can determine health information (pregnancy, diabetes, etc)
Iris Scan
- Passive biometric control
- Camera takes a picture of the iris, authentication system compares the photo when authenticating
- Works through contact lenses/glasses
- High accuracy
- No exchange of bodily fluids
- Iris pattern is LIFE-LONG and never changes
Hand Geometry (authentication)
- Measures specific points taken on the subject’s hands
- Takes up very little space to store in database (~9 bytes per entry)
Type 1 Authentication Method
Something you know
- Passwords, passphrases, etc
Type 2 Authentication Method
Something you have
- Synchronous/asynchronous token
Synchronous Dynamic Token
- Displays dynamic tokens at set time intervals
- Synchronized with a central server
Asynchronous Dynamic Token
- Not synchronized with a central server
- Smart cards, etc…
Centralized Access Control
- One logical access control database
- Can be used to provide SSO
- Centrally provided AAA
- Systems authenticate via third-party auth servers
Decentralized Access Control
- Allows IT administration to occur closer to the mission/ops of the organization
- Useful when organization spans multiple locations
- Local sites support and maintain independent systems, access control databases, and data
- Also called DISTRIBUTED ACCESS CONTROL
KERBEROS (components)
- Principal
- Realm
- Ticket
- Credentials
- KDC (key distribution center)
- TGS (ticket granting server)
- TGT (ticket granting ticket)
- C/S (client/server)
KERBEROS strengths
- Mutual authentication of client/server
- Mitigates replay attacks via the use of TIMESTAMPS
- Stateless (credentials issued by KDC or TGS are good for the credential’s lifetime)
KERBEROS weaknesses
- KDC stores the keys of ALL principals
- KDC and TGS are single points of failure
- In KERBEROS 4, any user may request a session key for another user
- Plaintexts still exist on the local host
SESAME
Secure European System for Applications in a Multi-vendor Environment
- SSO system that supports heterogeneous environments
- A “sequel” to KERBEROS
- Adds PKI
- Uses PACs in place of tickets
PAP
Password Authentication Protocol
- RFC 1334
- NOT a strong authentication method
- Clear-text
- Vulnerable to sniffing
CHAP
Challenge Handshake Authentication Protocol
- RFC 1994
- Provides protection against PLAYBACK attacks
- Uses a central location that challenges remote users
- Depends on a “secret” known only to the authenticator and the peer
Discretionary Access Control
- Subjects have FULL CONTROL of objects they have created or been given access to, including SHARING the objects with other subjects
- Subjects are empowered and control their data
- UNIX/Windows use DAC for their file systems
- Subjects grant other subjects access to their files, change their attributes, alter them, delete them, etc
Mandatory Access Control
- CONFIDENTIALITY
- Bell-LaPadula
- Difficult and expensive to implement
- System-enforced access control based on a subject’s CLEARANCE level and an object’s label
- Subjects and objects have CLEARANCES and LABELS (top secret, secret, confidential, etc)
- Subject may access an object ONLY if the subject’s clearance level is equal to or greater than the object’s label
Non-Discretionary Access Control
- RBAC
- Access based on the ROLE of a subject