Authentication factors
what a person knows, has, or is
Biometrics: most effective and accurate methods of verifying identification.
Password: Passwords are the weakestform of authentication and can be easily sniffed as they travel over a network
Cognitive Password (感知密碼): fact- or opinion-based information used to verify an individual’s
identity. A user is enrolled by answering several questions based on her life experiences. Ex: mother's name, CAPTCHA
Biometrics: most effective and accurate methods of verifying identification.
Password: Passwords are the weakestform of authentication and can be easily sniffed as they travel over a network
Cognitive Password (感知密碼): fact- or opinion-based information used to verify an individual’s
identity. A user is enrolled by answering several questions based on her life experiences. Ex: mother's name, CAPTCHA
Access Control and Markup Languages
SPML(Service Provisioning Markup Language): allows for the exchange of provisioning data between applications, which could reside in one organization or many. SPML allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems.
SAML (Security Assertion Markup Language): allows the exchange of authentication and authorization data to be shared between security domains
XACML(Extensible Access Control Markup Language): used to express security policies and access rights to assets provided through web services and other enterprise applications
FRR, RAR, CER
Type I error (false rejection rate) => FRR
Type II error (false acceptance rate) =>FAR
crossover error rate (CER): represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when determining the system’s accuracy. => 職越小準確性越高
The goal is to obtain low numbers for each type of error, but Type II errors are the most dangerous and thus the most important to avoid.
digital signature
uses a private key to encrypt a hash value (message digest).
Authorization Creep
As employees work at a company over time and move from one department to another, they often are assigned more and more access rights and permissions.
Main Components in Kerberos
Key Distribution Center (KDC): holds all users’ and services’ secret keys. It provides an authentication service, as well as key distribution functionality.
ticket granting service (TGS) : A ticket is generated by TGS on the KDC and given to a
principal when that principal, let’s say a user, needs to authenticate to another principal, let’s say a print server.
Examples of Single Sign-On Technologies
Kerberos : use symmetric algorithm
SESAME: use symmetric and asymmetric algorithm
Security domains: Resources working under the same security policy and managed by the same group
Directory services: Technology that allows resources to be named in a standardized manner and access control to be maintained centrally
Thin clients: Terminals that rely upon a central server for access control, processing, and storage
Access Control Models
1. Discretionary Access Control (DAC): enables the owner of the resource to specify which subjects can access specific resources. The most common implementation of DAC is through ACLs, which are dictated and set by the owners and enforced by the operating system.
2. Mandatory Access Control(MAC): users do not have the discretion of determining who can access objects as in a DAC model.In most systems based upon the MAC model, a user cannot install software, change file permissions, add new users, etc. The system can be used by the user for very focused and specific purposes. The rules for how subjects access objects are made by the organization’s security policy, configured by the security administrator, enforced by the operating system, and supported by security technologies.
3. Role -Based Access Control(RBAC): role is defined in terms of the operations and tasks the role
will carry out, whereas a DAC model outlines which subjects can access what objects based upon the individual user identity
沒有留言:
張貼留言