CISSP Note(Ch3 Access Control)

Authentication factors

what a person knows, has, or is
Biometrics: most effective and accurate methods of verifying identification.
Password: Passwords are the weakestform of authentication and can be easily sniffed as they travel over a network
Cognitive Password (感知密碼): fact- or opinion-based information used to verify an individual’s
identity. A user is enrolled by answering several questions based on her life experiences. Ex: mother's name, CAPTCHA

Access Control and Markup Languages

SPML(Service Provisioning Markup Language): allows for the exchange of provisioning data between applications, which could reside in one organization or many. SPML allows for the automation of user management (account creation, amendments, revocation) and access entitlement configuration related to electronically published services across multiple provisioning systems.

SAML (Security Assertion Markup Language): allows the exchange of authentication and authorization data to be shared between security domains

XACML(Extensible Access Control Markup Language): used to express security policies and access rights to assets provided through web services and other enterprise applications

FRR, RAR, CER

Type I error (false rejection rate) => FRR

Type II error (false acceptance rate) =>FAR

crossover error rate (CER): represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when determining the system’s accuracy. => 職越小準確性越高

The goal is to obtain low numbers for each type of error, but Type II errors are the most dangerous and thus the most important to avoid.

digital signature

uses a private key to encrypt a hash value (message digest).

Authorization Creep

As employees work at a company over time and move from one department to another, they often are assigned more and more access rights and permissions.

Main Components in Kerberos

Key Distribution Center (KDC): holds all users’ and services’ secret keys. It provides an authentication service, as well as key distribution functionality.

ticket granting service (TGS) : A ticket is generated by TGS on the KDC and given to a

principal when that principal, let’s say a user, needs to authenticate to another principal, let’s say a print server.

Examples of Single Sign-On Technologies

Kerberos : use symmetric algorithm

SESAME: use symmetric and asymmetric algorithm

Security domains: Resources working under the same security policy and managed by the same group

Directory services: Technology that allows resources to be named in a standardized manner and access control to be maintained centrally

Thin clients: Terminals that rely upon a central server for access control, processing, and storage

Access Control Models

1. Discretionary Access Control (DAC): enables the owner of the resource to specify which subjects can access specific resources. The most common implementation of DAC is through ACLs, which are dictated and set by the owners and enforced by the operating system.

2. Mandatory Access Control(MAC): users do not have the discretion of determining who can access objects as in a DAC model.In most systems based upon the MAC model, a user cannot install software, change file permissions, add new users, etc. The system can be used by the user for very focused and specific purposes. The rules for how subjects access objects are made by the organization’s security policy, configured by the security administrator, enforced by the operating system, and supported by security technologies. 

3. Role -Based Access Control(RBAC): role is defined in terms of the operations and tasks the role

will carry out, whereas a DAC model outlines which subjects can access what objects based upon the individual user identity