IS 430 Chapter 2 Slides

61 Terms

1

Authentication

Proving that someone (or something) is who they claim to be.

2

Identity

A claimed role or person. An identity is asserted first; authentication then checks the claim.

3

Authorization

Determining whether an authenticated subject is allowed to access an object or perform an action.

4

Methods of authentication

Something you know (knowledge, e.g., a password)

Something you are (biometric)

Something you have (token)

5

Attacks on "something you know"

Targets: passwords and security questions (answers to security questions are often public or guessable)

Dictionary attacks (try a list of common passwords)

Inferring passwords (from personal details such as names, birthdays and pets)

Guessing

Brute force attack (try every possible combination)

Rainbow tables (precomputed hash-to-password lookups used against stolen password hashes; a per-user salt makes the precomputation useless)
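
The dictionary and rainbow-table attacks above, run against a constructed "leaked" hash database, as an added example that is not part of the IS 430 slides. The wordlist, the user passwords and the salts are made up for the demo; the hash is plain SHA-256 only to keep the example dependency-free, whereas a real system should use a slow, salted password hash such as bcrypt, scrypt or Argon2.

```python
"""Dictionary attack and rainbow-table lookup against unsalted password hashes,
and why a per-user salt defeats precomputation.

Added example, not from the IS 430 slides. The "leaked" hashes and the wordlist
below are constructed; plain SHA-256 stands in for a real password hash.
"""
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for a dictionary of common passwords.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Winter2024!", "dragon"]


def unsalted_hash(password: str) -> str:
    """Stores only H(password): identical passwords give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Stores H(salt || password); the salt is random per user and kept beside the hash."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_rainbow_table(words: Iterable[str]) -> Dict[str, str]:
    """Precomputed hash -> password lookup (the idea behind a rainbow table; real tables
    compress chains, but the trade-off is the same: hash once, look up every leak)."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Rainbow-table attack: one lookup per stolen hash, no hashing at attack time."""
    return table.get(stored_hash)


def crack_salted(stored_hash: str, salt: bytes, words: Iterable[str]) -> Optional[str]:
    """Dictionary attack on a salted hash: the table is useless, so the attacker must
    rehash the whole wordlist under *this* user's salt."""
    for w in words:
        if salted_hash(w, salt) == stored_hash:
            return w
    return None


def demo() -> dict:
    table = build_rainbow_table(WORDLIST)
    # Two users chose the same weak password (constructed data).
    alice_unsalted, bob_unsalted = unsalted_hash("letmein"), unsalted_hash("letmein")
    alice_salt, bob_salt = os.urandom(16), os.urandom(16)
    alice_salted, bob_salted = salted_hash("letmein", alice_salt), salted_hash("letmein", bob_salt)
    strong = salted_hash("correct horse battery staple", bob_salt)
    return {
        "unsalted_hashes_collide": alice_unsalted == bob_unsalted,   # leaks shared password
        "rainbow_cracks_unsalted": crack_unsalted(alice_unsalted, table),
        "rainbow_cracks_salted": crack_unsalted(alice_salted, table),  # None: table useless
        "salted_hashes_collide": alice_salted == bob_salted,
        "dictionary_cracks_salted": crack_salted(alice_salted, alice_salt, WORDLIST),
        "strong_password_survives": crack_salted(strong, bob_salt, WORDLIST),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt does not stop a dictionary attack on a weak password (the last-but-one result still cracks "letmein"); it only forces the attacker to pay the hashing cost per user, which is why salting is paired with a deliberately slow hash.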

6

Problems with biometrics

Intrusive

Expensive

Single point of failure (a compromised biometric cannot be changed the way a password can)

Sampling error

False readings (false accepts and false rejects)

Speed

Forgery

7

Multifactor authentication

Using two or more factors from separate categories, e.g., a password (something you know) plus a one-time code from a token or phone app (something you have). Two factors from the same category, such as a password and a security question, do not count as multifactor.

8

Access policy goals

Check every access

Enforce least privilege

Verify acceptable usage

9

Federated identity management

A union of separate identification and authentication systems: one profile with one authentication method, and the separate systems share access to the authenticated identity database.

10

Single sign-on

Log in once per session. The SSO service maintains your identities and credentials for all the different systems you access and presents them on your behalf.

11

Difference between federated IM and single sign-on

FIM involves a single identity management module that replaces identification and authentication in all other systems.

With single sign-on, systems still call for individual identification and authentication, but the umbrella task performs those interactions on behalf of the user.

12

T/F: Single sign-on takes over sign-on and authentication to several independent systems for a user.

True

13

Reference monitor

The access control concept of a mediator that is always invoked (every access passes through it, so it cannot be bypassed), tamperproof, and small and simple enough to be verifiable.

14

Access control directory

Every file has a unique owner who controls its access rights. Each user has a file directory listing all files to which the user has access, together with the rights held.

15

Difficulties with access control directories

1) The list becomes too large if many shared objects are accessible to all users.

2) Revocation of access: the owner must find and update every directory that holds an entry for the object.

3) Pseudonyms: A and B have two different files both named F, and both want to allow access by S, so S's directory needs a way to tell the two apart.

16

Access control matrix

A table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object.

17

Access control list

Corresponds to a column of the access control matrix. There is one such list for each object, and the list shows all subjects who should have access to the object and what that access is.

18

Procedural access control

Each object is "hidden" behind a controller (a procedure) that performs all access to it; callers can only invoke the procedure, never touch the object directly.

19

Role-Based Access Control (RBAC)

Users are assigned roles, and access rights are attached to roles rather than to individual users, so a change of job becomes a change of role rather than a re-audit of every object.

20

Usage controls

Adds purpose (why the access is requested) to the subject, object and action of a conventional access decision.

21

Privilege list

A row of the access matrix, showing all the privileges or access rights for a given subject.

Advantage: revocation of a subject's rights. When a user is removed, the row shows every object the user can reach, so all of those rights can be removed at once.

22

Capability

An unforgeable token that gives its possessor certain rights to an object.

A ticket giving permission to a subject to have a certain type of access to an object.

23

Propagate

One possible access right: a subject holding it can pass copies of its capabilities to other subjects.

24

Domain

The collection of objects to which a process has access.
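
The access control matrix and the ideas of cards 13 through 24 (reference monitor, ACL as a column, privilege list / capabilities / domain as a row, the propagate right, and revocation from either view) in one runnable model. This is an added example, not code from the IS 430 slides; the subjects, objects and rights are constructed for the demo.

```python
"""Access control matrix with its two projections (ACL = column, capability or
privilege list = row), a reference monitor that mediates every request, the
"propagate" right, and revocation from each view.

Added example, not from the IS 430 slides; subjects, objects and rights are constructed.
"""
from collections import defaultdict
from typing import Dict, Set


class AccessControlMatrix:
    """Sparse matrix: rights[subject][obj] is the set of rights the subject holds on obj."""

    def __init__(self) -> None:
        self.rights: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self.rights[subject][obj].update(rights)

    # Column: the access control list stored with an object.
    def acl(self, obj: str) -> Dict[str, Set[str]]:
        return {s: set(objs[obj]) for s, objs in self.rights.items() if objs.get(obj)}

    # Row: the privilege list / capabilities / domain of a subject.
    def capabilities(self, subject: str) -> Dict[str, Set[str]]:
        return {o: set(r) for o, r in self.rights[subject].items() if r}

    # Reference monitor: the single decision point every access passes through; default deny.
    def check(self, subject: str, obj: str, right: str) -> bool:
        return right in self.rights[subject].get(obj, set())

    def propagate(self, giver: str, receiver: str, obj: str, right: str) -> bool:
        """Copy one of the giver's rights to another subject. Refused unless the giver
        holds both the right itself and the 'propagate' right on that object."""
        if not (self.check(giver, obj, "propagate") and self.check(giver, obj, right)):
            return False
        self.grant(receiver, obj, right)
        return True

    def revoke_object(self, obj: str) -> int:
        """ACL-style revocation: clear one column (every subject's rights on obj)."""
        removed = 0
        for objs in self.rights.values():
            removed += len(objs.pop(obj, set()))
        return removed

    def revoke_subject(self, subject: str) -> int:
        """Privilege-list-style revocation, e.g. a departing user: the row names every
        object the subject can reach, so all of those rights go at once."""
        objs = self.rights.pop(subject, {})
        return sum(len(r) for r in objs.values())


def demo() -> dict:
    m = AccessControlMatrix()
    m.grant("alice", "payroll.db", "read", "write", "propagate")
    m.grant("alice", "memo.txt", "read")
    m.grant("bob", "memo.txt", "read", "write")

    before = m.check("bob", "payroll.db", "read")                   # default deny
    granted = m.propagate("alice", "bob", "payroll.db", "read")     # alice may share
    after = m.check("bob", "payroll.db", "read")
    forwarded = m.propagate("bob", "carol", "payroll.db", "read")   # bob may not

    acl_payroll = m.acl("payroll.db")
    alice_row = m.capabilities("alice")
    removed_alice = m.revoke_subject("alice")        # her whole row: 3 + 1 rights
    removed_payroll = m.revoke_object("payroll.db")  # the column: bob's copied 'read'
    return {
        "before": before, "granted": granted, "after": after, "forwarded": forwarded,
        "acl_payroll": acl_payroll, "alice_row": alice_row,
        "removed_alice": removed_alice, "removed_payroll": removed_payroll,
        "bob_after_revocation": m.check("bob", "payroll.db", "read"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Both projections come from the same matrix, so the model makes the trade-off visible: revoking an object is one column scan (cheap with ACLs, stored with the object), revoking a departing user is one row (cheap with privilege lists, stored with the subject), and the reference monitor is the only place a decision is made.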

25

Problems addressed by encryption

An attacker wants to:

Block the message

Intercept the message

Modify the message

Fabricate a message

(Encryption directly counters interception; detecting modification and fabrication needs an integrity check or signature, and blocking is an availability problem that encryption alone cannot solve.)

26

Cryptosystem

A system for encryption and decryption.

27

Plaintext

Material in intelligible form.

28

Ciphertext

The encrypted message.

29

Symmetric encryption

One key both encrypts and decrypts.

30

Asymmetric encryption

One key encrypts; a different key decrypts.

31

Cryptography

"Hidden writing": using encryption to conceal text.

32

Stream cipher

Each bit or byte of the data stream is encrypted separately.

Advantage: can be applied immediately to whatever data items are ready to transmit (can be expensive).

33

Block cipher

Encrypts a group of plaintext symbols as one block.

34

Stream cipher advantages

Speed of transformation

Low error propagation (an error in one ciphertext symbol affects only that symbol)

35

Stream cipher disadvantages

Low diffusion (each plaintext symbol affects only one ciphertext symbol)

Susceptibility to malicious insertions and modifications (an attacker who knows the plaintext at a position can flip ciphertext bits to change it predictably)

36

Block cipher advantages

High diffusion

Immunity to insertion of symbols

37

Block cipher disadvantages

Slowness of encryption

Padding

Error propagation (one damaged ciphertext symbol garbles the whole block)
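
The four properties in cards 34 through 37 (diffusion, error propagation, and malleability under a bit flip) measured on two toy ciphers, as an added example that is not part of the IS 430 slides. Both ciphers are teaching constructions built from SHA-256 (a hash-counter keystream and a 4-round Feistel network whose round function is a keyed hash); they are not secure and are named here only to make the behaviour observable. The message, key and nonce are constructed.

```python
"""Stream vs block cipher behaviour on a toy scale: a keystream (XOR) cipher shows low
diffusion, low error propagation and easy malicious modification; a 4-round Feistel
block cipher shows high diffusion and whole-block error propagation.

Added example, not from the IS 430 slides. Both ciphers are simplified teaching
constructions (keystream = H(key||nonce||counter), Feistel round = H(key||i||half));
they are NOT secure. Use AES-GCM or ChaCha20-Poly1305 from a vetted library in real code.
"""
import hashlib
import os

BLOCK = 16          # bytes per block for the toy block cipher
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def stream_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same XOR; any length works with no padding."""
    return _xor(data, keystream(key, nonce, len(data)))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:HALF]


def block_encrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    """Feistel network: invertible for any round function, which is why the toy works."""
    assert len(block) == BLOCK, "exactly one block; padding is the caller's job"
    left, right = block[:HALF], block[HALF:]
    for i in range(rounds):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def bit_diff(a: bytes, b: bytes) -> int:
    """Hamming distance in bits."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, index: int) -> bytes:
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def demo() -> dict:
    key, nonce = os.urandom(16), os.urandom(8)
    msg = b"PAY ALICE $00100"            # exactly 16 bytes (constructed)

    # Stream: one plaintext bit -> one ciphertext bit (low diffusion); one damaged
    # ciphertext bit -> one damaged plaintext bit (low error propagation).
    ct = stream_crypt(key, nonce, msg)
    stream_diffusion = bit_diff(ct, stream_crypt(key, nonce, flip_bit(msg, 0)))
    stream_error = bit_diff(msg, stream_crypt(key, nonce, flip_bit(ct, 0)))

    # Malicious modification: knowing byte 11 is '0', the attacker XORs the ciphertext
    # with '0' ^ '9'; the victim decrypts "$90100" and sees no error at all.
    forged = bytearray(ct)
    forged[11] ^= ord("0") ^ ord("9")
    stream_forged = stream_crypt(key, nonce, bytes(forged))

    # Block: one flipped plaintext bit changes about half the ciphertext bits (high
    # diffusion); one flipped ciphertext bit garbles the whole decrypted block.
    bct = block_encrypt(key, msg)
    return {
        "stream_diffusion_bits": stream_diffusion,
        "stream_error_bits": stream_error,
        "stream_forged": stream_forged,
        "block_roundtrip": block_decrypt(key, bct) == msg,
        "block_diffusion_bits": bit_diff(bct, block_encrypt(key, flip_bit(msg, 0))),
        "block_error_bits": bit_diff(msg, block_decrypt(key, flip_bit(bct, 0))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The forged transfer is the practical lesson: a stream cipher with no integrity check lets anyone who knows part of the plaintext edit it bit for bit, which is why real deployments pair the cipher with a MAC (authenticated encryption). The block numbers show the flip side: better diffusion, but a single transmission error costs a whole block.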

38

DES (Data Encryption Standard)

Cryptographic standard developed in the 1970s by IBM and adopted as a U.S. federal standard in 1977 by the National Bureau of Standards (now NIST).

A careful and complex combination of two fundamental building blocks of encryption, substitution and transposition, applied over 16 rounds to 64-bit blocks with a 56-bit key.

Inadequate for high-security applications: the 56-bit key space can be searched exhaustively with modest hardware.

39

Double DES

Two 56-bit keys applied in sequence. A meet-in-the-middle attack reduces its effective strength to about 57 bits, so it is little stronger than single DES.

40

Two-key triple DES

Two 56-bit keys, applied encrypt-decrypt-encrypt (E-D-E with K1, K2, K1); 112 bits of key material, but known attacks give it less than that in effective strength.

41

Three-key triple DES

Three 56-bit keys (E-D-E with K1, K2, K3); 168 bits of key material, roughly 112 bits of effective strength. NIST has deprecated all forms of triple DES in favor of AES.

42

AES (Advanced Encryption Standard)

The Rijndael cipher, designed by Joan Daemen and Vincent Rijmen, selected by NIST in 2000 after an open competition and published as FIPS 197 in 2001. 128-bit blocks with 128-, 192- or 256-bit keys.

43

Asymmetric cryptography

Uses a key pair, a private key and a public key. The private key is kept secret and the public key is widely distributed.

44

Secret key (symmetric)

1 key

Key sizes: 56 bits (DES), 112 or 168 (triple DES), 128, 192 or 256 (AES)

Must be kept secret

Must be distributed out of band

Fast

45

Public key (asymmetric)

2 keys

Key size not fixed by the scheme (RSA keys of 2048 bits or more are typical today)

One key must be kept secret; the other can be freely exposed

The public key can be used to distribute other (symmetric) keys

Slow (on the order of 10,000 times slower than symmetric encryption)

46

Error detecting codes

Detect that a block of data has been modified.

47

Simple error detecting codes

Parity checks

Cyclic redundancy checks

48

Parity check

An extra bit is added to each byte of data, similar to a check digit, so that the total number of 1 bits is even (even parity) or odd (odd parity).

Even parity: the parity bit is 0 if the byte already has an even number of 1s, 1 otherwise.

Odd parity: the reverse.

Detects any single-bit error (any odd number of flipped bits) but misses two flipped bits.

49

Cyclic Redundancy Check (CRC)

A checksum computed by polynomial division that detects errors in recording and playback (and in transmission). It catches accidental burst errors, but having no key it can be recomputed by anyone who changes the data.

50

Cryptographic error detecting codes

One-way hash functions

Cryptographic checksums

Digital signatures

51

One-way hash function

A function that is easy to compute on every input but hard to invert: given the image of a random input, it is infeasible to find any input that maps to it.
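
Cards 46 through 51 side by side on sample data: a parity bit, a CRC, a one-way hash and a cryptographic checksum (HMAC), showing what each catches and what an attacker who can rewrite the data can defeat. This is an added example, not code from the IS 430 slides; the message, the attacker's edit and the server key are constructed for the demo.

```python
"""Error-detecting codes vs cryptographic integrity checks: a parity bit catches a
single flipped bit but not two; a CRC and a plain hash detect any accidental change,
but anyone who can alter the data can recompute them. Only a keyed checksum (HMAC
here) or a signature stops deliberate modification.

Added example, not from the IS 430 slides; message, tampering and key are constructed.
"""
import hashlib
import hmac
import zlib


def parity_bit(byte: int, even: bool = True) -> int:
    """Even parity: 0 if the byte already has an even number of 1 bits, else 1.
    Odd parity is the complement."""
    bit = bin(byte & 0xFF).count("1") % 2
    return bit if even else bit ^ 1


def parity_ok(byte: int, stored_bit: int, even: bool = True) -> bool:
    return parity_bit(byte, even) == stored_bit


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def crc_ok(data: bytes, tag: int) -> bool:
    return crc32(data) == tag


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_ok(data: bytes, tag: str) -> bool:
    return sha256(data) == tag


def mac(key: bytes, data: bytes) -> str:
    """Cryptographic checksum: HMAC-SHA256 over the data under a secret key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac(key, data), tag)   # constant-time compare


def demo() -> dict:
    byte = 0b0110_1001                       # four 1 bits -> even parity bit is 0
    stored = parity_bit(byte)
    one_flip, two_flips = byte ^ 0b0000_0001, byte ^ 0b0000_0011

    msg = b"transfer 100 to acct 42"
    tampered = b"transfer 900 to acct 42"    # attacker edits the amount
    key = b"server-side secret"              # constructed; never seen by the attacker
    genuine_tag = mac(key, msg)

    return {
        "parity_bit": stored,
        "parity_catches_one_flip": not parity_ok(one_flip, stored),
        "parity_catches_two_flips": not parity_ok(two_flips, stored),
        # Accidental corruption: the stored unkeyed tag no longer matches.
        "crc_detects_corruption": not crc_ok(tampered, crc32(msg)),
        "hash_detects_corruption": not hash_ok(tampered, sha256(msg)),
        # Deliberate tampering: the attacker recomputes the unkeyed tag and is accepted...
        "crc_accepts_forged_pair": crc_ok(tampered, crc32(tampered)),
        "hash_accepts_forged_pair": hash_ok(tampered, sha256(tampered)),
        # ...but cannot produce a valid HMAC without the key.
        "mac_rejects_old_tag": not mac_ok(key, tampered, genuine_tag),
        "mac_rejects_guessed_key": not mac_ok(key, tampered, mac(b"guess", tampered)),
        "mac_accepts_genuine": mac_ok(key, msg, genuine_tag),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The distinction to carry forward: parity and CRC are error-detecting codes for accidents, a plain hash only helps when the hash itself is stored somewhere the attacker cannot write, and an HMAC or signature is what turns "detect a change" into "detect a change by someone who does not hold the key".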

52

Properties of digital signatures

Non-repudiation (the signer cannot later deny having signed)

Authenticity (the signature verifies only with the signer's public key, so it proves origin and that the data is unchanged)

53

Certificate

A public key and an identity bound together and signed by a certificate authority.

54

Certificate authority

An authority that users trust to accurately verify identities before generating certificates that bind those identities to keys.
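
Cards 52 through 54 (and the summary cards on signatures and certificates below) as a runnable exchange: a CA signs an identity-plus-key binding, a relying party verifies that binding with the CA's public key, and the key holder proves possession by signing a challenge. This is an added example, not code from the IS 430 slides. It uses textbook RSA over fixed Mersenne primes with no padding purely so the arithmetic fits in the standard library; that is not a secure signature scheme, and the primes, names and challenge are constructed. Real systems use RSA-PSS or ECDSA from a vetted library and X.509 certificates.

```python
"""Digital signature, certificate and CA on a toy scale: the CA signs (identity,
public key); a relying party verifies that signature with the CA's public key before
trusting the key; the key holder then proves possession by signing a fresh challenge.

Added example, not from the IS 430 slides. Textbook RSA with fixed Mersenne primes
and no padding is used only so the arithmetic fits in the standard library; it is NOT
a secure scheme. Real systems use RSA-PSS/ECDSA from a library and X.509 certificates.
"""
import hashlib
import json
from typing import Dict, Tuple

E = 65537
# Fixed Mersenne primes, constructed for the demo; real keys use fresh random primes.
CA_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)
SERVER_PRIMES = ((1 << 31) - 1, (1 << 127) - 1)

Key = Tuple[int, int]  # (n, e) for a public key, (n, d) for a private key


def keygen(p: int, q: int, e: int = E) -> Tuple[Key, Key]:
    """Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(data: bytes, n: int) -> int:
    # Reduced mod n only because the toy moduli are smaller than a SHA-256 digest.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv: Key, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub: Key, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def _canonical(body: Dict) -> bytes:
    """Deterministic encoding so signer and verifier hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True).encode()


def issue_certificate(ca_priv: Key, subject: str, subject_pub: Key) -> Dict:
    """The CA binds an identity to a public key; its signature covers both fields."""
    body = {"subject": subject, "n": subject_pub[0], "e": subject_pub[1], "issuer": "Demo CA"}
    return {"body": body, "signature": sign(ca_priv, _canonical(body))}


def verify_certificate(ca_pub: Key, cert: Dict) -> bool:
    return verify(ca_pub, _canonical(cert["body"]), cert["signature"])


def demo() -> dict:
    ca_pub, ca_priv = keygen(*CA_PRIMES)
    srv_pub, srv_priv = keygen(*SERVER_PRIMES)
    cert = issue_certificate(ca_priv, "bank.example", srv_pub)

    # An attacker re-labels the certificate or swaps in another modulus: the CA's
    # signature no longer matches, so the relying party refuses the key.
    renamed = {"body": dict(cert["body"], subject="evil.example"), "signature": cert["signature"]}
    swapped = {"body": dict(cert["body"], n=cert["body"]["n"] + 2), "signature": cert["signature"]}

    # Proof of possession: only the private key holder can sign the challenge, and the
    # signature transfers neither to another message nor to another key.
    challenge = b"nonce-7f3a9c"      # constructed; a real client picks this at random
    sig = sign(srv_priv, challenge)
    key_from_cert = (cert["body"]["n"], cert["body"]["e"])
    return {
        "cert_valid": verify_certificate(ca_pub, cert),
        "renamed_cert_valid": verify_certificate(ca_pub, renamed),
        "swapped_key_cert_valid": verify_certificate(ca_pub, swapped),
        "challenge_verifies": verify(key_from_cert, challenge, sig),
        "other_message_verifies": verify(key_from_cert, b"nonce-000000", sig),
        "other_key_verifies": verify(ca_pub, challenge, sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The relying party never trusts the server's key directly; it trusts the CA's key (obtained out of band) and accepts the server's key only because the CA's signature over the identity-key pair still verifies. That chain is what lets two parties exchange keys with confidence in each other's identity.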

55

Secret key

Protecting the confidentiality and integrity of data at rest or in transit.

56

Public key

Exchanging encryption keys

Signing data to show authenticity and proof of origin

57

Error detection codes

Detect (accidental) changes in data.

58

Cryptographic hash function

Detect changes in data. When combined with a secret key (a keyed hash, or MAC), only the data owner can compute the correct value, so deliberate changes are detected as well.

59

Error correction codes

Detect and repair errors in data.

60

Digital signatures

Attest to the authenticity of data.

61

Digital certificates

Allow parties to exchange cryptographic keys with confidence in the identities of both parties.