2 Access, Authentication and Encryption

Note on Identification, Authentication, Access Control, and Encryption

Page 2: Identification

  • Definition: The process of verifying the identity of a user, process, or device.

    • Purpose: A prerequisite for granting access to resources in an IT system.

    • Function: Presents an identifier to a system to recognize and distinguish entities (e.g., user, process, device).

Page 4: Authentication

  • Definition: Establishing confidence in the identity of users of information systems.

    • Process: Takes a user’s identity from the operating system and passes it to an authentication server for verification.

    • Function: Confirms an entity���s identity or the origin of information.

Page 6: Identification and Authentication

  • Identification Methods:

    • Email or phone number.

  • Authentication Methods:

    • Password.

    • Options for user actions: Log In, Forgot password, Create new account.

Page 7: Authorization

  • Definition: Access privileges granted to a user, program, or process.

    • Management: Implemented through Access Control.

    • Purpose: Granting or denying specific requests to:

      1. Obtain and use information and related processing services.

      2. Enter specific physical facilities (e.g., federal buildings, military establishments).

Page 8: Access Control List

  • Definition: A list of permissions associated with an object.

    • Function: Specifies who or what can access the object and what operations are allowed.

    • Mechanism: Implements access control by enumerating permitted system entities and their access modes.

Page 9: Encryption

  • Definition: Conversion of data into a code.

    • Process: Data is coded before transmission and decoded after.

    • Security: Unauthorized users can access data but cannot decode it without the encryption key.

    • Terminology: Ciphertext refers to data in its encrypted form.

Page 10: Encryption Process

  • Software Functionality: Uses a fixed algorithm and an encryption key to manipulate plaintext.

    • Transmission: Information is sent as ciphertext and translated back into plaintext by the receiver.

    • Security: Accessing data during transmission requires the encryption key to understand the information.

Page 11: Types of Encryption

  • Public Key (Asymmetric) Encryption

  • Private Key (Symmetric) Encryption

Page 12: Private Key Encryption (Symmetric)

  • Security Level: Less secure than public-key method due to reliance on a single secret key for each pair of parties.

Page 14: Private Key Methods

  • Data Encryption Standard (DES): A prevalent shared private key method developed by the US government, based on 56 binary digits.

  • Advanced Encryption Standard: Succeeded DES due to vulnerabilities to brute force attacks.

Page 15: Public Key Encryption (Asymmetric)

  • Definition: Uses a public-private key pair for encryption and/or digital signature.

    • Functionality: Information encrypted with a public key can only be decrypted with the corresponding private key.

Page 17: Uses of Public Key System (Asymmetric)

  • Confidential Communication: Ensures only the holder of the private key can decrypt and read the communication.

Page 18: Authenticity using Digital Signature

  • Process: The sender uses their private key to encode a document, and the recipient uses the sender’s public key to decode it.

    • Assurance: Decoding with the public key verifies the document's authenticity.

Page 19: Digital Certificate

  • Definition: A coded electronic certificate containing:

    1. Holder’s name.

    2. Copy of its public key.

    3. Serial number.

    4. Expiration date.

  • Purpose: Verifies the holder’s identity.

Page 20: Individual Digital Certificate

  • Usage: Identifies a person and includes personal information.

    • Applications: Signing electronic documents and emails, implementing access control for sensitive information.

Page 21: Server Certificates

  • Definition: Identify a server and contain the host name or IP address.

    • Usage: Ensures secure communication of data over a network, especially in Internet Banking transactions.

Page 22: Encryption Certificates

  • Purpose: Used to encrypt messages using the recipient's public key to ensure data confidentiality during transmission.

Page 23: Public Key Infrastructure

  • Definition: A system managing the distribution, authentication, and revocation of digital certificates.

    • Relevance: Essential for internet banking and providers of highly