Note on Identification, Authentication, Access Control, and Encryption

Page 2: Identification

• Definition: The process of verifying the identity of a user, process, or device.

  • Purpose: A prerequisite for granting access to resources in an IT system.

  • Function: Presents an identifier to a system to recognize and distinguish entities (e.g., user, process, device).

Page 4: Authentication

• Definition: Establishing confidence in the identity of users of information systems.

  • Process: Takes a user’s identity from the operating system and passes it to an authentication server for verification.

  • Function: Confirms an entity���s identity or the origin of information.

Page 6: Identification and Authentication

• Identification Methods:

  • Email or phone number.

• Authentication Methods:

  • Password.

  • Options for user actions: Log In, Forgot password, Create new account.

Page 7: Authorization

• Definition: Access privileges granted to a user, program, or process.

  • Management: Implemented through Access Control.

  • Purpose: Granting or denying specific requests to:

    1. Obtain and use information and related processing services.

    2. Enter specific physical facilities (e.g., federal buildings, military establishments).

Page 8: Access Control List

• Definition: A list of permissions associated with an object.

  • Function: Specifies who or what can access the object and what operations are allowed.

  • Mechanism: Implements access control by enumerating permitted system entities and their access modes.

Page 9: Encryption

• Definition: Conversion of data into a code.

  • Process: Data is coded before transmission and decoded after.

  • Security: Unauthorized users can access data but cannot decode it without the encryption key.

  • Terminology: Ciphertext refers to data in its encrypted form.

Page 10: Encryption Process

• Software Functionality: Uses a fixed algorithm and an encryption key to manipulate plaintext.

  • Transmission: Information is sent as ciphertext and translated back into plaintext by the receiver.

  • Security: Accessing data during transmission requires the encryption key to understand the information.

Page 11: Types of Encryption

• Public Key (Asymmetric) Encryption

• Private Key (Symmetric) Encryption

Page 12: Private Key Encryption (Symmetric)

• Security Level: Less secure than public-key method due to reliance on a single secret key for each pair of parties.

Page 14: Private Key Methods

• Data Encryption Standard (DES): A prevalent shared private key method developed by the US government, based on 56 binary digits.

• Advanced Encryption Standard: Succeeded DES due to vulnerabilities to brute force attacks.

Page 15: Public Key Encryption (Asymmetric)

• Definition: Uses a public-private key pair for encryption and/or digital signature.

  • Functionality: Information encrypted with a public key can only be decrypted with the corresponding private key.

Page 17: Uses of Public Key System (Asymmetric)

• Confidential Communication: Ensures only the holder of the private key can decrypt and read the communication.

Page 18: Authenticity using Digital Signature

• Process: The sender uses their private key to encode a document, and the recipient uses the sender’s public key to decode it.

  • Assurance: Decoding with the public key verifies the document's authenticity.

Page 19: Digital Certificate

• Definition: A coded electronic certificate containing:

  1. Holder’s name.

  2. Copy of its public key.

  3. Serial number.

  4. Expiration date.

• Purpose: Verifies the holder’s identity.

Page 20: Individual Digital Certificate

• Usage: Identifies a person and includes personal information.

  • Applications: Signing electronic documents and emails, implementing access control for sensitive information.

Page 21: Server Certificates

• Definition: Identify a server and contain the host name or IP address.

  • Usage: Ensures secure communication of data over a network, especially in Internet Banking transactions.

Page 22: Encryption Certificates

• Purpose: Used to encrypt messages using the recipient's public key to ensure data confidentiality during transmission.

Page 23: Public Key Infrastructure

• Definition: A system managing the distribution, authentication, and revocation of digital certificates.

  • Relevance: Essential for internet banking and providers of highly