Domain 5 - Identity and Access Management
Authentication Methods
Type 1: Something you Know
Passwords
Static Passwords
Passphrases
One-time Passwords
Dynamic Passwords
Strong authentication
(multifactor authentication)
Password guessing
Account lockouts
Clipping level
Password Hashes
password cracking
Dictionary Attacks
Brute Force
Rainbow Tables
Hybrid Attack
(changes of characters, e.g. A -)
Salts
(random 'salt' value leads to different hash for same password)
Replay attacks
Type 2: Something you Have
Asynchronous Dynamic Token
Challenge-response token
e.g. Bank money transfer with smartcard
Synchronous Dynamic Token
Counter-based
Software-based
(soft token)
Hardware-based
(e.g. RSA SecurID)
Time-based
Type 3: Something you Are
Biometric Fairness
(not everyone has fingers, eyes)
Psychological Comfort
(no unnecessary stress)
Safety
(e.g. no exchange of body fluids)
Biometric Enrollment and Throughput
Accuracy
FRR
(False Rejection Rate) Type I Error
FAR
(False Acceptance Rate) Type II Error
CER
(Crossover Error Rate) Overall Accuracy
Types of Biometric Control
Fingerprints
Retina Scan
Iris Scan
Hand Geometry
Keyboard Dynamics
Dynamic Signature
Voiceprint
Facial Scan
Someplace you are
e.g. Credit card companies checking location
Access Control Techniques
Centralized AC
Decentralized AC
SSO
(Single Sign On)
Session Mgmt
(timeout and screensavers)
Access Provisioning Lifecycle
Check compliance with password policy
Notify users to change password before expiration
identify/delete inactive user accounts
Access Aggregation
(user gains access to more systems)
Authorization Creep
(user gains more access without shedding old rights)
FIdM
Federated Identity Management
SSO from cross-organization to Internet scale
e.g. FOAF concept
SAML
(Security Assertion Markup Language)
XML-based framework for exchanging security information
goal: enable web SSO
IDaaS
Identity as a Service
Credential Management Service
secure password generation
secure password storage
credential check-in/out
automatic password rotation
LDAP
Lightweight Directory Access Protocol
open application layer protocol for interfacing and querying directory service information provided by network operating systems
clear text or encrypted
Kerberos
(third-party authentication service in networks)
symmetric encryption, mutual authentication of client and server
Principle
KDC
(Key Distribution Center)
TGS
(Ticket Granting Service)
AC Protocols and Frameworks
RADIUS
(Remote Authentication Dial In User Service)
third-party authentication system
AAA system
Diameter
RADIUS' successor
TACACS / TACACS+
(Terminal Access Controller Access Control System)
centralized AC system
PAP
(Password Authentication Protocol)
password sent via network in plain text
weak authentication method
CHAP
(Challenge Handshake Authentication Protocol)
protection against replay (playback) attacks
Microsoft Windows Active Directory Domains
transitive trust relationship
intransitive trust relationship
based on Kerberos Authentication Protocol
each domain has separate authentication process/space
SESAME
(Secure European System for Applications in a Multi-Vendor Environment)
SSO system
supports heterogeneous environments
a kind of successor to Kerberos
public key encryption (asymmetric)
uses PAC (Privilege Attribute Certificates)
Access Control Models
DAC
(Discretionary AC)
subject has full control of objects they have created or been assigned to
e.g. Windows
MAC
(Mandatory AC)
system-enforced AC based on subject's clearance and object's label
expensive/difficult to implement
NDAC
(Non-discretionary)
= RBAC (role-based)
subject assigned to role
role has authorization for xyz
Rule-based AC
e.g. IF/THEN statement
e.g. IF user authorized to surf AND website on safe list THEN
Content and Context-Dependent AC
Content-dependent = additional criteria beyond identification/authentication
Context-dependent = additional context such as time window, location
AAA (the three A's)
Authentication
Authorization
Accountability