Week 4 Notes - Access Control & Security
Document Details
Uploaded by Deleted User
Tags
Summary
These notes discuss access control, encompassing identification, authentication, and authorization. Password security and biometrics are highlighted, and the importance of strong passwords are explained, along with different types of security attacks.
Full Transcript
Week 4 notes - **Access Control Overview:** It involves three stages: - **Identification** (claiming an identity) - **Authentication** (proving you are that identity) - **Authorization** (checking permissions for specific actions or data). - **Authentication Factor...
Week 4 notes - **Access Control Overview:** It involves three stages: - **Identification** (claiming an identity) - **Authentication** (proving you are that identity) - **Authorization** (checking permissions for specific actions or data). - **Authentication Factors:** These include: - something you **know** (e.g., passwords) - something you **have** (e.g., access cards) - something you **are** (e.g., biometrics like fingerprints or voice) - **Multifactor Authentication (MFA):** Uses two or more of these factors for enhanced security, though it may impact usability. The choice depends on prioritizing either **security** or **ease of use**. **Password security** - **Password Security:** Challenges in password **generation** (balancing strength and memorability), with strength is often measured by **entropy**. Common passwords can skew this calculation, so **Shannon\'s entropy** model helps estimate the difficulty of guessing predictable passwords. - **Storage:** Uses **hashing** and **salts** to protect passwords, preventing direct storage of plain text. - A salt is a long pseudo-random string (generated using a cryptographically secure pseudorandom generator) which is prepended or appended to a password before it is hashed. - This means that if two or more users have the same password, they will have a different password hash due to the inclusion of a salt. - **Attacks:** Include **brute force**, **dictionary attacks**, and use of **pre-computed hash tables**. Strategies like using **random salts** can mitigate risks. - **Guidance:** Emphasizes using **three random words** for memorable and strong passwords. **Biometrics** - Physical biometrics: - Facial identification, fingerprint recognition, etc. - Behavioural biometrics: - How a user types etc. - Identification Mode: - Using biometrics to find a user in a database - Verification Mode: - User matches with a stored template of biometric recognition. - Limitations of fingerprint biometrics include: - Fingerprints can change due to cuts or other damage. - Wet fingerprints or sensors can cause issues with recognition. - Fingerprints can be faked using materials like gummy bears or lifted from surfaces. - \"Liveliness detection\" aims to ensure the fingerprint comes from a live person. - Growing field of interest in \"behavioural biometrics,\" e.g., how a person types. - Concerns around biometrics: - Privacy concerns over storing sensitive biometric data. - Failure to capture can occur during enrolment or verification, impacting usability. - False accept and false reject rates must be balanced with system usability and cost. - Machine learning in biometrics raises concerns about diversity in training sets. **Authorisations** - Authorization determines if a user is permitted to complete a specific task after gaining system access. - Differentiates authorization from identification and authentication. - Traditional access control model by Lampson: - Four entities: subject (user/process), access request, object (resource), and reference monitor. - Reference monitor checks if the user has the correct authorization for the object. - Authorization can be assigned at the subject or object level. - Basic access modes: observe and alter, but richer sets exist. - Principle of Least Privilege: - Users should only be given the minimum access necessary to perform their job. - Reduces the risk of information disclosure and privilege escalation attacks. - Privilege escalation attacks: - Vertical escalation: gaining access to a higher privilege account (e.g., from regular user to HR). - Horizontal escalation: accessing similar functions but different data (e.g., accessing another user's bank account). - Real-world privilege escalation attacks occur, often through methods like password guessing or SQL injection.