Week 4 Notes - Access Control & Security
Summary
These notes discuss access control, encompassing identification, authentication, and authorization. Password security and biometrics are highlighted, and the importance of strong passwords is explained, along with different types of security attacks.
Full Transcript
Week 4 notes

- **Access Control Overview:** It involves three stages:
  - **Identification** (claiming an identity)
  - **Authentication** (proving you are that identity)
  - **Authorization** (checking permissions for specific actions or data).
- **Authentication Factors:** These include:
  - something you **know** (e.g., passwords)
  - something you **have** (e.g., access cards)
  - something you **are** (e.g., biometrics like fingerprints or voice)
- **Multifactor Authentication (MFA):** Uses two or more of these factors for enhanced security, though it may impact usability. The choice depends on prioritizing either **security** or **ease of use**.

**Password security**

- **Password Security:** Challenges in password **generation** (balancing strength and memorability), with strength often measured by **entropy**. Common passwords can skew this calculation, so **Shannon's entropy** model helps estimate the difficulty of guessing predictable passwords.
- **Storage:** Uses **hashing** and **salts** to protect passwords, preventing direct storage of plain text.
  - A salt is a long pseudo-random string (generated using a cryptographically secure pseudorandom generator) which is prepended or appended to a password before it is hashed.
  - This means that if two or more users have the same password, they will have a different password hash due to the inclusion of a salt.
- **Attacks:** Include **brute force**, **dictionary attacks**, and use of **pre-computed hash tables**. Strategies like using **random salts** can mitigate risks.
- **Guidance:** Emphasizes using **three random words** for memorable and strong passwords.

**Biometrics**

- Physical biometrics:
  - Facial identification, fingerprint recognition, etc.
- Behavioural biometrics:
  - How a user types, etc.
- Identification Mode:
  - Using biometrics to find a user in a database.
- Verification Mode:
  - User matches with a stored template of biometric recognition.
- Limitations of fingerprint biometrics include:
  - Fingerprints can change due to cuts or other damage.
  - Wet fingerprints or sensors can cause issues with recognition.
  - Fingerprints can be faked using materials like gummy bears or lifted from surfaces.
- "Liveness detection" aims to ensure the fingerprint comes from a live person.
- Growing field of interest in "behavioural biometrics," e.g., how a person types.
- Concerns around biometrics:
  - Privacy concerns over storing sensitive biometric data.
  - Failure to capture can occur during enrolment or verification, impacting usability.
  - False accept and false reject rates must be balanced with system usability and cost.
  - Machine learning in biometrics raises concerns about diversity in training sets.

**Authorisations**

- Authorization determines if a user is permitted to complete a specific task after gaining system access.
- Differentiates authorization from identification and authentication.
- Traditional access control model by Lampson:
  - Four entities: subject (user/process), access request, object (resource), and reference monitor.
  - Reference monitor checks if the user has the correct authorization for the object.
  - Authorization can be assigned at the subject or object level.
  - Basic access modes: observe and alter, but richer sets exist.
- Principle of Least Privilege:
  - Users should only be given the minimum access necessary to perform their job.
  - Reduces the risk of information disclosure and privilege escalation attacks.
- Privilege escalation attacks:
  - Vertical escalation: gaining access to a higher privilege account (e.g., from regular user to HR).
  - Horizontal escalation: accessing similar functions but different data (e.g., accessing another user's bank account).
  - Real-world privilege escalation attacks occur, often through methods like password guessing or SQL injection.
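
The Storage and Attacks points under Password security, as an added example that is not part of the original notes: it stores the same password for two users with and without a salt and checks both stores against a precomputed hash table. It goes slightly beyond the notes by using PBKDF2-HMAC-SHA256 from Python's standard library (a deliberately slow hash that takes the salt as a separate input) instead of plain prepend-and-hash; the function names, iteration count, users and word list are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware

def unsalted_hash(password: str) -> str:
    """Weak baseline: plain SHA-256, identical for every user with this password."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    """Return 'iterations$salt_hex$hash_hex' using a fresh 16-byte CSPRNG salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))

def table_hits(stored_hashes: dict, table: dict) -> dict:
    """Map each user whose stored hash appears in a precomputed table to the password."""
    return {user: table[h] for user, h in stored_hashes.items() if h in table}

# Constructed sample data: a tiny list of common passwords, hashed once in advance.
COMMON = ["123456", "password", "qwerty"]
TABLE = {unsalted_hash(p): p for p in COMMON}  # hash -> password

def demo() -> dict:
    unsalted_db = {"alice": unsalted_hash("password"), "bob": unsalted_hash("password")}
    salted_db = {"alice": hash_password("password"), "bob": hash_password("password")}
    # A table would have to be rebuilt for every salt, so the shared one finds nothing.
    salted_digests = {u: r.split("$")[2] for u, r in salted_db.items()}
    return {
        "unsalted_identical": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_identical": salted_db["alice"] == salted_db["bob"],
        "unsalted_hits": table_hits(unsalted_db, TABLE),
        "salted_hits": table_hits(salted_digests, TABLE),
        "verify_ok": verify_password("password", salted_db["alice"]),
        "verify_wrong": verify_password("passw0rd", salted_db["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

Storing the iteration count and salt inside each record lets the work factor be raised later without invalidating existing entries.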