• Digital Identity
• Digital identity is the network or Internet equivalent to the real identity of a person
or entity
• Information on an entity used by a computer system to represent an external
agent, where the agent may be a person, organization, application, or device
• Examples – username and password, DOB, purchasing history, electronic
transactions, etc.
User 1 – Attribute (Department Technical Role): Developer; Trait (Biometric): n/a
User 2 – Attribute (Department Technical Role): NOC Admin; Trait (Biometric): Fingerprints for Server Room Access
• Passwords are the weakest form of authentication and can easily be sniffed.
• Solution – Digital Signatures (Private Key)
• Digital signature is a technology that uses a private key to encrypt a hash
value (message digest).
• The act of encrypting this hash value with a private key is called digitally signing a
message
• A private key is a secret value that is in the possession of one person, and
one person only
• A digital signature attached to a message proves the message originated
from a specific source and that the message itself was not changed while in
transit.
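The sign-and-verify steps described above, as an added example written for this page (not code from the original slides) using Go's standard library: the sender hashes the message with SHA-256 and signs the digest with the RSA private key, and the receiver recomputes the digest and checks it with the public key. The message text, the tampered copy and the second key pair are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignMessage hashes the message with SHA-256 and signs the digest with the
// private key (RSA PKCS#1 v1.5): the "encrypt the hash with the private key" step.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage recomputes the digest and checks the signature with the public key;
// true only if the message is unchanged and the matching private key signed it.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs a constructed message and checks the original with the signer's key,
// a tampered copy, and the original against another key. Expected: true, false, false.
func Demo() (okOriginal, okTampered, okWrongKey bool, err error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // constructed second key pair, not the signer's
	if err != nil {
		return
	}
	msg := []byte("Pay 100 EUR to account 42") // constructed sample message
	sig, err := SignMessage(signer, msg)
	if err != nil {
		return
	}
	tampered := []byte("Pay 900 EUR to account 42") // same message altered in transit
	okOriginal = VerifyMessage(&signer.PublicKey, msg, sig)
	okTampered = VerifyMessage(&signer.PublicKey, tampered, sig)
	okWrongKey = VerifyMessage(&other.PublicKey, msg, sig)
	return
}

func main() {
	fmt.Println(Demo())
}
```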
• A memory card is a storage device that can hold user information used
for authentication
• During authentication, the user needs to type in a user ID or PIN and
present the memory card; if the data that the user entered
matches the data on the memory card, the user is successfully
authenticated (Strong Auth.)
• Examples – swipe cards, ATM cards, etc.
• Memory cards provide a more secure authentication method than
using a password
• But they add cost, as they require a reader to process the information
• The contact smart card has a gold seal (integrated chip) on the face of
the card and an external terminal
• The contactless smart card has an antenna wire that surrounds the
perimeter of the card
• Authentication (Who you are) and authorization (What you can do)
comprise a two-step process that determines whether an individual is
allowed to access a particular resource
• First step - The individual must prove to the system that he is who he
claims to be
• Second step - After successful authentication, the system must
establish whether the user is authorized to access the particular
resource and what actions he is permitted to perform on that
resource.
SAML SSO flow (figure) between the user (coming from browser), Google (service provider) and ABC Corp. (identity provider):
2. Google creates SAML & redirects browser to SSO URL
3. Browser opens SSO URL & ABC corp. authenticates user.
4. ABC corp. sends back encoded SAML response.
5. Browser sends SAML encoded response to Google
6. Google verifies response & authenticates user to Gmail.
Classification levels (figure), highest to lowest: Top Secret, Secret, Confidential, Unclassified
Rules shown: No read down; No write up
• Users do not have the discretion of determining who can access objects.
• MAC model greatly reduces the amount of rights, permissions, and
functionality a user has for security purposes.
• Systems having MAC are very specialized and are in place to protect
highly classified data.
• MAC works on a security clearance model.
• The only OS to support MAC is SE-Linux.
• It uses specific rules that indicate what can and cannot happen between a
subject and an object.
• Based on the simple concept of “if X then Y”
• Rule-based access control is not necessarily identity-based.
• A type of compulsory control, because the administrator sets the rules and
the users cannot modify these controls.
• Rule-based is not identity-based: a company may have a policy that
dictates that e-mail attachments can only be 5MB or smaller. This rule
affects all users.
• If rule-based were identity-based, it would mean that Sue can accept
attachments of 10MB and smaller, Bob can accept attachments of 2MB and
smaller, and Don can only accept attachments of 1MB and smaller.
• An attacker can use a program that presents to the user a fake logon
screen, which often tricks the user into attempting to log on.
• The user is asked for a username and password, which are stored for
the attacker to access at a later time. A fake error message can appear,
indicating that the user mistyped his credentials.
• At this point, the fake logon program exits and hands control over to the
operating system, which prompts the user for a username and password.
• The user assumes he mistyped his information and doesn’t give it a
second thought, but an attacker now knows the user’s credentials.