2 Authentication - Access Control & Cryptography
SECURITY IN COMPUTING, FIFTH EDITION
Chapter 2: Toolbox: Authentication, Access Control, and Cryptography
Authentication
• The act of proving that a user is who she says she is
• Methods:
• Something the user knows (a password or PIN)
• Something the user is (a biometric)
• Something the user has (a token or smart card)
Password Storage
Figure: password storage, plaintext vs. concealed
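The contrast the figure draws, as an added example that is not from the book: a plaintext user table beside a concealed one that keeps only a salted, slow hash (PBKDF2-HMAC-SHA256 with an assumed fixed work factor), with the checks a practitioner expects at login: a constant-time comparison and a dummy hash for unknown users so timing does not reveal which usernames exist. The user table and passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumption for the example: a fixed PBKDF2 work factor.
PBKDF2_ITERATIONS = 100_000


def store_plaintext(table: dict, username: str, password: str) -> None:
    """Plaintext storage: anyone who reads the table has every password."""
    table[username] = password


def check_plaintext(table: dict, username: str, password: str) -> bool:
    return table.get(username) == password


def store_concealed(table: dict, username: str, password: str) -> None:
    """Concealed storage: keep only a salted, slow hash of the password."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    table[username] = {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def check_concealed(table: dict, username: str, password: str) -> bool:
    record = table.get(username)
    if record is None:
        # Hash anyway so a missing user takes as long as a wrong password
        # (otherwise response time reveals which usernames exist).
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def demo() -> dict:
    """Show what an attacker who dumps each table learns (constructed data)."""
    plain, concealed = {}, {}
    store_plaintext(plain, "alice", "correct horse battery staple")
    store_concealed(concealed, "alice", "correct horse battery staple")
    store_concealed(concealed, "bob", "correct horse battery staple")
    return {
        "plaintext_dump_reveals_password": plain["alice"],
        # Same password, different salts -> different digests, so a dump does
        # not even reveal that alice and bob share a password.
        "same_password_same_digest": concealed["alice"]["digest"] == concealed["bob"]["digest"],
        "alice_login_ok": check_concealed(concealed, "alice", "correct horse battery staple"),
        "alice_wrong_password": check_concealed(concealed, "alice", "Correct horse battery staple"),
        "unknown_user": check_concealed(concealed, "carol", "anything"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is what prevents a precomputed table from cracking every account at once; the iteration count is what makes each guess expensive. Both are stored next to the digest because neither needs to be secret.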
From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
Biometrics are still inadequate for extremely sensitive applications, but their convenience makes them a great alternative to weak passwords.
Single Sign-On
Single sign-on lets a user log on once per session but access many different applications/systems.
It often works in conjunction with federated identity management, with the federated identity provider acting as the source of authentication for all the applications.
Access Policies
• Goals:
• Check every access
• Enforce least privilege
• Verify acceptable usage
• Track users’ access
• Enforce at appropriate granularity
• Use audit logging to track accesses
Reference Monitor
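A reference monitor that meets the access-policy goals listed above, as an added example that is not from the book: every operation on a protected object is routed through one check (complete mediation), the policy lists only the rights each subject needs and denies everything else (least privilege, default deny), and each decision, allowed or denied, is appended to an audit log that can be queried afterwards. The policy table, subjects and object names are constructed for the example.

```python
import time
from typing import List, Optional

# Constructed policy: each subject holds only the rights its job needs.
# Anything not listed is denied.
POLICY = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "wiki"): {"read", "write"},
    ("backup", "payroll.db"): {"read"},
}


class ReferenceMonitor:
    """Every access to every object goes through check(): complete mediation."""

    def __init__(self, policy: dict):
        self._policy = policy
        self.audit_log: List[dict] = []  # append-only record of every decision

    def check(self, subject: str, obj: str, right: str, now: Optional[float] = None) -> bool:
        allowed = right in self._policy.get((subject, obj), set())  # default deny
        self.audit_log.append({
            "time": time.time() if now is None else now,
            "subject": subject, "object": obj, "right": right,
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed


class ProtectedObject:
    """An object that refuses to operate unless the monitor approved the call."""

    def __init__(self, name: str, monitor: ReferenceMonitor):
        self.name = name
        self._monitor = monitor
        self._data = ""

    def read(self, subject: str) -> str:
        if not self._monitor.check(subject, self.name, "read"):
            raise PermissionError(f"{subject} may not read {self.name}")
        return self._data

    def write(self, subject: str, data: str) -> None:
        if not self._monitor.check(subject, self.name, "write"):
            raise PermissionError(f"{subject} may not write {self.name}")
        self._data = data


def denied_attempts(monitor: ReferenceMonitor, subject: str) -> List[dict]:
    """Audit query: what did this subject try that the policy refused?"""
    return [e for e in monitor.audit_log
            if e["subject"] == subject and e["decision"] == "DENY"]


def demo() -> dict:
    rm = ReferenceMonitor(POLICY)
    payroll = ProtectedObject("payroll.db", rm)
    payroll.write("alice", "salaries...")
    outcome = {"bob_reads": payroll.read("bob")}
    try:
        payroll.write("bob", "give bob a raise")  # bob holds read only
        outcome["bob_writes"] = True
    except PermissionError:
        outcome["bob_writes"] = False
    try:
        payroll.read("mallory")  # no policy entry at all -> denied
        outcome["mallory_reads"] = True
    except PermissionError:
        outcome["mallory_reads"] = False
    outcome["bob_denied_count"] = len(denied_attempts(rm, "bob"))
    outcome["total_checks"] = len(rm.audit_log)
    return outcome
```

The property that matters is that `ProtectedObject` has no code path that touches `_data` without calling `check`; the audit log is useful only because the monitor is the single point every access passes through.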
Encryption Terminology
• Sender
• Recipient
• Transmission medium
• Interceptor/intruder
• Encrypt, encode, or encipher
• Decrypt, decode, or decipher
• Cryptosystem
• Plaintext
• Ciphertext
A history of encryption
Encryption/Decryption Process
Stream Ciphers
Block Ciphers
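The stream-cipher structure from the two slides above, as an added example that is not from the book: a keystream is generated from the key and a nonce, and each plaintext byte is XORed with one keystream byte, so decryption is the same operation. A block cipher instead transforms fixed-size blocks and needs a mode of operation; in counter mode it produces exactly this kind of keystream. Assumption: the keystream generator is a toy built from HMAC-SHA256 over a counter, standing in for a real cipher (ChaCha20, AES-CTR) so the example runs with the standard library; it is not a vetted cipher. The example also shows the two failure modes a practitioner must handle: reusing a nonce under the same key leaks the XOR of the two plaintexts, and a stream ciphertext is malleable, so it needs a MAC alongside it.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter), counter mode (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream cipher: each plaintext byte is XORed with one keystream byte."""
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


# XOR is its own inverse, so decryption is the same operation.
stream_decrypt = stream_encrypt


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def demo() -> dict:
    key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    m1 = b"transfer 100 to alice"   # constructed messages of equal length
    m2 = b"transfer 999 to bob  "
    c1 = stream_encrypt(key, nonce, m1)
    c2_fresh = stream_encrypt(key, secrets.token_bytes(12), m2)  # fresh nonce: fine
    c2_reused = stream_encrypt(key, nonce, m2)                   # same nonce: bad
    # With a reused keystream, C1 XOR C2 = M1 XOR M2: the keystream cancels and
    # an interceptor who knows (or guesses) one message recovers the other.
    m2_recovered = xor_bytes(xor_bytes(c1, c2_reused), m1)
    # Malleability: flipping ciphertext bits flips the same plaintext bits.
    # Byte 9 of m1 is the '1' of "100"; XOR with ('1' ^ '9') turns it into '9'.
    flipped = bytearray(c1)
    flipped[9] ^= ord("1") ^ ord("9")
    return {
        "roundtrip": stream_decrypt(key, nonce, c1),
        "ciphertext_differs_from_plaintext": c1 != m1,
        "reuse_leaks_m2": m2_recovered,
        "fresh_nonce_leaks_nothing": xor_bytes(xor_bytes(c1, c2_fresh), m1) == m2,
        "malleated": stream_decrypt(key, nonce, bytes(flipped)),
    }
```

Both failure modes are properties of the XOR structure, not of this toy generator: a real stream cipher with a repeated nonce or without a MAC fails in exactly the same way.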
Parity Check
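A parity check worked through, as an added example that is not from the book: one parity bit is appended so the number of 1 bits is even, a single flipped bit is detected, and two flipped bits are not. The caveat a practitioner wants is also shown: because an attacker can choose which bits to flip, a change that keeps the parity even (here "PAY 100" to "PAY 700", which flips exactly two bits) passes the parity check, whereas a keyed check (HMAC-SHA256 with an assumed shared key) catches it. The message is constructed for the example.

```python
import hashlib
import hmac
import secrets


def parity_bit(data: bytes) -> int:
    """Even parity: 1 if data has an odd number of 1 bits, else 0, so that
    data plus the parity bit always has an even number of 1 bits."""
    ones = sum(bin(b).count("1") for b in data)
    return ones & 1


def attach_parity(data: bytes) -> bytes:
    return data + bytes([parity_bit(data)])


def parity_ok(frame: bytes) -> bool:
    data, p = frame[:-1], frame[-1]
    return parity_bit(data) == p


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    out = bytearray(frame)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def demo() -> dict:
    frame = attach_parity(b"PAY 100")  # constructed message plus parity byte
    key = secrets.token_bytes(32)      # assumption: key shared with the receiver
    tag = hmac.new(key, frame, hashlib.sha256).digest()

    one_flip = flip_bit(frame, 3)       # a single noise-induced bit error
    two_flips = flip_bit(one_flip, 11)  # a second error cancels in the parity sum

    # Deliberate modification: '1' (0x31) -> '7' (0x37) differs in two bits,
    # so the forged frame still has even parity.
    forged = bytearray(frame)
    forged[4] ^= 0x31 ^ 0x37
    forged = bytes(forged)
    forged_tag = hmac.new(key, forged, hashlib.sha256).digest()

    return {
        "clean_ok": parity_ok(frame),
        "one_flip_detected": not parity_ok(one_flip),
        "two_flips_detected": not parity_ok(two_flips),
        "forgery_text": forged[:-1].decode(),
        "forgery_detected_by_parity": not parity_ok(forged),
        "forgery_detected_by_mac": not hmac.compare_digest(tag, forged_tag),
    }
```

Parity (and checksums and CRCs generally) protects against accidental errors; only a check that depends on a secret the attacker lacks protects against deliberate ones.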
• A certificate authority is an authority that users trust to accurately verify identities before generating certificates that bind those identities to keys.
Summary
• Users can authenticate using something they know, something they are, or something they have
• Systems may use a variety of mechanisms to implement access control
• Encryption prevents attackers from reading messages; detecting modification or fabrication additionally requires an integrity check such as a MAC or digital signature
• Symmetric and asymmetric encryption have complementary strengths and weaknesses
• Certificates bind identities to public keys, with the certificate authority’s signature vouching for that binding