In Access Control, the first step is Authentication, followed by Authorization.
Authentication - Login ID & Password
Authorization - Checking whether the user is authorized to perform activity X.
A Subject can be a program, process, server, database or user that is trying to access an Object such as a printer, file, folder or database.
Who is accessing - Subject
What is being accessed - Object
Security Principles (remember them as CIA):
Confidentiality - Assurance that information is not disclosed to unauthorized individuals, programs or processes
Integrity - Protecting data from being altered.
Availability - Ensuring that resources remain continuously available
Identification - Authentication - Authorization - Accountability:
1. Identification - Username / Account number
2. Authentication - Password / Pass-phrase / Cryptographic key / PIN / Token
(After providing the above information, the Subject is authenticated)
3. Authorization - The system checks whether the Subject is authorized to access the resource
4. Accountability - The only way to ensure accountability is for the Subject to be uniquely identified and its actions recorded (logging must be implemented)
Race Condition:
Ex. An attacker could cause the authorization step to be performed before the authentication step.
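The four steps above, and the ordering problem behind the race condition, as an added example (not part of the original notes): a small reference monitor in which authorize() only accepts a subject produced by authenticate(), so authorization cannot be reached on an unverified name, and every decision is logged for accountability. The user directory, salt, password and ACL are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data (salt, password and ACL are made up for this example).
_SALT = b"constructed-salt"

def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

USERS = {"alice": _hash_password("correct horse battery")}   # identity -> stored credential
ACL = {("alice", "printer"): {"print"},                       # (subject, object) -> allowed actions
       ("alice", "/files/report.txt"): {"read"}}

@dataclass(frozen=True)
class AuthenticatedSubject:
    """Only authenticate() creates these, so a bare username can never be authorized."""
    name: str

class ReferenceMonitor:
    def __init__(self):
        self.audit = []  # step 4, accountability: one record per access decision

    def authenticate(self, username: str, password: str):
        # Step 1 (identification: username) and step 2 (authentication: password).
        stored = USERS.get(username)
        supplied = _hash_password(password)  # hashed even for unknown users, same cost either way
        if stored is None or not hmac.compare_digest(stored, supplied):
            return None
        return AuthenticatedSubject(username)

    def authorize(self, subject, obj: str, action: str) -> bool:
        # Step 3 may only follow step 2: refuse anything that is not an authenticated subject.
        if not isinstance(subject, AuthenticatedSubject):
            raise PermissionError("authorization attempted before authentication")
        return action in ACL.get((subject.name, obj), set())

    def access(self, username: str, password: str, obj: str, action: str) -> bool:
        subject = self.authenticate(username, password)
        allowed = subject is not None and self.authorize(subject, obj, action)
        self.audit.append({                      # recorded whether the request succeeded or not
            "time": datetime.now(timezone.utc).isoformat(),
            "subject": username, "object": obj, "action": action,
            "authenticated": subject is not None, "allowed": allowed,
        })
        return allowed
```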
Three factors of Authentication:
- Something a person knows - Authentication by knowledge - Passwords / PIN / combination to a lock
- Something a person has - Authentication by ownership - Key, swipe card, access card, badge
- Something a person is - Authentication by characteristic - Physical attribute, biometrics
Strong Authentication = Multi-factor authentication = Three-factor authentication