Sunday, 6 March 2016

Access Control

In Access Control, first step is Authentication followed by Authorization.

Authentication - Login ID & Password
Authorization  -  Checking of User is authorized to perform X activity.

Subject can be Program,Process, Server, Database, User which is trying to access Object such as Printer,Files,Folders,database.

Who is accessing - Subject
What is being accessed - Object

Security Principles :  (Remember it as CIA )

Confidentiality - Assurance that information is not disclosed to unauthorized individual/program/process

Integrity -   Protecting data from being altered.

Availability - Ensuring continuity of availability of resources

Identification - Authentication - Authorization - Accountability :

1. Identification   - Username / Account number
2. Authentication - Password / Pass-phrase / Cryptographic key / PIN No. / Token
    (After providing above information Subject is Authenticated )
3. Authorization   - System checks if Subject is authorized to access resource
4. Accountability -  Only way to ensure accountability is if subject is uniquely identified and actions are recorded  ( Logging should be implemented )

Race Condition :

Ex. Attacker could force authorization to be forced before authentication step.

Image result for race condition

Three factors of Authentication :

  1. Something a person knows - Authentication By Knowledge - Passwords/PIN/ Combination to lock
  2. Something a person has - Authentication by ownership - Key, Swipe card, access card, badge
  3. Something a person is  - Authentication by Characteristic - Physical attribute, biometrics

Strong Authentication = Multi-authentication  = Three factor authentication

No comments:

Post a Comment