SECURITY
COMPUTING
WEEK 04: AUTHENTICATION, ACCESS CONTROL, AND CRYPTOGRAPHY
DELIVERED BY:
Yojan Dhakal | Lead IS Auditor
IS Audit Practitioner @CryptoGen Nepal
ISO 27001 | CEH Practical | AZ 900 | CSFPC
NSE 1 | NSE 2 | LogPoint Certified Admin & Analyst
AP @KFA

Aaditya Khati | SOC Manager
Team Lead @CryptoGen Nepal
CEH | CPISI | AZ 900 | LRSA | LRPA | LRSE
LRDE | LogPoint Certified Admin | CCNA CyberOps
CPE | F5 Delivery Engineer | Tenable Certified
Practical Contributor @KFA
AUTHENTICATION, ACCESS CONTROL, AND
CRYPTOGRAPHY
• Authentication, capabilities, and limitations
• The three bases of authentication: knowledge, characteristics,
possessions
• Strength of an authentication mechanism
• Implementation of access control
• Employing encryption
• Symmetric and asymmetric encryption
• Message digests
• Signatures and certificates
AUTHENTICATION
❑ The basis of computer security is controlled access: someone is authorized to take some action on something.
❑ To implement access controls, we first have to establish who that "someone" is.
❑ Identification is the act of asserting who a person is (the claim: "I am Alice").
❑ Authentication is the act of proving that asserted identity: showing that the person is who she says she is.
❑ Identity is more than just a name; an e-mail address, a bank account number, a username or an employee ID
can all identify a person, and each may be authenticated differently.
AUTHENTICATION MECHANISMS
❑ Something the user knows. Passwords, PINs, passphrases, a secret handshake, and a mother's maiden name are
examples of what a user may know.
❑ Something the user is. These authenticators, called biometrics, are based on a physical characteristic of the
user, such as a fingerprint, the pattern of a person's voice, or a face.
❑ Something the user has. Identity badges, physical keys, a driver's license, or a uniform are common
examples of things people have that make them recognizable.
❑ Somewhere the user is: physical location or IP address. This is a weak factor on its own, since addresses are
shared and location can be spoofed, so it is normally used only to supplement the other three.
❑ Something the user does: handwriting, typing patterns, body movements (behavioural biometrics).
PASSWORD USE
Password attacks: guessing strategies, from cheapest to most expensive
• No password, or a password that is the same as the user ID, or that is or is derived from the user's name
• Contained in a complete English word list
• Contained in a complete English dictionary, with capitalizations or character substitutions applied
• Obtained by brute force, trying all possible combinations of alphabetic characters
• Obtained by brute force, trying all possible combinations from the full character set
Every password can be guessed; password strength is determined by how many guesses are required, and
in practice by how quickly an attacker can make those guesses offline against a stolen password hash.
PASSWORD CONCEALMENT
❑ The operating system authenticates a user by asking for a name and password, which it then has to
validate, most likely by comparing to a value stored in a table.
❑ Rather than store the password itself, the operating system applies a one-way function (a hash) so that
the stored value does not reveal the password. This is not really encryption: there is no key that reverses it.
❑ A salt is an extra data field, different for each user, that is hashed together with the password so that two
users with the same password get different stored values and an attacker cannot precompute one table of
hashes for all users. Older systems derived it from the date the account was created or part of the user's
name; current practice is a random value stored alongside the hash.
❑ If passwords are words consisting of the 26 characters A–Z and can be of any length from 1 to 8
characters, there are 26^1 passwords of 1 character, 26^2 passwords of 2 characters, ..., and 26^8
passwords of 8 characters: about 2.17 × 10^11 candidates in total.
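The salted one-way storage described above, as an added example that is not part of the original slides. The slides name no particular algorithm; this example assumes PBKDF2-HMAC-SHA256 from the Python standard library as the one-way function, a random 16-byte salt per user, and a constructed in-memory table standing in for the operating system's password file.

```python
import hashlib
import hmac
import os

# Constructed in-memory password table: username -> (salt, derived key).
# A real system keeps this in a protected file or database.
ITERATIONS = 100_000
USER_TABLE = {}


def _derive(password: str, salt: bytes) -> bytes:
    """One-way scramble of salt + password (PBKDF2-HMAC-SHA256, an assumed choice).

    Nothing stored here can be reversed to recover the password; the only way
    to check a guess is to run the same function again.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store a fresh random salt and the derived key; the password itself is never stored."""
    salt = os.urandom(16)
    USER_TABLE[username] = (salt, _derive(password, salt))


def authenticate(username: str, password: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    entry = USER_TABLE.get(username)
    if entry is None:
        # Do the same amount of work for an unknown user so that the response
        # time does not reveal which usernames exist.
        _derive(password, b"\x00" * 16)
        return False
    salt, stored = entry
    return hmac.compare_digest(_derive(password, salt), stored)


def same_password_same_hash(password: str) -> bool:
    """Why the salt matters: two users with the same password still get different stored values."""
    register("alice", password)
    register("bob", password)
    return USER_TABLE["alice"][1] == USER_TABLE["bob"][1]


if __name__ == "__main__":
    print("alice/bob share a hash:", same_password_same_hash("correct horse battery staple"))
    register("carol", "hunter2")
    print("carol correct:", authenticate("carol", "hunter2"))
    print("carol wrong:", authenticate("carol", "hunter3"))
```

The comparison uses `hmac.compare_digest` rather than `==` so that a mismatch in the first byte takes as long to report as a mismatch in the last; the iteration count is what makes each offline guess expensive.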
CHOOSING A GOOD PASSWORD
❑ Use characters other than just a–z. Adding digits expands the alphabet per position from 26 to 36; mixed
case, digits and symbols push it past 90.
❑ Choose long passwords: each extra character multiplies the search space, so length buys more than a
larger alphabet does.
❑ Avoid actual names or dictionary words.
❑ Use a string you can remember, but do not rely on simple substitutions: password-cracking tools also test
replacements like 0 (zero) for o or O (letter "oh"), 1 (one) for l (letter "ell"), or $ for S (letter "ess").
❑ Use variants for multiple passwords, bearing in mind that once one variant leaks the same cracking rules
recover the others; unrelated passwords kept in a password manager are the safer option.
❑ Change the password regularly, and in any case immediately when compromise is suspected. Current
guidance (NIST SP 800-63B) favours the latter over forced rotation on a fixed schedule.
❑ Don't write it down where others can find it, and don't tell anyone else.
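The guess-counting view of strength, as an added example that is not part of the original slides: it serves both the "every password can be guessed" point and the 26^1 + ... + 26^8 count from the previous slide. The keyspace function is the sum from that slide; the guess rate, the substitution table and the two-word dictionary are constructed assumptions used to show that a leet-substituted dictionary word falls in tens of guesses while a random eight-letter string needs billions.

```python
from itertools import product


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct passwords of length min_len..max_len over the given alphabet.

    keyspace(26, 1, 8) is the 26^1 + 26^2 + ... + 26^8 count from the slides.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return space / guesses_per_second


# Substitutions a cracking rule set routinely tries (constructed subset).
FORWARD = {"o": "0", "l": "1", "e": "3", "a": "4", "s": "$", "t": "7"}
BACKWARD = {v: k for k, v in FORWARD.items()}


def mangle(word: str):
    """Yield the variants a cracker tries for one word: three case forms combined
    with every subset of the substitutions above (this is what makes "P4$$w0rd" weak)."""
    positions = [i for i, ch in enumerate(word.lower()) if ch in FORWARD]
    for base in (word.lower(), word.capitalize(), word.upper()):
        for mask in product((False, True), repeat=len(positions)):
            chars = list(base)
            for pos, on in zip(positions, mask):
                if on:
                    chars[pos] = FORWARD[base[pos].lower()]
            yield "".join(chars)


def guesses_needed(password: str, wordlist):
    """Position of the password in the mangled-dictionary guess sequence, or None if the
    attack would have to fall back to brute force."""
    n = 0
    for word in wordlist:
        for candidate in mangle(word):
            n += 1
            if candidate == password:
                return n
    return None


def looks_like_dictionary_word(candidate: str, wordlist) -> bool:
    """Check a proposed password the way the cracker will: undo substitutions and ignore case."""
    base = "".join(BACKWARD.get(ch, ch) for ch in candidate).lower()
    return base in {w.lower() for w in wordlist}


if __name__ == "__main__":
    WORDS = ["letmein", "password"]            # constructed two-word dictionary
    print("A-Z, 1..8 chars:", keyspace(26, 1, 8))
    print("at 1e9 guesses/s:", seconds_to_exhaust(keyspace(26, 1, 8), 1e9), "s")
    print("P4$$w0rd found after", guesses_needed("P4$$w0rd", WORDS), "guesses")
    print("xq9vb2 in dictionary:", looks_like_dictionary_word("xq9vb2", WORDS))
```

The 10^9 guesses per second figure is an assumption for illustration; real offline rates depend on the hash function and hardware, which is why the slow, salted hash from the previous slide matters as much as the password itself.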
FALSE POSITIVES/NEGATIVES
❑ False positive (false accept): accepted when it should have been rejected, incorrectly confirming an identity.
The proportion of impostor attempts accepted is the false acceptance rate (FAR).
❑ False negative (false reject): rejected when it should have been accepted, incorrectly denying an identity.
The proportion of genuine attempts rejected is the false rejection rate (FRR).
❑ For a biometric, the two trade off against each other: raising the match threshold lowers FAR and raises FRR.
ACCESS CONTROL
Access control refers to limiting who can access what, and in what ways.
❑ Subjects are human users, usually represented by surrogate programs (processes) running on behalf of the users.
❑ Objects are things on which an action can be performed: Files, tables, programs, memory objects,
hardware devices, strings, data fields, network connections.
❑ Access modes are any controllable actions of subjects on objects, including, but not limited to, read, write,
modify, delete, execute, create, destroy, copy, export, import, and so forth.
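Subjects, objects and access modes fit naturally into an access control matrix; the following is an added example, not part of the original slides, with a constructed matrix of a few users and files. It shows the default-deny check a reference monitor performs, how a process acts with its owner's rights, and how the two common implementations (an access control list per object and a capability list per subject) are just the column and the row of the same matrix.

```python
from enum import Flag, auto


class Mode(Flag):
    """Controllable actions of subjects on objects (subset of those listed on the slide)."""
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()


# Constructed access control matrix: (subject, object) -> permitted modes.
# Any pair not present is implicitly denied.
MATRIX = {
    ("alice", "payroll.db"): Mode.READ | Mode.WRITE,
    ("bob", "payroll.db"): Mode.READ,
    ("backup", "payroll.db"): Mode.READ,
    ("alice", "/usr/bin/report"): Mode.EXECUTE,
    ("bob", "/usr/bin/report"): Mode.EXECUTE,
}


def is_allowed(subject: str, obj: str, mode: Mode) -> bool:
    """Default deny: every requested mode bit must be in the subject's entry for the object."""
    granted = MATRIX.get((subject, obj), Mode(0))
    return (mode & granted) == mode


def process_allowed(process: dict, obj: str, mode: Mode) -> bool:
    """A surrogate program carries the rights of the user it runs on behalf of."""
    return is_allowed(process["owner"], obj, mode)


def acl(obj: str) -> dict:
    """Column of the matrix: who may do what to this object (access control list)."""
    return {s: m for (s, o), m in MATRIX.items() if o == obj}


def capabilities(subject: str) -> dict:
    """Row of the matrix: what this subject may do to which objects (capability list)."""
    return {o: m for (s, o), m in MATRIX.items() if s == subject}


if __name__ == "__main__":
    shell = {"pid": 4242, "owner": "bob"}   # constructed process acting for bob
    print("bob's shell writes payroll.db:", process_allowed(shell, "payroll.db", Mode.WRITE))
    print("ACL for payroll.db:", acl("payroll.db"))
    print("capabilities of alice:", capabilities("alice"))
```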
CRYPTOGRAPHY
Cryptography conceals data against unauthorized access. Well-disguised data cannot easily be read, modified,
or fabricated.
❑ Consider the steps involved in sending messages from a sender, S, to a recipient, R.
❑ If S entrusts the message to T, who then delivers it to R, T then becomes the transmission medium.
❑ If an outsider, O, wants to access the message (to read, change, or even destroy it), we call O an interceptor
or intruder.
❑ Any time after S transmits the message via T, it is vulnerable to exploitation, and O might try to access it in
any of the following ways:
• Block it, by preventing its reaching R, thereby affecting the availability of the message
• Intercept it, by reading or listening to the message, thereby affecting the confidentiality of the
message
• Modify it, by seizing the message and changing it in some way, affecting the message’s integrity
• Fabricate an authentic-looking message, arranging for it to be delivered as if it came from S, thereby
also affecting the integrity of the message
CRYPTOGRAPHY
A system for encryption and decryption is called a cryptosystem.
❑ Encryption is the process of encoding a message so that its meaning is not obvious; decryption is the reverse process.
• The terms encode and decode, or encipher and decipher, are sometimes used instead of encrypt and decrypt.
❑ The original form of a message is known as plaintext, and the encrypted form is called ciphertext.
❑ A cryptosystem involves a set of rules for how to encrypt the plaintext and decrypt the ciphertext. The
encryption and decryption rules are called algorithms.
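A minimal cryptosystem with the vocabulary just defined, as an added example that is not part of the original slides: a shift cipher over A–Z, chosen here because its encryption and decryption rules fit in a few lines. The plaintext, the key and the crib word are constructed. The third function plays the interceptor O from the previous slide, who knows the algorithm but not the key, and shows why a key space of 25 possibilities gives no real protection: exhaustion takes 25 tries at most, the same "how many guesses" measure used for passwords.

```python
import string

ALPHABET = string.ascii_uppercase


def encrypt(plaintext: str, key: int) -> str:
    """Encryption rule: shift each letter forward by key positions (mod 26).

    Non-letters pass through unchanged, so spaces and punctuation leak the word structure.
    """
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, key: int) -> str:
    """Decryption rule: the same algorithm with the shift reversed."""
    return encrypt(ciphertext, -key)


def break_by_exhaustion(ciphertext: str, crib: str):
    """Interceptor O: try every key and keep the first plaintext containing an expected word.

    Returns (key, plaintext) or None if no key produces the crib.
    """
    for k in range(1, 26):
        candidate = decrypt(ciphertext, k)
        if crib.upper() in candidate:
            return k, candidate
    return None


if __name__ == "__main__":
    S_message = "attack at dawn"          # constructed plaintext from sender S
    K = 3                                 # constructed key shared by S and R
    c = encrypt(S_message, K)
    print("ciphertext:", c)
    print("R decrypts:", decrypt(c, K))
    print("O recovers:", break_by_exhaustion(c, "dawn"))
```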
WEEK 04
END OF SLIDE