2. Access Control

Question 1

access control process

Answer 1

identification
authentication
authorisation

Question 2

what is authentication

Answer 2

prove you are who you claim to be by:

1. knowledge (what you know)
2. Token (what you have)
3. biometrics (what you are)

Question 3

knowledge based authentication

Answer 3

passwords

passphrases

Question 4

password bad practices

Answer 4

1. reused
2. easily guessed
3. shared
4. written down
5. password manager: single point of failure

Question 5

password entropy

Answer 5

measure of uncertainty

• password of K bits has pow(2, K) possibilities
• password of length L from B chars has pow(B, L) possibilities
• entropy H = log2(pow(B,L))

Question 6

attacking passwords

Answer 6

1. brute force
   - try all combinations
   - use account lock out to prevent brute force
   - need to exfiltrate data before brute force
2. reverse brute force
   - try one password on multiple accounts
3. dictionary
   - contains commonly used passwords
   - stored in plain text
4. rainbow tables
   - contains commonly used passwords
   - stored in hashes
5. social engineering

Question 7

password hardening

Answer 7

1. formulate good passwords
2. store in password managers to help remember
3. use passphrases
4. secure storing of passwords
   - encrypt password (minimum)
   - hashed password (ok..)
   - hashed password + salt (best)
5. enforce security policies
6. 2FA
7. educate users on best practices and increase awareness
8. maintain correct access rights

Question 8

what are tokens

Answer 8

physical devices to aid authentication

1. e tokens
2. RFID tags
   - used in logistics, prison, but weak to side channel attack
3. smart cards
   - tamper proof

Question 9

types of biometrics

Answer 9

physical

behavioural

Question 10

requirements for biometrics

Answer 10

1. university
   - everyone must have that characteristic trait
2. distinctiveness
   - characteristics should be sufficiently different
3. permanence
   - characteristics should be sufficiently invariant
4. collectability
   - characteristics can be measured quantitatively

Question 11

acceptability of biometrics

Answer 11

authentication needs to be accepted by end users

• convenience
• duration of authentication
• invasion of privacy

Question 12

accuracy of biometrics

Answer 12

1. false/ true accept rate
2. retina scanning
3. iris scanning
4. facial recognition
5. fingerprint

Question 13

behavioural

Answer 13

how you type/walk
can change over time
people may have similar behaviours

Question 14

voice recognition

Answer 14

is both behavioural and physical

Question 15

biometrics advantages

Answer 15

1. unique data, difficult to replicate
2. fast and convenient
   - no issue of missing tokens, forget passwords
3. scalable
   - just add data to DB

Question 16

biometrics disadvantages

Answer 16

1. unrecoverable if compromised
   - user cannot change their body
2. expensive
3. privacy concerns

Question 17

authorisation: types of access control

Answer 17

1. discretionary
   - owner, group, others
2. role-based
   - principle of least privilege
3. mandatory
   - defined integrity levels
   - user integrity level compared when logged in

Question 18

principle of least privilege

Answer 18

best security privilege

limit privileges to minimum necessary to perform task