Domain 5: Identity and Access Management Flashcards
Mandatory Access Control
- System-enforced access control based on the subject's clearance and the object's label. Subjects have clearances and objects have labels, such as confidential, secret, and top secret.
- A subject may access an object only if the subject's clearance is equal to or greater than the object's label.
- Subjects cannot share objects with other subjects who lack the proper clearance, or "write down" objects to a lower classification level (such as from top secret to secret).
Password Salting
Allows one password to hash in multiple ways.
A salt value ensures that the same password will hash to a different value when used by different users.
Some systems (such as modern UNIX/Linux systems) combine a salt with the password before hashing it.
Synchronous Dynamic Token
Time or counters are synchronized with an authentication server. The authentication server expects a certain value, based on time or count, as part of the authentication scheme.
Implemented in hardware (RSA SecurID) and software (Google / Microsoft Authenticator).
Asynchronous Dynamic Token
Not synchronized with a central server. Most common variety is challenge-response tokens:
- The system produces a challenge, which is the input for the token device.
- The user manually enters the challenge into the device along with their PIN, and the device produces an output.
- The output is then sent back to the system.
Open Authorization (OAuth) - 4 Roles
An open protocol to allow secure authorization in a simple and standard method from web, mobile and desktop applications.
Four key roles:
- Resource owner: Any entity that grants access to a protected resource, such as an information system or dataset.
- Resource server: Any server hosting the protected resource, which accepts and responds to access requests.
- Client: Any application making requests for access to protected resources.
- Authorization server: Any server issuing access tokens to clients after successful authentication; tokens are used across the federated system to gain access.
OpenID Connect (OIDC)
An authentication layer built on top of OAuth version 2.0 that federates identity management.
Security Assertion Markup Language (SAML) - 3 Roles & 4 Components
An eXtensible Markup Language (XML)-based framework to format messages regarding identities, resources, and access information like authentication and authorization. Current version: 2.0.
Three roles: User Agent (UA), Service Provider (SP), and Identity Provider (IdP)
Four Components:
- Assertions define SAML attributes: how the authentication and authorization message protocols or frameworks are to be used by the services.
- Bindings define the request-response pairs used by the three roles to communicate.
- Protocols, including HTTP and Simple Object Access Protocol (SOAP), are used to package and exchange messages between roles.
- Profiles are the combination of assertions, bindings, and protocols in use within a specific SAML implementation.
Kerberos
Third-party authentication service that may be used to support SSO.
- Uses secret key encryption.
- Provides mutual authentication of both clients and servers.
- Protects against network sniffing and replay attacks.