Notes - MCS
Identification, Authentication and Authorization

Access control kinds

Context-Based Access Control (CBAC)

Access rights have a historical context.

  • The access rights cannot be determined without reasoning about past access operations: the decision depends on what the subject, or the system, did before.

  • Example:

    • Stateful packet filter firewall: an inbound packet is accepted or dropped depending on whether an earlier outbound packet opened the connection it belongs to.
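The stateful packet filter named above, as an added example that is not part of the original notes. The packet format and the trace are constructed for illustration; the point is that the same inbound packet is dropped or accepted depending only on the connection table built from earlier packets.

```python
# Added example (not from the original notes): a minimal stateful packet
# filter, the instance of context-based access control named above.
# The decision for a packet cannot be made from the packet alone: inbound
# packets are accepted only if an earlier outbound packet opened the flow.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    sport: int      # source port
    dst: str        # destination IP address
    dport: int      # destination port
    direction: str  # "out" = leaving the protected network, "in" = entering it
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Allows outbound TCP connection attempts and the traffic they provoke.

    The connection table is the 'historical context': an inbound SYN/ACK that
    would be dropped in isolation is accepted once the matching outbound SYN
    has been seen.
    """

    def __init__(self) -> None:
        # (inside src, sport, outside dst, dport) of every flow opened from inside
        self.table: set[tuple[str, int, str, int]] = set()

    def decide(self, p: Packet) -> str:
        key_out = (p.src, p.sport, p.dst, p.dport)
        if p.direction == "out":
            if p.syn and not p.ack:
                self.table.add(key_out)   # new connection opened from inside
                return "ACCEPT"
            return "ACCEPT" if key_out in self.table else "DROP"
        # Inbound: accept only packets that belong to a flow we opened ourselves.
        key_in = (p.dst, p.dport, p.src, p.sport)
        return "ACCEPT" if key_in in self.table else "DROP"


def demo() -> list[str]:
    """Runs a constructed trace through the filter and returns the decisions."""
    f = StatefulFilter()
    reply = Packet("93.184.216.34", 443, "10.0.0.5", 40000, "in", syn=True, ack=True)
    trace = [
        reply,                                                         # no prior SYN: DROP
        Packet("10.0.0.5", 40000, "93.184.216.34", 443, "out", syn=True),  # opens the flow: ACCEPT
        reply,                                                         # same packet, now ACCEPT
        Packet("198.51.100.7", 5555, "10.0.0.5", 22, "in", syn=True),  # unsolicited SSH attempt: DROP
    ]
    return [f.decide(p) for p in trace]
```

The first and third packets are byte-for-byte identical; only the history between them changes the verdict, which is exactly what distinguishes a context-based decision from a stateless one.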

Chinese Wall policy

  • Conflict-of-interest classes (conflict groups): sets of competing organizations whose data must not be seen by the same subject.

  • Access control policies need to address past access to objects: once a subject has accessed an object of one member of a conflict class, access to objects of the other members of that class is denied to that subject.
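The Chinese Wall policy in code, as an added example that is not part of the original notes. It follows the Brewer-Nash read and write rules; the conflict classes and subject names are constructed.

```python
# Added example (not from the original notes): the Brewer-Nash Chinese Wall
# policy. Company datasets are grouped into conflict-of-interest classes; a
# subject may read data of at most one company per class, so every decision
# depends on that subject's access history.
from collections import defaultdict


class ChineseWall:
    def __init__(self, classes: dict[str, set[str]]) -> None:
        # conflict class name -> companies in it; inverted to company -> class
        self.company_class = {c: k for k, members in classes.items() for c in members}
        # history: subject -> companies whose data the subject has already read
        self.history: dict[str, set[str]] = defaultdict(set)

    def can_read(self, subject: str, company: str) -> bool:
        klass = self.company_class[company]
        for seen in self.history[subject]:
            if seen != company and self.company_class[seen] == klass:
                return False  # a competitor in the same class was read earlier
        return True

    def read(self, subject: str, company: str) -> bool:
        if not self.can_read(subject, company):
            return False
        self.history[subject].add(company)  # this access changes future decisions
        return True

    def can_write(self, subject: str, company: str) -> bool:
        # Brewer-Nash write rule: the subject must be allowed to read the
        # target and must not have read any other company's data, otherwise
        # information could flow between companies through the subject.
        return self.can_read(subject, company) and all(
            seen == company for seen in self.history[subject])


def demo() -> list[bool]:
    wall = ChineseWall({"banks": {"BankA", "BankB"}, "oil": {"OilX", "OilY"}})  # constructed
    return [
        wall.read("alice", "BankA"),        # True: no history yet
        wall.read("alice", "OilX"),         # True: a different conflict class
        wall.read("alice", "BankB"),        # False: competitor of BankA already read
        wall.can_write("alice", "BankA"),   # False: could leak OilX data into BankA
        wall.read("bob", "BankB"),          # True: bob's history is independent
        wall.can_write("bob", "BankB"),     # True: bob has read only BankB
    ]
```

Note that `can_read` alone is not enough for a safe implementation: the denial only works because `read` records the access, so the reference monitor must be the only path to the data.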

Attribute-Based Access Control (ABAC)

Access control decisions are made based on attributes associated with the relevant entities (subject, resource, action and environment), rather than on identities or roles alone.

XACML

OASIS XACML (eXtensible Access Control Markup Language) architecture.

  • Policy Administration Point (PAP).

    • Where policies are managed.

  • Policy Decision Point (PDP).

    • Where authorization decisions are evaluated and issued.

  • Policy Enforcement Point (PEP).

    • Where access requests to a resource are intercepted and enforced according to the PDP's decision.

  • Policy Information Point (PIP).

    • Provides external information (attribute values) to a PDP.

Access control with PEP and PDP

A subject sends a request, which is intercepted by the Policy Enforcement Point (PEP).

The PEP sends the authorization request to the Policy Decision Point (PDP).

The PDP evaluates the request against its policies and reaches a decision.

  • The decision is returned to the PEP, which enforces it (permits or refuses the access).

  • Policies are retrieved from a Policy Retrieval Point (PRP).

  • Attributes the request does not carry are fetched from Policy Information Points (PIP).

  • Policies are managed by the Policy Administration Point (PAP).
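The ABAC decision and the PAP/PRP/PIP/PDP/PEP exchange just described, as one added example in Python that is not part of the original notes or of any XACML implementation. The component classes, the two policies, the deny-overrides combining rule and the user and resource directories are all constructed for illustration.

```python
# Added example, not from the original notes: the PAP/PRP/PIP/PDP/PEP flow
# described above. Names, policies and directories are constructed.
from dataclasses import dataclass
from typing import Callable

Attrs = dict[str, dict[str, object]]  # category -> attribute name -> value


@dataclass
class Policy:
    name: str
    effect: str                       # "Permit" or "Deny"
    applies: Callable[[Attrs], bool]  # target/condition over the attributes


class PolicyAdministrationPoint:
    """PAP: where policies are managed. retrieve() plays the PRP role."""

    def __init__(self) -> None:
        self._policies: list[Policy] = []

    def add(self, policy: Policy) -> None:
        self._policies.append(policy)

    def retrieve(self) -> list[Policy]:
        return list(self._policies)


class PolicyInformationPoint:
    """PIP: supplies the attributes the request itself did not carry."""

    def __init__(self, users: dict, resources: dict) -> None:
        self.users, self.resources = users, resources

    def enrich(self, attrs: Attrs) -> Attrs:
        subject = self.users.get(attrs["subject"]["id"], {})
        resource = self.resources.get(attrs["resource"]["id"], {})
        return {"subject": {**subject, **attrs["subject"]},
                "resource": {**resource, **attrs["resource"]},
                "action": attrs["action"]}


class PolicyDecisionPoint:
    """PDP: evaluates every retrieved policy with deny-overrides combining."""

    def __init__(self, prp: PolicyAdministrationPoint, pip: PolicyInformationPoint) -> None:
        self.prp, self.pip = prp, pip

    def decide(self, request: Attrs) -> str:
        attrs = self.pip.enrich(request)
        outcomes = set()
        for policy in self.prp.retrieve():
            try:
                if policy.applies(attrs):
                    outcomes.add(policy.effect)
            except KeyError:                  # an attribute the rule needs is missing
                outcomes.add("Indeterminate")
        for outcome in ("Deny", "Indeterminate", "Permit"):  # deny overrides
            if outcome in outcomes:
                return outcome
        return "NotApplicable"


class PolicyEnforcementPoint:
    """PEP: intercepts the access, asks the PDP, enforces. Default deny."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def access(self, subject_id: str, action: str, resource_id: str) -> bool:
        request = {"subject": {"id": subject_id}, "action": {"id": action},
                   "resource": {"id": resource_id}}
        return self.pdp.decide(request) == "Permit"  # only an explicit Permit opens the door


def build_pep() -> PolicyEnforcementPoint:
    pap = PolicyAdministrationPoint()
    pap.add(Policy("doctors-read-own-ward", "Permit", lambda a:
                   a["subject"]["role"] == "doctor" and a["action"]["id"] == "read"
                   and a["resource"]["type"] == "record"
                   and a["subject"]["ward"] == a["resource"]["ward"]))
    pap.add(Policy("records-are-never-deleted", "Deny", lambda a:
                   a["action"]["id"] == "delete" and a["resource"]["type"] == "record"))
    users = {"dr.silva": {"role": "doctor", "ward": "cardiology"},   # constructed directory
             "dr.costa": {"role": "doctor", "ward": "oncology"}}
    resources = {"rec-42": {"type": "record", "ward": "cardiology"}}  # constructed catalogue
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, PolicyInformationPoint(users, resources)))


def demo() -> dict[str, bool]:
    pep = build_pep()
    return {
        "silva reads rec-42": pep.access("dr.silva", "read", "rec-42"),      # True
        "costa reads rec-42": pep.access("dr.costa", "read", "rec-42"),      # False: other ward
        "silva deletes rec-42": pep.access("dr.silva", "delete", "rec-42"),  # False: Deny rule wins
        "unknown reads rec-42": pep.access("mallory", "read", "rec-42"),     # False: Indeterminate
    }
```

Two details matter in practice: the PEP treats anything other than an explicit Permit (NotApplicable, Indeterminate) as a refusal, and a missing attribute from the PIP yields Indeterminate instead of silently evaluating to a Permit.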

Big picture

Break-the-glass access control model

It may be required to overcome the established access limitations.

  • e.g. in a life-threatening situation, when the normal policy would deny a clinician the record they urgently need.

The subject may be presented with a break-the-glass option upon a denial.

  • The subject can override the denial, on their own responsibility.

  • Logging is fundamental to prevent abuses.

    • The subject may have to justify the action after using the elevated right, so every override must be recorded in a way that can be audited later.
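A break-the-glass wrapper around an ordinary deny, as an added example that is not part of the original notes. The normal policy, the staff and record directories and the time values are constructed; the audit log is hash-chained so that a justification cannot be quietly rewritten after the fact.

```python
# Added example (not from the original notes): break-the-glass on top of a
# normal authorization decision. On a denial the subject may override it,
# but only with a stated justification, for a limited time, and each
# override lands in a hash-chained audit log for later review.
import hashlib
import json
from typing import Optional

# Normal policy (constructed): nurses read records only in their own ward.
STAFF = {"nurse.ana": {"role": "nurse", "ward": "cardiology"}}
RECORDS = {"rec-7": {"ward": "oncology"}}


def normal_decision(subject: str, resource: str) -> bool:
    return STAFF[subject]["ward"] == RECORDS[resource]["ward"]


class BreakTheGlass:
    def __init__(self, grant_seconds: int = 3600) -> None:
        self.grant_seconds = grant_seconds
        self.audit: list[dict] = []
        self.grants: dict[tuple[str, str], int] = {}  # (subject, resource) -> expiry time

    def _append(self, event: dict) -> dict:
        """Appends an audit entry whose hash covers the previous entry's hash."""
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = json.dumps({**event, "prev": prev}, sort_keys=True)
        entry = {**event, "prev": prev, "hash": hashlib.sha256(body.encode()).hexdigest()}
        self.audit.append(entry)
        return entry

    def access(self, subject: str, resource: str, now: int,
               justification: Optional[str] = None) -> str:
        if normal_decision(subject, resource):
            return "Permit"
        if self.grants.get((subject, resource), -1) > now:
            # Emergency grant still valid: permit, but keep recording each use.
            self._append({"t": now, "who": subject, "what": resource, "event": "emergency-access"})
            return "Permit (emergency)"
        if justification is None:
            return "Deny (break-the-glass available)"   # the option offered on denial
        if not justification.strip():
            return "Deny (justification required)"      # an empty reason is not a reason
        self.grants[(subject, resource)] = now + self.grant_seconds
        self._append({"t": now, "who": subject, "what": resource,
                      "event": "break-the-glass", "why": justification})
        return "Permit (emergency)"

    def verify_audit(self) -> bool:
        """Recomputes the chain; False if any entry was edited or removed."""
        prev = "0" * 64
        for e in self.audit:
            body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
            if e["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo() -> list[str]:
    btg = BreakTheGlass(grant_seconds=600)
    return [
        btg.access("nurse.ana", "rec-7", now=1000),                       # denied, override offered
        btg.access("nurse.ana", "rec-7", now=1001, justification=" "),    # blank reason: still denied
        btg.access("nurse.ana", "rec-7", now=1002, justification="patient collapsed in ER"),
        btg.access("nurse.ana", "rec-7", now=1300),                       # inside the 600 s grant
        btg.access("nurse.ana", "rec-7", now=2000),                       # grant expired: denied again
    ]


def tamper_demo() -> tuple[bool, bool]:
    """Shows the audit chain before and after someone edits a justification."""
    btg = BreakTheGlass()
    btg.access("nurse.ana", "rec-7", now=1, justification="emergency")
    btg.access("nurse.ana", "rec-7", now=2)
    before = btg.verify_audit()
    btg.audit[0]["why"] = "routine"   # the justification is rewritten afterwards
    return before, btg.verify_audit()
```

The hash chain only makes tampering detectable, not impossible; in a deployment the log would also be shipped off-host so that whoever used the override cannot also truncate the record of it.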
