Notes - MCS
Identification, Authentication and Authorization
  1. Authentication Protocols

Authentication

Definition

Proof that an entity has a claimed identity attribute.

Proof Type

  • Something known.

    • A secret memorized.

  • Something we have.

    • An object/token.

  • Something we are.

    • Biometry.

Multi-factor authentication: joint or consecutive use of different proof types.

Goals

Authenticate interactors.

  • People, services, servers, hosts, networks, etc.

Enable the enforcement of authorization policies and mechanisms.

  • Authorization requires prior authentication (authorization -> authentication).

Facilitate the use of other security-related protocols.

  • e.g. key distribution for secure communication.

Requirements

Trustworthiness

How good is it in proving the identity of an entity?

How difficult is it to be deceived?

Level of Assurance (LoA) (NIST, eIDAS, ISO 29115).

  • LoA 1 - Little or no confidence in the asserted identity.

  • LoA 2 - Some confidence in the asserted identity.

  • LoA 3 - High confidence in the asserted identity.

  • LoA 4 - Very high confidence in the asserted identity.

Secrecy

No disclosure of secrets used by legitimate entities.

Robustness

Prevent attacks on the protocol data exchanges.

Prevent on-line DoS attack scenarios.

Prevent off-line dictionary attacks.

Simplicity

It should be as simple as possible to prevent entities from choosing dangerous shortcuts.

Deal with vulnerabilities introduced by people

People have a natural tendency to make things easier for themselves or to take shortcuts.

Entities and deployment model

Entities

  • People

  • Hosts

  • Networks

  • Services/servers

Deployment model

Over time (when authentication takes place).

  • Only when the interaction starts.

  • Continuously, throughout the interaction.

Directionality.

  • Unidirectional.

  • Bidirectional.
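As an added example (not part of the original notes) of the bidirectional case, the exchange below is a mutual challenge-response over a shared key: both parties prove possession of the key, each with its own nonce, and every MAC is bound to the sender's role so a tag cannot be reflected back to the party that produced it. Stopping after message 2 would be the unidirectional case (only A has authenticated B). Keys and nonces are constructed; the message layout is an illustration, not a specific standard's wire format.

```python
"""Mutual (bidirectional) shared-key challenge-response, three messages:
  1. A -> B : N_A
  2. B -> A : N_B, MAC_K("responder" || N_B || N_A)
  3. A -> B : MAC_K("initiator" || N_A || N_B)
Added illustration; keys below are constructed."""
import hashlib
import hmac
import os

def tag(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """Direction-bound MAC: the role label keeps message 2 and 3 distinct."""
    return hmac.new(key, role + own_nonce + peer_nonce, hashlib.sha256).digest()

class Party:
    def __init__(self, name: str, key: bytes, rng=os.urandom):
        self.name = name
        self.key = key
        self.rng = rng
        self.nonce = None          # nonce this party generated
        self.peer_nonce = None     # nonce received from the peer
        self.peer_authenticated = False

    def start(self) -> bytes:
        """Message 1: fresh challenge from the initiator."""
        self.nonce = self.rng(16)
        return self.nonce

    def respond(self, peer_nonce: bytes):
        """Message 2: responder answers the challenge and issues its own."""
        self.peer_nonce = peer_nonce
        self.nonce = self.rng(16)
        return self.nonce, tag(self.key, b"responder", self.nonce, peer_nonce)

    def verify_response_and_finish(self, peer_nonce: bytes, peer_tag: bytes) -> bytes:
        """Initiator checks message 2 (authenticates B), then produces message 3."""
        self.peer_nonce = peer_nonce
        expected = tag(self.key, b"responder", peer_nonce, self.nonce)
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError("responder failed authentication")
        self.peer_authenticated = True
        return tag(self.key, b"initiator", self.nonce, peer_nonce)

    def verify_finish(self, peer_tag: bytes) -> None:
        """Responder checks message 3 (authenticates A)."""
        expected = tag(self.key, b"initiator", self.peer_nonce, self.nonce)
        if not hmac.compare_digest(expected, peer_tag):
            raise ValueError("initiator failed authentication")
        self.peer_authenticated = True

def run_exchange(key_a: bytes, key_b: bytes):
    """Drive the three messages; returns (A authenticated B, B authenticated A)."""
    a, b = Party("A", key_a), Party("B", key_b)
    try:
        n_a = a.start()
        n_b, tag_b = b.respond(n_a)
        tag_a = a.verify_response_and_finish(n_b, tag_b)
        b.verify_finish(tag_a)
    except ValueError:
        pass
    return a.peer_authenticated, b.peer_authenticated

def reflection_is_rejected(key: bytes) -> bool:
    """Feeding B's own message-2 tag back to B as message 3 must fail,
    because the role label and nonce order differ."""
    a, b = Party("A", key), Party("B", key)
    n_a = a.start()
    _, tag_b = b.respond(n_a)
    try:
        b.verify_finish(tag_b)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    k = b"constructed-shared-key"
    print(run_exchange(k, k), run_exchange(k, b"other-key"), reflection_is_rejected(k))
```

Each party only sets `peer_authenticated` after verifying the other side's MAC, so the tuple returned by `run_exchange` records exactly which directions of authentication succeeded.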
