CHAP. 17
static password
A password that is the same for each login.
Service Provisioning Markup Language (SPML)
An open standard for exchanging authorization information between cooperating organizations.
List the types of passwords:
Standard word passwords, combination passwords, static passwords, complex passwords, passphrase passwords, cognitive passwords, one-time passwords (OTPs), graphical passwords, numeric passwords.
Lightweight Directory Access Protocol (LDAP)
A common directory service standard that is based on the earlier standard X.500.
clipping level
A configured baseline threshold above which violations will be recorded.
access control policy
A defined method for identifying and authenticating users and the level of access that is granted to the users.
combination password
A password type that uses a mix of dictionary words, usually two unrelated words.
false acceptance rate (FAR)
A measurement of the percentage of invalid users that will be falsely accepted by the system. This is called a Type II error. Type II errors are more dangerous than Type I errors.
false rejection rate (FRR)
A measurement of valid users that will be falsely rejected by the system. This is called a Type I error.
standard word password
A password that consists of a single word that often includes a mixture of upper- and lowercase letters.
one-time password
A password that is only used once to log in to an access control system. Also called a dynamic password.
complex password
A password type that forces a user to include a mixture of upper- and lowercase letters, numbers, and special characters.
cognitive password
A password type that is a piece of information that can be used to verify an individual's identity. This information is provided to the system by answering a series of questions based on the user's life, such as favorite color, pet's name, mother's maiden name, and so on.
federated identity
A portable identity that can be used across businesses and domains.
attestation
A process that allows changes to a user's computer to be detected by authorized parties.
fingerprint scan
A scan that records the ridges of a finger for matching.
Public Key Infrastructure (PKI)
A security framework that includes systems, software, and communication protocols that distribute, manage, and control public key cryptography.
principle of least privilege
A security principle which requires that a user or process be given only the minimum access privilege needed to perform a particular task.
Extensible Access Control Markup Language (XACML)
A standard for an access control policy language using XML.
open authorization (OAuth)
A standard for authorization that allows users to share private resources on one site with another site without giving that other site their credentials.
single sign-on (SSO)
A system in which a user enters login credentials once and can access all resources in the network.
Kerberos
A ticket-based authentication and authorization system used in UNIX and Active Directory.
Active Directory (AD)
A tool that organizes directories into forests and trees. AD tools are used to manage and organize everything in an organization, including users and devices. This is where security is implemented, and its implementation is made more efficient through the use of Group Policy.
Shibboleth
An SSO system that allows the use of common credentials among sites that are a part of the federation. It is based on Security Assertion Markup Language (SAML).
policy enforcement point (PEP)
An XACML entity that protects a resource that a subject (a user or an application) is attempting to access.
policy decision point (PDP)
An XACML entity that retrieves all applicable policies in XACML and compares the request with the policies.
Security Assertion Markup Language (SAML)
An XML-based open standard data format for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.
Remote Access Dial-In User Service (RADIUS)
An authentication framework that allows for centralized authentication functions for all network access devices.
OpenID (OID)
An open standard and decentralized protocol by the nonprofit OpenID Foundation that allows users to be authenticated by certain cooperating sites.
cross-certification
Certification topology that establishes trust relationships between CAs so that the participating CAs can rely on the other participants' digital certificates and public keys.
What are the two parts of authentication?
Identification & Authentication
graphical passwords
Passwords that use graphics as part of the authentication mechanism. Also called CAPTCHA passwords.
authentication
The act of validating a user with a unique identifier by providing the appropriate credentials.
separation of duties
The concept that sensitive operations should be divided among multiple users so that no one user has the rights and access to carry out a sensitive operation alone. This security measure ensures that one person is not capable of compromising organizational security. It prevents fraud by distributing tasks and their associated rights and privileges between more than one user.
identity propagation
The passing or sharing of a user's or device's authenticated identity information from one part of a multitier system to another.
crossover error rate (CER)
The point at which FRR equals FAR. Expressed as a percentage, this is the most important metric.
passphrase password
A password that requires the use of a long phrase. Because of the password's length, it is easier to remember but much harder to attack, both of which are definite advantages. Incorporating upper- and lowercase letters, numbers, and special characters in this type of password can significantly increase authentication security.