chapter 4
Compensate
means to make up for something. Compensative access controls provide options to other controls to bolster enforcement in support of a security policy.
role-based access control (RBAC)
model uses a centrally administrated set of controls to determine how subjects and objects interact.
RSA
named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman, is a public key algorithm that is the most popular when it comes to asymmetric algorithms. RSA is a worldwide de facto standard and can be used for digital signatures, key exchange, and encryption. It was developed in 1978 at MIT and provides authentication as well as key encryption. The security of this algorithm comes from the difficulty of factoring large numbers into their original prime numbers.
Direct access control (DAC grants)
or restricts object access determined by the object's owner. As the name implies, controls are discretionary because an object owner with certain access permissions can pass on those permissions to another subject.
Nulling
out applies a null value to a particular field, which completely prevents visibility of the data.
• Kerberos Authentication
protocol that uses a Key Distribution Center (KDC) and tickets, and is based on symmetric key cryptography
SESAME Authentication
protocol that uses a Privileged Attribute Server (PAS) and Privileged Attribute Certs (PACs) and is based on symmetric and asymmetric cryptography.
Triple-DES
We went from DES to Triple-DES (3DES), so it might seem we skipped Double-DES. We did. Double-DES has a key length of 112 bits, but there is a specific attack against Double-DES that reduces its work factor to about the same as DES. Thus, it is no more secure than DES. Move on to 3DES. Many successful attacks against DES and the realization that the useful lifetime of DES was about up brought much support for 3DES. NIST knew that a new standard had to be created, which ended up being AES, but a quick fix was needed in the meantime to provide more protection for sensitive data. The result: 3DES (also known as TDEA—Triple Data Encryption Algorithm).
Shuffling
derives a substitution set from the same column of data that a user wants to mask. This technique works well for financial information in a test database, for example.
Security
domains Resources working under the same security policy and managed by the same group
Identification
enforces the rules established by the authorization policy. A subject requests access to a system resource. Every time the subject requests access to a resource, the access controls determine whether to grant or deny access. For example, the authorization policy determines what activities a user can perform on a resource.
Social steganography
hides information in plain sight by creating a message that can be read a certain way by some to get the message. Others who view it in a normal way will not see the message.
Behavioral characteristics -
include patterns of behavior, such as gestures, voice, typing rhythm, or the way a user walks
access control model
is a framework that dictates how subjects access objects. It uses access control technologies and security mechanisms to enforce the rules and objectives of the model.
one-time password-generating token
is a hardware device that uses cryptography to generate a one-time password.
digital signature
is a hash value that has been encrypted with the sender's private key. The act of signing means encrypting the message's hash value with a private key
Cryptography
is a method of storing and transmitting data in a form that only those it is intended for can read and process.
object
is a passive entity that contains information or needed functionality. An object can be a computer, database, file, computer program, directory, or field contained in a table within a database. When you look up information in a database, you are the active subject and the database is the passive object.
El Gamal
is a public key algorithm that can be used for digital signatures, encryption, and key exchange. It is based not on the difficulty of factoring large numbers but on calculating discrete logarithms in a finite field. El Gamal is actually an extension of the Diffie-Hellman algorithm.
IPsec
is a suite of protocols developed to achieve secure services over networks. IPsec services allow for authentication, integrity, access control, and confidentiality. With IPsec, remote sites can exchange encrypted and verified information.
one-time password
is an automatically generated numeric or alphanumeric string of characters that authenticates a user for one transaction of one session only.
diffusion
is carried out by using transposition. means that a single plaintext bit has influence over several of the ciphertext bits. Changing a plaintext value should change many ciphertext values, not just one.
Confusion
is commonly carried out through substitution. pertains to making the relationship between the key and resulting ciphertext as complex as possible so the key cannot be uncovered from the ciphertext.
need-to-know principle
is like the least-privilege principle. It is based on the concept that individuals should be given access only to the information they absolutely require in order to perform their job duties. Giving any more rights to a user just asks for headaches and the possibility of that user abusing the permissions assigned to him.
Block Ciphers
is used for encryption and decryption purposes, the message is divided into blocks of bits. These blocks are then put through mathematical functions, one block at a time.
SHA
is used to ensure the integrity of the message, and the other algorithms are used to digitally sign the message.
Pretty Good Privacy (PGP)
was designed by Phil Zimmerman as a freeware e-mail security program and was released in 1991. It was the first widespread public key encryption program. PGP is a complete cryptosystem that uses cryptographic protection to protect e-mail and files.
Pretty Good Privacy (PGP)
which is a computer program that provides cryptographic privacy and authentication to increase the security of email communications.
Internet Key Exchange (IKE)
which is a fundamental component of IPsec Virtual Private Networks (VPNs).
Secure Socket Layer (SSL)
which is a means of implementing cryptography into a web browser.
Secure Shell (SSH),
which is a protocol that provides a secure remote access connection to network devices.
Security Key Fob -
A security key fob is a device that is small enough to attach to a key ring. It uses a process called two-factor authentication, which is more secure than a username and password combination.
Smart Card Security - .
A smart card is a small plastic card, about the size of a credit card, with a small chip embedded in it. The chip is an intelligent data carrier, capable of processing, storing, and safeguarding data
Advanced Encryption Standard (AES)
After DES was was cracked, NIST decided a new standard, the Advanced Encryption Standard (AES), needed to be put into place. In January 1997, NIST announced its request for AES candidates and outlined the requirements in FIPS PUB 197. AES was to be a symmetric block cipher supporting key sizes of 128, 192, and 256 bits. The number of rounds depends upon the size of the block and the key length: • If both the key and block size are 128 bits, there are 10 rounds. • If both the key and block size are 192 bits, there are 12 rounds. • If both the key and block size are 256 bits, there are 14 rounds.
Authorization :
Although authentication and authorization are quite different, together they comprise a two-step process that determines whether an individual is allowed to access a particular resource. Authorization is a key component to every operations system.
Data Encryption Standard
Data Encryption Standard (DES) has had a long and rich history within the computer community. The National Institute of Standards and Technology (NIST) researched the need for the protection of sensitive but unclassified data during the 1960s and initiated a cryptography program in the early 1970s. NIST invited vendors to submit data encryption algorithms to be used as a cryptographic standard. IBM had already been developing encryption algorithms to protect financial transactions. In 1974, IBM's 128-bit algorithm, named Lucifer, was submitted and accepted. The NSA modified this algorithm to use a key size of 64 bits (with 8 bits used for parity, resulting in an effective key length of 56 bits) instead of the original 128 bits, and named it the Data Encryption Algorithm (DEA).
Discretionary -
Identity-based, Owner controlled
Role-based -
Necessary Operations (best option because this type of person (employee in pay roll department) want to access payrole document. Of course they should)
Mandatory -
No Discretion
Directory services
Technology that allows resources to be named in a standardized manner and access control to be maintained centrally
Thin clients
Terminals that rely upon a central server for access control, processing, and storage
certificate authority (CA).
The certificate is created and signed (digital signature) by a trusted third party.
The Diffie-Hellman Algorithm
The first group to address the shortfalls of symmetric key cryptography decided to attack the issue of secure distribution of the symmetric key. Whitfield Diffie and Martin Hellman worked on this problem and ended up developing the first asymmetric key agreement algorithm, called, naturally, Diffie-Hellman.
Access controls
are security features that control how users and systems communicate and interact with other systems and resources.
Administrative access controls
are the policies and procedures defined by organizations to implement and enforce all aspects of controlling unauthorized access. Administrative controls focus on personnel and business practices.
Steganography
conceals data (the message) in another file such as a graphic, audio, or other text file. The advantage of steganography over cryptography is that the secret message does not attract any special attention. No one would ever know that a picture actually contained a secret message by viewing the file either electronically or in hardcopy.
Public key infrastructure (PKI)
consists of programs, data formats, procedures, communication protocols, security policies, and public key cryptographic mechanisms working in a comprehensive manner to enable a wide range of dispersed people to communicate in a secure and predictable fashion.
Logical access
controls are the hardware and software solutions used to manage access to resources and systems.
Authorization
controls what a user can and cannot do on the network after successful authentication. After a user proves his or her identity, the system checks to see what network resources the user can access and what the user can do with the resources. As shown in the figure, authorization answers the question, "What read, copy, create, and delete privileges does the user have?"
Diffie-Hellman -
provides an electronic exchange method to share the secret key. Secure protocols, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), Secure Shell (SSH), and Internet Protocol Security (IPsec), use Diffie-Hellman. ElGamal - uses the U.S. government standard for digital signatures. This algorithm is free for use because no one holds the patent.
Substitution
replaces data with authentic looking values to apply anonymity to the data records.
Data masking technology
secures data by replacing sensitive information with a non-sensitive version. The non-sensitive version looks and acts like the original.
trusted third party (the CA)
that allows people who have never met to authenticate to each other and to communicate in a secure method.
Physiological characteristics -
these include fingerprints, DNA, face, hands, retina, or ear features
Accountability
traces an action back to a person or process making the change to a system, collects this information, and reports the usage data.
asymmetric algorithms
use asymmetric keys (also called public and private keys).
symmetric algorithms
use symmetric keys (also called secret keys),
Elliptic Curve Cryptography (ECC) -
uses elliptic curves as part of the algorithm. In the U.S., the National Security Agency uses ECC for digital signature generation and key exchange.
RSA (Rivest-Shamir-Adleman) -
uses the product of two very large prime numbers with an equal length of between 100 and 200 digits. Browsers use RSA to establish a secure connection.