Index > Authentication > 2021-01-25: Intro

Module Zero: “Innit”

“The course is somewhat theoretical”

Course Outline:

• Security Models and Trust
• Quantum and Post-Quantum Cryptography
• Access control models
  • DAC and AD
  • MAC and SELinux
• Single-factor and multi-factor auth methods

Why study this?

• Learn how to implement and attack auth mechanisms
• CISSP is auth-heavy

Course background:

• Networking
• System administration
• Basic programming
• Cryptography
• Linear Algebra
  • Prof. recommends https://www.khanacademy.org/math/linear-algebra

Course Structure - one module roughly corresponds to two weeks. Prof. won’t lecture on wednesdays, those will be for group time. To make up for the lost lecture time, there are videos (none over 30 minutes long).

Prof. has had the course approved as a writing intensive class.

70% of the final grade is from group work. The peer-evaluation creates a “multiplier” that the prof. uses to scale that 70%.

“Communicate Early and Often”

Late assignments are not accepted.

IAAA

• Identification
  • claiming an identity
• Authentication
  • Measuring a feature of the supplicant
  • seeing if it matches a model of the identity
• Authorization
  • The level of access granted to a specific identity
• Accountability
  • Recording all interactions between the supplication, the authenticator, and the resource

Access Control

• DAC: Discretionary
  • The resource owner sets the permissions
• MAC: Mandatory
  • The policy document sets the permissions
• RBAC: Role based
  • IT, but not sales
• RBAC: Rule based
  • Users with these attributes

Controls

Control Types

• technical
• administrative
• physical

Control “Functions”

• Deterrent
  • Discourages the attempted violation of policies
  • Guard dogs are scary
• Directive
  • Directs, confines, or controls the actions of the supplicant
  • Security guards make sure things go to plan
• Preventive
  • Prevents the violation of policies
  • Guard dogs pushing back the intruder
• Detective
  • Detect a violation
  • Motion sensor
• Corrective
  • Restores things to normal after a violation
  • short-term
• Compensating
  • what you settle for when you can’t have a guard dog
• Recovery
  • Repairing and restoring after a violation

I need to look more into compensating controls

Corrective is like business continuity - keep going under non-ideal circumstances. Recovery is like disaster recovery - it gets things back to ideal conditions.

---

Index > Authentication > 2021-01-25: Intro