Security Goals 安全测试 知识介绍.pptVIP

Physical Security: Badges. Must be checked. No piggybacking to be nice. Locks on doors. Screensavers with passwords. Will illustrate each of these concepts through running examples… (Phone call example… But what about email? Sender name could easily be “spoofed.”) Will provide one example of each general “way” to achieve authentication, and will provide more details on all “ways” in the section of the course on common attacks and defenses. Some security professionals distinguish between Identification and Authentication. Identification is the “public” part of the authentication process (entering username, or biometric scan). Authentication is the “private” part of the authentication process (entering password or PIN). One-time-passwords can be used to address the second “con.” Smart cards, ATM cards, and other tokens store “secrets.” (A “secret” is a sequence of bits, 0s and 1s, only know to the card/token and the system into which it is inserted.) Iris scan: camera take picture of iris features Retinal scan: beam of light projected into eye and scans retinal blood-vessel pattern. Eye put up to device, and puff of air blown into eye. Signature dynamics: physical motions (pressure/speed) translated into characteristic electrical signals that re unique to the person writing signature. Key management: user’s can’t get another thumbprint if their “key” is compromised! Other Cons: people change over time (my face may not be exactly the same over ten years) (See CISSP All-In-One page 131) Methods can be combined: consider a typical ATM transaction. A user is authenticated based on something he/she HAS (the ATM card), and something he/she KNOWS (the PIN). Also called “two-factor” authentication. In the ATM example, authorization asks the question (once the user John Doe has been authenticated), “Does John Doe have permission to withdraw $200?” It depends on the amount of money that John Doe has in his bank account (must be = $200), and the amou