计算机网络安全期末考试重点整理.ppt

* This lesson focuses on access control enforcement within a computer system. We can view access control as the central element of computer security. ITU-T Recommendation X.800 defines access control as shown on the slide. The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner. We consider the situation of a population of users and user groups that are able to authenticated to a system and are then assigned access rights to certain resources on the system. * This chapter deals with a narrower, more specific concept of access control which implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance. Figure 4.1 from the text shows the broader context of access control. In addition to access control, this broader context involves the following entities and functions: ? Authentication: The verification an identity claimed by or for a system entity. ? Authorization: The granting of a right or permission to a system entity to access a system resource. This function determines who is trusted for a given purpose. ? Audit: An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures. An access control mechanism mediates between a user (or a process executing on behalf of a user) and system resources, such as files and database. The system must first authenticate a user seeking access. Then, the access control function determines if the specific requested access by this user is permitted. A security administrator maintains an aut