Chapter 3:


Definition of User Authentication

User authentication is the process of verifying the identity of a user, typically through a combination
of credentials, such as a username and password.

User Authentication Model for Electronic User Authentication

1. Identification: The user claims an identity by presenting an identifier (for example, a username).

2. Authentication (verification): The user presents evidence, called an authenticator (password, token, biometric), which the system checks against the credential registered for that identifier.

3. Authorization: Once the identity is verified, access to resources is granted according to the permissions bound to that identity. Strictly, authorization is a separate step that follows authentication: it answers "what may this user do", not "who is this user".

Means of User Authentication

1. Knowledge-based: Something the user knows (password, PIN, answers to security questions).

2. Possession-based: Something the user has (smart card, hardware token, a phone that receives a one-time code).

3. Biometric: Something the user is (fingerprint, face, iris: a static biometric) or something the user does (voice, typing rhythm, handwriting: a dynamic biometric). Some texts count the dynamic case as a fourth means.

Each means fails differently: a secret can be guessed or phished, a token can be lost or stolen, and a biometric can be forged and cannot be changed once compromised, which is why strong schemes combine two of them.

Risk Assessment for User Authentication

1. Identity Theft: An attacker who obtains a user's credentials can impersonate that user and reach sensitive information.

2. Password Cracking: Automated tools guess passwords, either online against the login interface or offline against a stolen password database.

3. Phishing: Tricking users into revealing passwords, typically through a fake login page.

4. Session Hijacking: Stealing or predicting a session token so the attacker rides an already-authenticated session and bypasses the login step entirely.

Password Authentication
1. Definition: A secret word or phrase used to authenticate a user.

2. Advantages: Easy to implement, widely accepted.

3. Disadvantages: Vulnerable to attacks (guessing, cracking, phishing).

Password Weak Points

1. Weak Passwords: Short, common, or easily guessable passwords that fall to a dictionary or brute-force attack.

2. Password Reuse: Using the same password across multiple accounts, so one breached site exposes all of them (credential stuffing).

3. Password Storage: Storing passwords in plaintext, or hashed with a fast unsalted function, so a stolen database yields the passwords directly or after cheap guessing.

Countermeasures for Password Weak Points

1. Password Policies: Enforce a minimum length and screen candidates against lists of common and previously breached passwords; length matters more than forced character-class complexity.

2. Multi-Factor Authentication: Require a second form of verification (token, authenticator app, biometric), so a stolen or phished password is not enough on its own.

3. Password Managers: Use a secure password manager to generate and store a unique random password for every account, which eliminates reuse.

4. Password Updates: Require a change when there is evidence of compromise. Forced periodic expiry is no longer recommended (NIST SP 800-63B), because it pushes users toward predictable variations of the old password.

Use of Hashed Passwords

1. Definition: A hashed password is the output of a one-way function applied to the password: a fixed-length value from which the password cannot be recovered except by guessing.

2. Advantages: The system never stores the password itself. If the password database is stolen, the attacker obtains only hashes and must guess each password and hash the guess to check it. This helps only if each hash is salted (a random per-user value mixed in, so identical passwords produce different hashes and one precomputed table cannot cover all users) and the hash function is deliberately slow.

3. How it Works: When a user creates a password, the system generates a random salt, hashes the salt and password together, and stores both the salt and the hash. When the user attempts to log in, the entered password is hashed with the stored salt and compared to the stored hash. If the two match, the user is authenticated. The comparison should be constant-time so that response timing does not leak how many bytes matched.

Hashing algorithms commonly listed for password storage include:

1. SHA-256 (Secure Hash Algorithm 256). A fast general-purpose hash. Used on its own, without a salt and a work factor, it is unsuitable for passwords, because a GPU can test billions of guesses per second against it.

2. PBKDF2 (Password-Based Key Derivation Function 2). Applies an HMAC (typically with SHA-256) many thousands of times with a salt, so each guess costs a configurable amount of CPU.

3. Argon2. Memory-hard as well as slow, so GPU and ASIC crackers gain little; the Argon2id variant is the current recommendation. bcrypt and scrypt belong to the same class.
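The storage and verification flow described above, as an added example that is not part of the original notes: it contrasts the unsalted SHA-256 scheme (and a dictionary attack against it) with salted PBKDF2-HMAC-SHA256 from the standard library and a constant-time verify. The iteration count, the record format and the wordlist are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# PBKDF2-HMAC-SHA256 work factor. Assumed value for illustration; tune it so
# that one derivation costs tens of milliseconds on the authentication server.
PBKDF2_ITERATIONS = 200_000

# Constructed wordlist standing in for the dictionaries a cracking tool uses.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1"]


def plain_sha256(password: str) -> str:
    """The unsalted, fast scheme the chapter lists as 'SHA-256'. Shown only as the
    weak baseline: identical passwords give identical hashes, and one SHA-256
    costs well under a microsecond, so guessing is cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored_hash: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack on an unsalted SHA-256 hash: hash each candidate
    and compare. Returns the recovered password, or None if not in the list."""
    for candidate in wordlist:
        if plain_sha256(candidate) == stored_hash:
            return candidate
    return None


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random 16-byte salt per user means two users with the same password
    get different records, so one precomputed table cannot attack every account,
    and the iteration count makes each guess deliberately expensive."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash using the salt and iteration count stored in the record
    and compare in constant time, so the comparison leaks no timing information."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never authenticate on garbage
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Two users choose the same weak password.
    weak = plain_sha256("letmein")
    print("unsalted SHA-256 cracked as:", crack_unsalted(weak, WORDLIST))
    r1, r2 = hash_password("letmein"), hash_password("letmein")
    print("salted records differ:", r1 != r2)
    print("verify correct:", verify_password("letmein", r1))
    print("verify wrong:", verify_password("letmeout", r1))
```

Storing the algorithm name and iteration count inside the record lets the work factor be raised later: old records keep verifying with their own parameters and can be re-hashed at the user's next successful login.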

Chapter 4:


Access Control

Access control is a security mechanism that regulates and manages access to resources, such as
computer systems, networks, and data.

Principle

The principle of access control is to grant access to resources based on user identity, group
membership, and permissions.

Policy

The policy of access control outlines the rules and guidelines for granting access to resources. It
defines who can access what resources, under what conditions.

Requirement

The requirements of access control include:

1. Authentication: Verifying the identity of users and systems before any access decision is made, since the decision is only as good as the identity it is based on.

2. Authorization data: A reliable record of who may perform which operations on which resources (for example, access control lists), applied consistently to every access attempt.

3. Least privilege: Each user or process holds only the rights its task needs, and separation of duty keeps a sensitive operation from being completed by a single party.

Element

The elements of access control include:

1. Subjects: The entities that request access, usually users (possibly acting through processes) and groups of users with similar access needs.

2. Objects: The resources being protected, such as files, database tables, devices, or network services.

3. Access rights: The operations a subject may perform on an object, such as read, write, execute, delete, and the right to grant rights to others.

Discretionary

Discretionary access control (DAC) means that the resource owner has the authority to decide who can access their resource and may pass rights on to others. Its weakness is that a careless or compromised owner can give access away; mandatory access control, by contrast, decides from centrally assigned security labels that owners cannot override.

Structure

The structure used to represent access control is the access matrix: one row per subject, one column per object, and in each cell the set of rights that subject holds on that object. Because the matrix is mostly empty, it is stored in one of two decomposed forms:

1. Access control lists (ACLs): One list per object (a column of the matrix) naming the subjects and their rights. Easy to answer "who may access this file".

2. Capability lists (tickets): One list per subject (a row of the matrix) naming the objects and the rights. Easy to answer "what may this user access", but capabilities must be unforgeable and are harder to revoke.

Users and groups are subjects, resources are objects; there is no hierarchy with resources "above" users, only the mapping between them.

Model

An access control model is the framework that defines how access decisions are made. The main models are discretionary access control (the owner decides), mandatory access control (a central policy over security labels), role-based access control (rights attach to roles and roles are assigned to users), and attribute-based access control (rules evaluated over attributes of the subject, the object, and the environment).

Command

The commands of access control change the protection state, that is, the contents of the access matrix:

1. Grant: Enter a right into a cell, giving a subject or group access to an object.

2. Revoke: Delete a right from a cell, taking access away from a subject or group.

3. Modify: Change the set of rights, which is a revoke of the old right followed by a grant of the new one.

In SQL these are the GRANT and REVOKE statements; in a file system they are operations such as chmod and chown.
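The access matrix from the Structure section together with the grant and revoke commands, as an added example that is not from the original notes: a small discretionary reference monitor in which only an object's owner may grant or revoke, users inherit the rights of their groups, and the ACL (column) and capability list (row) views are derived from the same matrix. The class, the user and object names, and the fixed right names are all assumptions for illustration.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple


class AccessMatrix:
    """Access matrix: one row per subject (user or group), one column per object,
    each cell a set of access rights. An ACL is one column of the matrix and a
    capability list is one row. Discretionary: the object's owner grants/revokes."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Set[str]] = defaultdict(set)  # (subject, obj) -> rights
        self._owner: Dict[str, str] = {}                                  # obj -> owning subject
        self._groups: Dict[str, Set[str]] = defaultdict(set)             # group -> member users

    def add_member(self, group: str, user: str) -> None:
        self._groups[group].add(user)

    def create_object(self, owner: str, obj: str) -> None:
        """Creating an object makes the creator its owner with full rights."""
        self._owner[obj] = owner
        self._cells[(owner, obj)].update({"owner", "read", "write"})

    def _require_owner(self, subject: str, obj: str) -> None:
        if self._owner.get(obj) != subject:
            raise PermissionError(f"{subject} does not own {obj}")

    def grant(self, granter: str, subject: str, obj: str, right: str) -> None:
        """Grant command: only the owner may enter a right into another subject's cell."""
        self._require_owner(granter, obj)
        self._cells[(subject, obj)].add(right)

    def revoke(self, revoker: str, subject: str, obj: str, right: str) -> None:
        """Revoke command: only the owner may delete a right from a cell."""
        self._require_owner(revoker, obj)
        self._cells[(subject, obj)].discard(right)

    def _subjects_for(self, user: str) -> Set[str]:
        """A user acts with its own row plus the rows of every group it belongs to."""
        return {user} | {g for g, members in self._groups.items() if user in members}

    def check(self, user: str, obj: str, right: str) -> bool:
        """Reference-monitor decision: allow iff some row for the user holds the right.
        Default is deny: an empty or missing cell grants nothing."""
        return any(right in self._cells.get((s, obj), set()) for s in self._subjects_for(user))

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        """Column view: which subjects hold which rights on this object."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj and r}

    def capability_list(self, subject: str) -> Dict[str, Set[str]]:
        """Row view: which objects this subject may access, and how."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject and r}


if __name__ == "__main__":
    m = AccessMatrix()
    m.create_object("alice", "report.doc")
    m.add_member("auditors", "bob")
    m.grant("alice", "auditors", "report.doc", "read")
    print("bob reads via group:", m.check("bob", "report.doc", "read"))
    print("ACL of report.doc:", m.acl("report.doc"))
    print("capabilities of auditors:", m.capability_list("auditors"))
    m.revoke("alice", "auditors", "report.doc", "read")
    print("bob reads after revoke:", m.check("bob", "report.doc", "read"))
```

Note the asymmetry the Structure section describes: revoking through the ACL is one cell update, whereas a real capability system would also have to invalidate every copy of the ticket the subject already holds.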

Function

The function of access control is to regulate and manage access to resources based on user identity,
group membership, and permissions.
Chapter 5:

Database System

A database system is a software system that allows you to store, manage, and retrieve data in a
structured and controlled manner.

Database

A database is a collection of organized data that is stored in a way that allows for efficient retrieval
and manipulation.

Database Security

Database security refers to the practices and measures taken to protect a database from
unauthorized access, use, disclosure, disruption, modification, or destruction.

Relational Database

A relational database is a type of database that organizes data into tables with well-defined
relationships between them.

Relational Database Elements

1. Tables: Collections of related data.

2. Rows: Individual entries in a table.


3. Columns: Individual fields in a table.

4. Primary Key: Unique identifier for each row.

5. Foreign Key: Links rows between tables.

Relational Database Example

A university database with tables for students, courses, and grades.

Structured Query Language (SQL)

A declarative language for defining, querying, and updating relational databases, and for granting and revoking access to them.

SQL Injection

An attack in which untrusted input is placed into a SQL query as text, so that part of the input is interpreted as SQL code rather than as data and changes what the query does.

SQL Attacks

SQL injection attacks are classified by avenue (where the input enters: a form field, a URL parameter, a cookie, a server variable, or data stored earlier and used in a later query, a "second-order" injection) and by channel (how results reach the attacker: in-band, inferential, or out-of-band, each defined below). Cross-site scripting (XSS) and cross-site request forgery (CSRF) are attacks on the web application rather than on the database and belong to a different class.

Simple SQL Injection Attack

Supplying input that contains SQL syntax, such as a quote character followed by extra clauses, so that the query built from it behaves differently from what the developer intended.

Typical Injection Attack

An attacker injects SQL into a login form to bypass authentication. If the application builds the query as SELECT ... WHERE username = '<input>' AND password = '<input>', entering ' OR '1'='1 as the password yields a condition that is always true, and entering admin' -- as the username comments out the password check altogether.
In-Band Attacks

Attacks in which the attacker sends the injected query and receives its results over the same channel, for example through database error messages (error-based) or by appending a UNION SELECT whose rows appear in the normal page output (union-based).

Database Access Control

Controlling access to the database based on user identity, group membership, and permissions.

Inferential Attack

Also called blind SQL injection: no data is returned in-band, so the attacker asks yes/no questions and reads the answer from the application's behaviour, such as whether the page content differs (boolean-based) or whether the response is delayed by an injected sleep (time-based), reconstructing the data one bit at a time.

Out-of-Band Attack

Attacks in which the results leave over a different channel from the one the query was sent on, for example by making the database server issue a DNS or HTTP request to a host the attacker controls, with the stolen data embedded in the name or URL.

SQLi Countermeasure

Measures to prevent SQL injection attacks, such as:

1. Input validation: Accept only input that matches an allow-list (type, length, character set). Useful as defence in depth, but not sufficient on its own.

2. Parameterized queries (prepared statements): Keep the SQL text fixed and pass user values separately, so the database never parses them as code. This is the primary defence.

3. Limiting database privileges: Connect the application with an account that can only do what the application needs, so a successful injection cannot read other tables, write files, or run administrative commands.
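The login bypass from the Typical Injection Attack section beside the parameterized-query and input-validation countermeasures, as an added example that is not from the original notes. It uses Python's built-in sqlite3 driver; the user table, the credentials and the username allow-list are constructed for the example. Passwords are kept in clear only to keep the table short; a real system stores the salted hashes of chapter 3, and the injection through the username field works the same either way.

```python
import re
import sqlite3
from typing import Optional

# Constructed user table for the example (plaintext passwords only for brevity).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Assumed allow-list for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Builds the query by string concatenation, so user input becomes SQL syntax.
    Username "alice' --" turns the rest of the statement into a comment;
    password "' OR '1'='1" makes the WHERE clause true for every row."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Parameterized query: the SQL text is fixed and the driver passes the values
    separately, so a quote or comment marker in the input is data, not syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def username_is_wellformed(username: str) -> bool:
    """Input validation as defence in depth: reject anything outside the allow-list
    before it reaches the database. Not a substitute for parameterization."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("alice", "s3cret"), ("alice' --", "wrong"), ("nobody", "' OR '1'='1")]:
        print(repr(user), repr(pw),
              "vulnerable ->", login_vulnerable(conn, user, pw),
              "| parameterized ->", login_parameterized(conn, user, pw),
              "| wellformed:", username_is_wellformed(user))
```

The third countermeasure, limiting privileges, is not visible in an in-memory SQLite file because it has no user accounts; on a server database the application would connect as a role holding only SELECT on the users table, so that even the vulnerable query could not be turned into a DROP TABLE or a read of unrelated tables.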

SQLi Access Control

Controlling what the application's database account can do, so that even a successful injection is contained: no administrative rights, no access to tables the application does not use, and, where the database supports it, views or stored procedures that expose only the operations the application needs.

Cascading Authorizations

Authorizations passed along a chain: a user granted a privilege WITH GRANT OPTION may grant it to others, who may grant it further. When a grant is revoked, the revocation cascades to every grant that depended on it, unless the recipient also holds the privilege from another independent source.

Role-Based Access Control

Controlling access to resources based on user roles.

Inference Example

A statistical database answers only aggregate queries (counts, sums, averages) over groups of records, yet an attacker can still learn one person's value: querying the total salary of a department, then the total for the same department minus one named employee, and subtracting, yields that employee's salary exactly.

Countermeasure

Measures to limit inference attacks, such as:

1. Query restriction: Refuse queries whose result set is too small (or too close to the whole table), and limit the overlap between successive queries from the same user.

2. Perturbation and aggregation: Add noise to the data or to the answers, or release only rounded or coarsely aggregated values, so individual records cannot be recovered exactly.

3. Limiting data access: Anonymize or remove identifying fields, and restrict who may query the sensitive columns at all.
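The inference example and the query-restriction countermeasure carried through in code, as an added example that is not from the original notes. It also goes one step beyond the text: it shows a "tracker" query that defeats a plain query-set-size limit, which is why the section lists several countermeasures rather than one. The employee table, the salaries and the StatisticalDB class are constructed assumptions for the example.

```python
from typing import Callable, List, Tuple

Row = Tuple[str, str, int]  # (name, dept, salary)
Predicate = Callable[[Row], bool]

# Constructed employee records: n = 8 people in three departments.
EMPLOYEES: List[Row] = [
    ("alice", "eng", 120000), ("bob", "eng", 95000), ("carol", "eng", 105000),
    ("dave", "sales", 70000), ("erin", "sales", 72000),
    ("frank", "ops", 80000), ("grace", "ops", 82000), ("heidi", "ops", 78000),
]


class StatisticalDB:
    """Answers only aggregate (SUM) queries over a predicate, never single rows.
    With k > 0 it applies query-set-size restriction: a query is answered only
    if it covers between k and n - k records (too small or too close to the
    whole table both leak individuals)."""

    def __init__(self, rows: List[Row], k: int = 0) -> None:
        self.rows = list(rows)
        self.n = len(self.rows)
        self.k = k

    def sum_salary(self, pred: Predicate) -> int:
        selected = [r for r in self.rows if pred(r)]
        if not (self.k <= len(selected) <= self.n - self.k):
            raise PermissionError(
                f"query set size {len(selected)} outside [{self.k}, {self.n - self.k}]")
        return sum(r[2] for r in selected)


def infer_direct(db: StatisticalDB, target: str, dept: str) -> int:
    """Salary(target) = SUM(dept) - SUM(dept minus target): two legal-looking
    aggregate queries reveal one person's value. Blocked by query-set-size
    restriction once 'dept minus target' is smaller than k."""
    whole = db.sum_salary(lambda r: r[1] == dept)
    rest = db.sum_salary(lambda r: r[1] == dept and r[0] != target)
    return whole - rest


def infer_with_tracker(db: StatisticalDB, target: str, dept: str, tracker_dept: str) -> int:
    """Defeats the size limit with a tracker T (another department whose size is
    inside the allowed range). The too-small set S = dept minus target is never
    queried alone: SUM(S) = SUM(S or T) - SUM(T), and both of those sets are
    large enough to be answered."""
    def in_t(r: Row) -> bool:
        return r[1] == tracker_dept

    def small(r: Row) -> bool:
        return r[1] == dept and r[0] != target

    whole = db.sum_salary(lambda r: r[1] == dept)
    rest = db.sum_salary(lambda r: small(r) or in_t(r)) - db.sum_salary(in_t)
    return whole - rest


if __name__ == "__main__":
    print("no restriction:", infer_direct(StatisticalDB(EMPLOYEES, k=0), "alice", "eng"))
    restricted = StatisticalDB(EMPLOYEES, k=3)
    try:
        infer_direct(restricted, "alice", "eng")
    except PermissionError as exc:
        print("k=3 blocks the direct attack:", exc)
    print("k=3, tracker attack:", infer_with_tracker(restricted, "alice", "eng", "ops"))
```

With k=3 and n=8 the allowed set sizes are 3 to 5: the direct second query covers 2 rows and is refused, but every query in the tracker version covers 3 or 5 rows and is answered, so the restriction alone does not stop the inference. That is the argument for combining it with perturbation or with limits on how much successive queries may overlap.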