1.

Computer Security: Principles and Practice

NIST Definition of Computer Security: Computer security involves measures and controls to ensure the confidentiality,
integrity, and availability of information system assets, including hardware, software, firmware, and the information being
processed, stored, and communicated.
Data and Services:
Confidentiality: Protecting information from unauthorized access or disclosure.
Integrity: Ensuring information is not altered improperly, maintaining its authenticity and non-repudiation.
Availability: Ensuring timely and reliable access to information.
Authenticity: Verifying that information, systems, and users are legitimate.
Accountability: Ensuring actions are traceable to the responsible entity.
Levels of Impact:
Low: Limited adverse effect on operations or individuals.
Moderate: Serious adverse effect on operations or individuals.
High: Severe or catastrophic effect on operations or individuals.
Computer Security Challenges
1. Computer security is not as simple as it might first appear to the novice
2. In developing a particular security mechanism or algorithm, one must always consider potential attacks on those
security features
3. Procedures used to provide particular services are often counterintuitive
4. Physical and logical placement needs to be determined
5. Security mechanisms typically involve more than a particular algorithm or protocol and also require that participants
be in possession of some secret information which raises questions about the creation, distribution, and protection of
that secret information
6. Attackers only need to find a single weakness, while the designer must find and eliminate all weaknesses to achieve
perfect security
7. Security is still too often an afterthought to be incorporated into a system after the design is complete, rather than
being an integral part of the design process
8. Security requires regular and constant monitoring
9. There is a natural tendency on the part of users and system managers to perceive little benefit from security investment
until a security failure occurs
10. Many users and even security administrators view strong security as an impediment to efficient and user-friendly
operation of an information system or use of information

Computer Security Terminology

- Adversary (Threat Agent): An individual or group intent on harmful activities.
- Attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information
system resources or the information itself.
- Countermeasure: A device or techniques that has as its objective the impairment of the operational
effectiveness of undesirable or adversarial activity, or the prevention of espionage, sabotage, theft, or
unauthorized access to or use of sensitive information or information systems.
- Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically
a function of 1) the adverse impacts that would arise if the circumstance or event occurs; and 2) the likelihood of
occurrence.
- Security Policy: A set of criteria for the provision of security services. It defines and constrains the activities of a
data processing facility in order to maintain a condition of security for systems and data.
- System Resource (Asset): A major application, general support system, high impact program, physical plant,
mission critical system, personnel, equipment, or a logically related group of systems.
- Threat: Circumstances or events that could negatively impact operations or assets.
- Vulnerability: Weaknesses in systems that could be exploited by threats
Assets of a Computer System:
- Hardware
- Software
- Data
- Communication facilities and networks

Vulnerabilities, Threats and Attacks:

• Categories of vulnerabilities
• Corrupted (loss of integrity)
• Leaky (loss of confidentiality)
• Unavailable or very slow (loss of availability)
• Threats: Represent potential security harm to an asset. Capable of exploiting vulnerabilities
• Attacks (threats carried out)
• Passive – attempt to learn or make use of information from the system that does not affect system
resources
• Active – attempt to alter system resources or affect their operation
• Insider – initiated by an entity inside the security parameter
• Outsider – initiated from outside the perimeter

Countermeasures: Means used to deal with security attacks. Prevent, Detect, Recover. Residual vulnerabilities may
remain. May itself introduce new vulnerabilities. Goal is to minimize residual level of risk to the assets.

Passive and Active Attacks:

- Passive Attacks: Attempts to learn or make use of information from the system but does not affect system
resources. Eavesdropping on, or monitoring of, transmissions. Goal of attacker is to obtain information that is
being transmitted.
• Two types:
o Release of message contents
o Traffic analysis
- Active Attack: Attempts to alter system resources or affect their operation. Involve some modification of the
data stream or the creation of a false stream
• Four categories:
o Replay
o Masquerade
 o Modification of messages
o Denial of service

Fundamental Security Design Principles:

- Economy of mechanism
- Fail-safe defaults
- Complete mediation
- Open design
- Separation of privilege
- Least privilege
- Least common mechanism
- Psychological acceptability
- Isolation
- Encapsulation
- Modularity
- Layering
- Least astonishment

Attack Surfaces: Consist of the reachable and exploitable vulnerabilities in a system

Attack Surface Categories:
- Network Attack Surface
o Vulnerabilities over an enterprise network, wide-area network, or the Internet
 o Included in this category are network protocol vulnerabilities, such as those used for a denial- of-
service attack, disruption of communications links, and various forms of intruder attacks.
- Software Attack Surface
o Vulnerabilities in application, utility, or operating system code
o Particular focus is Web server software.
- Human Attack Surface
o Vulnerabilities created by personnel or outsiders, such as social engineering, human error, and trusted
insiders.

Computer Security Strategy:

- Security Policy: Format statement of rules and practices that specify are regulate how a system or organization
provides security services to protect sensitive and critical system resources.
- Security Implementation: Involves four complementary courses of action:
 o Preventation
o Detection
o Response
o Recovery
- Assurance: An attribute of an information system that provides grounds for having confidence that the system
operates such that the system’s security policy is enforced.
- Evaluation: Process of examining a computer product or system with respect to certain criteria. Involves testing
and may also involve formal analytic or mathematical techniques.
Standards
• Standards have been developed to cover management practices and the overall architecture of security mechanisms
and services
• The most important of these organizations are:
o National Institute of Standards and Technology (NIST): U.S. federal agency for standards related to
measurement and technology.
o Internet Society (ISOC): Professional society focusing on internet infrastructure standards.
o International Telecommunication Union (ITU-T): A UN agency that coordinates global telecommunication
services.
o International Organization for Standardization (ISO) : Non-governmental organization for international
standardization, including security standards

Symmetric Encryption
• The universal technique for providing confidentiality for transmitted or stored data
• Also referred to as conventional encryption or single-key encryption
• Two requirements for secure use:
• Need a strong encryption algorithm
• Sender and receiver must have obtained copies of the secret key in a secure fashion and must keep the key
secure

Attacking Symmetric Encryption

Cryptanalytic Attacks
Rely on:
Nature of the algorithm
Some knowledge of the general characteristics of the plaintext
Some sample plaintext- ciphertext pairs
Exploits the characteristics of the algorithm to attempt to deduce a specific plaintext or the key being used.
If successful all future and past messages encrypted with that key are compromised.
Brute-Force Attacks
Try all possible keys on some ciphertext until an intelligible translation into plaintext is obtained.
On average half of all possible keys must be tried to achieve success.
Comparison of Three Popular Symmetric Encryption Algorithms

Data Encryption Standard (DES)

- Until recently was the most widely used encryption scheme
o FIPS PUB 46
o Referred to as the Data Encryption Algorithm (DEA)
o Uses 64-bit plaintext block and 56 bits key to produce a 64-bit ciphertext block.
- Strength concerns:
o Concerns about the algorithm itself
▪ DES is the most studied encryption algorithm in existence.
o Concerns about the use of a 56-bit key
▪ The speed of commercial off-the-shelf processors makes this key length woefully inadequate.
Triple DES (3DES)
- Repeats basic DES algorithm three times using either two or three unique keys.
- First standardized for use in financial applications in ANSI standard X9.17 in 1985
- Attractions:
o 168-bit key length overcomes the vulnerability to brute-force attack of DES
o Underlying encryption algorithm is the same as in DES.
- Drawbacks:
o Algorithm is sluggish in software.
o Uses a 64-bit block size.

Advanced Encryption Standard (AES)

Practical Security Issues

- Typically, symmetric encryption is applied to a unit of data larger than a single 64-bit or 128-bit block.
- Electronic code book (ECB) mode is the simplest approach to multiple block encryption.
o Each block of plaintext is encrypted using the same key.
o Cryptanalysts may be able to exploit regularities in the plaintext.
- Modes of operation
o Alternative techniques developed to increase the security of symmetric block encryption for large
sequences.
o Overcomes the weaknesses of ECB.
 Block & Stream Ciphers
- Block Cipher
• Processes the input one block of elements at
a time
• Produces an output block for each input
block
• Can reuse keys
• More common
- Stream Cipher
• Processes the input elements continuously
• Produces output one element at a time
• Primary advantage is that they are almost
always faster and use far less code
• Encrypts plaintext one byte at a time
• Pseudorandom stream is one that is
unpredictable without knowledge of the input
key

Message Authentication
- Protects against active attacks.
- Verifies received message is authentic.
• Contents have not been altered
• From authentic source
• Timely and in correct sequence
- Can use conventional encryption.
• Only sender and receiver share a key

Message Authentication Without Confidentiality

• Message encryption by itself does not provide a secure form of authentication
• It is possible to combine authentication and confidentiality in a single algorithm by encrypting a message plus
its authentication tag
• Typically, message authentication is provided as a separate function from message encryption
• Situations in which message authentication without confidentiality may be preferable include:
• There are a number of applications in which the same message is broadcast to a number of
destinations
• An exchange in which one side has a heavy load and cannot afford the time to decrypt all incoming
messages
• Authentication of a computer program in plaintext is an attractive service
• Thus, there is a place for both authentication and encryption in meeting security requirements
Security of Hash Functions
- There are two approaches to attacking a secure hash function:
o Cryptanalysis: Exploit logical weaknesses in the algorithm.
o Brute-force attack: Strength of hash function depends solely on the length of the has code produced
by the algorithm.
- SHA most widely used hash algorithm.
 - Additional secure hash function applications
o Password: Hash of a password is stored by an operating system.
o Intrusion detection: Store H(F) for each file on a system and secure the hash values.

Public-Key Encryption Structure: Publicly proposed by Diffie and Hellman in 1976, based on mathematical functions,
asymmetric.
• Uses two separate keys
• Public key and private key
• Public key is made public for others to use
- Some form of protocol is needed for distribution.

- Plaintext: Readable message or data that is

fed into the algorithm as input.
- Encryption algorithm: Performs
transformations on the plaintext.
- Public and private key: Pair of keys, one for
encryption, one for decryption
- Ciphertext: Scrambled message produced as
output.
- Decryption key: Produces the original
plaintext.

- User encrypts data using his or her own private

key.
- Anyone who knows the corresponding public
key will be able to decrypt the message.

Applications for Public-Key Cryptosystems

Requirements for PK Cryptosystems

- Computationally easy to create key pairs.
- Useful if either key can be used for each role.
- Computationally infeasible for opponent to otherwise recover original message.
- Computationally easy for sender knowing public key to encrypt messages.
- Computationally easy for receiver knowing private key to decrypt ciphertext.
- Computationally infeasible for opponent to determine private key from public key.
Asymmetric Encryption Algorithms
- RSA (Rivest, Shamir, Adleman): Developed in 1977. Most widely accepted and implemented approach to public-
key encryption. Block cipher in which the plaintext and ciphertext are integers between 0 and n-1 for some n.
- Diffie-Hellman key exchange algorithm: Enables two users to securely reach agreement about a shared secret
that can be used as a secret key for subsequent symmetric encryption of messages. Limited to the exchange of
the keys
- Digital Signature Standard (DSS): Provides only a digital signature function with SHA-1. Cannot be used for
encryption or key exchange.
- Elliptic curve cryptography (ECC): Security like RSA, but with much smaller keys

Digital Signatures
- NIST FIPS PUB 186-4 defines a digital signature as: ” The result of a cryptographic transformation of data that,
when properly implemented, provides a mechanism for verifying origin authentication, data integrity and
signatory non-repudiation.”
- Thus, a digital signature is a data-dependent bit pattern, generated by an agent as a function of a file, message,
or other form of data block.
- FIPS 186-4 specifies the use of one of three digital signature algorithms:
o Digital Signature Algorithm (DSA)
o RSA Digital Signature Algorithm
o Elliptic Curve Digital Signature Algorithm (ECDSA)

Random Numbers
- Uses include generation of:
o Keys for public-key algorithms
o Stream key for symmetric stream
cipher
o Symmetric key for use as a
temporary session key or in creating
a digital envelope.
o Hand shaking to prevent replay
attacks.
o Session key
Random Number Requirements
- Randomness
o Criteria:
▪ Uniform distribution
• Frequency of occurrence of each of the numbers should be approximately the
same.
▪ Independence
• No one value in the sequence can be inferred from the others.
- Unpredictability
o Each number is statistically independent of other numbers in the sequence.
o Opponent should not be able to predict future elements of the sequence on the basis of earlier
elements.

Random versus Pseudorandom

- Cryptographic applications typically make use of algorithmic techniques for random number generation.
o Algorithms are deterministic and therefore produce sequences of numbers that are not.
- Pseudorandom Numbers are:
o Sequences produces that statistical randomness tests.
o Likely to be predictable.
- True random number generator (TRNG):
o Uses a nondeterministic source to produce randomness.
o Most operate by measuring unpredictable natural processes.
▪ e.g., radiation, gas discharge, leaky capacitors
o Increasingly provided on modern processors

Practical Application: Encryption of Stored Data

NIST SP 800-63-3 (Digital Authentication Guideline, October 2016) defines digital user authentication as: “The process of
establishing confidence in user identities that are presented electronically to an information system.”
The four means of authenticating user identity are based on:
- Something the individual knows.
o Password, PIN, answers to prearranged questions
- Something the individual possesses.
o Smartcard, electronic keycard, physical key
- Something the individual is (static biometrics)
o Fingerprint, retina, face
- Something the individual does (dynamic biometrics)
o Voice pattern, handwriting, typing rhythm.

Risk Assessment for User Authentication

- There are three separate concepts:
o Assurance Level
o Potential impact
o Areas of risk

Assurance Level
- Describes an organization’s degree of certainty that a user has presented a credential that refers to his or her
identity.
- More specifically is defined as:
o The degree of confidence in the vetting process used to establish the identity of the individual to whom
the credential was issued.
o The degree of confidence that the individual who uses the credential is the individual to whom the
credential was issued.
- Four levels of assurance
o Level 1: Little or no confidence in the asserted identity's validity
 o Level 2: Some confidence in the asserted identity’s validity
o Level 3: High confidence in the asserted identity's validity
o Level 4: Very high confidence in the asserted identity’s validity

Potential Impact
• FIPS 199 defines three levels of potential impact on organizations or individuals should there be a breach of security:
o Low: An authentication error could be expected to have a limited adverse effect on organizational operations,
organizational assets, or individuals
o Moderate: An authentication error could be expected to have a serious adverse effect
o High: An authentication error could be expected to have a severe or catastrophic adverse effect

Maximum Potential Impacts for Each Assurance Level

Password-Based Authentication
• Widely used line of defense against intruders
o User provides name/login and password
o System compares password with the one stored for that specified login
• The user ID:
o Determines that the user is authorized to access the system
o Determines the user’s privileges
o Is used in discretionary access control

Password Vulnerabilities
Offline dictionary attack Workstation hijacking
Specific account attack Exploiting user mistakes
Password guessing against single user. Electronic monitoring
Popular password attack Exploiting multiple password use

UNIX Implementation
Original scheme
• Up to eight printable characters in length
• 12-bit salt used to modify DES encryption into a one-way hash function
• Zero value repeatedly encrypted 25 times
• Output translated to 11-character sequence
Now regarded as inadequate
• Still often required for compatibility with existing account management software or multivendor
environment
Improved Implementations
Much stronger hash/salt schemes available for Unix
Recommended hash function is based on MD5.
•Salt of up to 48-bits
•Password length is unlimited
•Produces 128-bit hash
•Uses an inner loop with 1000 iterations to achieve slowdown
OpenBSD uses Blowfish block cipher-based hash algorithm called Bcrypt.
•Most secure version of Unix hash/salt scheme
•Uses 128-bit salt to create 192-bit hash value

Password Cracking
Dictionary attacks
• Develop a large dictionary of possible passwords and try each against the password file
• Each password must be hashed using each salt value and then compared to stored hash values
Rainbow table attacks
• Pre-compute tables of hash values for all salts
• A mammoth table of hash values
• Can be countered by using a sufficiently large salt value and a sufficiently large hash length
Password crackers exploit the fact that people choose easily guessable passwords.
• Shorter password lengths are also easier to crack
John the Ripper
• Open-source password cracker first developed in in 1996
• Uses a combination of brute-force and dictionary techniques

Modern Approaches
• Complex password policy: Forcing users to pick stronger passwords
• However, password-cracking techniques have also improved
o the processing capacity available for password cracking has increased dramatically
o the use of sophisticated algorithms to generate potential passwords
o Studying examples and structures of actual passwords in use
Password Selection Strategies
User education: Users can be told the importance of using hard to guess passwords and can be provided with
guidelines for selecting strong passwords.
Computer generated passwords: Users have trouble remembering them.
Reactive password checking: System periodically runs its own password cracker to find guessable passwords.
Complex password policy: User is allowed to select their own password; however, the system checks to see if
the password is allowable, and if not, rejects it. Goal is to eliminate guessable passwords while allowing the user
to select a password that is memorable.

Proactive Password Checking

• Rule enforcement: Specific rules that passwords must adhere to
• Password checker: Compile a large dictionary of passwords not to use
• Bloom filter: Used to build a table based on hash values o Check desired password against this table

Memory Cards
• Can store but do not process data
• The most common is the magnetic stripe card
• Can include an internal electronic memory
• Can be used alone for physical access
o Hotel room
o ATM
• Provides significantly greater security when combined with a password or PIN
• Draw backs of memory cards include:
o Requires a special reader
o Loss of token
o User dissatisfaction

Smart Tokens
• Physical characteristics:
o Include an embedded microprocessor
o A smart token that looks like a bank card
o Can look like calculators, keys, small portable objects
• User interface:
o Manual interfaces include a keypad and display for human/token interaction
• Electronic interface
o A smart card or other token requires an electronic interface to communicate with a compatible
reader/writer
o Contact and contactless interfaces
 • Authentication protocol:
o Classified into three categories:
• Static
• Dynamic password generator
• Challenge-response
Smart Cards
• Most important category of smart token
o Has the appearance of a credit card
o Has an electronic interface
o May use any of the smart token protocols
• Contain:
o An entire microprocessor
• Processor • Memory • I/Oports
• Typically include three types of memory:
o Read-only memory (ROM)
• Stores data that does not change during the card’s life
o Electrically erasable programmable ROM (EEPROM)
• Holds application data and programs
o Random access memory (RAM)
• Holds temporary data generated when applications are executed

Electronic Identity Cards (eID)

Use of a smart card as a national identity card for citizens
Can serve the same purposes as other national ID cards, and similar cards such as a driver’s license,
for access to government and commercial services.
Can provide stronger proof of identity and can be used in a wider variety of applications.
In effect, is a smart card that has been verified by the national government as valid and authentic.
Most advanced deployment is the German card neuer Personalausweis
 Has human-readable data printed on its surface
•Personal data
•Document number
•Card access number (CAN)
•Machine readable zone (MRZ)

Password Authenticated Connection Establishment (PACE)

Ensures that the contactless RF chip in the eID card cannot be read without explicit access control.
For online applications, access is established by the user entering the 6- digit PIN (which should only be known
to the holder of the card)
For offline applications, either the MRZ printed on the back of the card, or the six-digit card access number
(CAN) printed on the front is used.
Biometric Authentication
• Attempts to authenticate an individual based on unique physical characteristics
• Based on pattern recognition
• Is technically complex and expensive when compared to passwords and tokens
• Physical characteristics used include:
o Facial characteristics
o Fingerprints
o Hand geometry o Retinal pattern o Iris o Signature o Voice

Remote User Authentication

• Authentication over a network, the Internet,
or a communications link is more complex
• Additional security threats such as:
o Eavesdropping, capturing a
password, replaying an
authentication sequence that has
been observed
• Generally, rely on some form of a challenge-
response protocol to counter threat
Authentication Security Issues
Denial-of-Service: Attempts to disable a user authentication service by flooding the service with numerous
authentication attempts.
Trojan Horse: An application or physical device masquerades as an authentic application or device for the purpose of
capturing a user password, passcode, or biometric.
Eavesdropping: Adversary attempts to learn the password by some sort of attack that involves the physical proximity of
user and adversary
Client Attacks: Adversary attempts to achieve user authentication without access to the remote host or the intervening
communications path.
Host Attacks: Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored.
Replay: Adversary repeats a previously captured user response
Access Control Definitions
Access control is the process of regulating access to resources based on security policies, ensuring that only authorized
users or systems can access or use them. NISTIR 7298 defines it as granting or denying requests to obtain information or
enter facilities, while RFC 4949 views it as regulating system resource use by authorized entities according to a security
policy. The main goals are to prevent unauthorized access, prevent misuse by legitimate users, and enable authorized
users to access resources appropriately.

Access Control Principles

• In a broad sense, all of computer security is concerned with access control
• RFC 4949 defines computer security as: “measures that implement and assure security services in a computer system,
particularly those that assure access control service”

Access Control Policies

• Discretionary Access control (DAC): Controls access based on the identity of the requestor and on access rules
(authorizations) stating what requestors are (or are not) allowed to do
• Mandatory Access control (MAC): Controls access based on comparing security labels with security clearances
• Role-based Access control (RBAC): Controls access based on the roles that users have within the system and on rules
stating what accesses are allowed to users in given roles
• Attribute-based Access control (ABAC): Controls access based on attributes of the user, the resource to be accessed,
and current environmental conditions
Subjects, Objects, and Access Rights

Discretionary Access Control (DAC)

• Scheme in which an entity may be granted Access rights that permit the entity, by its own violation, to enable another
entity to Access some resource
• Often provided using an access matrix
o One dimension consists of identified subjects that may attempt data access to the resources
o the other dimension lists the objects that may be accessed
• Each entry in the matrix indicates the access rights of a particular subject for a particular object

Protection Domains
• Set of objects together with access rights to those objects
• More flexibility when associating capabilities with protection domains
• In terms of the access matrix, a row defines a protection domain
• User can spawn processes with a subset of the Access rights of the user
• Association between a process and a domain can be static or dynamic
• In user mode certain areas of memory are protected from use and certain instructions may not be executed
• In kernel mode privileged instructions may be executed and protected areas of memory may be accessed

UNIX File Access Control

UNIX files are administered using inodes (index nodes)
• Control structures with key information needed for a particular file
• Several file names may be associated with a single inode
 • An active inode is associated with exactly one file
• File attributes, permissions and control information are sorted in the inode
• On the disk there is an inode table, or inode list, that contains the inodes of all the files in the file system
• When a file is opened its inode is brought into main memory and stored in a memory resident inode table
Directories are structured in a hierarchical tree.
• May contain files and/or other directories
• Contains file names plus pointers to associated inodes

UNIX
File Access Control
Unique user identification number (user ID)
Member of a primary group identified by a group ID.
Belongs to a specific group.
12 protection bits
Specify read, write, and execute permission for the
owner of the file, members of the group and all other
users.
The owner ID, group ID, and protection bits are part of
the file’s inode.

Traditional UNIX File Access Control

“Set user ID” (SetUID)
“Set group ID” (SetGID)
System temporarily uses rights of the file owner/group in addition to the real user’s rights when making Access
control decisions.
Enables privileged programs to access files/resources not generally accessible.
Sticky bit: When applied to a directory it specifies that only the owner of any file in the directory can rename, move, or
delete that file.
Superuser: Is exempt from usual access control restrictions. Has system-wide Access

Access Control Lists (ACLs) in UNIX

Modern UNIX systems support ACLs.
•FreeBSD, OpenBSD, Linux, Solaris
FreeBSD
•Setfacl command assigns a list of UNIX user IDs and groups
•Any number of users and groups can be associated with a file
•Read, write, execute protection bits
•A file does not need to have an ACL
•Includes an additional protection bit that indicates whether the file has an extended ACL
When a process requests access to a file system object two steps are performed:
•Step 1 selects the most appropriate ACL
•Step 2 checks if the matching entry contains sufficient permissions
Constraints - RBAC
• Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• A defined relationship among roles or a condition related to roles
• Types:
Mutually exclusive roles
•A user can only be assigned to one role in the set (either during a session or statically)
•Any permission (access right) can be granted to only one role in the set
Cardinality
•Setting a maximum number with respect to roles
Prerequisite roles
•Dictates that a user can only be assigned to a particular role if it is already assigned to some other
specified role

Attribute-Based Access Control (ABAC)

Can define authorizations that express conditions on properties of both the resource and the subject
Strength is its flexibility and expressive power
Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating
predicates on both resource and user properties for each access
Web services have been pioneering technologies through the introduction of the eXtensible Access Control
Markup Language (XAMCL)
There is considerable interest in applying the model to cloud services
ABAC Model: Attributes
Subject attributes
• A subject is anactive entity that causes information to flow among objects or changes the system state
• Attributes define the identity and characteristics of the subject
Object attributes
• An object (or resource) is a passive information system-related entity containing or receiving information
• Objects have attributes that can be leverages to make access control decisions
Environment attributes
• Describe the operational, technical, and even situational environment orcontext in which the information
access occurs
• These attributes have so far been largely ignored in most access control policies
ABAC
Distinguishable because it controls access to objects by evaluating rules against the attributes of entities, operations,
and the environment relevant to a request
Relies upon the evaluation of attributes of the subject, attributes of the object, and a formal relationship or access
control ruledefining the allowable operations for subjectobject attribute combinations in a given environment
Systems are capable of enforcing DAC, RBAC, and MAC concepts
Allows an unlimited number of attributes to be combined to satisfy any access control rule

ABAC Policies
A policy is a set of rules and relationships that govern allowable behavior within an organization, based on the privileges of
subjects and how resources or objects are to be protected under which environment conditions
Typically written from the perspective of the object that needs protecting and the privileges available to subjects
Privileges represent the authorized behavior of a subject and are defined by an authority and embodied in a policy
Other terms commonly used instead of privileges are: rights, authorizations, and entitlements

Identity, Credential, and Access Management (ICAM)

• A comprehensive approach to managing and implementing digital identities, credentials, and access control
• Developed by the U.S. government
• Designed to:
o Create trusted digital identity representations of individuals and nonperson entities (NPEs)
o Bind those identities to credentials that may serve as a proxy for the individual of NPE in access transactions
• A credential is an object or data structure that authoritatively binds an identity to a token possessed
and controlled by a subscriber
o Use the credentials to provide authorized access to an agency’s resources

Identity Management
Concerned with assigning attributes to a digital identity and connecting that digital identity to an individual or NPE
Goal is to establish a trustworthy digital identity that is independent of a specific application or context
Most common approach to access control for applications and programs is to create a digital representation of an
identity for the specific use of the application or program
Maintenance and protection of the identity itself is treated as secondary to the mission associated with the application
Final element is lifecycle management which includes:
•Mechanisms, policies, and procedures for protecting personal identity information
•Controlling access to identity data
•Techniques for sharing authoritative identity data with applications that need it
•Revocation of an enterprise identity

Credential Management
The management of thelife cycle of the credential
Examples of credentials are smart cards, private/public cryptographic keys, and digital certificates
Encompasses five logical components:
An authorized individual sponsors an individual or entity for a credential to establish the need for the credential The
sponsored individual enrolls for the credential
• Process typically consists of identity proofing and the capture of biographic and biometric data
• This step may also involve incorporating authoritative attribute data, maintained by the identity management
component
A credential is produced
• Depending on the credential type, production may involve encryption, the use of a digital signature, the production of a
smart card or other functions The credential is issued to the individual or NPE
A credential must be maintained over its life cycle
• Might include revocation, reissuance/replacement, reenrollment, expiration, personal identification number (PIN) reset,
suspension, or reinstatement

Access Management
Deals with the management and control of the ways entities are granted access to resources
Covers both logical and physical access
May be internal to a system or an external element
Purpose is to ensure that the proper identity verification is made when an individual
attempts to access a security sensitive building, computer systems, or data
Three support elements are needed for an enterprisewide access control facility:
• Resource management
• Privilege management
• Policy management

Three support elements are needed for an enterprise-wide access control facility:
Resource Management:
• Concerned with defining rules for a resource that requires access control
• Rules would include credential requirements and what user attributes, resource attributes, and environmental
conditions are required for access of a given resource for a given function
Privilege management
• Concerned with establishing and maintaining the entitlement or privilege attributes that comprise an
individual’s access profile
• These attributes represent features of an individual that can be used as the basis for determining access
decisions to both physical and logical resources
• Privileges are considered attributes that can be linked to a digital identity
Policy management:
• Governs what is allowable and unallowable in an access transaction
Identity Federation
• Term used to describe the technology, standards, policies, and processes that allow an organization to trust digital
identities, identity attributes, and credentials created and issued by another organization
• Addresses two questions:
o How do you trust identities of individuals from external organizations who need access to your systems
o How do you vouch for identities of individuals in your organization when they need to collaborate with external
organizations

Open Identity Trust Framework

OpenID: An open standard that allows users to be authenticated by certain cooperating sites using a third party service
OIDF: OpenID Foundation is an international nonprofit organization of individuals and companies committed to enabling,
promoting, and protecting OpenID technologies
ICF: Information Card Foundation is a nonprofit community of companies and individuals working together to evolve the
Information Card ecosystem
OITF: Open Identity Trust Framework is a standardized, open specification of a trust framework for identity and attribute
exchange, developed jointly by OIDF and ICF
OIX: Open Identity Exchange Corporation is an independent, neutral, international provider of certification trust
frameworks conforming to the OITF model
AXN: Attribute Exchange Network is an online Internet-scale gateway for identity service providers and relying parties to
efficiently access user asserted, permissioned, and verified online identity attributes in high volumes at affordable costs