path: root/en_GB/Introduction to Information Security
Diffstat (limited to 'en_GB/Introduction to Information Security')
-rw-r--r-- en_GB/Introduction to Information Security/introduction_to_information_security.md | 41
1 files changed, 25 insertions, 16 deletions
diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md
index 7269b89..67dd769 100644
--- a/en_GB/Introduction to Information Security/introduction_to_information_security.md
+++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md
@@ -4,15 +4,15 @@
### Security objectives
-- Confidentiality
+- Confidentiality
Contents of objects cannot be read by third parties.
-- Integrity
+- Integrity
Whether or not a message has been modified between origin and receiver.
-- Availability
+- Availability
Guaranteed access to the information for permitted parties.
-- Access Control
+- Access Control
Only permitted parties are allowed to access the information.
-- Non-repudiation
+- Non-repudiation
Proof that an entity was involved in some event.
### CIA
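Review bot: the replaced and added lines in this hunk render identically, so the change is presumably trailing whitespace (a Markdown hard line break so that the description on the following line does not run into the bullet); saying so in the commit message would spare the next reader a whitespace-visible diff. While these bullets are being touched, the Integrity description "Whether or not a message has been modified between origin and receiver." states a question rather than a property; consider "Assurance that a message has not been modified between origin and receiver."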
@@ -26,18 +26,18 @@
- Confidentiality
- Integrity
- Availability
-- Utility
+- Utility
Ensures that the information is useful and insensitive to e.g. lost keys.
-- Possession or Control
+- Possession or Control
Be sure that the possessor is in control of the information at all times.
-- Authenticity
+- Authenticity
Verification of claimed identities. Notice: In most cases, this just proves entities (e.g. machines), not humans.
Also, there must be a point in time where authentication starts. If this step is taken automatically by a machine (e.g. session start),
there is no valid inference to the actual human.
### Secrecy
-Confidentiality+.
+Confidentiality+.
Not only provides hidden contents, but also hides the fact that there is content at all.
### Strategy
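Review bot: the Utility description "Ensures that the information is useful and insensitive to e.g. lost keys." is unclear as written; the point seems to be that encrypted data whose key is lost stays confidential but is no longer useful, so spell it out, e.g. "Information remains usable to permitted parties; encrypted data whose key has been lost fails this objective." Also, the three Authenticity lines ("Verification of claimed identities. ..." through "there is no valid inference to the actual human.") are not given the same line-break treatment as the rest of the hunk, so they will render as a single paragraph; apply the same change there if separate lines are intended.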
@@ -80,18 +80,18 @@ As a user, you can be authenticated on the basis of
### Password protection
-- No expiry dates
+- No expiry dates
Studies have shown that this results in worse passwords.
-- No restrictions in password alphabet
+- No restrictions in password alphabet
Studies have shown that this leads to less possibilities in exhaustive guessing and therefore leads to worse passwords.
-- Set a minimum length instead
+- Set a minimum length instead
Has a higher impact than complexity. Set the maximum to at least 64.
- No hints
-- Show passwords while typing
+- Show passwords while typing
Doing the opposite motivates the user to choose shorter passwords.
-- Allow passwords to be pasted
+- Allow passwords to be pasted
This enables secure password managers to be used.
-- Forbid commonly used passwords
+- Forbid commonly used passwords
Makes dictionary attacks difficult.
- Limit number of failed password attempts
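Review bot: the ambiguous "this" in the first two bullets inverts the advice: under "- No expiry dates", "Studies have shown that this results in worse passwords." reads as though not expiring passwords makes them worse, and under "- No restrictions in password alphabet", "this leads to less possibilities in exhaustive guessing" reads the same way. Name the practice being discouraged instead, e.g. "Forcing regular expiry has been shown to result in worse passwords." and "Restricting the alphabet shrinks the space an exhaustive guess has to cover and leads to worse passwords." Also "- Set a minimum length instead" followed by "Set the maximum to at least 64." mixes two rules in one bullet; state both explicitly: require a minimum length, and allow a maximum of at least 64 characters.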
@@ -107,6 +107,7 @@ As a user, you can be authenticated on the basis of
#### False match rate (FMR)
How often is a false match attempt successful, which it should not be? Best case: $\text{FMR} = 0$.
+It can be interpreted as a measure of quality of the specific scheme. The lower the value, the better.
$\text{FMR} = \frac{\text{\# successful false matches}}{\text{\# attempted false matches}}$
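Review bot: the added sentence "The lower the value, the better." needs a qualifier. By the formula below it, a scheme that rejects every attempt trivially reaches the "Best case: FMR = 0", so a low FMR only measures quality when genuine attempts are still accepted at a useful rate. Suggest "The lower the value, the better, for a given rate of rejected genuine attempts."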
@@ -165,6 +166,14 @@ Probability of some sample to match at least one of the entries in the database.
$\text{FPIR} = (1 - \text{FTA}) \times (1 - (1 - \text{FMR})^{n})$
+#### Biometrics in remote authentication
+
+*FPIR* scales up with increased *n* (database size), which makes it unusable in remote authentication with large databases.
+
+##### Examples
+
+Using a biometric scheme with $\text{FMR} = 0.01\%$ and a database of size $\text{n} = 80000$ results in $\text{FPIR} = (1 - 0) \times (1 - (1 - 0.0001)^{80000}) = 99.97\%$.
+
## Threat scenarios
No security issues without threat models! E.g. a password is considered safe without any provided threat model.
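Review bot: the example in "##### Examples" silently assumes FTA = 0 in the factor "(1 - 0)"; state that assumption ("assuming no failures to acquire, FTA = 0"), since the formula above carries FTA as a factor. The arithmetic checks out: (1 - 0.0001)^{80000} is about e^{-8}, roughly 0.00034, so FPIR is about 99.97%. Minor: "$\text{n} = 80000$" typesets the variable upright while the formula above writes it as "^{n}"; use "$n = 80000$" for consistency.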
@@ -188,5 +197,5 @@ Victim enters his password and the attacker captures the data forwarded by the f
#### Countermeasures
- System authentication to the user
-- Display number of failed logins
+- Display number of failed logins
Indicates compromised password to the user.
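Review bot: "Indicates compromised password to the user." under "- Display number of failed logins" overstates what the count shows. Failed attempts indicate that someone is guessing the password; an attacker who already holds the password (the phishing scenario named in the hunk header) logs in successfully and leaves no failed attempt behind. Suggest "Indicates guessing attempts against the account to the user."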