Identification describes a method by which a subject (user, program, or process) claims to have a specific identity (username, account number, or e-mail address).
Authentication is the process by which a system verifies the identity of the subject, usually by requiring a piece of information that only the claimed identity should have. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token. Together, the identification and authentication information (for example, username and password) make up the subject's credentials. These credentials are compared to information that has been previously stored for this subject. If the credentials match the stored information, the subject is authenticated.
Once the subject provides its credentials and is properly authenticated, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions. The system will look at some type of access control matrix or compare security labels to verify that this subject may indeed access the requested resource and perform the actions it is attempting. If the system determines that the subject may access the resource, it authorizes the subject.
The subject needs to be held accountable for the actions taken within a system or domain. The only way to ensure accountability is if the subject is uniquely identified and the subject’s actions are recorded.
Logical access controls are technical tools used for identification, authentication, authorization, and accountability.
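The four steps above, identification, authentication, authorization, and accountability, as one worked example. This is an added illustration, not code from the CISSP guide or the notes; the user records, the access control matrix, the object names (payroll.db, report.txt), and the passwords are all constructed for the demo. Authentication compares a PBKDF2 hash of the supplied password with the stored hash in constant time, authorization consults a subject-by-object matrix, and every attempt, successful or not, is written to an audit log keyed to the claimed identity so that actions can be traced back to a subject:

```python
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000  # constructed setting for the demo


def _make_record(password: str) -> dict:
    """Build a stored credential: random salt + PBKDF2-HMAC-SHA256 of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


# Constructed credential store: identity -> stored verifier (never the plaintext).
USERS = {
    "alice": _make_record("correct horse battery staple"),
    "bob": _make_record("hunter2"),
}

# Constructed access control matrix: subject -> object -> permitted actions.
ACL_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob": {"report.txt": {"read"}},
}

# Accountability: one entry per access attempt, tied to the claimed identity.
AUDIT_LOG = []


def identify(username: str):
    """Identification: the subject claims an identity; return it if it is known."""
    return username if username in USERS else None


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the claim with something only that identity should know."""
    rec = USERS.get(username)
    if rec is None:
        # Run the same hash work for unknown users so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, rec["hash"])  # constant-time comparison


def authorize(subject: str, obj: str, action: str) -> bool:
    """Authorization: look the subject/object pair up in the access control matrix."""
    return action in ACL_MATRIX.get(subject, {}).get(obj, set())


def record(subject: str, obj: str, action: str, outcome: str) -> None:
    """Accountability: append an audit entry for every attempt, allowed or not."""
    AUDIT_LOG.append({"time": time.time(), "subject": subject, "object": obj,
                      "action": action, "outcome": outcome})


def access(username: str, password: str, obj: str, action: str) -> str:
    """Full flow: identify -> authenticate -> authorize, logging the result."""
    subject = identify(username)
    if subject is None or not authenticate(username, password):
        record(username, obj, action, "authentication failed")
        return "denied: authentication failed"
    if not authorize(subject, obj, action):
        record(subject, obj, action, "authorization denied")
        return "denied: not authorized"
    record(subject, obj, action, "permitted")
    return "permitted"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "payroll.db", "write"))
    print(access("bob", "hunter2", "payroll.db", "read"))
    print(access("bob", "wrong password", "report.txt", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the log records the claimed identity even when authentication fails; a failed attempt is still an action that may need to be attributed later, which is why identification must come before authentication and why each identity must be unique.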
Three general factors can be used for authentication: something a person knows, something a person has, and something a person is. These factors are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic.
Strong authentication contains two or all of these three methods: something a person knows, has, or is.
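The factor categories and the "two of three" rule, as an added example that is not part of the original notes. The password and PIN are knowledge factors; the time-based one-time code is an ownership factor, since it can only be produced by whoever holds the shared seed (the authenticator device). The TOTP routine follows RFC 6238 (HMAC-SHA1 over a 30-second counter, as in RFC 4226 HOTP); the seed, salt, password, and PIN values are constructed for the demo. The point the code makes is that a password plus a PIN is still single-factor, because both are things the person knows, while a password plus a one-time code spans two categories and therefore counts as strong authentication:

```python
import hashlib
import hmac
import struct
import time

# Constructed secrets for the demo (a real system stores these per user).
TOTP_SECRET = b"constructed-demo-seed-0123456789"   # ownership factor seed
PASSWORD_SALT = b"constructed-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple",
                                    PASSWORD_SALT, 100_000)
PIN_HASH = hashlib.sha256(b"4242").digest()          # constructed PIN (demo only)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current time step."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Each check returns (factor category, verified?) so the policy can reason
# about categories rather than about how many secrets were typed.
def check_password(pw: str):
    cand = hashlib.pbkdf2_hmac("sha256", pw.encode(), PASSWORD_SALT, 100_000)
    return ("knowledge", hmac.compare_digest(cand, PASSWORD_HASH))


def check_pin(pin: str):
    return ("knowledge", hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), PIN_HASH))


def check_totp(code: str, now: float = None, skew: int = 1):
    """Accept the code for the current step and `skew` steps either side (clock drift)."""
    now = time.time() if now is None else now
    ok = any(hmac.compare_digest(totp(TOTP_SECRET, now + d * 30), code)
             for d in range(-skew, skew + 1))
    return ("ownership", ok)


def is_strong_authentication(results) -> bool:
    """Strong (multi-factor) authentication: every presented factor verified,
    and the verified factors come from at least two distinct categories."""
    if not results or not all(ok for _, ok in results):
        return False
    return len({category for category, _ in results}) >= 2


if __name__ == "__main__":
    now = time.time()
    code = totp(TOTP_SECRET, now)
    print("password + PIN   :", is_strong_authentication(
        [check_password("correct horse battery staple"), check_pin("4242")]))
    print("password + TOTP  :", is_strong_authentication(
        [check_password("correct horse battery staple"), check_totp(code, now)]))
```

The category check is the part worth copying: counting verified secrets is not enough, because two secrets of the same kind fall to the same kind of attack (both a password and a PIN are lost if the person is phished or the credential store is read), which is exactly why the definition is phrased in terms of distinct factors.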
The remaining content is on my WeChat public account debugeeker, under the link CISSP Exam Guide Notes: 5.3 Identification, Authentication, Authorization, and Accountability.