vault backup: 2022-07-29 13:33:29

Jet Hughes 2022-07-29 13:33:29 +12:00
parent 7ce5a39e15
commit 7b7a456921
2 changed files with 44 additions and 10 deletions

View File

@ -0,0 +1,44 @@
---
title: "04-authentication-authorisation-passwords"
aliases:
tags:
- lecture
- comp210
---
# Authentication
- proof of identity
- need to be sure a user is who they say they are before you can trust them
- usually done via a unique identifier
- unique username
- and a secret that is only known by the authorised user
- password
- biometrics
- 2fa code
## MFA
- many secrets
- protects user/system in the case that a password is disclosed
- additional secrets generated at the time of use.
- short lived
- if found - attackers have a small windoe to exploit
- e.g.,
- sms message
- authenticator app
# Authorisation
- verifying that a user is allowed to access the operation that they are attempting to access
- requires explicit check in the system for restricted operatons
- some code that check if the roles assigned to the authenticaed user intersect the roles required for the current operation
- use is assigned a **role** that defines the operations they are allowed to perform
- e.g.
- custoemer - can view products, and see retail prices
- sales rep - can view products and see retail and cost prices
- manager - can add/delete/modify products
- admin - can change system configuration. can assign roles to users
# Authentication and Authorisation
- one is useless without the other
- many security vulnerabilities are caused by inexperienced/incompetent programmer creating systems that only have one or the other
- authenticaion without authorisation can lead to *path traversal* flaws
- authorisation without authenticaion is the equivalent of blindly trusting your users.
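Review bot: the last bullet of the "Authentication and Authorisation" section mislabels the flaw: what authentication-without-authorisation produces is broken access control (an authenticated user reaching operations or records that were never assigned to their role, sometimes called insecure direct object reference), whereas "path traversal" names a file-path input validation bug (`../` sequences) that exists whether or not authorisation checks are present. Suggest "authentication without authorisation leads to *broken access control* flaws", which also ties back to the "requires explicit check in the system for restricted operations" bullet above it. Several spellings in the added note also need fixing: "windoe" (window), "operatons" (operations), "authenticaed" and "authenticaion" (authenticated, authentication), "custoemer" (customer), and "use is assigned a role" (user is assigned a role). Finally, `aliases:` in the front matter is left empty; either give it a value or drop the key.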

View File

@ -18,16 +18,6 @@ No final exam
- [mccumber-cube](notes/mccumber-cube.md)
- [access-security-tradeoff](notes/access-security-tradeoff.md)
- [cia-triad](notes/cia-triad.md)
-
-
- Risks
- Ethics and Privacy
- Cyrptography
- Physical security
- Electronic Forensics
- Authentication
- Pen-Testing
# Lectures
- [01-big-picture](notes/01-big-picture.md)
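Review bot: this hunk deletes the ten-line topic list (Risks, Ethics and Privacy, Cryptography, Physical security, Electronic Forensics, Authentication, Pen-Testing) from the course index without replacing it, which matches the "10 deletions" in the commit summary but leaves no pointer to the authentication material that this same commit adds. Within the visible context the `# Lectures` list still ends at `- [01-big-picture](notes/01-big-picture.md)`, so suggest adding `- [04-authentication-authorisation-passwords](notes/04-authentication-authorisation-passwords.md)` under `# Lectures` so the new note is reachable from the index rather than only by file name.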