From 7b7a4569214fa99449fd5f838068aded4a49be8e Mon Sep 17 00:00:00 2001
From: Jet Hughes
Date: Fri, 29 Jul 2022 13:33:29 +1200
Subject: [PATCH] vault backup: 2022-07-29 13:33:29

---
 ...-authentication-authorisation-passwords.md | 44 +++++++++++++++++++
 content/notes/comp-210.md | 10 -----
 2 files changed, 44 insertions(+), 10 deletions(-)
 create mode 100644 content/notes/04-authentication-authorisation-passwords.md

diff --git a/content/notes/04-authentication-authorisation-passwords.md b/content/notes/04-authentication-authorisation-passwords.md
new file mode 100644
index 000000000..70a9c165d
--- /dev/null
+++ b/content/notes/04-authentication-authorisation-passwords.md
@@ -0,0 +1,44 @@
+---
+title: "04-authentication-authorisation-passwords"
+aliases:
+tags:
+- lecture
+- comp210
+---
+
+# Authentication
+- proof of identity
+- need to be sure a user is who they say they are before you can trust them
+- usually done via a unique identifier
+ - unique username
+- and a secret that is only known by the authorised user
+ - password
+ - biometrics
+ - 2fa code
+
+## MFA
+- many secrets
+- protects user/system in the case that a password is disclosed
+- additional secrets generated at the time of use.
+ - short lived
+ - if found - attackers have a small windoe to exploit
+- e.g.,
+ - sms message
+ - authenticator app
+
+# Authorisation
+- verifying that a user is allowed to access the operation that they are attempting to access
+- requires explicit check in the system for restricted operatons
+ - some code that check if the roles assigned to the authenticaed user intersect the roles required for the current operation
+- use is assigned a **role** that defines the operations they are allowed to perform
+- e.g.
+ - custoemer - can view products, and see retail prices
+ - sales rep - can view products and see retail and cost prices
+ - manager - can add/delete/modify products
+ - admin - can change system configuration. can assign roles to users
+
+# Authentication and Authorisation
+- one is useless without the other
+- many security vulnerabilities are caused by inexperienced/incompetent programmer creating systems that only have one or the other
+- authenticaion without authorisation can lead to *path traversal* flaws
+- authorisation without authenticaion is the equivalent of blindly trusting your users.
\ No newline at end of file
diff --git a/content/notes/comp-210.md b/content/notes/comp-210.md
index 879a3ac90..337f8ca9f 100644
--- a/content/notes/comp-210.md
+++ b/content/notes/comp-210.md
@@ -18,16 +18,6 @@ No final exam - [mccumber-cube](notes/mccumber-cube.md) - [access-security-tradeoff](notes/access-security-tradeoff.md) - [cia-triad](notes/cia-triad.md) -- - -- -- Risks -- Ethics and Privacy -- Cyrptography -- Physical security -- Electronic Forensics -- Authentication -- Pen-Testing # Lectures - [01-big-picture](notes/01-big-picture.md)