__________ is verification that the credentials of a user or other system entity are valid.

The four means of authenticating user identity are based on:

• Something the individual knows (password, PIN, answers to prearranged questions)
• Something the individual possesses (smartcard, electronic keycard, physical key)
• Something the individual is (fingerprint, retina, face)
• Something the individual does (dynamic biometrics, voice pattern, handwriting, typing rhythm)

Describes an organization's degree of certainty that a user has presented a credential that refers to his or her identity

• The degree of confidence in the vetting process used to establish the identity of the individual to whom the credential was issued
• The degree of confidence that the individual who uses the credential is the individual to whom the credential was issued

What are the four levels of assurance?

• Level 1: Little to no confidence in the asserted identity's validity
• Level 2: Some confidence in the asserted identity's validity
• Level 3: High confidence in the asserted identity's validity
• Level 4: Very high confidence in the asserted identity's validity

What are the three levels of potential impact on organizations or security should there be a breach of security as defined by FIPS 199?

• Low: An authentication error could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate: An authentication error could be expected to have a serious adverse effect
• High: An authentication error could be expected to have a severe or catastrophic adverse effect

Define: Password-Based Authentication

• Widely used line of defense against intruders
• User provides name/login and password
• System compares password with the one storedfor that specified login
• The user ID determines that the user is authorized to access the system
• The user ID determines the user's privileges
• The user ID is used in discretionary access control (DAC)

What are passwords vulnerable to?

• Offline dictionary attacks
• Specific account attacks
• Popular password attacks
• Password guessing against single user
• Workstation hijacking
• Exploiting user mistakes
• Exploiting multiple password use
• Electronic monitoring

What is the purpose of salt values?

• Prevents duplicate passwords from being visible in the password file
• Greatly increases the difficulty of offline dictionary attacks. Number of possible passwords increases by 2^(salt length)
• It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them

Define: The original UNIX Password Scheme

• Up to eight printable characters in length
• 12-bit salt used to modify DES encryption into a one-way hash function crypt(3)
• Zero value repeatedly encrypted 25 times
• Outputs 64 bits translated to 11 character sequence
• Now regarded as inadequate
• Still often required for compatibility with existing account management software or multivendor environments

How was the original Unix Password Scheme improved?

• Much stronger hash/salt schemes available for Unix
• Recommended hash function is based on MD5 (up to 48-bit salt, unlimited password length, 128-bit hash, 1000 iteration loop to achieve slowdown)
• OpenBSD uses Blowfish block cipher based hash algorithm called Bcrypt (most secure version of Unix hash/salt scheme, uses 128-bit salt to create 192-bit hash value)

Name four password cracking strategies

• Dictionary attacks
• Rainbow table attacks
• Password crackers that exploit the fact that people choose easily guessable passwords (shorter passwords are easier to crack)
• John the Ripper

Define: Dictionary attack

• Develop a large dictionary of possible passwords and try each against the password file
• Each password must be hashed using each salt value and then compared to stored hash value

Define: Rainbow table attack

• Pre-compute tables of hash values for all salts
• A mammoth table of hash values
• Can be countered by using a sufficiently large hash value and a sufficiently large hash

• Open-source password cracker first developed in 1996
• Uses a combination of brute-force and dictionary techniques

Name four password selection strategies

• User education (tell users the importance of hard to guess passwords and give guidelines)
• Computer generated passwords (strong passwords users don't have to remember)
• Reactive password checking (periodically run system's password cracker to find crackable passwords)
• Complex password policy (user must select password within guidelines)

Name three parts of Proactive Password Checking

• Rule enforcement (specific rules passwords must adhere to)
• Password checker (Compile a large list of prohbited passwords)
• Bloom filter (Build a table based on hash values, check desired password against table)

Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary

Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored

Adversary repeats a previously captured user response

Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path

An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric

Define: Denial-of-Service

Attempts to disable a user authentication service by flooding the service with numerous authentication attempts

Define: False Match Rate (FMR or FAR, false accept rate)

• The probability that the system incorrectly matches the input pattern to a non-matching template in the database
• Measures the percent of invalid inputs that are incorrectly accepted
• In the case of similarity scale, if the person is an imposter in reality, but the matching score is higher than the threshold, he is treated as genuine. This increases the FMR, which thus also depends upon the threshold value

Define: False non-match rate (FNMR also called FRRR, false reject rate)

• The probability that the system fails to detect a match between input pattern and the matching template in the database
• It measures the percent of valid inputs that are incorrectly rejected

Identifiers should be assigned carefully because authenticated identities are the basis for other security services (T/F)

Enrollment creates an association between a user and the user's biometric characteristics (T/F)

Memory cards store and process data (T/F)

Depending on the application, user authentication on a biometric system involves either verification or identification (T/F)

User authentication is the basis for most types of access control and for user accountability (T/F)

User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic (T/F)

A __________ attack involves an adversary repeating a previously captured user response

• client
• replay
• trojan horse
• eavesdropping

A _________ is a password guessing program

• password salt
• password hash
• password biometric
• password cracker

To counter threats to remote user authentication, systems generally rely on some form of __________ protocol

• trojan horse
• eavesdropping
• denial-of-service
• challenge-response

The ___________ strategy is when users are told the importance of using hard to guess passwords and provided with guidelines for selecting strong passwords

• computer-generated password
• proactive password checking
• user education
• reactive password checking

Recognition by fingerprint, retina, and face are examples of ___________

• dynamic biometrics
• token authentication
• face recognition
• static biometrics

An institution that issues debit cards to cardholders and is responsible for the cardholder's account and authorizing transactions is the ___________

• issuer
• auditor
• processor
• cardholder

Each individual who is included in the database of authorized users must first be __________ in the system

• verified
• authenticated
• enrolled
• identified

A ________ strategy is one in which the system periodically runs its own password cracker to find guessable passwords

• proactive password checking
• user education
• reactive password checking
• computer-generated password

reactive password checking

The overall scheme of Kerberos is that of a trusted third-party authentication service (T/F)

The approach taken by Kerberos is using authentication software tied to a secure authentication server (T/F)

The authentication server shares a unique secret key with each server (T/F)

The ticket-granting ticket is not reusable (T/F)

The ticket-granting ticket is encrypted with a secret key known only to the AS and the TGS (T/F)

Kerberos does not support interrealm authentication (T/F)

X.509 provides a format for use in revoking a key before it expires (T/F)

The principal objective for developing a PKI is to enable secure, convenient, and efficient acquisition of private keys (T/F)

__________ requires that a user prove his or her identity for each service invoked and, optionally, requires servers to prove their identity to clients

• FIM
• PKI
• X.509
• Kerberos

The _________ consists of two dates: the first and last on which the certificate is valid.

• version
• period of validity
• unique identifier
• extension

________ is the process in which a CA issues a certificate for a user's public key and returns that certificate to the user's client system and/or posts that certificate in a repository

• Registration
• Initialization
• Certification
• Authorization

________ certificates are used in most network security applications, including IP security, secure sockets layer, secure electronic transactions, and S/MIME

• FIM
• PKI
• SCA
• X.509

An integer value unique within the issuing CA that is unambiguously associated with the certificate is the _________

• serial number
• issuer name
• subject's public-key information
• issuer unique identifier

_________ is the process whereby a user first makes itself known to a CA prior to that CA issuing a certificate or certificates for that user

• Authorization
• Registration
• Initialization
• Certification

Kerberos uses the _________ encryption algorithm

• DES
• AES
• PKI
• TGS

External devices such as firewalls cannot provide access control services (T/F)

The default set of rights should always follow the rule of least privilege or read-only access (T/F)

A constraint is a defined relationship among roles or a condition related to roles (T/F)

An access right describes the way in which a subject may access an object (T/F)

The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner (T/F)

An ABAC model can define authorizations that express conditions on properties of both the resource and the subject (T/F)

An auditing function monitors and keeps a record of user accesses to system resources (T/F)

_________ implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance

• system control
• audit control
• access control
• resource control

_______ provide a means of adapting RBAC to the specifics of administrative and security policies in an organization

• constraints
• cardinality
• mutually exclusive roles
• prerequisites

Subject attributes, object attributes, and environment attributes are the three types of attributes in the ________ model

• ABAC
• DSD
• RBAC
• SSD

A ________ is an entity capable of accessing objects

• group
• subject
• object
• owner

________ is based on the roles the users assume in a system rather than the user's identity

• URAC
• DAC
• MAC
• RBAC

_________ is the traditional method of implementing access control

• RBAC
• MAC
• MBAC
• DAC

A _________ is a named job function within the organization that controls this computer system

• permission
• session
• role
• user

________ refers to setting a maximum number with respect to roles

• Exclusive
• Cardinality
• Prerequisite
• Hierarchy

• The process of granting or denying specific requests to: (1) obtain and use information and related information processing services; and (2) enter specific physical facilities
• A process by which use of system resources is regulated according to a security policy and is permitted only by authorized entities (users, programs, processes, or other systems) according to that policy

Define: Computer security

Measures that implement and assure security services in a computer system, particularly those that assure access control service

Verification that the credentials of a user or other system entity are valid

• The granting of a right or permission to a system entity to access a system resource
• This function determines who is trusted for a given purpose

• An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, and to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures

Define: discretionary access control (DAC)

• Controls access based on the identity of the requestor and on access rules (authorizations) stating what requestors are (or are not) allowed to do
• Scheme in which an entity may be granted access rights that permit the entity, by its own volation, to enable another entity to access some resource
• Often provided using an access matrix
• Each entry in the matrix indicates the access rights of a particular subject for a particular object

Define: Role-based access control (RBAC)

• Controls access based on the roles that users have within the system and on rules stating what accesses are allowed to users in given roles
• Define a role as a job function within an organization
• Access rights given to roles and not individuals
• Relationship of users to roles is many to many, as is the relationship of roles to resources, or system objects. (Provides a flexibility and granularity of assignment not found in conventional DAC schemes)

Define: Mandatory access control (MAC)

Controls access based on comparing security labels with security clearances

Define: Attribute-based access control (ABAC)

• Controls access based on attributes of the user, the resource to be accessed, and current environmental conditions
• Can define authorizations that express conditions on properties of both the resource and the subject
• Strength in its flexibility and expressive power
• Main obstacle to its adoption in real systems is performance cost
• Web services have been pioneering technologies for implementing ABAC models, though the introduction of the eXtensible Access Control Markup Language (XAMCL)
• There is considerable interest in applying the ABAC model to cloud services

Define: subject, in regards to access rights

An entity capable of accessing objects

What are the three classes of subjects, in regards to access rights?

• owner
• group
• world

Define: object, in regards to access rights?

• A resource to which access is controlled
• Entity used to contain and/or receive information

What could access rights include?

• Read
• Write
• Execute
• Delete
• Create
• Search

Define: Extended Access Control Matrix

• a general model for DAC
• assumes a set of subjects, a set of objects, and a set of rules that govern the access of subjects to objects
• extend the universe of objects to include process, devices, memory locations or regions, and subjects
• evaluates each request by a subject to access an object to determine if the access right exists

Define: Protection Domains

• Set of objects together with access rights to those objects
• More flexibility when associating capabilities with protection domains
• In terms of the access matrix, a row defines a protection domain
• User can spawn processes with a subset of the access rights of the user
• Association between a process and a domain can be static or dynamic
• In user mode certain areas of memory are protected from use and certain instructions may not be executed
• In kernel mode privileged instructions may be executed and protected areas of memory may be accessed

In UNIX File Access Control, files are administered using ________

In UNIX File Access Control, directories are structured in a ____________

What is the sticky bit in UNIX File Access Control?

• When applied to a directory, it specifies that only the owner of any file in the directory can rename, move, or delete that file
• Not used with files anymore

Modern UNIX systems support ACLs (T/F)

Define: User, in relation to RBAC

An individual that has access to this computer system

Define: Role, in relation to RBAC

A named job function within the organization that controls this computer system

Define: Permission, in relation to RBAC

An approval of a particular mode of access to one or more objects

Define: Session, in relation to RBAC

A mapping between a user and an activated subset of the set of roles to which the user is assigned

Define: Constraints, in relation to RBAC2

• Provide a means of adapting RBAC to the specifics of administrative and security policies of an organization
• Relationship among roles or a condition related to roles

List and define three types of constraints in RBAC2

Mutually exclusive roles:

• A user can only be assigned to one role in the set (either during a session or statically)
• Any permission (access right) can be granted to only one role in the set

Cardinality:

• Setting a maximum number with respect to roles

Prerequisite roles:

• Dictates that a user can only be assigned to a particular role if it is already assigned to some other specified role

List and define attributes of the ABAC model

Subject attributes:

• A subject is an active entity that causes information to flow among objects or changes the system state
• Attributes define the identity and characteristics of the subject

Object attributes:

• An object (or resource) is a passive information system-related entity containing or receiving information
• Objects have attributes that can be leverages to make access control decisions

Environment attributes:

• Describe the operational, technical, and even situational environment or context in which the information access occurs
• These attributes have so far been largely ignored in most access control policies

Define: policies, in relation to the ABAC model

• A set of rules and relationships that govern allowable behavior within an organization, based on the privileges of subjects and how resources or objects are to be protected under which environment conditions
• Typically written from the perspective of the object that needs protecting and the privileges available to subjects
• Privileges represent the authorized behavior of a subject and are defined by an authority and embodied in a policy
• Other terms commonly used instead of privileges are: rights, authorizations, and entitlements

Why have database security not kept pace with the increased reliance on databases?

• There is a dramatic imabalance between the complexity of modern database management systems (DBMS) and the security technique used to protect these systems
• Databases have a sophisticated interaction protocol, Structured Query Language (SQL) which is complex
• Effective database security requires a strategy based on a full understanding of security vulnerabilities of SQL
• The typical organization lacks full-time database security personnel
• Most enterprise environments consist of a heterogeneous mixture of database platforms, enterprise platforms, and OS platforms, creating an additional complexity hurdle for security personnel
• The increasing reliance on cloud technology to host part or all of the corporate database

• Structured collection of data stored for use by one or more applications
• Contains the relationships between data items and groups of data items
• Can sometimes contain sensitive data that needs to be secured

Provides a uniform interface to the database for users and applications

Define: database management system (DBMS)

• Suite of programs for constructing and maintaining the database
• Offers ad hoc query facilities to multiple users and applications

Because of their complexity and criticality, security requirements generated by database systems that are beyond the capability of typical OS-based security mechanisms or stand-alone security packages. How so?

• Operating system security mechanisms typically control read and write access to entire files
• A DBMS typically allows access to specific records or fields in a file. It also usually enables access controls to be specified over a wider range of commands, such as select, insert, update, or delete specified items in the database

What are some defining characteristics of Relational Databases?

• Table of data consisting of rows and columns (each column holds a particular type of data, each row contains a specific value for each column, and it ideally has one column where all values are unique, forming an identifier/key for that row)
• Enables the creation of multiple tables linked together by a unique identifier that is present in all tables
• Uses a relational query language to access the database

Define the Relational Database Elements

• Relation: table/file
• Tuple: row/record
• Attribute: column/field

Define: Primary key, in relation to relational databases

• Uniquely identifies a row
• Consists of one or more column names

Define: Foreign key, in relation to relational databases

Links one table to attributes in another

Define: View/virtual table, in relation to relational databases

• Result of a query that returns selected rows and columns from one or more tables
• Views are often used for security purposes

Define: Structured Query Language (SQL)

• Standardized language to define schema, manipulate, and query data in a relational database
• Several similar versions of ANSI/ISO standard
• All follow the same basic syntax and semantics

What can SQL statements be used to do?

• Create tables
• Insert and delete data in tables
• Create views
• Retrieve data with query statements

Define: SQL Injection Attacks (SQLi)

• One of the most prevalent and dangerous network-based security threats
• Designed to exploit the nature of Web application pages
• Sends malicious SQL commands to the database server
• Most common attack goal is bulk extraction of data
• Depending on the environment, SQL injection can also be exploited to modify or delete data, execute arbitrary operating system commands, launch denial-of-service (DoS) attacks
• Attack is viable when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed, and thereby unexpectedly executed

Name the SQLi Attack Avenues

• User input: attackers inject SQL commands by providing suitable crafted user input
• Server variables: attackers can forge the values that are placed in HTTP and network headers and exploit this vulnerability by placing data directly into the headers
• Second-order injection: A malicious user could rely on data already present in the system or database to trigger an SQL injection attack, so when the attack occurs, the input that modifies the query to cause an attack does not come from the user, but from the system itself
• Cookies: An attacker could alter cookies such that when the application server builds an SQL-query based on the cookie's content, the structure and function of the query is modified
• Physical user input: Applying user input that constructs an attack outside the realm of web requests

Define: Inband Attacks, in relation to SQLi Attacks

• Uses the same communication channel for injecting SQL code and retrieving results
• The retrieved data are presented directly in application Web page

What do Inband Attacks include?

• Tautology: This form of attack injects code in one or more conditional statements so that they always evaluate to true
• End-of-line comment: After injecting code into a particular field, legitimate code that follows are nullified through usage of end of line comments
• Piggybacked queries: the attacker adds additional queries beyond the intended query, piggy-backing the attack on top of a legitimate request

Define: Inferential Attack in relation to SQLi attacks

There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server

What do SQLi Inferential Attacks include?

• Illegally/logically incorrect queries: This attack lets an attacker gather important information about the type and structure of the backend database of a Web application. The attack is considered a preliminary, information-gathering step for other attacks
• Blind SQL injection: Allows attackers to infer the data present in a database system even when the system is sufficiently secure to not display any erroneous information back to the attacker

Define: Out-of-Band Attack in relation to SQLi Attacks

• Data are retrieved using a different channel (an email with the results of the query is generated and sent to the tester).
• This can be used when there are limitations on information retrieval, but outbound connectivity from database server is lax

What are three types of SQLi Countermeasures?

• Defensive coding: manual defensive coding practices, parameterized query insertion, SQL DOM
• Detection: signature based, anomaly based, code analysis
• Run-time prevention: check queries at runtime to see if they conform to a model of expected queries

What does a database access control system determine?

• If the user has access to the entire database or just portions of it
• What access rights the user has (create, insert, delete, update, read, write)

What administrative policies can database access control support?

• Centralized administration: small number of privileged users may grant and revoke access rights
• Ownership-based administration: the creator of a table may grant and revoke access rights to the table
• Decentralized administration: the owner of the table may grant and revoke authorization rights to other users, allowing them to grant and revoke access rights to the table

What are the two commands for managing access rights?

• Grant: Used to grant one or more access rights or can be used to assign a user to a role
• Revoke: Revokes the access right

Give the syntax of a GRANT command

GRANT {privileges | role}

ON [table]

TO {user | role | PUBLIC}

[IDENTIFIED BY password]

[WITH GRANT OPTION]

Ex: GRANT SELECT ON ANY TABLE TO ricflair

What are the access rights of SQL access controls?

• Select: Grantee may read entire database, individual tables, or specific columns in a table
• Insert: Grantee may insert rows in a table or insert rows with values for specific columns in a table
• Update: Semantics is similar to INSERT
• Delete: Grantee may delete rows from a table
• References: Grantee is allowed to define foreign keys in another table that refer to the specified columns

What is the syntax of a REVOKE command?

REVOKE {privileges | role}

ON [table]

FROM {user | role | PUBLIC}

Ex: REVOKE SELECT ON ANY TABLE FROM ricflair

When a user revokes an access right, any cascaded access right is also revoked, unless that access right would exist even if the original grant from A had never occurred (T/F)

What are three categories of database users?

• Application owner: an end user who owns database objects as part of an application
• End user: an end user who operates on database objects via a particular application, but does not own any of the database objects
• Administrator: User who has administrative responsibility for part or all of the database

Define: Inference, in regards to database security

The process of performing authorized queries and deducing unauthorized information from the legitimate responses received. The information transfer path by which unauthorized data is obtained is referred to as an inference channel.

What two inference techniques can be used to derive additional information?

• analyzing functional dependencies between attributes within a table or across tables
• merging views with the same constraints

Encryption is the last line of defense in database security (T/F)

What are disadvantages to encryption in database security?

• Key management: authorized users must have access to the decryption key for the data for which they have access
• Inflexibility: when part or all of the database is encrypted, it becomes more difficult to perform record searching

• Initially developed at MIT
• Is a software utility available in both the public domain and in commercially supported versions
• Issued as an Internet standard and is the defacto standard for remote authentication
• Overall scheme is that of a trusted third party authentication service
• Requires that a user prove his or her identity for each service invoked and requires servers to prove their identity to clients

Describe the Kerberos Protocol

• Involve clients, application servers, and a Kerberos server: designed to counter a variety of threats to the security of a client/server dialogue, obvious security risk is impersonation, servers must be able to confirm the identities of clients who request service
• Use an Authentication Server (AS): User initially negotiates with AS for identity verification, AS verifies identity and then passes information on to an application server which will then accept service requests from the client
• Need to find a way to do this in a secure way: If client sends user's password to the AS over the network, an opponent could observe the password. An opponent could impersonate the AS and send a false validation

Contains the minimum functionality for an RBAC system

Includes the RBAC0 functionality and adds role hierarchies, which enables one role to inherit permissions from another role

Includes RBAC0 and adds constraints, which restrict the ways in which the components of an RBAC system may be configured

Contains the functionality of RBAC0, RBAC1, and RBAC2 (minimum RBAC functionality, role hierarchies, and constraints)

Name two approaches to inference detection

• Inference detection during database design: Approach removes an inference channel by altering the database structure or by changing the access control rule to prevent inference. Techniques in this category often result in unnecessarily stricter access controls that reduce availability.
• Inference detection at query time: Approach seeks to eliminate an inference channel violation during a query or series of queries. If an inference channel is detected, the query is denied or altered.

What does a Kerberos environment consist of?

• A kerberos server
• A number of clients, all registered with server
• A number of application servers, sharing keys with server

Networks of clients and servers under different administrative organizations generally constitute different ___________

What happens in Kerberos if there are multiple realms?

• Their Kerberos servers must share a secret key and trust the Kerberos server in the other realm to authenticate its users
• Participating servers in the second realm must also be willing to trust the Kerberos server in the first realm

The first version of Kerberos that was widely used was version _, published in _________

What improvements were found in Kerberos version 5?

• An encrypted message is tagged with an encryption algorithm identifier. This enables users to configure Kerberos to use an algorithm other than DES
• Supports authentication forwarding, which enables a client to access a server and have that server access another server on behalf of the client and supports a method for interrealm authentication that requires fewer secure key exchanges than in version 4

How does Kerberos affect performance in larger client-server installations?

• Very little performance impact in a large-scale environment if the system is properly configured
• Kerberos security is best assured by placing the Kerberos server on a separate, isolated machine
• Motivation for multiple realms is administrative, not performance related

What four general schemes have been proposed for the distribution of public keys?

• Public announcement
• Publicly available directory
• Public-key authority
• Public-key certificates

Define: X.509 Certificates

• Part of the X.500 series of recommendations that define a directory service
• Defines a framework for the provision of authentication services by the X.500 directory to its users
• Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority
• X.509 defines alternative authentication protocols based on the use of public-key certificates

X.509 was initially issued in _____ with the latest revision in ______

X.509 is based on the use of ___________ and ____________

public-key cryptography, digital signatures

What algorithm does X.509 recommend?

X.509 dictates a specific hash algorithm (T/F)

X.509 certificates are the most widely accepted format for public-key certificates (T/F)

What are some certificates are used in most network security applications?

• IP security (IPSEC)
• Secure sockets layer (SSL)
• Secure electronic transactins (SET)
• S/MIME
• eBusiness applications

Certificates created by a trusted Certification Authority (CA) should have which elements?

• Version
• Serial number
• Signature algorithm identifier
• Issuer name
• Period of validity
• Subject name
• Subject's public-key information
• Issuer unique identifier
• Subject unique identifier
• Extensions
• Signature

User certificates generated by a CA have what characteristics?

• Any user with access to the public key of the CA can verify the user public key that was certified
• No party other than the certification authority can modify the certificate without this being detected

Is the granting of a right or permission to a system entity to access a system resource?

Which is the general term used to specify an entity capable of accessing objects?

What is based on the roles the users assume in a system rather than the user's identity?

What are the three common techniques for verifying a person's identity and access privileges?