COMP2120›Key management, authentication and access control

Information SecurityTopic 7 of 15Regular Notes

Key management, authentication and access control

2 minread

378words

Beginnerlevel

🔑 1. Key Management

🧠 What is it?

Key Management refers to the generation, distribution, storage, rotation, protection, and destruction of cryptographic keys.

Cryptographic systems (like encryption and digital signatures) rely heavily on keys, so if key management is weak, the whole system is weak.

🔧 Key Management Tasks:

Task	Description
Key Generation	Creating strong, random keys securely
Key Distribution	Securely sending keys to others (e.g., using asymmetric encryption)
Key Storage	Storing keys safely (e.g., hardware security modules - HSMs)
Key Rotation	Replacing old keys periodically to reduce risk
Key Revocation	Disabling compromised or expired keys
Key Destruction	Securely erasing keys no longer in use

🛠 Tools & Technologies:

Key Management Systems (KMS) like AWS KMS, Azure Key Vault
Public Key Infrastructure (PKI) for managing digital certificates and keys

👤 2. Authentication

🧠 What is it?

Authentication is the process of verifying the identity of a user, system, or device.

Types of Authentication:

Type	Example
Knowledge-based	Passwords, PINs
Possession-based	Smart cards, tokens
Biometric (inherence)	Fingerprint, face scan
Multi-Factor (MFA)	Combination of two or more

🔐 MFA Example: Password + OTP (One-Time Password) on phone

🧪 Authentication Factors:

Something you know – Password
Something you have – OTP device, phone
Something you are – Biometric (fingerprint, iris, voice)

🚪 3. Access Control

🧠 What is it?

Access Control is the mechanism used to restrict access to resources (files, systems, data) based on identity and permissions.

It answers the question: “Now that we know who you are, what can you do?”

🛠 Types of Access Control:

Type	Description	Example
DAC (Discretionary Access Control)	Resource owner sets permissions	Windows file sharing
MAC (Mandatory Access Control)	System-enforced labels and policies	Military systems
RBAC (Role-Based Access Control)	Access based on roles assigned	Employees grouped as Admin, User, HR
ABAC (Attribute-Based Access Control)	Access based on attributes (e.g., job title, time of access)	Dynamic cloud permissions

🔁 Access Control Elements:

Component	Description
Subjects	Users or processes requesting access
Objects	Resources like files, databases, or systems
Access Rights	Read, write, execute, delete, etc.

✅ Summary Table

Concept	What It Does	Example Tools / Use Cases
Key Management	Handles cryptographic keys securely	PKI, AWS KMS, HSMs
Authentication	Verifies identity	Passwords, Biometrics, 2FA
Access Control	Defines and enforces permissions	RBAC, ACLs, IAM in cloud platforms

Previous topic 6

Hash functions and digital signatures

Next topic 8

Software security: Vulnerabilities and protections

Past Papers

Open this section to load past papers

Click on Show Past Papers to see past papers.

COMP2120›Key management, authentication and access control

Information SecurityTopic 7 of 15Regular Notes

Key management, authentication and access control

2 minread

378words

Beginnerlevel

🔑 1. Key Management

🧠 What is it?

Key Management refers to the generation, distribution, storage, rotation, protection, and destruction of cryptographic keys.

Cryptographic systems (like encryption and digital signatures) rely heavily on keys, so if key management is weak, the whole system is weak.

🔧 Key Management Tasks:

Task	Description
Key Generation	Creating strong, random keys securely
Key Distribution	Securely sending keys to others (e.g., using asymmetric encryption)
Key Storage	Storing keys safely (e.g., hardware security modules - HSMs)
Key Rotation	Replacing old keys periodically to reduce risk
Key Revocation	Disabling compromised or expired keys
Key Destruction	Securely erasing keys no longer in use

🛠 Tools & Technologies:

Key Management Systems (KMS) like AWS KMS, Azure Key Vault
Public Key Infrastructure (PKI) for managing digital certificates and keys

👤 2. Authentication

🧠 What is it?

Authentication is the process of verifying the identity of a user, system, or device.

Types of Authentication:

Type	Example
Knowledge-based	Passwords, PINs
Possession-based	Smart cards, tokens
Biometric (inherence)	Fingerprint, face scan
Multi-Factor (MFA)	Combination of two or more

🔐 MFA Example: Password + OTP (One-Time Password) on phone

🧪 Authentication Factors:

Something you know – Password
Something you have – OTP device, phone
Something you are – Biometric (fingerprint, iris, voice)

🚪 3. Access Control

🧠 What is it?

Access Control is the mechanism used to restrict access to resources (files, systems, data) based on identity and permissions.

It answers the question: “Now that we know who you are, what can you do?”

🛠 Types of Access Control:

Type	Description	Example
DAC (Discretionary Access Control)	Resource owner sets permissions	Windows file sharing
MAC (Mandatory Access Control)	System-enforced labels and policies	Military systems
RBAC (Role-Based Access Control)	Access based on roles assigned	Employees grouped as Admin, User, HR
ABAC (Attribute-Based Access Control)	Access based on attributes (e.g., job title, time of access)	Dynamic cloud permissions

🔁 Access Control Elements:

Component	Description
Subjects	Users or processes requesting access
Objects	Resources like files, databases, or systems
Access Rights	Read, write, execute, delete, etc.

✅ Summary Table

Concept	What It Does	Example Tools / Use Cases
Key Management	Handles cryptographic keys securely	PKI, AWS KMS, HSMs
Authentication	Verifies identity	Passwords, Biometrics, 2FA
Access Control	Defines and enforces permissions	RBAC, ACLs, IAM in cloud platforms

Previous topic 6

Hash functions and digital signatures

Next topic 8

Software security: Vulnerabilities and protections

Past Papers

Open this section to load past papers

Click on Show Past Papers to see past papers.