Information Security

1. Evolution of Access Control (AC) Access Control determines who can access what and perform which operations. The Key Phases: MAC (Mandatory Access Control): Fixed centralized management. High security, low flexibility (e.g., military). DAC (Discretionary Access Control): Owner-based sharing. High flexibility, low consistency (e.g., file systems). RBAC (Role-Based Access Control): Permissions mapped to roles. Simplifies management for enterprise structures. ABAC (Attribute-Based Access Control): Permissions calculated dynamically based on attributes of users, resources, and environment. Trend: Moving from static/coarse-grained to dynamic/fine-grained control. Hybrid RBAC-ABAC is the current industry trend. ...

Overview Modern cryptography handles information in three main forms: Digest: Primarily used for data validation (e.g., storing passwords). A digest is a one-way hash. Hash functions are characterized by their sensitivity (even tiny changes produce totally different results) and irreversibility. Common algorithms include MD5 and SHA-256. Encryption: Used to ensure secure transmission so that only authorized parties can access the real message. Unlike digests, encrypted data can be decrypted back to plaintext. Keys are categorized into symmetric and asymmetric (public/private). Common algorithms include AES and RSA. Signature: Used to ensure the integrity and authenticity of plaintext messages. For example, a JWT contains a signature to guarantee that the payload was not tampered with. Signatures do not guarantee privacy; the message itself is often public. In summary: ...

Overview In the movie The Imitation Game (based on real events), the scientist Alan Turing led his team to crack the German communications encryption device “Enigma” after two years of intense effort. This feat laid a solid foundation for the victory in World War II. Today, we will discuss the data encryption technology behind such communications. Data confidentiality refers to encryption and decryption. In academic terms: using an algorithm to change the original form of information so that even if an attacker steals the information, they cannot understand it without the corresponding decryption method. Confidentiality can be applied in three stages: ...

Overview In the previous article, we discussed the process of authorization. After the server completes authorization for the client, it issues a corresponding credential. When the client accesses the server with this credential, the server knows who you are and what permissions you have. In this chapter, we will discuss common credential management technologies. In software architecture, there have been two different ideas regarding how credentials are stored and transmitted, reflecting two different architectural approaches: ...

Overview In security systems, Authorization is part of the “4A” framework (Account, Authentication, Authorization, and Audit). To build a reliable security module, it is best to follow industry standards. Authorization involves: Control of the Process: Protocols like OAuth2, SAML2, or CAS. Control of the Outcome: Models like RBAC or ABAC. The mainstream approach for most applications is a combination of OAuth2 + RBAC. RBAC (Role-Based Access Control) RBAC maps permissions to Roles, and then assigns roles to Users. This decouples users from specific permissions, making management much simpler. ...

Overview Almost all systems face issues related to security authentication, but security-related problems are quite troublesome. Because they do not generate direct business value and are complex and tedious to handle, they are often easily overlooked. Many major security risks that arise later are often caused by a lack of attention in the early stages. Fortunately, security issues are universal, and the problems everyone faces are almost identical. Therefore, industry standards can be formulated to regulate handling, and specialized infrastructure (e.g., AD, LDAP, etc.) can even be extracted to specifically solve these common problems. In short, security issues are very complex and troublesome. For the vast majority of 99% of systems, do not think about inventing or innovating in the field of security issues; it’s easy to fall into traps. Moreover, industry-standard solutions are already very mature and have undergone long-term verification. Therefore, in the field of security, down-to-earth adherence to specifications and standards is the best security design. ...