Resource Protection (College Board AP® Computer Science Principles): Revision Note
Authentication and access control
What is authentication?
Authentication is the process of verifying that a user is who they claim to be before granting access to a system, account, or resource
Authentication protects against unauthorized access by ensuring only legitimate users can use protected resources
The most common form of authentication is the password, but more secure systems use multiple methods
Strong passwords
A strong password is one that is:
Memorable for the user so they don't need to write it down
Not easily guessable by another person or an automated system
Long enough that brute-force attacks would take too long to succeed
Practical guidelines:
Use a mix of letters (upper and lower case), numbers, and symbols
Avoid common words, names, dates of birth, and predictable patterns
Use a different password for each account so that one compromised account does not put others at risk
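As an added example (not part of the College Board note), the following Python checks a candidate password against the guidelines above and puts a number on "long enough": it estimates the search space from the length and character classes used, converts that to a brute-force time at an assumed offline guessing rate, and flags common passwords, years, and keyboard sequences. The common-password list, the sequence list, and the 1e10 guesses-per-second rate are constructed assumptions for illustration; real checks use lists of hundreds of millions of leaked passwords.

```python
import math
import re

# Constructed stand-in for a breached/common password list (assumption for this example)
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin"}

# Character classes and how many symbols each adds to the search space
CHARSETS = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))

# Keyboard and counting sequences that guessing tools try first (constructed list)
PREDICTABLE = ("qwerty", "asdf", "12345", "abcd", "0000")


def entropy_bits(password):
    """Bits an attacker must search if they know the length and character classes used."""
    space = sum(size for pattern, size in CHARSETS if re.search(pattern, password))
    return len(password) * math.log2(space) if space else 0.0


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to try every possibility; 1e10 guesses/s is an assumed offline cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def problems(password, min_length=12):
    """Return the guideline violations found (an empty list means none were found)."""
    found = []
    lowered = password.lower()
    if len(password) < min_length:
        found.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        found.append("is a common password")
    if re.search(r"(19|20)\d\d", password):
        found.append("contains a four-digit year (dates of birth are guessable)")
    if any(seq in lowered for seq in PREDICTABLE):
        found.append("contains a keyboard or counting sequence")
    if re.search(r"(.)\1\1", password):
        found.append("repeats the same character three or more times")
    return found


def assess(password):
    bits = entropy_bits(password)
    return {
        "entropy_bits": round(bits, 1),
        "brute_force_years": years_to_exhaust(bits),
        "problems": problems(password),
        "acceptable": not problems(password) and bits >= 60,
    }


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "Password2021!", "correct horse battery staple"):
        print(pw, assess(pw))
```

Run it and the long all-lowercase passphrase scores far more bits than the short mixed-symbol password: each extra character multiplies the search space, while switching from 26 to 95 symbols only multiplies it by under four per character.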
Multi-factor authentication
Multi-factor authentication (MFA) requires the user to provide multiple types of evidence to verify their identity
The factors typically come from different categories:
Something the user knows (e.g., a password)
Something the user has (e.g., a phone receiving a verification code)
Something the user is (e.g., a fingerprint or face scan)
MFA adds layers of security, so even if one factor is compromised (e.g., a password stolen in a data breach), an attacker still cannot gain access without also compromising the other factor(s)
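The login described above, as an added example in Python that is not part of the College Board note: the password (something the user knows) is checked against a salted PBKDF2 hash, and the phone code (something the user has) is an RFC 6238 TOTP value computed from a secret shared with the authenticator app. Both checks run and both must pass, so a stolen password alone, or a stolen phone alone, is refused. The user record, the secret and the fixed timestamp in the demo are constructed for the example; the secret "12345678901234567890" and time 59 are the published RFC 4226/6238 test values.

```python
import hashlib
import hmac
import secrets
import struct
import time


# ---- Factor 1: something you know (password stored only as a salted hash) ----
def hash_password(password, salt=None, iterations=200_000):
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def check_password(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time comparison


# ---- Factor 2: something you have (a phone generating RFC 6238 TOTP codes) ----
def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


def check_totp(secret, code, at_time, step=30, window=1):
    """Accept the current step plus one on either side to tolerate clock drift."""
    if not (isinstance(code, str) and code.isascii() and code.isdigit()):
        return False
    counter = int(at_time) // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if c >= 0 and hmac.compare_digest(hotp(secret, c), code):
            ok = True
    return ok


# ---- Login: both factors are evaluated and both must pass ----
def login(users, username, password, code, at_time=None):
    at_time = time.time() if at_time is None else at_time
    user = users.get(username)
    if user is None:
        return False
    password_ok = check_password(user["password"], password)
    code_ok = check_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok      # the response does not say which factor failed


def demo(now=59):
    # Constructed user record; the secret is the RFC test value so codes are reproducible
    users = {"alice": {"password": hash_password("correct horse battery staple"),
                       "totp_secret": b"12345678901234567890"}}
    good_code = totp(users["alice"]["totp_secret"], now)      # what the phone shows right now
    return {
        "both_factors": login(users, "alice", "correct horse battery staple", good_code, now),
        "stolen_password_only": login(users, "alice", "correct horse battery staple", "000000", now),
        "stolen_phone_only": login(users, "alice", "guess", good_code, now),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the server never stores the password itself, only its hash, while it must store the TOTP secret in full (the code cannot be regenerated otherwise), so that secret needs the same protection as any other key.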
Permissions and access settings
Within an application, permission settings control what each user can see and do
Examples:
File permissions can restrict who can read, edit, or delete a document
App settings can control what data an app may access on the device (e.g., camera, location, contacts)
Users should regularly review and adjust permissions to limit unnecessary access
Encryption and secure communications
What is encryption?
Encryption is the process of encoding data so that only authorized parties can read it
Encrypted data appears as scrambled text and can only be decoded with the correct key
Decryption is the process of decoding the data
Symmetric and public key encryption
Symmetric encryption uses the same key to encrypt and decrypt the data
Faster and simpler, but both parties must share the key securely before communicating
Public key encryption uses a pair of keys: a public key (shared openly) and a private key (kept secret)
The public key encrypts the data; only the matching private key can decrypt it
This solves the problem of sharing a key over an insecure channel
Certificate authorities
A certificate authority is a trusted organization that issues digital certificates verifying that a public key belongs to the entity claiming it
When a browser visits a secure website, it uses certificates to confirm the site is genuine before establishing an encrypted connection
This validation prevents attackers from impersonating legitimate websites
| Encryption type | How it works | Common use |
|---|---|---|
| Symmetric | Same key encrypts and decrypts | Encrypting files on a single device; the bulk data of an HTTPS session once a key has been agreed |
| Public key | Public key encrypts; private key decrypts | Agreeing the session key and verifying identity in secure web browsing (HTTPS), email encryption |
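The three ideas above (symmetric encryption, public key encryption, and a certificate authority vouching for a public key) fit together in one added example in Python, which is not code from the College Board note or from any real browser. A CA signs a certificate binding the name "bank.example" to the bank's public key; the browser checks that signature with the CA's public key, then sends a fresh symmetric session key under the bank's public key and switches to symmetric encryption for the actual data, which is how HTTPS uses both kinds. An impersonator who signs a "bank.example" certificate with their own key is refused. Everything here is a teaching construction: the "RSA" is textbook RSA over fixed Mersenne primes with no padding and far-too-small moduli, the symmetric cipher is an HMAC-SHA256 keystream rather than a standard cipher, and the names, hostnames and message are constructed. None of it should be used to protect real data.

```python
import hashlib
import hmac
import secrets


# ---- Symmetric: one shared key both encrypts and decrypts --------------------
# Keystream = HMAC-SHA256 in counter mode over (nonce, counter). Teaching construction,
# chosen to stay within the standard library; real systems use AES-GCM or ChaCha20-Poly1305.
def keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key, plaintext, nonce=None):
    nonce = nonce or secrets.token_bytes(16)   # a nonce must never repeat under one key
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    return nonce + ct                           # the nonce is not secret; it travels in the clear


def symmetric_decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


# ---- Public key: the public key encrypts, only the private key decrypts -------
# Textbook RSA over fixed Mersenne primes (assumption: tiny moduli, no padding; mechanics only).
def toy_rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent: inverse of e modulo phi(n)
    return (n, e), (n, d)               # (public key, private key)


def rsa_apply(key, value):
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value does not fit the modulus")
    return pow(value, exponent, n)


# ---- Certificates: a CA vouches that a public key belongs to a name -----------
def cert_digest(subject, public_key):
    n, e = public_key
    raw = hashlib.sha256(f"{subject}|{n}|{e}".encode()).digest()[:20]  # 160 bits fits every toy modulus
    return int.from_bytes(raw, "big")


def issue_certificate(ca_private, subject, public_key):
    # Signing = applying the CA's private key to the digest of (name, public key)
    signature = rsa_apply(ca_private, cert_digest(subject, public_key))
    return {"subject": subject, "public_key": public_key, "signature": signature}


def verify_certificate(ca_public, cert, expected_subject):
    n, _ = ca_public
    if cert["subject"] != expected_subject or not 0 <= cert["signature"] < n:
        return False
    # Anyone holding the CA's public key can check the signature; only the CA could have produced it
    return rsa_apply(ca_public, cert["signature"]) == cert_digest(cert["subject"], cert["public_key"])


def browser_connects(ca_public, cert, hostname, session_key=None):
    """Return (session_key, session_key wrapped under the site's public key), or None on a bad cert."""
    if not verify_certificate(ca_public, cert, hostname):
        return None
    session_key = session_key or secrets.token_bytes(16)
    return session_key, rsa_apply(cert["public_key"], int.from_bytes(session_key, "big"))


def demo():
    ca_public, ca_private = toy_rsa_keypair(2**521 - 1, 2**607 - 1)      # trusted by the browser
    bank_public, bank_private = toy_rsa_keypair(2**127 - 1, 2**61 - 1)
    bank_cert = issue_certificate(ca_private, "bank.example", bank_public)

    # Genuine site: the certificate checks out, so the browser wraps a fresh session key
    # under the bank's public key; only the bank's private key can unwrap it.
    session_key, wrapped = browser_connects(ca_public, bank_cert, "bank.example")
    unwrapped = rsa_apply(bank_private, wrapped).to_bytes(16, "big")
    blob = symmetric_encrypt(unwrapped, b"transfer 100 to savings")   # fast symmetric path from here on

    # Impersonator: a "bank.example" certificate signed by a key the browser does not trust
    evil_public, evil_private = toy_rsa_keypair(2**89 - 1, 2**107 - 1)
    fake_cert = issue_certificate(evil_private, "bank.example", evil_public)

    return {
        "keys_match": unwrapped == session_key,
        "roundtrip": symmetric_decrypt(session_key, blob),
        "impostor_rejected": browser_connects(ca_public, fake_cert, "bank.example") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the impostor case is that the attacker's certificate is internally valid (their signature matches their own key); it fails only because the browser checks it against a CA key it already trusts, which is why the list of trusted CAs shipped with a browser or operating system matters.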
Malware and threats
What is malware?
Malware is malicious software designed to gain unauthorized access to a system, damage data, or interfere with normal operation
A computer virus is a malicious program that can copy itself and gain access to a computer in an unauthorized way
Computer viruses often attach themselves to legitimate programs and then run whenever that program runs, without the user realising, copying themselves to other files or systems
Protecting against malware
Anti-malware software performs scanning to detect and remove threats by comparing files against known malware patterns
Keeping software up to date, so that known vulnerabilities cannot be exploited, is the other key protective practice, because signature scanning can only catch malware whose pattern is already in the database
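As an added example (not part of the College Board note), the following Python shows the two kinds of "known malware pattern" that anti-malware scanning compares files against: an exact file hash, and a byte pattern shared by a family of samples. The "files", the sample, and the signature database are constructed for this example and contain no real malware. The one-byte variant shows why both are needed: changing a single byte defeats the hash signature but not the pattern signature, and a sample with neither in the database is not detected at all, which is why signature updates and patching matter.

```python
import hashlib
import re

# Constructed sample "files" (not real malware): a benign text file, a known sample,
# and a one-byte variant of that sample, as a quick-and-dirty attacker might produce.
KNOWN_SAMPLE = b"MZ\x00\x00demo-dropper: copy self to startup folder; beacon to evil.example"
FILES = {
    "notes.txt": b"meeting at 10, bring the quarterly figures",
    "invoice.exe": KNOWN_SAMPLE,
    "invoice_v2.exe": KNOWN_SAMPLE.replace(b"evil", b"eviL"),
}

# Signature 1: exact-file hashes. Fast and precise, but defeated by any change to the file.
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Demo.Dropper.A"}

# Signature 2: byte patterns shared by a family. Survive small edits; can false-positive.
PATTERN_SIGNATURES = [
    (re.compile(rb"copy self to startup folder", re.IGNORECASE), "Demo.Dropper.gen"),
]


def scan_bytes(data):
    """Return a list of (signature type, name) matches for one file's contents."""
    hits = []
    name = HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())
    if name:
        hits.append(("hash", name))
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.append(("pattern", name))
    return hits


def scan_files(files):
    """Scan every file; an empty list means no known signature matched (not 'clean')."""
    return {path: scan_bytes(data) for path, data in files.items()}


if __name__ == "__main__":
    for path, hits in scan_files(FILES).items():
        print(path, hits or "no known signature matched")
```

Real products add behaviour-based and heuristic detection on top of signatures precisely because a list of known patterns says nothing about a sample it has never seen.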
System maintenance and security updates
Why are security updates important?
Software updates fix errors and security vulnerabilities, weaknesses that attackers could otherwise take advantage of to gain unauthorized access (the code or technique that takes advantage of a vulnerability is called an exploit)
New vulnerabilities are discovered all the time, so updates are an ongoing necessity
Failing to update software leaves devices exposed to known attacks
What updates typically include
Patches that fix recently discovered security vulnerabilities
Bug fixes that resolve errors or unexpected behavior in the software
New features and performance improvements
Operating systems, browsers, and applications all require regular updates to remain secure
Examiner Tips and Tricks
When an exam question describes a scenario where an attacker has gained access despite a strong password, the answer often involves multi-factor authentication; remember that strong passwords are necessary but not sufficient on their own.
For the CPT, if your program stores any user data, consider mentioning in your written response how you would protect it (e.g., requiring authentication, encrypting sensitive information) to show awareness of data protection responsibilities.
Worked Example
A user wants to log in to an online banking site. After entering their password, they receive a code on their phone that they must also enter before access is granted. Which of the following best describes the authentication method being used?
(A) Symmetric encryption
(B) Multi-factor authentication
(C) A certificate authority
(D) A rogue access point
[1]
Answer:
(B) Multi-factor authentication [1 mark]
The user is providing two different types of evidence (something they know — the password — and something they have — the phone), which is the defining feature of multi-factor authentication.