Thanks to the modern technology, more users take the advantage of sharing resources from multiple systems. Authentication, authorization and access management issues are very important nowadays. Authentication is considered one of the great ideas in computer security. We would like to focus on this issue and introduce it to you in an easily understandable way.
Authentication is a process which a user gains the right to identify himself. It is like you report your name to others and they recognize your name as they recognize you. Techniques to authenticate a user can be passwords, biometric techniques, smart cards, certificates, etc. Usually within one institute, a user may have a single identity; however, if a user has rights to identify himself in several different organizations or systems, more than one identity from a person may cause problems.
Envision going to your local grocery store to buy some items. The cashier may or may not know you. If they do not know you, trust is not guaranteed, so money will be asked for on the spot. If however, the cashier knows you (and you've been a regular paying customer) then trust is much higher. If you don't have enough money to pay for the groceries, the cashier may let it slide, knowing that you'll come back and pay up the balance. The cashier essentially authenticates you -- recognizes who you are, and gives you certain abilties (such as to defer payment).
Authorization is the process to determine whether an identity can perform some action such as accessing a resource. Such identities can associate with many attributes and the system makes the decision based on these attributes. In our "access control" article, we will introduce you to an access matrix which invokes these attributes from a user to create a control system. Objects in this matrix can be a file, a system or a virtual machine. A subject is a user and the matrix between objects and subjects are the attributes. The attributes are the rights such as read, write and execute. Different systems use different mechanisms but they all enforce the same authentication policy. For example, UNIX system only allow three kinds of rights such as read, write and execute while other system such as windows NT has mechanism offering rights to remove or list.
In addition to access control, we introduce you to information flow control. Even though the access control list shows that you have certain rights to access the resource, you may not actually perform the action because you may be in some restricted area. To protect high security documents or systems from being accessed by regular users in the lower security level, we use the idea of information flow control. Information flow control protects the information of the object being accessed by people who are in the lower security level. We can implement a bit-vector or a security class to prevent the information flow to a lesser secure area.
One of the easiest ways to set up an authentication is to use a user's username and password. We as students use this method to access our student account in school. Libraries set up systems to have access control locally and still the same, users have to have their own user-names and passwords to access certain resource within the libraries. We use a high-security cryptographic system called Pretty Good Privacy (PGP) to exchange electronic-mail messages over the Internet. In our article, we also introduce Kerberos to you. Kerberos is a distributed authentication service and it solves the security problem between computer servers and clients.
Depending on how secure we want to interact with another party or another system, we may choose different mechanisms or even intertwine several different mechanisms to enforce our security policy. Here we introduce the issue of authentication as the great idea of information security and we discuss the importance of these policies and mechanisms.