Practice Cryptography!

Even with all of the cryptologic and cryptographic technology that has existed in the world for the past 60 years, we still don't really know what encryption is good for or how to use it -- or, more importantly, why it's important. Maybe it's time for people and coders to actually start practicing how to use it, like any other skill.

Friday, March 24, 2006

 

Back to Basics: Authentication

Okay, so it's time to go back to basics as to just what authentication really is, and try to recognize some things that aren't usually looked at. Please bear with me if you already know this topic; you might find some stuff out that you otherwise wouldn't think of. (And if you comment in reply to this post, I might learn something.)

First off: Authentication is the process of ensuring that a given identity has performed a given task. (We 'authenticate' documents, for example, by verifying that the signature matches, by verifying notary seals, and so on.)

However, 'authentication' is not the same thing as 'authorization'. Just because I sign a contract selling a corporation that I have no interest in to someone else for $1 doesn't mean that I'm authorized to do that. Sure, the document can be authenticated as being from me... but since I'm not authorized to perform the action that I purported to perform, that action is invalid.

'authentication' is intimately tied to 'identity' -- it is our identities that are authenticated and evaluated for authorization. We each hold many identities, as I've said before... and each identity is valid for actions within the context that it is valid within.

Now, the entire process of authentication (verifying that I was born and that it is me who is actually performing an action) is very cumbersome. I'd have to show my birth certificate, social security card, and anything else that I have that might prove that I am who I say I am. This is the concept of the 'credential'.

A credential is a document which is issued by a trusted authority, which authority's signature or manufacturing process or whathaveyou can be authenticated. The act of trusting that authority is 'authorizing' that authority to issue a credential. Confused yet?

My driver's license is a credential. My passport is a credential. My birth certificate and name change order are credentials.

However, these are all "things that I have"... which is one type of credential. Showing these is only showing 1 type -- which could get hairy if my documents are all stolen from me, and someone else who looked just like me attempted to use them to pass himself off as me, basically forging an authentication as me.

This is where two other types of authentication come into play: 'something you know' (some secret you know, such as your bank card's PIN, or how to sign your signature), and 'something you are' (something that is integral to your body -- fingerprints, retinal blood vessel patterns, DNA chains, etc).

An authentication mechanism that combines two of these factors is called "two-factor authentication"; one that combines all three is called "three-factor authentication".

But even then, just because I authenticate does not mean that I'm authorized to perform a certain action. (This is something that programmers need to understand -- even though I can authenticate, just the fact that I'm in the database does not mean I'm automatically allowed to do anything.)

Now, things on the web have historically come down to one (or a half-assed two) factor authentication -- I know my username and password, both pieces of information [thus, 'things that I know']. For X.509 client purposes, I have a certificate which may or may not be password-protected ['something I have']. But how do I get into these databases for possible authentication, anyway?

Normally, I have to prove my identity to some agent that is accepted (authenticated and authorized) by a credential-issuing authority. This system has flaws, obviously... such an agent is only human, and any person can be bribed into creating a false credential. A false credential can be used to gain another credential. And so on.

So. The basic point of this is "just because someone can authenticate doesn't mean that they should be allowed to do what they're requesting to do." Many intranet developers forget this. Many intranet developers just think "oh, they're in the database, they're okay to see the internal memos and such". But what happens when, say, a third-party company decides that they're going to form a two-way trust relationship with your authentication system? Suddenly, anyone in that other company can authenticate, as well -- which may NOT be appropriate.

Comments: Post a Comment



<< Home

Archives

2006-02-12   2006-02-19   2006-02-26   2006-03-05   2006-03-12   2006-03-19   2006-03-26   2006-04-02   2006-04-09   2006-04-16   2006-04-23   2006-07-23   2008-01-13   2008-01-20   2008-02-03   2008-02-17   2008-03-16   2008-04-06   2008-05-11  

This page is powered by Blogger. Isn't yours?