Authentication vs Authorization: Security Concepts Explained
Classified in Computers
Written on in
English with a size of 2.6 KB
Authentication vs. Authorization: Key Differences
Authentication is the process of verifying that an entity is who they claim to be. Authorization refers to the rules that determine what an authenticated user is permitted to do. For example, Adam may be authorized to create and delete databases, while Usama is only authorized to read them.
These two concepts are orthogonal and independent, yet both are central to security design. Failure to implement either correctly creates vulnerabilities.
Alternative Perspectives on Identity
- Authentication binds a principal to an internal identity representation.
- Authentication verifies an external entity using factors such as what the entity knows, has, or is.
- Authorization verifies the role of an entity to determine if they have access to a specific resource. Authorization occurs only after successful authentication.
Example: The login process is authentication, while granting a customer access to an admin section is authorization.
Methods for Server-Side State Management
Servers can maintain state on the browser using the following methods:
- Cookies
- Sessions
- Hidden fields
- Query strings
Statistical Models for Password Guessing Detection
A threshold metric statistical model is typically used to detect password guessing. This model defines a minimum (m) and maximum (n) number of expected events. If the number of events over a specific period falls outside this range, the behavior is deemed anomalous.
Determining the threshold is complex, as it must account for user characteristics and sophistication. For instance, geographic location and keyboard layouts can influence expected event rates, and improper threshold settings can lead to false alarms.
Security Mechanism Clarifications
Is a Manipulation Detection Code (MDC) based on timestamps?
False. Mechanisms using MDCs apply a function to a file to generate a signature block. If the recomputed signature differs from the stored block, the file has been altered. This relies on the selection of robust cryptographic checksums.
Mandatory Access Control (MAC) Implementation
False. In a Mandatory Access Control policy, individual employees do not have the ability to grant access to their files. For example, a corporate employee cannot unilaterally grant a customer service representative access to sensitive financial data.