Data Protection and Security

I Introduction to Information Security

I.II Common Information Security Targets


Authentication and Authorization

Another common information security target is authentication: determining whether someone or something is, in fact, who or what it is declared to be. Authentication is usually followed by authorization, which grants permission to do something.

The term "identification" does not have the same meaning as "authentication". Identification answers the question "who are you?", whereas authentication answers "prove it: are you who you say you are?". We can therefore also say that authentication is the process of verifying an identification.

There are two types of authentication:

  1. Entity authentication
  2. Message authentication

Entity authentication is a real-time process in which there is no meaningful message other than the declaration of identity itself. The goal of message authentication, on the other hand, is to authenticate the source of a received message, which does not need to be a synchronous process. Practically speaking, message authentication also implies message integrity: without integrity protection it is meaningless to authenticate the source of a message, since its content could have been altered after it was sent.

Note that access control is another term used in this space. Its meaning is very close to that of authorization: deciding whether users or processes (subjects) are or are not permitted to access something (objects).
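The following example is added here to illustrate the concepts above; it is not code from the original course material. It walks through the identification, entity authentication and authorization steps for a constructed user store, and separately shows message authentication with an HMAC tag, where verifying the source of a message also detects any modification of its content. All user names, passwords, permissions and keys are constructed for the example.

```python
import hashlib
import hmac


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored secret is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: identity -> (salt, password hash, granted permissions).
USERS = {
    "alice": (b"salt-alice", _hash_password("correct horse", b"salt-alice"), {"read", "write"}),
    "bob": (b"salt-bob", _hash_password("battery staple", b"salt-bob"), {"read"}),
}


def identify(claimed_identity: str) -> bool:
    """Identification ("who are you?"): only checks that the claim names a known subject."""
    return claimed_identity in USERS


def authenticate(claimed_identity: str, password: str) -> bool:
    """Entity authentication ("prove it"): verifies the claim against the stored secret."""
    if not identify(claimed_identity):
        return False
    salt, stored_hash, _ = USERS[claimed_identity]
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), stored_hash)


def authorize(subject: str, permission: str) -> bool:
    """Authorization / access control: may this subject perform the action on the object?"""
    _, _, permissions = USERS.get(subject, (b"", b"", set()))
    return permission in permissions


def access(claimed_identity: str, password: str, permission: str) -> str:
    """The full flow: identification, then authentication, then authorization."""
    if not identify(claimed_identity):
        return "unknown identity"
    if not authenticate(claimed_identity, password):
        return "authentication failed"
    if not authorize(claimed_identity, permission):
        return "not authorized"
    return "granted"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Message authentication: an HMAC tag binds the message to the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Checks source and integrity together: a changed message or key fails the same test."""
    return hmac.compare_digest(tag_message(key, message), tag)
```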

Figure I.II-I: Identification-Authentication-Authorization flow.

I.II.Q Question

Is it strictly necessary to authenticate the real identity of someone before the authorization?
