Data Protection and Security

   

VII Identification and Entity Authentication

   

VII.I Introduction

There are two types of authentication:

  • Entity authentication allows one party (the verifier) to gain assurance that the identity of another (the claimant) is as declared, thereby preventing impersonation.
  • Message authentication techniques, on the other hand, create and verify authentic messages (already discussed).

Another major difference between the two is that message authentication by itself does not provide any timeliness guarantee, whereas entity authentication confirms the identity in real time, while the verifying entity waits.
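The timeliness difference, shown as an added example that is not part of the original text: a recorded MAC-protected message verifies again at any later time, while a verifier that issues a fresh challenge and waits for the answer rejects a recorded response. The shared key, the function and class names, and the choice of an HMAC-based challenge-response exchange are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY = b"constructed-shared-key"  # constructed sample key, shared by claimant and verifier


def tag(data: bytes) -> bytes:
    """HMAC-SHA256 over data under the shared key."""
    return hmac.new(KEY, data, hashlib.sha256).digest()


def verify_message(msg: bytes, mac: bytes) -> bool:
    """Message authentication: checks origin and integrity, not freshness."""
    return hmac.compare_digest(tag(msg), mac)


class Verifier:
    """Entity authentication: issue a fresh challenge, then wait for the answer."""

    def __init__(self) -> None:
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)  # fresh 16-byte nonce per attempt
        return self.pending

    def check(self, identity: bytes, response: bytes) -> bool:
        nonce, self.pending = self.pending, None  # each challenge is single-use
        if nonce is None:
            return False
        return hmac.compare_digest(tag(identity + nonce), response)


def demo() -> dict:
    msg = b"I am alice"
    mac = tag(msg)
    out = {"message_first": verify_message(msg, mac),
           "message_replayed": verify_message(msg, mac)}  # same bytes, sent later
    verifier = Verifier()
    response = tag(b"alice" + verifier.challenge())  # claimant answers in real time
    out["entity_live"] = verifier.check(b"alice", response)
    verifier.challenge()  # later attempt: the verifier picks a new nonce
    out["entity_replayed"] = verifier.check(b"alice", response)  # recorded answer
    return out


if __name__ == "__main__":
    print(demo())
```

The recorded message passes both checks because nothing in it is bound to the moment of verification; the recorded response fails because it was computed over a nonce the verifier no longer accepts.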

In security, one of the primary purposes of authentication is to facilitate access control to a resource when an access privilege is linked to a particular identity, e.g. local or remote access to computer accounts. This is sometimes called authorization. Most of the time, authorization follows authentication. We have seen authorization in chapter 5.

Note that authorization sometimes does not use authentication. Instead, a security credential is presented. For example, to get on a bus you do not need to authenticate yourself; you only need to show the bus ticket to the bus driver.

Entity authentication, or authentication for short, is the main topic of this chapter. There is a difference between the terms identification and authentication:

Identification: Who are you?
Authentication: Prove it. Are you who you say you are?

In other words, authentication is the process of identity verification.

Broadly speaking, entity authentication can be implemented by three different techniques:

1. Smartcards (What you have)
2. Biometrics (What you are)
3. Passwords (What you know)

These techniques can sometimes be used together to improve security. If two of them are used together, this is called two-factor authentication. Three-factor authentication is also possible.

In multifactor authentication, location information (where you are) is sometimes used as an additional component. Since this fourth technique is rarely used on its own for authentication, it is not included in the list above.

 

   

VII.I.I Q

Question

In which applications is authentication a prerequisite for authorization? Why?

   

   
       
 