Transcript
Page 1: Authorization vs. Authentication Authentication is the process of proving identity to the system –login Authorization happens after authentication. It

Authorization vs. Authentication

• Authentication is the process of proving identity to the system
  – login

• Authorization happens after authentication. It determines what you have rights to.
  – Data access, read/write/modify
  – Program execution allowed or not
  – Ability to search directories

Page 2:

Authentication

• Authentication has proven to be one of the most difficult tasks in system security.
  – What can be used to uniquely identify a user or group to the system and still be secure?

Page 3:

Authentication

• Methods
  – Userid/password
    • Easy to implement
    • Hard to administer
      – Difficult to require users to have adequate passwords
      – What is an adequate password?
      – Humans have bad memories. What was my password?
      – Should there be a time limit on the password?
  – ID Cards
    • Requires some equipment cost
    • Doesn’t guarantee the actual user is the one with the card
    • What about lost/stolen cards?

Page 4:

Authentication

• Methods
  – ID Cards / password
    • The id card acts as a user id
    • Adds no more security.
    • Combines the worst of both the userid/password system and the ID card system
  – Biometrics
    • Fingerprint
      – Expensive hardware (getting cheaper)
      – What happens when the user gets a cut, or was gardening over the weekend?

Page 5:

Authentication

• Methods
  – Biometrics
    • Iris Scan
      – Very expensive equipment
      – Many false negatives
      – What happens with contacts?
      – What about eye exams?
    • Facial Recognition
      – Very expensive
      – Has not worked once yet?

• In all forms of authentication some sort of manual bypass is required!
  – Which allows for social engineering exploits!

Page 6:

Authorization

• There are two major ways of providing authorization
  – UNIX file permissions
  – ACL (Access Control List)
    • Created by Novell
    • Used by Microsoft – with some changes!
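To make the two authorization models on this slide concrete, and the Page 1 point that authorization is decided only after authentication has established who is asking, here is an added example that is not from the slides. It evaluates the same read/write/execute requests (with execute on a directory meaning "search") against UNIX owner/group/other mode bits and against an access control list. The users, groups, files and ACL entries are constructed sample data, and the "explicit deny wins over allow" precedence in the ACL check is one common convention, assumed here.

```python
"""Added example (not from the slides): UNIX mode-bit authorization versus
ACL authorization for an already-authenticated principal. All identities,
files and ACL entries are constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

READ, WRITE, EXEC = 4, 2, 1   # the r, w, x bit values within one octal digit
SEARCH = EXEC                 # on a directory, the execute bit grants search/traversal


@dataclass(frozen=True)
class Principal:
    """What authentication produced: the system now knows who is asking."""
    uid: int
    gids: FrozenSet[int]


@dataclass
class UnixFile:
    owner_uid: int
    group_gid: int
    mode: int                 # e.g. 0o640 -> owner rw-, group r--, other ---
    is_dir: bool = False


def unix_allowed(p: Principal, f: UnixFile, want: int) -> bool:
    """Classic UNIX check: exactly one of owner/group/other applies, then test bits.
    uid 0 is deliberately not special-cased so the bits alone decide."""
    if p.uid == f.owner_uid:
        bits = (f.mode >> 6) & 0o7
    elif f.group_gid in p.gids:
        bits = (f.mode >> 3) & 0o7
    else:
        bits = f.mode & 0o7
    return bits & want == want


@dataclass
class AclEntry:
    kind: str                 # "user" or "group"
    ident: int                # uid or gid the entry applies to
    allow: int = 0            # rwx bits granted
    deny: int = 0             # rwx bits explicitly denied


@dataclass
class AclFile:
    acl: List[AclEntry] = field(default_factory=list)


def acl_allowed(p: Principal, f: AclFile, want: int) -> bool:
    """ACL check: every entry matching the principal contributes; any explicit
    deny on a requested bit overrides allows (assumed precedence convention)."""
    allowed = denied = 0
    for e in f.acl:
        matches = (e.kind == "user" and e.ident == p.uid) or \
                  (e.kind == "group" and e.ident in p.gids)
        if matches:
            allowed |= e.allow
            denied |= e.deny
    return (want & denied) == 0 and (allowed & want) == want


def demo() -> Dict[str, bool]:
    """Constructed scenario: alice owns the files; bob shares only group 100."""
    alice = Principal(uid=1001, gids=frozenset({100, 200}))
    bob = Principal(uid=1002, gids=frozenset({100}))
    report = UnixFile(owner_uid=1001, group_gid=200, mode=0o640)
    home = UnixFile(owner_uid=1001, group_gid=200, mode=0o711, is_dir=True)
    shared = AclFile(acl=[
        AclEntry("group", 100, allow=READ),
        AclEntry("user", 1002, deny=READ),         # bob is in group 100 but is denied
        AclEntry("user", 1001, allow=READ | WRITE),
    ])
    return {
        "alice writes report": unix_allowed(alice, report, WRITE),      # owner rw-
        "bob reads report": unix_allowed(bob, report, READ),            # other ---
        "bob searches home": unix_allowed(bob, home, SEARCH),           # other --x
        "bob lists home": unix_allowed(bob, home, READ),                # other lacks r
        "alice modifies shared": acl_allowed(alice, shared, READ | WRITE),
        "bob reads shared": acl_allowed(bob, shared, READ),             # deny wins
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request}: {'allowed' if decision else 'denied'}")
```

The contrast the slide draws shows up in the `shared` file: UNIX bits can only say one thing about "everyone in group 100", whereas the ACL can grant the group read access and still single out one member for denial.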

Page 7:

• When you have a problem with your machine and you are on a tech support call, do you give your super user / administrator password to the technician?
