Authorization vs. Authentication
• Authentication is the process of proving identity to the system
– Login
• Authorization happens after authentication. It determines what you have rights to.
– Data access, read/write/modify
– Program execution allowed or not
– Ability to search directories
Authentication
• Authentication has proven to be one of the most difficult tasks in system security.
– What can be used to uniquely identify a user or group to the system and still be secure?
Authentication
• Methods
– Userid/password
• Easy to implement
• Hard to administer
– It is difficult to require users to have adequate passwords
– What is an adequate password?
– Humans have bad memories. What was my password?
– Should there be a time limit on the password?
– ID cards
• Requires some equipment cost
• Doesn’t guarantee the actual user is the one with the card
• What about lost/stolen cards?
Authentication
• Methods
– ID cards / password
• The ID card acts as a user ID
• Adds no more security
• Combines the worst of both the userid/password system and the ID card system
– Biometrics
• Fingerprint
– Expensive hardware (getting cheaper)
– What happens when the user gets a cut, or was gardening over the weekend?
Authentication
• Methods
– Biometrics
• Iris scan
– Very expensive equipment
– Many false negatives
– What happens with contacts?
– What about eye exams?
• Facial recognition
– Very expensive
– Has not worked once yet?
• In all forms of authentication some sort of manual bypass is required!
– Which allows for social engineering exploits!
Authorization
• There are two major ways of providing authorization
– UNIX file permissions
– ACL (Access Control List)
• Created by Novell
• Used by Microsoft – with some changes!
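As an added example (not from the slides), a small Python model of the two authorization schemes listed above, applied to a principal that authentication has already established. The principals, file mode and ACL entries are constructed for illustration, and the deny-wins evaluation order is the Windows-style rule assumed here, not something the slides state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    uid: int          # what authentication established: who the caller is
    gids: frozenset   # group ids the caller belongs to

BITS = {"r": 4, "w": 2, "x": 1}

def unix_allows(mode, owner_uid, owner_gid, p, want):
    """UNIX mode bits: exactly one class (owner, group, other) is picked and
    only its bits are tested; the classes never accumulate."""
    if p.uid == owner_uid:
        shift = 6
    elif owner_gid in p.gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & BITS[want])

@dataclass(frozen=True)
class Ace:
    kind: str         # "allow" or "deny"
    subject: str      # "user:<uid>", "group:<gid>" or "everyone"
    rights: frozenset # subset of {"r", "w", "x"}

def ace_matches(ace, p):
    if ace.subject == "everyone":
        return True
    typ, _, ident = ace.subject.partition(":")
    return (typ == "user" and int(ident) == p.uid) or (typ == "group" and int(ident) in p.gids)

def acl_allows(acl, p, want):
    """ACL evaluation assumed here (Windows-style): a matching deny entry for the
    right wins outright; otherwise some matching allow entry must grant it."""
    matching = [a for a in acl if ace_matches(a, p) and want in a.rights]
    if any(a.kind == "deny" for a in matching):
        return False
    return any(a.kind == "allow" for a in matching)

# Constructed sample: a file owned by uid 1000 / gid 100 with mode rw-r----- (0o640).
ALICE = Principal(1000, frozenset({100}))  # owner
BOB = Principal(1001, frozenset({100}))    # same group, not owner
CAROL = Principal(1002, frozenset({200}))  # unrelated user
# With an ACL, Carol can be given read without making the file world-readable,
# and Bob can lose write even though his group is allowed it.
ACL = [Ace("allow", "group:100", frozenset("rw")),
       Ace("allow", "user:1002", frozenset("r")),
       Ace("deny", "user:1001", frozenset("w"))]
```

The 0o070 case in the test shows the UNIX quirk worth remembering: the owner class is selected even when it grants less than the group class the owner also belongs to.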
• When you have a problem with your machine and you are on a tech support call, do you give your super user / administrator password to the technician?