Authentication

Definition

Proof that an entity possesses a claimed identity attribute.

Proof Type

  • Something known.

    • A secret memorized.

  • Something we have.

    • An object/token.

  • Something we are.

    • Biometrics.

Multi-factor authentication: joint or consecutive use of different proof types.

Goals

Authenticate interactors.

  • People, services, servers, hosts, networks, etc.

Enable the enforcement of authorization policies and mechanisms.

  • Authorization depends on authentication.

Facilitate the use of other security-related protocols.

  • e.g. key distribution for secure communication.

Requirements

Trustworthiness

How good is it in proving the identity of an entity?

How difficult is it to deceive?

Level of Assurance (LoA) (NIST, eIDAS, ISO 29115).

  • LoA 1 - Little or no confidence in the asserted identity.

  • LoA 2 - Some confidence in the asserted identity.

  • LoA 3 - High confidence in the asserted identity.

  • LoA 4 - Very high confidence in the asserted identity.

Secrecy

No disclosure of secrets used by legitimate entities.

Robustness

Prevent attacks on the protocol data exchanges.

Prevent on-line DoS attack scenarios.

Prevent off-line dictionary attacks.
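As an added illustration of the Secrecy and Robustness requirements (example code, not part of these notes): a nonce-based challenge-response in which the shared secret is never transmitted, each challenge is single-use so a captured response cannot be replayed, and outstanding challenges per identity are bounded. The identity, secret and constants are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example (identity and secret are assumptions, not from the notes).
SECRETS = {"alice": b"correct horse battery staple"}
MAX_OUTSTANDING = 3   # bound per-identity server state (on-line DoS)


class Verifier:
    """Server side of a nonce-based challenge-response ('something known')."""

    def __init__(self):
        self.outstanding = {}   # identity -> set of unconsumed nonces

    def issue_challenge(self, identity):
        slots = self.outstanding.setdefault(identity, set())
        if len(slots) >= MAX_OUTSTANDING:
            raise RuntimeError("too many outstanding challenges")
        nonce = secrets.token_bytes(16)   # fresh, unpredictable per attempt
        slots.add(nonce)
        return nonce

    def verify(self, identity, nonce, response):
        slots = self.outstanding.get(identity, set())
        known = nonce in slots
        slots.discard(nonce)              # single use: consumed on any attempt
        secret = SECRETS.get(identity)
        if not known or secret is None:
            return False                  # unknown or replayed nonce
        expected = respond(secret, identity, nonce)
        return hmac.compare_digest(expected, response)   # constant-time


def respond(secret, identity, nonce):
    """Client side: prove knowledge of the secret without ever sending it."""
    return hmac.new(secret, identity.encode() + nonce, hashlib.sha256).digest()


def run_exchange():
    """Returns (fresh accepted?, replay accepted?, secret visible on the wire?)."""
    v = Verifier()
    nonce = v.issue_challenge("alice")
    resp = respond(SECRETS["alice"], "alice", nonce)
    transcript = [b"alice", nonce, resp]  # what an eavesdropper observes
    first = v.verify("alice", nonce, resp)
    replay = v.verify("alice", nonce, resp)
    leaked = any(SECRETS["alice"] in msg for msg in transcript)
    return first, replay, leaked
```

A captured (nonce, response) pair can still be tested off-line against candidate secrets, which is exactly the off-line dictionary attack the last requirement refers to, so this scheme only holds up with a high-entropy secret.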

Simplicity

It should be as simple as possible to prevent entities from choosing dangerous shortcuts.

Deal with vulnerabilities introduced by people

People have a natural tendency to be careless or to take shortcuts.

Entities and deployment model

Entities

  • People

  • Hosts

  • Networks

  • Services/servers

Deployment model

Over time.

  • Only when interaction starts.

  • Continuously during the interaction.

Directionality.

  • Unidirectional.

  • Bidirectional.
