Authentication vs. Authorization

It is easy to confuse the mechanism of authentication with that of authorization. In many host-based systems (and even some client/server systems), the two mechanisms are performed by the same physical hardware and, in some cases, the same software.

It is important to draw the distinction between these two mechanisms, however, since they can (and, one might argue, should) be performed by separate systems.

What, then, distinguishes these two mechanisms from one another?

Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide an answers to the questions:

Who is the user?
Is the user really who he/she represents himself to be?

An authentication system may be as simple (and insecure) as a plain-text password challenging system (as found in some older PC-based FTP servers) or as complicated as the Kerberos system described elsewhere in these documents. In all cases, however, authentication systems depend on some unique bit of information known (or available) only to the individual being authenticated and the authentication system -- a shared secret. Such information may be a classical password, some physical property of the individual (fingerprint, retinal vascularization pattern, etc.), or some derived data (as in the case of so-called smartcard systems). In order to verify the identity of a user, the authenticating system typically challenges the user to provide his unique information (his password, fingerprint, etc.) -- if the authenticating system can verify that the shared secret was presented correctly, the user is considered authenticated.

Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the datbase, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

Is user X authorized to access resource R?
Is user X authorized to perform operation P?
Is user X authorized to perform operation P on resource R?

Authentication and authorization are somewhat tightly-coupled mechanisms -- authorization systems depend on secure authentication systems to ensure that users are who they claim to be and thus prevent unauthorized users from gaining access to secured resources.

Figure I, below, graphically depicts the interactions between arbitrary authentication and authorization systems and a typical client/server application.

FOUR-BLOCK DIAGRAM OF CLIENT/SERVER AUTHENTICATION AND AUTHORIZATION

Figure I

In the diagram above, a user working at a client system interacts with the authentication system to prove his identity and then carries on a conversation with a server system. The server system, in turn, interacts with an authorization system to determine what rights and privileges the client's user should be granted.

注：AC 是 authentication center 的缩写

CA 是 Certificate Authority 的缩写

翻译

认证与授权

认证与授权机制非常容易混淆，在很多基于主机（host-based system）的系统中（甚至是在一些CS系统中），这两种机制用相同的物理硬件实现，在某些情况下，也可以用相同的软件实现。

阅读(884) | 评论(0) | 转发(0) |

上一篇：教你如何把打印稿变成电子稿

下一篇：RHEL5.4 DNS服务器配置详解(一)

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6