Authentication and Authorization
2009-09-01 18:45
274 查看
Authentication
An authentication system is how you identify yourself to the computer. The goal behind an authentication system is to verify that the user is actually who they say they are.
There are many ways of authenticating a user. Any combination of the following are good examples.
Password based authenticationRequires the user to know some predetermined quantity (their password).
Advantages: Easy to impliemnt, requires no special equipemnt.
Disadvantages: Easy to forget password. User can tell another user their password. Password can be written down. Password can be reused.
Device based authenticationRequires the user to posses some item such as a key, mag strip, card, s/key device, etc.
Advantages: Difficult to copy. Cannot forget password. If used with a PIN is near useless if stolen.
Disadvantages: Must have device to use service so the user might forget it at home. Easy target for theft. Still doesn't actually actively identify the user.
Biometric Authentication
My voice is my passport. Verify me. This is from the movie sneakers and demonstrates one type of biometric authentication device. It identifies some physical charactistic of the user that cannot be seperated from their body.
Retina Scanners:
Advantages: Accurately identifies the user when it works.
Disadvantages: New technology that is still evolving. Not perfect yet.
Hand Scanners:
Advantages: Difficult to seperate from the user. Accurately identifies the user.
Disadvantages: Getting your hand stolen to break into a vault sucks a lot more than getting your ID card stolen.
Authorization
Once the system knows who the user is through authentication, authorization is how the system decides what the user can do.
A good example of this is using group permissions or the difference between a normal user and the superuser on a unix system.
There are other more compicated ACL (Access Control Lists) available to decide what a user can do and how they can do it. Most unix systems don't impliment this very well (if at all.)
from: http://www.acm.uiuc.edu/workshops/security/auth.html
An authentication system is how you identify yourself to the computer. The goal behind an authentication system is to verify that the user is actually who they say they are.
There are many ways of authenticating a user. Any combination of the following are good examples.
Password based authenticationRequires the user to know some predetermined quantity (their password).
Advantages: Easy to impliemnt, requires no special equipemnt.
Disadvantages: Easy to forget password. User can tell another user their password. Password can be written down. Password can be reused.
Device based authenticationRequires the user to posses some item such as a key, mag strip, card, s/key device, etc.
Advantages: Difficult to copy. Cannot forget password. If used with a PIN is near useless if stolen.
Disadvantages: Must have device to use service so the user might forget it at home. Easy target for theft. Still doesn't actually actively identify the user.
Biometric Authentication
My voice is my passport. Verify me. This is from the movie sneakers and demonstrates one type of biometric authentication device. It identifies some physical charactistic of the user that cannot be seperated from their body.
Retina Scanners:
Advantages: Accurately identifies the user when it works.
Disadvantages: New technology that is still evolving. Not perfect yet.
Hand Scanners:
Advantages: Difficult to seperate from the user. Accurately identifies the user.
Disadvantages: Getting your hand stolen to break into a vault sucks a lot more than getting your ID card stolen.
Authorization
Once the system knows who the user is through authentication, authorization is how the system decides what the user can do.
A good example of this is using group permissions or the difference between a normal user and the superuser on a unix system.
There are other more compicated ACL (Access Control Lists) available to decide what a user can do and how they can do it. Most unix systems don't impliment this very well (if at all.)
from: http://www.acm.uiuc.edu/workshops/security/auth.html
相关文章推荐
- Authentication and Authorization
- Yii - 验证和授权(Authentication and Authorization)
- Authentication and Authorization for ASP.Net Application
- How-to: Enable User Authentication and Authorization in Apache HBase
- Claims-Based Authentication and Authorization
- IIS authentication and authorization
- Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
- Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
- 【主流身份管理技术辨析】Authentication and Authorization: OpenID vs OAuth2 vs SAML
- How-to: Enable User Authentication and Authorization in Apache HBase
- Authentication and Authorization in ASP.NET Web API
- [Java EE][Security] - Understanding Security Realms - 2. DB authentication and authorization
- Riaservice 验证和授权(Authentication and Authorization)(转载)
- Akka(42): Http:身份验证 - authentication, authorization and use of raw headers
- (待翻译)Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
- ASP.NET authentication and authorization
- JAAS最经典的文章:USER AUTHENTICATION AND AUTHORIZATION IN THE JAVA(TM) PLATFORM
- Authentication and Authorization in the Google Data Protocol
- Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication
- Akka(42): Http:身份验证 - authentication, authorization and use of raw headers