[cap-talk] Definition of Authentication on wiki.erights.org

Karp, Alan H alan.karp at hp.com
Tue Sep 8 08:43:42 PDT 2009


David-Sarah Hopwood wrote:
> 
> I agree with most of this, but I find both the term and the definition
> of "subject authentication" a bit imprecise.

So do I, but imprecise is better than confusing :)
> 
> When using authentication for access control, typically we
> have a program, such as a shell, that is designed to act on
> behalf of a principal. The local login procedure involves some
> part of the system TCB displaying a login prompt; there is also a
> channel from the computer's keyboard, or some other authentication
> device such as a smartcard reader, to that part of the TCB. A
> principal name (called a "username") is typed in, followed by a
> password, and/or a smartcard is inserted. If that is sufficient
> to authenticate the named principal, then the TCB creates a new
> subject that is an instance of the shell program, and grants it
> the permissions associated with the named principal, which results
> in it having the authority derived from those permissions.

This step is what I call "entering the system," which is used to establish a channel between the person at the keyboard and the "user agent (power box)," a person's embodiment in the computer.  
> 
> Notice that nothing here established anyone's identity. We do not
> know who to throw in jail; we *only* know which username/password or
> smartcard was used (and we don't know whether whoever used it was
> still at the computer when some subject associated with the login
> session did something jailworthy, or whether whoever was at the
> computer, if anyone, should be held responsible for the actions of
> that subject).

Exactly.  Identification is done when setting up the account.  That's the time you check drivers' licenses and tell people not to share their passwords because they are responsible for all actions taken with them.
> 
> Also notice that we didn't grant permissions or authority to any
> principal, nor did we authenticate any subject. Those would be
> type errors, or category mistakes, in our modelling of the system.
> We can only grant permissions (and hence authority) to subjects,
> and we can only authenticate principals. The granting of the
> permissions associated with the principal to the shell subject
> on the basis of the principal having been authenticated, is an
> *authorization* step performed by the TCB; it is not itself
> authentication.
>
Exactly.  Identification, authentication, and authorization are distinct steps.

The analogy in a Unix system is

Identification: Setting up an account.
Authentication: How you know to let a process use the privileges granted to an account.
Authorization:  Adding an entry to an access control list.
Access Check:   Checking the ACL before honoring a request.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
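As an added illustration (not code from this thread, and not Alan Karp's or David-Sarah Hopwood's), here is a small Python model that keeps the four steps of the Unix analogy above as separate operations on a toy TCB. It also makes the category point from the quoted text concrete: only principals are authenticated and only subjects are access-checked, so passing a Principal to the access check is rejected as a type error. The class names, the PBKDF2 password verifier and the sample accounts are assumptions constructed for this example.

```python
"""Toy TCB that keeps identification, authentication, authorization and
access check as four distinct operations.

Constructed illustration, not code from the cap-talk thread. The names
(Principal, Subject, TCB) and the choice of PBKDF2 as the password
verifier are assumptions of this example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """A named account, created at identification time. Principals are
    authenticated; they are never granted permissions directly."""
    name: str
    salt: bytes
    pw_hash: bytes


@dataclass(frozen=True)
class Subject:
    """A running process (the 'shell') acting on behalf of a principal.
    Only subjects make requests and only subjects pass access checks."""
    subject_id: int
    principal_name: str


class TCB:
    PBKDF2_ITERATIONS = 100_000  # assumption: any slow password KDF would do

    def __init__(self):
        self.accounts = {}   # username -> Principal, filled by identification
        self.acl = {}        # resource -> set of principal names (authorization)
        self.subjects = {}   # subject_id -> Subject, the live login sessions
        self._next_id = 1

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   TCB.PBKDF2_ITERATIONS)

    # 1. Identification: setting up an account. Whatever vetting happens
    #    (the driver's-licence check) is out of band; the TCB only records
    #    the principal name and a password verifier.
    def identify(self, username, password):
        salt = os.urandom(16)
        principal = Principal(username, salt, self._derive(password, salt))
        self.accounts[username] = principal
        return principal

    # 2. Authentication: verify the credential presented for a *principal*.
    #    On success the TCB creates a new *subject* bound to that principal;
    #    the binding, not the credential check, is what lets ACL entries
    #    naming the principal apply to the subject's requests.
    def authenticate(self, username, password):
        principal = self.accounts.get(username)
        if principal is None:
            return None
        if not hmac.compare_digest(self._derive(password, principal.salt),
                                   principal.pw_hash):
            return None
        subject = Subject(self._next_id, principal.name)
        self._next_id += 1
        self.subjects[subject.subject_id] = subject
        return subject

    # 3. Authorization: add an ACL entry naming a principal for a resource.
    def authorize(self, resource, username):
        if username not in self.accounts:
            raise KeyError("unknown principal %r" % username)
        self.acl.setdefault(resource, set()).add(username)

    def revoke(self, resource, username):
        self.acl.get(resource, set()).discard(username)

    # 4. Access check: a request comes from a subject, never from a principal.
    #    The ACL is consulted at request time, so a revoked entry takes effect
    #    even for an existing login session.
    def access_check(self, subject, resource):
        if not isinstance(subject, Subject):
            raise TypeError("access checks apply to subjects, not principals")
        if subject.subject_id not in self.subjects:
            return False
        return subject.principal_name in self.acl.get(resource, set())


def demo():
    """Run the four steps on constructed sample accounts and report outcomes."""
    tcb = TCB()
    tcb.identify("alice", "correct horse battery staple")  # constructed sample data
    tcb.identify("bob", "hunter2")
    tcb.authorize("/home/alice/notes", "alice")

    alice_shell = tcb.authenticate("alice", "correct horse battery staple")
    bob_shell = tcb.authenticate("bob", "hunter2")
    results = {
        "wrong_password_rejected": tcb.authenticate("alice", "wrong") is None,
        "unknown_user_rejected": tcb.authenticate("mallory", "x") is None,
        "alice_reads_notes": tcb.access_check(alice_shell, "/home/alice/notes"),
        "bob_reads_notes": tcb.access_check(bob_shell, "/home/alice/notes"),
    }
    tcb.revoke("/home/alice/notes", "alice")
    results["alice_after_revoke"] = tcb.access_check(alice_shell, "/home/alice/notes")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(step, outcome)
```

Running the module prints one line per outcome. Note that nothing in the model records who was at the keyboard: a Subject carries only the principal name whose credential was accepted, which is exactly the limitation the quoted text describes.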



