Site home page
(news and notices)

Get alerts when Linktionary is updated

Book updates and addendums

Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)

Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!

Contribute to this site

Electronic licensing info

 

  

Authentication and Authorization

Related Entries    Web Links    New/Updated Information

  
Search Linktionary (powered by FreeFind)

Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

According to RFC 2828 (Internet Security Glossary, May 2000), authentication is "the process of verifying an identity claimed by or for a system entity." The key word here is verify, and the correct terminology is to say that "an authentication system verifies an identity."

Authentication can provide assurance that users (or systems) are who they say they are. Authorization refers to a user's ability to access resources on a network, usually based on user account rights and privileges. Refer to "Access Control" for details about how authenticated users are allowed to access system resources.

Authentication may be performed directly on the computer that the user is attempting to access, but in distributed environments, the user account and security information are usually stored and managed by a special security server. When a user logs on, the username and password are verified with the security server. Done properly, passwords are never sent across the wire. It is essential that the user's password be kept private and never cross the network, especially as readable text where eavesdroppers could easily capture the information and use it to access secure systems by masquerading as the user. Instead, unique handshake schemes are used to authenticate users in a secure way as discussed here.

While stand-alone security servers provide many benefits (centralized security and security management), authenticating users in distributed environments presents a number of interesting challenges.

This topic continues in "The Encyclopedia of Networking and Telecommunications" with a discussion of the following:

  • Authentication examples
  • Trust models
  • Single sign-on
  • Mutual authentication and strong authentication
  • Authentication protocols
  • Two-factor authentication, Kerberos, certificates, public keys, and PKI (public-key infrastructure)

IETF Working Groups and RFCs related to Authentication

There are several IETF working groups related to authentication, authorization, and accounting. These are listed here. Refer to these groups for more information, including working documents and a list of related RFCs.

IETF Working Group: Authentication, Authorization, and Accounting (AAA). This group is working on base protocols related to a network access server, Mobile IP, and roaming.

http://www.ietf.org/html.charters/aaa-charter.html

IETF Working Group: One Time Password Authentication (OTP)

http://www.ietf.org/html.charters/otp-charter.html

IETF Working Group: Common Authentication Technology (CAT). This group has worked on Kerberos services and security APIs.

http://www.ietf.org/html.charters/cat-charter.html

A number of Internet RFC are worth investigating to further your knowledge of this topic. The most important are listed below.

  • RFC 1507 (DASS - Distributed Authentication Security Service, September 1993)

  • RFC 1510 (The Kerberos Network Authentication Service (V5, September 1993)

  • RFC 1511 (Common Authentication Technology Overview, September 1993)

    • RFC 1704 (On Internet Authentication, October 1994)
  • RFC 1994 (Challenge Handshake Authentication Protocol, August 1996)

  • RFC 2084 (Considerations for Web Transaction Security, January 1997)

  • RFC 2222 (Simple Authentication and Security Layer, October 1997)

  • RFC 2284 (PPP Extensible Authentication Protocol, March 1998)

  • RFC 2289 (A One-Time-Password System, February 1998)

  • RFC 2401 (Security Architecture for the Internet Protocol, November 1998)

  • RFC 2444 (The One-Time-Password SASL Mechanism, October 1998)

  • RFC 2716 (PPP EAP TLS Authentication Protocol, October 1999)

  • RFC 2828 (Internet Security Glossary, May 2000)

  • RFC 2903 (Generic AAA Architecture, August 2000)

  • RFC 2904 (AAA Authorization Framework, August 2000)

  • RFC 2905 (AAA Authorization Application Examples, August 2000)

  • RFC 2945 (The SRP Authentication and Key Exchange System, September 2000)



Copyright (c) 2001 Tom Sheldon and Big Sur Multimedia.
All rights reserved under Pan American and International copyright conventions.