
Saturday, August 21, 2021

What is Authentication

We can understand the importance of authentication by going back to our discussion of what a trusted computing base does. We have resources that need to be protected, and we can protect them with a trusted computing base that acts as a reference monitor. Every request for a resource has to be monitored, and when you monitor a request, the question is: should this request be allowed to access the resource it targets? To answer that, we have to establish who the request is coming from. We are able to identify the source of the request because we have authentication in the system.

So let's look a little more closely at what authentication really is. We said we have to establish the source of the request, so we ask the source: who are you? Of course, you can't just claim to be anybody. If you claim to be Alice, you have to provide evidence that convinces us you really are Alice. Authentication, then, is knowing the identity of the source and establishing that it is indeed that person making the claim.

Once we have established the source of a request and convinced ourselves that the user is who he or she claims to be, the next part is authorization. In authorization, we establish whether the source of the request has the permissions necessary for the resource they want to access.

This permission check is the authorization process. Once authentication and authorization are done, we allow access to the resource when permitted, and the source of the request can make use of it.

Let's dig a little deeper into what authentication is. The operating system, or the trusted computing base (the OS is that plus perhaps more), needs to know who is making a request for a protected resource, because access to that resource has to be secured. In a computer system, a request actually comes from a process. The process may be running one of your services, your browser, a mail client, or anything else. So processes make the requests, but processes run on behalf of users, so a given process making a request must be running on behalf of a certain user. The user is also called a subject or a principal: these are the active entities that initiate requests or cause actions. The terms are used interchangeably, but we'll stick with user. Authentication, our topic, helps us answer this question: when a process makes a request and we need to know which user is making it, on whose behalf is the process running?
The requesting process makes its request through a system call, so it comes through the operating system. But on whose behalf is it making that call? To establish the user on whose behalf the process is running, we have to start with authentication. In the beginning, when a user comes to the system, the user authenticates himself or herself. That is how we start a login session, for example: you log in to the system, the session launches one or more processes that you need to run, and in the end the session is over. So when you start the login session, before the process that makes the request is launched, you make a claim about your identity.
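
The chain described above (login authenticates the user, processes launched in the session run on that user's behalf, and every request is mediated before the permission check) can be modeled in a few lines. This is an added example, not code from the original post; the `ReferenceMonitor` class, the `USERS` and `ACL` tables, the sample password and the resource path are all constructed for illustration.

```python
import hashlib, hmac, os

def _hash(password, salt):
    # Salted, deliberately slow hash so the stored verifier is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data (assumptions, not from the post).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}  # user -> (salt, verifier)
ACL = {"/payroll.db": {"alice": {"read"}}}                 # resource -> user -> rights

class ReferenceMonitor:
    """Toy model: every request is mediated and traced back to a user."""
    def __init__(self):
        self._sessions = {}   # session id -> authenticated user
        self._procs = {}      # pid -> session id that launched it
        self._next_pid = 100

    def login(self, user, password):
        """Authentication: check the evidence behind the identity claim."""
        salt, stored = USERS.get(user, (b"\0" * 16, b""))
        if not hmac.compare_digest(_hash(password, salt), stored):
            return None       # claim not backed by evidence: no session
        sid = os.urandom(8).hex()
        self._sessions[sid] = user
        return sid

    def spawn(self, sid):
        """Launch a process inside a login session; it runs on behalf of that user."""
        if sid not in self._sessions:
            raise PermissionError("no such session")
        pid = self._next_pid
        self._next_pid += 1
        self._procs[pid] = sid
        return pid

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def request(self, pid, resource, right):
        """Resolve pid -> session -> user, then run the authorization check."""
        user = self._sessions.get(self._procs.get(pid))
        if user is None:
            return False      # source of the request not established: deny
        return right in ACL.get(resource, {}).get(user, set())
```

Note that `request` never accepts a user name from the caller: identity is fixed once at `login`, and later requests can only inherit it through the process's session.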


