Authentication versus Authorization

Authentication is only the start of the Authorization process. A centralized user registry, enforced by strong cryptography must be enhanced by data local to the application in order to properly allow or deny access to specific operations on resources. Here is a real world example that should make things clearer: getting into a location in the USA that serves alcoholic beverages over the counter.

Line to get into the Club

If you go out to a nightclub, you present your state issued driver’s license to the bouncer at the door. The bouncer confirms you age by first looking at the license, mentally checking it against the image he knows of what a valid Massachusetts Driver’s license looks like, and deciding if it is fake or not. Assuming he accepts the license as real, he looks at the picture and compares it to the face of the person that handed it to him. If the two images match, he then looks at the date of birth to see if it occurred more than 21 years prior. Assuming both those checks happen, he lets you in.

ID form that fails validity check.

What has he done? First he confirms the validity of the document. He makes an authentication check. And then he makes an authorization check. Authorization cannot proceed without proper authentication.

Now, you go back the next night, and there is a guest list. The bouncer does not recognize you, so you go through the license validation process again. But, there is an additional check: is your name on the guest list? If not, it doesn’t matter if you can legally enter the bar due to your age, you are turned away.

Private function. Must be on the guess list to enter

The bar didn’t issue the driver’s license. But it did accept it as proof of authentication. The first night, only the additional attribute of age, calculated from Date-of-birth, was used to make the authorization decision. But the second night, the additional attribute of membership in the “guest-list” group also contributed.

As you are turned away, you see your brother walk into the bar. He got in because he tends bar there. He is in the group “Employees.” In order to get into that group, he had to pass an even stricter set of checks: proof of right-to-work in the USA, and ability to perform bar tending duties.

“Hey, Tommie, let him in, he’s my brother” and you are once again permitted to enter the bar. What is this group? Lets call it “Friends and family.” There are other groups that can get you in, too, like “Liquor Distributor”, “Plumber” as well as “Police Officer” and “Health Inspector.”

On Weekends, there is a cover charge. You might meet all the other criteria, but if you lack the $25 fee, you are not getting in. Unless it is one of those certain nights where just being female will get you in, as the bar runs “Ladies Night.”

Doorman checking ID

There are several layers of policy at work here: The doorman makes the decision on whom does or does not get in. The policy comes from several places. The drinking age of 21 comes from state law. The Health inspector comes from the county, and the police officer comes from the city. Employees are hired by the manager. Ladies night is put together by the manager. The guest list is compiled from numerous people, some of whom don’t work for the bar. The money is issued from the federal government, but the cover charge is set up by the event coordinator, and she also hires the band.

Authentication is verified locally based on a centrally issued certificate, linked to the identity of the person that holds it. Other attributes are deduced from that certificate, and are compared with local policies. Authorization is based on the result of this comparison.

In some cases, strict authentication is not required. We take the police officer at his word based on his uniform and badge. Yes, those can be forged. If we at all doubt the veracity of the claim, we can call the police station and confirm his identity.

These gentlemen are always allowed through the door.

“Female” does not require authentication. It is an attribute fairly readily deduced from appearance. It, too, can be forged, but the cost of letting some one in with a forged Gender attribute is relatively low, and the cost of forging it is quite high. Yes, the bouncer could check the driver’s license to see what value is in there for “sex” but he most likely won’t.

The distinction between authentication and authorization is very often blurred. I hope you this real world analogy to clarify the structure of access control in your own discussions.

Leave a Reply

Your email address will not be published. Required fields are marked *