Sunday, October 18, 2009

Authentication And Access Control

Introduction

In the past, authentication was almost synonymous with password systems, but today's authentication systems must do more. In a distributed client-server environment, for instance, a user may have several client programs running on her desktop that access server programs on remote computers across a network that is not trusted. In such an environment the server must be able to verify that the client is running on behalf of a legitimate user. The authentication system should also provide "single logon", so that the user does not have to enter a password for every service she uses. An authentication service for computer networks such as Kerberos, described below, is an increasingly popular way of meeting these goals. Authentication provides proof of identity, but it says nothing about the privileges an entity holds: you are authenticated before you access a database system, but that does not tell the database system which data you are entitled to access. This latter function is known as authorization or access control.

Authentication

Modern computer systems provide services to multiple users and must be able to identify accurately the user making each request. In traditional systems, the user's identity is verified by checking a password typed at login; the system records that identity and uses it to decide what operations may be performed. The process of verifying a user's identity is called authentication. Password-based authentication is not suitable for use on computer networks: a password sent across the network can be intercepted and subsequently used by an eavesdropper to impersonate the user. Besides the security concern, password-based authentication is inconvenient; users do not want to enter a password each time they access a network service, and this has led to the use of even weaker authentication on computer networks. To overcome these problems, stronger authentication methods based on cryptography are required. With cryptographic authentication, an attacker listening to the network gains no information that would enable it to falsely claim another's identity. Kerberos is the most commonly used example of this type of authentication technology.

How Kerberos Works

The Kerberos authentication system uses a series of encrypted messages to prove to a verifier that a client is running on behalf of a particular user. The Kerberos protocol is based in part on the Needham and Schroeder authentication protocol, but with changes to support the needs of the environment for which it was developed. Among these changes are the use of timestamps to reduce the number of messages needed for basic authentication, the addition of a "ticket-granting" service to support subsequent authentication without re-entry of a principal's password, and a different approach to cross-realm authentication. Because timestamps replace the challenge-response nonces of Needham and Schroeder, the scheme depends on loosely synchronised clocks: a verifier rejects an authenticator whose timestamp falls outside an allowed clock skew, and keeps a short-lived cache of recently seen authenticators so that one captured on the wire cannot be replayed within that window.
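The exchanges described above, as an added worked example that is not part of the original post: a Python model of the AS exchange (login, where the password-derived key is used once), the TGS exchange (a service ticket obtained with the ticket-granting ticket and a timestamped authenticator, with no password re-entry) and the AP exchange (the service verifying the client). It also shows the two properties the Authentication section argues for: an eavesdropper who captures the ticket cannot use it without the session key, and a replayed authenticator is refused. Everything in it is assumed for illustration: the principal names and password, the hash-based `seal`/`unseal` stand-in for a real Kerberos encryption type, the 300-second skew, and the small ACL that models the authorization step the introduction distinguishes from authentication.

```python
"""Toy model of the Kerberos AS / TGS / AP exchanges (added example, not code from the page).
The 'cipher' here is a hash-based stand-in, not a real Kerberos encryption type."""
import hashlib, hmac, json, os

SKEW = 300  # seconds of clock skew tolerated when checking an authenticator's timestamp

def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from the password plus a salt (Kerberos salts with the principal name)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC (assumption: stands in for an AES/HMAC Kerberos enctype)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(ticket: dict, authenticator: bytes, now: float, seen: set) -> bytes:
    """Verifier side: presenter must hold the ticket's session key, use it freshly, and only once."""
    skey = bytes.fromhex(ticket["key"])
    auth = unseal(skey, authenticator)          # fails unless the sender has the session key
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket principal")
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator timestamp outside allowed clock skew")
    if (auth["client"], auth["ts"]) in seen:    # replay cache
        raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))
    return skey

class KDC:
    def __init__(self, keys: dict):
        self.keys, self.seen = keys, set()      # principal -> long-term key (the KDC database)

    def as_exchange(self, client: str, now: float) -> bytes:
        """AS-REQ/AS-REP: issue a TGT; only the client's long-term key opens the reply."""
        sk = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk, "expires": now + 8 * 3600})
        return seal(self.keys[client], {"key": sk, "ticket": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        """TGS-REQ/TGS-REP: a valid TGT plus authenticator buys a service ticket; no password needed."""
        t = unseal(self.keys["krbtgt"], tgt)
        sk_tgs = check_authenticator(t, authenticator, now, self.seen)
        sk_svc = os.urandom(16).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": sk_svc, "expires": t["expires"]})
        return seal(sk_tgs, {"key": sk_svc, "ticket": ticket.hex()})

class Service:
    def __init__(self, key: bytes, acl: dict):
        self.key, self.acl, self.seen = key, acl, set()

    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        """AP-REQ: open the ticket with our own key, verify the authenticator, return the principal."""
        t = unseal(self.key, ticket)
        check_authenticator(t, authenticator, now, self.seen)
        return t["client"]

    def authorize(self, client: str, op: str) -> bool:
        """Authorization is separate: the ACL, not the ticket, says what the principal may do."""
        return op in self.acl.get(client, set())

def attempt(fn) -> str:
    try:
        fn()
        return "accepted"
    except ValueError as e:
        return str(e)

def demo(now: float = 1_255_824_000.0) -> dict:
    """Client side of single logon, then the failure modes the text cares about: replay and a forger."""
    keys = {"alice": derive_key("correct horse", "alice"),   # constructed principals and keys
            "krbtgt": os.urandom(32), "host/fs": os.urandom(32)}
    kdc, fs = KDC(keys), Service(keys["host/fs"], {"alice": {"read"}})
    rep = unseal(keys["alice"], kdc.as_exchange("alice", now))          # AS: password-derived key used once
    tgt, tgt_key = bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])
    auth = seal(tgt_key, {"client": "alice", "ts": now + 60})
    rep = unseal(tgt_key, kdc.tgs_exchange(tgt, auth, "host/fs", now + 60))   # TGS: no password re-entry
    ticket, skey = bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])
    auth = seal(skey, {"client": "alice", "ts": now + 61})
    who = fs.accept(ticket, auth, now + 62)                             # AP: service verifies the client
    forged = seal(os.urandom(16), {"client": "alice", "ts": now + 64})  # eavesdropper lacks the session key
    return {"accepted": who, "read": fs.authorize(who, "read"), "write": fs.authorize(who, "write"),
            "replay": attempt(lambda: fs.accept(ticket, auth, now + 63)),
            "forged": attempt(lambda: fs.accept(ticket, forged, now + 64))}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks the whole flow on one host with a fixed clock: the service accepts Alice once, refuses the identical ticket-plus-authenticator a second later because of the replay cache, and refuses an authenticator built without the session key because its MAC does not verify. Note that the long-term password key is touched only in the AS step; every later step uses session keys the KDC handed out, which is what makes single logon possible.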

Authentication is critical to the security of computer systems. Without knowing the identity of the principal requesting an operation, it is difficult to decide whether the operation should be allowed. Traditional authentication methods are not suitable for use on computer networks, where an attacker can monitor network traffic to intercept passwords. The use of strong authentication methods that do not disclose the password is imperative. The Kerberos authentication system is well suited to authenticating users in such environments.
