Page 305 - DCAP103_Principle of operating system
Notes: The Cryptography API contains functions that allow applications to encrypt or digitally sign data in a flexible manner, while providing protection for the user's sensitive private key data.
9.5 User Authentication
When things go wrong it is useful to be able to identify the people involved, both the possible victims and those who may have caused the problem. This is as true on computer networks as anywhere else. The aim should be to have all users of JANET identify themselves whenever they are on the network, but in a few situations the cost or inconvenience of achieving this may be unreasonable.

Why identify users?

The JANET Security Policy requires that connected organizations exercise 'responsibility about giving, controlling and accounting for access to JANET'. The Policy does not mandate that everyone accessing the network must log on to it, but lets each organization decide how to control network access responsibly. Likewise, the law of the land and the expectations of society do not insist that every action be traceable to an individual. There is no legal requirement to identify or record every logon, e-mail, web request or mouse click. However, activity on a network can almost always be traced to an organization that owns an Internet domain or address. Organizations are expected to behave responsibly and will be blamed if they are not seen to do so. For example:
• JISC (Joint Information Systems Committee) may, in extreme cases, suspend or withdraw the right to connect to JANET if an organization's behaviour represents a serious threat to other users of the network;
• Other users may be reluctant to accept communications from an organization that does not deal promptly and effectively with problems; for example, some JANET sites have found themselves on blacklists that prevent them exchanging e-mail with others;
• In a few circumstances, the courts may fine an organization or imprison its directors if crimes were committed as a result of their negligence, in other words, if they have not taken reasonable care to avoid causing foreseeable harm;
• More often, courts may require organizations to pay damages to individuals or businesses who have suffered loss or harm because of their negligence;
• Society and the press may publicly blame an organization that fails to meet the standards expected of it. JISC's Legal Information Service (JISCLegal) publishes an article on the legal liability of universities and colleges at—

Organizations should consider the risk of misuse when deciding if any groups of users and systems do not need individual identification.
An individual account should only take a few minutes to set up. If the user only needs it for a few seconds then creating and deleting an account may be an unreasonable overhead. However, the convenience of not setting up and managing individual accounts cannot justify a significantly increased risk of harm to others and the organization. Harm can be caused by hacking, malicious messages, downloading illegal material and many other types of activity, the scope for which will normally be less where an individual's access is limited to a few systems, rather than the whole Internet. However, if critical internal systems may be accessed then the potential harm should not be underestimated.

How to identify users

The most common way for individuals to identify themselves is to log on when they sit down at a terminal; however, this is not the only option. If users have to prove their identity to get into a workstation room or borrow a laptop then a record can be kept of who used which computer when. Some organizations let anyone see a limited set of web pages but require a login to gain access to other sites or services. However they