Page 238 - DCAP311_DCAP607_WIRELESS_NETWORKS

Wireless Networks




This makes it possible to store symmetric keys on SIM cards and, along with simple cryptographic software modules, to turn the mobile device into a seeded OTP generator. The generated OTPs can be used as credentials for out-of-band, multifactor authentication.

Furthermore, with wireless data plans, mobile devices can communicate directly with authentication systems by using wireless PKI. In this case, SIM cards provide secure storage of users' private PKI keys: the private key need never leave the card, since the SIM signs a challenge and the verifier checks the signature with the public key in the matching certificate. The private keys can then be used for strong authentication, implemented with corresponding certificates to produce digital signatures and, in some cases, client-authenticated SSL/TLS. Some of the projected applications of this approach include mobile banking, contactless/proximity mobile payments, identity and credential verification, and so on. At some point, mobile devices might become the most ubiquitous form of digital identity for consumers.
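The page does not name the OTP algorithm a SIM-seeded generator would run; the example below, added here and not taken from the book, assumes the standard event-based HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238). The seed is the 20-byte test secret published in those RFCs, chosen only so the outputs can be checked against the known vectors; a real SIM would hold a random operator-provisioned key. It also shows the verifier side, which is where the security properties live: a bounded look-ahead window so a token that was pressed without a login still synchronises, and a counter that only moves forward so an intercepted code cannot be replayed.

```python
import hashlib
import hmac
import struct

# Constructed example seed: the 20-byte ASCII test secret from RFC 4226 / RFC 6238.
# A SIM-resident seed would be a random value provisioned by the operator.
SEED = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch."""
    return hotp(key, unix_time // step, digits)


class HotpVerifier:
    """Server-side state for one token: the seed plus the next counter value expected.

    A code is accepted for any counter in [expected, expected + look_ahead], which tolerates
    the token being advanced without a login. Accepting a code moves the expected counter past
    it, so that code, and any earlier one, can never be accepted again (replay protection).
    """

    def __init__(self, key: bytes, look_ahead: int = 5, digits: int = 6):
        self.key = key
        self.expected = 0
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, submitted: str) -> bool:
        for c in range(self.expected, self.expected + self.look_ahead + 1):
            # compare_digest keeps the comparison time independent of where the first mismatch is
            if hmac.compare_digest(hotp(self.key, c, self.digits), submitted):
                self.expected = c + 1
                return True
        return False


if __name__ == "__main__":
    print("HOTP counters 0..2:", [hotp(SEED, c) for c in range(3)])
    print("TOTP at t=59 (8 digits):", totp(SEED, 59, digits=8))
    v = HotpVerifier(SEED)
    print("first use accepted:", v.verify(hotp(SEED, 0)))
    print("replay rejected:", not v.verify(hotp(SEED, 0)))
```

The out-of-band property the text mentions comes from the channel, not the algorithm: the code is generated on the phone and typed into a different session, so an attacker who has only the password (or only the phone) still fails. The look-ahead window should stay small, since every extra counter the verifier is willing to accept is one more valid code an attacker can guess at.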

14.1.7 Authentication vs. Authorization


It is easy to confuse the mechanism of authentication with that of authorization. In many host-based systems (and even some client/server systems), the two mechanisms are performed by the same physical hardware and, in some cases, by the same software. It is important to draw the distinction between the two, however, since they can (and, one might argue, should) be performed by separate systems. What, then, distinguishes these two mechanisms from one another?

Authentication is the mechanism whereby systems may securely identify their users. Authentication systems provide answers to the questions:

- Who is the user?
- Is the user really who he or she claims to be?

An authentication system may be as simple (and insecure) as a plain-text password challenge system (as found in some older PC-based FTP servers) or as complicated as the Kerberos system described elsewhere in these documents. In all cases, however, authentication depends on some unique bit of information that only the individual being authenticated can present and that the authentication system can verify. Such information may be a classical password (a shared secret, known to both the user and the system), some physical property of the individual (fingerprint, retinal vascularization pattern, etc.), or some derived data (as in the case of so-called smartcard systems, where the card computes a response from a key that never leaves it). In order to verify the identity of a user, the authenticating system typically challenges the user to provide his or her unique information (password, fingerprint, etc.); if the authenticating system can verify that the credential was presented correctly, the user is considered authenticated. Note that with public-key credentials (smartcards, wireless PKI) the verifier holds only the public key, so nothing secret is actually shared; the term "shared secret" applies strictly to password- and OTP-style credentials.
Authorization, by contrast, is the mechanism by which a system determines what level of access a particular authenticated user should have to secured resources controlled by the system. For example, a database management system might be designed so as to provide certain specified individuals with the ability to retrieve information from a database but not the ability to change data stored in the database, while giving other individuals the ability to change data. Authorization systems provide answers to the questions:

- Is user X authorized to access resource R?
- Is user X authorized to perform operation P?
- Is user X authorized to perform operation P on resource R?

Authentication and authorization are somewhat tightly coupled mechanisms: authorization systems depend on secure authentication systems to ensure that users are who they claim to be, and thus to prevent unauthorized users from gaining access to secured resources. An authorization decision is only as good as the identity it is made about, so it must be based on the identity the authentication system established, never on a name the client merely asserts.
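To make the separation concrete, here is an added example (not code from the book) that implements the two mechanisms as two independent components and runs the database scenario above through them: a "reader" who may retrieve from an `orders` table but not change it, and an "editor" who may do both. The password storage (salted PBKDF2-HMAC-SHA256), the grant-table design and the user, table and operation names are all illustrative assumptions. The point to notice is that the authorizer only ever sees a `Principal` produced by the authenticator, and answers all three of the page's questions with default deny.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Principal:
    """An identity the authentication system has vouched for; only this reaches the authorizer."""
    user: str


class Authenticator:
    """Answers 'who is the user, and is it really them?' by checking a shared secret (password).

    Passwords are stored as salted PBKDF2-HMAC-SHA256 hashes and compared in constant time.
    """

    def __init__(self, iterations: int = 100_000):
        self._store = {}                 # user -> (salt, derived key)
        self._iterations = iterations

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._store[user] = (salt, self._derive(password, salt))

    def authenticate(self, user: str, password: str) -> Optional[Principal]:
        record = self._store.get(user)
        if record is None:
            # Do the same work for unknown users so timing does not reveal which names exist.
            self._derive(password, bytes(16))
            return None
        salt, expected = record
        if hmac.compare_digest(self._derive(password, salt), expected):
            return Principal(user)
        return None


class Authorizer:
    """Answers 'is X allowed operation P on resource R?' from an explicit grant table.

    Anything not granted is denied, and an unauthenticated caller (no Principal) gets nothing.
    """

    def __init__(self):
        self._grants: Set[Tuple[str, str, str]] = set()

    def grant(self, user: str, operation: str, resource: str) -> None:
        self._grants.add((user, operation, resource))

    def is_authorized(self, who: Optional[Principal], operation: str, resource: str) -> bool:
        """Is user X authorized to perform operation P on resource R?"""
        if who is None:
            return False
        return (who.user, operation, resource) in self._grants

    def can_access(self, who: Optional[Principal], resource: str) -> bool:
        """Is user X authorized to access resource R (by any operation)?"""
        return who is not None and any(u == who.user and r == resource for u, _, r in self._grants)

    def can_perform(self, who: Optional[Principal], operation: str) -> bool:
        """Is user X authorized to perform operation P (on any resource)?"""
        return who is not None and any(u == who.user and p == operation for u, p, _ in self._grants)


def build_demo() -> Tuple[Authenticator, Authorizer]:
    """Constructed setup mirroring the page's database example: a reader and an editor."""
    authn = Authenticator()
    authn.enroll("reader", "correct horse battery staple")   # constructed credentials
    authn.enroll("editor", "purple monkey dishwasher")
    authz = Authorizer()
    authz.grant("reader", "SELECT", "orders")
    authz.grant("editor", "SELECT", "orders")
    authz.grant("editor", "UPDATE", "orders")
    return authn, authz


def request(authn: Authenticator, authz: Authorizer,
            user: str, password: str, operation: str, resource: str) -> bool:
    """The client/server flow: authenticate first, then authorize the authenticated principal."""
    who = authn.authenticate(user, password)   # None if the shared secret does not check out
    return authz.is_authorized(who, operation, resource)


if __name__ == "__main__":
    authn, authz = build_demo()
    print("reader SELECT:", request(authn, authz, "reader", "correct horse battery staple", "SELECT", "orders"))
    print("reader UPDATE:", request(authn, authz, "reader", "correct horse battery staple", "UPDATE", "orders"))
    print("editor UPDATE:", request(authn, authz, "editor", "purple monkey dishwasher", "UPDATE", "orders"))
```

Because `Authorizer` takes a `Principal` rather than a username string, a caller cannot skip authentication and ask for a decision about an arbitrary name; swapping the password check for Kerberos, a smartcard or the SIM-based OTP of the previous section changes only `Authenticator`, which is what "separate systems" buys.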
Figure 14.6, below, graphically depicts the interactions between arbitrary authentication and authorization systems and a typical client/server application.


          232                              LOVELY PROFESSIONAL UNIVERSITY