Part 1: General - Computer Security Resource Center - National ...
March, 2007<br />
3.4 Authorization<br />
Authorization is concerned with providing an official sanction or permission to perform a<br />
security function or activity. Normally, authorization is granted following a process of<br />
authentication. A non-cryptographic analog of the interaction between authentication and<br />
authorization is the examination of an individual’s credentials to establish their identity<br />
(authentication); upon proving identity, the individual is then provided with the key or password<br />
that will allow access to some resource, such as a locked room (authorization). Authentication<br />
can be used to authorize a role rather than to identify an individual. Once authenticated to a role,<br />
an entity is authorized for all the privileges associated with the role.<br />
3.5 Non-repudiation<br />
Non-repudiation is a service that is used to provide assurance of the integrity and origin of data<br />
in such a way that the integrity and origin can be verified by a third party. This service prevents<br />
an entity from successfully denying involvement in a previous action. Non-repudiation is<br />
supported cryptographically by the use of a digital signature that is calculated by a private key<br />
known only by the entity that computes the digital signature.<br />
3.6 Support Services<br />
Cryptographic security services often require supporting services. For example, cryptographic<br />
services often require the use of key establishment and random number generation services.<br />
3.7 Combining Services<br />
In many applications, a combination of cryptographic services (confidentiality, data integrity,<br />
authentication, authorization, and non-repudiation) is desired. Designers of secure systems often<br />
begin by considering which security services are needed to protect the information contained<br />
within and processed by the system. After these services have been determined, the designer then<br />
considers what mechanisms will best provide these services. Not all mechanisms are<br />
cryptographic in nature. For example, physical security may be used to protect the confidentiality<br />
of certain types of data, and identification badges or biometric identification devices may be used<br />
for entity authentication. However, cryptographic mechanisms consisting of algorithms, keys,<br />
and other keying material often provide the most cost-effective means of protecting the security<br />
of information. This is particularly true in applications where the information would otherwise be<br />
exposed to unauthorized entities.<br />
When properly implemented, some cryptographic algorithms provide multiple services. The<br />
following examples illustrate this case:<br />
1. A message authentication code (Section 4.2.3) can provide authentication as well as data<br />
integrity if the symmetric keys are unique to each pair of users.<br />
2. A digital signature algorithm (Section 4.2.4) can provide authentication and data<br />
integrity, as well as non-repudiation.<br />
3. Certain modes of encryption can provide confidentiality, data integrity, and<br />
authentication when properly implemented. These modes should be specifically designed<br />
to provide these services.<br />
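The condition in item 1 (keys unique to each pair of users) and the reason a MAC is not listed as providing non-repudiation can be seen in a short added example, which is not part of the original document. It assumes HMAC-SHA-256 as the MAC; the user names, keys and message are constructed for the illustration.

```python
import hashlib
import hmac
import secrets

USERS = ("alice", "bob", "carol")  # constructed user names

# Constructed keys: one secret per pair of users, and one secret shared by all.
PAIR_KEYS = {frozenset((a, b)): secrets.token_bytes(32)
             for i, a in enumerate(USERS) for b in USERS[i + 1:]}
GROUP_KEY = secrets.token_bytes(32)


def compute_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 over the message (the MAC assumed for this example)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def pair_tag(holder: str, peer: str, message: bytes) -> bytes:
    """Tag computed by `holder` with the key it shares only with `peer`."""
    return compute_tag(PAIR_KEYS[frozenset((holder, peer))], message)


def verify_pairwise(receiver: str, claimed_sender: str, message: bytes, tag: bytes) -> bool:
    """Receiver checks the tag under the key for (receiver, claimed_sender)."""
    return hmac.compare_digest(pair_tag(receiver, claimed_sender, message), tag)


def verify_group(message: bytes, tag: bytes) -> bool:
    """Any group member checks the tag under the single shared key."""
    return hmac.compare_digest(compute_tag(GROUP_KEY, message), tag)


def demo() -> dict:
    msg = b"transfer 100 to account 42"  # constructed message
    tag = pair_tag("alice", "bob", msg)
    return {
        "genuine_accepted": verify_pairwise("bob", "alice", msg, tag),
        "tampered_accepted": verify_pairwise("bob", "alice", msg + b"0", tag),
        # carol holds no alice-bob key; the only key she shares with bob is her own
        "carol_as_alice_accepted": verify_pairwise("bob", "alice", msg, pair_tag("carol", "bob", msg)),
        # with one group key, a tag from carol verifies exactly like one from alice
        "group_key_origin_ambiguous": verify_group(msg, compute_tag(GROUP_KEY, msg)),
        # bob can produce alice's tag himself, so a third party cannot attribute it
        "receiver_can_produce_same_tag": hmac.compare_digest(pair_tag("bob", "alice", msg), tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is why Section 3.5 ties non-repudiation to a private key known only to the signer: with a MAC, both holders of the key can compute the same tag.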