Security is an issue on every level of communication. If you order a loaf of bread at the bakery, you pay and receive your bread. This face to face approach doesn't really need any security. What does it matter if your neighbour, in line next to you, overhears you ordering bread and sees you pay, as long as you get your bread? But what if this were done online and it involved not bread but a loan or a transfer from your savings account? You wouldn't want a John Doe messing with the data you need to communicate with your bank, would you?
If (a lot of) money is involved, criminals are too, or at least try to be. To prevent burglars from coming into your house you can install anti-theft equipment. To prevent third parties from messing with your mail you can send it by registered delivery (as long as you trust your logistics company). You can do the same in the virtual world: online environments like websites or social applications. For example, you could encrypt a telephone conversation to prevent someone from listening in, just as cable companies encrypt their television signals to grant only paying viewers access to the content. When talking about security, some basic terms must be clear.
An identity is a unique value which refers to an entity. A username, for instance, is unique on a system and refers to its owner (the user). A license plate identifies a car, and a book from the library probably has its own book id. "Id" is a common abbreviation of identity or identifier.
Integrity is a term which is, in general, subjective. Integrity is a measure of how far an entity can be trusted. For example, mail carriers are considered to have high integrity, as they are expected not to read and/or alter the letters they deliver. Because of this, a letter has a high level of integrity: you expect the letter you read to have been written the way you read it.
Authenticity is a term reflecting whether an entity is genuine. Is a painting the original or is it a fake? (Note the words "the" and "a".) Is a passport counterfeit or is it genuine?
Authorization is a method to allow or deny privileges to an entity. Examples: if you are a site administrator you are authorized to make changes to the site, and if you bought a concert ticket you are granted access to the concert grounds. "HTTP Error 403: You are not authorized" and "Access denied" are common messages resulting from a failed authorization check.
Often clearance for something (e.g. access to your e-mail) is granted based on proven authentication of an authorized identity. In the example of ordering bread face to face, you are sure you pay your money to the baker and you are sure you receive your bread. But what if this were not face to face? What if you ordered your bread online and paid by credit card? How can you be sure you paid the bakery and not Mr Thief? How can you be sure Mr Thief didn't listen in and now knows your credit card details? And if you did pay the bakery, how can you be sure you receive your bread, and that it has not been tampered with, if you receive anything at all? Every aspect of the four terms mentioned above needs to be covered.
Identity itself is something you can do nothing about, but it can be covered by authentication. The primitive resources for authenticating an identity (verifying that someone is who he says he is) are limited. Basically you can rely on three categories:
- Physical: prove by what someone is. Examples are fingerprints, retina scans, voice prints and DNA.
- Property: prove by possession. Examples are passports and credit cards.
- Knowledge: prove by memory. Examples are passwords and PIN codes.
In digital telecommunication only property- and knowledge-based tests can be performed. This is because physical properties would have to be sampled in order to be transmitted to the checking authority. Such a sample can be seen as a (long) password, which can be copied, stored, etc., and is therefore only as safe as a password. This is in contrast to face to face communication, where e.g. fingerprints, behavioural habits or facial expressions cannot easily be copied.
Usually only something from the knowledge domain is required to log in on the Internet (a combination of username and password), which therefore does not always guarantee a satisfying level of safety. How more techniques from this field are used will be discussed in the follow-up article on security basics: techniques like SSL, public/private keys, certificates, hashing, etc.
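As an added illustration (not part of the original article) of how these terms fit together in a login flow: the identity is the claimed username, authentication checks a knowledge factor (a salted, hashed password) and a property factor (a token standing in for a card), and authorization decides per role, answering with the 403 mentioned above when it fails. The user records, tokens, roles and the 401 used for failed authentication are all constructed for this example.

```python
import hashlib
import hmac
import os

# Knowledge factor is stored as a salted hash, never as the plain password.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _new_record(password: str, token: str, role: str) -> dict:
    salt = os.urandom(16)  # fresh random salt per user
    return {"salt": salt, "pw_hash": _hash_pw(password, salt),
            "token": token, "role": role}

# Constructed user store: identity (username) -> authentication material + role.
USERS = {
    "alice": _new_record("correct horse", "tok-alice-001", "admin"),
    "bob": _new_record("hunter2", "tok-bob-002", "visitor"),
}

# Constructed authorization rules: which role may perform which action.
ALLOWED = {"admin": {"view", "edit_site"}, "visitor": {"view"}}

def authenticate(identity: str, password: str, token: str) -> bool:
    """Verify a claimed identity with a knowledge factor and a property factor."""
    rec = USERS.get(identity)
    if rec is None:
        # Unknown identity: still do the hashing work so timing looks the same, then refuse.
        _hash_pw(password, b"\x00" * 16)
        return False
    pw_ok = hmac.compare_digest(rec["pw_hash"], _hash_pw(password, rec["salt"]))
    tok_ok = hmac.compare_digest(rec["token"].encode(), token.encode())
    return pw_ok and tok_ok  # both factors must match

def authorize(identity: str, action: str) -> int:
    """Return 200 if the authenticated identity's role permits the action, else 403."""
    role = USERS[identity]["role"]
    return 200 if action in ALLOWED.get(role, set()) else 403

def request(identity: str, password: str, token: str, action: str) -> int:
    """Full pipeline: identity claim -> authentication -> authorization."""
    if not authenticate(identity, password, token):
        return 401  # assumed status for failed authentication
    return authorize(identity, action)
```

Note that a failed password or token never reaches the authorization step, so the two kinds of refusal stay distinguishable.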