AND THE

Universe

AS I SEE IT

tags:

Understanding Access, Authorization, Athentication and Understanding

A semi-technical explanation of common terms used in technology security and cryptography. Without understanding the basic terms it is impossible to intelligently discuss the impications of rules and laws regarding these subjects.

Scenario: Jane works at Big Bank as an account representative. Big Bank has a computer network.

Access = Can I?

Jane has a company computer and an account on the corporate network. Jane has access.

Athorization = May I?

When Jane was hired, her bosses directed IT staff to give her account access to resources on the network. Jane has authorization.

Athentication = Who am I?

Jane logs into the network using an ID and password. Jane proves she is who she says she is, authentication.

 

If Jane goes to the bathroom and Joe the janitor walks into Jane's office and sees her computer open and logged into the network, Joe has access. Joe is not authorized. 

If Jane logs out of her computer before going to the bathroom, Joe can still has access. He is in her office with all the tools to connect to the network. Joe can wake her computer at which point he will see: User = Jane, Password = _____. Jane has access, Jane is authorized, Joe has access via Jane's computer but Joe must authenticate that he is Jane. Entering Jane's secret password authenticates that the user sitting at the computer is the owner of the account.

Jane is forgetful. She locks her computer but keeps her password written on a sticky note on her keyboard. Joe has access, Joe can authenticate he is Jane, but Joe is still not authorized. Joe is committing a crime. Bad Joe.

A "Real World" example is a drivers license. The license is physical proof you have been authorized by a state to let you drive. If the state revokes your license, you still have access but no longer have authorization (even if you still have the physical ID). I can hand you my license but that does not mean you are authorized to drive. Having somebody's password does not authorize you to access a system or network. The picture on the ID authenticates you. If a police officer pulls you over they can check to make sure the driver matches the picture on the license.

 

 

Understanding is ironically hard to understand. In debates over privacy, security, encryption, and the laws that govern these, the three "A" words are often used incorrectly. For example, if police sieze a phone they may claim they need "access" to the phone. They have the phone, they have access.

The need for encyrption, or the strength of the cipher, is inverserly proportional to access. If you are an astronaut whose spaceship is in deepspace and on a crash course with a large Sun, no need to encrypt your daily journal. Nobody will ever have access so there is no need for encryption. The only reason for encryption is to protect against people with access or who may gain access.

Lets jump right into the craziness of cryptography. For ease of understanding forget computers, we will go old school. The "Caesar Cypher", aka a substitution cypher is a very basic (and weak) form of cryptography. Letters in a message are substituted, A become R, B becomes I, C become P... This is pretty easy to crack even without a computer.

An example from Wikikpedia-

Plaintext:  THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG
Ciphertext: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD

You can encrypt a file, a folder, a volume, a drive or an entire system. Each can use a different encryption algorithm and have a different decryption key.

Plaintext:  THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG

Substition cipher

Ciphertext: QEB NRFZH YOLTK CLU GRJMP LSBO QEB IXWV ALD

Reverse each word

Ciphertext: BEQ HZFRN KTLOY ULC PMJRD OBSL BEQ VWXI DLA

Flip the entire thing so you have to look in a mirror

Ciphertext: BEW HZFRN YOLTK ULC PMJRD OBSL BEQ VWXI DLA

A fictional CEO is under investigation. A judge grants a warrant for the police to sieze and search the CEO's computer and compels the CEO to give up the password for the computer. They take the computer so they have access. The warrant gives them authorization.  The CEO's password means they can authenticate themselves as the CEO.

They access the computer and find a text file on the desktop, the file contents are:

Ciphertext: BEW HZFRN YOLTK ULC PMJRD OBSL BEQ VWXI DLA

Nonsense or incrimiating evidence? The police think it is incrimating evidence but don't know why. What do they ask for- access, athorization, athentication... they already have these. What they want is to understand the information. They want the defendent to explain it to them.

Forcing a person to decrypt a device is forcing a person to explain themeselves, possibly to testify against themselves. IANAL (I am not a lawyer), but lawyers and judges aren't necessarily technically savvy. 

The police hire a special team of cryptography experts that break the code. The police now know what the file says: The quick brown fox jumps over the lazy dog. Stumped again. The police guess that quick brown fox is code for Quincy B. Fancy, the name of the CEO. They assume jumps over means to avoid laws or embezzle, and that lazy dog refers to a retirement pension. The CEO is arrested and thrown in prison, before he can defend himself he dies of a heart attack.

Somewhere in the world, a fast-and-loose, sexy and foxy, African-American hooker reads about the death of her her favorte client, listed in her black-book as lazy dog, and remembers the games naked leap-frog they would play, jumping over each other at $300 per hour.

 

Computers have added a lot of complexity to encryption. They can use ridiculously huge numbers, hashes, assymetric encryption, etc. But the principle is the same- encryption is about whether you can understand the data or not.