Authentication and Authorization

By | July 8, 2009

These two terms are commonly confused, yet they are the basis of most security mechanisms. In many host-based systems both mechanisms are implemented by the physical hardware, and in some cases by software.

There is a clear difference between the two.

Authentication: This is the mechanism by which the system establishes that an identity is the same identity it claims to be. It is how the system securely identifies its users.

It generally answers two questions:
Who is the user?
Is the user really the person he claims to be?

The mechanism can be as simple as a password-based system or as complex as Kerberos. In every case the authentication system depends on some unique information that is known only to the individual being authenticated and to the authentication system itself.

This information can be a password, a physical property such as a fingerprint or retinal pattern, or some data derived from such a secret. The system challenges the user to provide the unique information, and if it can verify the data provided, the user is considered authenticated.


Authorization: This mechanism differs from the one above.
Once the user has been identified, authorization comes into the picture. Here the system determines what kind of user has logged on, i.e. what level of access a particular authenticated user has. For example, a simple Windows XP operating system can have many users logging onto the same machine with different user accounts, such as Admin, Guest or personalized logins. Each user account has different rights and privileges, which are defined by the system.

Authorization is the mechanism that answers the following questions:

Is the user authorized to access resource R?
Is the user authorized to perform operation P?
Is the user authorized to perform operation P on resource R?

The two mechanisms are tightly coupled: authorization decisions are only meaningful for a principal that has first been authenticated.
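To make the two mechanisms and their coupling concrete, here is an added example (not code from the original post) in Python. It implements the challenge/verify step of authentication with a salted, iterated password hash, then answers the three authorization questions above against a small role-based policy. The user store, the roles, the resource names and the policy are all constructed for this illustration and are assumptions, not part of the post.

```python
import hashlib
import hmac
import os

# Password-hashing parameters (assumption: PBKDF2-HMAC-SHA256, 100k iterations).
# Only the derived hash and a per-user salt are stored, never the password itself.
ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt), "role": role}


# Constructed sample user store: two accounts with different roles.
USERS = {
    "alice": make_record("correct horse battery staple", "admin"),
    "bob": make_record("hunter2", "guest"),
}

# Constructed authorization policy: role -> {resource: set of permitted operations}.
POLICY = {
    "admin": {"payroll.db": {"read", "write"}, "public.html": {"read", "write"}},
    "guest": {"public.html": {"read"}},
}

# Dummy salt so an unknown username costs the same work as a known one.
_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str):
    """Authentication: challenge the caller for the secret and verify it.

    Returns the username on success, None on failure. The hash is always
    computed and compared in constant time so the failure path does not
    leak whether the account exists.
    """
    rec = USERS.get(username)
    salt = rec["salt"] if rec else _DUMMY_SALT
    candidate = derive(password, salt)
    if rec is not None and hmac.compare_digest(candidate, rec["hash"]):
        return username
    return None


def _permissions(username: str) -> dict:
    rec = USERS.get(username)
    return POLICY.get(rec["role"], {}) if rec else {}


# The three authorization questions from the text, as predicates.
def can_access_resource(username: str, resource: str) -> bool:
    """Is the user authorized to access resource R (any operation at all)?"""
    return bool(_permissions(username).get(resource))


def can_perform_operation(username: str, operation: str) -> bool:
    """Is the user authorized to perform operation P (on any resource)?"""
    return any(operation in ops for ops in _permissions(username).values())


def authorize(username: str, operation: str, resource: str) -> bool:
    """Is the user authorized to perform operation P on resource R?"""
    return operation in _permissions(username).get(resource, set())


def access(username: str, password: str, operation: str, resource: str) -> str:
    """The coupling: authorization is only evaluated for an authenticated principal."""
    principal = authenticate(username, password)
    if principal is None:
        return "authentication failed"
    if not authorize(principal, operation, resource):
        return "authorization denied"
    return "ok"


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "write", "payroll.db"))  # ok
    print(access("bob", "hunter2", "write", "public.html"))  # authorization denied
    print(access("bob", "wrong password", "read", "public.html"))  # authentication failed
```

Note that `access()` returns a distinct result for each failure so the example is easy to follow; a production login path would normally report a single generic failure to the caller and keep the distinction only in its own logs.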