The AAA model stands for authentication, authorization and accounting. In reality there are four steps, not three: identification comes before authentication. In order to access data or resources, users must first be identified and then authenticated.
Identification: by name or username
If someone needs to enter a restricted area of a private or public place, the guard or receptionist asks the first question: "Who are you?" or "May I know with whom I am talking?" and so on. All these questions mean "identify yourself".
What the receptionist is asking the visitor for is his identity. When the visitor replies by introducing himself (for example, "I am Mr. X") or by saying his name, he is identifying himself to the receptionist. This is the identification process.
Logging on to a computer also needs identification. The identification is done when the employee types his username to log in. Whether or not the username exists in Active Directory or in the SAM database, that person is identifying himself to the system. If the system recognizes the name, it moves on to the next step, which is authentication. If the system does not recognize the name, it cannot move to the next step, and the employee is denied access.
Authentication is proving the identity
Sometimes the receptionist asks the visitor to show his identity card, his driving license or another ID card with a photo. In other words, the receptionist is asking the visitor: "Can I see an ID that proves you are Mr. X?" This process is called authentication. The receptionist asks Mr. John to authenticate himself by showing an ID card; Mr. John authenticates himself by handing the receptionist his ID card.
Now let's talk about a user logging in to a system. The user first enters his username, and the system he is accessing looks in its database for a record of that username. What happened here is that the user identified himself to the system; if the system finds that the user is not among the registered, allowed users, it rejects the access.
Now let's say the username does exist in the list of users. Before allowing access, the system asks the user, in effect, "Can you prove your identity? Can you prove that you are the person you claim to be?" Here the user must authenticate himself. One type of authentication is the password. The system already has the password for this user in its database (or a hash of this password; we can talk about that later). If the user enters the correct password, meaning the password that the system holds for this username, then authentication succeeds and the user is allowed access. The system concludes that this user is not lying about his identity because he entered the correct password. If the user does not enter the correct password, the system concludes that this user may not be the person he claims to be.
Because each company follows the same standard for writing usernames, employees can work out each other's usernames. One common standard is the first letter of the given name followed by the family name. Another common standard is firstname.lastname, and so on.
So an employee can easily guess the username of any other employee. A user could therefore identify himself to the system as the general manager (by typing the general manager's username), but the system will ask this fake general manager to prove his identity: he must enter the general manager's password. That password is held and known only by the general manager. As the bad employee does not have the right password, authentication fails, and he is blocked from accessing the system.
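The two-step login described above (look the claimed username up, then check the password against a stored hash) and the general-manager scenario, as an added example that is not part of the original post. The user store, the usernames `jsmith` and `gmanager`, and the `login` function are constructed for illustration and stand in for the Active Directory or SAM database the post mentions. The code keeps the two failure reasons apart internally for logging, but shows the same message to the person at the keyboard so that a failed attempt does not reveal which usernames exist.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample user store: username -> (salt, PBKDF2-SHA256 hash).
# The system stores a hash of the password, never the password itself.
_ITERATIONS = 200_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive the value that is stored and later compared."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def register(store: dict, username: str, password: str) -> None:
    """Enrol a user: store a fresh random salt and the derived hash."""
    salt = os.urandom(16)
    store[username] = (salt, _hash_password(password, salt))


def identify(store: dict, username: str) -> Optional[tuple]:
    """Step 1, identification: look the claimed name up. Returns the record or None."""
    return store.get(username)


def authenticate(record: tuple, password: str) -> bool:
    """Step 2, authentication: prove the claim by matching the password to the stored hash."""
    salt, stored_hash = record
    # Constant-time comparison so response timing does not reveal how many bytes matched.
    return hmac.compare_digest(_hash_password(password, salt), stored_hash)


def login(store: dict, username: str, password: str) -> tuple:
    """Run identification, then authentication.

    Returns (granted, internal_reason, user_facing_message). The internal reason
    distinguishes the two steps for the audit log; the user-facing message does
    not, so the caller cannot learn whether a username exists.
    """
    generic = "Invalid username or password"
    record = identify(store, username)
    if record is None:
        return (False, "identification failed: unknown username", generic)
    if not authenticate(record, password):
        return (False, "authentication failed: wrong password", generic)
    return (True, "authenticated", "Welcome")


def demo() -> dict:
    """Constructed scenario: a regular user and the general manager are enrolled."""
    store = {}
    register(store, "jsmith", "correct horse battery staple")
    register(store, "gmanager", "only the general manager knows this")
    return {
        # Name not in the directory: rejected at the identification step.
        "unknown_user": login(store, "nobody", "anything"),
        # The bad employee types the general manager's username but not his password.
        "fake_manager": login(store, "gmanager", "guess"),
        # The real general manager proves his identity.
        "real_manager": login(store, "gmanager", "only the general manager knows this"),
    }


if __name__ == "__main__":
    for case, (granted, reason, shown) in demo().items():
        print(f"{case}: granted={granted}  log='{reason}'  shown='{shown}'")
```

Running the block prints the three cases; note that the two failures carry different reasons in the log entry but the same text for the person who typed them.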