Security Concepts: Difference between revisions
Revision as of 21:11, 12 May 2022
Internal
Identity
The identity could be that of a human using the computer and running programs, or of an automation system. In the first case we qualify the identity as "end-user" or "user" identity; in the second case we use the terms "system account" or "service account" identity. The identity can be proven by a certificate or by other means, such as presenting a password.
Established Identity
Desired Identity
End User Identity
A human user.
Service Account Identity
System Account Identity
Trust
A claimed identity is useless if it is not trusted by the party.
Zero-to-One and the First Key Problem
There is always a moment in the process of establishing trust when the entity that seeks attestation cannot present any trusted certificate yet, because it does not have one. This is the zero-to-one problem. Usually, the entity presents some sort of hardware identity, also referred to as platform identity, which can in principle be verified against an inventory (for example, the list of serial numbers and device keys the manufacturer handed over with the hardware). Once the hardware identity checks out, the verifier issues the first credential, and every later step can rely on that credential instead of the raw hardware identity.
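The bootstrap described above, as an added example that is not part of the original page. The code models both sides of the exchange: the device proves possession of a factory-provisioned hardware secret over a fresh challenge, the verifier checks that proof against its inventory, and only then issues the first credential (the "one"). The inventory, serial numbers, the per-device secrets and the CA key are all constructed for the example; the hardware identity is simplified to a symmetric per-device secret (a real platform identity would be an asymmetric endorsement key), but the decisions the verifier has to make are the same.

```python
"""Zero-to-one enrollment against a hardware inventory (added example)."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical CA signing key; in practice this lives in an HSM.
CA_KEY = bytes.fromhex("c0ffee" * 8)


def fresh_inventory() -> dict:
    """Constructed inventory from the manufacturer: serial -> per-device secret.

    The 'enrolled' flag records whether the hardware identity has already been
    exchanged for a first credential, so it cannot be used to enroll twice.
    """
    return {
        "SN-0001": {"secret": "0f" * 32, "enrolled": False},
        "SN-0002": {"secret": "a5" * 32, "enrolled": False},
    }


def issue_challenge() -> bytes:
    """Fresh nonce per attempt so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def device_respond(serial: str, device_secret: bytes, nonce: bytes) -> dict:
    """Device side: prove possession of the hardware secret over the nonce."""
    proof = hmac.new(device_secret, serial.encode() + nonce, hashlib.sha256).hexdigest()
    return {"serial": serial, "nonce": nonce.hex(), "proof": proof}


def enroll(response: dict, expected_nonce: bytes, inventory: dict) -> Optional[dict]:
    """Verifier side: inventory lookup, proof check, then the first credential."""
    entry = inventory.get(response["serial"])
    if entry is None:
        return None  # hardware we never purchased: refuse
    if entry["enrolled"]:
        return None  # hardware identity already consumed: refuse re-enrollment
    if not hmac.compare_digest(response["nonce"], expected_nonce.hex()):
        return None  # answer to some other challenge (replay)
    expected = hmac.new(bytes.fromhex(entry["secret"]),
                        response["serial"].encode() + expected_nonce,
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response["proof"]):
        return None  # does not hold the secret recorded in the inventory
    entry["enrolled"] = True
    # The "one": a credential signed by the bootstrap CA that the device
    # presents from now on instead of its raw hardware identity.
    body = {"subject": response["serial"], "issuer": "bootstrap-ca",
            "issued": int(time.time())}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"cert": body, "sig": hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()}


def verify_credential(cred: dict) -> bool:
    """Relying parties check the CA signature, never the inventory again."""
    payload = json.dumps(cred["cert"], sort_keys=True).encode()
    expected = hmac.new(CA_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["sig"])


def run_enrollment(serial: str, device_secret: bytes, inventory: dict) -> Optional[dict]:
    """Full exchange: challenge, device response, verification, issuance."""
    nonce = issue_challenge()
    return enroll(device_respond(serial, device_secret, nonce), nonce, inventory)


if __name__ == "__main__":
    inv = fresh_inventory()
    print(run_enrollment("SN-0001", bytes.fromhex("0f" * 32), inv))
    print(run_enrollment("SN-0001", bytes.fromhex("0f" * 32), inv))  # None: already enrolled
```

The inventory is consulted exactly once per device; after issuance the relying parties only verify the CA signature, which is what turns the one-off hardware check into a credential that scales.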
Public Key Cryptography
Public key cryptography, also known as asymmetric cryptography
Public Key
Private Key
Key Residency Attestation
Certificate
Certificates are used to prove identities.
Certificate Authority
Certificate Signing Request (CSR)
Authentication
Authentication is the process of identifying a subject and verifying the authenticity of the identification information.
The most common authentication mechanism is username/password. Other mechanisms are available: public key, shared key, smart cards, etc.
In the context of JEE declarative security, the result of a successful authentication is called a principal.
Related subjects: Basic and Digest HTTP Authentication.
Authorization
Authorization is the mechanism for granting or denying access to a resource based on identity.
In JEE, this is usually implemented by mapping a principal to one or more roles, where a role is a named set of actions its holders are allowed to perform.
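The two steps above, authentication producing a principal and authorization checking that principal against roles, as an added example that is not part of the original page and not JEE code. The user names, passwords, role names and permission strings are constructed for the example; passwords are stored as salted PBKDF2 digests, and the check is written so that an unknown user costs the same time as a wrong password.

```python
"""Authentication yields a principal; authorization maps principal -> roles -> actions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest; the salt is stored next to the digest."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(plaintext_users: dict) -> dict:
    """Constructed credential store: username -> (salt, digest). Plaintext is never kept."""
    return {user: hash_password(pw) for user, pw in plaintext_users.items()}


@dataclass(frozen=True)
class Principal:
    """Result of a successful authentication."""
    name: str
    kind: str  # "user" for an end-user identity, "service" for a service account


# Digest used when the username is unknown, so the verifier still does the
# full PBKDF2 computation and the response time does not reveal valid names.
_DUMMY = hash_password("dummy", b"\0" * 16)


def authenticate(username: str, password: str, users: dict) -> Optional[Principal]:
    """Verify the identification information; return a Principal or None."""
    record = users.get(username)
    salt, digest = record if record is not None else _DUMMY
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    if record is None or not hmac.compare_digest(candidate, digest):
        return None
    return Principal(username, "user")


# Constructed role model: a role is a named set of permitted actions, and a
# principal holds zero or more roles.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "user:manage"},
}
PRINCIPAL_ROLES = {
    "alice": {"editor"},
    "bob": {"viewer"},
    "deploy-bot": {"admin"},
}


def roles_of(principal: Principal) -> set:
    return PRINCIPAL_ROLES.get(principal.name, set())


def is_authorized(principal: Optional[Principal], action: str) -> bool:
    """Grant only if some role held by the principal permits the action."""
    if principal is None:
        return False  # unauthenticated requests are denied outright
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles_of(principal))


if __name__ == "__main__":
    store = make_user_store({"alice": "correct horse battery staple", "bob": "hunter2"})
    alice = authenticate("alice", "correct horse battery staple", store)
    print(alice, is_authorized(alice, "report:write"), is_authorized(alice, "user:manage"))
```

Authentication and authorization stay separate functions on purpose: the first answers "who is this?" and the second "may this principal do that?", and the role mapping can change without touching the credential check.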
Encryption
TODO https://home.feodorov.com:9443/wiki/Wiki.jsp?page=CryptographicAlgorithms#EncryptionAndDecryption
SSL/TLS
SSO
TODO https://home.feodorov.com:9443/wiki/Wiki.jsp?page=SingleSign-On
LDAP
TODO https://home.feodorov.com:9443/wiki/Wiki.jsp?page=LDAP
Security Protocols
Authentication Protocols
Authorization Delegation Protocols
Others
To Process
Identity Federation and Single Sign-On are related concepts.
Single Sign-On (SSO) systems allow a single user authentication process across multiple IT systems and organizations. SSO is a subset of federated identity management, as it relates only to authentication and technical interoperability.
A user's presence in the system means that the user identity is associated with the thread processing the user's request; in a sense, it is the user that "drives" the thread. The identity is attached to the thread in the form of a security context, which is established when the request is authenticated and must be cleared when the request finishes, because a pooled thread goes on to serve other requests.
Authentication. The purpose of an authentication protocol is to establish whether the user is present in the system, that is, whether a verified identity can be attached to the thread handling the current request.
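The thread-bound security context described above, as an added example that is not part of the original page. It binds a principal to the thread for the duration of a request and clears it afterwards, then contrasts that with a handler that only sets the context on successful authentication and never clears it: on a pooled thread, the next anonymous request inherits the previous caller's identity. Principal names and the actions are constructed; the context is a plain `threading.local`, not any framework's API.

```python
"""Security context bound to the request-processing thread (added example)."""
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Optional

# One slot per thread; a thread serving a request reads only its own slot.
_context = threading.local()


def current_principal() -> Optional[str]:
    """Identity attached to the calling thread, or None if nobody is present."""
    return getattr(_context, "principal", None)


def user_present() -> bool:
    """The question an authentication protocol answers for this thread."""
    return current_principal() is not None


def privileged_action() -> str:
    """Something that must only run when a user is present."""
    if not user_present():
        raise PermissionError("no authenticated user on this thread")
    return f"done as {current_principal()}"


def handle_request(principal: Optional[str], action: Callable[[], object]):
    """Correct handler: bind the identity for this request, clear it on exit."""
    _context.principal = principal
    try:
        return action()
    finally:
        _context.principal = None  # the thread will serve someone else next


def leaky_handle_request(principal: Optional[str], action: Callable[[], object]):
    """Anti-pattern: set the context only when authenticated, never clear it."""
    if principal is not None:
        _context.principal = principal
    return action()


def demo_safe() -> tuple:
    """Two requests on the same pooled thread: the second sees no identity."""
    with ThreadPoolExecutor(max_workers=1) as pool:
        first = pool.submit(handle_request, "alice", privileged_action).result()
        second = pool.submit(handle_request, None, current_principal).result()
    return first, second  # ("done as alice", None)


def demo_leak() -> Optional[str]:
    """Same two requests through the leaky handler: the anonymous caller is 'alice'."""
    with ThreadPoolExecutor(max_workers=1) as pool:
        pool.submit(leaky_handle_request, "alice", privileged_action).result()
        return pool.submit(leaky_handle_request, None, current_principal).result()


def anonymous_is_refused() -> bool:
    """With the correct handler an anonymous request cannot run the privileged action."""
    with ThreadPoolExecutor(max_workers=1) as pool:
        try:
            pool.submit(handle_request, None, privileged_action).result()
            return False
        except PermissionError:
            return True


if __name__ == "__main__":
    print(demo_safe())
    print(demo_leak())
    print(anonymous_is_refused())
```

The pool is limited to one worker so the reuse is deterministic; with a larger pool the leak still happens, it just depends on which thread picks up the anonymous request, which is exactly why such bugs surface only intermittently.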
Identity Provider (IdP) and Relying Party (RP).
Authentication protocols, single sign-on, SAML.
Authorization.