The difference between the concepts of identification, authorization, authentication and permission control

1. Identification

Identification refers to confirming that a claimant is who they say they are, based on the claimant's unique identifying information. It corresponds to the English word identification.

The most common method of identification is a username and password, but it is by no means the only one. Commonly used identification technologies today include:

  • ID card
  • Username and password
  • The user's mobile phone: SMS verification code, QR code scanning, gesture password
  • The user's e-mail address
  • Time-based one-time passwords bound to the user
  • The user's biometric characteristics: fingerprint, voice, iris
  • Identification of the user from large-scale behavioural data
  • and so on

To confirm the user's identity and resist forgery, scenarios with high security requirements often use combined identification, better known as multi-factor authentication (MFA): several of the methods above are applied together to verify the same identity.

2. Authorization

Simply put, authorization generally means obtaining the permissions delegated by the user. It corresponds to the English word authorization.

In information security, authorization means that the owner of a resource appoints an executor and grants that executor a specified range of operation permissions on the resource, so that the executor can operate on the resource. Four concepts are involved:

  • Resource owner: holds all rights to the resource; usually the party to whom the resource belongs.
  • Resource executor: the party delegated to perform operations on the resource.
  • Operation permissions: the particular operations that may be performed on the resource.
  • Resource: the valuable information, data or other asset that is being protected.

Note that resource owners and executors can be natural persons, that is, ordinary users, but are not limited to them. In information security they are often applications or machines. For example, when a user logs in to a website in a browser, the browser becomes an executor: after the login it holds the user's authorization and carries out operations on the user's behalf, such as shopping, placing orders, paying and transferring money.

The resource owner and the executor may be separate entities or one and the same. When they are separate, the executor acts as an agent of the owner.

Authorization is implemented in many ways. Everyday bank cards, access cards, keys and notarized certificates are all real-world authorization mechanisms. What they share is a trust medium: something that cannot be tampered with or forged at will and that, in many cases, must itself be protected against theft.

In Internet application development, the trust media used for authorization are mainly the following:

  • The web server's session mechanism: an access session holds the user's authorization information.
  • The browser's cookie mechanism: a site's cookie holds the user's authorization information.
  • An issued authorization token: a legitimate, valid token holds the user's authorization information.

The first two are common in web development and depend on browser support. Note that a session ID or token carried in a cookie is a bearer credential: whoever presents it is treated as the authorized executor, so it needs the same theft protection as the physical media above (for cookies, the Secure and HttpOnly attributes; for all three, short lifetimes and transport over TLS).

3. Authentication

Authentication refers to the process of examining and confirming the genuineness of the rights a claimant asserts. It corresponds to the English word authentication.

Authentication mainly verifies whether the claimant's assertion is genuine. It is easiest to understand starting from authorization: authorization and authentication are a matched upstream and downstream pair. Authorization comes first, authentication afterwards. The "right" in both words is the same thing, the delegated right, which in an implementation takes the form of the trust medium.

Consequently, each authentication method corresponds one-to-one with an authorization method: it examines the trust medium issued by the authorizing party and confirms that it is genuine. Some authentication methods:

  • Access card: via the card reader
  • Key: via the matching lock
  • Bank card: via the bank card reader
  • Session/cookie/token in web development: verify that the session, cookie or token is legitimate and still valid

Authentication is the link between what comes before and after: upstream it receives the output of authorization, verifies that it is genuine, and from it derives the permissions that the next step, permission control, will act on.

4. Permission control

Permission control means configuring combinations of executable operations as a permission list and then, for each operation an executor attempts, allowing it if it falls within the executor's permissions and denying it otherwise. It corresponds to the English terms access control or permission control.

Permission control can be understood in two parts: permissions and control. A permission is an abstract logical concept; control is the concrete implementation.

Permissions first. A permission is an abstract concept, normally predefined and configured so that control can be implemented concretely. In the simplest definition a permission maps directly onto a set of executable operations. More commonly, permissions are defined in terms of roles, and a role encapsulates a set of executable operations.

Taking access cards as the example, the two ways of defining permissions read:

  • This access card has permission to open every door in the company.
  • This access card has the administrator role, so it can open every door in the company.

Permissions, as an abstraction, thus decouple the executor from the specific operations it can perform.

In the discussion above, the output of authentication is a set of permissions. Once the permissions are known, and with them the operations that may be performed, the next step is control.

Control uses the executor's permissions to judge the operation the executor attempts and decides whether to allow or deny it. Real-world examples of control:

  • Access control: controls whether the door opens
  • Bicycle lock: controls whether the wheel turns
  • Internet web backend service: controls access to interfaces, allowing or denying each request

5. The relationship between identification, authorization, authentication and permission control

The four links, identification, authorization, authentication and permission control, form a sequence, an upstream-to-downstream chain.

Identification --> Authorization --> Authentication --> Permission control

Note that the four links sometimes happen at almost the same moment. For example:

  • Opening a door with an access card: identification, authorization, authentication and permission control are completed in one go, in an instant.
  • Logging in to a website: when the user logs in with a username and password, identification and authorization are completed together; authentication and permission control happen on each subsequent request, such as selecting an item or making a payment.

In every case, though, the four links occur one after another in time.
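The following is an added example, not code from the original article, that puts sections 2 to 5 into one small web-backend flow: identification by username and password, authorization by issuing a signed token as the trust medium, authentication by checking the token's signature (legitimacy) and expiry (validity), and permission control by a role table. The user store, the token format (a constructed HMAC-signed token, not a standard such as JWT), the role table and the operation names are all assumptions made for illustration.

```python
# Added example (not from the original article): the four links of the article,
# identification -> authorization -> authentication -> permission control,
# as one small web-backend flow. User store, token format, role table and
# operation names are constructed for illustration.
import base64
import hashlib
import hmac
import json
import os
import secrets
import time


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


# ---- 1. Identification: confirm who the claimant is (username + password) ----
def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are stored as salted PBKDF2 hashes, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-demo-salt"  # a real system uses a random salt per user
USERS = {  # constructed user store
    "alice": {"pw": _hash_password("correct horse", _SALT), "role": "admin"},
    "bob": {"pw": _hash_password("battery staple", _SALT), "role": "customer"},
}


def identify(username: str, password: str):
    """Return the user's role if the identity claim is genuine, else None."""
    user = USERS.get(username)
    if user is None:
        return None
    # compare_digest does not leak through timing how many bytes matched
    if not hmac.compare_digest(user["pw"], _hash_password(password, _SALT)):
        return None
    return user["role"]


# ---- 2. Authorization: issue the trust medium (an HMAC-signed token) ----
SECRET = os.urandom(32)  # server-side key; the medium cannot be forged without it


def issue_token(username: str, role: str, ttl_seconds: int = 900, now=None) -> str:
    now = time.time() if now is None else now
    claims = {"sub": username, "role": role, "exp": now + ttl_seconds,
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


# ---- 3. Authentication: check legality (signature) and validity (expiry) ----
def authenticate(token: str, now=None):
    """Return the token's claims if it is genuine and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().split(b".")
        presented = _unb64(sig)
    except ValueError:  # malformed medium (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None  # forged or tampered: not legitimate
    claims = json.loads(_unb64(body))  # parse only after the signature check
    if claims["exp"] < now:
        return None  # legitimate but no longer valid
    return claims


# ---- 4. Permission control: roles encapsulate operation sets; allow or deny ----
ROLE_PERMISSIONS = {  # constructed role table (the role-based definition style)
    "admin": {"browse", "order", "pay", "transfer", "refund"},
    "customer": {"browse", "order", "pay"},
}


def is_allowed(claims: dict, operation: str) -> bool:
    return operation in ROLE_PERMISSIONS.get(claims.get("role"), set())


def login(username: str, password: str):
    """Login request: identification and authorization happen together."""
    role = identify(username, password)
    return None if role is None else issue_token(username, role)


def handle_request(token: str, operation: str, now=None) -> str:
    """Every later request: authentication first, then permission control."""
    claims = authenticate(token, now)
    if claims is None:
        return "401 not authenticated"
    if not is_allowed(claims, operation):
        return "403 forbidden"
    return f"200 {claims['sub']} performed {operation}"


if __name__ == "__main__":
    token = login("bob", "battery staple")
    print(handle_request(token, "pay"))      # allowed for a customer
    print(handle_request(token, "refund"))   # denied: not in the customer role
    body, sig = token.split(".")
    print(handle_request(body + "x." + sig, "pay"))  # tampered body: rejected
```

Two points the code makes concrete: the signature check in authenticate happens before the claims are even parsed, because an unverified body is untrusted input, and a token that verifies but has expired is rejected as well, which is the "legitimate and valid" pair from section 3. The token is a bearer credential in the sense of section 2, so in a real deployment it would travel only over TLS and, if stored in a cookie, with the Secure and HttpOnly attributes set.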

6. The relationship between identification and authentication

These two concepts are frequently confused. The main reason, as noted above, is that identification, authorization, authentication and permission control often happen together, so identification is mistaken for authentication and vice versa.

They are in fact different concepts. Both involve confirming an identity, but the main difference is:

  • Identification confirms the identity of the claimant and sits upstream of authorization.
  • Authentication confirms the genuineness of the claimant's assertion, that is, of the trust medium it presents, and sits downstream of authorization.

7. Summary

The four concepts discussed in this article are summarized in the table below.

Concept            | Definition                                                                                                                                | English                   | Method of implementation
-------------------|-------------------------------------------------------------------------------------------------------------------------------------------|---------------------------|------------------------------------------------------------------------------------------------------
Identification     | Confirm the identity of the claimant                                                                                                      | identification            | Based on the claimant's unique identifying information
Authorization      | Obtain the permissions delegated by the user                                                                                              | authorization             | Issue a trust medium that cannot be tampered with or forged and is protected against theft
Authentication     | Confirm the genuineness of the permissions the claimant asserts                                                                           | authentication            | Corresponds one-to-one with authorization: examine the trust medium and confirm it is legitimate and valid
Permission control | Permission is an abstract concept that defines and configures executable operations; control is the concrete mechanism that allows or denies them | access/permission control | Many methods, depending on the situation

Source: blog.csdn.net/Amelie123/article/details/125362070