Important Security Terminology
There are four main concepts of data security. They are pervasive throughout different models and serve as a basis for constructing a secure system. These concepts are authentication, authorization, integrity, and encryption.
Authentication is verifying who you are. There are numerous ways to implement authentication; each has pros and cons. The most widely implemented authentication mechanism is by password. Various other authentication mechanisms are as follows:
Digital Certificate, such as those used in the X.509 format. This is when a message is encrypted with a private key. The message can be decrypted by a public key and validated against a certificate of authority. Unfortunately, the private key is usually protected by a symmetrically encrypted key, specifically, a password.
Hardware token, such as SecurID. The hardware token generates a random number at a specified time interval using a proprietary algorithm. This number is synchronized with an authenticating server, and combined with a personal PIN composed of alphanumeric characters. The randomly generated number expires after the next number is generated preventing its reuse.
Biometric Technologies such as voice pattern recognition, Iris/Retina scanning, and fingerprinting are the new wave of authentication technologies. Problems such as losing or forgetting your hardware token, password, or digital certificate become a thing of the past.
Authorization is granting or denying access to a service based on who you say you are. Authorization is often tightly integrated with authentication, and thus often confused with authentication. Authorization depends on being able to authenticate an identity, but checks that identity against an access control list to grant or deny access.
The access control list can be stored in a configuration in a file, in non-volatile RAM, or in a distributed database such as LDAP, Active Directory, or NetWare Directory Services.
Integrity is the process of validating that the data provided by an authenticated source has not been changed. This is often done by running an algorithm over a set of selected data to produce a hash or message digest. This value is then protected by encrypting it and attaching it to the original data. The process of computing the hash, encrypting it, and attaching it to the original data is called digitally signing data.
To validate that the integrity has not been compromised, a new hash or message digest is computed and compared to the decrypted value. If they match, there is no way the data could have been modified without the key used to protect the data originally. Theoretically, only the original person/company would have access to that key. This allows you to validate the digital signature on the data.
Encryption is the process of transforming the data so that the original meaning remains confidential. Often the unprocessed data is called clear text, and the processed data is called cipher text. The reverse of encrypting a message is decryption, transforming a processed set of data back to its original clear text form. The value used in the transformation process is known as the encryption key.