Authentication vs Authorization - Shon Harris book

TheFORCE Member Posts: 2,297
In the AIO 6th edition of the Shon Harris book, page 203, in the paragraph about Authorization, there seems to be an error. The paragraph ends with "Access criteria are the crux of authentication"; shouldn't the word "authentication" actually be "authorization"? Or am I missing something here?

Comments

  • OfWolfAndMan Member Posts: 923
    In the Infosec world, those words are two different things.

    Authentication: Who are you, and how can you prove you're that person? (Username/Password, PKI, or other forms of authentication)
    Authorization: What do you have access to as that user (i.e. customer = minimal rights, sys admin = access to remote desktop and remote server administration, network admin = access to network equipment, firewalls, load balancers)?
    Reading: Lab Books, Ansible Documentation, Python Cookbook. 2018 Goals: More Ansible/Python work for Automation, IPSpace Automation Course [X], Build Jenkins Framework for Network Automation []
  • voodoo26 Member Posts: 56
    Authentication is the validation of the identity that the user claims.
    Authorization is the access rights and resources that the user is allowed to access and use.
    2014 Goals: CISSP Passed, 2015 Goals: CISM June
  • TheFORCE Member Posts: 2,297
    I understand what authorization and authentication are; my issue is with the sentence "Access criteria are the crux of authentication", where I think it should be "Access criteria are the crux of authorization" instead. Correct?
  • broli720 Member Posts: 394
    I see where you may have issues with this. Definitely a tricky sentence.
  • aftereffector Member Posts: 525
    I think you're right. Authorization makes more sense in that sentence.
    CCIE Security - this one might take a while...
  • 5502george Member Posts: 264
    Access criteria can be used for both...So yes and no. ;)
  • TheFORCE Member Posts: 2,297
    5502george wrote: »
    Access criteria can be used for both...So yes and no. ;)

    How can access criteria be used for both? In order to access something, you need to be authenticated first. Also, just because you are authenticated to something, that does not automatically give you authorization, aka access permissions, to every resource in a system. Besides that, the entire paragraph is about authorization, but the last sentence ends with authentication. I believe that might be an error in the book.
  • Spin Lock Member Posts: 142
    TheFORCE wrote: »
    "Access criteria are the crux of authentication" shouldn't the word "authentication" actually be "authorization"? Or am i missing something here?

    No, you're not missing anything. I think you correctly caught a typo/error in AIO. Access criteria are exclusively related to authorization. I'm trying to think of a scenario where access criteria could be used during the authentication process, but I can't think of one, nor could I find any information that describes such a link.
  • Cyberscum Member Posts: 795
    TheFORCE wrote: »
    How can access criteria be used for both? In order to access something, you need to be authenticated first. Also, just because you are authenticated to something, that automatically does not give you authorization aka access permissions to every resource in a system. Besides that, the entire paragraph is about authorization but the last sentence ends with authentication. I believe that might be an error in the book.

    An NFC token can be used for access control and can also be used for authentication.
  • 5502george Member Posts: 264
    ^Location is an access criterion and can also be used to authenticate.
  • Spin Lock Member Posts: 142
    5502george wrote: »
    ^Location is an access criterion and can also be used to authenticate.

    Ah, yes. That makes sense. Thanks for pointing this out.

    This is why I like folks posting technical questions on this forum - the discussions make you think in ways you might not have otherwise considered.
  • 5502george Member Posts: 264
    Spin Lock wrote: »
    Ah, yes. That makes sense. Thanks for pointing this out.

    This is why I like folks posting technical questions on this forum - the discussions make you think in ways you might not have otherwise considered.

    I agree, but I think people studying for the test might get confused reading contradicting info. But there are always some interesting perspectives out there.

    theFORCE: For the test the lines are very defined. In real life, and basically anything in IT, the lines are always blurred at best.
  • TheFORCE Member Posts: 2,297
    Cyberscum wrote: »
    An NFC token can be used for access control and can also be used for authentication.
    Location is an access criterion, but it is not used for authentication. If there is an environment that uses location to authenticate, then that environment is not very secure.
  • Cyberscum Member Posts: 795
    ^^Here is something you can read, and a "real world example" of how to implement BOTH authorization and authentication with one access criterion.

    http://www.atgi.com/dist/Implementing%20Smart%20Card%20Authentication%20and%20Authorization%20with%20ASP.NET.pdf

    ...As far as your comment, well... try learning about location-based authentication before saying it's not secure.
  • JDMurray Admin Posts: 13,023
    Authentication is the verification of claimed identity factors, which are:

    1. Something you know (e.g., password, PIN, pattern)
    2. Something you have (e.g., badge, key, smartphone)
    3. Something you are (e.g., biometrics)
    4. Something you do (e.g., speaking, typing, handwriting, walking gait)
    5. Someplace you are (e.g., logging in from a specific terminal or GPS coordinates)

    Once the identification credentials are verified to be authentic, authorization assigns access privileges to the identity based on:

    1. The user's preferences (Discretionary Access Control)
    2. The administrator's preferences (Mandatory Access Control)
    3. The user's group preferences (Role Based Access Control)
    4. Other access control factors (e.g., time of day, physical location)
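The two-step flow the thread has been circling (verify the claimed identity first, then apply access criteria to the verified identity) is easier to see in code than in prose. The block below is an added example written for this page; it is not from the thread, the Shon Harris book, or the linked ATGI paper. The users, passwords, networks and policy rules are constructed sample data. It follows the list in the post above: the "someplace you are" factor is checked during authentication, while role (RBAC), time of day and location are evaluated as access criteria during authorization, so the same fact (the source network) appears in both steps, which is the point 5502george and Cyberscum were making.

```python
"""Authentication vs authorization as two separate steps (added example, constructed data)."""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import time

PBKDF2_ROUNDS = 100_000
_DUMMY_SALT = b"\x00" * 16  # used so unknown users cost the same as known ones


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: frozenset[str]
    # "Someplace you are" authentication factor: networks this account may log in from.
    login_networks: tuple[ipaddress.IPv4Network, ...]


def _make_user(name: str, password: str, roles: set[str], nets: tuple[str, ...]) -> User:
    salt = secrets.token_bytes(16)
    return User(name, salt, _hash_password(password, salt), frozenset(roles),
                tuple(ipaddress.ip_network(n) for n in nets))


# Constructed sample accounts; the passwords are illustrative, not real credentials.
USERS = {
    "alice": _make_user("alice", "correct horse battery staple", {"customer"}, ("0.0.0.0/0",)),
    "bob": _make_user("bob", "Tr0ub4dor&3-but-longer", {"sysadmin"}, ("10.0.0.0/8",)),
}


def authenticate(username: str, password: str, source_ip: str) -> User | None:
    """Step 1: verify the claimed identity. Returns the User on success, None otherwise."""
    user = USERS.get(username)
    # Something you know: always run the KDF so timing does not reveal whether the account exists.
    candidate = _hash_password(password, user.salt if user else _DUMMY_SALT)
    if user is None or not hmac.compare_digest(candidate, user.pw_hash):
        return None
    # Someplace you are: the login must come from one of the account's registered networks.
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in user.login_networks):
        return None
    return user


@dataclass(frozen=True)
class Rule:
    resource: str
    role: str                                        # RBAC criterion
    hours: tuple[str, str] = ("00:00", "23:59:59")   # time-of-day criterion (inclusive, HH:MM)
    networks: tuple[str, ...] = ("0.0.0.0/0",)       # location criterion


# Constructed policy: which role may touch which resource, when, and from where.
POLICY = [
    Rule("order-history", "customer"),
    Rule("rdp:fileserver", "sysadmin", ("07:00", "19:00"), ("10.0.0.0/8",)),
    Rule("firewall-console", "netadmin", networks=("10.1.1.0/24",)),
]


def authorize(user: User, resource: str, clock: str, source_ip: str) -> bool:
    """Step 2: apply the access criteria to an already-verified identity. Default deny."""
    now = time.fromisoformat(clock)
    addr = ipaddress.ip_address(source_ip)
    for rule in POLICY:
        if rule.resource != resource or rule.role not in user.roles:
            continue  # different resource, or the user lacks the required role
        start, end = (time.fromisoformat(h) for h in rule.hours)
        if not start <= now <= end:
            continue  # outside the allowed time window
        if not any(addr in ipaddress.ip_network(n) for n in rule.networks):
            continue  # wrong location for this resource
        return True
    return False  # no rule matched


def request(username: str, password: str, resource: str, source_ip: str, clock: str) -> str:
    """Full flow: authentication must succeed before authorization is even consulted."""
    user = authenticate(username, password, source_ip)
    if user is None:
        return "authentication failed"
    if not authorize(user, resource, clock, source_ip):
        return "authenticated but not authorized"
    return "granted"


if __name__ == "__main__":
    print(request("bob", "Tr0ub4dor&3-but-longer", "rdp:fileserver", "10.2.3.4", "10:00"))
    print(request("bob", "Tr0ub4dor&3-but-longer", "rdp:fileserver", "10.2.3.4", "22:30"))
    print(request("bob", "Tr0ub4dor&3-but-longer", "rdp:fileserver", "192.168.1.5", "10:00"))
```

Note the asymmetry the thread settled on: a failed location check in `authenticate` means the identity was never established, while a failed location check in `authorize` means a known, verified user is simply not permitted that resource from there. Both use the source address, but they answer different questions, which is why a text on access control keeps "access criteria" on the authorization side.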