Invitation to Cybersecurity

Authentication is verifying an identity. In the real world, people know one another through personal interactions. We recognize each other based on the way we look, speak, and act. When we need to be authenticated to strangers, like at the airport, identification cards (IDs) issued by trusted authorities that include the person’s name, photograph, and sometimes signature are used. The goal of authentication is to get the correct answer to the question, “Are you who you say you are?”

In cyberspace, computers, not humans, perform the work of verifying identities. Authentication is controlled by an authentication mechanism, which mediates access to the requested computing resource. The resource could be a computer system, a computer program, or data. The authentication mechanism is the gatekeeper and is analogous to a security guard who verifies identities before permitting people to enter a secure space. The authentication question is asked and answered frequently in cyberspace, such as when logging into a computer or logging onto websites.

Email is a good example. Email providers have many users, and when a person checks their email, the email provider needs to know which email records to serve—people should have access to only their own email messages. Therefore, email providers must authenticate users before granting them access to emails.

In cyberspace, all interactions are digital. Because all digital artifacts can be perfectly replicated, verifying identities in cyberspace is a tricky problem, and impersonation is a real threat. While cyberspace seems like an anonymous world, most interactions involve some form of authentication. Even when a person is browsing the web anonymously, they likely had to first log in to their smartphone or laptop. Plus, while surfing, their browser authenticates the web servers they connect to, even if the user is not authenticated in return.

Authenticating web servers is important for protecting users because it ensures they are interacting with real, not imposter, websites. We saw how this works in Chapter 7 with the public key infrastructure (PKI). How did Alice know whether the public key that was sent to her belonged to Bob or someone else? This is the same authentication problem web browsers face when connecting to web servers. How can they be sure they are connected to the real news, ecommerce, or social media server and not to a fake website? PKI solves this problem by using certificate authorities (CAs) to verify identities. This is similar to how IDs are used in physical space.

For any authentication system, two opposite errors are possible. The first is the false positive error. A false positive error is when the wrong person passes authentication. The other is the false negative error. A false negative error is when the right person fails authentication. Both errors are damaging. False positives allow impersonation and unauthorized access, which is a breakdown of cybersecurity. False negatives prevent the right people from accessing their resources, which is a breakdown of the availability goal of the CIA triad. These errors are in tension because attempts to minimize one likely
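
The tension between the two errors can be seen in a small model. The following Python example is added here and is not from the textbook; it assumes a hypothetical score-based authenticator (for instance a fingerprint matcher) and uses constructed genuine and impostor match scores to show that raising the acceptance threshold lowers the false positive rate while raising the false negative rate.

```python
"""Model of the false positive / false negative tension in authentication."""
from typing import Dict, List, Tuple

# Constructed match scores (0.0 to 1.0) from a hypothetical authenticator.
# Higher means "more like the claimed user". The values are made up for
# illustration; they are not measurements from any real system.
GENUINE_SCORES: List[float] = [0.92, 0.88, 0.81, 0.76, 0.70, 0.64, 0.58, 0.51]
IMPOSTOR_SCORES: List[float] = [0.12, 0.20, 0.33, 0.41, 0.47, 0.55, 0.62, 0.69]


def decide(score: float, threshold: float) -> bool:
    """The gatekeeper: accept the claimed identity iff score >= threshold."""
    return score >= threshold


def error_rates(threshold: float) -> Tuple[float, float]:
    """Return (false_positive_rate, false_negative_rate) at one threshold.

    False positive: an impostor passes authentication.
    False negative: the genuine user fails authentication.
    """
    false_positives = sum(decide(s, threshold) for s in IMPOSTOR_SCORES)
    false_negatives = sum(not decide(s, threshold) for s in GENUINE_SCORES)
    return (false_positives / len(IMPOSTOR_SCORES),
            false_negatives / len(GENUINE_SCORES))


def sweep(thresholds: List[float]) -> Dict[float, Tuple[float, float]]:
    """Evaluate every threshold: lowering one error rate raises the other."""
    return {t: error_rates(t) for t in thresholds}


def balanced_threshold(thresholds: List[float]) -> float:
    """Threshold at which the two error rates are closest to each other."""
    return min(thresholds,
               key=lambda t: abs(error_rates(t)[0] - error_rates(t)[1]))


if __name__ == "__main__":
    candidates = [0.3, 0.5, 0.6, 0.7, 0.9]
    for t, (fpr, fnr) in sweep(candidates).items():
        print(f"threshold={t:.2f}  false positive={fpr:.3f}  false negative={fnr:.3f}")
    print("balanced threshold:", balanced_threshold(candidates))
```

A strict gatekeeper (high threshold) turns away impostors but also locks out legitimate users, which is the availability failure the text describes; a lenient one does the reverse.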
