
1. Explain the difference between authentication and authorization.

2. Identify and describe the three basic authentication factors.

3. Describe the five basic attacks on authentication systems.

4. Describe how password hashing works.

a. Provide screenshots of using md5sum in your group VM under your account

5. Why can’t an attacker masquerade by using a hashed password?

6. Explain how biometric systems are vulnerable to the five generic attacks on authentication systems.

a. Clone or borrow credential

b. Sniff credential

c. Trial and error guessing

d. Denial of service

e. Retrieve from backup

Solution

Authentication

Authentication is the process of verifying the identity of a user by obtaining some sort of credentials and using those credentials to verify the user's identity. If the credentials are valid, the authorization process starts. The authentication process always comes before the authorization process.


Authorization


Authorization is the process of allowing an authenticated user to access resources by checking whether the user has access rights to the system. Authorization helps you control access rights by granting or denying specific permissions to an authenticated user.

----------------
Authentication factors classically fall into three categories:

Knowledge factors include things a user must know in order to log in: User names, IDs, passwords and personal identification numbers (PINs) all fall into this category.
Possession factors include anything a user must have in his possession to log in. This category includes one-time password tokens (OTP tokens), key fobs, smartphones with OTP apps, employee ID cards and SIM cards.
Inherence factors include any biological traits the user has that are confirmed for log in. This category includes the scope of biometrics such as retina scans, iris scans, fingerprint scans, finger vein scans, facial recognition, voice recognition, hand geometry and even earlobe geometry.
-----------
Clone or borrow the credential or token - the attacker obtains a copy of the credential itself and uses it to log in.
Sniff the credential - the attacker intercepts and copies it while it is being transmitted to the login process.
Trial-and-error guessing - the attacker simply guesses several words or names.
Denial of service - the attack either damages the system or blocks access to it by others.
Retrieve from backup - the attacker finds the authentication database or other information on a backup copy of the hard drive.

------

Cryptographic hash functions have different mathematical foundations, but they have the same property: they're easy to compute going forward (calculate H(x) given x), but practically impossible to compute going backward (given y, calculate x such that H(x) = y). In fact, one of the signs of a good cryptographic hash function is that there is no better way to find x than trying them all and computing H(x) until you find a match.

Another important property of hash functions is that two different inputs have different hashes. So if H(x1) = H(x2), we can conclude that x1 = x2. Mathematically speaking, this is impossible — if the inputs are longer than the length of the hash, there have to be collisions. But with a good cryptographic hash function, there is no known way of finding a collision with all the computing resources in the world.

If you want to understand more about cryptographic hash functions, read this answer by Thomas Pornin. Go on, I'll wait.
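For questions 4 and 5, the following added example (not part of the original solution) shows a login check that stores only a salted hash and hashes whatever the user submits, so presenting the stored hash as the password fails. It assumes PBKDF2-HMAC-SHA256 in place of the md5sum used in the exercise; the function names, the iteration count and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # assumed work factor for this example
SAMPLE_PASSWORD = "correct horse battery staple"  # constructed sample


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Build what the server stores: a random salt and H(salt, password)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, submitted: str) -> bool:
    """Login check: hash the submitted value, then compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    record = make_record(SAMPLE_PASSWORD)
    # What someone reading the authentication database (or a backup) would see.
    stored_hex = record["hash"].hex()
    second = make_record(SAMPLE_PASSWORD)  # same password, fresh random salt
    return {
        "real_password": verify(record, SAMPLE_PASSWORD),
        "wrong_password": verify(record, SAMPLE_PASSWORD + "!"),
        # The server computes H(stored hash), which does not equal H(password).
        "stored_hash_as_password": verify(record, stored_hex),
        # Different salts give different stored values for the same password.
        "same_hash_with_new_salt": second["hash"] == record["hash"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

This protection holds only when the system hashes the submitted value itself; a protocol that accepts the hash directly as the credential does not get it.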

Tutor: Dr Jack