Andrea Atzeni (Dipartimento di Automatica e Informatica, Politecnico di Torino, Italy) and Antonio Lioy (Dipartimento di Automatica e Informatica, Politecnico di Torino, Italy)
DOI: 10.4018/978-1-4666-5888-2.ch416

Chapter Preview



In a world where computer systems are increasingly pervasive, connected and integrated, where the diffusion of electronic devices with different forms, dimensions and purposes is constantly growing, the right to protect the information exchanged through computer networks is an urgent and general need: this is known as computer and network security.

“Security” may mean different things to different people, but very often it cannot be achieved without some form of authentication. In particular, authentication is a cornerstone for many security operations, namely those which imply access restrictions, such as access to personal data, separation among the applications of different users, process integrity and so on.

A general definition of authentication is “the process of determining whether someone or something is, in fact, who or what it is declared to be.” In the following, we will introduce why this concept is important for the computer security field. Then, we will describe the salient properties of authentication. These properties lead to an authentication taxonomy, which will be discussed with emphasis on the parameters suitable for classifying different kinds of authentication. Furthermore, we will mention requirements for authentication techniques, as well as security considerations for each authentication option, aiming to give a comprehensive and synthetic overview of the important aspects of the authentication process in practice.



Authentication is a cornerstone of computer security. Computer security itself is often described as the composition of three properties: confidentiality, integrity, and availability:

  • Confidentiality is the “property that sensitive information is not disclosed to unauthorized individuals, entities or processes.” (NIST, 2007);

  • Integrity is “the property that sensitive data has not been modified or deleted in an unauthorized and undetected manner” (NIST, 2007), or even “the property whereby an entity has not been modified in an unauthorized manner” (CNSS, 2010);

  • Availability is “the property of being accessible and useable upon demand by an authorized entity” (CNSS, 2010).

According to these definitions, confidentiality and integrity need a mechanism for controlling access to data and services. Confidentiality needs it to restrict information access and disclosure to legitimate parties only, while integrity uses authentication to discern between proper (i.e. authorized) and unauthorized information manipulation, such as modification or destruction. Depending on the actual implementation, a further benefit may be the non-repudiation property, i.e. a party cannot deny being the author of a specific action.

Access control implementation requires both authorization and authentication. Typically, authentication precedes authorization. Although they may seem to be always combined, they are different concepts: authentication is the verification of a claimed identity, while authorization is the process of verifying whether an entity has the right to perform a specific action on a service or resource. For a discussion of the differences between authentication and authorization see (Lopez et al., 2004).
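The following is an added illustration (not code from the chapter) of the separation between the two steps: a claimed identity is first verified against a stored credential, and only an authenticated identity is then checked against an authorization policy. The user names, passwords, salts and the “documents” resource are constructed for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample credential store: user -> (salt, salted SHA-256 digest of the password).
def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

_SALT_ALICE = b"constructed-salt-1"
_SALT_BOB = b"constructed-salt-2"
CREDENTIALS = {
    "alice": (_SALT_ALICE, _digest(_SALT_ALICE, "correct horse")),
    "bob": (_SALT_BOB, _digest(_SALT_BOB, "hunter2")),
}

# Authorization policy, consulted only for an authenticated identity:
# (user, resource) -> set of permitted actions.
POLICY = {
    ("alice", "documents"): {"read", "write"},
    ("bob", "documents"): {"read"},
}

def authenticate(claimed_identity: str, password: str) -> Optional[str]:
    """Verify a claimed identity against the stored credential.
    Returns the identity on success, None on failure (unknown user or wrong password)."""
    record = CREDENTIALS.get(claimed_identity)
    if record is None:
        # Compute a dummy digest so unknown and known names take similar time.
        _digest(b"\x00" * 16, password)
        return None
    salt, stored = record
    # Constant-time comparison of digests.
    if hmac.compare_digest(_digest(salt, password), stored):
        return claimed_identity
    return None

def authorize(identity: str, action: str, resource: str) -> bool:
    """Decide whether an already-authenticated identity may perform action on resource."""
    return action in POLICY.get((identity, resource), set())

def access(claimed_identity: str, password: str, action: str, resource: str) -> str:
    """Access-control decision: authentication first, authorization second."""
    identity = authenticate(claimed_identity, password)
    if identity is None:
        return "denied: authentication failed"
    if not authorize(identity, action, resource):
        return "denied: not authorized"
    return "allowed"
```

Note that a wrong password and an unknown user both yield the same authentication failure, and the policy is never consulted for an unauthenticated request.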


Main Focus Of The Article

In this article we describe the authentication concept through its categorization on the basis of different facets:

  • The entity to be authenticated;

  • The number of entities authenticated in the process (just one or all the involved parties);

  • The mechanism (or factor) used in the authentication process;

  • The mathematical principles exploited for authentication (i.e. the underlying cryptographic technique);

  • The number of parties involved in the authentication process.

We will discuss authentication aspects along each of these dimensions.

Key Terms in this Chapter

Traceability: The ability to know the actions an entity has performed by means of recorded information.

Public Key Infrastructure (PKI): A set of technological means and management procedures that allows a third party to guarantee an entity's identity.

Data Authentication: The authentication process that results in the proof of the origin of a chunk of data.

Diffie-Hellman Key Exchange: A method that allows two parties without prior knowledge to jointly establish a shared secret key over an insecure communications channel and so encrypt subsequent communication.

Authorization: The process of granting permission (e.g. file access, download of a video, access to a building) on the basis of an authenticated identification.

Anonymous Credentials: A set of attributes that allow a particular (and slightly paradoxical) type of authentication that results in the assurance of communicating with a specific party, without knowing its identity.

Security: A process, not a product. In particular, the set of products, services, organization rules and individual behaviors that protect the ICT system of a company.

Single Sign-On (SSO): The property of an access control system to allow access to different resources after a single successful authentication.

Peer Authentication: The authentication process that results in the identity proof of a communicating entity.

Brute-Force Attack: An attempt to discover authentication credentials by trying all possible alternatives.

Digital Signature: A message digest encrypted with a private key, used as an electronic means of authentication.

Non-Repudiation: The ability to ensure that a party cannot deny being the author of a specific action (e.g. writing, sending, storing) on a specific object (e.g. a document, a network packet, a server, …). This can also be seen as authenticated traceability.

Dictionary Attack: An attempt to discover authentication credentials by trying common alternatives (typically collected in a “dictionary”).

Message Digest: A string of digits created by applying a formula called a one-way hash function to a target message.
