
Atomic Authorization
    
    
Atomic authorization is the act of securing authorization rights independently from the intermediary applications that utilize them and the parties to which they apply. More formally, in the field of computer security, to atomically authorize is to define policy that permits access to a specific resource, such that the authenticity of such policy may be independently verified without reliance on the application that enforces the policy or the individuals who utilize the application. Resources include access to individual data, computer programs, computer hardware, computer networks, and physical access.
Traditional vs. atomic authorization
In traditional (non-atomic) authorization, policy is defined and secured at an application level. That is, outside the context of the application, there is no mechanism to verify the legitimacy of traditional authorization policy. Atomic authorization requires a trusted third party to issue authorization policy with a cryptographic guarantee of integrity. Because it is secured independently of the application which utilizes it, atomic authorization policy is equivalent in strength to strong authentication policy.
For an application using strong (N-factor) authentication, traditional authorization techniques pose a security vulnerability. The application must rely upon technologies like database queries or directory lookups, which are protected using single-factor authentication, for authorization information and management. Any application-specific hardening of non-atomic authorization methods increases the complexity of identity management and issuing credentials, but does not further legitimize the authorization decisions that the application makes.
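The issue-and-verify flow described above, as an added example that is not part of the original article: a trusted third party signs a policy, and the application checks it using only the issuer's public key. The `Policy` fields, the function names, and the choice of Ed25519 over JSON are assumptions made for illustration; the article names no format or algorithm.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Policy is a constructed, hypothetical format; the article defines none.
type Policy struct{ Subject, Resource, Action string }

// Issue runs at the trusted third party, the only holder of the private key.
// It returns the exact policy bytes and a signature over them.
func Issue(priv ed25519.PrivateKey, p Policy) (body, sig []byte) {
	body, _ = json.Marshal(p) // cannot fail for a struct of plain strings
	return body, ed25519.Sign(priv, body)
}

// Authorize runs in the application, or at any auditor. It needs only the
// issuer's public key, so write access to the application's own database or
// directory is not enough to create or alter a grant.
func Authorize(pub ed25519.PublicKey, body, sig []byte, want Policy) error {
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("policy signature invalid")
	}
	var p Policy
	if err := json.Unmarshal(body, &p); err != nil {
		return err
	}
	if p != want {
		return fmt.Errorf("policy does not grant %s on %s to %s",
			want.Action, want.Resource, want.Subject)
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	req := Policy{Subject: "alice", Resource: "payroll-db", Action: "read"}
	body, sig := Issue(priv, req)
	fmt.Println("genuine:", Authorize(pub, body, sig, req))
	// Constructed tampering: the stored policy is edited without the key.
	forged := []byte(`{"Subject":"mallory","Resource":"payroll-db","Action":"read"}`)
	fmt.Println("tampered:", Authorize(pub, forged, sig, Policy{"mallory", "payroll-db", "read"}))
}
```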
See also
- Security engineering
- Computer security
- Authentication
- Access control


