Skip to content.
|Networking government in New Zealand.
 
You are here: Home » Services » SEEMail » S.E.E. PKI: Paper 3 - Authentication Mechanisms » 5 Terminology

5 Terminology

5.1 Definition of terms

5.1.1 For the purposes of this document, authentication is the confident identification of a person or computer to another person or computer (for instance, to allow only approved persons to access a protected web page or to verify the originator of an e-mail). It is a necessary first step to authorisation. The uses of authentication are discussed in more detail in section 6.

5.1.2 Authorisation is the process of permitting access to a computer or application by a person or another computer.

5.1.3 An authentication mechanism is the process or technology used to authenticate a person or system. Common mechanisms in use today include username/password, digital certificates, Kerberos, and proprietary systems such as SecurID.

5.1.4 An authentication infrastructure is a set of systems, procedures, policies and governance arrangements which together provide authentication services. For example, The Treasury's CFISnet system requires end-users to have digital certificates with the private keys on smart cards. These can be supplied by a number of approved Certification Authorities (CAs), but must satisfy the policies and procedures mandated by the Treasury. These components together provide the CFISnet authentication infrastructure.

5.1.5 An authentication mechanism contributes towards a number of security objectives, including integrity, confidentiality and non-repudiation. These may be briefly defined as follows:

  • Integrity: information is not subject to unauthorised modification.

  • Confidentiality: information is made available only to those who are authorised to access it.

  • Non-repudiation: the sender of a message/transaction cannot subsequently deny having sent it. (Strictly speaking, the term non-repudiation also covers the requirement that the recipient cannot deny having received a message or transaction. However, the authentication mechanisms covered in this document do not necessarily provide this latter capability.)

5.2 Avoiding proliferation of authentication mechanisms

5.2.1 Users do not like having to remember many different usernames and passwords for different systems, nor do they like managing password changes among different systems (the same is true for the use of any authentication mechanism).

5.2.2 It is not cost efficient to use many different authentication infrastructures within government.

5.2.3 There is unlikely to be a single authentication infrastructure that is appropriate for all applications. This document is focussed on proposing a limited set of mechanisms that are appropriate up to the level of IN CONFIDENCE and SENSITIVE and recommends a particular authentication infrastructure to meet most authentication needs in this area. It should be noted that, in line with the objective of matching the strength of authentication to the sensitivity of the information involved, it will be simpler and more cost effective in many cases to use a simple authentication method such as passwords.


[ Previous | Next ]