Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Thanks for the feedback folks. Did one more rev and clean it up. Thanks for the suggestion.


There are also some very important facets to Information security that you are missing. You describe security as being "based on knowing, doing, or owning something that no one else can". But this is not quite right. You are speaking to only one aspect of security - confidentiality. There is also integrity and availability. Additionally, you are only speaking to the authentication aspect of confidentiality. Your "knowing, doing, or owning" could be more succinctly described as authorization based off of "something you know, something you have, or something you are" which are the 3 main ways that someone could be identified as you they claim to be. Your signature example would generally fall under something you are - but an argument could be made for it being something you know as well.

EDIT:

You also described Public key cryptography as having "2 different keys. One allows for encryption and the other for decryption. In this case, the decryption key is public so everyone can decrypt." This misses the mark a little bit. The public key could be used to encrypt as well, so that only the holder of the private key can read the information. Using the private key to encrypt is generally used in digital signatures so that the recipient can verify that the sender is who they claim to be. This scenario doesn't attempt to keep the data secret, because anyone with access to the public key can decrypt the data.


Yeah. I had hoped to scope the conversation down to authentication quickly, because, yes, security means a lot of things. I clearly didn't do that well.

You distinguish between "knowing, doing, or owning" and "something you know, something you have, or something you are"? I guess there might be a slight difference between doing and something you are, but I'm not sure I see the difference?

re. Public Key Crypto. Yes. Using the public key to decrypt and the private key to encrypt is how to use Public Key for author verification and you can reverse it for encryption. One validates the author and the other protects the data.

You are right to say that a better way of saying the sentence would be: "in the case of digital signatures, the public key is used to decrypt thus everyone can decrypt."

Thanks for helping me with this. Will have to be more more clear next time I write something.


The something you are (which generally doesn't apply to web-based authentication) are biometrics. So something you are - the pattern of blood vessels in your retina - is something very different from something you "do". The fact that you have "muscle memory" that allows you to sign your name a certain way would again be "something you are". I can't pass that on to someone else - only I can do it.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: