Certification and authentication are used to protect access to resources in general, by ensuring that only those authorized to have them can get them. An entity (e.g., person, host, software agent) is given some kind of certification of their identity or membership in a particular group (e.g., “Fred Smith,” “employee of company X,” “all computers in department Y”). The entity has to offer this certificate in order to be authenticated and given access to the resources being protected.
A typical example of certification in practice is restricting FTP sites to a selected list of hosts on the network. A remote host has to provide its IP address when requesting an FTP connection to the site. The restricted FTP site looks up the IP address in its access table to see if the remote host is certified to access the files on this server. The IP address, then, is acting as an access certificate for this transaction, and the FTP server authenticates the remote host by checking the IP address against its access table. In encrypted data transfers, the encryption key is also acting as a sort of certificate for the receiving party, indicating that they have authority to read the information being sent.
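The two kinds of "certificate" the passage describes can be made concrete in a few lines. The following Python is an added illustration, not code from the book or from any real FTP server: it models an access table that a service checks a remote host's address against (generalised slightly to allow whole networks, the "all computers in department Y" case), and beside it a check that a party actually holds the shared key the passage calls a sort of certificate. The table entries, key and challenge values are constructed for the example, and the challenge/HMAC exchange is one assumed way of proving key possession without transmitting the key itself. Note the practical caveat the address check carries: the address is whatever the client side of the connection presents, so the lookup is only as trustworthy as the network path that delivered it.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed access table: the hosts and networks certified to use this
# service. A /32 (or /128) entry is a single host; a wider prefix is a group.
ACCESS_TABLE = [
    ipaddress.ip_network("192.0.2.10/32"),     # one certified host
    ipaddress.ip_network("198.51.100.0/24"),   # every host in "department Y"
    ipaddress.ip_network("2001:db8:1::/48"),   # an IPv6 department
]


def host_is_certified(remote_addr: str, table=ACCESS_TABLE) -> bool:
    """Authenticate a remote host by its address.

    The address is the 'certificate' the client presents; the table is what
    the server checks it against. Anything that is not a valid address is
    rejected rather than matched.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # Mixed IPv4/IPv6 comparisons simply evaluate to False, so a v4 address
    # never matches a v6 entry by accident.
    return any(addr in net for net in table)


def issue_challenge() -> bytes:
    """Server side: a fresh random value the key holder must respond to."""
    return secrets.token_bytes(16)


def prove_key(key: bytes, challenge: bytes) -> bytes:
    """Client side: demonstrate possession of the shared key by keying an HMAC
    over the challenge, so the key itself never crosses the connection."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def key_holder_is_certified(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: the response is only valid if computed with the same key.

    compare_digest is used so the check takes the same time whether the
    response is right or wrong.
    """
    return hmac.compare_digest(prove_key(key, challenge), response)


if __name__ == "__main__":
    print(host_is_certified("198.51.100.77"))   # inside department Y
    print(host_is_certified("192.0.2.11"))      # neighbour of a certified host
    shared_key = b"constructed-example-key"
    ch = issue_challenge()
    print(key_holder_is_certified(shared_key, ch, prove_key(shared_key, ch)))
    print(key_holder_is_certified(shared_key, ch, prove_key(b"wrong-key", ch)))
```

The contrast between the two checks is the point: the address check authenticates a claim the client merely states, while the challenge response authenticates something only a key holder can compute, which is why the passage treats the key as the stronger of the two certificates.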
If you look closely at our example in Example 5.1, you’ll notice that the agent doesn’t make any attempt to check who is at the other end of the socket that it opens. In some applications, this might not be a problem. But let’s ...