Key Management: General
19 When multiple individuals are permitted to share the same source authentication information (such as a password or cryptographic key), it is sometimes called role-based authentication. See [FIPS140].
3.4 Authorization
Authorization is concerned with providing an official sanction or permission to perform a security function or activity (e.g., accessing a room). Authorization is considered a security service that is often supported by a cryptographic service. Normally, authorization is granted only after the execution of a successful source authentication service. A non-cryptographic analog of the interaction between source authentication and authorization is the examination of an individual's credentials to establish their identity (the source authentication process); after verifying the individual's identity and verifying that the individual is authorized to access some resource, such as a locked room, the individual is then provided with the key (e.g., an authorization key or password) that will allow access to that resource.
Source authentication can also be used to authorize a role (such as a system administrator or audit role), rather than to identify an individual. Once authenticated for a role, an entity is authorized for all the privileges associated with that role.
3.5 Non-repudiation
In key management, non-repudiation is a term associated with digital signature keys and digital certificates that bind the name of the certificate subject to a public key. When non-repudiation is indicated for a digital signature key, it means that the signatures created by that key support not only the usual integrity and source authentication services of digital signatures, but also may (depending upon the context of the signature) indicate commitment by the certificate subject, in the same sense that a handwritten signature on a document may indicate commitment to a contract.
A real determination of non-repudiation is a legal decision with many aspects to be considered. Cryptographic mechanisms can only be used as one element in this decision (i.e., a digital signature can only be used to support a non-repudiation decision).
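The distinction drawn in 3.5, as an added Go example that is not part of this Recommendation: X.509 certificates carry the "non-repudiation is indicated" property as the contentCommitment bit (formerly named nonRepudiation) of the keyUsage extension, and a relying party checks that bit separately from whether the signature itself verifies. The self-signed certificate, the subject name "Alice" and the signed message are constructed for the example; a deployed system would obtain the certificate from a CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// NewSelfSigned mints a constructed self-signed P-256 certificate that binds
// subject to a fresh key and carries the given keyUsage bits.
func NewSelfSigned(subject string, usage x509.KeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     usage,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, err := x509.ParseCertificate(der) // a failed CreateCertificate leaves der nil and surfaces here
	return cert, key, err
}

// Sign returns an ASN.1 ECDSA signature over SHA-256(msg).
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Verify keeps two questions apart: valid is the usual integrity and source-authentication
// check; commitment is whether keyUsage asserts contentCommitment (formerly nonRepudiation).
func Verify(cert *x509.Certificate, msg, sig []byte) (valid, commitment bool) {
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) == nil,
		cert.KeyUsage&x509.KeyUsageContentCommitment != 0
}

func main() {
	cert, key, _ := NewSelfSigned("Alice", x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment)
	sig, _ := Sign(key, []byte("I agree"))
	fmt.Println(Verify(cert, []byte("I agree"), sig)) // true true
}
```

A certificate issued without the contentCommitment bit still yields valid signatures, but Verify reports commitment as false, which is the cryptographic input a later legal determination would weigh.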
3.6 Support Services
The basic cryptographic security services discussed above often require other supporting services. For example, cryptographic services often require the use of key establishment and random number generation services.
3.7 Combining Services