The Physics of Identity: Entropy, Hashing & Graph Theory

Auth is math. The physics of Password Entropy, why Argon2 defeats GPUs, and Graph Theory for RBAC vs ABAC authorization.

Intermediate · 40 min read

🎯 What You'll Learn

  • Calculate Password Entropy ($E = \log_2(R^L)$)
  • Understand Time-Memory Trade-offs in Hashing (Argon2 vs MD5)
  • Contrast stateless JWTs with stateful server sessions
  • Model Authorization as a Directed Acyclic Graph (RBAC)
  • Implement ABAC Logic Gates

Introduction

“Who are you?” and “What can you do?” are not philosophy questions. They are Mathematical Proofs.

  • Authentication (AuthN): Proving possession of a secret (Entropy).
  • Authorization (AuthZ): Traversing a permission graph (Graph Theory).

Part 1: Authentication Physics

Entropy: The Strength of Secrets

A password is only as strong as its Entropy (Bits of Uncertainty).

$E = L \times \log_2(R)$

  • $L$: Length of password.
  • $R$: Range of characters (e.g., 26 lowercase, 62 alphanumeric).

Comparison:

  1. “password123” ($L=11, R=36$): $\approx 57$ bits. (Crack time: Minutes).
  2. “correct horse battery staple” ($L=27, R=26$): $\approx 127$ bits. (Crack time: Heat Death of Universe).

The Hashing Arms Race

Storing passwords in plain text is criminal. Storing them as MD5 is negligent. We need Slow Hashing.

  • MD5/SHA256: Designed for speed. A GPU can compute billions per second.
  • Argon2/Bcrypt/Scrypt: Designed to be Memory Hard and Slow.

Physics of Argon2: It fills RAM with random data and reads it back in a specific pattern. GPUs possess massive compute but tiny per-core RAM. This forces the attacker to buy expensive RAM, destroying the economics of cracking.


Part 2: Authorization Physics

RBAC: Graph Theory

Role-Based Access Control is a Directed Acyclic Graph (DAG).

  • Nodes: Users, Roles, Permissions.
  • Edges: User -> Role, Role -> Permission.

The Traversal: To check if User $U$ can do Action $A$: Is there a path from $U$ to $A$?

$U \rightarrow Role_{Admin} \rightarrow Perm_{DeleteDB}$

This is efficient ($O(1)$ lookups) but rigid.

ABAC: Boolean Logic Gates

Attribute-Based Access Control is a Logic Circuit. It evaluates Context, not just Graph edges.

$Allow = (User.Dept == Resource.Dept) \land (Time > 9am)$

This allows fine-grained control but requires computing a boolean expression for every request.
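The RBAC graph and the ABAC gate from Part 2, as one added example (this is illustration code written for this lesson, not code from the original page). It builds a small user/role/permission graph, checks that it is a DAG, answers "is there a path from $U$ to $A$" by traversal, precomputes a per-user permission set for the $O(1)$ lookups the text mentions, and then layers the `(User.Dept == Resource.Dept) AND (Time > 9am)` rule on top. The users, roles, departments and times are constructed sample data.

```python
"""RBAC as a directed acyclic graph, with an ABAC predicate layered on top.

Added example for this lesson, not code from the original page. All nodes,
attributes and times below are constructed for illustration.
"""
from collections import deque
from datetime import time


class RbacGraph:
    """Edges: user -> role, role -> role (inheritance), role -> permission."""

    def __init__(self):
        self.edges = {}  # node -> set of successor nodes

    def add_edge(self, src, dst):
        self.edges.setdefault(src, set()).add(dst)
        self.edges.setdefault(dst, set())

    def is_acyclic(self):
        """Kahn's algorithm: the graph is a DAG iff every node can be dequeued."""
        indeg = {n: 0 for n in self.edges}
        for dsts in self.edges.values():
            for d in dsts:
                indeg[d] += 1
        queue = deque(n for n, d in indeg.items() if d == 0)
        popped = 0
        while queue:
            n = queue.popleft()
            popped += 1
            for d in self.edges[n]:
                indeg[d] -= 1
                if indeg[d] == 0:
                    queue.append(d)
        return popped == len(self.edges)

    def has_path(self, src, dst):
        """The traversal: breadth-first search from src looking for dst."""
        if src not in self.edges:
            return False
        visited, queue = {src}, deque([src])
        while queue:
            n = queue.popleft()
            if n == dst:
                return True
            for d in self.edges[n]:
                if d not in visited:
                    visited.add(d)
                    queue.append(d)
        return False

    def permissions_of(self, user):
        """Everything reachable that is a permission; cache this per user for O(1) checks."""
        reach, stack = set(), [user]
        while stack:
            for d in self.edges.get(stack.pop(), ()):
                if d not in reach:
                    reach.add(d)
                    stack.append(d)
        return {n for n in reach if n.startswith("perm:")}


def build_sample_graph():
    """Constructed sample: admin inherits dev; only admin may delete the DB."""
    g = RbacGraph()
    g.add_edge("user:alice", "role:admin")
    g.add_edge("user:bob", "role:dev")
    g.add_edge("role:admin", "role:dev")
    g.add_edge("role:dev", "perm:read_db")
    g.add_edge("role:admin", "perm:delete_db")
    return g


def abac_allow(user_attrs, resource_attrs, now):
    """Allow = (User.Dept == Resource.Dept) AND (Time > 9am), the lesson's example rule."""
    return user_attrs["dept"] == resource_attrs["dept"] and now > time(9, 0)


def authorize(graph, user, permission, user_attrs, resource_attrs, now):
    """Both gates must pass: a path in the graph AND the attribute predicate."""
    return graph.has_path(user, permission) and abac_allow(user_attrs, resource_attrs, now)


if __name__ == "__main__":
    g = build_sample_graph()
    print("acyclic:", g.is_acyclic())
    print("alice -> delete_db:", g.has_path("user:alice", "perm:delete_db"))
    print("bob   -> delete_db:", g.has_path("user:bob", "perm:delete_db"))
    print("alice perms:", sorted(g.permissions_of("user:alice")))
    eng, ops = {"dept": "eng"}, {"dept": "ops"}
    print("alice, same dept, 10:00:", authorize(g, "user:alice", "perm:delete_db", eng, eng, time(10, 0)))
    print("alice, other dept, 10:00:", authorize(g, "user:alice", "perm:delete_db", eng, ops, time(10, 0)))
```

The DAG check matters in practice: once roles can inherit from other roles, a mis-edit that makes `role:dev` inherit from `role:admin` creates a cycle, and every user in either role silently gains every permission of both. Running `is_acyclic()` on each policy change catches that before it ships.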


Part 3: State Physics (JWT vs Sessions)

Sessions: Reference by Pointer

A Session ID is a Pointer to a memory address on the Server.

  • Pros: Instant revocation (delete the memory).
  • Cons: Server must store state (RAM/Redis). Hard to scale horizontally.

JWT: Value by Copy

A JSON Web Token (JWT) is the Data Itself, cryptographically signed.

  • Pros: Stateless. Server calculates $Signature = HMAC(Header + Payload, Secret)$.
  • Cons: Zombie Tokens. If you ban a user, their JWT is valid until expiration. You cannot revoke it without state (blacklists).

Practice Exercises

Exercise 1: Entropy Calculator (Beginner)

Task: Write a script to calculate Entropy of input strings. Action: Compare “Tr0ub4dor&3” vs “my cat likes to eat tuna”. Observation: Length beats Complexity every time.
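An entropy calculator for the $E = L \times \log_2(R)$ model of Part 1, which also works through Exercise 1. This is an added example, not a script from the original page. It infers $R$ from the character classes a string uses; the class sizes (26 lowercase, 26 uppercase, 10 digits, 32 ASCII symbols, and the space as its own one-character class) and the guess rate used for the crack-time estimate are assumptions chosen for illustration.

```python
"""Password entropy under E = L * log2(R), with R inferred from character classes.

Added example for this lesson, not code from the original page. Class sizes
and the default guess rate are assumptions chosen for illustration.
"""
import math
import string

# Assumed character classes; R is the sum of the sizes of the classes a string draws from.
CLASSES = (
    ("lowercase", set(string.ascii_lowercase), 26),
    ("uppercase", set(string.ascii_uppercase), 26),
    ("digits", set(string.digits), 10),
    ("space", {" "}, 1),
    ("symbols", set(string.punctuation), 32),
)


def char_range(password: str) -> int:
    """R: size of the alphabet the password appears to be drawn from."""
    return sum(size for _name, chars, size in CLASSES if any(c in chars for c in password))


def entropy_bits(password: str) -> float:
    """E = L * log2(R); an empty string carries no uncertainty."""
    if not password:
        return 0.0
    return len(password) * math.log2(char_range(password))


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Seconds to exhaust 2**bits guesses at an assumed rate (worst case; average is half)."""
    return 2 ** bits / guesses_per_second


def stronger(a: str, b: str) -> str:
    """The candidate with more bits under this model."""
    return a if entropy_bits(a) >= entropy_bits(b) else b


if __name__ == "__main__":
    for pw in ("password123", "Tr0ub4dor&3", "my cat likes to eat tuna"):
        bits = entropy_bits(pw)
        print(f"{pw!r:30} L={len(pw):2} R={char_range(pw):2} E={bits:6.2f} bits "
              f"brute force at 1e10/s: {crack_seconds(bits) / 86400:.3e} days")
    print("stronger:", stronger("Tr0ub4dor&3", "my cat likes to eat tuna"))
```

The brute-force column is a keyspace calculation only; real attackers start with dictionaries and common patterns, which is why the text's crack-time estimates for "password123" are far below what 57 bits of keyspace would suggest. The comparison still holds: 24 characters from a 27-symbol alphabet beat 11 characters from a 94-symbol one.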

Exercise 2: Cracking the Hash (Intermediate)

Task: Hash a password with MD5 and Bcrypt (Cost 12). Action: Measure time to hash 1,000 times. Result: MD5 takes 0.001s. Bcrypt takes 300s.
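A fast hash beside a memory-hard one, as an added example that serves both the Hashing Arms Race section of Part 1 and Exercise 2 (it is not code from the original page). It uses `hashlib.scrypt` from the Python standard library as the memory-hard function, since Argon2 and bcrypt need third-party packages; scrypt is memory-hard in the same sense the text describes for Argon2. The parameters (N=2^14, r=8, so roughly 16 MiB of RAM per hash), the record format and the iteration count for timing are assumptions chosen for illustration.

```python
"""Fast hash vs memory-hard hash for password storage.

Added example for this lesson, not code from the original page. Uses the
standard library's scrypt in place of Argon2/bcrypt; parameters and the
record format are assumptions.
"""
import hashlib
import hmac
import os
import time

# Assumed scrypt parameters: memory per hash is about 128 * N * r bytes = 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024  # cap handed to OpenSSL so the 16 MiB request is allowed


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """The wrong tool: one SHA-256 per guess, trivially parallel on a GPU."""
    return hashlib.sha256(salt + password).digest()


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Memory-hard: each guess must fill ~16 MiB and read it back in a data-dependent order."""
    return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=SCRYPT_MAXMEM, dklen=32)


def store(password: str) -> str:
    """Self-describing record: algorithm, parameters, salt and digest, '$'-joined."""
    salt = os.urandom(16)
    digest = slow_hash(password.encode(), salt)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def time_per_hash(fn, iterations: int = 20) -> float:
    """Average seconds per call; slow/fast is the multiplier imposed on each attacker guess."""
    pw, salt = b"correct horse battery staple", b"\x00" * 16  # constructed inputs
    start = time.perf_counter()
    for _ in range(iterations):
        fn(pw, salt)
    return (time.perf_counter() - start) / iterations


if __name__ == "__main__":
    record = store("hunter2")
    print("record:", record)
    print("verify correct:", verify("hunter2", record))
    print("verify wrong:  ", verify("hunter3", record))
    fast, slow = time_per_hash(fast_hash), time_per_hash(slow_hash)
    print(f"sha256: {fast:.6f} s/hash   scrypt: {slow:.4f} s/hash   ratio: {slow / fast:,.0f}x")
```

Storing the parameters inside the record is what lets you raise N later without invalidating existing accounts: `verify` reads the cost from the record, and a login with the old cost can be re-hashed at the new one. The absolute numbers you see will differ from the text's bcrypt figures; the ratio between the two columns is the point.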

Exercise 3: JWT Anatomy (Advanced)

Task: Create a JWT. Action: Change one character in the Payload. Result: Signature verification fails immediately. Math prevents tampering.
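A minimal HS256 JWT signer and verifier, as an added example that serves both Part 3 (the $Signature = HMAC(Header + Payload, Secret)$ construction and the Zombie Token problem) and Exercise 3. It is written for this lesson and is not code from the original page or from any JWT library. It signs a token, shows that a changed payload no longer verifies, checks expiry, and adds the one piece of server state the text says revocation needs: a denylist of token ids. The secret, claims and token ids are constructed sample values.

```python
"""Minimal HS256 JWT: sign, verify, detect tampering, and revoke via a denylist.

Added example for this lesson, not code from the original page or a JWT
library. Secret, claims and token ids are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def sign(payload: dict, secret: bytes) -> str:
    """Signature = HMAC-SHA256(base64url(header) + '.' + base64url(payload), secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _encode_json(header) + "." + _encode_json(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, secret: bytes, now: float = None):
    """Return the payload if signature and expiry check out, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    payload = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload


def swap_payload(token: str, new_payload: dict) -> str:
    """Exercise 3's tamper: keep header and signature, replace the payload segment."""
    h, _p, s = token.split(".")
    return h + "." + _encode_json(new_payload) + "." + s


class Revocations:
    """The stateful escape hatch: revoked token ids (jti), consulted on every request."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, jti: str):
        self.revoked.add(jti)

    def accept(self, token: str, secret: bytes, now: float = None):
        payload = verify(token, secret, now)
        if payload is None or payload.get("jti") in self.revoked:
            return None
        return payload


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-not-for-real-use"
    claims = {"sub": "alice", "role": "user", "jti": "t-1", "exp": 2_000_000_000}
    tok = sign(claims, SECRET)
    print("token:", tok)
    print("verify original:", verify(tok, SECRET, now=1_700_000_000))
    forged = swap_payload(tok, dict(claims, role="admin"))
    print("verify tampered:", verify(forged, SECRET, now=1_700_000_000))
    rev = Revocations()
    rev.revoke("t-1")
    print("after revocation:", rev.accept(tok, SECRET, now=1_700_000_000))
```

Without `Revocations`, the original token stays valid until `exp` no matter what happens to the account; that is the Zombie Token. The denylist only needs to remember a `jti` until that token's `exp` passes, which keeps the state small, but it is still state on every request, which is exactly the trade the text describes.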


Knowledge Check

  1. Which has higher entropy: 8 random chars or 4 random words?
  2. Why is MD5 bad for passwords?
  3. Can you revoke a standard JWT?
  4. Is RBAC a Graph or a Tree?
  5. What resource does Argon2 target to stop GPUs?

Answers

  1. 4 random words. Length dominates the log function.
  2. Too Fast. Allows billions of guesses per second.
  3. No. It is stateless. You need a stateful blacklist to revoke.
  4. Graph (DAG). Roles can inherit from other roles.
  5. RAM (Memory). GPUs are memory-constrained relative to compute.

Summary

  • AuthN: Prove you know the secret (Entropy).
  • AuthZ: Prove you have the edge in the graph (RBAC).
  • Hashing: Make it slow and memory-heavy (Argon2).
