random memes }

Security in numbers

Security, and more specifically - access control, is all about numbers.

To obtain an object out of secure storage, you need a key. In the software world, this key usually has two parts.

The first part of the key goes by various combinations of modifiers: access, authorization, ticket, token, identity, and security. At base, this key identifies who you are, and is usually deriven from a username/password. The username/password is also just a (big) number, encoded in ASCII (usually). If guessing the first key is hard enough, then the storage is considered secure.

The second part of the key identifies the object within storage, and for ease of use is usually the same for all users. This is the equivalent of a pathname in a filesystem, or an HTTP link (or URL).

But in the end, when put together, the key is simply a big number. If you have the right number, you get access to the stored object. As long as guessing that number is impractical, the storage is secure.

This leads to a very simple notion for secure web-scale storage.