Authentication: From Passwords to Public Keys
by Aleksandar Stancin - for Help Net Security
Author: Richard E. Smith
Pages: 576
Publisher: Addison-Wesley
ISBN: 0201-61599-1



Available for download is chapter 1 entitled "The authentication landscape".

Introduction

Authentication is allowing the authorized user to gain access to otherwise restricted or not, system resources. It's all about access control. How to recognize, authenticate, and allow through authorized user, and to banish the fiendish one from this plane of existance. It's been with us from the very early dawn of mankind, starting from the caveman and it's primitive community. Even they had to develop a way of discerning friends from foes, in order to survive. Couple of thousand years later, and we are still in the same position. Not much evolution there, eh? But the authentication mechanisms have evolved far beyond the scope of one time passwords and secret phrases. As every day passes by, things that we used to see in SF flicks start to enter widespread use, things like biometrics, for example. But, the old threat is still here. How to establish trust and verify it. Well, as far as IT business is concerned, I have a book sitting in front of me, that just might give you a clue of what I'm talking about and even more. Those of you who can already guess the title, will be granted access to the remaining part of this review. Just to successfully authenticate you...

Open, sesame!

Authentication is written by Richard E. Smith, author of Internet Cryptography (Addison Wesley, 1997.), and as it clearly says on the book's cover, a researcher and an information security architect at Secure Computing Corporation - a true insider in the world of cryptography and authentication. He has assorted and put together for us a book on that very subject, spreading on some 500+ pages, filled with enough details to get you started. But first, lets jump into the lava pool in order to smell the logins and various procedures and what makes them tick a bit better.

As you're probably aware by now that all my reviews have a pattern to go along with, the following bit will not surprise you at all. Because, lo and behold, what follows is the brief run-through of the book's contents. As the book is focused on the problem of authentication, or properly identifying authorized users from those that are not, you'd be surprised of the topics mentioned in it. Not. :) But, let's not get too hasty. The book itself is divided into 15 neatly organized chapters, followed by chapter notes, bibliography, web and vendor resources as mentioned in it and finally a glossary and the index.

Unfortunately, I have to become a bit boring now, as the usual collection of chapter contents is about to follow. It is highly informative, but also seems so plain dull in comparison, so, you could call it necessary evil in a way...

Chapter 1 goes to the very beginning, the origin of passwords, some historical notes, quickly picking up the pace to discuss attacks against them, and basic elements of authentication mechanism.

Chapter 2 pops up the question of reusable passwords, more details about the Unix password system, the story behind /etc/passwd and /etc/shadow and again proceeds to the flaws and possible attacks, including dictionary attacks, and the matter of randomness in them.

Chapter 3 is a bit different story than previous two as it goes more into the matter of people, human socitey and its cultural impacts on creating and using passwords. This one deals with the human factor behind the passwords, and again, comes along with a nice summary with both pros and cons.

Chapter 4 is about design patterns in an authentication system, local and remote, as well as administrative requirements and physical security.

Chapter 5 goes further in the matter of local authentication, as mentioned in the previous chapter, and evolves the subject to a higher level of discussion.

Chapter 6 is THE chapter. It discusses picking PIN's and passwords, and how to do it right, finding the right compromise between usability and security. It provides guides for picking the right passwords, sharing them and storage. Why 'THE' chapter? Because, how ever simple it may be, statistics show that a lot of security incidents occur becuse of too easy guessable passwords and improper storage. It would be a good start for every new computer user to read this one.

Chapter 7 jumps into the domain of Biometrics. Interesting one, indeed. You'll find all the basics and theory behind it covered as well as implementation and problems.

Chapter 8 goes deeper into the problem of authentication by address. Usually a tricky one, in the days of IP spoofing, and problematic r* commands. A lot of real life experience and problems are covered, a useful chapter indeed.

Chapters 9, 10 and 11 (yes, I just had to speed it up a bit:)) cover authentication tokens, including discussion of active/passive tokens, attacks against them, challenge response passwords and indirect authentication. The latter deals with the Radius protocol and other indirect methods.

Chapter 12 deals with Kerberos and Windows 2000. Kerberos had a fine idea behind it, but eventually gone in the wrong way a bit, and the implementation was everything but flawless. Still, it is a good example, and here covered in depth. Everything is explained, from key distribution centres to attacks against the kerberos network.

Chapters 13, 14 and 15 discuss public keys, public key certificates and private key security. From RSA public keys, to SSL, creating certificates, and PKI's to private keys and smart cards. And a nice summary table at the end to go along...

So, as you can see, it starts slowly and picks up the pace, going into more advanced areas. It's advisable to read it from the beginning, you'll easily skim through the areas you're already familiar with.

What do I make of it?

For one, I can hold a grudge against the system of endnotes this book follows, instead of commonly used footnotes. I find it very distracting having to go to the end of the book all the time. It's not much, but it irritates. It's easier to follow footnotes than this. That aside, I can't really say anything bad about it.

Sure, the subject of Authentication does not have mass appeal, and if you select this book for reading and you're not much interested in it, you'll probably find it a bit boring. But, like I said, this is not you're average Barbara Cartland book, it has a targeted audience. Come to think of it, so does the work of B. Cartland... Like all such books, with it's limited appeal, it will find it's way and use for those that look for something about authentication.

What you will find is information you might require about authentication mechanisms there are, weather you are a manager, a plain user, or a system administrator. Every chapter is concluded with a nice summary table of discussed contents, including possible attacks and defenses against the mechanisms in question. That is one of the nifty features of this book, allowing you to quickly orientate and find what suits your needs, and what possible compromises you have to make. The book is focused on everyday examples the author has came across, also discussing concepts behind them. In order to fully understand this book, you'll have to be familiar with some topics, but you needn't worry, as it does not require any larger amount of technical knowledge on your behalf. It's written simply, and very easy to follow and understand. Many issues are discussed by using diagrams and examples which allows the author to bring in some technical information and make it easier for the average reader to follow. Not everybody has a PhD in mathematics. And, since I mentioned it, you can't escape maths in a book of this kind, but the author has managed to keep it simple and minimized.

I can recommend it as a good starting point for all interested, as it will prove to be more than sufficient for all network professionals and those aspiring to become one, but also to an average user looking for some information written in plain English.



Spotlight

Operation Pawn Storm: Varied targets and attack vectors, next-level spear-phishing tactics

Posted on 23 October 2014.  |  Targets of the spear phishing emails included staff at the Ministry of Defense in France, in the Vatican Embassy in Iraq, military officials from a number of countries, and more.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Oct 24th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //