Welcome to the Mechanics of User Identification and Authentication Companion Web Site!
The full Table of Contents can be found here.
The book contains many case studies (for details, please see the ToC), and for most of them there is an associated network traffic capture file. The captures can be found here. You may also want to check the topology diagram for the lab used to generate the captures.
Our goal has been to provide readers with a high quality product. Unfortunately, due to the large amount of undocumented information, as well as due to our human nature, we may have missed a few balls - so please check out the errata.
For an overview of the book, please see below.
Security and Protection of Information 2009, Brno, Czech Republic
On the 5th of May 2009, Dobromir Todorov gave a presentation at the Security and Protection of Information 2009 Conference in Brno, Czech Republic. His session was entitled Security for Unified Communications. You can download the presentation here.
RSA Security Conference Europe 2008, London ExCel
Dobromir Todorov gave a session at the RSA Security Conference Europe 2008. His session was entitled Unified Security for Unified Communications. You can download the presentation here.
RSA Security Conference Europe 2007, London ExCel
Dobromir Todorov delivered a session on User Identification and Authentication at the RSA Security Conference Europe. The session is available here.
Mechanics of User Identification and Authentication Brochure
A brochure outlining the content of the book and the ordering process can be downloaded here.
Book Overview
Information Technologies are a vital tool for today's business: they provide access to information. Information is an asset and needs to be protected.
User authentication is an important part of an organisation's controlled access to resources; it is so important that, if compromised, virtually all other protection mechanisms will be rendered useless. Yet very often there is a lack of understanding of what user authentication is, what the goals of user authentication are, and what the potential approaches to designing and delivering secure user authentication solutions are. This book presents the philosophy of user identification and authentication and access control in general, and maps many of the popular user authentication technologies to the access control needs of today's organisations.
Rationale
User authentication is an essential part of information security. Users authenticate as they access their computer systems at work or at home every day. Yet there seems to be widespread ignorance of why and how they are actually being authenticated, what the security level of the authentication mechanism they are using is, and what the potential impacts of selecting one authentication mechanism over another are.
There aren't many printed or online resources that discuss authentication technologies per se. The few out there concentrate either on authentication mechanisms provided by specific products or services, or on the theory behind user authentication with complete detachment from industry solutions. Neither the Internet nor enterprise infrastructures are comprised of just one product or service. Authentication services are very often based on standards, and support heterogeneous infrastructures, systems and user access.
The lack of structured information has often led to misunderstanding and myths about specific products, services or technologies. This certainly doesn't help the end user or the security professional, and may pose threats to the business and the overall protection of information resources. There is a lot of information on the Internet on how to attack information systems, and there are hacker tools as well. However unsystematic this information may be, and however unprofessional the tools, there is still more information that can benefit attackers than the enterprise infrastructure architect, consultant or engineer. Security and network infrastructure professionals deserve to have at least as much information as is available to the potential attackers of their information systems.
Finally, if an IT professional wants to understand how to design a secure authentication strategy, or whether a specific authentication mechanism presents specific risks, the only option seems to be to try to read a large number of books, online resources and RFCs, and even then the answer may still be missing, either because the information sources don't provide a systematic view of the subject, or because there is too much information.
Approach
Mechanics of User Identification and Authentication is a book that tries to summarise a vast amount of information about user authentication into a single volume. The content is based on the following concepts:
Balance between Philosophy and Reference Information: this is intended to be more of a handbook than a narrative text that the reader will read from beginning to end. Chapter 1 is fundamental and is likely to be read by all readers. Many readers will read Chapter 2 or Chapter 3. Chapters 4 and 5 present authentication standards, and are more likely to be used as a reference.
Specific versus General: the book tries to be very specific about technical details whenever possible, but without becoming so specific that the reader cannot see the broader application of the technology in question.
Standards versus Proprietary Solutions: an attempt has been made to discuss user authentication as independently from specific products and applications as possible. If a standard is available for a specific technology, it is given the focus, and then proprietary or specific implementations are discussed in the light of the standard.
Strong versus Weak: the book tries to present authentication technologies and give the reader a good understanding of why a specific authentication method is considered secure or insecure.
Advantages and Disadvantages: however secure an authentication method may be considered, it may still have functional or other advantages and disadvantages.
Explore Authentication in a Lab: services and applications that use most of the authentication mechanisms discussed in this book have been configured in a lab environment. The book presents a diagram and a description of the lab environment. For most of the authentication methods there is a specific authentication scenario, based on the configuration in the lab, and the book provides a traffic capture and comments on the specific authentication mechanism used and the details of the authentication process.
Clear Explanation of the Authentication Mechanisms: the book provides diagrams, step-by-step authentication process flows, dependencies, encryption and integrity protection, the credential store and other details for each authentication method, so that the reader can fully understand how the specific authentication mechanism works.
Description of the Book
The book consists of 5 chapters.
Chapter 1 provides background on a number of topics which are essential to user authentication. First, it presents an overview of today's security landscape, and the specific threats to user authentication. Then the book outlines the process of controlled access to resources by means of Authentication, Authorization and Accounting. This chapter discusses the types of user credentials that can be presented as proof of identity prior to accessing a computer system. Finally, the first chapter contains a crash course on cryptography with the essential approaches and terms that are required to understand how user authentication works.
Chapters 2 and 3 provide information on the specifics of the user authentication process in the two most popular operating systems today: UNIX (and derivatives) and Windows NT/2000/2003. These chapters are meant to provide a consistent level of technical knowledge on all aspects of user authentication in both operating systems. The content is technical and provides screenshots and configuration files, so that readers can relate the knowledge they already have and the things they have already seen to the philosophy and the authentication concepts discussed in the book.
Chapter 2 provides in-depth information about the user authentication model used in UNIX systems. Along with credential stores, technologies such as process creation, impersonation and delegation are discussed in this chapter.
Chapter 3 provides detailed information on the user authentication architecture of Windows NT, Windows 2000 and Windows 2003. This chapter covers local authentication, credential stores and protection, as well as the Windows Domain Model. Both Windows NT directory services and Active Directory are covered.
Chapters 4 and 5 are more standards oriented and provide a level of abstraction from specific products and technologies. Here the reader will become familiar with the design and implementation fundamentals of different user authentication protocols and technologies that are independent of specific products and can easily be applied to every product that follows the standards.
Chapter 4 is dedicated to upper-level applications and services. First, it presents common security and user authentication models, such as GSSAPI, SSPI and SASL. Then it covers authentication mechanisms, including generic authentication protocols such as Kerberos, NTLM and SSL/TLS that can be used for authentication to any type of service or application. The chapter then becomes application-specific, and user authentication for access to files, e-mail and databases is explained in detail.
Chapter 5 discusses user authentication for access to the infrastructure, and covers the user authentication architecture on Cisco routers and switches, remote access authentication protocols, as well as IPSec and VPN authentication. Past and current wireless authentication mechanisms are covered as well. Finally, Chapter 5 discusses how user authentication can be centralised by using security protocols such as RADIUS and TACACS+.
Intended Audience
The philosophy and architecture of user authentication are important subjects for a broad spectrum of IT professionals. The author expects that this book will be of particular interest to the following:
Security Architects and Consultants: this category of IT professionals is likely to be interested in the entire content of the book.
Security Engineers and Technicians: this category of IT professionals is likely to be interested in all chapters of the book.
Enterprise Infrastructure Architects and Consultants: this category of IT professionals is likely to be interested in the entire content of the book.
Enterprise Application Architects and Consultants: this category of IT professionals is likely to be interested in all chapters except user authentication for access to the infrastructure.
Infrastructure Engineers: this category of IT professionals is likely to be interested in the entire content of the book.
System and Application Developers: this category of IT professionals is likely to be interested in authentication to applications and services, as well as operating system approaches for impersonation and delegation.
IT and Security Auditors: this category of IT professionals will find in-depth information on IT controls in regard to user authentication, and is likely to be interested in the entire content.
Risk Management Professionals: this category of professionals will find information on the potential risks that the selection of one authentication mechanism or another may bring, and is likely to be interested in the entire content.
University and College Students and Professors: as this book provides information on both the philosophy and the implementation aspects of user authentication, it may help bridge the gap between academic and applied knowledge; they are likely to be interested in the entire content.
IT Professionals preparing for the Microsoft MCSE Exams, including Design and Implementation of Active Directory, Security and Networking: likely to be interested in the entire book, apart from Chapter 2 on UNIX authentication.
IT Professionals preparing for the Cisco CCSP and CCIE Security exams: likely to be interested in Chapter 1 (concepts), Chapter 4 (authentication to services) and Chapter 5 (infrastructure authentication).
IT Professionals preparing for the CompTIA Security+ or (ISC)2 CISSP exams: likely to be interested in the entire book.