Welcome to the Mechanics of User Identification and Authentication Companion Web Site!
The book contains many case studies (for details, please see the ToC), and for most of them there is an associated network traffic capture file. The captures can be found here. You may also want to check the topology diagram for the lab used to generate the captures.
Our goal has been to provide readers with a high quality product. Unfortunately, due to the large amount of undocumented information, as well as our human nature, we may have dropped a few balls, so please check out the errata.
For an overview of the book, please see below.
Security and Protection of Information 2009, Brno, Czech Republic
On the 5th of May 2009, Dobromir Todorov gave a presentation at the Security and Protection of Information 2009 Conference in Brno, Czech Republic. His session was entitled Security for Unified Communications. You can download the presentation here.
RSA Security Conference Europe 2008, London ExCel
Dobromir Todorov gave a session at the RSA Security Conference Europe 2008. His session was entitled Unified Security for Unified Communications. You can download the presentation here.
RSA Security Conference Europe 2007, London ExCel
Dobromir Todorov delivered a session on User Identification and Authentication at the RSA Security Conference Europe. The session is available here.
Mechanics of User Identification and Authentication Brochure
A brochure outlining the content of the book and the ordering process can be downloaded here.
Book
Overview
Information Technologies are a vital tool for today's business: they provide
access to information. Information is an asset and needs to be protected.
User authentication is an important part of an organization's controlled
access to resources; it is so important that if compromised, virtually all
other protection mechanisms will be rendered useless. Yet very often there
is lack of understanding of what user authentication is, what the goals of
user authentication are, as well as what the potential approaches to
designing and delivering secure user authentication solutions are.
This book presents the philosophy of user identification and authentication
and access control in general, and maps many of the popular user
authentication technologies to the access control needs of today's
organizations.
Rationale
User authentication is an essential part of information security. Users
authenticate as they access their computer systems at work or at home
every day. Yet there seems to be ignorance regarding why and how
they are actually being authenticated, what the security level of the
authentication mechanism that they are using is, and what the potential
impacts of selecting one authentication mechanism or another are.
There aren't many printed or online resources that discuss authentication
technologies per se. The few out there concentrate on either authentication
mechanisms provided by specific products or services, or on the theory
behind user authentication with complete detachment from industry
solutions. Neither the Internet, nor enterprise infrastructures are
comprised of just one product or service. Authentication services are very
often based on standards, and support heterogeneous infrastructures,
systems and user access.
The lack of structured information has often led to misunderstanding and
myths about specific products, services or technologies. This certainly
doesn't help the end user, or the security professional, and may pose
threats to the business and the overall protection of information resources.
There is a lot of information on the Internet on how to attack information
systems, and there are hacker tools as well. However unsystematic this
information may be, and however unprofessional the tools, there is still
more information available to benefit attackers than the enterprise
infrastructure architect, consultant or engineer. Security and network
infrastructure professionals deserve to have at least as much information
as is available to the potential attackers of their information systems.
Finally, if an IT professional wants to understand how to design a secure
authentication strategy, or whether a specific authentication mechanism
presents specific risks, the only option seems to be to try and read a large
amount of books, online resources and RFCs, and even then the answer
may still be missing either because the information sources don't provide a
systematic view of the subject, or because there is too much information.
Approach
Mechanics of User Identification and Authentication tries to
summarize a vast amount of information about user authentication in a
single volume. The content is based on the following concepts:
- Balance between Philosophy and Reference Information: this is intended to be more of a handbook than an actual narrative text that the reader will read from beginning to end. Chapter 1 is fundamental and is likely to be read by all readers. Many readers will read Chapter 2 or Chapter 3. Chapters 4 and 5 present authentication standards, and are more likely to be used as a reference
- Specific versus General: the book tries to be very specific about technical details whenever possible, but without becoming so specific that the reader cannot see the broader application of the technology in question
- Standards versus Proprietary Solutions: an attempt has been made to discuss user authentication as independently from specific products and applications as possible. If a standard is available for a specific technology, it is given the focus, and proprietary or specific implementations are then discussed in the light of the standard
- Strong versus Weak: the book tries to present authentication technologies and give the reader a good understanding of why a specific authentication method is considered secure or insecure
- Advantages and Disadvantages: however secure an authentication method may be considered, it may still have functional or other advantages and disadvantages
- Explore Authentication in a Lab: services and applications that use most of the authentication mechanisms discussed in this book have been configured in a lab environment. The book presents a diagram and a description of the lab environment. For most of the authentication methods there is a specific authentication scenario, based on the configuration in the lab, and the book provides a traffic capture and comments on the specific authentication mechanism used and the details of the authentication process
- Clear Explanation of the Authentication Mechanisms: the book provides diagrams, step-by-step authentication process flows, dependencies, encryption and integrity protection, credential stores and other details for each authentication method, so that the reader can fully understand how the specific authentication mechanism works
Description of the Book
The book consists of 5 chapters.
Chapter 1 provides background on a number of topics which are essential
to user authentication. First, it presents an overview of today's security
landscape, and the specific threats to user authentication. Then the book
outlines the process of controlled access to resources by means of
Authentication, Authorization and Accounting. This chapter discusses the
types of user credentials that can be presented as proof of identity prior to
accessing a computer system. Finally, the first chapter contains a crash
course on cryptography with the essential approaches and terms that are
required to understand how user authentication works.
Chapters 2 and 3 provide information on the specifics of
the user authentication process in the two most popular operating systems
today: UNIX (and derivatives) and Windows NT/2000/2003. These chapters
are meant to provide a consistent level of technical knowledge on all the
aspects of user authentication in both operating systems. The content is
technical and provides screenshots and configuration files, so that the
reader can relate the knowledge he already has and the things he has
already seen to the philosophy and the authentication concepts
discussed in the book.
Chapter 2 provides in depth information about the user authentication
model used in UNIX systems. Along with credential stores, technologies
such as process creation, impersonation and delegation are discussed in
this chapter.
Chapter 3 provides detailed information on the user authentication
architecture of Windows NT, Windows 2000 and Windows 2003. This
chapter covers local authentication, credential stores and protection, as well
as the Windows Domain Model. Both Windows NT directory services and
Active Directory are covered.
Chapters 4 and 5 are more standards oriented and provide a level of
abstraction from specific products and technologies. Here the reader will
get familiar with the design and implementation fundamentals of different
user authentication protocols and technologies that are independent from
specific products and can easily be applied to every product that follows the
standards.
Chapter 4 is dedicated to upper level applications and services. First, it
presents common security and user authentication models, such as
GSSAPI, SSPI and SASL. Then, information about authentication
mechanisms is provided, including generic authentication protocols,
such as Kerberos, NTLM and SSL/TLS, that can be used for authentication
to any type of service or application. The chapter then moves to
application-specific information: user authentication for access to files,
e-mail and databases is explained in detail.
Chapter 5 discusses user authentication for access to the infrastructure,
and covers user authentication architecture on Cisco routers and switches,
Remote Access Authentication protocols, as well as IPSec and VPN
authentication. Past and current wireless authentication mechanisms are
covered as well. Finally, Chapter 5 discusses how user authentication can
be centralized by using security protocols, such as RADIUS and TACACS+.
Intended Audience
The philosophy and architecture of user authentication are important
subjects for a broad spectrum of IT professionals. The author expects that
this book will be of particular interest to the following:
- Security Architects and Consultants: this category of IT professionals is likely to be interested in the entire content of the book
- Security Engineers and Technicians: this category of IT professionals is likely to be interested in all chapters of the book
- Enterprise Infrastructure Architects and Consultants: this category of IT professionals is likely to be interested in the entire content of the book
- Enterprise Application Architects and Consultants: this category of IT professionals is likely to be interested in all chapters except user authentication for access to the infrastructure
- Infrastructure Engineers: this category of IT professionals is likely to be interested in the entire content of the book
- System and Application Developers: this category of IT professionals is likely to be interested in authentication to applications and services, as well as operating system approaches for impersonation and delegation
- IT and Security Auditors: this category of IT professionals will find in-depth information on IT controls regarding user authentication, and is likely to be interested in the entire content
- Risk Management Professionals: this category of professionals will find information on the potential risks that the selection of one or another authentication mechanism may bring, and is likely to be interested in the entire content
- University and College Students and Professors: as this book provides information on both the philosophy and the implementation aspects of user authentication, it may help bridge the gap between academic and applied knowledge; they are likely to be interested in the entire content
- IT Professionals preparing for the Microsoft MCSE Exams, including Design and Implementation of Active Directory, Security and Networking: likely to be interested in the entire book, apart from Chapter 2 on UNIX Authentication
- IT Professionals preparing for the Cisco CCSP and CCIE Security exams: likely to be interested in Chapter 1 (concepts), Chapter 4 (authentication to services) and Chapter 5 (infrastructure authentication)
- IT Professionals preparing for the CompTIA Security+ or (ISC)2 CISSP exams: likely to be interested in the entire book