
Welcome to the Mechanics of User Identification and Authentication Companion Web Site!


The full Table of Contents can be found here.

The book contains many case studies (for details, please see the ToC), and for most of them there is an associated network traffic capture file. The captures can be found here. You may also want to check the topology diagram for the lab used to generate the captures.

Our goal has been to provide readers with a high quality product. Unfortunately, due to the large amount of undocumented information, as well as due to our human nature, we may have dropped a few balls - so please check out the errata.

For an overview of the book, please see below.

Security and Protection of Information 2009, Brno, Czech Republic

On the 5th of May 2009, Dobromir Todorov gave a presentation at the Security and Protection of Information 2009 Conference in Brno, Czech Republic. His session was entitled Security for Unified Communications. You can download the presentation here.

RSA Security Conference Europe 2008, London ExCeL

Dobromir Todorov gave a session at the RSA Security Conference Europe 2008. His session was entitled Unified Security for Unified Communications. You can download the presentation here.

RSA Security Conference Europe 2007, London ExCeL

Dobromir Todorov delivered a session on User Identification and Authentication at the RSA Security Conference Europe. The session is available here.

Mechanics of User Identification and Authentication Brochure

A brochure outlining the content of the book and the ordering process can be downloaded here.

Book Overview
Information Technologies are a vital tool for today's business: they provide
access to information. Information is an asset and needs to be protected.
User authentication is an important part of an organization's controlled
access to resources; it is so important that if it is compromised, virtually all
other protection mechanisms are rendered useless. Yet very often there
is a lack of understanding of what user authentication is, what the goals of
user authentication are, and what the potential approaches to
designing and delivering secure user authentication solutions are.

This book presents the philosophy of user identification and authentication
and access control in general, and maps many of the popular user
authentication technologies to the access control needs of today's
organizations.

Rationale
User Authentication is an essential part of information security. Users
authenticate as they access their computer systems at work or at home
every day. Yet there seems to be ignorance regarding why and how
they are actually being authenticated, what the security level of the
authentication mechanism that they are using is, and what the potential
impacts of selecting one authentication mechanism or another are.

There aren't many printed or online resources that discuss authentication
technologies per se. The few out there concentrate on either authentication
mechanisms provided by specific products or services, or on the theory
behind user authentication with complete detachment from industry
solutions. Neither the Internet nor enterprise infrastructures are
composed of just one product or service. Authentication services are very
often based on standards, and support heterogeneous infrastructures,
systems and user access.

The lack of structured information has often led to misunderstanding and
myths about specific products, services or technologies. This certainly
doesn't help the end user, or the security professional, and may pose
threats to the business and the overall protection of information resources.

There is a lot of information on the Internet on how to attack information
systems, and there are hacker tools as well. However unsystematic this
information may be, and however unprofessional the tools, there is still
more information that can benefit the attackers than the enterprise
infrastructure architect, consultant or engineer. Security and network
infrastructure professionals deserve to have at least as much information
as is available to the potential attackers of their information systems.

Finally, if an IT professional wants to understand how to design a secure
authentication strategy, or whether a specific authentication mechanism
presents specific risks, the only option seems to be to try and read a large
amount of books, online resources and RFCs, and even then the answer
may still be missing either because the information sources don't provide a
systematic view of the subject, or because there is too much information.

Approach
Mechanics of User Identification and Authentication is a book that tries to
summarize a vast amount of information about User Authentication into a
single book. The content is based on the following concepts:
  • Balance between Philosophy and Reference Information: this is
    intended to be more of a handbook than an actual narrative text that
    the reader will read from beginning to end. Chapter 1 is fundamental
    and is likely to be read by all readers. Many readers will read Chapter
    2 or Chapter 3. Chapters 4 and 5 present authentication standards,
    and are more likely to be used as a reference
  • Specific versus General: the book tries to be very specific about
    technical details whenever possible but without becoming so specific
    that the reader cannot see the broader application of the technology
    in question
  • Standards versus Proprietary Solutions: an attempt has been made
    to discuss user authentication as independently from specific
    products and applications as possible. If a standard is available for a
    specific technology, it is given the focus and then proprietary or
    specific implementations are discussed in the light of the standard
  • Strong versus Weak: the book tries to present authentication
    technologies and give the reader a good understanding of why a
    specific authentication method is considered secure or insecure
  • Advantages and Disadvantages: however secure an authentication
    method may be considered, it may still have functional or other
    advantages and disadvantages
  • Explore Authentication in a Lab: services and applications that use
    most of the authentication mechanisms discussed in this book have
    been configured in a lab environment. The book presents a diagram
    and a description of the lab environment. For most of the
    authentication methods there is a specific authentication scenario,
    based on the configuration in the lab, and the book provides a traffic
    capture and comments on the specific authentication mechanism used
    and the details of the authentication process.
  • Clear Explanation of the Authentication Mechanisms: the book
    provides diagrams, step by step authentication process flows,
    dependencies, encryption and integrity authentication, credential
    store and other details in regards to each authentication method so
    that the reader can fully understand how the specific authentication
    mechanism works

Description of the Book
The book consists of 5 chapters.

Chapter 1 provides background on a number of topics which are essential
to user authentication. First, it presents an overview of today's security
landscape, and the specific threats to user authentication. Then the book
outlines the process of controlled access to resources by means of
Authentication, Authorization and Accounting. This chapter discusses the
types of user credentials that can be presented as proof of identity prior to
accessing a computer system. Finally, the first chapter contains a crash
course on cryptography with the essential approaches and terms that are
required to understand how user authentication works.

Chapters 2 and 3 are specific and provide information on the details of
the user authentication process in the two most popular operating systems
today: UNIX (and derivatives) and Windows NT/2000/2003. These chapters
are meant to provide a consistent level of technical knowledge on all the
aspects of user authentication in both operating systems. The content is
technical and provides screenshots and configuration files, so that the
reader can relate the knowledge and experience they already have to the
philosophy and the authentication concepts discussed in the book.

Chapter 2 provides in depth information about the user authentication
model used in UNIX systems. Along with credential stores, technologies
such as process creation, impersonation and delegation are discussed in
this chapter.

Chapter 3 provides detailed information on the user authentication
architecture of Windows NT, Windows 2000 and Windows 2003. This
chapter covers local authentication, credential stores and protection, as well
as the Windows Domain Model. Both Windows NT directory services and
Active Directory are covered.

Chapters 4 and 5 are more standards orientated and provide a level of
abstraction from specific products and technologies. Here the reader will
get familiar with the design and implementation fundamentals of different
user authentication protocols and technologies that are independent from
specific products and can easily be applied to every product that follows the
standards.

Chapter 4 is dedicated to upper level applications and services. First, it
presents common security and user authentication models, such as
GSSAPI, SSPI and SASL. Then it provides information about authentication
mechanisms, including generic authentication protocols such as Kerberos,
NTLM and SSL/TLS that can be used for authentication to any type of
service or application. The chapter then turns to application-specific
information, and user authentication for access to files, e-mail and
databases is explained in detail.

Chapter 5 discusses user authentication for access to the infrastructure,
and covers user authentication architecture on Cisco routers and switches,
Remote Access Authentication protocols, as well as IPSec and VPN
authentication. Past and current Wireless authentication mechanisms are
covered as well. Finally, Chapter 5 discusses how user authentication can
be centralized by using security protocols such as RADIUS and TACACS+.

Intended Audience
The philosophy and architecture of user authentication are important
subjects for a broad spectrum of IT professionals. The author expects that
this book will be of particular interest to the following:
  • Security Architects and Consultants: this category of IT professionals
    is likely to be interested in the entire content of the book
  • Security Engineers and Technicians: this category of IT professionals
    is likely to be interested in all chapters of the book
  • Enterprise Infrastructure Architects and Consultants: this category
    of IT professionals is likely to be interested in the entire content of
    the book
  • Enterprise Application Architects and Consultants: this category of
    IT professionals is likely to be interested in all chapters except user
    authentication for access to the infrastructure
  • Infrastructure Engineers: this category of IT professionals is likely to
    be interested in the entire content of the book
  • System and Application Developers: this category of IT professionals
    is likely to be interested in authentication to applications and services,
    as well as operating system approaches for impersonation and
    delegation.
  • IT and Security Auditors: this category of IT professionals will find in
    depth information on IT controls in regards to user authentication,
    and is likely to be interested in the entire content
  • Risk Management Professionals: this category of professionals will
    find information on the potential risks that the selection of one or the
    other authentication mechanism may bring, and are likely to be
    interested in the entire content
  • University and College Students and Professors: as this book
    provides information on both the philosophy and the implementations
    aspects of user authentication it may help bridge the gap between
    academic and applied knowledge; they are likely to be interested in
    the entire content
  • IT Professionals preparing for the Microsoft MCSE Exams, including
    Design and implementation of Active Directory, Security and
    Networking: likely to be interested in the entire book, apart from
    Chapter 2 on Unix Authentication
  • IT Professionals preparing for the Cisco CCSP and CCIE Security
    exams: likely to be interested in Chapter 1 (concepts), Chapter 4
    (authentication to services) and Chapter 5 (infrastructure authentication)
  • IT Professionals preparing for the CompTIA Security+ or (ISC)2 CISSP
    exams: likely to be interested in the entire book