Is such a thing even possible? Yes, Richard E. Smith proves it by publishing Authentication, a comprehensive guide to all things that authenticate or are authenticated. The book will educate you on more aspects of authentication than you ever wanted to know, but you will most likely enjoy it. As a security professional, I found the author's writing to be excellent and even entertaining, a clear sign of writing by a true expert on the subject.
Every obscure form of authentication protocol (have you heard of X9.17 lately?) finds its place in the book. Passwords, tokens, biometrics and various authentication protocols are all described and analyzed in great detail, in plain English and with multiple diagrams. Another valuable feature is that each chapter summary outlines the relevant attacks and defenses for every authentication protocol covered. The attacks that existing defenses do not cover ("residual attacks") are emphasized at the end as something to watch for. For example, a 'trojan horse' attack that steals authentication credentials is one of them; apparently there is no 100 percent reliable way to stop it.
A chapter on passwords contains several creative ideas for making this ubiquitous form of authentication more effective: simultaneously more secure and more usable. It also answers some interesting password questions. When does it make no sense to enforce a complex non-dictionary password? How random is a random password drawn from a dictionary? Why is a four-digit bank PIN secure enough for the job? When is it better to write a password down? Read the book and you will discover the answers. The book also explains public key cryptosystems and their use for authentication (such as PKI).
People issues of security also receive well-deserved coverage in a separate chapter. The various kinds of secrets that people use as passwords are outlined. An interesting discussion of choosing an initial password when granting system access reveals important aspects of this process that few people think about.
For more technically inclined readers, a straightforward analysis of the complexities of Windows authentication (LANMAN, NTLM, Kerberos) and the attacks against it is provided in the "Challenge Response Passwords" chapter. Computer scientists will find some insights into authentication algorithm design patterns. For less technical readers, understanding authentication through the story of Ali Baba and the cave of treasures will help sort through the requirements and peculiarities of authentication systems. Overall, the book (while targeted at security professionals) contains something for almost everyone interested in how computers tell that whoever is sitting at the console is who she says she is.
Book: Authentication: From Passwords to Public Keys
Author: Richard E. Smith
Publisher: Addison-Wesley, 2001
Paperback, 448 pp.
Anton Chuvakin, Ph.D. is a senior security analyst with netForensics (www.netforensics.com), a security information management software company that provides real-time network security monitoring solutions.