Preface.
    What This Book Is About
    Who This Book Is For
    Acknowledgments
1. The Authentication Landscape.
    A Very Old Story
    Elements of an Authentication System
    Revised Attacks and Revised Defenses
    Security Strategies
    Authentication in Timesharing Systems
    Passwords Under Attack
    Hashed Passwords
    Attacking the Secret
    Guessing Attacks
    Social Engineering
    Sniffing Attacks
    Sniffing in Software
    Trojan Login
    Van Eck Sniffing
    Authentication Factors
    Judging Attack Prevalence
    Summary Tables
2. Evolution of Reusable Passwords.
    Passwords: Something You Know
    Authentication and Base Secrets
    Cultural Authentication
    Random Secrets
    The Unix Password System
    Attacking the Unix Password File
    The M-209 Hash
    The DES Hash
    Dictionary Attacks
    The Internet Worm
    Resisting Guessing Attacks
    Randomness and Bit Spaces
    Biases in Base Secrets
    Average Attack Space
    Summary Tables
3. Integrating People.
    Roles People Play
    Insiders and Outsiders
    Users and Administrators
    Carriers and Crackers
    Enrolling Users
    Self-Authentication
    Enrollment in Person
    Assigning an Initial Secret
    Random Secret
    Cultural Secret
    Changing the Initial Password
    Entropy and User Password Selection
    Statistical Bias in Text
    Dictionary Attacks
    Estimating Bias in Password Selection
    Restricting Password Selection
    Therapeutic Password Cracking
    Automatic Password Generation
    Proactive Password Checking
    Limitations on Password Strength
    Summary Tables
4. Design Patterns.
    Patterns in Authentication Systems
    The Role of Physical Security
    Protecting Software Authentication
    Protecting Workstations
    Hardware Protection of Authentication
    Administrative Requirements
    Physical Protection
    Ease of Authentication
    Efficient Administration
    Local Authentication
    Direct Authentication
    Indirect Authentication
    Authentication Protocols
    Indirect Authentication Protocols
    Off-Line Authentication
    Applying the Patterns
    Summary Tables
5. Local Authentication.
    Laptops and Workstations
    Workstation Encryption
    File Encryption
    Volume Encryption
    Encryption for Data Protection
    Shortcut Attacks on Encryption
    Trial-and-Error Attacks on Encryption
    Theoretical Guess-Rate Limitations
    Key-Handling Issues
    Memorized Keys
    Key-Handling Policies
    Key Escrow and Crypto Politics
    Summary Tables
6. Picking PINs and Passwords.
    Password Complexity
    Passwords and Usability
    Forcing Functions and Mouse Pads
    Different Secrets for Different Uses
    Sniffable Passwords
    PIN Applications
    Internal Passwords
    External Passwords
    Improving Internal Password Entry
    Operator-Controlled Password Display
    Report Incorrect User Names
    Allow Many Password Guesses
    Report Incorrect Password Attempts
    Avoid Periodic Password Changes
    Password Selection
    Internal Passwords
    External and Administrative Passwords
    Shared Passwords
    Multiple-Use Passwords
    Password Delegation
    Storing Written Passwords
    Physical Custody
    Locked Storage
    Electronic Storage
    Sequences and Groups of Passwords
    Password Sequences
    Forward Secrecy With Theme Words
    Passwords From Songs and Poems
    Summary Tables
7. Biometrics.
    Biometrics: Something You Are
    Promise and Reality
    Uses of Biometrics
    Biometric Techniques
    Measuring Physical Traits
    Measuring Behavioral Traits
    How Biometrics Work
    Taking a Biometric Reading
    Feedback During Biometric Input
    Forging a Physical Trait
    Building and Matching Patterns
    Example: A Trivial Hand Geometry Biometric
    Enrolling a User
    Biometric Accuracy
    Trading Off Usability and Security
    Average Attack Space
    Biometric Encryption
    Preserving Secrecy
    Authenticity of Biometric Data
    The Problem of Biometric Exploitation
    Summary Tables
8. Authentication by Address.
    Who Versus Where
    Telephone Numbers as Addresses
    Identification via Dial-Back
    Dial-Up Identification: Caller ID
    Network Addresses
    Addressing on the ARPANET
    Internet Protocol Addresses
    Attacks on Internet Addresses
    IP Address Theft
    Denial of Service Attacks
    Effective Source Authentication
    Unix Local Network Authentication
    The “r” Commands
    Remote Procedure Calls, NFS, and NIS
    Authenticating a Geographical Location
    Summary Tables
9. Authentication Tokens.
    Tokens: Something You Have
    Passive Tokens
    Active Tokens
    Network Password Sniffing
    One-Time Passwords
    Counter-Based One-Time Passwords
    Clock-Based One-Time Passwords
    Attacks on One-Time Passwords
    Man in the Middle Attack
    IP Hijacking
    Incorporating a PIN
    PIN Appended to an External Password
    PIN as an Internal Password
    PIN as Part of the Base Secret
    Enrolling Users
    Summary Tables
10. Challenge Response Passwords.
    Challenge Response
    Challenge Response and X9.9
    S/Key Authentication
    Challenge Response Issues
    User Interaction
    Known Ciphertext Attack on ANSI X9.9
    Password Token Deployment
    Soft Tokens
    Handling Multiple Servers
    Proprietary Implementations
    Evolving Windows Authentication
    LANMAN Hashing
    Attacking the LANMAN Hash
    Plaintext Passwords on Windows
    Windows Challenge Response
    Attacking Windows Challenge Response
    Windows NTLM Authentication
    Attacking the NT Password Database
    Attacking NTLM Challenge Response
    Summary Tables
11. Indirect Authentication.
    Indirect Authentication
    Network Boundary Control
    One-Time Password Products
    LAN Resource Control
    RADIUS Protocol
    A RADIUS Logon
    Protecting RADIUS Messages
    RADIUS Challenge Response
    Encrypted Connections and Windows NT
    Encrypted Connections
    Integrity Protection
    Politics, Encryption, and Technical Choices
    Windows NT Secure Channels
    Secure Channel Keying
    Attacks on Secure Channels
    Computers' Authentication Secrets
    Summary Tables
12. Kerberos and Windows 2000.
    The Key Distribution Center
    Tickets
    Needham-Schroeder
    Kerberos
    The Authentication Server
    Authenticating to a Server
    Ticket-Granting Service
    User and Workstation Authentication
    Workstation Authentication
    Preauthentication
    Ticket Delegation
    Proxiable TGT
    Forwardable TGT
    Realms and Referral Tickets
    Attacking a Kerberos Network
    Intrusion Tolerance
    Clock Synchronization
    Kerberos in Windows 2000
    Master Keys and Workstation Authentication
    Service and Protocol Support
    Summary Tables
13. Public Keys and Off-Line Authentication.
    Public Key Cryptography
    The RSA Public Key Algorithm
    Attacking RSA
    Attacking RSA Keys
    Attacking Digital Signatures
    The Digital Signature Standard
    Challenge Response Revisited
    LOCKOut Fortezza Authentication Protocol
    FIPS 196 Authentication
    Secure Sockets Layer
    Establishing Keys with SSL
    Authentication with Typical SSL
    SSL Client Authentication
    Public Keys and Biometrics
    Summary Tables
14. Public Key Certificates.
    Tying Names to Public Keys
    Certificate Authorities
    Using the Right Certificate
    Creating Certificates
    Certificate Standards
    Certificates and Access Control
    Certificate Authorities
    Proprietors as Certificate Authorities
    Commercial Certificate Authorities
    Public Key Infrastructure
    Centralized Hierarchy
    Authority Lists
    Cross-Certification
    Personal Certification
    Certified by Reputation
    Certified by a Web of Trust
    Certificate Revocation
    Certificate Revocation List
    On-line Revocation
    Timely Certification
    Certificates with Kerberos
    Summary Tables
15. Private Key Security.
    Generating Private Keys
    The Private Key Storage Problem
    Smart Cards and Private Keys
    Off-Card Key Generation
    On-Card Key Generation
    Smart Card Access Control
    PINs
    Biometrics
    Private Keys on Servers
    Novell NetWare: Key Downloading
    Safeword Virtual Smart Card: Data Uploading
    Passwords Revisited
    Summary Tables
Notes.
Bibliography.
Web and Vendor Resources.
Glossary.
Index.
This is the first comprehensive guide to authentication: making sure your users are who they say they are. Leading security consultant Richard Smith reviews every option for authentication, from passwords to biometrics, and virtually every application scenario -- offering practical guidance on choosing the best option, implementing it, and managing it. Smith begins by introducing the authentication landscape, explaining how today's authentication options have evolved from yesterday's timesharing systems, and showing how to estimate the prevalence of successful attacks. He presents detailed coverage of passwords, password selection, and the human issues associated with password-based authentication. Other key topics include: authentication for laptops and workstations, encryption, cryptographic keys, PIN numbers, biometrics, tokens, Windows 2000's Kerberos implementation, public and private keys, SSL, certificates, and more. For all network and security professionals.
Richard E. Smith works for Secure Computing Corporation
where he provides consulting services in network security to
commercial and government organizations, including the National
Security Agency. He has also served as principal systems engineer
for military network guard systems and the Sidewinder Internet
Firewall. He frequently lectures, writes, and conducts seminars on
cryptography and computer security. He holds an M.S. and Ph.D. in
computer science from the University of Minnesota and a B.S. in
engineering from Boston University.