Token and Authentication Systems - This website offers some statistics about computer crimes, then follows with a nice discussion of authentication and authentication measures. It includes a discussion of passwords and password protection measures, as well as token authentication, and it even touches a bit on biometric authentication.
What is a Digital Signature? - A nifty little website covering digital signatures. It has some great diagrams and simple explanations. The page covers what digital signatures are and how they work. Unfortunately, it does not cover why they are needed. Not a very complicated site, but an informative one.
Guidelines for Strong Passwords - A nice guideline for creating strong passwords. I particularly found the last example insightful: it shows how to create a complex password that a user actually has a chance of remembering. In addition, I appreciated how it points out that users should not pick words found in any language. Recently, a system at my school was compromised, and the user's password was his favorite Spanish movie.
Observing Reusable Password Choices - This is a nice white paper with some great statistics on the character frequencies used in passwords by the "average user." The paper found that, surprisingly, user-generated passwords were more complex than imagined. However, the researchers discovered that "1 out of 5 where passwords were immediately found in the dictionary." Scary!
DEPARTMENT OF DEFENSE PASSWORD MANAGEMENT GUIDELINE - I found this extremely interesting. It is the approved-for-release Department of Defense Password Management Guideline from 1985. It is interesting to compare some of the ideas from 1985 to those of today. For instance, the guideline states that users should change their passwords a minimum of once a year. Now we debate over whether we should do so in 45 days or in 60 days! Also, it is interesting to note that even back in 1985, a minimum password length of 6 characters was advocated. You can almost "see" the history of the authentication process by comparing this to today's security policies.
A New Two-Server Approach for Authentication with Short Secrets - by John Brainard, Ari Juels, Burt Kaliski, and Michael Szydlo; RSA Laboratories; Bedford, MA 01730, USA; April 9, 2003. This paper addresses the problem of authenticating people by password now that technology has made roaming access available on a wide variety of devices, from PCs to cell phones. Smart card technology helps, but not all of these devices use smart cards. These and other problems are addressed in this paper. This is quite an impressive article.
Authenticating VPNs With RADIUS - By Jim Flint, July 24, 2000. This site is about replacing or supplementing a traditional remote-access dial-in platform with VPNs (virtual private networks). It answers a major question: what is the best way to manage the implementation and maintenance of the client database? The answer suggested in the article is RADIUS (Remote Authentication Dial-In User Service).
Authenticating Web Users Transparently against NTLM with ASP Script and ADSI - By Peter A. Bromberg, Ph.D. This site describes how Bromberg solves the authentication issue transparently. He gains access to the ADSI User object interface via the "GetObject" method, and presents the script as a "test harness" to illustrate the methods involved via a form post. In real production one could make it into an authentication function to which you pass the XML node values or variables containing the user's UserName and Password, and the function would simply return "true" if they were authenticated and "false" if not. Since his script is fairly well documented, he skips the talk and gets right into the code.
Quick Tips for Authenticating Online Information - Deciding which online information is reliable can be a challenge, but luckily there are a few simple strategies that can help separate good information from less credible data. This site points you in the right direction as far as authentication principles you don't want to ignore.
Authenticating a User at Login - This site shows an example and goes into detail on how an initial user login takes place using NetWare 4 authentication. The discussion assumes that an NCP session already exists and that session negotiations (for example, establishing a maximum packet size) are complete. Before starting authentication, the client uses SAP to locate the nearest NDS server having the same tree name as the user. The exchange between the client and the NDS server is illustrated in full detail.
"Digital Signatures" - Author: Ricky M. Magalhaes, May 29, 2003. Summary: In this article the author tries to summarize the importance of a digital signature. He emphasizes the importance of protecting yourself on the Internet and ensuring you are communicating with whom you think you are. He gives several reasons for verifying identities, and covers the components of a digital signature, the process of validating digital signatures, and the importance of private key revocation.
"Multi-Modal Biometrics Authentication System" - Author: Mitsubishi Electric Corporation. Summary: This article discusses the Mitsubishi Electric multi-modal biometrics authentication system. The system can recognize a person by fingerprints, face, signature and other methods, and it allows multiple biometric methods to be combined in order to identify a person. Previously, most systems required some other form of identification, such as passwords, because the system was not capable of identifying a person with 100% accuracy by fingerprints alone. There is a pretty cool diagram of the multi-modal biometrics.
"About Biometrics" - Author: National Institute of Standards and Technology, last updated January 8, 2003. Summary: This article gives a good summary of what biometrics is and how it can be used to improve security. It also provides additional links to websites with discussions related to biometrics.
"Taiwan introduces world's 1st DNA chip" - Author: Alfred Lee, The China Post, August 23, 2001. Summary: This article is very interesting. It refers to the first DNA chip used as a form of authentication. Biowell Technology developed the chip. It can be used to authenticate several different items, ranging from driver's licenses to ink. The chip is fairly inexpensive to install; it compares with the IC chip, and it takes 2 seconds to recognize DNA.
"THE THREE MOST COSTLY MISTAKES IN NETWORK SECURITY" - By Scott Palmquist, VP, Product Management, CipherOptics, July 21, 2003. Summary: This article gives the three most costly mistakes in network security. They are: 1) "Our leased lines are safe; only we have access to them." 2) "Our VPNs are secure." 3) "Our system has a firewall; we're already protected." Unfortunately, these mistakes have proven costly to companies. The article gives a history of encryption and the need for another protection mechanism, such as authentication, to ensure the data you are receiving is the correct data and has not been intercepted and changed.
Biometric Authentication, An Introduction - April 2000; Author: Keith Palmgren. Summary: The article discusses biometric authentication and offers a step-by-step summary of how biometric systems work. The article states that biometrics are best defined as measurable human physiological and/or behavioral characteristics used to verify identity. According to the article, there are seven types of biometric measurements in common use today: fingerprint verification, hand geometry, voice recognition, retinal scanning, iris scanning, signature verification, and facial recognition. The article concludes that there is a good chance biometric authentication will become more commonplace.
Using User Authentication - October 18, 1996. The article discusses user authentication. There are two ways of restricting access to documents: either by the hostname of the browser being used, or by asking for a username and password. If the people who are allowed to access the documents are widely dispersed, or the server administrator needs to control access on an individual basis, user authentication can be used, which requires a username and password to access a document. According to the article, setting up user authentication takes two steps: first, a file containing the usernames and passwords must be created; second, the server must be told what resources are to be protected and which users are allowed (after entering a valid password) to access them.
Bridging The Business-to-Business Authentication Gap - July 10, 1997; Author: Christy Hudgins-Bonafield. Summary: The article discusses the issues involved in business-to-business authentication. According to the article, public key (PK) authentication and the underlying encryption will ultimately determine whether businesses forsake private networks to derive the savings and the collaborative and competitive benefits of the Internet. Similarly, authentication, access control and privileges may underlie efforts to streamline the staffs previously needed for business-to-business transactions. Nevertheless, both businesses and vendors are discovering that the framework for this new child of the Internet has yet to be established, and that there are many gaps and hurdles on the road ahead.
Auditing Web Site Authentication, Part One - April 24, 2003; Author: Mark Burnett. Summary: The article discusses web site authentication and whether inadequate user security is due to a lack of standards or a lack of auditing. The article also focuses on the issues surrounding usernames and passwords, and in doing so establishes a standard audit procedure by which to measure web security. Furthermore, the article suggests that web developers test a list of questions against their own web site's authentication scheme to see how it stands.
Biometrics in Airports - September 25, 2001; Bruce Schneier. According to the article, biometrics is an effective authentication tool. There are three basic kinds of authentication: something you know (password, PIN code, secret handshake), something you have (door key, physical ticket into a concert, signet ring), and something you are (biometrics). Good security uses at least two different authentication types: an ATM card and a PIN code, computer access using both a password and a fingerprint reader, a security badge that includes a picture that a guard looks at. Implemented properly, biometrics can be an effective part of an access control system. The author does not recommend the use of biometrics in airports because it increases the complexity of identification, which leads to identification failures.
Digital Signatures - Authentication, Access Control & Encryption - May 29, 2003; by Ricky M. Magalhaes. A short and sweet explanation of digital signatures. Explains the whys and hows of using digital signatures and gives an explanation of public/private key encryption.
Passwords: the Weak Link in Network Security - May 07, 2003; Deb Shinder. A good article on passwords, their usage and weaknesses. The author explains why passwords are the weakest link and what can be done to improve password creation.
Biometric Technologies - An interesting website; this particular page discusses biometrics and details the differences between identification (an open search) and authentication (a closed search).
Biometrics - by the Technology Investigation Center; document last modified 11/12/2002. An informative website on biometrics; it discusses the topics in terms of false recognition rates and physiological vs. behavioral biometrics.
Password Crackers - By Larry J. Seltzer; December 13, 2001. Relating to our discussion on password policy and authentication methods, I thought it might be informative to see how the opposition sees the security of our passwords. From PCMAG.com, an article on password cracking, how it's done and who does it.
Personal Identification - This is an interesting site that promotes biometric authentication by fingerprint. It attempts to prove that biometrics is superior to traditional passwords and ID badges.
Role Based Access Control with Biometrics Authentication for Enterprise Networks - Lih-Chyau Wuu, Bae-ling Chen, Yuh-Wen Yang. This site provides some nice diagrams and explanations of role-based access control. It promotes fingerprint authentication and states that the two combined simplify security management.
Kerberos: The Network Authentication Protocol - This site describes the basics of the Kerberos authentication protocol. This is a good site for an overview of Kerberos, but it does not go into any detail on the topic. However, the site does provide a number of links to more detailed Kerberos information.
Authentication - August 28, 2002. This site provides links to the basic concepts and definitions that are related to authentication, as well as links to certificate authority websites. It also explains how authentication and authorization are related and provides a link to understanding authorization.
Designing An Authentication System: A Dialogue in Four Scenes - by Bill Bryant; February 1988. This is a hilarious site that describes the Kerberos protocol in dialogue form.
Session Authentication - by John Coggeshall, May 15, 2001. Describes session authentication and explains why to use it and how to use it. The site provides useful code examples for understanding the process.
Kerberos: The Network Authentication Protocol - An excellent site that discusses Kerberos and authentication. We have covered both in CPSC 6136. Contains excellent information that describes what Kerberos is, what authentication is, and how Kerberos uses authentication.
- Another great site that discusses authentication along with access management. It discusses authentication with regard to consumer-oriented electronic commerce on the Internet, where authentication has made considerable advances. Written by Clifford Lynch of the Coalition of Networked Information.
- This article was written by the Network Working Group and authored by J. Franks (Northwestern University), P. Hallam-Baker (Verisign, Inc.), J. Hostetler (AbiSource, Inc.), S. Lawrence (Agranat Systems, Inc.), P. Leach (Microsoft Corporation), A. Luotonen (Netscape Communications Corporation), and L. Stewart (Open Market, Inc.) in June 1999. This article discusses authentication in terms of HTTP authentication. A must-read article.
- This page is short; however, I thought it had some great points. Its primary focus is on an authentication system for a firewall. Written by Alexandre Belloni. See the following URL for more information: http://www.deadly.org/article.php3?sid=20030827091850
- This is a how-to paper entitled Authentication, Authorization, and Access Control, with respect to Apache HTTP Server Version 1.3. It covers topics such as Basic Authentication, how to use basic authentication, protecting content with basic authentication, and Digest authentication, to name a few. If you are interested in authentication, you need to read this article for a good overview.