Reading Room

Sorry! The requested paper could not be found.


Featuring 55 Papers as of March 27, 2014

  • An Architecture for Implementing Enterprise Multifactor Authentication with Open Source Tools Masters Tom Webb - March 27, 2014

    We are all familiar with how password authentication works as we log into dozens of systems each day to check email or view bank account balance.

  • Implementing IEEE 802.1x for Wired Networks Johan Loos - March 14, 2014

    Most companies do not have an extra of security layer in place when client computers are connecting to a wired network.

  • The Dangers of Weak Hashes Kelly Brown - December 4, 2013

    In June of 2012 a hacker posted more than 8 million passwords to the internet belonging to LinkedIn and eHarmony (Goodin, 2012).

  • Daisy Chain Authentication Masters Courtney Imbert - September 18, 2013

    "Daisy chain authentication", a term originally coined by Wired writer Mat Honan, is defined as an attacker using normal but alternative authentication methods to break into an account, building upon public or previously compromised data to gain access to other accounts.

  • SSL/TLS: What's Under the Hood Masters Sally Vandeven - August 22, 2013

    Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both protocols used for the encryption of network data.

  • Two-Factor Authentication: Can You Choose the Right One? Masters Emilio Valente - October 15, 2009

    The focus of this paper is enterprise solutions for two-factor authentication.

  • OS and Application Fingerprinting Techniques Masters Jon Mark Allen - October 22, 2008

    This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss techniques and methods used by three of the most popular fingerprinting  applications: nmap, Xprobe2, and p0f.

  • Simple Formula for Strong Passwords (SFSP) Tutorial Bernie Thomas - May 17, 2005

    The practice of using passwords for user authentication exposes organizations' and individual users' data to disclosure alteration and/or destruction. However, a large portion of the security issues that make this true can be satisfactorily addressed using a simple method that I would like to introduce as the Simple Formula for Strong Passwords (SFSP) [Note 1].

  • Installing a Secure Network DHCP Registration System Pam Fournier - May 5, 2005

    One limitation of DHCP is that there is no accountability for IP address usage. NetReg is a Network DHCP Registration System which provides a means of linking user information to MAC and IP addresses on the network.

  • Secure implementation of Enterprise single sign-on product in an organization Ravikanth Ponnapalli - January 18, 2005

    Single Sign-On is a very important component of the security architecture of an organization. In IT, it is generally believed that it is expensive to deploy an enterprise Single Sign-On solution that is secure and scalable. However, there is a growing awareness in IT management about the advantages of implementation of enterprise Single Sign-On.

  • An Exploration of Voice Biometrics Lisa Myers - July 25, 2004

    Biometrics is, in the simplest definition, something you are. It is a physical characteristic unique to each individual. Using biometrics to identify individuals is a practice as old as ancient Egypt. Today, it is becoming more and more popular to use biometrics to identify people and authenticate them for access to secure areas and systems.

  • Single Sign On Concepts & Protocols Sandeep Sandhu - March 25, 2004

    This paper describes the characteristics and concepts of a few important protocols and technologies that have been used for implementing authentication and single sign-on (SSO) mechanisms for computer networks.

  • Dont Blink:Iris Recognition for Biometric Identification Mary Dunker - March 8, 2004

    This paper explores the origins of iris recognition, how it works, how it stacks up against other forms of biometric identification and what is required to perform the identification.

  • Biometrics: An In Depth Examination Kyle Cherry - March 2, 2004

    The purpose of this paper is to give the reader a good foundational understanding of biometric security systems. The intent is not to make the reader an expert in any one system.

  • Convergence of Logical and Physical Security Yahya Mehdizadeh - January 11, 2004

    This paper will demonstrate that the convergence of logical and physical security brings significant benefits, specifically identifying areas where the two can interconnect to the greatest positive effect, and also recommends practical steps to take in this direction.

  • It's All About Authentication Douglas Graham - October 31, 2003

    This paper categorizes and then simplifies some of the core fundamentals of electronic security controls and mechanisms and concludes that authentication is the single most important aspect in information security.

  • Identity Management Kevin Kaufman - October 31, 2003

    Information security magazines of all nature are publishing more and more articles about identity management and improved access control measures.

  • Shedding some light on Voice Authentication Dualta Currie - October 31, 2003

    This paper attempts to explain, in non -technical language, the technologies behind one particular type of biometric authentication, voice authentication.

  • Biometrics: Are YOU the Key to Security? Patricia Wittich - October 31, 2003

    This paper will discuss the concepts behind the emerging biometrics craze along with its efficiency, cost, privacy issues, and success versus failure rate.

  • In Pursuit of Liberty? Randy Mahrt - October 31, 2003

    This paper explores the Liberty specification version 1.0 that was released on July 15, 2002.

  • An Introduction to Identity Management Spencer Lee - October 31, 2003

    The purpose of this document is to offer a broad overview of current identity management technologies and provide a framework for determining when an identity management system would benefit your company.

  • Identity Protection and Smart Card Adoption in America Stephen Irwin - October 31, 2003

    This paper will address smart card technology as a viable alternative to present financial and identity standards, and why it will be woven into the American identity fabric over the next decade.

  • Biometrics: Technology That Gives You a Password You Can't Share Yevgeniy Libov - October 31, 2003

    This paper examines biometrics technology as a means for making user authentication more secure based on a unique identifier, the fingerprint.

  • Overview of S/Key usage with OpenBSD Christian Lecompte - October 31, 2003

    An evaluation of S/Key usage and integration with the The OpenBSD Operating System.

  • Proximity Authentication Ali Merayyan - October 31, 2003

    The author discusses protecting data by denying direct physical access onto a user's computer; that is, protect sensitive data terminals from being used by unauthorized users.

  • Clear Text Password Risk Assessment Documentation Kimberly Rallo - October 31, 2003

    This paper will present a risk assessment on sending clear text passwords across an enterprise network.

  • Password Protection: Is This the Best We Can Do? Jason Mortensen - October 31, 2003

    This paper explores how a combination of user education, strict password policies, encrypted network traffic, onetime passwords, Public-Key Infrastructure systems, and the use of biometrics, authentication can make computer systems less vulnerable to attacks.

  • Inadequate Password Policies Can Lead to Problems Leonard Hermens - October 31, 2003

    This paper explores how, overall, the security administrator's duty is to reasonably ensure the security of the network, and how he/she can do this by setting effective password policies

  • An Overview of Different Authentication Methods and Protocols Richard Duncan - October 31, 2003

    This overview will generalize several Authentication Methods and Authentication Protocols in hopes of better understanding a few options that are available when designing a security system.

  • Technical Aspect of Implementing/Upgrading SAP Security 4.6 Mary Sims - October 31, 2003

    This paper will discuss the technical aspect of securing the SAP environment and, even more specifically, the details of controlling security for the SAP Release 4.0 and above.

  • Passwords are DEAD! (Long live passwords?) David Beverstock - October 31, 2003

    Following a brief history and definition of passwords, this paper will show three properties of passwords that render passwords risky or unsuitable for use.

  • A Concept for Universal Identification Daniel Williams - October 31, 2003

    The goal of this paper is to provide a detailed look at a new perspective for a unified, secure and consolidated form of personal identification. The advanced yet inexpensive technology exists today to step up modern identification to the next level.

  • Biometrics and User Authentication Michael Zimmerman - October 31, 2003

    The purpose of this paper will be to look at the use of biometrics technology to determine how secure it might be in authenticating users, and how the users job function or role would impact the authentication process or protocol. We will also examine personal issues of privacy in the methods used for authentication; the cost of implementing a biometrics authentication system; the efficiency of biometrics authentication; and the potential for false positive or negative recognition of individual users.

  • Authentication and Authorization: The Big Picture with IEEE 802.1X Arthur Fisher - October 31, 2003

    This paper explores how Auth-x brings authentication and authorization down to a port level, enabling true privilege-based management of network services.

  • More Than a Pretty Face, Biometrics and SmartCard Tokens Gregory Williams - October 31, 2003

    This paper will address many of the types of Biometrics available as well as the use of smart card technology.

  • Biometric Technology Stomps Identity Theft Seyoum Zegiorgis - October 31, 2003

    This paper discusses the benefits of implementing a biometric technology product--one more tool for safeguarding the information assets and key installations of an organization--the privacy issues associated with the deployment of a BTP

  • Securing Access: Making Passwords a Legitimate Corporate Defense David Sherrod - October 31, 2003

    This paper outlines four easy steps to secure access to your systems using strong passwords, even those selected by users.

  • Build a Web Interface to Allow Users to Change their Passwords (The Web Password Page) Mark Holbrook - October 31, 2003

    The purpose of this paper is to show you (the System Administrator) how to break free from the mundane task of periodically changing user passwords (in keeping with good security practices from GIAC Security Essentials). This document is designed to show you step-by-step how to build a web page for users to update their passwords on a UNIX or Windows server, easily, securely and without spending too much money on software!

  • Java Smart Cards Are Here To Stay: Benefits And Concerns Sonia Otero - October 31, 2003

    In this paper, the author describes the extensive security layers involved in Java smart cards, as well as their vulnerabilities. The conclusion is that the benefits seem to outweigh the disadvantages, since certain sectors of society have already accepted the risks.

  • Web Single Sign-On Meets Business Reality Tim Mather - October 31, 2003

    This paper discusses some of the real-world operational challenges in getting a Web-only SSO deployed, starting with the impetus for why to deploy SSO; some considerations in vendor selection; operational considerations in a deployment, including challenges with having SSO and load balancing work effectively together; and, some compensating security controls.

  • Smart Cards: How Secure Are They? John Abbott - October 31, 2003

    The author looks at the history, types and uses of smart cards and how they may be vulnerable. Since smart cards were never designed to be standalone systems, the author examines some of the applications that have incorporated smart cards into their design to see how they work, looks at the motivation for why they might be threatened, reviews some of the documented attacks, and puts forth a cost/benefit analysis of incorporating smart cards. Finally, there is a determination of how secure smart cards really are.

  • Iris Recognition Technology for Improved Authentication Penny Khaw - October 31, 2003

    Iris recognition technology does provide a good method of authentication to replace the current methods of passwords, token cards or PINs and if used in conjunction with something the user knows in a two-factor authentication system then the authentication becomes even stronger.

  • L is for Login Carolee Rand - October 31, 2003

    This paper will look at login commands, authentication mechanisms, passwords and password management programs used in several UNIX platforms, highlighting aspects of Solaris 8 and Red Hat Linux (RH) 7.3.

  • Biometrics: A Double Edged Sword - Security and Privacy Wayne Penny - October 31, 2003

    This paper presents an overview of biometrics in general and describes some of the issues related to biometrics vulnerabilities and security, and its other side, the protection of one's privacy. It considers that for biometrics to be publicly accepted, implementations will require cooperation between organizations and individuals, working with developed open standards that meet the demand for security and demonstrate the protection of personal privacy.

  • Making Smart Cards Work In the Enterprise Brett Lewis - October 31, 2003

    The time has come for enterprises to begin considering whether smart cards can be used to improve security in their environments. Smart cards offer a secure and convenient form factor on which employees can carry digital credentials for accessing parking facilities, buildings, computers, and network resources. Indeed, the ability for an employee to carry both physical and logical access credentials can be provided on a single card. Adding to the significance of smart cards, that same card can also be used for employee photo identification, and potentially a multitude of other applications, including encryption, digital signatures, secure storage of employee medical information, and electronic wallet for cafeterias and vending machines. Done right, a single-card solution can provide return on investment in the forms of vastly improved security, reduced need for certain security and IT personnel functions, and customer satisfaction. This paper examines some of the key benefits that can be realized from employing smart cards, and it explains how smart cards can be used to significantly improve both physical and logical security. Additionally, it provides an overview of some strategic infrastructure elements needed to make smart cards work in an enterprise environment, including complimentary technologies, personnel, hardware, software, and perhaps most importantly, policies and procedures.

  • Biometric Selection: Body Parts Online Steven Walker - October 31, 2003

    The purpose of this paper is to provide information that will assist a biometric implementer evaluate and select biometric technology. The scope of this paper is limited to the selection of biometric technology as an authenticator in a networked environment.

  • Single Sign On Through Password Synchronization Nancy Loveland - October 31, 2003

    This paper is a case study on a project to provide a Single Sign On (SSO) solution to web based applications that use the mainframe as the data store.

  • Combating the Lazy User: An Examination of Various Password Policies and Guidelines Sam Wilson - October 31, 2003

    This paper demonstrates that many published policies and guidelines will allow for the creation of weak passwords by lazy or inexperienced users. This paper also makes recommendations by which the Security Administrator can improve the strength of the passwords which are created by the users on his system.

  • Iris Recognition: Closer Than We Think? Miltiades Leonidou - October 31, 2003

    This overview covers the new and emerging biometric technique of Iris Recognition, with focus on image processing and computer vision aspects. Algorithms, systems and their experimental results will be reported.

  • Biometric Scanning Technologies: Finger, Facial and Retinal Scanning Edmund Spinella - October 31, 2003

    This paper discusses several Biometric scan technologies: finger-scan, facialscan and retinal-scan.

  • Common issues in PKI implementations - climbing the "Slope of Enlightenment" Angela Keith - October 31, 2003

    This paper is an attempt to go beyond the many conceptual papers published about Public Key Infrastructure (PKI) and look at the actual problems experienced when implementing it.

  • Considerations For Implementing Single Sign-On Within The Enterprise Russell Hobbs - October 31, 2003

    The goal of this paper is to provide insight into many important areas that should be considered before implementing an enterprise SSO system.

  • Strengthening Authentication with Biometric Technology Tricia Olsson - October 31, 2003

    This paper looks at the danger and cost of identity theft, uncover the problem with current authentication practices, demonstrate how a biometric solution can be used to provide stronger authentication, and look at the added benefit of using multiple factor authentication practices.

  • Preventing the fraudulent use of Internet DSL accesses by dial-up accounts: a network authentication issue. Bruno Germain - October 31, 2003

    This document provides details of a typical deployment between DSL providers and ISPs in order to highlight the areas of vulnerability of the model.

  • Kerberos Token Size and DoS Joshua Sprenger

    Kerberos has been the default authentication protocol for Windows since XP/2000. Although the protocol enjoys many benefits over its predecessors, it does have some weaknesses. One unintended weakness of Kerberos is the ability of the Kerberos token size to grow to the point where Denial of Service (DoS) issues arise. This is especially prevalent in large enterprises where during the 10 years that Kerberos has been the primary Windows protocol, some users have found their accounts to be members of several hundred groups. The result of this scenario includes inability to use important company resources such as Exchange Servers and the ability to authenticate to web sites. Additionally, this weakness can be used maliciously to cause widespread DoS throughout an enterprise.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters This paper was created by a SANS Technology Institute student as part of their Master's curriculum.