SANS InfoSec Reading Room - Authentication

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring 50 papers as of May 22, 2013

Two-Factor Authentication: Can You Choose the Right One?

By: Emilio Valente (posted on October 15, 2009)

The focus of this paper is enterprise solutions for two-factor authentication.

OS and Application Fingerprinting Techniques

By: Jon Mark Allen (posted on October 22, 2008)

This paper will attempt to describe what application and operating system (OS) fingerprinting are and discuss techniques and methods used by three of the most popular fingerprinting  applications: nmap, Xprobe2, and p0f.

Simple Formula for Strong Passwords (SFSP) Tutorial

By: Bernie Thomas (posted on May 17, 2005)

The practice of using passwords for user authentication exposes organizations' and individual users' data to disclosure alteration and/or destruction. However, a large portion of the security issues that make this true can be satisfactorily addressed using a simple method that I would like to introduce as the Simple Formula for Strong Passwords (SFSP) [Note 1].

Installing a Secure Network DHCP Registration System

By: Pam Fournier (posted on May 5, 2005)

One limitation of DHCP is that there is no accountability for IP address usage. NetReg is a Network DHCP Registration System which provides a means of linking user information to MAC and IP addresses on the network.

Secure implementation of Enterprise single sign-on product in an organization

By: Ravikanth Ponnapalli (posted on January 18, 2005)

Single Sign-On is a very important component of the security architecture of an organization. In IT, it is generally believed that it is expensive to deploy an enterprise Single Sign-On solution that is secure and scalable. However, there is a growing awareness in IT management about the advantages of implementation of enterprise Single Sign-On.

An Exploration of Voice Biometrics

By: Lisa Myers (posted on July 25, 2004)

Biometrics is, in the simplest definition, something you are. It is a physical characteristic unique to each individual. Using biometrics to identify individuals is a practice as old as ancient Egypt. Today, it is becoming more and more popular to use biometrics to identify people and authenticate them for access to secure areas and systems.

Single Sign On Concepts & Protocols

By: Sandeep Sandhu (posted on March 25, 2004)

This paper describes the characteristics and concepts of a few important protocols and technologies that have been used for implementing authentication and single sign-on (SSO) mechanisms for computer networks.

Dont Blink:Iris Recognition for Biometric Identification

By: Mary Dunker (posted on March 8, 2004)

This paper explores the origins of iris recognition, how it works, how it stacks up against other forms of biometric identification and what is required to perform the identification.

Biometrics: An In Depth Examination

By: Kyle Cherry (posted on March 2, 2004)

The purpose of this paper is to give the reader a good foundational understanding of biometric security systems. The intent is not to make the reader an expert in any one system.

Convergence of Logical and Physical Security

By: Yahya Mehdizadeh (posted on January 11, 2004)

This paper will demonstrate that the convergence of logical and physical security brings significant benefits, specifically identifying areas where the two can interconnect to the greatest positive effect, and also recommends practical steps to take in this direction.

It's All About Authentication

By: Douglas Graham (posted on October 31, 2003)

This paper categorizes and then simplifies some of the core fundamentals of electronic security controls and mechanisms and concludes that authentication is the single most important aspect in information security.

Identity Management

By: Kevin Kaufman (posted on October 31, 2003)

Information security magazines of all nature are publishing more and more articles about identity management and improved access control measures.

Shedding some light on Voice Authentication

By: Dualta Currie (posted on October 31, 2003)

This paper attempts to explain, in non -technical language, the technologies behind one particular type of biometric authentication, voice authentication.

Biometrics: Are YOU the Key to Security?

By: Patricia Wittich (posted on October 31, 2003)

This paper will discuss the concepts behind the emerging biometrics craze along with its efficiency, cost, privacy issues, and success versus failure rate.

In Pursuit of Liberty?

By: Randy Mahrt (posted on October 31, 2003)

This paper explores the Liberty specification version 1.0 that was released on July 15, 2002.

An Introduction to Identity Management

By: Spencer Lee (posted on October 31, 2003)

The purpose of this document is to offer a broad overview of current identity management technologies and provide a framework for determining when an identity management system would benefit your company.

Identity Protection and Smart Card Adoption in America

By: Stephen Irwin (posted on October 31, 2003)

This paper will address smart card technology as a viable alternative to present financial and identity standards, and why it will be woven into the American identity fabric over the next decade.

Biometrics: Technology That Gives You a Password You Can't Share

By: Yevgeniy Libov (posted on October 31, 2003)

This paper examines biometrics technology as a means for making user authentication more secure based on a unique identifier, the fingerprint.

Overview of S/Key usage with OpenBSD

By: Christian Lecompte (posted on October 31, 2003)

An evaluation of S/Key usage and integration with the The OpenBSD Operating System.

Proximity Authentication

By: Ali Merayyan (posted on October 31, 2003)

The author discusses protecting data by denying direct physical access onto a user's computer; that is, protect sensitive data terminals from being used by unauthorized users.

Clear Text Password Risk Assessment Documentation

By: Kimberly Rallo (posted on October 31, 2003)

This paper will present a risk assessment on sending clear text passwords across an enterprise network.

Password Protection: Is This the Best We Can Do?

By: Jason Mortensen (posted on October 31, 2003)

This paper explores how a combination of user education, strict password policies, encrypted network traffic, onetime passwords, Public-Key Infrastructure systems, and the use of biometrics, authentication can make computer systems less vulnerable to attacks.

Inadequate Password Policies Can Lead to Problems

By: Leonard Hermens (posted on October 31, 2003)

This paper explores how, overall, the security administrator's duty is to reasonably ensure the security of the network, and how he/she can do this by setting effective password policies

An Overview of Different Authentication Methods and Protocols

By: Richard Duncan (posted on October 31, 2003)

This overview will generalize several Authentication Methods and Authentication Protocols in hopes of better understanding a few options that are available when designing a security system.

Technical Aspect of Implementing/Upgrading SAP Security 4.6

By: Mary E. Sims (posted on October 31, 2003)

This paper will discuss the technical aspect of securing the SAP environment and, even more specifically, the details of controlling security for the SAP Release 4.0 and above.

Passwords are DEAD! (Long live passwords?)

By: David Beverstock (posted on October 31, 2003)

Following a brief history and definition of passwords, this paper will show three properties of passwords that render passwords risky or unsuitable for use.

A Concept for Universal Identification

By: Daniel E. Williams (posted on October 31, 2003)

The goal of this paper is to provide a detailed look at a new perspective for a unified, secure and consolidated form of personal identification. The advanced yet inexpensive technology exists today to step up modern identification to the next level.

Biometrics and User Authentication

By: Michael Zimmerman (posted on October 31, 2003)

The purpose of this paper will be to look at the use of biometrics technology to determine how secure it might be in authenticating users, and how the users job function or role would impact the authentication process or protocol. We will also examine personal issues of privacy in the methods used for authentication; the cost of implementing a biometrics authentication system; the efficiency of biometrics authentication; and the potential for false positive or negative recognition of individual users.

Authentication and Authorization: The Big Picture with IEEE 802.1X

By: Arthur Fisher (posted on October 31, 2003)

This paper explores how Auth-x brings authentication and authorization down to a port level, enabling true privilege-based management of network services.

More Than a Pretty Face, Biometrics and SmartCard Tokens

By: Gregory Williams (posted on October 31, 2003)

This paper will address many of the types of Biometrics available as well as the use of smart card technology.

Biometric Technology Stomps Identity Theft

By: Seyoum "Zeg" Zegiorgis (posted on October 31, 2003)

This paper discusses the benefits of implementing a biometric technology product--one more tool for safeguarding the information assets and key installations of an organization--the privacy issues associated with the deployment of a BTP

Securing Access: Making Passwords a Legitimate Corporate Defense

By: David H. Sherrod (posted on October 31, 2003)

This paper outlines four easy steps to secure access to your systems using strong passwords, even those selected by users.

Build a Web Interface to Allow Users to Change their Passwords (The Web Password Page)

By: Mark Holbrook (posted on October 31, 2003)

The purpose of this paper is to show you (the System Administrator) how to break free from the mundane task of periodically changing user passwords (in keeping with good security practices from GIAC Security Essentials). This document is designed to show you step-by-step how to build a web page for users to update their passwords on a UNIX or Windows server, easily, securely and without spending too much money on software!

Java Smart Cards Are Here To Stay: Benefits And Concerns

By: Sonia Otero (posted on October 31, 2003)

In this paper, the author describes the extensive security layers involved in Java smart cards, as well as their vulnerabilities. The conclusion is that the benefits seem to outweigh the disadvantages, since certain sectors of society have already accepted the risks.

Web Single Sign-On Meets Business Reality

By: Tim Mather (posted on October 31, 2003)

This paper discusses some of the real-world operational challenges in getting a Web-only SSO deployed, starting with the impetus for why to deploy SSO; some considerations in vendor selection; operational considerations in a deployment, including challenges with having SSO and load balancing work effectively together; and, some compensating security controls.

Smart Cards: How Secure Are They?

By: John Abbott (posted on October 31, 2003)

The author looks at the history, types and uses of smart cards and how they may be vulnerable. Since smart cards were never designed to be standalone systems, the author examines some of the applications that have incorporated smart cards into their design to see how they work, looks at the motivation for why they might be threatened, reviews some of the documented attacks, and puts forth a cost/benefit analysis of incorporating smart cards. Finally, there is a determination of how secure smart cards really are.

Iris Recognition Technology for Improved Authentication

By: Penny Khaw (posted on October 31, 2003)

Iris recognition technology does provide a good method of authentication to replace the current methods of passwords, token cards or PINs and if used in conjunction with something the user knows in a two-factor authentication system then the authentication becomes even stronger.

L is for Login

By: Carolee Rand (posted on October 31, 2003)

This paper will look at login commands, authentication mechanisms, passwords and password management programs used in several UNIX platforms, highlighting aspects of Solaris 8 and Red Hat Linux (RH) 7.3.

Biometrics: A Double Edged Sword - Security and Privacy

By: Wayne Penny (posted on October 31, 2003)

This paper presents an overview of biometrics in general and describes some of the issues related to biometrics vulnerabilities and security, and its other side, the protection of one's privacy. It considers that for biometrics to be publicly accepted, implementations will require cooperation between organizations and individuals, working with developed open standards that meet the demand for security and demonstrate the protection of personal privacy.

Making Smart Cards Work In the Enterprise

By: Brett Lewis (posted on October 31, 2003)

The time has come for enterprises to begin considering whether smart cards can be used to improve security in their environments. Smart cards offer a secure and convenient form factor on which employees can carry digital credentials for accessing parking facilities, buildings, computers, and network resources. Indeed, the ability for an employee to carry both physical and logical access credentials can be provided on a single card. Adding to the significance of smart cards, that same card can also be used for employee photo identification, and potentially a multitude of other applications, including encryption, digital signatures, secure storage of employee medical information, and electronic wallet for cafeterias and vending machines. Done right, a single-card solution can provide return on investment in the forms of vastly improved security, reduced need for certain security and IT personnel functions, and customer satisfaction. This paper examines some of the key benefits that can be realized from employing smart cards, and it explains how smart cards can be used to significantly improve both physical and logical security. Additionally, it provides an overview of some strategic infrastructure elements needed to make smart cards work in an enterprise environment, including complimentary technologies, personnel, hardware, software, and perhaps most importantly, policies and procedures.

Biometric Selection: Body Parts Online

By: Steven M. Walker (posted on October 31, 2003)

The purpose of this paper is to provide information that will assist a biometric implementer evaluate and select biometric technology. The scope of this paper is limited to the selection of biometric technology as an authenticator in a networked environment.

Single Sign On Through Password Synchronization

By: Nancy Loveland (posted on October 31, 2003)

This paper is a case study on a project to provide a Single Sign On (SSO) solution to web based applications that use the mainframe as the data store.

Combating the Lazy User: An Examination of Various Password Policies and Guidelines

By: Sam Wilson (posted on October 31, 2003)

This paper demonstrates that many published policies and guidelines will allow for the creation of weak passwords by lazy or inexperienced users. This paper also makes recommendations by which the Security Administrator can improve the strength of the passwords which are created by the users on his system.

Iris Recognition: Closer Than We Think?

By: Miltiades Leonidou (posted on October 31, 2003)

This overview covers the new and emerging biometric technique of Iris Recognition, with focus on image processing and computer vision aspects. Algorithms, systems and their experimental results will be reported.

Biometric Scanning Technologies: Finger, Facial and Retinal Scanning

By: Edmund Spinella (posted on October 31, 2003)

This paper discusses several Biometric scan technologies: finger-scan, facialscan and retinal-scan.

Common issues in PKI implementations - climbing the "Slope of Enlightenment"

By: Angela Keith (posted on October 31, 2003)

This paper is an attempt to go beyond the many conceptual papers published about Public Key Infrastructure (PKI) and look at the actual problems experienced when implementing it.

Considerations For Implementing Single Sign-On Within The Enterprise

By: Russell Hobbs (posted on October 31, 2003)

The goal of this paper is to provide insight into many important areas that should be considered before implementing an enterprise SSO system.

Strengthening Authentication with Biometric Technology

By: Tricia Olsson (posted on October 31, 2003)

This paper looks at the danger and cost of identity theft, uncover the problem with current authentication practices, demonstrate how a biometric solution can be used to provide stronger authentication, and look at the added benefit of using multiple factor authentication practices.

Preventing the fraudulent use of Internet DSL accesses by dial-up accounts: a network authentication issue.

By: Bruno Germain (posted on October 31, 2003)

This document provides details of a typical deployment between DSL providers and ISPs in order to highlight the areas of vulnerability of the model.

Kerberos Token Size and DoS

By: Joshua Sprenger (posted on )

Kerberos has been the default authentication protocol for Windows since XP/2000. Although the protocol enjoys many benefits over its predecessors, it does have some weaknesses. One unintended weakness of Kerberos is the ability of the Kerberos token size to grow to the point where Denial of Service (DoS) issues arise. This is especially prevalent in large enterprises where during the 10 years that Kerberos has been the primary Windows protocol, some users have found their accounts to be members of several hundred groups. The result of this scenario includes inability to use important company resources such as Exchange Servers and the ability to authenticate to web sites. Additionally, this weakness can be used maliciously to cause widespread DoS throughout an enterprise.