Computing Reviews
Authentication : from passwords to public keys
Smith R., Addison-Wesley Longman Publishing Co., Inc., Boston, MA, 2002. 549 pp. Type: Book (9780201615999)
Date Reviewed: Oct 3 2002

Authentication concepts and techniques are surveyed in this book. Authentication is a process for ascertaining that an entity (for example, a person or a computer) really is who he, she, or it claims to be. It is one of the most fundamental problems in computer security.

This extremely readable book is appropriate for a wide audience, including novices to the field of computer security, students, system administrators, network security professionals, developers, and managers. The reader does not need prior experience in computer security to appreciate the concepts in the book. There are abundant examples and diagrams to illustrate how authentication techniques work and how attackers might defeat them. By understanding and using the ideas in the book, the reader will be able to choose the precise authentication factors and evaluate the strengths of different authentication mechanisms.

Chapter 1 introduces the landscape of authentication, including the elements of an authentication system, authentication in time-sharing systems, and attacks. Chapter 2 deals with the evolution of reusable passwords; the Unix password system and attacks on Unix password files are discussed. Chapter 3 is about the role people play: how users are enrolled, how passwords are selected, the biases in that selection, and the attacks that exploit them.

Chapter 4 is on the subject of choosing the correct design pattern for authentication by taking into account factors such as the server environment, the size of the enterprise, and administrative requirements. Chapter 5 is about local authentication, and includes a discussion of encryption and key handling issues. Chapter 6 deals with the selection of PINs and passwords. Chapter 7 covers biometric techniques and how they work. Chapter 8 is about authentication by addresses, such as IP addresses. Chapter 9 discusses authentication tokens, network password sniffing, and one-time passwords and attacks on them. Chapter 10 deals with challenge-response passwords, Windows authentication, and Windows NT LanMan (NTLM), an authentication process used by all members of the Windows NT family of products. Attacks on X9.9 (a United States national wholesale banking standard for authentication of financial transactions) are mentioned. There is also a discussion of S/Key (a one-time password scheme based on a one-way hash function).
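To make the S/Key idea mentioned above concrete, here is an added example (not code from the book or its author) of a simplified hash-chain one-time password scheme: the server stores only the last accepted hash and a counter, and each password is the preimage of the previous one. It assumes SHA-256 in place of the MD4/MD5 and 64-bit folding of real S/Key, and uses a constructed secret and seed.

```python
import hashlib


def chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Apply the one-way hash n times to seed||secret (hash^n)."""
    h = seed + secret
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h


class SKeyServer:
    """Holds hash^count of the secret; never sees the secret itself."""

    def __init__(self, count: int, last_hash: bytes) -> None:
        self.count = count
        self.last = last_hash

    def verify(self, otp: bytes) -> bool:
        # Chain exhausted: the next preimage would be the raw secret, so
        # the user must re-initialise with a fresh seed and count.
        if self.count <= 1:
            return False
        # A valid OTP is the preimage of the stored hash; a replayed or
        # sniffed OTP hashes to an older link and is rejected.
        if hashlib.sha256(otp).digest() != self.last:
            return False
        self.last = otp          # advance the chain
        self.count -= 1
        return True


def demo():
    secret = b"correct horse battery"  # constructed user secret
    seed = b"ex1234"                   # constructed per-user seed
    n = 5
    # Enrolment: client computes hash^n and hands it to the server.
    server = SKeyServer(n, chain(secret, seed, n))
    # Logins send hash^(n-1), hash^(n-2), ..., hash^1 in turn.
    logins = [server.verify(chain(secret, seed, i)) for i in range(n - 1, 0, -1)]
    replay = server.verify(chain(secret, seed, n - 1))   # replayed first OTP
    exhausted = server.verify(chain(secret, seed, 0))   # chain used up
    return logins, replay, exhausted
```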

Chapter 11 covers indirect authentication, the remote authentication dial-in user service (RADIUS) protocol, and Windows NT secure channels. RADIUS is an extensively deployed protocol that enables organizations to authenticate, authorize, and account for remote users who want access to a system or service, from a central network server. Virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, digital subscriber line (DSL) access, and several other network access types now use RADIUS. This protocol is more or less the de facto standard for remote authentication. Chapter 12 is on Kerberos and Windows 2000. Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography; it is found in diverse commercial products as well. Topics covered include user and workstation authentication, ticket delegation, and attacks on Kerberos networks. Chapter 13 discusses public key cryptography, attacks on RSA (a public-key cryptosystem), and authentication with the secure sockets layer (SSL), a protocol used for secure Internet communications. Chapter 14 is about managing public key certificates. Chapter 15 is on the security of private keys.

The presentation style is excellent. Every chapter opens with a short write-up of the topics covered. Tables at the end of chapters summarize the strategies for attack and defense. Notes pertinent to the chapters help readers to understand the techniques and their history. The bibliography contains several hundred pointers to relevant literature. The author has also included updates, product information, and vendor contact information on a Web site. The glossary and index make reading this book a pleasant experience. The book offers information on a variety of authentication techniques, and guidance on which ones will work best, depending on the security requirements, budget, and user convenience. Through this splendid book, the author has communicated to readers his experience as a computer security expert offering solutions to real-world problems.

Even a voluminous work of this kind will not be able to cover all the practical applications of authentication, whether in the .NET framework or in the security of network protocols or mobile devices. Some readers may be disappointed that topics such as the exponential security system (TESS), distributed authentication security service (DASS), and secure European system for applications in a multi-vendor environment (SESAME) are not dealt with in the book. However, the value of this fine book far exceeds its price.

Reviewer: S. V. Nagaraj. Review #: CR126501 (0301-0054)
Categories: Authentication (K.6.5); Data Encryption (E.3)