REVIEW: "Authentication: From Passwords to Public Keys", Richard E. Smith

  • Rob, grandpa of Ryan, Trevor, Devon & Ha
    Message 1 of 1 , Mar 18, 2002
      BKAUTHNT.RVW 20020220

      "Authentication: From Passwords to Public Keys", Richard E. Smith,
      2002, 0-201-61599-1, U$44.99/C$67.50
      %A Richard E. Smith
      %C P.O. Box 520, 26 Prince Andrew Place, Don Mills, Ontario M3C 2T8
      %D 2002
      %G 0-201-61599-1
      %I Addison-Wesley Publishing Co.
      %O U$44.99/C$67.50 416-447-5101 fax: 416-443-0948 bkexpress@...
      %P 549 p.
      %T "Authentication: From Passwords to Public Keys"

      Chapter one looks at the history and evolution of password technology,
      and introduces a system of discussing attacks and defences that
      provides an easy structure for an end-of-chapter summary. A more
      detailed history appears in chapter two, while chapter three discusses
      the enrolling of users.

      Chapter four is rather odd: it brings up the concept of "patterns" as
      defined in the study of architecture, but doesn't really explain what
      this has to do with authentication or the book itself. The closest
      relation seems to be the idea of determining a security perimeter.
      The material poses a number of authentication problems and touches on
      lots of different technologies, but the various difficulties are not
      fully analyzed.

      Chapter five is supposed to be about local authentication, but mostly
      examines encryption.

      Strangely, chapter six inveighs against the complex rules for password
      choice and management that are commonly recommended--and then adds to
      the list of canons the requirement to assess the security of a system
      when choosing a password. Ultimately the text falls back on the
      traditional suggestions, with a few good suggestions for password
      generation. This place in the text also marks a change in the volume:
      the content moves from a vague collection of trivia to a much more
      practical and useful guide.

      Chapter seven is a decent overview of biometrics, although there is an
      odd treatment of false acceptance and rejection rates, and some
      strange opinions. Authentication by address, emphasizing IP spoofing,
      is covered in chapter eight, while hardware tokens are discussed in
      chapter nine. Challenge/response systems are reviewed in chapter ten,
      as well as software tokens. Indirect or remote authentication,
      concentrating on the RADIUS (Remote Authentication Dial In User
      Services) system, is examined in chapter eleven. Chapter twelve
      outlines Kerberos, and has a discussion of the Windows 2000 version,
      albeit with limited analysis. The study of public key (asymmetric)
      cryptography in chapter thirteen would be more convincing with just a
      few more sentences of explanation about how keys are established.
      Chapter fourteen talks about certificates and signing, while fifteen
      finishes with some vague thoughts on password storage.

      After a slow (but interesting) start, the book does have a good deal
      of useful material in the later chapters. Long on verbiage and a bit
      short on focus, this text does have enough to recommend it to security
      practitioners serious about the authentication problem.

      copyright Robert M. Slade, 2002 BKAUTHNT.RVW 20020220


      http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade