Mechanics of User Identification and Authentication: Fundamentals of Identity Management
by Dobromir Todorov

Auerbach 2008.
ISBN 978-1420052190. amazon.com USD 75.40

Reviewed by Richard Austin, March 10, 2008

At over 700 pages, this book is not what one would call light reading, but in its five chapters, it provides an excellent overview of the current state of authentication practices.

The book opens with an introductory chapter on the concepts of user identification and authentication. Of particular interest is the description of the threats (ranging from authentication bypass to social engineering and dumpster diving) that an identification and authentication solution must face and counter.

Not too surprisingly, the following two chapters are devoted to authentication in UNIX and Windows. Coverage is thorough, with numerous examples and case studies that put the concepts into practice. Tables and illustrations are common and provide a ready reference to capabilities, parameters and usage scenarios.

Chapter 4 is devoted to "Authenticating Access to Services and Applications" and is the longest chapter in the book. Its discussion is well organized and proceeds from security programming interfaces such as the GSS-API, to authentication protocols (NTLM, Kerberos and SASL) to SSL/TLS. It then discusses authentication in the context of common applications such as Telnet and FTP, POP3 and IMAP before moving on to databases such as MS SQL and Oracle. A final section delves into the newer topics of SAML and WS-Security.

Chapter 5 covers how authentication functions in granting access to infrastructure such as routers/switches, remote access, wireless and centralized user authentication using RADIUS and TACACS+.

Unlike many books on such topics, Todorov does not rehash product documentation and RFCs but focuses on how the technologies actually work and are used in practice (including many traffic captures as concrete illustrations) - a good indicator is Appendix B, which describes the layout of the lab that he used while writing the book. The strengths of the book lie in its broad coverage and significant level of detail. It is well organized and allows one to quickly locate and drill down on the particular area of interest. With these advantages, I would see this book as an excellent reference work that belongs on the shelf of any practicing security professional.

Before retiring, Richard Austin was the storage network security architect at a Fortune 25 company and currently earns his bread and cheese as an itinerant university instructor and security consultant. He welcomes your thoughts and comments at rda7838@kennesaw.edu