
Homework Help: Computer Authentication

  1. Apr 8, 2008 #1
    Forgive me if this is not the proper place to pose this question. The question isn't that I'm having trouble solving a problem as that I'm having trouble finding reliable sources for research.

    1. The problem statement, all variables and given/known data

    I'm doing a research paper over verifying identity remotely, a topic that falls under the general heading of authentication. My problem is that I can find lots of good material from various non-academic sources (such as for-profit companies, various websites, Wikipedia), but have so far been unable to find an academic discussion of many of the same ideas.

    The specific topics I'm trying to find discussed are authentication factors, two-factor authentication, and the difference between strong and weak authentication. In addition, I'm trying to find a sample implementation or two that demonstrates how sessions can be implemented to protect against interception and replay attacks. For simplicity I think sessions using timestamps are conceptually simpler than using pseudo-random numbers, but either would be appreciated.

    3. The attempt at a solution

    I have read on websites that part of the problem is there are different organizations with their own sets of definitions. What one organization calls multi-factor authentication is what another organization calls strong authentication.

    At any rate, all of the good sources I can find wouldn't meet academic scrutiny, and searching these topics at the local library comes up with stuff from the 70's and 80's at most recent.

    I was hoping that there would be someone who could point me to a good, recent printed reference I can start my search at.
  3. Apr 8, 2008 #2

    Look for books on cryptography, like Bruce Schneier's classic, Applied Cryptography.

    Look into the TLS (SSL) system, used for authentication and secure communication on the web. The RFC is usually your best bet.

    Another important implementation is OpenSSH, used to tunnel all kinds of data across the internet. Take a look at the RFC for all the information you could ever want.

    - Warren
  4. Apr 9, 2008 #3
    It's a lot easier to derive a timestamp from a couple of sniffed/cracked packets than figuring out the key to a one-way hash / pseudo-random number.

    chroot gave some nice places to start, I'd like to add this to the list:

    The 1976 paper on public key cryptography by Whitfield Diffie and Martin Hellman (the name of the paper eludes me)

    You might also be interested in reading the papers that have been published on trusted remote computing, since there is a lot of cross-over in all these alice-and-bob scenarios.
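As an added illustration (not code from any post in this thread) of the nonce-based session the original poster asked for, and of the point above that a pseudo-random challenge protected by a keyed one-way hash is harder to abuse than a bare timestamp: a challenge-response login in Python. The server issues a single-use random nonce, the client answers with an HMAC over it under a pre-shared secret, and a replayed capture of that answer is rejected. The secret, user names and validity window are constructed sample values.

```python
import hmac
import hashlib
import secrets
import time

SHARED_SECRET = b"constructed-demo-secret"  # pre-shared key; constructed sample value
MAX_SKEW = 30  # seconds a challenge (and the client's timestamp) stays valid


def compute_tag(secret, user, nonce, ts):
    """Keyed one-way hash over the message fields; the secret itself never goes on the wire."""
    msg = f"{user}|{nonce}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class Server:
    """Verifier side: issues single-use nonces and checks HMAC responses."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now            # injectable clock so the stale case can be tested
        self.outstanding = {}     # nonce -> time it was issued
        self.used = set()         # nonces already accepted (the replay list)

    def challenge(self):
        nonce = secrets.token_hex(16)   # 128-bit unpredictable challenge
        self.outstanding[nonce] = self.now()
        return nonce

    def verify(self, user, nonce, ts, tag):
        issued = self.outstanding.get(nonce)
        if issued is None or nonce in self.used:
            return False  # unknown nonce, or a message we have already accepted
        if abs(self.now() - ts) > MAX_SKEW or self.now() - issued > MAX_SKEW:
            return False  # stale challenge or badly skewed client clock
        expected = compute_tag(self.secret, user, nonce, ts)
        if not hmac.compare_digest(expected, tag):
            return False  # wrong secret or tampered fields
        self.used.add(nonce)          # burn the nonce so the same bytes never pass again
        del self.outstanding[nonce]
        return True


def client_response(secret, user, nonce, now=time.time):
    """Client side: bind identity, challenge and current time under the shared secret."""
    ts = int(now())
    return (user, nonce, ts, compute_tag(secret, user, nonce, ts))


def demo():
    """Honest login, then a replay of the identical captured message; returns (first_ok, replay_ok)."""
    server = Server(SHARED_SECRET)
    msg = client_response(SHARED_SECRET, "alice", server.challenge())  # what a sniffer sees
    return server.verify(*msg), server.verify(*msg)
```

Swapping the nonce for a bare timestamp would let anyone who sniffed one exchange resend it within the window; here the eavesdropper gets a tag bound to a burned nonce and still lacks the secret needed to answer the next one.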

  5. Apr 9, 2008 #4
    I think that part of the issue you're running into is that "authentication" may simply be too general a topic; it's a sort of pattern that might occur at any level of an OSI-type model. There's the authentication that occurs between different physical network devices, different computers communicating via a low-level protocol like TCP/IP, a higher-level protocol like TLS/SSH, a stateful but low-level application function like HTTP digest authentication in a webserver, and a high-level application authentication like, say, vBulletin (which runs Physics Forums) or Wikipedia generating security tokens and storing them within a database on the server and on a client web browser via cookies (and those last two application examples are purely a web context - there's all sorts of other fun stuff that happens on networks), there's user identity for processes within an operating system which becomes something like LDAP or Active Directory authentication when it's done remotely, then you've got stuff like digitally signing emails and documents, digital rights management for things like iTunes or Rhapsody or Windows Media Player content, etc.

    And I don't have any idea what military systems do. They probably incorporate alien technology from the flying saucers of little gray men from Area 51.

    Those things are all basically the same pattern but the problem domains have been too different for there to be any benefit in making some perfect, cerebral comp-sci-type abstraction across all of them. It seems to me it would be like looking for mechanical engineering papers on a topic like "wheels".

    So it seems to me that you may want to try to narrow the parameters of your search (and research paper). Pick a context for "identity" - physical devices? Network nodes? An application operating within a network node? Humans? Application accounts representing humans? And then a context for authentication of those sorts of identities like the sorts of things I listed above.

    Furthermore, do you want to study "ideal" authentication - the kind that would occur if a paranoid IT security guy got to redesign everything, or do you want to study the sorts of things that get implemented in practicality by software engineers trying to make things work who have a technical project manager laying the whip on their backs to meet a deadline?

    But even having narrowed the search in these ways I think you'll have it tough. You may find yourself relegated to tangential mention of authentication issues in papers with a different topic. One other idea that occurs to me is to try white papers, which are going to be from non-academic sources but try to put on a more academic face (though often failing horribly to do so).

    So, uh, good luck. Sorry I didn't provide any actual answers to your questions.