Authentication, Crypto and Such
What Is This Site?
This site discusses several information security topics of particular interest to me, including authentication, cryptography, multilevel security (MLS), and security policy. The site also provides information about the books I've written. A companion site, The Center for Password Sanity, examines the fundamental flaws one finds in typical password security policies and recommends more sane approaches. Although I try to keep this site up to date, it's not a huge priority. Send me e-mail if you're looking for something in particular. Also, take a look at Cryptosmith Comments, my recently started blog.
Contents
University of St. Thomas
I maintain a web site at St. Thomas that describes courses I'm teaching and summarizes my current research activities there. Click here to reach that site.

About the Author
I am a faculty member at the University of St. Thomas who specializes in information security. I also operate Cryptosmith LLC, a modest consulting organization through which I perform contract studies and provide expert testimony. Click here for a technical biography.
Recent Talks
If you've attended a recent talk of mine and you're looking for something that's not here, please e-mail me. Older items may appear on the Talks On-Line page.
The Challenge of Multilevel Security, Black Hat Federal, Tyson's Corner, VA, October 2003. PDF.
Authentication: Cautionary Tales, Black Hat Briefings, Las Vegas, NV, July 2003. PDF.
The Biometrics Dilemma, Black Hat Briefings, Las Vegas, NV, July 2002. Powerpoint.
An Overview of Authentication Techniques, Webcast, February 28, 2002. PDF.
Site-Specific Planning for Authentication Systems, 28th Annual CSI Security Conference, Washington DC, October 2001. PDF.
Computer Security Basics, St. Thomas University, Mini Masters' Lecture, Spring 2000. Part 1 (120K), Part 2 (490K).
Internet Cryptography, National Information Systems Security Conference, Arlington VA, October 1998. Part 1 (480K), Part 2 (540K).
Network Security with Cryptography, 12th Systems Engineering Conference, Santiago, Chile, June 1998. Part 1 (260K), Part 2 (210K), Part 3 (400K).
Cryptographic Vulnerabilities: Beyond Algorithms and Key Lengths, University of Minnesota colloquium, 1998. One file (340K).
Books
Authentication: Authentication provides a thorough examination of authentication concepts and techniques, from the password systems introduced in the 1960s to the public key systems of today. Each technique is described through diagrams and examples, covering both how they work and how attackers might defeat them. This provides readers with the essential understanding they need to choose the best techniques for their particular situation.
Internet Cryptography: Internet Cryptography helps you choose and use today's crypto products for Internet applications. The book applies a practical perspective on Internet security to the selection and use of off-the-shelf Internet crypto devices and techniques. Using real-life case studies, examples, and commercially available software products, cryptography is presented as a practical solution to specific, everyday security challenges.
Recent Publications
Also see the page of Papers and Other Publications.
Trends in Security Product Evaluations. A paper reviewing recent and long-term trends in security product evaluations. This is partially an update of an earlier paper, but this new one looks at several additional aspects of the question.
A spreadsheet-based simulation of CPU instruction execution. A paper describing how to simulate a CPU using a spreadsheet. It's not as obvious as it might seem, since spreadsheets nominally implement a rudimentary form of functional programming.
Multilevel Security. An article describing the problem of multilevel security and how it is addressed in real systems. The article will appear in the Handbook of Information Security (Bidgoli, ed., John Wiley).
The Strong Password Dilemma. An article describing how the quest for strong, hard-to-remember passwords can lead to reduced security. This was published in the CSI Computer Security Journal, Summer 2002.
Deciphering the Advanced Encryption Standard. An article describing the selection of Rijndael as the new AES, published in Network Magazine, March 2001.
Cost Profile of a Highly Assured, Secure Operating System. Final draft of an article describing the software development of the LOCK operating system, a candidate for the now-obsolete A1 security evaluation, which used to be the highest a computing system could aspire to. The article was published in the ACM Transactions on Information Systems Security, Fall 2001.
Are Web Transactions Safe? A simple description of how public-key cryptography is used to protect Web transactions, provided as supporting material for the companion Web site to the NOVA television program "Decoding Nazi Secrets."
Basic Cryptography Glossary. A basic glossary of cryptographic terms that appeared in Internet Cryptography. This hypertext version contains cross-reference links for terms appearing inside definitions.
Multilevel Security
Click here for some observations on the Holy Grail of military computer security, along with some links to papers I've written that touch on the subject. MLS is closely tied to the concept of computer security product evaluations.
Security Evaluations
I performed a Historical Survey of Computer Security Evaluations. It provides a brief statistical review of government-promoted computer security evaluations world-wide up through 1999. This page includes a link to a paper on the subject presented at the last National Information Systems Security Conference (NISSC), in 2000, and published in its Proceedings.
Password Sanity
The Center for Password Sanity is a collection of information about sensible policies for password selection and use. The Center tries to discourage the traditional password policies that the vast majority of users ignore and/or circumvent on a daily basis. It's far more sensible to acknowledge how people really behave and design systems accordingly.
I'm a writer, educator, and information security consultant. Aside from the books, I am a faculty member at the University of St. Thomas in St. Paul, Minnesota, a contributing writer for Information Security magazine, and I hold a CISSP. As an information security expert, I've been involved in DARPA cyber defense research and have also provided security architecture, evaluation, and engineering assistance to commercial and government organizations.
For several years I worked on the multi-level security problem and I worked on security products including the 3Com Embedded Firewall, the Sidewinder Internet Firewall, and the Standard Mail Guard (SMG). My first experience in computer security was as a software developer for the LOCK high-assurance trusted computing base, which evolved into the SMG and served as the architectural model for the Sidewinder.
Earlier activities include protocol software development for the ARPANET, the forerunner of the modern Internet, the development of pioneering speech recognition products, and research in fault-tolerant robotics for industrial and space applications. I hold a B.S. in engineering from Boston University, and an M.S. and Ph.D. in computer science from the University of Minnesota. You can contact me via e-mail at rick@cryptosmith.com.
Richard E. Smith, rick@cryptosmith.com
Copyright © 1997, 2005, Richard E. Smith