Somehow I have Dan Sullivan’s voice in my head saying “Ask Who not How” when I teach development life cycles. As a hacker/security guy, I stress to my customers that the first step in any SDLC is “Who” and if you get that wrong, nothing else matters. From being the victim of a con job to simply delivering your product or service to the wrong customer, it is essential that we properly identify and authenticate who we are communicating with.

When I learned to use a telephone, I was taught to first identify myself and THEN, ask “Who is calling”, AKA “Mutual Authentication”. Somehow this was not considered in the earliest forms of remote access to computers. Most systems only asked a user to authenticate to a server, but not the reverse, leaving the system vulnerable to rogue infrastructure, most common a man in the middle “MiTM” attack. For instance a card skimmer at an ATM. This is the reason all our banks switched to smart cards. Using PKI, our smart cards provide Mutual Authentication. For instance my card proves to Walmart that I am Larry and Walmart’s reader proves to my card that it is Walmart before any financial transactions can be performed.

Another limitation of early internet authentication systems is that they only used “Passwords” for authentication and even these were often in clear text. The Password Authentication Protocol (PAP) was replaced with the Challenge Handshake Authentication Protocol (CHAP) to allow for encrypted passwords. Multi Factor Authentication (MFA) is considered much stronger, by mixing something you know (passwords) with something you have (cards, tokens, etc) and/or something you are/do (biometrics; thumbprints, hand written signature, etc). To support MFA we needed something other than PAP/CHAP and for that reason the Extensible Authentication Protocol was created.

I have made much of my living of the last 20 plus years teaching CISSP exam preparation courses and have had quite a few people in my class who preparing to take the exam again, after missing it. These people often come with stories of being blindsided by how many questions they got on a particular subject. No more so than those who come to me saying they got “like 20 questions” on the various versions of EAP and wonder why. I say because without it, there is no way to strengthen our first step in any SDLC.

As 2023 is the year the ChatGPT and other LLM AIs are lighting the headlines and the budgets of so many organizations, it is important to note that most conversations on the internet do not involve people, they are mostly between applications via Application Program Interfaces (APIs). For instance, I prove to my Dropbox client, I am Larry. After that, my client software talks to the Dropbox server, who talks to AWS’s platform and all of these invoke many other supportive API conversations. API hacking is where most large scale threats seem to emerge these days. We need to get a handle on all these conversations and the first step is mutually asking “Who” from these APIs. And that is why EAP and it’s many implementations are SO Important to information security.

For anyone interested in a CISSP practice question about EAP, please see my take on YouTube:
https://youtu.be/Lu1dj2TDFZ0

That’s all I have this morning on this. As always, Live Long & Prosper (~_^)

Larry Greenblatt
“Securing a Future of Abundance for the Common Good”