Title: PKI: Real World Deployment and Digital Signatures for Web Forms Mellon NYC RIT Scholarly Communicati
1PKI Real World DeploymentandDigital Signatures
for Web FormsMellon NYC RIT Scholarly
Communications RetreatMarch 29, 2005Mark
FranklinPKI Lab
2Dartmouth PKI Lab
- Initiative to make end user PKI really happen in
higher education - On-campus deployment
- Outreach
- Deployment effort is part of central computing
organization, which has close affiliation and
synergy with Dartmouth PKI research led by
Professor Sean Smith (also co-director of ISTS
security institute) the PKI Lab - Helping develop inter-institutional trust by
hosting HEBCA and USHER CAs - Sponsored by Mellon Foundation. (Base that has
enabled other work as well.)
3Key Reasons for End User PKI
- Cryptographic authentication provides greater
resistance to the plethora of attacks on our
system - Authenticates users with greater assurance than
current systems allow, including enabling users
to digitally sign transactions
4Our Systems Are Under Constant Attack
- Sinister Proxies (e.g. MarketScore)
- Disgruntled insiders
- Trojan horses
- Worms
- Viruses
- Spam
- Hackers
- Script kiddies
5Some of These Attacks Succeed Spectacularly
- Loss of personal data
- Outages
- Potentially huge costs
- Productivity loss
- (user and IT staff)
- Remediation
- User notification
- Bad publicity, loss of credibility
- Lawsuits?
- See Damage Control When Your Security Incident
Hits the 6 OClock News - www.educause.edu/ir/library/ra/EDU0307.ram
6IT Security Risks Escalate
- More and more important information and
transactions are online - Personal identity information
- Financial transactions
- Patient health data
- Licensed materials
- Confidential research data
- We must comply with increasingly strict
regulations - Health information - HIPAA http//www.hhs.gov/ocr
/hipaa/ - Educational records - FERPA http//www.ed.gov/pol
icy/gen/guid/fpco/ferpa/index.html
7Dartmouth User Studies Surveys(Data courtesy of
Professor Denise Anthony, Sociology)
- Dartmouth students surveyed
- 75 have shared their password
- Over 50 did NOT change it afterward
- Nearly two-thirds never change password
- 36 use same password for all apps/sites
- all websites that require password
- no distinction between secure (SSL) and
non-secure websites
8Security Behavior OnlineHow often check browser
security signals when submitting sensitive
information?
9Link between concern and behavior
10How concerned are users?
- 2002 National data (UCLA)
- 54 very/extremely concerned about privacy when
purchasing online - 11.2 not at all (up from 5.5)
- Non-purchasers (58) more concerned than
purchasers (33) - New users (65) more concerned than experienced
users (47) - Methods to reduce concerns
- 23 Nothing!
- 6 better technology
- 27 guarantee/3rd party verification/Gov
regulation
11Implications(Last of Denise Anthony Data)
- Not evaluating security of websites
- Dont use security signals
- Dont know what to look for
- Engage in un-secure behavior
- Users already trust infrastructure
- Rely on reputation of company
- Expectation that technology is secure
- Want assurance that system works
- Third party incentives/regulation of security
12Users Hate Passwords
- Too many to manage, so users
- Re-use same password
- Use weak (easy to remember) passwords
- Rely on remember my password crutches
- Write them on post-it notes
- Password help desk calls cost 25 - 200 each
(IDC) - As we put more services online, it just gets
worse
13Password Sharing
- Corrupts value of username/password for
authentication and authorization. - Social engineering investigations in CS38
www.cs.dartmouth.edu/sws/papers/eq.pdf - We need to address password sharing, and
two-factor authentication (PKI tokens for all
Dartmouth users) is how we are implementing this.
14PKIs Answer to Password Woes
- Beyond HTTPS/SSL PKI can authenticate clients
too - Passwords never on network - managed solely by
user on token, only used to unlock PKI private
key - Cost-effective two factor authentication
- Widely supported in all sorts of applications
(web-based and otherwise) - Easy, consistent password recovery for all
applications
15Underlying Key Technology
- Asymmetric encryption uses a pair of asymmetric
keys, each is the only way to decrypt data
encrypted by the other. - One key is private and carefully protected by its
holder. The other is public and freely
distributed. - In authentication, the server challenges the
client to encrypt or decrypt something with the
private key. Its ability to do so proves its
identity. - Private key and password always stay in the
users possession.
16Production PKI Applications at Dartmouth
- Dartmouth certificate authority
- 877 active students have certificates
- 1259 total end user certificates
- PKI authentication in production for
- Banner Student Information System
- Tuck School of Business Portal
- Blackboard CMS
- Library Electronic Journals
- Software downloads
- VPN concentrator
- SSL/load balancing appliance
- Mixed client environment (Windows, Macintosh,
Linux)
17Current Deployment Efforts at Dartmouth
- Actively deploying
- Hardware tokens for authentication
- Required for VPN access to secured subnets
- Authentication for network access (wired and
wireless) - Active Directory smartcard (token) logon
- Digitally signed web form for transcript
requests. - Implementing S/MIME email in our Blitzmail email
client. - F5 authentication appliance client-side PKI
authentication in a box. - We intend to reach all Dartmouth users with PKI
through continued deployment of applications and
increasing incentives and requirement for its
use.
18PKI Tokens for Private Subnets
- Department authorization groups (web application
enables group maintenance by the department) - Each group has a certain VPN private IP address
range - VPN concentrator and RADIUS assign users a
private IP address from their group only if they
have valid high assurance (token) credentials - Firewalls allow access to that departments
services only from its IP address range - Users need a token to get access to their daily
work - Deployed and working well at HR, Payroll, planned
at Health Services, Dean of Faculty Office,
International Student Office, and many other
departments.
19BeyondAuthenticationDigital Signatures
- Our computerized world still runs on handwritten
signatures on paper. - PKI enables digital signatures which can enable
vastly more efficient business processes. - Federal digital signature information
- http//museum.nist.gov/exhibits/timeline/item.cfm?
itemId78
20How Digital Signatures Work
- Signer computes content digest, encrypts with own
private key. - Reader decrypts with signers public key.
- Reader re-computes content digest and verifies
match with original detects modification of
signed data. - Only signer has private key, so no one else can
spoof their digital signature.
21Open Source Web Forms Signing Toolkit
- Easily add PKI digital signatures to web
- applications
- Builds on existing web application infrastructure
- Requires only a browser on client
- Flexible toolkit and sample application will
adapt to the needs of many institutions - Verify signatures on submission and archive them
for later referral - All open source, standards-based implementation
- Any web server, open source DB, FireFox (also
IE), openSSL or IAIK, Java or Perl or Python or
PHP or
22Benefits of Digitally Signing Web Forms
- Electronic equivalent of signed paper forms
- Enables business processes that are
- More convenient
- Faster
- More efficient Easy to implement in existing
application infrastructure - Store the transaction with its signature for
later verification and proof - Strongest of the electronic signatures
23uPortal
- Integrate digitally signed web forms
- Release of sensitive user data
- Transcripts
- Health data
- Personal financial information
- References to Dartmouth web for info on using PKI
authentication with uPortal
24Kuali
- Integrate digitally signed web forms
- High transactions
- Authorization for sensitive information release
- Paperless filing of signed forms in database
- Automatic digital signature verification as
appropriate when viewing data - References to Dartmouth web for info on using PKI
authentication with Kuali
25Sakai
- Integrate digitally signed web forms
- Proof of submission, attestation of ones own
work - Assignments
- Online tests
- References to Dartmouth web for info on using PKI
authentication with Sakai
26Fedora
- References to Dartmouth web for info on using PKI
authentication with Fedora client application
27Westwood/Chandler
- Finish PKI user authentication
- Finish implementing S/MIME email
28Lionshare
- Implement PKI authentication for end users
- With institutional PKI
- Without institutional PKI (per our proposal last
year)
29EDUCAUSE Dartmouth PKI Deployment Summit
- July 25 27, 2005
- Dartmouth College
- Hanover, NH
- Details coming Real Soon Now on
www.dartmouth.edu/deploypki .
30PKI, Shibboleth, and Pubcookie
- Differences in scope
- Shibboleth focused on federation-based
inter-institutional trust - Pubcookie focused on single/fewer sign-on for web
applicaations - Only PKI offers digital signatures
- Interoperate with each other (especially
Shibboleth and PKI) - Overlap
- Inter-institutional trust (HEBCA USHER for PKI
federations for Shibboleth) - Single/fewer sign-on (cookies versus single
password on PKI credentials) - Differences in technology
- Asymmetric key encryption, treatment of passwords
31For More Information
- Outreach web
- www.dartmouth.edu/deploypki
- Dartmouth PKI Lab
- PKI Lab information
- www.dartmouth.edu/pkilab
- Dartmouth user information, getting a Dartmouth
certificate - www.dartmouth.edu/pki
- Mark.J.Franklin_at_dartmouth.edu