PKI: Real World Deployment and Digital Signatures for Web Forms Mellon NYC RIT Scholarly Communicati - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
PKI: Real World Deployment and Digital Signatures for Web Forms
Mellon NYC RIT Scholarly Communications Retreat
March 29, 2005
Mark Franklin
PKI Lab
2
Dartmouth PKI Lab
  • Initiative to make end user PKI really happen in
    higher education
  • On-campus deployment
  • Outreach
  • Deployment effort is part of central computing
    organization, which has close affiliation and
    synergy with Dartmouth PKI research led by
    Professor Sean Smith (also co-director of ISTS
    security institute) - the PKI Lab
  • Helping develop inter-institutional trust by
    hosting HEBCA and USHER CAs
  • Sponsored by Mellon Foundation. (Base that has
    enabled other work as well.)

3
Key Reasons for End User PKI
  • Cryptographic authentication provides greater
    resistance to the plethora of attacks on our
    system
  • Authenticates users with greater assurance than
    current systems allow, including enabling users
    to digitally sign transactions

4
Our Systems Are Under Constant Attack
  • Sinister Proxies (e.g. MarketScore)
  • Disgruntled insiders
  • Trojan horses
  • Worms
  • Viruses
  • Spam
  • Hackers
  • Script kiddies

5
Some of These Attacks Succeed Spectacularly
  • Loss of personal data
  • Outages
  • Potentially huge costs
  • Productivity loss (user and IT staff)
  • Remediation
  • User notification
  • Bad publicity, loss of credibility
  • Lawsuits?
  • See "Damage Control: When Your Security Incident
    Hits the 6 O'Clock News":
    www.educause.edu/ir/library/ra/EDU0307.ram

6
IT Security Risks Escalate
  • More and more important information and
    transactions are online
      • Personal identity information
      • Financial transactions
      • Patient health data
      • Licensed materials
      • Confidential research data
  • We must comply with increasingly strict
    regulations
      • Health information - HIPAA: http://www.hhs.gov/ocr/hipaa/
      • Educational records - FERPA: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

7
Dartmouth User Studies Surveys (Data courtesy of
Professor Denise Anthony, Sociology)
  • Dartmouth students surveyed
  • 75% have shared their password
  • Over 50% did NOT change it afterward
  • Nearly two-thirds never change password
  • 36% use same password for all apps/sites
  • all websites that require password
  • no distinction between secure (SSL) and
    non-secure websites

8
Security Behavior Online
How often check browser security signals when
submitting sensitive information?
9
Link between concern and behavior
10
How concerned are users?
  • 2002 National data (UCLA)
  • 54% very/extremely concerned about privacy when
    purchasing online
  • 11.2% not at all (up from 5.5%)
  • Non-purchasers (58%) more concerned than
    purchasers (33%)
  • New users (65%) more concerned than experienced
    users (47%)
  • Methods to reduce concerns
  • 23% Nothing!
  • 6% better technology
  • 27% guarantee/3rd party verification/Gov
    regulation

11
Implications (Last of Denise Anthony Data)
  • Not evaluating security of websites
  • Don't use security signals
  • Don't know what to look for
  • Engage in un-secure behavior
  • Users already trust infrastructure
  • Rely on reputation of company
  • Expectation that technology is secure
  • Want assurance that system works
  • Third party incentives/regulation of security

12
Users Hate Passwords
  • Too many to manage, so users:
      • Re-use same password
      • Use weak (easy to remember) passwords
      • Rely on "remember my password" crutches
      • Write them on post-it notes
  • Password help desk calls cost $25 - $200 each
    (IDC)
  • As we put more services online, it just gets
    worse

13
Password Sharing
  • Corrupts value of username/password for
    authentication and authorization.
  • Social engineering investigations in CS38:
    www.cs.dartmouth.edu/sws/papers/eq.pdf
  • We need to address password sharing, and
    two-factor authentication (PKI tokens for all
    Dartmouth users) is how we are implementing this.

14
PKI's Answer to Password Woes
  • Beyond HTTPS/SSL: PKI can authenticate clients
    too
  • Passwords never on network - managed solely by
    user on token, only used to unlock PKI private
    key
  • Cost-effective two factor authentication
  • Widely supported in all sorts of applications
    (web-based and otherwise)
  • Easy, consistent password recovery for all
    applications

15
Underlying Key Technology
  • Asymmetric encryption uses a pair of asymmetric
    keys; each is the only way to decrypt data
    encrypted by the other.
  • One key is private and carefully protected by its
    holder. The other is public and freely
    distributed.
  • In authentication, the server challenges the
    client to encrypt or decrypt something with the
    private key. Its ability to do so proves its
    identity.
  • Private key and password always stay in the
    user's possession.
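
Added example (not part of the original slides): the challenge-response step above, sketched with Node's built-in crypto module. Here the client's proof is a signature over a random server challenge; the class and function names are hypothetical, and the public key is assumed to come from an already-validated certificate.

```javascript
const crypto = require('crypto');

// Server side: holds only the user's public key (in a real deployment it comes
// from the user's certificate after CA validation, which is assumed here).
class AuthServer {
  constructor(userPublicKey) {
    this.userPublicKey = userPublicKey;
    this.pending = new Set(); // challenges issued and not yet answered
  }
  issueChallenge() {
    const nonce = crypto.randomBytes(32).toString('hex');
    this.pending.add(nonce);
    return nonce;
  }
  verifyResponse(nonce, signatureB64) {
    // Each challenge is single-use: unknown or already-consumed nonces fail,
    // so a captured response cannot be replayed.
    if (!this.pending.delete(nonce)) return false;
    return crypto.verify('sha256', Buffer.from(nonce), this.userPublicKey,
      Buffer.from(signatureB64, 'base64'));
  }
}

// Client side: the private key never leaves the user; only the signature does.
function clientRespond(nonce, privateKey) {
  return crypto.sign('sha256', Buffer.from(nonce), privateKey).toString('base64');
}

function demoAuth() {
  const user = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const other = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const server = new AuthServer(user.publicKey);

  const c1 = server.issueChallenge();
  const r1 = clientRespond(c1, user.privateKey);
  const genuine = server.verifyResponse(c1, r1);   // holder of the right key
  const replayed = server.verifyResponse(c1, r1);  // same response sent again

  const c2 = server.issueChallenge();
  const wrongKey = server.verifyResponse(c2, clientRespond(c2, other.privateKey));
  return { genuine, replayed, wrongKey };
}

console.log(demoAuth());
```

No password or private key crosses the network in this exchange; the server sees only the nonce it issued and a signature over it.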

16
Production PKI Applications at Dartmouth
  • Dartmouth certificate authority
      • 877 active students have certificates
      • 1259 total end user certificates
  • PKI authentication in production for:
      • Banner Student Information System
      • Tuck School of Business Portal
      • Blackboard CMS
      • Library Electronic Journals
      • Software downloads
      • VPN concentrator
      • SSL/load balancing appliance
  • Mixed client environment (Windows, Macintosh,
    Linux)

17
Current Deployment Efforts at Dartmouth
  • Actively deploying
  • Hardware tokens for authentication
  • Required for VPN access to secured subnets
  • Authentication for network access (wired and
    wireless)
  • Active Directory smartcard (token) logon
  • Digitally signed web form for transcript
    requests.
  • Implementing S/MIME email in our Blitzmail email
    client.
  • F5 authentication appliance: client-side PKI
    authentication in a box.
  • We intend to reach all Dartmouth users with PKI
    through continued deployment of applications and
    increasing incentives and requirement for its
    use.

18
PKI Tokens for Private Subnets
  • Department authorization groups (web application
    enables group maintenance by the department)
  • Each group has a certain VPN private IP address
    range
  • VPN concentrator and RADIUS assign users a
    private IP address from their group only if they
    have valid high assurance (token) credentials
  • Firewalls allow access to that department's
    services only from its IP address range
  • Users need a token to get access to their daily
    work
  • Deployed and working well at HR, Payroll, planned
    at Health Services, Dean of Faculty Office,
    International Student Office, and many other
    departments.

19
Beyond Authentication: Digital Signatures
  • Our computerized world still runs on handwritten
    signatures on paper.
  • PKI enables digital signatures which can enable
    vastly more efficient business processes.
  • Federal digital signature information:
    http://museum.nist.gov/exhibits/timeline/item.cfm?itemId=78

20
How Digital Signatures Work
  • Signer computes content digest, encrypts with own
    private key.
  • Reader decrypts with signer's public key.
  • Reader re-computes content digest and verifies
    match with original - detects modification of
    signed data.
  • Only signer has private key, so no one else can
    spoof their digital signature.

21
Open Source Web Forms Signing Toolkit
  • Easily add PKI digital signatures to web
    applications
  • Builds on existing web application infrastructure
  • Requires only a browser on client
  • Flexible toolkit and sample application will
    adapt to the needs of many institutions
  • Verify signatures on submission and archive them
    for later referral
  • All open source, standards-based implementation
  • Any web server, open source DB, Firefox (also
    IE), OpenSSL or IAIK, Java or Perl or Python or
    PHP or
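
Added example (not the toolkit's own code, and not from the original slides): the sign, verify-on-submission and archive flow from the two slides above, using Node's built-in crypto module. The function names, the canonical field encoding and the sample transcript request are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Both sides must digest identical bytes, so fields are serialized in one
// canonical order (sorted by name) before signing or verifying.
function canonicalize(fields) {
  return JSON.stringify(Object.keys(fields).sort().map((k) => [k, String(fields[k])]));
}

// Signer: digest the canonical form and sign it with the private key.
function signForm(fields, privateKey) {
  return crypto.sign('sha256', Buffer.from(canonicalize(fields)), privateKey).toString('base64');
}

function checkSignature(canonical, signatureB64, publicKey) {
  return crypto.verify('sha256', Buffer.from(canonical), publicKey,
    Buffer.from(signatureB64, 'base64'));
}

// Server: verify on submission; archive the exact signed bytes with the
// signature so the record can be re-verified later.
function submitForm(archive, fields, signatureB64, signerPublicKey) {
  const canonical = canonicalize(fields);
  const ok = checkSignature(canonical, signatureB64, signerPublicKey);
  if (ok) archive.push({ canonical, signature: signatureB64 });
  return ok;
}

function demoSignedForm() {
  // Assumption: in production the public key is taken from the signer's
  // certificate after validating it against the issuing CA.
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const archive = [];
  // Constructed sample input: a transcript request form.
  const form = { student: 'A. Student', copies: '2', sendTo: 'Registrar, Example University' };
  const sig = signForm(form, privateKey);

  const accepted = submitForm(archive, form, sig, publicKey);
  const reordered = submitForm(archive,
    { sendTo: form.sendTo, copies: '2', student: form.student }, sig, publicKey);
  const tampered = submitForm(archive, { ...form, copies: '20' }, sig, publicKey);

  // Later referral: an archived record still verifies; an edited copy does not.
  const edited = archive[0].canonical.replace('"2"', '"9"');
  return {
    accepted, reordered, tampered, archived: archive.length,
    archiveIntact: checkSignature(archive[0].canonical, archive[0].signature, publicKey),
    editDetected: !checkSignature(edited, archive[0].signature, publicKey),
  };
}

console.log(demoSignedForm());
```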

22
Benefits of Digitally Signing Web Forms
  • Electronic equivalent of signed paper forms
  • Enables business processes that are:
      • More convenient
      • Faster
      • More efficient
  • Easy to implement in existing
    application infrastructure
  • Store the transaction with its signature for
    later verification and proof
  • Strongest of the electronic signatures

23
uPortal
  • Integrate digitally signed web forms
  • Release of sensitive user data
  • Transcripts
  • Health data
  • Personal financial information
  • References to Dartmouth web for info on using PKI
    authentication with uPortal

24
Kuali
  • Integrate digitally signed web forms
  • High transactions
  • Authorization for sensitive information release
  • Paperless filing of signed forms in database
  • Automatic digital signature verification as
    appropriate when viewing data
  • References to Dartmouth web for info on using PKI
    authentication with Kuali

25
Sakai
  • Integrate digitally signed web forms
  • Proof of submission, attestation of one's own
    work
  • Assignments
  • Online tests
  • References to Dartmouth web for info on using PKI
    authentication with Sakai

26
Fedora
  • References to Dartmouth web for info on using PKI
    authentication with Fedora client application

27
Westwood/Chandler
  • Finish PKI user authentication
  • Finish implementing S/MIME email

28
Lionshare
  • Implement PKI authentication for end users
  • With institutional PKI
  • Without institutional PKI (per our proposal last
    year)

29
EDUCAUSE Dartmouth PKI Deployment Summit
  • July 25-27, 2005
  • Dartmouth College
  • Hanover, NH
  • Details coming Real Soon Now on
    www.dartmouth.edu/deploypki.

30
PKI, Shibboleth, and Pubcookie
  • Differences in scope
      • Shibboleth focused on federation-based
        inter-institutional trust
      • Pubcookie focused on single/fewer sign-on for web
        applications
      • Only PKI offers digital signatures
  • Interoperate with each other (especially
    Shibboleth and PKI)
  • Overlap
      • Inter-institutional trust (HEBCA and USHER for PKI,
        federations for Shibboleth)
      • Single/fewer sign-on (cookies versus single
        password on PKI credentials)
  • Differences in technology
      • Asymmetric key encryption, treatment of passwords

31
For More Information
  • Outreach web
  • www.dartmouth.edu/deploypki
  • Dartmouth PKI Lab
  • PKI Lab information
  • www.dartmouth.edu/pkilab
  • Dartmouth user information, getting a Dartmouth
    certificate
  • www.dartmouth.edu/pki
  • Mark.J.Franklin_at_dartmouth.edu