PKI: A Technology Whose Time Has Come in Higher Education, EDUCAUSE Southwest Regional Conference, February 26, 2004

Slides: 40
Provided by: markf163
Learn more at: http://www.dartmouth.edu
1
PKI: A Technology Whose Time Has Come in Higher Education
EDUCAUSE Southwest Regional Conference
February 26, 2004
2
Our Systems Are Under Constant Attack
  • Trojan horses
  • Worms
  • Viruses
  • Spam
  • Hackers
  • Disgruntled insiders
  • Script kiddies

3
Some of These Attacks Succeed Spectacularly
  • Loss of personal data
  • Outages
  • Potentially huge costs
  • Productivity loss (user and IT staff)
  • Remediation
  • User notification
  • Bad publicity, loss of credibility
  • Lawsuits?
  • For real-life examples involving thousands of
    users, see the excellent EDUCAUSE session entitled
    "Damage Control: When Your Security Incident Hits
    the 6 O'Clock News":
    www.educause.edu/ir/library/ra/EDU0307.ram

4
IT Security Risks Escalate
  • More and more important information and
    transactions are online
  • Personal identity information
  • Financial transactions
  • Course enrollment, grades
  • Tests
  • Licensed materials
  • Confidential research data
  • We must comply with increasingly strict
    regulations
  • Health information - HIPAA:
    http://www.hhs.gov/ocr/hipaa/
  • Educational records - FERPA:
    http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html

5
Specific Example: Email
  • Spoofing email is trivial (simple setting in most
    email clients)
  • Spoofed message from professor postponing a final
  • Inappropriate message seemingly from College
    President to female student
  • Email is like a postcard written in pencil
  • Others on network can see (or even modify)
    contents if not encrypted (really easy on
    wireless!)
  • You may use SSL, but what about other hops
    between mail servers?
  • Viruses or worms can forward random messages from
    email archives to random recipients in address
    book
  • HR employee forwarding salary data to random
    employees

6
Specific Example: Student Information System
  • Provides online enrollment, schedule, grades
  • FERPA protected information
  • Available to hackers
  • Q: What if someone hacks your authentication
    system and downloads grades from thousands of
    students?
  • A: You are probably obligated by law to notify
    every individual whose grades may have been
    exposed!

7
Problems With Centralized Passwords
8
Managing the Multitude: User Perspective
  • Users HATE username/passwords
  • Too many for them to manage
  • Re-use same password
  • Use weak (easy to remember) passwords
  • Rely on "remember my password" crutches
  • Forgotten password help desk calls cost 25 -
    200 each (IDC) and are far too common
  • As we put more services online, it just gets
    worse

9
Managing the Multitude: Admin Perspective
  • Many different username/password schemes to
    learn, set up, and administer
  • Backups, password resets, revoking access,
    initial password values, etc.
  • Multiple administrators have access to
    usernames/passwords many points of failure

10
Ending the Madness
  • Traditional approaches
  • Single password
  • Single sign-on, fewer sign-ons
  • PKI
  • Local password management by end user
  • Two factor authentication

11
Single Password
  • Users like it, but
  • Requires synchronizing passwords (inherently
    problematic) - actually makes admin madness
    worse!
  • Single username/password becomes single point of
    failure - hack weakest application and get
    passwords to all applications!
  • Costly to maintain and difficult to make work
    well.
  • Password databases exposed on network and to
    administrators, as vulnerable as your weakest
    application.

12
Single Sign-on, Fewer Sign-ons
  • More secure, provides some relief for users,
    but
  • Requires infrastructure (e.g. WebISO or Kerberos
    sidecar).
  • Fewer sign-ons still has synchronization
    problems.
  • Single sign-on solutions are typically for web
    applications only.
  • Kerberos sidecar has problems with address
    translation and firewalls and is not widely
    supported.
  • Password database still exposed on network and to
    administrators.

13
Password Sharing
  • Corrupts value of username/password for
    authentication and authorization.
  • Users do share passwords: PKI Lab survey of 171
    undergraduates revealed that 75 of them shared
    their password and fewer than half of those
    changed it after sharing.
  • We need two factor authentication to address
    password sharing.

14
PKI's Answer to Password Woes
  • Users manage their own (single or few) passwords.
  • Cost-effective two factor authentication.
  • Widely supported alternative for authentication
    to all sorts of applications (both web-based and
    otherwise).

15
PKI Passwords Are Local to Client
  • PKI eliminates user passwords on network servers.
  • Passwords to PKI credentials are local in the
    application key store or in a hardware token.
  • User manages the password and only has one per
    set of credentials (likely only one or two).
  • Still need process for forgotten password, but it
    is only one for all applications using PKI
    authentication, and users are much less likely to
    forget it since they use it frequently and
    control it themselves.

16
Underlying Key Technology
  • Asymmetric encryption: a pair of asymmetric keys
    is used, one to encrypt, the other to decrypt.
  • Each key can only decrypt data encrypted with the
    other.
  • One key is private and carefully protected by its
    holder. The other is public and freely
    distributed.
  • Authentication challenges the supplicant to
    encrypt something with the private key. If it
    decrypts properly with the public key, then they
    have proven who they are.
  • Private key and password always stay in the
    user's possession.

17
PKI Enables Single Password and Single Sign-on
  • User maintains one password on their credentials.
  • PKI credentials authenticate user to the various
    services they use via PKI standards.
  • No need for password synchronization.
  • No additional infrastructure other than standard
    PKI and simple, standard hooks for PKI
    authentication in applications.
  • Typically less effort to enable PKI
    authentication than other SSO methods.

18
PKI Provides Two Factor Authentication
  • Requires something the user has (credentials
    stored in the application or a smartcard or
    token) in addition to something a user knows
    (local password for the credentials).
  • Significant security improvement, especially with
    smartcard or token (a post-it next to the screen
    is no longer a major security hole).
  • Reduces risk of password sharing.

19
But Wait, There's More: Other Benefits of PKI
20
Digital Signatures
  • Our computerized world still relies heavily on
    handwritten signatures.
  • PKI allows digital signatures, recognized by
    the Federal Government as legal signatures
  • Reduce paperwork with electronic forms.
  • Much faster and more traceable business
    processes.
  • Improved assurance of electronic transactions
    (e.g. really know who that email was from).
  • Federal digital signature information:
    http://museum.nist.gov/exhibits/timeline/item.cfm?itemId=78

21
Digital Signatures
  • Signer computes content digest, encrypts with
    their private key.
  • Reader decrypts with signer's public key.
  • Reader re-computes the content digest and
    verifies match with original - guarantees no one
    has modified signed data.
  • Only signer has private key, so no one else can
    spoof their digital signature.
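
The private-key challenge from the "Underlying Key Technology" slide and the sign/verify steps on this slide, as an added example that is not part of the original presentation. It uses unpadded textbook RSA with a constructed demo key so the arithmetic stays visible (real PKI software uses padded schemes such as RSASSA-PSS from a vetted library); all function names are assumptions.

```python
import hashlib
import secrets

# Constructed demo key built from two well-known Mersenne primes.
# Illustration only: unpadded "textbook" RSA with a guessable key is NOT secure.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                      # public key: freely distributed
D = pow(E, -1, (P - 1) * (Q - 1))        # private key: never leaves its holder


def digest_int(data: bytes) -> int:
    """SHA-256 content digest as an integer (always smaller than N here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Signer: compute the content digest and transform it with the private key."""
    return pow(digest_int(data), D, N)


def verify(data: bytes, signature: int) -> bool:
    """Reader: undo the transform with the public key, recompute the digest, compare."""
    return pow(signature, E, N) == digest_int(data)


def authenticate(respond) -> bool:
    """Server: send a fresh random challenge; accept only a valid signature over it.

    `respond` stands in for the supplicant (hypothetical callback: bytes -> int).
    """
    challenge = secrets.token_bytes(32)
    return verify(challenge, respond(challenge))


if __name__ == "__main__":
    msg = b"The final exam is postponed to Friday."   # constructed sample message
    sig = sign(msg)
    print("genuine message verifies:", verify(msg, sig))
    print("altered message verifies:", verify(msg.replace(b"Friday", b"Monday"), sig))
    print("key holder authenticates:", authenticate(sign))
    stale = sign(b"challenge captured earlier")       # response to an old challenge
    print("replayed response accepted:", authenticate(lambda _c: stale))
```

Because the server picks a new random challenge every time, a response recorded from an earlier session does not authenticate, and the private key itself never crosses the network.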

22
Encryption
  • Strong encryption with extensible number of bits
    in key.
  • Can use same PKI digital credentials as
    authentication and digital signatures.
  • More leverage of the PK Infrastructure.
  • Easy to encrypt data for any individual without
    prior exchange of information - simply look up
    their certificate, which contains their public key.

23
Encryption
  • Asymmetric encryption prevents need for shared
    secrets.
  • Anyone encrypts with public key of recipient.
  • Only the recipient can decrypt with their private
    key.
  • Private key is secret and protected, so "bad
    guys" can't read encrypted data.

24
Benefit: User Convenience
  • Fewer passwords!
  • Consistent mechanism for authentication that they
    only have to learn once. (UT Houston Medical
    Center users now request that all network
    services use PKI authentication.)
  • Same user credentials for authentication, digital
    signatures, and encryption - lots of payback for
    user's effort to acquire and manage the
    credentials.

25
Benefit: Coherent Enterprise-Wide Security Administration
  • Centralized issuance and revocation of user
    credentials (goes hand in hand with identity
    management).
  • Consistent identity checking when issuing
    certificates.
  • Same authentication mechanism for all network
    services.
  • Leverage investment in tokens or smart cards
    across many applications.

26
Interoperability With Other Institutions
  • Inter-institution trust allows identity
    verification and encryption using credentials
    issued by a trusted collaborating institution
  • Signed forms and documents for business process
    (e.g. grant applications, financial aid forms,
    government reports)
  • Signed and encrypted email from a colleague at
    another school
  • Authentication to applications shared among
    consortiums of schools
  • Peer to peer authentication for secure
    information sharing

27
Standards Based Solution
  • Standards provide interoperability among multiple
    vendors and open source.
  • Wide variety of implementations available and
    broad coverage of application space.
  • Level playing field for open source and new
    vendors promotes innovation and healthy
    competition.

28
Unequaled Client and Server Support
  • Windows, Macintosh, Linux, Solaris, UNIX
  • Software and hardware key storage
  • Commercial and open source
  • Development libraries, toolkits and applications
  • Certificate Authority, directory, escrow,
    revocation, and other infrastructure tools
  • Apache, Oracle, IIS, SSL, Web Services,
    Shibboleth, etc.
  • Applications from Microsoft, Sun, Cisco, IBM,
    BEA, RSA, Verisign, DST, Entrust, AOL, Adobe,
    Infomosaic, Aladdin, Schlumberger, and many
    others
  • For more about applications of PKI
  • www.dartmouth.edu/deploypki/applications.html

29
Momentum Outside Higher Education
  • Industry support for PKI
  • Federal and State governments major adopters
  • Microsoft, Johnson and Johnson, Disney, heavy
    industry adopters
  • Major deployment in Europe
  • China pushing WAPI wireless authentication that
    requires PKI
  • Web Services (SAML uses PKI signed assertions)

30
Likely Federal Opportunities
  • FBCA, HEBCA bridge projects
  • Proof of concept NIH EDUCAUSE project to
    demonstrate digitally signing documents for
    submission to the Federal government
  • Possible DOE, NSF, NIH applications for Higher
    Education?

31
Dartmouth PKI Lab
  • R&D to make PKI a practical component of campus
    networks
  • Multi-campus collaboration sponsored by the
    Mellon Foundation
  • Dual objectives
  • Deploy existing PKI technology to improve network
    applications (both at Dartmouth and elsewhere).
  • Improve the current state of the art.
  • Identify security issues in current products.
  • Develop solutions to the problems.

32
Production PKI Applications at Dartmouth
  • Dartmouth certificate authority
  • Over 700 end user certificates issued, 483 of
    them for students
  • Authentication for
  • Banner Student Information System
  • Library Electronic Journals
  • Tuck School of Business Portal
  • VPN Concentrator
  • S/MIME email (Outlook, Mozilla, Thunderbird)

33
Second Wave of PKI Deployment at Dartmouth
  • Actively developing
  • Authentication for
  • Blackboard Course Management System
  • Software downloads
  • Hardware tokens
  • Required for VPN access to secured subnets
  • Higher assurance certificates (picture ID check)
  • We plan to reach all Dartmouth users with PKI
    through continued deployment of applications and
    increasing incentives and requirement for its use

34
Investigation and Research
  • Greenpass pilot of delegation of PKI
    authentication credentials for wireless 802.1x
    guest access
  • Supported by Cisco
  • Wireless authentication
  • 802.1x authentication EAP-TLS (PKI) on Windows
    and Macintosh
  • WEP or improved WPA encryption
  • These work well but require up-to-date drivers
    (and sometimes recent hardware/firmware for WPA)

35
Open Source CA in a Box
  • A hardened open source CA (based on OpenCA)
    bundle suitable for trial and (initially) simple
    deployment.
  • Enforcer TPM-hardened Linux (product of PKI Lab
    research)
  • Controversial TCPA technology turned to use for
    good and freedom
  • Secures Linux boot process and provides much
    enhanced run-time protection against hackers
  • Useful for any Linux server application
  • slashdot.org/article.pl?sid=03/09/10/0255245
  • Packaging for easy installation
  • Carefully chosen enhancements to OpenCA
  • Documentation
  • Enhanced private key protection
  • Added features
  • We welcome feedback on requirements,
    contributions, testing, etc!

36
Deploying PKI
  • PKI is a significant undertaking and requires
    planning and commitment.
  • Get buy-in and support from management, legal,
    audit, others - a little fear in today's cyber
    world is healthy.
  • Architect carefully, follow examples of others.
  • Choose your initial applications carefully.
  • Deploy in phases, plan for future extensibility.
  • Remember, PKI ROI is excellent when leveraged
    broadly, but probably not strong for individual
    applications - take a long term view.
  • More detailed project plan and how-to information
    for deploying PKI:
    www.dartmouth.edu/deploypki/deploying/

37
Outreach
  • Many presentations
  • www.dartmouth.edu/deploypki/events.html
  • Planning a PKI Deployment Summit
  • Working with schools deploying PKI
  • PKI's inexpensive 2-factor authentication proving
    an attractive proposition
  • Deployment partners
  • University of Wisconsin
  • University of Minnesota
  • University of Texas
  • Others getting started (USC, Yale, Brown)
  • March/April EDUCAUSE Review New Horizons article

38
Blatant Advertisement
  • Please check out our outreach web at
    www.dartmouth.edu/deploypki (still growing, but
    already has a lot of useful information)
  • We seek a few schools that we can assist as you
    deploy PKI credentials and applications for end
    users! An explicit part of our mission is to
    directly assist you in the planning/justification,
    implementation, and deployment phases. Mark
    Franklin and others from the PKI Lab can work
    directly and extensively with your team.

39
For More Information
  • Outreach web
  • www.dartmouth.edu/deploypki
  • Dartmouth PKI Lab
  • PKI Lab information
  • www.dartmouth.edu/pkilab
  • Dartmouth user information, getting a
    certificate
  • www.dartmouth.edu/pki
  • Mark.J.Franklin_at_dartmouth.edu
  • I'll happily send copies of these slides upon
    request.