Title: PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Southwest Regional Conference February 26, 2004
1. PKI: A Technology Whose Time Has Come in Higher Education
EDUCAUSE Southwest Regional Conference, February 26, 2004
2. Our Systems Are Under Constant Attack
- Trojan horses
- Worms
- Viruses
- Spam
- Hackers
- Disgruntled insiders
- Script kiddies
3. Some of These Attacks Succeed Spectacularly
- Loss of personal data
- Outages
- Potentially huge costs
  - Productivity loss (user and IT staff)
  - Remediation
  - User notification
- Bad publicity, loss of credibility
- Lawsuits?
- For real-life examples involving thousands of users see the excellent EDUCAUSE session entitled "Damage Control: When Your Security Incident Hits the 6 O'Clock News": www.educause.edu/ir/library/ra/EDU0307.ram
4. IT Security Risks Escalate
- More and more important information and transactions are online
  - Personal identity information
  - Financial transactions
  - Course enrollment, grades
  - Tests
  - Licensed materials
  - Confidential research data
- We must comply with increasingly strict regulations
  - Health information: HIPAA, http://www.hhs.gov/ocr/hipaa/
  - Educational records: FERPA, http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
5. Specific Example: Email
- Spoofing email is trivial (simple setting in most email clients)
  - Spoofed message from professor postponing a final
  - Inappropriate message seemingly from College President to female student
- Email is like a postcard written in pencil
  - Others on network can see (or even modify) contents if not encrypted (really easy on wireless!)
  - You may use SSL, but what about other hops between mail servers?
- Viruses or worms can forward random messages from email archives to random recipients in address book
  - HR employee forwarding salary data to random employees
6. Specific Example: Student Information System
- Provides online enrollment, schedule, grades
- FERPA protected information
- Available to hackers
- Q: What if someone hacks your authentication system and downloads grades from thousands of students?
- A: You are probably obligated by law to notify every individual whose grades may have been exposed!
7. Problems With Centralized Passwords
8. Managing the Multitude: User Perspective
- Users HATE username/passwords
  - Too many for them to manage
  - Re-use same password
  - Use weak (easy to remember) passwords
  - Rely on "remember my password" crutches
- Forgotten password help desk calls cost $25-$200 each (IDC) and are far too common
- As we put more services online, it just gets worse
9. Managing the Multitude: Admin Perspective
- Many different username/password schemes to learn, set up, and administer
- Backups, password resets, revoking access, initial password values, etc.
- Multiple administrators have access to usernames/passwords: many points of failure
10. Ending the Madness
- Traditional approaches
  - Single password
  - Single sign-on, fewer sign-ons
- PKI
  - Local password management by end user
  - Two factor authentication
11. Single Password
- Users like it, but...
- Requires synchronizing passwords (inherently problematic); actually makes admin madness worse!
- Single username/password becomes single point of failure: hack weakest application and get passwords to all applications!
- Costly to maintain and difficult to make work well.
- Password databases exposed on network and to administrators, as vulnerable as your weakest application.
12. Single Sign-on, Fewer Sign-ons
- More secure, provides some relief for users, but...
- Requires infrastructure (e.g. WebISO or Kerberos sidecar).
- Fewer sign-ons still has synchronization problems.
- Single sign-on solutions are typically for web applications only.
- Kerberos sidecar has problems with address translation and firewalls and is not widely supported.
- Password database still exposed on network and to administrators.
13. Password Sharing
- Corrupts value of username/password for authentication and authorization.
- Users do share passwords: PKI Lab survey of 171 undergraduates revealed that 75% of them shared their password and fewer than half of those changed it after sharing.
- We need two factor authentication to address password sharing.
14. PKI's Answer to Password Woes
- Users manage their own (single or few) passwords.
- Cost-effective two factor authentication.
- Widely supported alternative for authentication to all sorts of applications (both web-based and otherwise).
15. PKI Passwords Are Local to Client
- PKI eliminates user passwords on network servers.
- Password to PKI credentials is local, in the application key store or in a hardware token.
- User manages the password and only has one per set of credentials (likely only one or two).
- Still need a process for forgotten passwords, but it is only one for all applications using PKI authentication, and users are much less likely to forget it since they use it frequently and control it themselves.
16. Underlying Key Technology
- Asymmetric encryption: a pair of asymmetric keys is used, one to encrypt, the other to decrypt.
- Each key can only decrypt data encrypted with the other.
- One key is private and carefully protected by its holder. The other is public and freely distributed.
- Authentication challenges the supplicant to encrypt something with the private key. If it decrypts properly with the public key, then they have proven who they are.
- Private key and password always stay in the user's possession.
17. PKI Enables Single Password and Single Sign-on
- User maintains one password on their credentials.
- PKI credentials authenticate user to the various services they use via PKI standards.
- No need for password synchronization.
- No additional infrastructure other than standard PKI and simple, standard hooks for PKI authentication in applications.
- Typically less effort to enable PKI authentication than other SSO methods.
18. PKI Provides Two Factor Authentication
- Requires something the user has (credentials stored in the application or a smartcard or token) in addition to something a user knows (local password for the credentials).
- Significant security improvement, especially with smartcard or token (a post-it next to the screen is no longer a major security hole).
- Reduces risk of password sharing.
19. But Wait, There's More: Other Benefits of PKI
20. Digital Signatures
- Our computerized world still relies heavily on handwritten signatures.
- PKI allows digital signatures, recognized by Federal Government as legal signatures
  - Reduce paperwork with electronic forms.
  - Much faster and more traceable business processes.
  - Improved assurance of electronic transactions (e.g. really know who that email was from).
- Federal digital signature information
  - http://museum.nist.gov/exhibits/timeline/item.cfm?itemId=78
21. Digital Signatures
- Signer computes content digest, encrypts with their private key.
- Reader decrypts with signer's public key.
- Reader re-computes the content digest and verifies match with original: guarantees no one has modified signed data.
- Only signer has private key, so no one else can spoof their digital signature.
22. Encryption
- Strong encryption with extensible number of bits in key.
- Can use same PKI digital credentials as authentication and digital signatures.
- More leverage of the PK Infrastructure.
- Easy to encrypt data for any individual without prior exchange of information: simply look up their certificate, which contains their public key.
23. Encryption
- Asymmetric encryption prevents need for shared secrets.
- Anyone encrypts with public key of recipient.
- Only the recipient can decrypt with their private key.
- Private key is secret and protected, so bad guys can't read encrypted data.
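The three operations described on slides 16, 21 and 23 (challenge-response authentication, digital signatures over a content digest, and public-key encryption) in one runnable walk-through. This is an added example, not code from the presentation or the Dartmouth PKI Lab. It uses textbook RSA with constructed small Mersenne primes and no padding so the arithmetic stays visible; real deployments use 2048-bit or larger random primes and PKCS#1 padding, and encrypt a symmetric session key rather than the data itself. The function names (make_keypair, sign, verify, authenticate, encrypt, decrypt) and the sample messages are my own.

```python
"""Toy RSA walk-through of slides 16, 21 and 23. Constructed example, not
Dartmouth PKI Lab code. Textbook RSA: small primes, no padding, no key sizes
a real CA would accept. Only the structure of each operation is the point."""
import hashlib
import secrets

# Constructed demonstration primes (Mersenne primes M61, M31, M89) so the
# numbers stay readable. A real key pair uses large random primes.
P_USER, Q_USER = 2**61 - 1, 2**31 - 1
P_IMPOSTOR, Q_IMPOSTOR = 2**89 - 1, 2**61 - 1
E = 65537  # common public exponent


def make_keypair(p, q):
    """Slide 16: one key is public and freely distributed, the other private.
    Returns ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: E * d == 1 (mod phi)
    return (E, n), (d, n)


def digest_int(data, n):
    """SHA-256 digest of data as an integer below n (toy stand-in for the
    PKCS#1 encoding a real signature scheme applies to the digest)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data):
    """Slide 21: signer computes the content digest and 'encrypts' it with
    the private key. Only the private key holder can produce this value."""
    d, n = private_key
    return pow(digest_int(data, n), d, n)


def verify(public_key, data, signature):
    """Slide 21: reader 'decrypts' with the signer's public key, re-computes
    the digest of what they received, and checks that the two match."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(data, n)


def authenticate(enrolled_public_key, supplicant_private_key):
    """Slide 16: the verifier challenges the supplicant with a fresh random
    nonce; the supplicant signs it with the private key; the verifier checks
    the response with the public key it has on file. The nonce is new per
    attempt, so a captured response cannot be replayed, and the password that
    unlocks the private key never leaves the client."""
    nonce = secrets.token_bytes(16)
    response = sign(supplicant_private_key, nonce)
    return verify(enrolled_public_key, nonce, response)


def encrypt(public_key, plaintext):
    """Slide 23: anyone encrypts with the recipient's public key, no shared
    secret needed. Textbook RSA needs the message integer below n, which is
    why real systems encrypt a short symmetric key, not the document."""
    e, n = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too large for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    """Slide 23: only the private key holder can recover the plaintext."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    user_pub, user_priv = make_keypair(P_USER, Q_USER)
    imp_pub, imp_priv = make_keypair(P_IMPOSTOR, Q_IMPOSTOR)
    print("genuine user authenticates:", authenticate(user_pub, user_priv))
    print("impostor key authenticates:", authenticate(user_pub, imp_priv))
    doc = b"grade report: A"  # constructed sample document
    sig = sign(user_priv, doc)
    print("signature verifies:", verify(user_pub, doc, sig))
    print("tampered document verifies:", verify(user_pub, b"grade report: B", sig))
    ct = encrypt(user_pub, b"session-key")
    print("decrypted:", decrypt(user_priv, ct))
```

The tampered-document and impostor-key checks are the practical content of slides 16 and 21: a signature binds the signer's private key to one exact digest, so changing a byte of the document or presenting a key that is not the enrolled one fails verification without the verifier ever holding a secret.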
24. Benefit: User Convenience
- Fewer passwords!
- Consistent mechanism for authentication that they only have to learn once. (UT Houston Medical Center users now request that all network services use PKI authentication.)
- Same user credentials for authentication, digital signatures, and encryption: lots of payback for users' effort to acquire and manage the credentials.
25. Benefit: Coherent Enterprise-Wide Security Administration
- Centralized issuance and revocation of user credentials (goes hand in hand with identity management).
- Consistent identity checking when issuing certificates.
- Same authentication mechanism for all network services.
- Leverage investment in tokens or smart cards across many applications.
26. Interoperability With Other Institutions
- Inter-institution trust allows identity verification and encryption using credentials issued by a trusted collaborating institution
  - Signed forms and documents for business process (e.g. grant applications, financial aid forms, government reports)
  - Signed and encrypted email from a colleague at another school
  - Authentication to applications shared among consortiums of schools
  - Peer to peer authentication for secure information sharing
27. Standards Based Solution
- Standards provide interoperability among multiple vendors and open source.
- Wide variety of implementations available and broad coverage of application space.
- Level playing field for open source and new vendors promotes innovation and healthy competition.
28. Unequaled Client and Server Support
- Windows, Macintosh, Linux, Solaris, UNIX
- Software and hardware key storage
- Commercial and open source
- Development libraries, toolkits and applications
- Certificate Authority, directory, escrow, revocation, and other infrastructure tools
- Apache, Oracle, IIS, SSL, Web Services, Shibboleth, etc.
- Applications from Microsoft, Sun, Cisco, IBM, BEA, RSA, Verisign, DST, Entrust, AOL, Adobe, Infomosaic, Aladdin, Schlumberger, and many others
- For more about applications of PKI: www.dartmouth.edu/deploypki/applications.html
29. Momentum Outside Higher Education
- Industry support for PKI
- Federal and State governments major adopters
- Microsoft, Johnson and Johnson, Disney, heavy industry adopters
- Major deployment in Europe
- China pushing WAPI wireless authentication that requires PKI
- Web Services (SAML uses PKI signed assertions)
30. Likely Federal Opportunities
- FBCA, HEBCA bridge projects
- Proof of concept NIH EDUCAUSE project to demonstrate digitally signing documents for submission to the Federal government
- Possible DOE, NSF, NIH applications for Higher Education?
31. Dartmouth PKI Lab
- R&D to make PKI a practical component of campus networks
- Multi-campus collaboration sponsored by the Mellon Foundation
- Dual objectives
  - Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
  - Improve the current state of the art.
    - Identify security issues in current products.
    - Develop solutions to the problems.
32. Production PKI Applications at Dartmouth
- Dartmouth certificate authority
  - Over 700 end user certificates issued, 483 of them for students
- Authentication for
  - Banner Student Information System
  - Library Electronic Journals
  - Tuck School of Business Portal
  - VPN Concentrator
- S/MIME email (Outlook, Mozilla, Thunderbird)
33. Second Wave of PKI Deployment at Dartmouth
- Actively developing
  - Authentication for
    - Blackboard Course Management System
    - Software downloads
  - Hardware tokens
    - Required for VPN access to secured subnets
  - Higher assurance certificates (picture ID check)
- We plan to reach all Dartmouth users with PKI through continued deployment of applications and increasing incentives and requirements for its use
34. Investigation and Research
- Greenpass: pilot of delegation of PKI authentication credentials for wireless 802.1x guest access
  - Supported by Cisco
- Wireless authentication
  - 802.1x authentication: EAP-TLS (PKI) on Windows and Macintosh
  - WEP or improved WPA encryption
  - These work well but require up-to-date drivers (and sometimes recent hardware/firmware for WPA)
35. Open Source CA in a Box
- A hardened open source CA (based on OpenCA) bundle suitable for trial and (initially) simple deployment.
- Enforcer: TPM-hardened Linux (product of PKI Lab research)
  - Controversial TCPA technology turned to use for good and freedom
  - Secures Linux boot process and provides much enhanced run-time protection against hackers
  - Useful for any Linux server application
  - slashdot.org/article.pl?sid=03/09/10/0255245
- Packaging for easy installation
- Carefully chosen enhancements to OpenCA
  - Documentation
  - Enhanced private key protection
  - Added features
- We welcome feedback on requirements, contributions, testing, etc!
36. Deploying PKI
- PKI is a significant undertaking and requires planning and commitment.
- Get buy-in and support from management, legal, audit, others; a little fear in today's cyber world is healthy.
- Architect carefully, follow examples of others.
- Choose your initial applications carefully.
- Deploy in phases, plan for future extensibility.
- Remember, PKI ROI is excellent when leveraged broadly, but probably not strong for individual applications: take a long term view.
- More detailed project plan and how-to information for deploying PKI: www.dartmouth.edu/deploypki/deploying/
37. Outreach
- Many presentations
  - www.dartmouth.edu/deploypki/events.html
- Planning a PKI Deployment Summit
- Working with schools deploying PKI
  - PKI's inexpensive 2-factor authentication proving an attractive proposition
- Deployment partners
  - University of Wisconsin
  - University of Minnesota
  - University of Texas
  - Others getting started (USC, Yale, Brown)
- March/April EDUCAUSE Review New Horizons article
38. Blatant Advertisement
- Please check out our outreach web at www.dartmouth.edu/deploypki (still growing, but already has a lot of useful information)
- We seek a few schools that we can assist as you deploy PKI credentials and applications for end users! An explicit part of our mission is to directly assist you in the planning/justification, implementation, and deployment phases. Mark Franklin and others from the PKI Lab can work directly and extensively with your team.
39. For More Information
- Outreach web
  - www.dartmouth.edu/deploypki
- Dartmouth PKI Lab
  - PKI Lab information: www.dartmouth.edu/pkilab
  - Dartmouth user information, getting a certificate: www.dartmouth.edu/pki
- Mark.J.Franklin_at_dartmouth.edu
  - I'll happily send copies of these slides upon request.