PKI: A Technology Whose Time Has Come in Higher Education
EDUCAUSE Live! Web Seminar, May 11, 2004

Our Systems Are Under Constant Attack
The number of vulnerabilities and attack techniques continues to mushroom.
We need to improve how we secure access to applications and data.
Don’t forget the greatest threat often comes from a disgruntled insider.
Q: What if someone hacks your authentication system and potentially downloads students' grades?
A: You are probably obligated by law to notify every individual whose grades may have been exposed!

Password Problems: User Perspective
Too many passwords for users to manage, so they:
  re-use the same password,
  use weak (easy to remember) passwords,
  rely on “remember my password” crutches.
Forgotten-password help desk calls cost $25 - $200 each (IDC) and are far too common.
As we put more services online, it just gets worse…

Password Problems: Admin Perspective
Backups, password resets, revoking access, initial password values, etc.
Multiple administrators have access to usernames/passwords – many points of failure.

Password Sharing
Users do share passwords: a PKI Lab survey of 171 undergraduates revealed that 75% of them had shared their password, and fewer than half of those changed it afterwards.
We need two-factor authentication to address password sharing.

PKI Passwords Are Local to Client
The password that unlocks a user's PKI credentials (their private key) stays on the user's computer, smartcard, or token; it is never sent to a server.
The user manages that password and has only one per set of credentials (likely only one or two in total).
No need for password synchronization across services.
Standard PKI infrastructure.
A process for forgotten passwords is still needed, but forgetting is less likely: the password is used frequently and there are so few of them.

Underlying Key Technology
Each user holds a pair of mathematically related keys. One key is private and carefully protected by its holder; the other is public and freely distributed.
In authentication, the server sends the client a fresh random challenge and the client signs it with its private key. The server checks the signature with the public key from the client's certificate; only the holder of the matching private key can produce it, which proves the client's identity.
The private key and its password always stay in the user's possession.
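How such a challenge-response exchange works end to end, as an added example that is not part of the original presentation: the Go code below (standard library only, RSA-PSS over SHA-256) has the server issue a random nonce, the client sign it with its private key, and the server check the signature with the public key it holds for that user. The names alice and mallory, the Client and Server types, and registering the public key directly instead of reading it from a certificate are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Client holds the user's PKI credential. The private key never leaves the
// client; in a real deployment it lives on the user's computer, smartcard or
// token behind the local password the slides describe.
type Client struct {
	priv *rsa.PrivateKey
}

// Server knows only public keys. It would normally take them from users'
// certificates; this example (an assumption) skips the certificate layer
// and registers the public key directly.
type Server struct {
	registered map[string]*rsa.PublicKey
}

// NewClient generates a fresh 2048-bit RSA key pair for a user.
func NewClient() (*Client, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Client{priv: priv}, nil
}

// PublicKey is the half of the credential the user can hand out freely.
func (c *Client) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// Register associates a username with its public key.
func (s *Server) Register(user string, pub *rsa.PublicKey) {
	if s.registered == nil {
		s.registered = make(map[string]*rsa.PublicKey)
	}
	s.registered[user] = pub
}

// Challenge issues a fresh 32-byte random nonce. Freshness is what prevents
// an eavesdropper from replaying a signature captured in an earlier login.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Respond proves possession of the private key by signing the nonce.
// Nothing secret is sent to the server.
func (c *Client) Respond(nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, c.priv, crypto.SHA256, digest[:], nil)
}

// Verify checks the signature on the nonce with the public key registered
// for the claimed user. Any other key, or any other nonce, fails.
func (s *Server) Verify(user string, nonce, sig []byte) error {
	pub, ok := s.registered[user]
	if !ok {
		return errors.New("unknown user")
	}
	digest := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("authentication of %q failed: %w", user, err)
	}
	return nil
}

// RunHandshake performs one full exchange (challenge, response, verify)
// and reports whether the server accepted the client as user.
func RunHandshake(s *Server, c *Client, user string) (bool, error) {
	nonce, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := c.Respond(nonce)
	if err != nil {
		return false, err
	}
	return s.Verify(user, nonce, sig) == nil, nil
}

func main() {
	alice, _ := NewClient()
	mallory, _ := NewClient() // an impostor with her own key pair
	srv := &Server{}
	srv.Register("alice", alice.PublicKey())

	ok, _ := RunHandshake(srv, alice, "alice")
	fmt.Println("alice with her own key accepted:", ok)
	ok, _ = RunHandshake(srv, mallory, "alice")
	fmt.Println("mallory claiming to be alice accepted:", ok)

	// Replay: a signature captured for one nonce is useless against the next one.
	n1, _ := srv.Challenge()
	sig1, _ := alice.Respond(n1)
	n2, _ := srv.Challenge()
	fmt.Println("replayed signature accepted:", srv.Verify("alice", n2, sig1) == nil)
}
```

The impostor and the replayed signature both fail for the same reason: neither can produce a valid signature over the server's current nonce with Alice's private key, and that key never left her client.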

PKI Provides Two-Factor Authentication
Significant security improvement, especially with a smartcard or token: something you have (the card) plus something you know (its password), so a post-it next to the screen is no longer a major security hole.
Reduces the risk of password sharing.

PKI Benefit: Encryption
Can use the same PKI digital credentials for encryption as for authentication and digital signatures.
More leverage of the PK Infrastructure.
Encrypt data for any individual without prior exchange of information – just acquire their certificate, which contains their public key.

How PKI Encryption Works
Anyone can encrypt with the public key of the recipient.
Only the recipient can decrypt, with their private key.
The private key is secret and protected, so “bad guys” can't read the encrypted data.
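The same flow in code, as an added example that is not from the presentation. It goes one step beyond the slide by using the hybrid construction that S/MIME and similar tools use, because RSA can only encrypt a few hundred bytes directly: the data is encrypted with a fresh AES-256-GCM key, and that key is wrapped with the recipient's RSA public key (RSA-OAEP). Go standard library only; the recipient names, the Envelope type and the sample message are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what the sender transmits. The data is encrypted under a
// one-time AES-256-GCM key; that key is wrapped with the recipient's RSA
// public key (RSA-OAEP), so only the matching private key can open it.
type Envelope struct {
	WrappedKey []byte // AES key encrypted to the recipient's public key
	Nonce      []byte // GCM nonce
	Ciphertext []byte // AES-GCM output, authentication tag included
}

// GenerateRecipientKey makes a 2048-bit RSA key pair for a recipient.
func GenerateRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt needs nothing from the recipient but their public key: no shared
// secret and no prior contact.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Decrypt unwraps the data key with the private key, then opens the data.
// The wrong private key fails at the OAEP step; a modified ciphertext fails
// the GCM tag check. Either way the caller gets an error, never garbage.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged envelope")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext failed authentication: modified in transit")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := GenerateRecipientKey()   // intended recipient
	mallory, _ := GenerateRecipientKey() // someone else with their own key pair
	msg := []byte("Spring term grades for student 1234: A, A-, B+") // constructed sample

	env, _ := Encrypt(&alice.PublicKey, msg)
	pt, err := Decrypt(alice, env)
	fmt.Printf("alice decrypts: %q (err=%v)\n", pt, err)
	_, err = Decrypt(mallory, env)
	fmt.Println("mallory decrypts:", err)
	env.Ciphertext[0] ^= 0x01 // flip one bit in transit
	_, err = Decrypt(alice, env)
	fmt.Println("alice decrypts tampered envelope:", err)
}
```

The sender stores nothing secret and the recipient's private key is the only thing that can unwrap the data key, which is the slide's point; the GCM tag is what turns "bad guys can't read it" into "bad guys can't silently alter it either".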

PKI Benefit: Digital Signatures
PKI enables digital signatures, recognized by the Federal Government as legal signatures:
Reduce paperwork with electronic forms.
Much faster and more traceable business processes.
Improved assurance of electronic transactions (e.g. really know who that email was from).

How Digital Signatures Work
Signer computes a digest (hash) of the content and encrypts it with their private key; that is the signature.
Reader decrypts the signature with the signer's public key, recovering the digest.
Reader re-computes the content digest and verifies that it matches the recovered one – guarantees no one has modified the signed data.
Only the signer has the private key, so no one else can spoof their digital signature.
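The signing and checking steps as code, as an added example that is not from the presentation: Go standard library RSA PKCS#1 v1.5 with SHA-256. To show the slide's "decrypt with the signer's public key" step literally, RecoverDigest applies the public key to the signature itself and strips the padding, rather than calling the library's verify routine (which does the same check internally); the signer names, the sample form text and the function names are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
)

// sha256DigestInfo is the DER-encoded DigestInfo prefix that PKCS#1 v1.5
// places in front of a SHA-256 hash before the private-key operation.
var sha256DigestInfo = []byte{
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
	0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
}

// GenerateSignerKey makes a 2048-bit RSA key pair for a signer.
func GenerateSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Digest is the content digest that both signer and reader compute.
func Digest(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return h[:]
}

// Sign: the signer hashes the document and applies the private key to the
// padded digest (RSA PKCS#1 v1.5).
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(doc))
}

// RecoverDigest is the "decrypt with the signer's public key" step: it
// computes sig^e mod n, checks the PKCS#1 v1.5 padding and DigestInfo, and
// returns the digest the signer embedded. A signature made with any other
// private key yields an unpadded random value here and is rejected.
func RecoverDigest(pub *rsa.PublicKey, sig []byte) ([]byte, error) {
	k := pub.Size()
	if len(sig) != k {
		return nil, errors.New("signature length does not match key size")
	}
	m := new(big.Int).Exp(new(big.Int).SetBytes(sig), big.NewInt(int64(pub.E)), pub.N)
	em := m.FillBytes(make([]byte, k)) // EM = 00 || 01 || FF..FF || 00 || DigestInfo || H
	if em[0] != 0x00 || em[1] != 0x01 {
		return nil, errors.New("bad padding header")
	}
	i := 2
	for i < k && em[i] == 0xff {
		i++
	}
	if i < 10 || i >= k || em[i] != 0x00 { // at least 8 bytes of 0xff, then a 0x00 separator
		return nil, errors.New("bad padding string")
	}
	t := em[i+1:]
	if len(t) != len(sha256DigestInfo)+sha256.Size || !bytes.Equal(t[:len(sha256DigestInfo)], sha256DigestInfo) {
		return nil, errors.New("unexpected DigestInfo")
	}
	return t[len(sha256DigestInfo):], nil
}

// Verify re-computes the content digest and compares it with the recovered
// one. It is true only if the document is unmodified and the signature was
// made with the private key matching pub.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	recovered, err := RecoverDigest(pub, sig)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(recovered, Digest(doc)) == 1
}

func main() {
	alice, _ := GenerateSignerKey()
	mallory, _ := GenerateSignerKey()
	form := []byte("Grant application #42: requested amount USD 10,000") // constructed sample
	sig, _ := Sign(alice, form)

	fmt.Println("genuine form, alice's signature:", Verify(&alice.PublicKey, form, sig))
	altered := bytes.Replace(form, []byte("10,000"), []byte("90,000"), 1)
	fmt.Println("altered form, same signature:", Verify(&alice.PublicKey, altered, sig))
	forged, _ := Sign(mallory, form)
	fmt.Println("mallory's signature checked against alice's key:", Verify(&alice.PublicKey, form, forged))
}
```

The altered form fails at the digest comparison (the slide's "no one has modified signed data"); Mallory's signature fails earlier, at the padding check, because only Alice's private key produces a value that her public key turns back into a well-formed padded digest (the slide's "no one else can spoof").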

PKI Benefit: User Convenience
Consistent mechanism for authentication that users only have to learn once. (UT Houston Medical Center users now request that all network services use PKI authentication.)
Same user credentials for authentication, digital signatures, and encryption – lots of payback for the user's effort to acquire and manage the credentials.

PKI Benefit: Coherent Enterprise-Wide Security Administration
Consistent identity checking when issuing certificates.
Same authentication mechanism for all network services.
Single process to recover from lost passwords or keys (not per application).
Leverage investment in tokens or smart cards across many applications.

Interoperability With Other Institutions
Signed forms and documents for business processes (e.g. grant applications, financial aid forms, government reports).
Signed and encrypted email from a colleague at another school.
Authentication to applications shared among schools (e.g. grid).
Peer-to-peer authentication for secure information sharing.

Standards Based Solution
Wide variety of implementations available and broad coverage of the application space.
Level playing field for open source and new vendors – promotes innovation and healthy competition.

PKI Enjoys Unequaled Client, Server, and Application Support
Windows, Macintosh, Linux, Solaris, UNIX
Apache, Oracle, IIS, SSL, Web Services, Shibboleth, browsers, email, VPN, Acrobat, MS Office, AIM, and many others
Software and hardware key storage
Development libraries, toolkits and applications
Certificate Authority, directory, escrow, revocation, and other infrastructure tools

Momentum Outside Higher Education
Federal and State governments are major adopters.
Microsoft, Sun, Johnson and Johnson, Disney, and banks are heavy industry adopters.
Major deployment in Europe.
China is pushing the WAPI wireless authentication standard, which requires PKI.
Web Services (e.g. SAML uses PKI-signed assertions).

R&D to make client-side PKI a practical component of campus networks
Multi-campus collaboration sponsored by the Mellon Foundation
Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
Improve the current state of the art.
Identify security issues in current products.
Develop solutions to the problems.