Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.

2 Higher Education IT Environment
Open campus: easy physical access to the wired and wireless network
Open network: no firewall or address translation between campus and the Internet, much like an ISP
Heterogeneous client computers
A mix of very knowledgeable and very naive users

3 IT Security Risks Escalate
More and more important information and transactions are online:
–Personal identity information
–Financial transactions
–Course enrollment, grades
–Tests and quizzes administered online
–Licensed materials
–Confidential research data
We must comply with increasingly strict regulations:
–Health information (HIPAA)
–Educational records (FERPA)

4 Dartmouth's Identity Management
Timesharing ('70s) and the Dartmouth Name Directory ('80s) pre-dated LDAP and Active Directory
LDAP now, with a legacy DND interface kept for backwards compatibility
Everyone has an LDAP entry
Passwords centrally managed in LDAP
Now provisioning accounts for applicants as well
An early start, but now pretty standard fare...

5 More to the Picture...
Having a good directory is important, but we also need to be sure the individual at the keyboard is who they claim to be.
Strong identity management can actually reduce security if it stops at the directory: the obscurity of many scattered, separately protected systems is gone, and one centrally managed password now unlocks every application that trusts the directory, so a single shared or phished password exposes all of them at once.

6 Password Sharing
Corrupts the value of username/password as an authenticator: the password no longer identifies one person
Sticky notes next to the computer
Files (even web pages) full of passwords
Logging co-workers onto a system so they can help
Social engineering is a huge vulnerability!

7 Users Do Share Passwords
PKI Lab survey of 171 undergraduates: 75% of them had shared a password, and fewer than 50% changed it afterwards
Social engineering examples in "Probing End-User Security Practices – Through Homework" (Prof. Sean Smith):
–Offering squirt guns in exchange for passwords was 80% effective
–83% provided their password to a bogus survey web page
Two-factor authentication is needed to address password sharing; user education alone has not worked
Lest you think your users are different, remember that students comprise the future workforce.

8 PKI Provides Two-Factor Authentication
1) Something the user has: the private key and certificate, stored in the application's keystore or on a smartcard or token
2) Something the user knows: the password that unlocks those credentials
Significant security improvement: the password alone is useless without the key
Reduces exposure to password sharing (a token is difficult to share)
Caveat: a software keystore can be copied along with the password that unlocks it, so the "has" factor is only as strong as the protection of that store. A smartcard or token never releases the key at all, which is what makes the factor genuinely hard to share.

9 Underlying Key Technology
Asymmetric (public-key) cryptography: a matched key pair in which only one key can undo what the other did
Private key kept secret and carefully protected by its holder
Public key freely distributed, normally wrapped in an X.509 certificate
In authentication, the server sends the client a fresh random challenge; the client signs (or decrypts) it with the private key and the server checks the result with the public key. Only the holder of the private key can produce a correct answer, and because each challenge is fresh a captured answer cannot be replayed later.
The private key and the password that unlocks it always stay in the user's possession; only the signed challenge crosses the network.

10 Digital Signatures (Attaching Identity to Electronic Forms and Documents)
Our computerized world still runs on handwritten signatures on paper.
Digital signatures promise to revolutionize many business processes:
–Improve assurance of electronic transactions; verify and record digital signatures
–Reduce paperwork via electronic forms
–Faster, cheaper, more traceable business processes
–A fundamental building block of Web Services
Federal digital signature information:
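The two uses of the key pair described on slides 9 and 10, challenge-response login and a detached signature over a form, as one added example that is not part of the original presentation or the PKI Lab's code. It uses Ed25519 from the Go standard library rather than the RSA-with-certificate setup of a 2005 deployment, and the user names, the server's in-memory tables and the sample form are all constructed for the illustration. The server stores only public keys and one outstanding nonce per user, so a login response can be used exactly once.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// GenerateIdentity makes a user's key pair. In the deployment on these slides the
// private key would live in a browser keystore or on a smartcard, unlocked by the
// user's password, and the public key would be wrapped in an X.509 certificate.
func GenerateIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Server holds only public keys; it never sees a private key or the password
// that unlocks one. Each outstanding challenge is remembered so it can be
// answered exactly once. (Hypothetical in-memory server for this example.)
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce for the named user to sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Respond is the client's half: sign the nonce with the private key. Only the
// signature is sent back; the key itself never leaves the client.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Verify accepts the login only if the nonce is the one outstanding for this
// user and the signature checks against the enrolled public key. A matching
// nonce is discarded whatever the outcome, so a captured response cannot be
// replayed and each challenge allows one attempt.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, known := s.users[user]
	expected, outstanding := s.challenges[user]
	if !known || !outstanding || !bytes.Equal(nonce, expected) {
		return false
	}
	delete(s.challenges, user)
	return ed25519.Verify(pub, nonce, sig)
}

// SignDocument and VerifyDocument are the digital-signature use of the same key:
// any change to the bytes, or a signature made with someone else's key, fails.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc) // Ed25519 hashes the message internally
}

func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

func main() {
	pub, priv := GenerateIdentity()
	srv := NewServer()
	srv.Enroll("alice", pub)

	nonce, _ := srv.Challenge("alice")
	sig := Respond(priv, nonce)
	fmt.Println("login:", srv.Verify("alice", nonce, sig))  // true
	fmt.Println("replay:", srv.Verify("alice", nonce, sig)) // false: nonce already consumed

	form := []byte("Financial aid form 2005: student=alice amount=5000") // constructed sample
	fsig := SignDocument(priv, form)
	fmt.Println("form:", VerifyDocument(pub, form, fsig)) // true
	form[len(form)-1] = '9'                               // alter one digit after signing
	fmt.Println("altered form:", VerifyDocument(pub, form, fsig)) // false
}
```

The replay check is the part a 2005-era deployment most often got wrong: if the server reuses a challenge, or accepts any signed value it has seen before, an attacker who captured one response can log in without the key.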

11 Inter-institutional Trust
Accepting credentials issued by a trusted collaborating institution:
–Signed forms and documents for business processes (e.g. grant applications, financial aid forms, government reports)
–Signed and encrypted messages from a colleague at another school
–Authentication to applications shared among consortiums of schools
What is trusted is the collaborating institution's CA key, deliberately installed as a trust anchor; an institution's name on a certificate proves nothing by itself.

12 Dartmouth PKI Lab
R&D to make PKI a practical component of campus networks
Multi-campus collaboration sponsored by the Mellon Foundation
Dual objectives:
–Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere)
–Improve the current state of the art: identify security issues in current products and develop solutions to the problems

13 For More Information
Outreach web: Dartmouth PKI Lab
PKI Lab information:
Dartmouth user information, getting a Dartmouth certificate:
I'll happily send copies of these slides upon request.