Why PKI (Scott Rea) Boulder CO November 15, 2007.

2 Identity Theft Is On the Rise
Identity theft is the fastest growing crime in America:
–8.9 million victims in past year
–900,000 new victims each year
–Cost to businesses more than $50 billion
–Cost per incident to consumer $6,383
Source: 2006 Javelin Survey

3 Campuses Are A Prime Target
Dramatic increase in identity theft:
–In 2004, only seven cases of identity theft were reported in higher education.
–In 2005, this number leapt to 64 – an 89% increase over the previous year.
–In 2006, this number is expected to increase yet again.
NY Times Dec 18, 2006: “…educational institutions have particularly acute problem when it comes to nation's leaky data issue; study by Public Policy Institute for AARP last July, using data compiled by Identity Theft Resource Center, determined that of 90 million records reportedly compromised in various breaches between Jan 1, 2005, and May 26, 2006, 43 percent were at educational institutions.”
Most data is accessed from stolen computers and laptops or by hackers capturing data on unprotected networks.

4 Beware the Hackers and Thieves
University of Minnesota:
–In August, two computers containing information on more than 13,000 students were stolen from an employee’s desk.
Western Illinois University:
–Hackers retrieved names, addresses, credit card numbers and Social Security numbers on nearly 180,000 users.
University of California, Los Angeles:
–In December, hackers infiltrated a database containing the personal information on 800,000 people, in one of the worst computer breaches ever at a U.S. university.

5 Beware the Hackers and Thieves
Dartmouth College:
–July 2004 Security Incident
–Potential 17,000 Dartmouth affiliates affected
–HR staff keeping unencrypted personal data on servers that anyone with a password could access
–8 servers impacted
–FBI investigated with assistance from student security researchers in Prof. Sean Smith’s Computer Science group
–Network vulnerability assessments on a regular basis were recommended
–eTokens now deployed as mandatory requirement for HE staff who require access to this data

6 Students Frequently Victimized
1 in 3 victims is under 30 years old.
Common risks:
–Compromise of passwords protecting sensitive data: stolen laptops, weak or no passwords on sensitive data, or no encryption on data/passwords traversing networks
–Dormitory burglaries
–Driver’s license/student ID theft
–Credit card offers: 30% of students throw these out without destroying them.
–Social Security numbers: 48% of students have had grades posted by Social Security number

7 Sensitive Data
Greater access levels to sensitive or personally identifying information than ever before.
How do we protect against ignorant or lazy users or poorly designed applications?
How do we meet legislative requirements to contain and protect sensitive data?
–FERPA
–HIPAA
–CALEA
How can we be sure who is accessing the data?

8 How Do We Protect Our Students/Staff/Faculty
While debate continues on what type of technology is best suited to prevent identity theft, many experts believe that a combination of PKI infrastructure and two-factor authentication offers the greatest promise of protection.
Source: Financial Services Technology, Preventing Identity Theft

9 Authentication Factors
Three Factors of Authentication:
–Something you know, e.g. password, secret, URI, graphic
–Something you have, e.g. key, token, smartcard, badge
–Something you are, e.g. fingerprint, iris scan, face scan, signature

10 Authentication Factors
Single Factor of Authentication is most common
–Passwords (something you know) are the most common single factor
At least Two Factor Authentication is recommended for securing important assets
–e.g. ATM card + PIN (have + know)
2 x Single Factor Authentication ≠ Two Factor Authentication
–e.g. Password + Graphic is NOT equivalent to Smartcard + PIN (although it may be better than a single instance of One Factor Authentication)
Without Two Factor Authentication, some secure communications may be vulnerable to disclosure
–Especially in wireless networks

Problems With Centralized Passwords…

12 Managing the Multitude: User Perspective
Users HATE username/passwords
Too many for them to manage:
–Re-use same password
–Use weak (easy to remember) passwords
–Rely on “remember my password” crutches
Forgotten password help desk calls cost $25 - $200 (IDC) and are far too common
As we put more services online, it just gets worse…

13 Managing the Multitude: Admin Perspective
Many different username/password schemes to learn, set up, and administer:
–Backups, password resets, revoking access, initial password values, etc.
Multiple administrators have access to usernames/passwords – many points of failure

14 Ending the Madness
Traditional approaches
–Single password
–Single sign-on, fewer sign-ons
PKI
–Local password management by end user
–Two factor authentication

15 Single Password
Users like it, but…
Requires synchronizing passwords (inherently problematic) – actually makes admin madness worse!
Single username/password becomes single point of failure… Hack weakest application and get passwords to all applications!
Costly to maintain and difficult to make work well.

16 All Your Eggs in One Basket
Traditional username/password authentication requires access to passwords database from network servers or authentication server:
–Bad guys have network access, can use this to crack individual accounts or worse, get many or all passwords in one grand hack. How would you like to have to notify thousands of users to satisfy FERPA requirements when their accounts are breached? This has happened!
–Multiple (possibly many) system administrators have access to user passwords.
Traditional Single Sign-on or Fewer Sign-on means once a username/password is compromised, access to multiple services is compromised.

17 Password Sharing
Corrupts value of username/password for authentication and authorization.
Users do share passwords: PKI Lab survey of 171 undergraduates revealed that 75% of them shared their password and fewer than half of those changed it after sharing.
We need two factor authentication to address password sharing.

18 Password Authentication
General issues with Authentication using Password technology
–Passwords easily shared with others (in violation of access policy)
–Easily captured over a network if no encrypted channel used
–Vulnerable to dictionary attacks even if encrypted channels are used
–Weak passwords can be guessed or brute forced offline
–Vulnerable to keyboard sniffing/logging attacks on public or compromised systems
–Cannot provide non-repudiation since they generally require that the user be enrolled at the service provider, and so the service provider also knows the user's password
–Vulnerable to Social Engineering attacks
–Single factor of Authentication only

19 Password Authentication
Definition of a Weak Password
–The password contains less than eight characters
–The password is a word found in a dictionary (English or foreign)
–The password is a common usage word such as:
Names of family, pets, friends, co-workers, fantasy characters, etc.
Computer terms and names, commands, sites, companies, hardware, software.
Words using the company name or any derivation.
Birthdays and other personal information such as addresses and phone numbers.
Word or number patterns like aaabbb, qwerty, zyxwvuts, etc.
Any of the above spelled backwards.
Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

20 Password Authentication
Definition of a Strong Password
–Contain both upper and lower case characters (e.g., a-z, A-Z)
–Have digits and punctuation characters as well as letters (e.g., 0-9, …)
–Are greater than eight alphanumeric characters long.
–Are not a word in any language, slang, dialect, jargon, etc.
–Are not based on personal information, names of family, etc.
–Passwords should never be written down or stored on-line without encryption protection.

21 Password Authentication
Specific issues with Authentication using Password technology
–Too many passwords to remember if requiring a different one for each application
Leads to users writing them down and not storing them securely
Leads to use of insecure or weak passwords (more secure ones are generally harder to remember)
Leads to higher helpdesk costs due to resetting of forgotten passwords.
Leads to re-use of passwords outside institutions’ domain where protection mechanisms may be much lower

22 Password Authentication
Specific issues with Authentication using Password technology
–Potential single point of failure for multiple applications if same password used
Strong passwords not consistently supported in all applications
Weak passwords lead to widespread compromises
Passwords not consistently protected for all applications
Password expiration not synchronized across applications
Limited character set for input
No control over use of passwords outside Dartmouth’s domain
Offline attacks against passwords may be possible

23 PKI’s Answer to Password Woes
Users manage their own (single or few) passwords.
Two factor authentication.
Widely supported alternative for authentication to all sorts of applications (both web-based and otherwise).

24 PKI Passwords Are Local to Client
PKI can eliminate user passwords on network servers.
Passwords to PKI credentials are local, in the application key store or in a hardware token.
User manages the password and only has one per set of credentials (likely only one or two).
Still need a process for forgotten passwords, but it is only one for all applications using PKI authentication, and users are much less likely to forget it since they use it frequently and control it themselves.

25 Single Sign-on, Fewer Sign-ons
More secure & provides some relief for users, but…
Requires infrastructure (e.g. WebISO or Kerberos sidecar).
Fewer sign-ons still has synchronization problems.
Single sign-on solutions are for web applications only.
Kerberos sidecar has problems with address translation and firewalls and is not widely supported.

26 PKI Enables Single Password and Single Sign-on
User maintains password on their credentials.
PKI credentials authenticate user to the various services they use via PKI standards.
No need for password synchronization.
No additional infrastructure other than standard PKI and simple, standard hooks for PKI authentication in applications.
Typically less effort to enable PKI authentication than other SSO methods.

27 PKI Facilitates Two Factor Authentication
Requires something the user has (credentials stored in the application or a smartcard or token) in addition to something a user knows (local password for the credentials).
Significant security improvement, especially with smartcard or token (a post-it next to the screen is no longer a major security hole).
Reduces risk of password sharing.

28 The PKI Solution
Solution to Password vulnerabilities - Public Key Infrastructure (PKI)
–PKI consists of a key pair – 1 public, stored in a certificate, 1 private, stored in a protected file or smartcard
–Allows exchange of session secrets in a protected (encrypted) manner without disclosing private key
–PKI lets users authenticate without giving their passwords away to the service that needs to authenticate them
Dartmouth’s own password-hunting experiences, written up in EDUCAUSE Quarterly, show that users happily type their user ID and password into any reasonable-looking web site, because so many of them require it already. PKI is a very effective measure against phishing.

29 PKI Solution
Solution to Password vulnerabilities - Public Key Infrastructure (PKI)
–PKI lets users directly authenticate across domains
Researchers can collaborate more easily
Students can easily access materials from other institutions, providing broader educational opportunities
–PKI allows decentralized handling of authorization
Students on a project can get access to a web site or some other resource because Prof Smith delegated it to them
PKI simplifies this process – no need for a centralized bureaucracy, lowers overheads associated with research
–Private key is never sent across the wire so cannot be compromised by sniffing
–Not vulnerable to dictionary attacks
–Brute force is not practical for given key lengths
–Facilitates encryption of sensitive data to protect it even if a data stream or source is captured by a malicious entity
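Slides 24, 27, 28 and 29 make four claims that one short exchange can demonstrate together: the service holds only the public half of the key pair, the password that unlocks the private half stays on the client, the private key never crosses the wire, and the service needs no user password that could be phished or cracked. The Go program below is an added example, not code from the presentation or from the Dartmouth PKI Lab. It assumes a plain nonce-signing exchange with Ed25519 in place of the certificate-based TLS client authentication the slides have in mind, and it wraps the private key under the local password with a deliberately simplified key derivation (a single SHA-256; a real key store or token uses a slow KDF such as PBKDF2 or scrypt, or keeps the key in hardware).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Verifier is the service side of the exchange. It holds only the user's public
// key (in a real deployment, taken from the certificate) and no secret at all,
// so a breach of the service yields nothing that can be replayed as the user.
type Verifier struct {
	Pub ed25519.PublicKey
}

// Challenge issues a fresh random nonce for the client to sign.
func (v Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify accepts only a signature over this exact nonce, so a response
// captured from an earlier session fails when presented again.
func (v Verifier) Verify(nonce, response []byte) bool {
	return ed25519.Verify(v.Pub, nonce, response)
}

// KeyStore is the client side: the private key wrapped under the local password
// (the "something you know"). Possession of the store is the "something you have".
type KeyStore struct {
	salt    []byte
	wrapped []byte // AES-GCM IV followed by the encrypted private key
}

// wrappingKey derives the AES key from the local password. Simplified on
// purpose: a real key store uses a slow, memory-hard KDF here.
func wrappingKey(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll generates the key pair, wraps the private half under the local
// password, and hands the public half to the service. The password itself
// never reaches the service.
func Enroll(password string) (KeyStore, Verifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return KeyStore{}, Verifier{}, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return KeyStore{}, Verifier{}, err
	}
	gcm, err := newGCM(wrappingKey(salt, password))
	if err != nil {
		return KeyStore{}, Verifier{}, err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return KeyStore{}, Verifier{}, err
	}
	wrapped := gcm.Seal(iv, iv, priv, nil)
	return KeyStore{salt: salt, wrapped: wrapped}, Verifier{Pub: pub}, nil
}

// Respond unlocks the private key with the local password and signs the
// challenge. The key is used only inside this function; only the signature
// goes back over the wire.
func Respond(ks KeyStore, password string, nonce []byte) ([]byte, error) {
	gcm, err := newGCM(wrappingKey(ks.salt, password))
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ks.wrapped) < n {
		return nil, errors.New("corrupt key store")
	}
	priv, err := gcm.Open(nil, ks.wrapped[:n], ks.wrapped[n:], nil)
	if err != nil {
		return nil, errors.New("wrong local password or tampered key store")
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), nonce), nil
}

// Authenticate runs one complete exchange: challenge, response, verification.
func Authenticate(ks KeyStore, password string, v Verifier) (bool, error) {
	nonce, err := v.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := Respond(ks, password, nonce)
	if err != nil {
		return false, err
	}
	return v.Verify(nonce, sig), nil
}

func main() {
	ks, v, err := Enroll("local-token-PIN")
	if err != nil {
		panic(err)
	}
	ok, err := Authenticate(ks, "local-token-PIN", v)
	fmt.Println("correct local password:", ok, err)
	ok, err = Authenticate(ks, "guessed-PIN", v)
	fmt.Println("wrong local password:  ", ok, err)
}
```

A wrong local password fails on the client before anything is sent, so the service never sees failed password guesses and has nothing to rate-limit or leak; a captured response is useless against the next challenge; and a different user's key, even over the same nonce, is rejected because the service compares against the enrolled public key alone.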

30 PKI Solution
Solution to Password vulnerabilities - Public Key Infrastructure (PKI)
–1024-bit keys are better than 128 character passwords (they are not subject to a limited character input set)
This is far stronger than our current Blitzmail or DND password based authentication
As one researcher said recently “the Sun will burn out before we break these”
Quote from Prof Smith: “In the long run: user authentication and authorization in the broader information infrastructure is a widely recognized grand challenge. The best bet will likely be some combination of PKI and user tokens.”
–Failing to look ahead in our IT choices means failing in our research and educational mission.

31 Additional PKI Benefits
Additional drivers for PKI in Higher Education (besides stronger authentication):
–Better protection of digital assets from disclosure, theft, tampering, and destruction
–More efficient workflow in distributed environments
–Greater ability to collaborate and reliably communicate with colleagues and peers
–Greater access (and more efficient access) to external resources
–Facilitation of research funding opportunities
–Compliance

32 Additional PKI Benefits
Applications that utilize PKI in Higher Education
–Secure Wireless
–S/MIME
–Paperless Office workflow (Documentum)
–Encrypted File Systems (protecting mobile data assets)
–Strong SSO
–Shibboleth/Federations
–GRID Computing Enabled for Federations
–E-grants facilitation

33 Summary
Identity theft is the fastest growing crime in the US; Institutions of Higher Education are a prime target - 43% of this activity results from Campus compromises
–There has been an exponential increase in the number of reported cases each year
–UCLA recently had the worst computer breach ever at a US university (800,000 people impacted) in December 2006
–Dartmouth has already had a security breach (17,000 people impacted in 2004)
Protecting sensitive data with passwords is no longer sufficient – Two Factor Authentication is recommended
–Passwords by nature are vulnerable to many different easily replicable attacks
–No consistency in policy and implementation, allowing exploits for weak, reused, unmonitored passwords
Applications now have better support for PKI, making it very usable for everyday users as vendors recognize the importance of this technology to securing digital assets
PKI facilitates a broader range of educational opportunities through decentralized authorization and cross-domain authentication with Federated identities
The PKI solution provides a number of promising additional benefits - not just the required stronger authentication

34 For More Information
Dartmouth PKI Outreach:
Dartmouth PKI Lab:
Scott Rea -