Why Users Like PKI & Directory Services William A. Weems University of Texas Health Science Center at Houston.


Middleware, such as public key infrastructure and directory services, solves “real problems” for users and IT professionals alike.

Core Middleware Services: Identifiers, Authentication, Directories, Authorization, Certificates, Public Key Infrastructure

Digital ID Having one makes life much, much easier! –Globally authenticates its owner’s identity –Allows owner to digitally sign electronic documents and software programs –Encrypt messages & documents –Single authentication mechanism for restricted resources. (No more multiple user IDs & passwords!)

Must Touch & Feel Middleware Applications To Understand Their Importance This is true both for general users and IT staff. If we had only abstractly discussed the Web and not had Mosaic & NCSA’s server, where would the web be today?

What Makes Technology Revolutionary? Herbert A. Simon, 1987

“Most Americans, after all, did not learn to drive automobiles in driver-education class. Instead, they learned to drive because there was a Model T on the farm, or maybe a tractor, and there was something or someone that had to be moved from here to there.” - Herbert A. Simon, 1987 Importance of Education By Immersion

“so they got in their cars and figured out what all those levers and pedals did, how to take the car apart and put it together again. None of this was planned ahead of time; …” Herbert A. Simon, 1987 “We educated ourselves about them because we had to, and it was easy to do because they were all around us.”

Would you be so kind as to change and restore my password. I was not able to connect via telnet from home. This is signed, if you change my pwd and send it to me encrypted, it will be safe. --Stephen

Help Desk Scenarios. User’s password times out or is forgotten. User contacts Help Desk –How does Help Desk identify the user? Signed request from user. –How is the new password securely sent to the user? Signed and encrypted e-mail containing the password.

Data Driven Services (diagram): Personnel Database, Student Information System, Resident Database, Guest Database, Certificate Authority, LDAP Directory.

3-Tier System (diagram): LDAP Directory, Web/Application Server, Oracle Database. Flow: user sends “Request Authenticated Access” to the Web/Application Server; server asks the LDAP Directory “Is Cert in LDAP?”; directory answers “Yes, Cert in LDAP”; “Data Exchange” between user and server; “Formatted Queries & Data Exchange” between server and Oracle Database.

Access Control Scenarios User wants to sponsor a guest for IT privileges. Accesses “Guest Sponsor” form on the Web. Successfully completes the authentication process. Only faculty or A&P are authorized to sponsor. If the user meets the authorization criteria, the user can sponsor.

Two Distinct Operational Concepts: Authentication –Establishes that the presenting entity is who she/he/it claims to be. Authorization –Is the authenticated entity entitled to do what is being requested?
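The 3-tier flow and the guest-sponsor scenario above, as an added example (not code from the original slides or from UTHSC-H): the web tier maps the client certificate presented during TLS to a directory entry (authentication), then checks the entry's affiliation against the sponsor rule (authorization). The directory, the certificate bytes and the attribute names are constructed stand-ins; it assumes the TLS handshake has already verified the certificate's signature and the user's possession of the private key, so the directory lookup only answers “Is Cert in LDAP?”.

```python
import hashlib

# Constructed sample "certificates": in a real deployment these would be the DER
# bytes the web/application server receives after TLS client authentication.
FACULTY_CERT = b"constructed-cert:cn=alice,o=uthsc-h"
STUDENT_CERT = b"constructed-cert:cn=bob,o=uthsc-h"
REVOKED_CERT = b"constructed-cert:cn=carol,o=uthsc-h"
UNKNOWN_CERT = b"constructed-cert:cn=mallory,o=elsewhere"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint used as the lookup key for the directory entry."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed stand-in for the LDAP directory (attribute names are assumptions):
# each entry holds the cert fingerprint, the affiliation set and a revocation flag.
DIRECTORY = {
    fingerprint(FACULTY_CERT): {"uid": "alice", "affiliation": {"faculty"}, "revoked": False},
    fingerprint(STUDENT_CERT): {"uid": "bob", "affiliation": {"student"}, "revoked": False},
    fingerprint(REVOKED_CERT): {"uid": "carol", "affiliation": {"faculty"}, "revoked": True},
}

SPONSOR_ROLES = {"faculty", "a&p"}  # only faculty or A&P may sponsor a guest


def authenticate(cert_der: bytes, directory=DIRECTORY):
    """Authentication step: 'Is Cert in LDAP?' and not revoked -> directory entry."""
    entry = directory.get(fingerprint(cert_der))
    if entry is None or entry["revoked"]:
        return None
    return entry


def authorize(entry: dict, required_roles=SPONSOR_ROLES) -> bool:
    """Authorization step: is the authenticated entity entitled to the request?"""
    return bool(entry["affiliation"] & required_roles)


def guest_sponsor_request(cert_der: bytes, directory=DIRECTORY):
    """Decision for the 'Guest Sponsor' form; authn and authz failures are distinct."""
    entry = authenticate(cert_der, directory)
    if entry is None:
        return ("denied", "authentication failed: certificate not in directory or revoked")
    if not authorize(entry):
        return ("denied", f"authorization failed: {entry['uid']} is not faculty or A&P")
    return ("allowed", f"{entry['uid']} may sponsor a guest")
```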

User ID/Password Authentication Very Risky Business Too, too many user ID/password pairs to remember. Because of the huge number of user IDs & passwords that an individual must remember, one often reuses the same user ID and password when possible. Thus, when a password used for access to multiple systems is compromised, all of those systems become vulnerable. Since everyone has this problem, people feel the situation is hopeless and don’t really consider that there may be solutions!

User ID/Password Authentication Too easy to share passwords User’s perception of the password’s importance If one feels that what is being protected is not personally important, the probability is high that one will share the password. Conversely, if a single user ID/password pair protects everything of importance to an individual, one is highly unlikely to share that password.

User ID/Password Authentication Passwords used online can easily be captured. Separate user ID/password pairs used to determine authorization rights. If different levels of authorization are determined by different user IDs and passwords, then the number of passwords that one must remember grows even more.

User ID/Password Authentication Too many individuals other than the user can alter a user’s password. This situation has many associated problems. –Does a request for a password change really come from the assigned user? –Usually requires a temporary password that a user may not reset. –Someone with administrative privileges inappropriately misuses a person’s account.

Digital IDs (i.e. certificates) Provide Strong Authentication Password known only to the “owner”. Password never transmitted on the network. Digital ID verified by a third party. Digital ID globally recognized. Multiple mechanisms for detecting a revoked digital ID. Can be a strong, two-factor authentication process.

Visions of Camelot in Cyberspace Two authentication mechanisms. –Single Net ID and password. –Digital ID (DID) The Digital ID can be used to set the password for the Net ID/password process –No one but the “owner” ever knows the Net ID password. –When the Net ID password is “aged”, say every 90 days, the user can use the DID to reset the password. The user never has to contact the help desk, and the help desk is free to do other tasks!

Lessons Learned The focus of planning should be on how PKI and directory services make life great for people in cyberspace!!! Don’t focus on underlying theory, arcane concepts and minute implementation details. If basic infrastructure is in place along with user applications, people will use it and demand more.

Lessons From the UT System PKI Initiative Even though the certificate authority infrastructure and basic policies are in place for 16 components, most institutions have done almost nothing with this infrastructure. Most IT personnel do not operationally understand the importance of middleware!!! Do not require DIDs for a single application that is almost never used.

What UTHSC-H Users are Demanding No new user ID/password challenges. Ability to sign on-line Web forms. Processes that use signed, and when appropriate, encrypted e-mail. Ability to sign and encrypt documents. Archive signed documents. DID-containing tokens for mobility.

What Is Needed To Reach Critical Mass? Develop a core group that operationally believes in & understands middleware! CA management system with basic policies. Basic operational LDAP directory service. As many “real” applications as possible! –Solutions that use signing & encryption. –Cherished resources PKI enabled for access.

When “Best” to Require Digital IDs. Issue to typical users ONLY if they have at least one frequently used application that requires a DID! The more applications the better! Best to have both “signing” & access applications!!!

“The reason that the steam engine and associated inventions proved to be revolutionary is that they did not do anything specifically. Rather they allowed us to move in innumerable directions.” “Revolutionary significance lies in generality.” Herbert A. Simon, 1987