Authentication Prereqs, Reqs, Techs ….& Seqs Keith Hazelton University of Wisconsin-Madison Internet2 MACE member.


CAMP - June 4-6, Copyright Keith Hazelton. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Authentication (AuthN)
Prerequisites
Requirements
Technologies
Sequiters

Authentication (AuthN) Prerequisites

Some key terms
Talk first about a person (you)
Attributes: specific items of information about you or associated with you.
Identity: the whole set of attributes about you.

Some key terms
Then remind you that these terms can apply as well to online resources, servers and services.
Attributes: specific items of information about X or associated with X.
Identity: the whole set of attributes about X.

Another key term
Identity credential
–Something issued to you (or to X) by an organization
–It associates you with a specific identity known to the organization

Another key term
A cautionary tale about identity credentials
–One day when I was supposed to review proposals at NSF HQ…
–I didn’t have photo ID with me (not my state issued driver’s license nor my University issued ID card)
–NSF receptionist needs to see photo ID
–SOL except for the “break the glass” emergency policy
–The program director has to come down & vouch for me
–THEN & only then do I get a nifty NSF temp ID badge that lets me go through doors magically for the rest of my visit, no questions asked
–An identity credential from one institution good for an attribute assertion (“allowed in”) from a different institution

More key terms
Authentication
–process of proving your identity by “presenting” an identity credential.
–In IT systems, often done by a login process
Authorization
–process of determining if policy permits a requested action to proceed
–Often associated with an authenticated identity, but not always and not necessarily

Hold this thought: Justifying AuthN
In the NSF story, why the fuss?
Things of value…
–Property
–People
–Information
–Services
Being protected from some threat
–Intruder destroying or stealing property, or
–…harming people, or
–…getting access to information he shouldn’t have, or
–…diverting valuable services from those who should get them

AuthN as a piece of core middleware: So what is Core Middleware?
Suite of campus-wide security, access, and information services
–Integrates data sources and manages information about people and their contact locations
–Establishes electronic identity of users
–Issues identity credentials
–Uses administrative data and management tools to assign affiliation attributes
–…and gives permission to use services based on those attributes

AuthN in context: Middlewareland (diagram)

AuthN in context: Core Middlewareland (diagram)

Prerequisites: Making the Business Case
Middleware is never a good sell as middleware
Slide it in as part of a killer app
–Positive: We can secure our application
–Negative: We’re gonna get sued if we don’t protect that data
Or, if you have an enlighten-able upper admin
–Point out it’s not fair to have first app pay for this shared good
–So the middleware infrastructure should be centrally funded
–Besides, then the institution, not the app owner, has final say

Prerequisites: Making the Business Case
Increased ability to offer tailored services while maintaining privacy and adhering to FERPA, HIPAA
–Opportunity cost
–Reduced time
–Accommodate expectations
–Fewer technology staff required to maintain additional services
Increased security
–Security-minded folks managing access
–Integrated logging function
–Access changes with role or status of role
Ease of use
–Reduced number of identity credentials and gatekeeper points

Authentication (AuthN) Requirements

AuthN Requirements
What kinds of resources do you need to protect …from what kinds of threats?
–Identity theft (identity credentials are a choice target of attack)
–Unauthorized access or use
–Denial (or corruption) of service
–Information theft
–Information destruction or corruption
–Loss of appropriate anonymity
–Loss of privacy
–…

AuthN Requirements
Draw your requirements from the need to thwart those threats to those resources
–E.g., protection of the identity credential
  Password strength
  Private key protection
Remember, you want those who should get in to get in (me!)
–Break-the-glass provisions (Dr’s in the ER w/out his hardware token)
–Watch the tradeoff between security & convenience or it’ll bite back

Authentication (AuthN) Technologies

AuthN Technologies: Choices, choices
IP addresses (what are they? Ident cred. for host? Authoriz. attribute?)
GOF un/pw identity credentials
–AuthN app compares with LDAP store at login
–Let’s agree for the duration of camp not to say “LDAP Authentication”
–…or MIT Kerberos (or MS Kerberos), keeps password off the network
Some kind of *SO (single sign-on, fewer sign-ons,…)
–Web ISO (Initial sign-on) like PubCookie, CAS, Cosign,…
–Kerberos ticket granting tickets for kerberized services
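As an added illustration (not from the slides) of the claim above that Kerberos “keeps password off the network” while a GOF un/pw login ships the password to a server that compares it against a store, the Python model below mimics the Kerberos AS exchange with timestamp pre-authentication in spirit only: PBKDF2 and HMAC stand in for Kerberos string-to-key and encryption, and the realm, principal and password are constructed sample values.

```python
import hashlib
import hmac
import os

REALM = "EXAMPLE.EDU"                       # constructed sample realm
PASSWORDS = {"khazelton": "correct horse"}  # constructed sample password store

def string_to_key(password: str, principal: str) -> bytes:
    """Derive a long-term key; Kerberos salts with realm + principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (REALM + principal).encode(), 10_000)

# The KDC stores only derived keys, never the passwords themselves.
KDC_KEYS = {p: string_to_key(pw, p) for p, pw in PASSWORDS.items()}

def gof_login(wire: dict) -> bool:
    """GOF un/pw: the server compares the transmitted password to its store."""
    return PASSWORDS.get(wire["user"]) == wire["password"]

def client_as_req(principal: str, password: str, now: int) -> dict:
    """Kerberos-style AS-REQ: prove knowledge of the key by MACing a
    timestamp (stand-in for PA-ENC-TIMESTAMP). The password stays local."""
    key = string_to_key(password, principal)
    ts = str(now).encode()
    return {"cname": principal, "timestamp": ts,
            "pa_mac": hmac.new(key, ts, "sha256").hexdigest()}

def kdc_as_rep(req: dict, now: int, skew: int = 300):
    """KDC checks pre-auth with its stored key, then returns the session key
    wrapped under that key plus its own copy (for the TGT). None = reject."""
    key = KDC_KEYS.get(req["cname"])
    if key is None or abs(now - int(req["timestamp"])) > skew:
        return None                     # unknown principal or stale timestamp
    good = hmac.new(key, req["timestamp"], "sha256").hexdigest()
    if not hmac.compare_digest(good, req["pa_mac"]):
        return None                     # wrong password: pre-auth fails
    session_key = os.urandom(16)
    pad = hmac.new(key, b"wrap" + req["timestamp"], "sha256").digest()[:16]
    rep = {"enc_session_key": bytes(a ^ b for a, b in zip(session_key, pad))}
    return rep, session_key

def client_unwrap(principal: str, password: str, req: dict, rep: dict) -> bytes:
    """Client recovers the session key with the same password-derived key."""
    key = string_to_key(password, principal)
    pad = hmac.new(key, b"wrap" + req["timestamp"], "sha256").digest()[:16]
    return bytes(a ^ b for a, b in zip(rep["enc_session_key"], pad))

def wire_reveals_password(msg: dict, password: str) -> bool:
    """What a network observer could read: does the password appear in it?"""
    return any(password in str(v) for v in msg.values())
```

The same inspection applied to both wire messages shows the password in the GOF login and only a MAC over a timestamp in the Kerberos-style request.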

AuthN Technologies: Choices, choices
PKI, oh my
–Did you want Lite, ultra-Light or Industrial Strength or…
–With the “I” you get a uniquely useful cert + private key pair
  It’s an identity credential, it’s a coder/decoder ring, it’s an unforgeable signing thingie, it’s a magic door opener

AuthN Technologies: Reqs & Techs
Make your choice by comparing requirements with the features of the various technologies
–You want to curb rampant identity theft
  Switch from GOF un/pw to Kerberos or…
  Limit the places people expect to enter the un/pw pair
  –By some form of *SO
  –…and then train them not to enter un/pw on any old screen that pops up
–You need a higher level of assurance that the identity credential was issued to the right person (me!)
  Certificate Authorities put in each cert an indication of how much reliance you dare put in the asserted identity

AuthN Technologies: Reqs & Techs
Make your choice by comparing requirements with the features of the various technologies
–You need to integrate that great new Portal engine or ERP system the CIO just bought with your AuthN service
–You want to run a job that spawns other jobs or calls additional protected services on your behalf
  Forwardable Kerberos tickets
  If you’re using the Grid ® then you use “Proxy certificates” based on (but extending) the X.509v3 standard
  Watch out for that nth tier!
–You are told to roll out Network layer AuthN
–You are told to roll out Wireless AuthN

Authentication (AuthN) Sequiters

Authentication (AuthN) Sequiters
Going over the walls: inter-realm authN
We’ve been talking about local credentials and local resources
What if
–The resources or services you want to make available are provided by (gulp) an outsider
–You want to make your resources available to people you haven’t seen before, let alone issued identity credentials to
–You want to import or export additional attributes (bits of identity) from/to other institutions/organizations and be confident that those bits of info get added to the right set of other bits.
Then you need Federated Identity Management!!!

Inter-realm AuthN
Federated Identity Management is where you and another organization agree to trust the identity credentials and/or identity information provided by the opposite party.
Remember, AuthN is first and foremost a stepping stone to Authorization (AuthZ)
Technologies (details later, campers)
–Shibboleth (AutheNticate locally, access resources globally)
–Liberty Alliance (pull together, under user control, subsets of identity information from multiple organizations to build an identity that will entitle you to use a desired service/resource)
–Passport

Inter-realm AuthN
The trick is matching Org A identity with the corresponding Org B identity (it’s me, really!)
And agreeing to trust each other just enough to do business
…or put another way, agreeing to accept a given level of risk that some security goal might be compromised by doing business this way

Q & A
What’s the next step in AuthN for your campus?
What technology do you really need to know more about?
What would you like to see on an AuthN Roadmap to help you & your institution?