Internet2 Base CAMP Topics in Middleware: Authentication

Introduction  Background  Authentication Defined  Authentication Methods  Password Discussion  Positioning for Single Sign On at MTU

Authentication Defined  Authentic –Conforming to fact and therefore worthy of trust, reliance, or belief –Having a claimed and verifiable origin or authorship; not counterfeit or copied  Authenticate –To establish the authenticity of; prove genuine  Authentication –The verification of the identity of a person or process. In a communication system, authentication verifies that messages really come from their stated source, like the signature on a (paper) letter or a check

Authentication Methods  Challenge-Response  Biometrics  Public Key Infrastructure (PKI)/Digital Certificates  Kerberos  Userid/Password Pairs

Passwords (Cons)  Passwords are “crackable”  Frequently sent over the network in the clear  Too many promote “sticky note” storage

Passwords (Pros)  User friendly –People get the concept (like an ATM pin #) –Technology tends to get in the way with PKI and S/Key  Easy to manage  Supported across platforms

Password Security  Require a minimum password length –“Wider is better”  Require non-alphanumeric text –Increases your password alphabet –Passwords more difficult to crack  Attempt to crack passwords –During password change –Constantly, for all users  Maintain a password history –Attempts to regulate password reuse –Easily circumventable –Creates a list of users passwords (bad)

Password Security Continued  Implement an account lockout mechanism –Attempts to keep real time crackers at bay –Introduces a possible DoS for users  Implement “shared secrets” –Reduces administrative involvement in password resets –Useful in distance education situations  Use photo identification –Online and/or on an ID card

Password Security Continued  Develop a password expiration policy –No password expiration –Passwords expire at regular intervals  Never store a password as plain text –One-way crypt algorithms for password files –Symmetric ciphers for scripts  Maintain audit logs –Useful in tracking violators –Watch out for privacy issues –Watch out for cancerous growth

Password Security Continued  Develop procedures/policies for proper use of privileged accounts –Never send unencrypted –No “sticky note” storage

Positioning for Single Sign On What Michigan Tech Is Doing  Introducing LDAP –Unique userid registry –Unique Identifier –White Pages Non critical system All the person entries in one place

Positioning for Single Sign On Continued  Web Single Sign On –No account information required UUID SID Login Shell Home Directory –No clear text transmission of password –Easy for others to implement –Easy to demonstrate –Reduced Sign On –Pubcookie/WebISO –SAML (Security Assertion Markup Language)

Web Authentication at MTU Authenticate Issue cookie/credential Client Web Application Not Logged In Web authN service

Positioning for Single Sign On Continued  Single Password Issues –Cross platform Difficult to synchronize across platforms –Catch 22 issues Reset password notification –Application issues AuthN capabilities

Positioning for Single Sign On Continued  Central Authentication System Issues –Network issues Availability Load –Central storage issues Reliability Disk Space –Account management issues Who owns which users? Who can change account information?

Positioning for Single Sign On Continued  Reduced account management –No password files / NIS –Delegated administration  Enforceable secure protocols  Standard authN across campus and off campus

Sources  Identifiers, Authentication, and Directories: Best Practices for Higher Education. practices-00.html  The Free On-line Dictionary of Computing, © Denis Howe  The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2000 by Houghton Mifflin Company. Published by Houghton Mifflin Company. All rights reserved.