Presentation is loading. Please wait.

Presentation is loading. Please wait.

PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live! Web Seminar May 11, 2004.

Published byMeagan Skinner Modified over 9 years ago

Similar presentations

Presentation on theme: "PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live! Web Seminar May 11, 2004."— Presentation transcript:

1 PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live! Web Seminar May 11, 2004

2 2 Our Systems Are Under Constant Attack The numbers of vulnerabilities and attack techniques continue to mushroom We need to improve how we secure access to applications and data Don’t forget the greatest threat often comes from a disgruntled insider.

3 3 Some Attacks Succeed Spectacularly Loss of personal data Outages Potentially huge costs: –Productivity loss –Remediation –User notification –Bad publicity –Loss of credibility –Lawsuits? See “Damage Control: When Your Security Incident Hits the 6 O’Clock News” www.educause.edu/ir/library/ra/EDU0307.ram

4 4 IT Security Risks Escalate More and more important information and transactions are online: –Personal identity information –Financial transactions –Course enrollment, grades –Tests, quizzes administered online –Licensed materials –Confidential research data We must comply with increasingly strict regulations: –Health information - HIPAA –Educational records - FERPA

5 5 Spoofing email is trivial (simple setting in most email clients) –Spoofed message from professor postponing a final –Inappropriate message seemingly from College President Email is like a postcard written in pencil –Others on network can see (or even modify) contents if not encrypted (really easy on wireless!) –You may use SSL, but what about other hops between mail servers? Risk of wayward email archives Specific Example: Email

6 6 Specific Example: Student Information System Online enrollment, schedule, grades FERPA protected information Potentially available to hackers via network Q: What if someone hacks your authentication system and potentially downloads students grades? A: You are probably obligated by law to notify every individual whose grades may have been exposed!

7 7 Password Problems: User Perspective Users HATE username/passwords Too many for them to manage: –Re-use same password –Use weak (easy to remember) passwords –Rely on “remember my password” crutches Forgotten password help desk calls cost $25 - $200 each (IDC) and are far too common As we put more services online, it just gets worse…

8 8 Password Problems: Admin Perspective Many different username/password schemes to learn, set up, and administer: –Backups, password resets, revoking access, initial password values, etc. Multiple administrators have access to usernames/passwords – many points of failure

9 9 Password Sharing Corrupts value of username/password for authentication and authorization. Users do share passwords: PKI Lab survey of 171 undergraduates revealed that 75% of them shared their password and fewer than half of those changed it after sharing. We need two factor authentication to address password sharing.

10 10 Ending the Madness Traditional approaches –Single password –Single sign-on, fewer sign-ons PKI –Local password management by end user –Two factor authentication

11 11 PKI’s Answer to Password Woes Users manage their own (single or few) passwords. Cost-effective two factor authentication. Widely supported alternative for authentication to all sorts of applications (both web-based and otherwise).

12 12 PKI Passwords Are Local to Client PKI eliminates user passwords on network servers. Password to PKI credentials is local to user’s computer, smartcard, or token. User manages the password and only has one per set of credentials (likely only one or two total). No need for password synchronization. Standard PKI infrastructure. Still need process for forgotten password, but it is less likely to be forgotten (used frequently and not so many of them).

13 13 Underlying Key Technology Asymmetric encryption uses a pair of asymmetric keys, each is the only way to decrypt data encrypted by the other. One key is private and carefully protected by its holder. The other is public and freely distributed. In authentication, the server challenges the client to encrypt or decrypt something with the private key. Its ability to do so proves its identity. Private key and password always stay in the user’s possession.

14 14 PKI Provides Two Factor Authentication Requires something the user has (credentials stored in the application or a smartcard or token) in addition to something a user knows (local password for the credentials). Significant security improvement, especially with smartcard or token (a post-it next to the screen is no longer a major security hole). Reduces risk of password sharing.

15 15 PKI Benefit: Encryption Strong encryption with extensible number of bits in key. Can use same PKI digital credentials as authentication and digital signatures. More leverage of the PK Infrastructure. Encrypt data for any individual without prior exchange of information – just acquire their certificate which contains their public key.

16 16 How PKI Encryption Works Asymmetric encryption prevents need for shared secrets. Anyone encrypts with public key of recipient. Only the recipient can decrypt with their private key. Private key is secret and protected, so “bad guys” can’t read encrypted data.

17 17 PKI Benefit: Digital Signatures Our computerized world still relies heavily on handwritten signatures on paper. PKI enables digital signatures, recognized by Federal Government as legal signatures: –Reduce paperwork with electronic forms. –Much faster and more traceable business processes. –Improved assurance of electronic transactions (e.g. really know who that email was from).

18 18 How Digital Signatures Work Signer computes content digest, encrypts with their private key. Reader decrypts with signer’s public key. Reader re-computes the content digest and verifies match with original – guarantees no one has modified signed data. Only signer has private key, so no one else can spoof their digital signature.

19 19 PKI Benefit: User Convenience Fewer passwords! Consistent mechanism for authentication that users only have to learn once. (UT Houston Medical Center users now request that all network services use PKI authentication.) Same user credentials for authentication, digital signatures, and encryption – lots of payback for user’s effort to acquire and manage the credentials.

20 20 PKI Benefit: Coherent Enterprise- Wide Security Administration Centralized issuance and revocation of user credentials (goes hand in hand with identity management). Consistent identity checking when issuing certificates. Same authentication mechanism for all network services. Single process to recover from lost passwords or keys (not per application). Leverage investment in tokens or smart cards across many applications.

21 21 Interoperability With Other Institutions Allows authentication, digital signatures, and encryption using credentials issued by a trusted collaborating institution: –Signed forms and documents for business process (e.g. grant applications, financial aid forms, government reports) –Signed and encrypted email from a colleague at another school –Authentication to applications shared among schools (e.g. grid) –Peer to peer authentication for secure information sharing

22 22 Standards Based Solution Standards provide interoperability among multiple vendors and open source. Wide variety of implementations available and broad coverage of application space. Level playing field for open source and new vendors – promotes innovation and healthy competition.

23 23 PKI Enjoys Unequaled Client, Server, and Application Support Commercial and open source Windows, Macintosh, Linux, Solaris, UNIX Apache, Oracle, IIS, SSL, Web Services, Shibboleth, Browsers, email, VPN, Acrobat, MS Office, AIM, and many others Software and hardware key storage Development libraries, toolkits and applications Certificate Authority, directory, escrow, revocation, and other infrastructure tools

24 24 Momentum Outside Higher Education Industry support for PKI Federal and State governments major adopters Microsoft, Sun, Johnson and Johnson, Disney, banks heavy industry adopters Major deployment in Europe China pushing WAPI wireless authentication standard that requires PKI Web Services (e.g. SAML uses PKI signed assertions)

25 25 Federal Collaborations FBCA, HEBCA bridge projects Proof of concept NIH EDUCAUSE project to demonstrate digitally signing documents for submission to the Federal government Possible DOE, NSF, NIH applications for Higher Education?

26 26 Dartmouth PKI Lab R&D to make client side PKI a practical component of campus networks Multi-campus collaboration sponsored by the Mellon Foundation Dual objectives: –Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere). –Improve the current state of the art. Identify security issues in current products. Develop solutions to the problems.

27 27 Production PKI Applications at Dartmouth Dartmouth certificate authority –780 end users have certificates, 558 of them are students PKI authentication in production for: –Banner Student Information System –Library Electronic Journals –Tuck School of Business Portal –VPN Concentrator –Blackboard CMS –Software downloads S/MIME email (Outlook, Mozilla, Thunderbird) AOL AIM (PKI-secured sys admin communications)

28 28 “Open Source CA in a Box” Hardened open source Certificate Authority (based on OpenCA) bundle suitable for trial and simple deployment PKI Lab’s “Enforcer” TPM-hardened Linux –Controversial “TCPA” technology turned to use for good and freedom (secures Linux boot process and provides much enhanced run-time protection against hackers) Packaging for easy installation (bootable CD) Carefully chosen enhancements to OpenCA We welcome feedback on requirements, contributions, testing, etc!

29 29 Deploying PKI Client-side PKI is usually a significant undertaking and requires planning and commitment. Get buy in and support from management, legal, audit, others – a little fear in today’s cyber world is healthy. Learn from examples and experiences of others. Deploy in phases, plan for future extensibility. Choose initial applications to maximize benefits versus cost. Take a long term view - PKI ROI is excellent when leveraged broadly, but probably not as strong for individual applications. See www.dartmouth.edu/~deploypki/deploying/www.dartmouth.edu/~deploypki/deploying/

30 30 Blatant Advertisement We seek a few schools that we can assist as you deploy PKI credentials and applications for end users! An explicit part of our mission is to directly assist you in the planning/justification, implementation, and deployment phases.

31 31 For More Information www.dartmouth.edu/~deploypki Mark.J.Franklin@dartmouth.edu

Download ppt "PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live! Web Seminar May 11, 2004."

Similar presentations

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.

April 19-22, 2005SecureIT-2005 How to Start a PKI A Practical Guide Dr. Javier Torner Information Security Officer Professor of Physics.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Dartmouth PKI Deployment Case Study: What Works and Doesn’t Work (so far) Presented by: Mark Franklin Sixth Annual PKI Summit at Snowmass, Colorado August.

Dartmouth PKI Deployment Case Study: What Works and Doesn’t Work (so far) Presented by: Mark Franklin Sixth Annual PKI Summit at Snowmass, Colorado August.
Dartmouth PKI Certificate Deployment June 2004 Fed Ed Meeting.

Dartmouth PKI Certificate Deployment June 2004 Fed Ed Meeting.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
Problems With Centralized Passwords Dartmouth College PKI Lab.

Problems With Centralized Passwords Dartmouth College PKI Lab.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Copyright Statement Copyright Robert J. Brentrup and Sean W. Smith 2002. This work is the intellectual property of the authors. Permission is granted for.

Copyright Statement Copyright Robert J. Brentrup and Sean W. Smith This work is the intellectual property of the authors. Permission is granted for.
Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.

Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.

Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Similar presentations

Ads by Google