Authentication Prereqs, Reqs, Techs ….& Seqs Keith Hazelton University of Wisconsin-Madison Internet2 MACE member.

1 Authentication Prereqs, Reqs, Techs ….& Seqs Keith Hazelton University of Wisconsin-Madison Internet2 MACE member

2 CAMP - June 4-6, 2003
Copyright Keith Hazelton 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3 Authentication (AuthN)
– Prerequisites
– Requirements
– Technologies
– Sequiters

4 Authentication (AuthN) Prerequisites

5 Some key terms
Talk first about a person (you)
– Attributes: specific items of information about you or associated with you.
– Identity: the whole set of attributes about you

6 Some key terms
Then remind you that these terms can apply as well to online resources, servers and services
– Attributes: specific items of information about X or associated with X.
– Identity: the whole set of attributes about X

7 Another key term
Identity credential
– Something issued to you (or to X) by an organization
– It associates you with a specific identity known to the organization

8 Another key term
A cautionary tale about identity credentials
– One day when I was supposed to review proposals at NSF HQ…
– I didn’t have photo ID with me (not my state issued driver’s license nor my University issued ID card)
– NSF receptionist needs to see photo ID
– SOL except for the “break the glass” emergency policy
– The program director has to come down & vouch for me
– THEN & only then do I get a nifty NSF temp ID badge that lets me go through doors magically for the rest of my visit, no questions asked
– An identity credential from one institution good for an attribute assertion (“allowed in”) from a different institution

9 More key terms
Authentication
– process of proving your identity by “presenting” an identity credential.
– In IT systems, often done by a login process
Authorization
– process of determining if policy permits a requested action to proceed
– Often associated with an authenticated identity, but not always and not necessarily

10 Hold this thought: Justifying AuthN
In the NSF story, why the fuss?
Things of value…
– Property
– People
– Information
– Services
Being protected from some threat
– Intruder destroying or stealing property, or
– …harming people, or
– …getting access to information he shouldn’t have, or
– …diverting valuable services from those who should get them

11 AuthN as a piece of core middleware: So what is Core Middleware?
Suite of campus-wide security, access, and information services
– Integrates data sources and manages information about people and their contact locations
– Establishes electronic identity of users
– Issues identity credentials
– Uses administrative data and management tools to assign affiliation attributes
– …and gives permission to use services based on those attributes

12 AuthN in context: Middlewareland

13 AuthN in context: Core Middlewareland

16 Prerequisites: Making the Business Case
Middleware is never a good sell as middleware
Slide it in as part of a killer app
– Positive: We can secure our email application
– Negative: We’re gonna get sued if we don’t protect that data
Or, if you have an enlighten-able upper admin
– Point out it’s not fair to have first app pay for this shared good
– So the middleware infrastructure should be centrally funded
– Besides, then the institution, not the app owner, has final say

17 Prerequisites: Making the Business Case
Increased ability to offer tailored services while maintaining privacy and adhering to FERPA, HIPAA
– Opportunity cost
– Reduced time
– Accommodate expectations
– Fewer technology staff required to maintain additional services
Increased security
– Security-minded folks managing access
– Integrated logging function
– Access changes with role or status of role
Ease of use
– Reduced number of identity credentials and gatekeeper points

18 Authentication (AuthN) Requirements

19 AuthN Requirements
What kinds of resources do you need to protect …from what kinds of threats?
– Identity theft (identity credentials are a choice target of attack)
– Unauthorized access or use
– Denial (or corruption) of service
– Information theft
– Information destruction or corruption
– Loss of appropriate anonymity
– Loss of privacy
– …

20 AuthN Requirements
Draw your requirements from the need to thwart those threats to those resources
– E.g., protection of the identity credential
  Password strength
  Private key protection
Remember, you want those who should get in to get in (me!)
– Break-the-glass provisions (Dr’s in the ER w/out his hardware token)
– Watch the tradeoff between security & convenience or it’ll bite back

21 Authentication (AuthN) Technologies

22 AuthN Technologies: Choices, choices
IP addresses (what are they? Ident. cred. for host? Authoriz. attribute?)
GOF un/pw identity credentials
– AuthN app compares with LDAP store at login
– Let’s agree for the duration of camp not to say “LDAP Authentication”
– …or MIT Kerberos (or MS Kerberos), keeps password off the network
Some kind of *SO (single sign-on, fewer sign-ons,…)
– Web ISO (Initial sign-on) like PubCookie, CAS, Cosign,…
– Kerberos ticket granting tickets for kerberized services

23 AuthN Technologies: Choices, choices
PKI, oh my
– Did you want Lite, ultra-Light or Industrial Strength or…
– With the “I” you get a uniquely useful cert + private key pair
It’s an identity credential, it’s a coder/decoder ring, it’s an unforgeable signing thingie, it’s a magic door opener

24 AuthN Technologies: Reqs & Techs
Make your choice by comparing requirements with the features of the various technologies
– You want to curb rampant identity theft
  Switch from GOF un/pw to Kerberos or…
  Limit the places people expect to enter the un/pw pair
  – By some form of *SO
  …and then train them not to enter un/pw on any old screen that pops up
– You need a higher level of assurance that the identity credential was issued to the right person (me!)
  Certificate Authorities put in each cert an indication of how much reliance you dare put in the asserted identity
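An added illustration of the contrast drawn on this slide and on slide 22 (not code from the presentation): a constructed Python sketch of a GOF un/pw login, where the password itself travels to the AuthN app to be compared against the store, beside a Kerberos-style proof of possession that keeps the password off the network. The challenge-response below is a deliberate simplification of the real Kerberos AS exchange; the user name, password and salt are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption: one campus user with one password).
USERS = {"campuser": "correct horse battery staple"}
SALT = b"constructed-realm-salt"   # a real deployment salts per principal/realm
ITERATIONS = 100_000

def derive_key(password: str) -> bytes:
    """Client and server both turn the password into a long-term key.
    Stands in for Kerberos string2key; PBKDF2 is used only because it is in the stdlib."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)

# The directory/KDC side keeps only derived keys, never plaintext passwords.
KEY_STORE = {user: derive_key(pw) for user, pw in USERS.items()}

def gof_login(user: str, password: str, wire: list) -> bool:
    """GOF un/pw: the password crosses the network and the AuthN app compares it
    against the store. Every message appended to `wire` is what a sniffer on
    the path would see."""
    wire.append({"user": user, "password": password})
    stored = KEY_STORE.get(user, b"\x00" * 32)
    return hmac.compare_digest(derive_key(password), stored)

def challenge_login(user: str, password: str, wire: list) -> bool:
    """Kerberos-style idea, heavily simplified: the client proves it knows the
    key derived from the password without ever sending the password."""
    wire.append({"user": user})                        # 1. who is asking
    nonce = secrets.token_bytes(16)                    # 2. fresh server challenge
    wire.append({"nonce": nonce.hex()})
    proof = hmac.new(derive_key(password), nonce, "sha256").digest()
    wire.append({"proof": proof.hex()})                # 3. keyed answer, not the secret
    stored = KEY_STORE.get(user, b"\x00" * 32)         # 4. server recomputes, compares
    expected = hmac.new(stored, nonce, "sha256").digest()
    return hmac.compare_digest(proof, expected)

def password_on_wire(wire: list, password: str) -> bool:
    """Audit helper: did the plaintext password appear in any captured message?"""
    return any(password in str(msg) for msg in wire)

if __name__ == "__main__":
    pw = USERS["campuser"]
    captured = []
    print("GOF ok:", gof_login("campuser", pw, captured),
          "password seen:", password_on_wire(captured, pw))
    captured = []
    print("challenge ok:", challenge_login("campuser", pw, captured),
          "password seen:", password_on_wire(captured, pw))
```

Because the nonce is fresh on every run, a captured proof is not reusable later, which is the property the slide is after when it says Kerberos "keeps password off the network".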

25 AuthN Technologies: Reqs & Techs
Make your choice by comparing requirements with the features of the various technologies
– You need to integrate that great new Portal engine or ERP system the CIO just bought with your AuthN service
– You want to run a job that spawns other jobs or calls additional protected services on your behalf
  Forwardable Kerberos tickets
  If you’re using the Grid® then you use “Proxy certificates” based on (but extending) the X.509v3 standard
  Watch out for that nth tier!
– You are told to roll out Network layer AuthN
– You are told to roll out Wireless AuthN

26 Authentication (AuthN) Sequiters

27 Authentication (AuthN) Sequiters
Going over the walls: inter-realm authN
We’ve been talking about local credentials and local resources
What if
– The resources or services you want to make available are provided by (gulp) an outsider
– You want to make your resources available to people you haven’t seen before, let alone issued identity credentials to
– You want to import or export additional attributes (bits of identity) from/to other institutions/organizations and be confident that those bits of info get added to the right set of other bits.
Then you need Federated Identity Management!!!

28 Inter-realm AuthN
Federated Identity Management is where you and another organization agree to trust the identity credentials and/or identity information provided by the opposite party.
Remember, AuthN is first and foremost a stepping stone to Authorization (AuthZ)
Technologies (details later, campers)
– Shibboleth (AutheNticate locally, access resources globally)
– Liberty Alliance (pull together (under user control) subsets of identity information from multiple organizations to build an identity that will entitle you to use a desired service/resource)
– Passport

29 Inter-realm AuthN
The trick is matching Org A identity with the corresponding Org B identity (it’s me, really!)
And agreeing to trust each other just enough to do business
…or put another way, agreeing to accept a given level of risk that some security goal might be compromised by doing business this way

30 Q & A
What’s the next step in AuthN for your campus?
What technology do you really need to know more about?
What would you like to see on an AuthN Roadmap to help you & your institution?
