Internet2 Base CAMP Topics in Middleware: Authentication.


1 Internet2 Base CAMP Topics in Middleware: Authentication

2 Introduction
  Background
  Authentication Defined
  Authentication Methods
  Password Discussion
  Positioning for Single Sign On at MTU

3 Authentication Defined
  Authentic
   – Conforming to fact and therefore worthy of trust, reliance, or belief
   – Having a claimed and verifiable origin or authorship; not counterfeit or copied
  Authenticate
   – To establish the authenticity of; prove genuine
  Authentication
   – The verification of the identity of a person or process. In a communication system, authentication verifies that messages really come from their stated source, like the signature on a (paper) letter or a check

4 Authentication Methods
  Challenge-Response
  Biometrics
  Public Key Infrastructure (PKI)/Digital Certificates
  Kerberos
  Userid/Password Pairs

5 Passwords (Cons)
  Passwords are “crackable”
  Frequently sent over the network in the clear
  Too many promote “sticky note” storage

6 Passwords (Pros)
  User friendly
   – People get the concept (like an ATM PIN)
   – Technology tends to get in the way with PKI and S/Key
  Easy to manage
  Supported across platforms

7 Password Security
  Require a minimum password length
   – “Wider is better”
  Require non-alphanumeric text
   – Increases your password alphabet
   – Passwords more difficult to crack
  Attempt to crack passwords
   – During password change
   – Constantly, for all users
  Maintain a password history
   – Attempts to regulate password reuse
   – Easily circumventable
   – Creates a list of users' passwords (bad)

8 Password Security Continued
  Implement an account lockout mechanism
   – Attempts to keep real-time crackers at bay
   – Introduces a possible DoS for users
  Implement “shared secrets”
   – Reduces administrative involvement in password resets
   – Useful in distance education situations
  Use photo identification
   – Online and/or on an ID card
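Slide 8 names the trade-off of a lockout mechanism: it stops online guessing, but anyone who knows a userid can trigger it. The following is an added example, not code from the presentation or from Michigan Tech, showing one way to keep that trade-off bounded: a per-account failure counter over a sliding window, a lock that expires on its own rather than waiting for an administrator, and an audit trail that records events without credentials. The thresholds (MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS) and the account name are constructed values for the demonstration.

```python
import time
from collections import defaultdict

# Constructed policy values for the demonstration (not taken from the slides).
MAX_FAILURES = 5        # failed attempts tolerated inside the window
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long an account stays locked before it unlocks itself


class LockoutTracker:
    """Per-account failed-login counter with a self-expiring lock.

    The clock is injectable so the behaviour can be exercised without waiting.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)   # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time at which the lock expires
        self.audit = []                     # (time, account, event) entries

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:           # the lock has expired: clear it
            del self.locked_until[account]
            self.failures[account].clear()
            self._log(account, "unlocked")
            return False
        return True

    def record_failure(self, account):
        """Record a failed attempt; return True if the account just became locked."""
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[account] = recent
        self._log(account, "failure")
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self._log(account, "locked")
            return True
        return False

    def record_success(self, account):
        self.failures[account].clear()
        self._log(account, "success")

    def _log(self, account, event):
        # Audit entries hold the account and the event only, never a password.
        self.audit.append((self.clock(), account, event))


def attempt_login(tracker, account, password_ok):
    """Outcome of one login attempt: 'locked', 'ok' or 'denied'."""
    if tracker.is_locked(account):
        return "locked"
    if password_ok:
        tracker.record_success(account)
        return "ok"
    tracker.record_failure(account)
    return "denied"


def simulate():
    """Constructed walk-through: a run of wrong guesses locks the account, the
    legitimate user is turned away while the lock lasts, and the lock then expires."""
    clock = [0]
    tracker = LockoutTracker(clock=lambda: clock[0])
    outcomes = []
    for _ in range(MAX_FAILURES):             # wrong guesses against a known userid
        outcomes.append(attempt_login(tracker, "alice", password_ok=False))
        clock[0] += 1
    outcomes.append(attempt_login(tracker, "alice", password_ok=True))   # owner, right password
    clock[0] += LOCKOUT_SECONDS                                          # lock expires on its own
    outcomes.append(attempt_login(tracker, "alice", password_ok=True))
    return outcomes
```

The self-expiring lock is what keeps the DoS the slide warns about temporary: the account owner is inconvenienced for LOCKOUT_SECONDS, not until a help desk intervenes, and the audit list shows who was locked and when.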

9 Password Security Continued
  Develop a password expiration policy
   – No password expiration
   – Passwords expire at regular intervals
  Never store a password as plain text
   – One-way crypt algorithms for password files
   – Symmetric ciphers for scripts
  Maintain audit logs
   – Useful in tracking violators
   – Watch out for privacy issues
   – Watch out for unchecked log growth
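Slides 7 and 9 together describe a password store: enforce length and a non-alphanumeric character, keep a history to limit reuse, and never keep the password itself. The following is an added example, not code from the presentation or from Michigan Tech, that implements those points with a salted one-way function (PBKDF2-HMAC-SHA256 from Python's standard library) and keeps the history as hashes rather than as the list of plaintext passwords slide 7 warns against. MIN_LENGTH, PBKDF2_ROUNDS, HISTORY_DEPTH and the sample passwords are constructed values.

```python
import hashlib
import hmac
import os
import string

# Constructed policy values for the demonstration (not taken from the slides).
MIN_LENGTH = 12          # "wider is better"
PBKDF2_ROUNDS = 100_000  # work factor of the one-way function
HISTORY_DEPTH = 5        # how many previous hashes are kept to block reuse


def check_policy(password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no non-alphanumeric character")
    return problems


def hash_password(password, salt=None):
    """One-way transform: random salt + PBKDF2-HMAC-SHA256, stored as one string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class PasswordStore:
    """Holds only salted hashes: the current one and a short history per account."""

    def __init__(self):
        self.current = {}   # account -> stored hash string
        self.history = {}   # account -> list of earlier stored hash strings

    def set_password(self, account, new_password):
        """Apply the policy and the reuse check; return [] on success, else the reasons."""
        problems = check_policy(new_password)
        if problems:
            return problems
        previous = self.history.get(account, [])
        if account in self.current:
            previous = previous + [self.current[account]]
        # The history holds hashes, so the reuse check is a verification per entry.
        if any(verify_password(new_password, h) for h in previous):
            return [f"reuses one of the last {HISTORY_DEPTH} passwords"]
        self.history[account] = previous[-HISTORY_DEPTH:]
        self.current[account] = hash_password(new_password)
        return []

    def login(self, account, password):
        stored = self.current.get(account)
        return stored is not None and verify_password(password, stored)
```

Note that the history check costs one PBKDF2 computation per stored entry, which is the price of not keeping the list of plaintext passwords; the depth is therefore kept small.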

10 Password Security Continued
  Develop procedures/policies for proper use of privileged accounts
   – Never send unencrypted
   – No “sticky note” storage

11 Positioning for Single Sign On: What Michigan Tech Is Doing
  Introducing LDAP
   – Unique userid registry
   – Unique Identifier
   – White Pages
      Non-critical system
      All the person entries in one place

12 Positioning for Single Sign On Continued
  Web Single Sign On
   – No account information required
      UUID
      SID
      Login Shell
      Home Directory
   – No clear text transmission of password
   – Easy for others to implement
   – Easy to demonstrate
   – Reduced Sign On
   – Pubcookie/WebISO
   – SAML (Security Assertion Markup Language)

13 Web Authentication at MTU (diagram; only the labels survive): three boxes, Client, Web Application and Web authN service, with the arrows labelled Not Logged In, Authenticate and Issue cookie/credential.
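Slides 12 and 13 describe the web single sign-on pattern: the web authN service checks the password, issues a cookie/credential, and the application accepts that credential instead of ever seeing the password. The following is an added example, not code from the presentation, from Pubcookie or from Michigan Tech, of the minimal credential such a service can issue: a userid and expiry, integrity-protected with an HMAC under a key shared with the application. SHARED_KEY, TICKET_LIFETIME and the userids are constructed values; a real deployment would use per-site keys or a public-key signature, as Pubcookie and SAML do.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed values: the key is shared out of band between the web authN
# service and each application; the lifetime would be set by policy.
SHARED_KEY = b"constructed-demo-key-not-for-production"
TICKET_LIFETIME = 3600   # seconds


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_ticket(userid, now=None, key=SHARED_KEY):
    """Issued by the authN service after it has verified the password itself.
    The ticket carries only the userid and an expiry, never the password."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"uid": userid, "exp": now + TICKET_LIFETIME},
                         sort_keys=True).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_ticket(ticket, now=None, key=SHARED_KEY):
    """Run by the application: return the userid if the ticket is authentic
    and unexpired, otherwise None (so the client is sent to the authN service)."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, mac_b64 = ticket.split(".")
        payload = _unb64(payload_b64)
        presented_mac = _unb64(mac_b64)
    except (ValueError, binascii.Error):
        return None
    # Check the MAC before looking at the claims, in constant time.
    expected_mac = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(presented_mac, expected_mac):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims.get("uid")


def handle_request(cookie, now):
    """Application-side decision mirroring the diagram on slide 13."""
    userid = verify_ticket(cookie, now=now)
    return f"serve page to {userid}" if userid else "redirect to web authN service"
```

The application never handles a password, which is the "no clear text transmission of password" point on slide 12, and a forged or expired cookie simply sends the client back to the authN service.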

14 Positioning for Single Sign On Continued
  Single Password Issues
   – Cross platform
      Difficult to synchronize across platforms
   – Catch-22 issues
      Reset password notification
   – Application issues
      AuthN capabilities

15 Positioning for Single Sign On Continued
  Central Authentication System Issues
   – Network issues
      Availability
      Load
   – Central storage issues
      Reliability
      Disk Space
   – Account management issues
      Who owns which users?
      Who can change account information?

16 Positioning for Single Sign On Continued
  Reduced account management
   – No password files / NIS
   – Delegated administration
  Enforceable secure protocols
  Standard authN across campus and off campus

17 Sources
  Identifiers, Authentication, and Directories: Best Practices for Higher Education. http://middleware.internet2.edu/internet2-mi-best-practices-00.html
  The Free On-line Dictionary of Computing, © 1993-2001 Denis Howe
  The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2000 by Houghton Mifflin Company. Published by Houghton Mifflin Company. All rights reserved.

