PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live! Web Seminar May 11, 2004
Download
Report
Transcript PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live! Web Seminar May 11, 2004
PKI: A Technology Whose Time Has
Come in Higher Education
EDUCAUSE Live! Web Seminar
May 11, 2004
Our Systems Are Under Constant Attack
• The numbers of vulnerabilities and attack techniques
continue to mushroom
• We need to improve how we secure access to
applications and data
Don’t forget the greatest threat often comes from a
disgruntled insider.
2
Some Attacks Succeed Spectacularly
• Loss of personal data
• Outages
• Potentially huge costs:
– Productivity loss
– Remediation
– User notification
– Bad publicity
– Loss of credibility
– Lawsuits?
• See “Damage Control: When Your Security Incident Hits the 6
O’Clock News”
www.educause.edu/ir/library/ra/EDU0307.ram
3
IT Security Risks Escalate
•
More and more important information and
transactions are online:
–
–
–
–
–
–
•
Personal identity information
Financial transactions
Course enrollment, grades
Tests, quizzes administered online
Licensed materials
Confidential research data
We must comply with increasingly strict regulations:
–
–
Health information - HIPAA
Educational records - FERPA
4
Specific Example: Email
• Spoofing email is trivial (simple setting in most
email clients)
– Spoofed message from professor postponing a final
– Inappropriate message seemingly from College
President
• Email is like a postcard written in pencil
– Others on network can see (or even modify)
contents if not encrypted (really easy on wireless!)
– You may use SSL, but what about other hops
between mail servers?
• Risk of wayward email archives
5
Specific Example: Student
Information System
• Online enrollment, schedule, grades
• FERPA protected information
• Potentially available to hackers via network
Q: What if someone hacks your authentication system
and potentially downloads students grades?
A: You are probably obligated by law to notify every
individual whose grades may have been exposed!
6
Password Problems: User Perspective
• Users HATE username/passwords
• Too many for them to manage:
– Re-use same password
– Use weak (easy to remember) passwords
– Rely on “remember my password” crutches
• Forgotten password help desk calls cost $25 - $200
each (IDC) and are far too common
• As we put more services online, it just gets worse…
7
Password Problems: Admin Perspective
• Many different username/password schemes
to learn, set up, and administer:
– Backups, password resets, revoking access,
initial password values, etc.
• Multiple administrators have access to
usernames/passwords – many points of
failure
8
Password Sharing
• Corrupts value of username/password for
authentication and authorization.
• Users do share passwords: PKI Lab survey of
171 undergraduates revealed that 75% of them
shared their password and fewer than half of
those changed it after sharing.
• We need two factor authentication to address
password sharing.
9
Ending the Madness
• Traditional approaches
– Single password
– Single sign-on, fewer sign-ons
• PKI
– Local password management by end user
– Two factor authentication
10
PKI’s Answer to Password Woes
• Users manage their own (single or few)
passwords.
• Cost-effective two factor authentication.
• Widely supported alternative for authentication
to all sorts of applications (both web-based and
otherwise).
11
PKI Passwords Are Local to Client
• PKI eliminates user passwords on network
servers.
• Password to PKI credentials is local to user’s
computer, smartcard, or token.
• User manages the password and only has one per
set of credentials (likely only one or two total).
• No need for password synchronization.
• Standard PKI infrastructure.
• Still need process for forgotten password, but it is
less likely to be forgotten (used frequently and
not so many of them).
12
Underlying Key Technology
• Asymmetric encryption uses a pair of asymmetric keys, each is the
only way to decrypt data encrypted by the other.
• One key is private and carefully protected by its holder. The other is
public and freely distributed.
• In authentication, the server challenges the client to encrypt or
decrypt something with the private key. Its ability to do so proves
its identity.
• Private key and password always stay in the user’s possession.
13
PKI Provides Two Factor Authentication
• Requires something the user has (credentials
stored in the application or a smartcard or token)
in addition to something a user knows (local
password for the credentials).
• Significant security improvement, especially
with smartcard or token (a post-it next to the
screen is no longer a major security hole).
• Reduces risk of password sharing.
14
PKI Benefit: Encryption
• Strong encryption with extensible number of bits
in key.
• Can use same PKI digital credentials as
authentication and digital signatures.
• More leverage of the PK Infrastructure.
• Encrypt data for any individual without prior
exchange of information – just acquire their
certificate which contains their public key.
15
•
•
•
•
How PKI Encryption Works
Asymmetric encryption prevents need for shared secrets.
Anyone encrypts with public key of recipient.
Only the recipient can decrypt with their private key.
Private key is secret and protected, so “bad guys” can’t
read encrypted data.
16
PKI Benefit:
Digital Signatures
• Our computerized world still relies heavily on
handwritten signatures on paper.
• PKI enables digital signatures, recognized by
Federal Government as legal signatures:
– Reduce paperwork with electronic forms.
– Much faster and more traceable business
processes.
– Improved assurance of electronic transactions
(e.g. really know who that email was from).
17
How Digital Signatures Work
• Signer computes content digest, encrypts with their private
key.
• Reader decrypts with signer’s public key.
• Reader re-computes the content digest and verifies match
with original – guarantees no one has modified signed data.
• Only signer has private key, so no one else can spoof their
digital signature.
18
PKI Benefit: User Convenience
• Fewer passwords!
• Consistent mechanism for authentication that
users only have to learn once. (UT Houston
Medical Center users now request that all
network services use PKI authentication.)
• Same user credentials for authentication,
digital signatures, and encryption – lots of
payback for user’s effort to acquire and
manage the credentials.
19
PKI Benefit: Coherent EnterpriseWide Security Administration
• Centralized issuance and revocation of user
credentials (goes hand in hand with identity
management).
• Consistent identity checking when issuing
certificates.
• Same authentication mechanism for all network
services.
• Single process to recover from lost passwords or
keys (not per application).
• Leverage investment in tokens or smart cards across
many applications.
20
Interoperability With Other Institutions
• Allows authentication, digital signatures, and
encryption using credentials issued by a trusted
collaborating institution:
– Signed forms and documents for business process (e.g.
grant applications, financial aid forms, government
reports)
– Signed and encrypted email from a colleague at another
school
– Authentication to applications shared among schools
(e.g. grid)
– Peer to peer authentication for secure information
sharing
21
Standards Based Solution
• Standards provide interoperability among
multiple vendors and open source.
• Wide variety of implementations available
and broad coverage of application space.
• Level playing field for open source and new
vendors – promotes innovation and healthy
competition.
22
PKI Enjoys Unequaled Client, Server, and
Application Support
• Commercial and open source
• Windows, Macintosh, Linux, Solaris, UNIX
• Apache, Oracle, IIS, SSL, Web Services,
Shibboleth, Browsers, email, VPN, Acrobat, MS
Office, AIM, and many others Software and
hardware key storage
• Development libraries, toolkits and applications
• Certificate Authority, directory, escrow,
revocation, and other infrastructure tools
23
Momentum Outside Higher Education
• Industry support for PKI
• Federal and State governments major adopters
• Microsoft, Sun, Johnson and Johnson, Disney,
banks heavy industry adopters
• Major deployment in Europe
• China pushing WAPI wireless authentication
standard that requires PKI
• Web Services (e.g. SAML uses PKI signed
assertions)
24
Federal Collaborations
• FBCA, HEBCA bridge projects
• Proof of concept NIH EDUCAUSE project to
demonstrate digitally signing documents for
submission to the Federal government
• Possible DOE, NSF, NIH applications for
Higher Education?
25
Dartmouth PKI Lab
• R&D to make client side PKI a practical
component of campus networks
• Multi-campus collaboration sponsored by the
Mellon Foundation
• Dual objectives:
– Deploy existing PKI technology to improve network
applications (both at Dartmouth and elsewhere).
– Improve the current state of the art.
• Identify security issues in current products.
• Develop solutions to the problems.
26
•
Production PKI Applications at
Dartmouth
Dartmouth certificate authority
– 780 end users have certificates, 558 of them are students
• PKI authentication in production for:
–
–
–
–
–
–
Banner Student Information System
Library Electronic Journals
Tuck School of Business Portal
VPN Concentrator
Blackboard CMS
Software downloads
• S/MIME email (Outlook, Mozilla, Thunderbird)
• AOL AIM (PKI-secured sys admin communications)
27
“Open Source CA in a Box”
• Hardened open source Certificate Authority (based on
OpenCA) bundle suitable for trial and simple
deployment
• PKI Lab’s “Enforcer” TPM-hardened Linux
– Controversial “TCPA” technology turned to use for
good and freedom (secures Linux boot process and
provides much enhanced run-time protection against
hackers)
• Packaging for easy installation (bootable CD)
• Carefully chosen enhancements to OpenCA
• We welcome feedback on requirements, contributions,
testing, etc!
28
Deploying PKI
• Client-side PKI is usually a significant undertaking
and requires planning and commitment.
• Get buy in and support from management, legal, audit,
others – a little fear in today’s cyber world is healthy.
• Learn from examples and experiences of others.
• Deploy in phases, plan for future extensibility.
• Choose initial applications to maximize benefits versus
cost.
• Take a long term view - PKI ROI is excellent when
leveraged broadly, but probably not as strong for
individual applications.
See www.dartmouth.edu/~deploypki/deploying/
29
Blatant Advertisement
• We seek a few schools that we can assist as
you deploy PKI credentials and applications
for end users! An explicit part of our mission
is to directly assist you in the
planning/justification, implementation, and
deployment phases.
30
For More Information
www.dartmouth.edu/~deploypki
[email protected]
31