PKI: A Technology Whose Time Has Come in Higher Education
EDUCAUSE National
October 21, 2004
Copyright Mark Franklin, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Our Systems Are Under Constant Attack
• Trojan horses
• Worms
• Viruses
• Spam
• Hackers
• Disgruntled insiders
• Script kiddies
• Sinister proxies
Some of These Attacks Succeed Spectacularly
• Loss of personal data
• Outages
• Potentially huge costs:
  – Productivity loss (user and IT staff)
  – Remediation
  – User notification
  – Bad publicity, loss of credibility
  – Lawsuits?
• See “Damage Control: When Your Security Incident Hits the 6 O’Clock News”
  www.educause.edu/ir/library/ra/EDU0307.ram
IT Security Risks Escalate
• More and more important information and transactions are online:
  – Personal identity information
  – Financial transactions
  – Course enrollment, grades
  – Tests, quizzes administered online
  – Licensed materials
  – Confidential research data
• We must comply with increasingly strict regulations:
  – Health information - HIPAA: http://www.hhs.gov/ocr/hipaa/
  – Educational records - FERPA: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Specific Example: Email
• Spoofing email is trivial
  – Spoofed message from professor postponing a final
  – Inappropriate message seemingly from College President
• Email is like a postcard written in pencil
  – Others on the network can see (or even modify) contents if not encrypted (really easy on wireless!)
• Wayward email archives
Specific Example: Student Information System
• Online enrollment, schedule, grades
• FERPA protected information
• Available to hackers
Q: What if someone hacks your authentication system and potentially downloads grades from thousands of students?
A: You are probably obligated by law to notify every individual whose grades may have been exposed!
Problems with Current Password Solutions
Users Hate Passwords
• Too many to manage, so users:
  – Re-use the same password
  – Use weak (easy to remember) passwords
  – Rely on “remember my password” crutches
  – Write them on post-it notes
• Password help desk calls cost $25 - $200 each (IDC)
• As we put more services online, it just gets worse…
Administrators Hate Passwords
• Each application is different:
  – Password resets
  – Backups, synchronization
  – Revoking access
  – Provisioning new accounts
• Unrewarding, repetitious work
• Expensive learning curve for each application
Addressing Password Woes
• Traditional approaches
  – Single password
  – Single sign-on, fewer sign-ons
• PKI
  – Local password management by end user
  – Two factor authentication
Single Password
• Users like it, but…
• Inherently less secure
• Requires synchronizing passwords – problematic and costly
• Password databases exposed on the network and to administrators – a single username/password is a single point of failure and as vulnerable as your weakest application
Single Sign-on, Fewer Sign-ons
• More secure than single password & provides some relief for users, but…
• Requires infrastructure (e.g. WebISO or Kerberos sidecar)
• Synchronization issues
• Kerberos sidecar: problems with address translation and firewalls, and not widely supported
• Cookie-based SSO vulnerabilities
• Password database still exposed on the network and to administrators
Password Sharing
• Corrupts value of username/password for authentication
• Users do share passwords: PKI Lab survey of 171 undergraduates revealed 75% of them did, and fewer than half changed it afterwards
• We need two factor authentication to address password sharing
• Human engineering is a huge vulnerability!
PKI’s Answer to Password Woes
• PKI can authenticate clients too
• Users manage own (single or few) passwords
• Cost-effective two factor authentication
• Widely supported in all sorts of applications (web-based and otherwise)
PKI Passwords Stay on the Client
• No user passwords on network servers
• Local password only unlocks PKI credentials
• One password per set of credentials (likely only one or two total)
• Password used for many apps => forgotten less
• Only one forgotten password process for many applications
PKI Enables Single Password and Single Sign-on
• One password to unlock user’s PKI credentials
• Credentials authenticate user to many services using PKI standards
• No need for password synchronization
• No additional infrastructure other than standard PKI and standard PKI authN hooks in apps
• Typically less effort to enable PKI authentication than other SSO methods
Underlying Key Technology
• Asymmetric key encryption: a pair of keys in which each key is the only way to decrypt data encrypted by the other.
• Private key kept secret and carefully protected by its holder. Public key freely distributed.
• In authentication, the server challenges the client with a fresh random value; the client signs (or decrypts) it with the private key, and the server checks the result with the public key from the client’s certificate. Only the holder of the private key can do this, so success proves the client’s identity, and because every challenge is new, a captured response cannot be replayed later.
• Private key and password always stay in the user’s possession.
[Diagram: Plain Text → Encrypt (anyone with public key) → Encrypted Text → Decrypt (possessor of private key only) → Plain Text]
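The challenge-response step above, written out as an added Go example using only the standard library; it is not code from the slides or from the Dartmouth PKI Lab. The P-256 key pair, the 32-byte nonce and the user names are assumptions for illustration. The server never sees a password or a private key: it sends a fresh random challenge, the client signs it, and the server verifies the signature with the public key it already trusts for that user (in a deployment, the key in the user’s certificate). The end of the program exercises the two failure modes the design must cover: a response replayed against a later challenge, and a response made with someone else’s key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Credential is the user's side of the key pair. In a deployment the private
// key sits in a software keystore or a token, unlocked by a local password;
// here it is generated in memory (an assumption for the example).
type Credential struct {
	priv *ecdsa.PrivateKey
}

// NewCredential generates a P-256 key pair for the user.
func NewCredential() (*Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Credential{priv: priv}, nil
}

// PublicKey is the half the server learns from the user's certificate.
func (c *Credential) PublicKey() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Respond answers a server challenge by signing its SHA-256 digest with the
// private key. The key itself never leaves the client.
func (c *Credential) Respond(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// NewChallenge is the server side: a fresh 32-byte random nonce for every
// authentication attempt, so a captured response is useless later.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify is the server side: the response is accepted only if it is a valid
// signature over this exact challenge under the public key bound to the user.
func Verify(pub *ecdsa.PublicKey, challenge, response []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], response)
}

func main() {
	alice, err := NewCredential()
	if err != nil {
		panic(err)
	}
	c1, _ := NewChallenge()
	r1, _ := alice.Respond(c1)
	fmt.Println("genuine response accepted:", Verify(alice.PublicKey(), c1, r1))

	// Replay: the same response presented against a later challenge.
	c2, _ := NewChallenge()
	fmt.Println("replayed response accepted:", Verify(alice.PublicKey(), c2, r1))

	// Impersonation: a response produced with a different key pair.
	mallory, _ := NewCredential()
	r2, _ := mallory.Respond(c1)
	fmt.Println("response from wrong key accepted:", Verify(alice.PublicKey(), c1, r2))
}
```

TLS client-certificate authentication performs the same proof of possession inside the handshake, signing a value derived from the handshake transcript rather than a bare nonce, which is why applications that already speak TLS can add PKI authentication with little new code.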
PKI Provides Two Factor Authentication
1) Something the user has (credentials stored in the application, or on a smartcard or token)
2) Something the user knows (password to unlock the credentials)
• Significant security improvement, especially with smartcard or token
• Post-it next to the screen no longer major security hole
• Can’t hijack a token via the network
• Reduces exposure to password sharing (token is difficult to share)
But Wait There’s More…
Benefits of PKI Beyond Authentication
PKI Benefit: Digital Signatures
• Our computerized world still runs by handwritten signatures on paper.
• PKI enables digital signatures
  – Improved assurance of electronic transactions (e.g. really know who that email was from)
  – Recognized by Federal Government as legal signatures
  – Reduce paperwork via electronic forms
  – Faster, more traceable business processes
  – Fundamental building block of Web Services
Federal digital signature information: http://museum.nist.gov/exhibits/timeline/item.cfm?itemId=78
How Digital Signatures Work
• Signer computes a digest of the content and signs it with own private key (in the textbook RSA picture, “encrypts” the digest with the private key).
• Reader checks the signature with the signer’s public key (the “decrypt with the public key” step).
• Reader re-computes the content digest and verifies it matches the signed one – detects any modification of the signed data.
• Only the signer has the private key, so no one else can forge their digital signature.
[Diagram: Plain Text → Compute digest, sign & date, encrypt (possessor of private key only) → Encrypted Text → Verify signature, check digest (anyone with public key)]
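The four steps above in code, as an added Go example that is not from the slides or the Dartmouth PKI Lab: the signer hashes the content together with a signing date and signs that digest with an RSA-2048 key using PKCS#1 v1.5 (the scheme in which “encrypt the digest with the private key” is essentially what happens: the padded digest is raised to the private exponent); the reader recomputes the digest and verifies. The key size, the RFC 3339 date format and the sample text are assumptions. The program also shows the two outcomes a reader must get right: a modified document fails, and a valid signature made with some other key fails against the expected signer’s public key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// SignedDocument is the envelope a reader receives: the content, the date
// it was signed, and a signature over a digest of both.
type SignedDocument struct {
	Content   []byte
	Date      string // RFC 3339; signed together with the content
	Signature []byte
}

// ErrBadSignature covers both failures the reader cares about: the content
// (or date) was modified, or the signature was not made by the key the
// reader attributes to the signer.
var ErrBadSignature = errors.New("signature does not verify: content modified or not signed by the expected key")

// NewSignerKey generates an RSA-2048 signing key (in a deployment it would
// live in the user's keystore or token).
func NewSignerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// digest hashes content and date together, with a separator, so neither
// can be swapped independently of the other.
func digest(content []byte, date string) []byte {
	h := sha256.New()
	h.Write(content)
	h.Write([]byte{0})
	h.Write([]byte(date))
	return h.Sum(nil)
}

// Sign is the signer's step: compute the digest, then sign it with the
// private key (RSA PKCS#1 v1.5 over SHA-256).
func Sign(priv *rsa.PrivateKey, content []byte, date time.Time) (*SignedDocument, error) {
	d := date.UTC().Format(time.RFC3339)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(content, d))
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Content: content, Date: d, Signature: sig}, nil
}

// VerifyDoc is the reader's step: recompute the digest from the received
// content and date, then check the signature with the signer's public key.
func VerifyDoc(pub *rsa.PublicKey, doc *SignedDocument) error {
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(doc.Content, doc.Date), doc.Signature); err != nil {
		return ErrBadSignature
	}
	return nil
}

func main() {
	prof, _ := NewSignerKey()
	// Constructed sample content for the example.
	doc, _ := Sign(prof, []byte("Final exam moved to Friday 2pm."), time.Now())
	fmt.Println("original:", VerifyDoc(&prof.PublicKey, doc))

	tampered := *doc
	tampered.Content = []byte("Final exam cancelled.")
	fmt.Println("modified content:", VerifyDoc(&prof.PublicKey, &tampered))

	impostor, _ := NewSignerKey()
	forged, _ := Sign(impostor, doc.Content, time.Now())
	fmt.Println("signed by a different key:", VerifyDoc(&prof.PublicKey, forged))
}
```

The reader only learns that the signing key matches a public key; binding that public key to a person is the certificate authority’s job, which is why the signature and the CA belong to one infrastructure.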
PKI Benefit: Encryption
• “For your eyes only” encryption without prior exchange of keys
• Strong encryption with extensible number of bits in key
• Same PKI digital credentials as authentication and digital signatures
• More leverage of the PK Infrastructure
How PKI Encryption Works
• Asymmetric encryption eliminates shared secrets
• Anyone encrypts using the public key of the recipient
• Only the recipient can decrypt, using their private key
• Private key is secret and protected, so “bad guys” can’t read encrypted data
[Diagram: Plain Text → Encrypt (anyone with public key) → Encrypted Text → Decrypt (possessor of private key only) → Plain Text]
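The encryption path in the diagram, as an added Go example that is not from the slides, with the detail the slide leaves out: in practice PKI encryption is hybrid. The recipient’s public key encrypts a random per-message content key (RSA-OAEP here), and that key encrypts the message with an authenticated cipher (AES-256-GCM), because RSA on its own can only encrypt a message shorter than its modulus. Key sizes, the choice of OAEP and GCM, and the sample text are assumptions. Only the matching private key unwraps the content key; anyone else, and anyone who altered the ciphertext, gets an error rather than plaintext, which is what “bad guys can’t read it” has to mean in an implementation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels to the recipient: the message under a fresh
// symmetric key, plus that key wrapped to the recipient's public key.
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP to the recipient
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM ciphertext with authentication tag
}

var (
	ErrNotRecipient = errors.New("cannot unwrap content key: this private key is not the intended recipient's")
	ErrTampered     = errors.New("ciphertext failed authentication: modified in transit")
)

// NewRecipientKey generates the recipient's RSA-2048 key pair.
func NewRecipientKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt needs only the recipient's public key: no shared secret arranged
// in advance. A random 256-bit content key protects the message itself,
// because RSA can only encrypt a few hundred bytes directly.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Decrypt succeeds only with the matching private key; anyone else, and
// anyone who altered the ciphertext, gets an error instead of plaintext.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, ErrNotRecipient
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, ErrTampered
	}
	return plaintext, nil
}

func main() {
	dean, _ := NewRecipientKey()
	// Constructed sample message for the example.
	env, _ := Encrypt(&dean.PublicKey, []byte("Grades attached; for your eyes only."))
	pt, err := Decrypt(dean, env)
	fmt.Printf("intended recipient: %q %v\n", pt, err)

	eavesdropper, _ := NewRecipientKey()
	_, err = Decrypt(eavesdropper, env)
	fmt.Println("other private key:", err)

	env.Ciphertext[0] ^= 0x01
	_, err = Decrypt(dean, env)
	fmt.Println("one flipped ciphertext bit:", err)
}
```

Because the content key is random per message, losing one private key exposes only messages addressed to that key; this is also why encryption key escrow (a later slide) is a separate problem from signing keys, which never need to be recoverable.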
PKI Benefit: User Convenience
• Fewer passwords!
• Single, consistent authentication mechanism. (UT Houston Medical Center users now request that all network services use PKI authentication.)
• Same user credentials for authentication, digital signatures, and encryption – big payback for user’s effort to acquire and manage the credentials.
PKI Benefit: Coherent Enterprise-Wide Security Administration
• Same authentication mechanism for all network services
• Centralized issuance and revocation of user credentials (dovetails with identity management)
• Consistent identity checking when issuing certificates (not per application)
• Leverage investment in infrastructure and tokens or smart cards across many applications
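The three infrastructure pieces on this slide, as an added Go example (standard library only, Go 1.19 or later for the CRL parsing; this is not the Dartmouth CA or any OpenCA code): one root that issues user certificates after a single identity check, one signed CRL that carries revocations to every application, and the check each relying application performs on a presented certificate. Names, the P-256 key type, validity periods and sequential serials are illustrative assumptions; a production CA uses unpredictable serials with a database behind it. Note what Authenticate refuses: a certificate from another CA, an expired one, a revoked one, and a CRL not signed by the campus root.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CA holds the campus authority's signing key and its self-signed root.
type CA struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
	next int64 // sequential serials are a simplification; a real CA uses unpredictable ones
}

var ErrRevoked = errors.New("certificate has been revoked by the issuing CA")

// NewKeyPair generates a P-256 key pair; for a user, the CA only ever sees the public half.
func NewKeyPair() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a ten-year self-signed root permitted to sign certificates and CRLs.
func NewCA(name string, now time.Time) (*CA, error) {
	key, err := NewKeyPair()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now,
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{key: key, Cert: cert, next: 2}, nil
}

// IssueUser is the one identity check per user: a verified name bound to the user's
// public key in a one-year certificate usable for client authentication.
func (ca *CA) IssueUser(user string, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.next),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	ca.next++
	return issue(tmpl, ca.Cert, pub, ca.key)
}

// CRL is revocation done once, centrally: a signed list of revoked serials that
// every relying application consults.
func (ca *CA) CRL(now time.Time, revoked ...*x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(now.Unix()), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca.Cert, ca.key)
}

// Authenticate is what each application does with a presented certificate: chain it to
// the campus root (client-auth usage and validity period enforced by Verify), then refuse
// it if the CA's signed CRL lists its serial.
func Authenticate(root *x509.Certificate, crlDER []byte, presented *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := presented.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil {
		return err
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(presented.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}

func main() {
	now := time.Now()
	ca, _ := NewCA("Campus Root CA (example)", now)
	key, _ := NewKeyPair()
	alice, _ := ca.IssueUser("alice", &key.PublicKey, now)
	crl, _ := ca.CRL(now)
	fmt.Println("before revocation:", Authenticate(ca.Cert, crl, alice, now))
	crl, _ = ca.CRL(now, alice)
	fmt.Println("after revocation:", Authenticate(ca.Cert, crl, alice, now))
}
```

Central revocation only takes effect if applications fetch a fresh CRL before its NextUpdate and fail closed when they cannot; an application that skips the CRL check because the download failed has silently turned revocation off.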
Inter-institutional Trust
• Authentication, digital signatures, and encryption using credentials issued by a trusted collaborating institution
  – Signed forms and documents for business processes (e.g. grant applications, financial aid forms, government reports)
  – Signed and encrypted email from a colleague at another school
  – Authentication to applications shared among consortiums of schools
  – Peer to peer authentication for secure information sharing: http://wiki.osafoundation.org/twiki/bin/view/Chandler/DartmouthPkiProposal
Standards Based Solution
• Interoperability among multiple vendors and open source components and applications
• Wide variety of implementations available and broad coverage of application space
• Level playing field for open source and new vendors – promotes innovation and healthy competition
PKI Enjoys Unequaled Client, Server, and Application Support
• All major platforms
• Software and hardware key storage
• Commercial and open source
• Development libraries, toolkits and applications
• Certificate Authority, directory, escrow, revocation, and other infrastructure tools
• Major server platforms
• Vendors include Microsoft, Sun, Cisco, IBM, BEA, RSA, Verisign, DST, Entrust, AOL, Adobe, Infomosaic, Aladdin, Schlumberger
Momentum Outside Higher Education
• Industry support for PKI
• Federal and State governments major adopters
• Microsoft, Sun, Johnson and Johnson, Disney, heavy industry adopters
• Major deployment in Europe
• Web Services (e.g. SAML uses PKI signed assertions)
• China pushing WAPI wireless authentication that requires PKI
Likely Federal Opportunities
• FBCA, HEBCA bridges
• Proof of concept NIH EDUCAUSE project to demonstrate digitally signing documents for submission to the Federal government
• Possible DOE, NSF, NIH applications for Higher Education?
Dartmouth PKI Lab
• R&D to make PKI a practical component of campus networks
• Multi-campus collaboration sponsored by the Mellon Foundation
• Dual objectives:
  – Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
  – Improve the current state of the art.
    • Identify security issues in current products.
    • Develop solutions to the problems.
Production PKI Applications at Dartmouth
• Dartmouth certificate authority
  – 1295 end users have certificates, 858 of them enrolled students
• PKI authentication in production for:
  – Banner Student Information System
  – VPN Concentrator (2-factor)
  – Active Directory smartcard logon
  – Library Electronic Journals
  – Tuck School of Business Portal
  – Blackboard CMS
  – Software downloads
• We plan to reach all Dartmouth users with PKI
• Starting to require tokens for staff
• Large token distribution to students
Investigation and Research
• Greenpass: pilot of 802.1x guest access delegation using PKI authentication credentials
  – Supported by Cisco
• Wireless authentication
  – 802.1x authentication with EAP-TLS (PKI) on Windows and Macintosh
  – WEP or improved WPA encryption
  – These work well but require up to date drivers (and sometimes recent hardware/firmware for WPA)
• Works for VPN authentication too
“Open Source CA in a Box”
• Hardened open source Certificate Authority (based on OpenCA) bundle suitable for trial and simple deployment
• PKI Lab’s “Enforcer” TPM-hardened Linux
  – Controversial “TCPA” technology turned to use for good and freedom (secures Linux boot process and provides much enhanced run-time protection against hackers)
• Packaging for easy installation (bootable CD): www.dartmouth.edu/~deploypki/CA/InstallOpenCALiveCD.html
Deploying PKI
• Get buy-in and support from management, legal, audit, others – a little fear of today’s risks is healthy.
• Architect carefully, learn from examples of others.
• Just do it. Start simple, extend later.
• Start with low hanging fruit.
• Take a long term view - PKI ROI is excellent when leveraged broadly, not as strong for individual applications.
Project plan and how-to information for deploying PKI: www.dartmouth.edu/~deploypki/deploying/
Dartmouth’s Experiences
• End user PKI is challenging, but not intractable.
• Low-key, optional approach works well (but slowly).
• Multiple CA options are viable
  – Outsource
  – Open source/homegrown
  – Commercial package
• Automated web application CA services work well.
• Encryption key escrow is a challenge we have avoided so far.
• Application support for PKI still has rough edges.
• PKI tokens for two-factor authentication are easy to justify. Biometric tokens may finally eliminate passwords?
• Users voluntarily adopt optional PKI that’s as easy as the alternative, but will adopt higher impact PKI (e.g. tokens) only when required.
• Users acknowledge the need for stronger security.
Outreach
• Many presentations: www.dartmouth.edu/~deploypki/events.html
• Educause Live! web seminar: www.educause.edu/live/2004/live045/
• March/April EDUCAUSE Review “New Horizons” article: www.educause.edu/ir/library/pdf/erm0427.pdf
• PKI Deployment Summit: www.dartmouth.edu/~deploypki/summit04
• Working with schools deploying PKI
  – PKI’s inexpensive 2-factor authentication proving an attractive proposition
  – We can help you too!
Blatant Advertisement
• Please check out our outreach web at: www.dartmouth.edu/~deploypki
We seek to assist schools deploying PKI for end users, including direct assistance in the planning/justification, implementation, and deployment phases. Please let us know how we can help.
For More Information
• Outreach web: www.dartmouth.edu/~deploypki
• Dartmouth PKI Lab information: www.dartmouth.edu/~pkilab
• Dartmouth user information, getting a Dartmouth certificate: www.dartmouth.edu/~pki
I’ll happily send copies of these slides upon request.