PKI: A Technology Whose Time Has Come in Higher Education

Identity Management Realities in Higher Education
NET Quarterly Meeting
January 12, 2005
Higher Education IT Environment
• Open campus, easy physical access to wired
and wireless network
• Open network, no firewall or address
translation to Internet – like an ISP
• Heterogeneous client computers
• Mix of very knowledgeable and very naïve
users
IT Security Risks Escalate
• More and more important information and transactions are online:
– Personal identity information
– Financial transactions
– Course enrollment, grades
– Tests, quizzes administered online
– Licensed materials
– Confidential research data
• We must comply with increasingly strict regulations:
– Health information - HIPAA: http://www.hhs.gov/ocr/hipaa/
– Educational records - FERPA: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Dartmouth’s Identity Management
• Timesharing (’70s) and Dartmouth Name
Directory (’80s) pre-dated LDAP and AD
• LDAP now (with legacy DND interface for
backwards compatibility)
• Everyone has an LDAP entry
• Passwords centrally managed in LDAP
• Now provisioning accounts for applicants
An early start, but now pretty standard fare…
More to the Picture…
Having a good directory is important…
but we also need to be sure the individual at the
keyboard is who they claim to be.
Sometimes strong identity management can reduce
security by eliminating obscurity and enabling reuse of a single password for more applications.
Password Sharing
• Corrupts value of username/password for
authentication
• Sticky notes next to computer
• Files (even web pages full of passwords)
• Logging co-workers onto a system so they
can help
• Social engineering is a huge vulnerability!
Users Do Share Passwords
• PKI Lab survey of 171 undergraduates: 75% of them
shared passwords, < 50% changed afterwards
• Social engineering examples in “Probing End-User
Security Practices – Through Homework” (Prof. Sean
Smith)
– Offering squirt guns for passwords was 80% effective
– 83% provided their password to bogus survey web
www.educause.edu/ir/library/pdf/eqm0449.pdf
• Need two factor authentication to address password
sharing
Lest you think your users are different, remember students
comprise the future workforce.
PKI Provides Two Factor Authentication
1) Something the user has (credentials stored in
the application or a smartcard or token)
2) Something a user knows (password to unlock
credentials).
• Significant security improvement
• Reduces exposure to password sharing (token is difficult to share)
Underlying Key Technology
• Asymmetric key encryption: each key is the only way to decrypt data
encrypted by the other.
• Private key kept secret and carefully protected by its holder. Public
key freely distributed.
[Diagram: Plain Text → Encrypt (anyone with public key) → Encrypted Text → Decrypt (possessor of private key only)]
• In authentication, server challenges client to encrypt or decrypt
something with private key. Ability to do so proves client identity.
• Private key and password always stay in the user’s possession.
Digital Signatures (Attaching Identity to Electronic Forms and Documents)
• Our computerized world still runs by handwritten
signatures on paper.
• Digital signatures promise to revolutionize many
business processes:
– Improve assurance of electronic transactions, verify and
record digital signatures
– Reduce paperwork via electronic forms
– Faster, cheaper, more traceable business processes
– Fundamental building block of Web Services
Federal digital signature information:
http://museum.nist.gov/exhibits/timeline/item.cfm?itemId=78
Inter-institutional Trust
• Accepting credentials issued by a trusted
collaborating institution
– Signed forms and documents for business process (e.g.
grant applications, financial aid forms, government
reports)
– Signed and encrypted email from a colleague at another
school
– Authentication to applications shared among
consortiums of schools
Dartmouth PKI Lab
• R&D to make PKI a practical component of
campus networks
• Multi-campus collaboration sponsored by the
Mellon Foundation
• Dual objectives:
– Deploy existing PKI technology to improve network
applications (both at Dartmouth and elsewhere).
– Improve the current state of the art.
• Identify security issues in current products.
• Develop solutions to the problems.
For More Information
• Outreach web: www.dartmouth.edu/~deploypki
• Dartmouth PKI Lab
– PKI Lab information: www.dartmouth.edu/~pkilab
– Dartmouth user information, getting a Dartmouth certificate: www.dartmouth.edu/~pki
I’ll happily send copies of these slides upon request.