
- Number of slides: 39
PKI: A Technology Whose Time Has Come in Higher Education
EDUCAUSE National, October 21, 2004
Copyright Mark Franklin, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Our Systems Are Under Constant Attack
• Trojan horses
• Worms
• Viruses
• Spam
• Hackers
• Disgruntled insiders
• Script kiddies
• Sinister proxies
Some of These Attacks Succeed Spectacularly
• Loss of personal data
• Outages
• Potentially huge costs:
– Productivity loss (user and IT staff)
– Remediation
– User notification
– Bad publicity, loss of credibility
– Lawsuits?
• See “Damage Control: When Your Security Incident Hits the 6 O’Clock News”: www.educause.edu/ir/library/ra/EDU0307.ram
IT Security Risks Escalate
• More and more important information and transactions are online:
– Personal identity information
– Financial transactions
– Course enrollment, grades
– Tests, quizzes administered online
– Licensed materials
– Confidential research data
• We must comply with increasingly strict regulations:
– Health information - HIPAA: http://www.hhs.gov/ocr/hipaa/
– Educational records - FERPA: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Specific Example: Email
• Spoofing email is trivial
– Spoofed message from professor postponing a final
– Inappropriate message seemingly from College President
• Email is like a postcard written in pencil
– Others on the network can see (or even modify) contents if not encrypted (really easy on wireless!)
• Wayward email archives
Specific Example: Student Information System
• Online enrollment, schedule, grades
• FERPA protected information
• Available to hackers
Q: What if someone hacks your authentication system and potentially downloads grades from thousands of students?
A: You are probably obligated by law to notify every individual whose grades may have been exposed!
Problems with Current Password Solutions
Users Hate Passwords
• Too many to manage, so users:
– Re-use the same password
– Use weak (easy to remember) passwords
– Rely on “remember my password” crutches
– Write them on post-it notes
• Password help desk calls cost $25 - $200 each (IDC)
• As we put more services online, it just gets worse…
Administrators Hate Passwords
• Each application is different:
– Password resets
– Backups, synchronization
– Revoking access
– Provisioning new accounts
• Unrewarding, repetitious work
• Expensive learning curve for each application
Addressing Password Woes
• Traditional approaches
– Single password
– Single sign-on, fewer sign-ons
• PKI
– Local password management by end user
– Two factor authentication
Single Password
• Users like it, but…
• Inherently less secure
• Requires synchronizing passwords – problematic and costly
• Password databases exposed on the network and to administrators – a single username/password is a single point of failure and is as vulnerable as your weakest application
Single Sign-on, Fewer Sign-ons
• More secure than a single password & provides some relief for users, but…
• Requires infrastructure (e.g. WebISO or Kerberos sidecar)
• Synchronization issues
• Kerberos sidecar: problems with address translation and firewalls, and not widely supported
• Cookie-based SSO vulnerabilities
• Password database still exposed on the network and to administrators
Password Sharing
• Corrupts the value of username/password for authentication
• Users do share passwords: a PKI Lab survey of 171 undergraduates revealed 75% of them did, and fewer than half changed afterwards
• We need two factor authentication to address password sharing
• Human engineering is a huge vulnerability!
PKI’s Answer to Password Woes
• PKI can authenticate clients too
• Users manage their own (single or few) passwords
• Cost-effective two factor authentication
• Widely supported in all sorts of applications (web-based and otherwise)
PKI Passwords Stay on the Client
• No user passwords on network servers
• Local password only unlocks PKI credentials
• One password per set of credentials (likely one or two total)
• Password used for many apps => forgotten less
• Only one forgotten-password process for many applications
PKI Enables Single Password and Single Sign-on
• One password to unlock the user’s PKI credentials
• Credentials authenticate the user to many services using PKI standards
• No need for password synchronization
• No additional infrastructure other than standard PKI and standard PKI authN hooks in apps
• Typically less effort to enable PKI authentication than other SSO methods
Underlying Key Technology
• Asymmetric key encryption: each key is the only way to decrypt data encrypted with the other.
• Private key kept secret and carefully protected by its holder. Public key freely distributed.
• In authentication, the server challenges the client to encrypt or decrypt something with the private key. The ability to do so proves the client’s identity.
• Private key and password always stay in the user’s possession.
PKI Provides Two Factor Authentication
1) Something the user has (credentials stored in the application or a smartcard or token)
2) Something the user knows (password to unlock credentials)
• Significant security improvement, especially with smartcard or token
• Post-it next to the screen no longer a major security hole
• Can’t hijack a token via the network
• Reduces exposure to password sharing (token is difficult to share)
But Wait, There’s More… Benefits of PKI Beyond Authentication
PKI Benefit: Digital Signatures
• Our computerized world still runs by handwritten signatures on paper.
• PKI enables digital signatures
– Improved assurance of electronic transactions (e.g. really know who that email was from)
– Recognized by the Federal Government as legal signatures
– Reduce paperwork via electronic forms
– Faster, more traceable business processes
– Fundamental building block of Web Services
Federal digital signature information: http://museum.nist.gov/exhibits/timeline/item.cfm?itemId=78
How Digital Signatures Work
• Signer computes the content digest and encrypts it with their own private key.
• Reader decrypts it with the signer’s public key.
• Reader re-computes the content digest and verifies that it matches the original – this detects modification of the signed data.
• Only the signer has the private key, so no one else can spoof their digital signature.
PKI Benefit: Encryption
• “For your eyes only” encryption without prior exchange of keys
• Strong encryption with extensible number of bits in the key
• Same PKI digital credentials as for authentication and digital signatures
• More leverage of the PK Infrastructure
How PKI Encryption Works
• Asymmetric encryption eliminates shared secrets
• Anyone encrypts using the public key of the recipient
• Only the recipient can decrypt, using their private key
• Private key is secret and protected, so “bad guys” can’t read encrypted data
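The three flows described on the "Underlying Key Technology", "How Digital Signatures Work" and "How PKI Encryption Works" slides, worked through in Python as an added example that is not part of the original slides. It assumes textbook RSA on two fixed Mersenne primes with no padding, purely to make the digest/sign/verify, challenge-response and encrypt/decrypt steps visible; a deployment uses a vetted library with padded, standardised schemes and X.509 certificates.

```python
import hashlib
import secrets

# Toy textbook RSA for illustration only (an assumption of this example):
# fixed Mersenne primes, no padding.  Real PKI uses a vetted library with
# padded, standardised schemes (RSA-PSS / OAEP, ECDSA) and X.509 certificates.
P = 2**521 - 1                      # prime
Q = 2**127 - 1                      # prime
N = P * Q                           # public modulus, about 648 bits
E = 65537                           # public exponent (freely distributed)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (never leaves the holder)

def digest(data: bytes) -> int:
    """Content digest as an integer; SHA-256 output is always smaller than N."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, priv: int = D) -> int:
    """Signer hashes the content and applies the private key to the digest."""
    return pow(digest(data), priv, N)

def verify(data: bytes, signature: int, pub: int = E) -> bool:
    """Reader recovers the digest with the public key and compares it with a
    fresh digest of the data; any modification of the data makes them differ."""
    return pow(signature, pub, N) == digest(data)

def challenge_response(priv: int = D, pub: int = E) -> bool:
    """Authentication: the server sends a random nonce, the client signs it with
    the password-unlocked private key, the server verifies with the public key."""
    nonce = secrets.token_bytes(32)        # server side
    response = sign(nonce, priv)           # client side
    return verify(nonce, response, pub)    # server side

def encrypt(msg: bytes, pub: int = E) -> int:
    """Anyone encrypts to the recipient using the recipient's public key."""
    m = int.from_bytes(msg, "big")
    if m >= N:
        raise ValueError("message too long for this toy scheme")
    return pow(m, pub, N)

def decrypt(ciphertext: int, priv: int = D) -> bytes:
    """Only the holder of the matching private key can recover the message."""
    m = pow(ciphertext, priv, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    msg = b"Final exam postponed to Friday"            # constructed sample
    sig = sign(msg)
    print(verify(msg, sig), verify(msg + b"!", sig))    # True False
    print(challenge_response(), decrypt(encrypt(b"grade report")))
```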
PKI Benefit: User Convenience
• Fewer passwords!
• Single, consistent authentication mechanism. (UT Houston Medical Center users now request that all network services use PKI authentication.)
• Same user credentials for authentication, digital signatures, and encryption – big payback for the user’s effort to acquire and manage the credentials.
PKI Benefit: Coherent Enterprise-Wide Security Administration
• Same authentication mechanism for all network services
• Centralized issuance and revocation of user credentials (dovetails with identity management)
• Consistent identity checking when issuing certificates (not per application)
• Leverage investment in infrastructure and tokens or smart cards across many applications
Inter-institutional Trust
• Authentication, digital signatures, and encryption using credentials issued by a trusted collaborating institution
– Signed forms and documents for business processes (e.g. grant applications, financial aid forms, government reports)
– Signed and encrypted email from a colleague at another school
– Authentication to applications shared among consortiums of schools
– Peer to peer authentication for secure information sharing: http://wiki.osafoundation.org/twiki/bin/view/Chandler/DartmouthPkiProposal
Standards Based Solution
• Interoperability among multiple vendors and open source components and applications
• Wide variety of implementations available and broad coverage of the application space
• Level playing field for open source and new vendors – promotes innovation and healthy competition
PKI Enjoys Unequaled Client, Server, and Application Support
• All major platforms
• Software and hardware key storage
• Commercial and open source
• Development libraries, toolkits and applications
• Certificate Authority, directory, escrow, revocation, and other infrastructure tools
• Major server platforms
• Vendors include Microsoft, Sun, Cisco, IBM, BEA, RSA, Verisign, DST, Entrust, AOL, Adobe, Infomosaic, Aladdin, Schlumberger
Momentum Outside Higher Education
• Industry support for PKI
• Federal and State governments major adopters
• Microsoft, Sun, Johnson and Johnson, Disney, heavy industry adopters
• Major deployment in Europe
• Web Services (e.g. SAML uses PKI-signed assertions)
• China pushing WAPI wireless authentication that requires PKI
Likely Federal Opportunities
• FBCA, HEBCA bridges
• Proof of concept NIH EDUCAUSE project to demonstrate digitally signing documents for submission to the Federal government
• Possible DOE, NSF, NIH applications for Higher Education?
Dartmouth PKI Lab
• R&D to make PKI a practical component of campus networks
• Multi-campus collaboration sponsored by the Mellon Foundation
• Dual objectives:
– Deploy existing PKI technology to improve network applications (both at Dartmouth and elsewhere).
– Improve the current state of the art.
• Identify security issues in current products.
• Develop solutions to the problems.
Production PKI Applications at Dartmouth
• Dartmouth certificate authority – 1295 end users have certificates, 858 of them are enrolled students
• PKI authentication in production for:
– Banner Student Information System
– VPN Concentrator (2-factor)
– Active Directory smartcard logon
– Library Electronic Journals
– Tuck School of Business Portal
– Blackboard CMS
– Software downloads
• We plan to reach all Dartmouth users with PKI
• Starting to require tokens for staff
• Large token distribution to students
Investigation and Research
• Greenpass: pilot of 802.1x guest access delegation using PKI authentication credentials
– Supported by Cisco
• Wireless authentication
– 802.1x authentication with EAP-TLS (PKI) on Windows and Macintosh
– WEP or improved WPA encryption
– These work well but require up to date drivers (and sometimes recent hardware/firmware for WPA)
• Works for VPN authentication too
“Open Source CA in a Box”
• Hardened open source Certificate Authority (based on OpenCA) bundle suitable for trial and simple deployment
• PKI Lab’s “Enforcer” TPM-hardened Linux
– Controversial “TCPA” technology turned to use for good and freedom (secures the Linux boot process and provides much enhanced run-time protection against hackers)
• Packaging for easy installation (bootable CD): www.dartmouth.edu/~deploypki/CA/InstallOpenCALiveCD.html
Deploying PKI
• Get buy-in and support from management, legal, audit, others – a little fear of today’s risks is healthy.
• Architect carefully, learn from the examples of others.
• Just do it. Start simple, extend later.
• Start with low hanging fruit.
• Take a long term view - PKI ROI is excellent when leveraged broadly, not as strong for individual applications.
Project plan and how-to information for deploying PKI: www.dartmouth.edu/~deploypki/deploying/
Dartmouth’s Experiences
• End user PKI is challenging, but not intractable.
• Low-key, optional approach works well (but slowly).
• Multiple CA options are viable
– Outsource
– Open source/homegrown
– Commercial package
• Automated web application CA services work well.
• Encryption key escrow is a challenge we have avoided so far.
• Application support for PKI still has rough edges.
• PKI tokens for two-factor authentication are easy to justify.
• Biometric tokens may finally eliminate passwords?
• Users voluntarily adopt optional PKI that’s as easy as the alternative, but will adopt higher impact PKI (e.g. tokens) only when required.
• Users acknowledge the need for stronger security.
Outreach
• Many presentations: www.dartmouth.edu/~deploypki/events.html
• Educause Live! web seminar: www.educause.edu/live/2004/live045/
• March/April EDUCAUSE Review “New Horizons” article: www.educause.edu/ir/library/pdf/erm0427.pdf
• PKI Deployment Summit: www.dartmouth.edu/~deploypki/summit04
• Working with schools deploying PKI
– PKI’s inexpensive 2-factor authentication is proving an attractive proposition
– We can help you too!
Blatant Advertisement
• Please check out our outreach web at: www.dartmouth.edu/~deploypki
We seek to assist schools deploying PKI for end users, including direct assistance in the planning/justification, implementation, and deployment phases. Please let us know how we can help.
For More Information
• Outreach web: www.dartmouth.edu/~deploypki
• Dartmouth PKI Lab information: www.dartmouth.edu/~pkilab
• Dartmouth user information, getting a Dartmouth certificate: www.dartmouth.edu/~pki
Mark.J.Franklin@dartmouth.edu
I’ll happily send copies of these slides upon request.