Internet2 Base CAMP Topics in Middleware: Authentication.


Page 1: Internet2 Base CAMP Topics in Middleware: Authentication.

Internet2 Base CAMP Topics in Middleware: Authentication

Page 2:

Introduction
Background
Authentication Defined
Authentication Methods
Password Discussion
Positioning for Single Sign On at MTU

Page 3:

Authentication Defined

Authentic
  – Conforming to fact and therefore worthy of trust, reliance, or belief
  – Having a claimed and verifiable origin or authorship; not counterfeit or copied
Authenticate
  – To establish the authenticity of; prove genuine
Authentication
  – The verification of the identity of a person or process. In a communication system, authentication verifies that messages really come from their stated source, like the signature on a (paper) letter or a check

Page 4:

Authentication Methods

Challenge-Response
Biometrics
Public Key Infrastructure (PKI)/Digital Certificates
Kerberos
Userid/Password Pairs

Page 5:

Passwords (Cons)

Passwords are “crackable”
Frequently sent over the network in the clear
Too many promote “sticky note” storage

Page 6:

Passwords (Pros)

User friendly
  – People get the concept (like an ATM PIN #)
  – Technology tends to get in the way with PKI and S/Key
Easy to manage
Supported across platforms

Page 7:

Password Security

Require a minimum password length
  – “Wider is better”
Require non-alphanumeric text
  – Increases your password alphabet
  – Passwords more difficult to crack
Attempt to crack passwords
  – During password change
  – Constantly, for all users
Maintain a password history
  – Attempts to regulate password reuse
  – Easily circumventable
  – Creates a list of users’ passwords (bad)

Page 8:

Password Security Continued

Implement an account lockout mechanism
  – Attempts to keep real-time crackers at bay
  – Introduces a possible DoS for users
Implement “shared secrets”
  – Reduces administrative involvement in password resets
  – Useful in distance education situations
Use photo identification
  – Online and/or on an ID card

Page 9:

Password Security Continued

Develop a password expiration policy
  – No password expiration
  – Passwords expire at regular intervals
Never store a password as plain text
  – One-way crypt algorithms for password files
  – Symmetric ciphers for scripts
Maintain audit logs
  – Useful in tracking violators
  – Watch out for privacy issues
  – Watch out for cancerous growth

Page 10:

Password Security Continued

Develop procedures/policies for proper use of privileged accounts
  – Never send unencrypted
  – No “sticky note” storage
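The password-security slides (pages 7 to 10) reduce to a few mechanical controls. The following is an added example, not code from the deck or from Michigan Tech, that shows them together in Python: a minimum length, a non-alphanumeric requirement and the alphabet it buys, a salted one-way hash (PBKDF2 is assumed here as a modern stand-in for the crypt algorithms the slide names), and a password history kept as hashes rather than the list of users’ passwords the slide warns about. Constants, class names and the sample passwords are constructed.

```python
import hashlib
import hmac
import secrets
import string

MIN_LENGTH = 12          # "wider is better": length is the cheapest strength gain
PBKDF2_ROUNDS = 600_000  # one-way, deliberately slow hash (assumed stand-in for crypt)
HISTORY_DEPTH = 5        # how many previous hashes to keep for reuse checks

def check_policy(password):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in string.punctuation for c in password):
        problems.append("no non-alphanumeric character")
    return problems

def alphabet_size(password):
    """Size of the alphabet a cracker must search given the classes used."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, len(string.punctuation))]
    return sum(n for test, n in classes if any(test(c) for c in password))

def hash_password(password, salt=None):
    """Salted one-way hash; returns (salt, digest) so nothing recoverable is stored."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class Account:
    """Stores only (salt, digest) pairs: the current one plus a short history."""
    def __init__(self, password):
        self.history = []
        self.set_password(password)

    def set_password(self, new):
        problems = check_policy(new)
        if problems:
            raise ValueError("policy: " + ", ".join(problems))
        # Reuse check re-hashes the candidate under each old salt; no plaintext list needed.
        for salt, digest in self.history:
            if hmac.compare_digest(hash_password(new, salt)[1], digest):
                raise ValueError("policy: password reused")
        self.history.append(hash_password(new))
        self.history = self.history[-HISTORY_DEPTH:]

    def verify(self, candidate):
        """Constant-time comparison against the current hash only."""
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(candidate, salt)[1], digest)
```

The history still lets an attacker who steals the file test guesses against every old hash, which is the slide’s point about history being a liability; keeping it short and salted limits that exposure but does not remove it.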

Page 11:

Positioning for Single Sign On
What Michigan Tech Is Doing

Introducing LDAP
  – Unique userid registry
  – Unique Identifier
  – White Pages
      • Non-critical system
      • All the person entries in one place

Page 12:

Positioning for Single Sign On Continued

Web Single Sign On
  – No account information required
      • UUID
      • SID
      • Login Shell
      • Home Directory
  – No clear text transmission of password
  – Easy for others to implement
  – Easy to demonstrate
  – Reduced Sign On
  – Pubcookie/WebISO
  – SAML (Security Assertion Markup Language)

Page 13:

Web Authentication at MTU

[Diagram with three parties: Client, Web Application, Web authN service. Labels on the flow: “Not Logged In”, “Authenticate”, “Issue cookie/credential”.]
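The diagram’s three parties exchange a cookie/credential rather than the password itself. The following is an added example, not MTU’s or Pubcookie’s code and not Pubcookie’s cookie format, of the Web authN service issuing an HMAC-signed, expiring cookie after “Authenticate”, and the Web Application checking it to decide between serving the page and sending a “Not Logged In” client to the authN service. The key, user ids and the login URL are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SERVICE_KEY = secrets.token_bytes(32)  # constructed; shared by authN service and web app
COOKIE_TTL = 600                       # seconds a credential stays valid
LOGIN_URL = "https://webauth.example.edu/login"  # hypothetical authN service address

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))

def issue_credential(userid, key=SERVICE_KEY, now=None):
    """Web authN service: after the user authenticates, sign a claim carrying only the userid."""
    now = int(time.time()) if now is None else now
    claims = {"uid": userid, "iat": now, "exp": now + COOKIE_TTL}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = _b64(hmac.new(key, body, hashlib.sha256).digest())
    return (body + b"." + tag).decode()

def verify_credential(cookie, key=SERVICE_KEY, now=None):
    """Web application: return the userid from a valid, unexpired cookie, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = cookie.encode().split(b".", 1)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return None                      # forged or tampered: verify before trusting claims
        claims = json.loads(_unb64(body))
        if now >= claims["exp"]:
            return None                      # expired: send the client back to authenticate
        return claims["uid"]
    except (ValueError, KeyError, TypeError):
        return None                          # malformed cookie is treated as Not Logged In

def handle_request(cookie, key=SERVICE_KEY, now=None):
    """Web application entry point: ('serve', userid) or ('redirect', authN service URL)."""
    uid = verify_credential(cookie, key, now) if cookie else None
    if uid is None:
        return ("redirect", LOGIN_URL)
    return ("serve", uid)
```

Only the authN service ever sees the password; the web application needs nothing but the shared key, which is what lets the slide claim that no account information is required on the application side.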

Page 14:

Positioning for Single Sign On Continued

Single Password Issues
  – Cross platform
      • Difficult to synchronize across platforms
  – Catch-22 issues
      • Reset password notification
  – Application issues
      • AuthN capabilities

Page 15:

Positioning for Single Sign On Continued

Central Authentication System Issues
  – Network issues
      • Availability
      • Load
  – Central storage issues
      • Reliability
      • Disk Space
  – Account management issues
      • Who owns which users?
      • Who can change account information?

Page 16:

Positioning for Single Sign On Continued

Reduced account management
  – No password files / NIS
  – Delegated administration
Enforceable secure protocols
Standard authN across campus and off campus

Page 17:

Sources

Identifiers, Authentication, and Directories: Best Practices for Higher Education. http://middleware.internet2.edu/internet2-mi-best-practices-00.html

The Free On-line Dictionary of Computing, © 1993-2001 Denis Howe

The American Heritage® Dictionary of the English Language, Fourth Edition. Copyright © 2000 by Houghton Mifflin Company. Published by Houghton Mifflin Company. All rights reserved.