William A. Weems
William.A.Weems@uth.tmc.edu
University of Texas Health Science Center at Houston
Why Users Like PKI & Directory Services
Middleware, such as public key infrastructure and directory services, solves “real problems” for users and IT professionals alike.
Core Middleware Services
• Identifiers
• Authentication
• Directories
• Authorization
• Certificates (Public Key Infrastructure)
Digital ID
• Having one makes life much, much easier!
• Globally authenticates its owner’s identity
• Allows owner to digitally sign
  • E-mail
  • Electronic documents
  • Software programs
• Encrypt messages & documents
Must Touch & Feel Middleware Applications To Understand Their Importance
• This is true both for general users and IT staff.
• If we had only abstractly discussed the Web and not had Mosaic & NCSA’s server, where would the web be today?
What Makes Technology Revolutionary? Herbert A. Simon, 1987
Importance of Education By Immersion
“Most Americans, after all, did not learn to drive automobiles in driver-education class. Instead, they learned to drive because there was a Model T on the farm, or maybe a tractor, and there was something or someone that had to be moved from here to there” - Herbert A. Simon, 1987
“so they got in their cars and figured out what all those levers and pedals did, how to take the car apart and put it together again. None of this was planned ahead of time; …”
“We educated ourselves about them because we had to, and it was easy to do because they were all around us.” - Herbert A. Simon, 1987
Would you be so kind as to change and restore my password? I was not able to connect via telnet from home. This email is signed; if you change my pwd and send it to me encrypted, it will be safe. --Stephen
Help Desk Scenarios
• User’s password times out or is forgotten
• User contacts Help Desk
• How does Help Desk identify user?
  • Signed e-mail request from user.
• How is new password securely sent to user?
  • Signed and encrypted e-mail containing password.
Data Driven Services (diagram): the Certificate Authority and the LDAP Directory are fed from the Resident Database, Student Information System, Personnel Database and Guest Database.
3-Tier System (diagram): Web/Application Server, LDAP Directory, Oracle Database. Flows shown: “Request Authenticated Access” → “Is Cert in LDAP?” → “Yes, Cert in LDAP”; “Formatted Queries & Data Exchange” and “Data Exchange” between the tiers.
Access Control Scenarios
• User wants to sponsor guest for IT privileges
• Accesses “Guest Sponsor” form on Web.
• Successfully completes authentication process.
• Only faculty or A&P are authorized to sponsor.
• If user meets authorization criteria, can sponsor.
Two Distinct Operational Concepts:
• Authentication
  • Establishes that the presenting entity is who she/he/it pretends to be.
• Authorization
  • Is the authenticated entity entitled to do what is being requested?
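The guest-sponsor scenario and the “Is Cert in LDAP?” step of the 3-tier diagram, worked through as an added example (not code from the talk or from UTHSC-H): the web tier first answers the authentication question by looking the presented certificate up in the directory, then answers the separate authorization question from the entry’s role attributes. The directory, certificate bytes and the `employeeType` value “A&P” are constructed assumptions; `eduPersonAffiliation` is a real eduPerson attribute name.

```python
import hashlib

# Added example, not from the talk. The directory below is a constructed,
# in-memory stand-in for the LDAP directory in the 3-tier diagram: each
# entry is keyed by the SHA-256 fingerprint of the DER certificate the
# web/application server received during client authentication. The
# certificate bytes here are placeholders, not real certificates.
def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()


# eduPersonAffiliation is a real eduPerson schema attribute; the
# "A&P" employeeType value is an assumption made for this example.
DIRECTORY = {
    fingerprint(b"CONSTRUCTED-CERT-ALICE"): {
        "uid": "alice", "eduPersonAffiliation": ["faculty"]},
    fingerprint(b"CONSTRUCTED-CERT-BOB"): {
        "uid": "bob", "eduPersonAffiliation": ["student"]},
    fingerprint(b"CONSTRUCTED-CERT-CAROL"): {
        "uid": "carol", "eduPersonAffiliation": ["staff"], "employeeType": "A&P"},
}

# Authorization policy for the "Guest Sponsor" form: faculty or A&P only.
SPONSOR_ROLES = {"faculty", "A&P"}


def authenticate(cert_der: bytes):
    """Authentication: is the presented certificate one the directory knows?

    Returns the directory entry, or None when the cert is not in LDAP.
    """
    return DIRECTORY.get(fingerprint(cert_der))


def roles_of(entry: dict) -> set:
    """Collect the role values the authorization decision is based on."""
    roles = set(entry.get("eduPersonAffiliation", []))
    if "employeeType" in entry:
        roles.add(entry["employeeType"])
    return roles


def is_authorized_to_sponsor(entry: dict) -> bool:
    """Authorization: a separate question from identity. Does this
    authenticated person hold a role that may sponsor guests?"""
    return bool(roles_of(entry) & SPONSOR_ROLES)


def sponsor_decision(cert_der: bytes, guest_name: str) -> dict:
    """Run the two steps in order and report which one, if any, failed."""
    entry = authenticate(cert_der)
    if entry is None:
        return {"allowed": False,
                "reason": "authentication failed: cert not in LDAP"}
    if not is_authorized_to_sponsor(entry):
        return {"allowed": False, "sponsor": entry["uid"],
                "reason": "authenticated, but role not authorized to sponsor"}
    return {"allowed": True, "sponsor": entry["uid"], "guest": guest_name,
            "reason": "authorized"}


if __name__ == "__main__":
    for cert in (b"CONSTRUCTED-CERT-ALICE", b"CONSTRUCTED-CERT-BOB",
                 b"CONSTRUCTED-CERT-CAROL", b"CONSTRUCTED-CERT-UNKNOWN"):
        print(sponsor_decision(cert, "Visiting Scholar"))
```

Keeping the two checks in separate functions is the point of the slide: a student with a perfectly valid certificate authenticates fine and is still refused at the authorization step, and the returned reason tells the operator which of the two gates closed.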
User ID/Password Authentication: Very Risky Business
• Too, too many user ID/password pairs to remember. Because of the huge number of user IDs & passwords that an individual must remember, one often reuses the same user ID and password when possible. Thus, when a password used for access to multiple systems is compromised, all those systems become vulnerable. Since everyone has this problem, people feel the situation is hopeless and don’t really consider that there may be solutions!
User ID/Password Authentication
• Too easy to share passwords
• User’s perception as to password’s importance: if one feels that what is being protected is not personally important, the probability is high that one will share the password. Conversely, if a single user ID/password pair protects everything of importance to an individual, one is highly unlikely to share that password.
User ID/Password Authentication
• Passwords used online can easily be captured.
• Separate user ID/password pairs used to determine authorization rights. If different levels of authorization are determined by different user IDs and passwords, then the number of passwords that one must remember grows even more.
User ID/Password Authentication
• Too many individuals other than the user can alter a user’s password. This situation has many associated problems.
  • Does a request for password change really come from the assigned user?
  • Usually requires a temporary password that a user may not reset.
  • Someone with administrative privileges inappropriately misuses a person’s account.
Digital IDs (i.e. certs) Provide Strong Authentication
• Password known only to “owner”.
• Password never transmitted on the network.
• Digital ID verified by a third party.
• Digital ID globally recognized.
• Multiple mechanisms for detecting revoked digital ID.
• Can be a strong, two-factor authentication process.
Visions of Camelot in Cyberspace
• Two authentication mechanisms.
  • Single Net ID and password.
  • Digital ID (DID)
• Digital ID can be used to set password for Net ID/password process
  • No one but “owner” ever knows Net ID password.
  • When password of Net ID is “aged”, say every 90 days, user can use DID to reset the password. User never has to contact help desk and help desk free to do other tasks!
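The properties on the “Digital IDs Provide Strong Authentication” slide and the Camelot password-reset flow, carried through end to end as an added example (not code from the talk, from the UT System CA, or from any real PKI library). A CA signs a binding of name to public key; the relying party checks that signature and a revocation list; the owner proves possession of the private key by signing a fresh server nonce, so nothing secret crosses the network; only then is the aged Net ID password reset, and the server stores a salted hash rather than the password. The RSA here is textbook RSA with tiny primes and no padding, an illustration only; the keys, serials, names and CRL contents are constructed.

```python
import hashlib
import json
import secrets

# ---- Toy textbook RSA (small primes, no padding). Illustration only:
# ---- real deployments use standard libraries, large keys and padding.
def toy_keypair(p: int, q: int, e: int):
    """Return (public, private) dicts for primes p, q and public exponent e."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return {"n": n, "e": e}, {"n": n, "d": d}

def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of data reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv: dict, data: bytes) -> int:
    return pow(digest_int(data, priv["n"]), priv["d"], priv["n"])

def verify(pub: dict, data: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == digest_int(data, pub["n"])

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()

# ---- Certificate authority: binds a subject name to a public key by signing it.
def issue_cert(ca_priv: dict, serial: int, subject: str, pub: dict) -> dict:
    body = {"serial": serial, "subject": subject, "n": pub["n"], "e": pub["e"]}
    return {"body": body, "sig": sign(ca_priv, canonical(body))}

# ---- Relying party (the web/application server): trust the CA, check revocation.
def verify_cert(ca_pub: dict, crl: set, cert: dict) -> bool:
    if not verify(ca_pub, canonical(cert["body"]), cert["sig"]):
        return False                               # not issued (or altered) by the trusted third party
    return cert["body"]["serial"] not in crl       # revoked DIDs are rejected

def authenticate_with_did(ca_pub, crl, cert, nonce: bytes, response: int):
    """Challenge-response: the owner proves possession of the private key by
    signing a fresh nonce. No password or key ever crosses the network."""
    if not verify_cert(ca_pub, crl, cert):
        return None
    pub = {"n": cert["body"]["n"], "e": cert["body"]["e"]}
    return cert["body"]["subject"] if verify(pub, nonce, response) else None

# ---- Net ID password store: salted PBKDF2 hashes only, never the password.
PASSWORD_STORE = {}

def reset_netid_password(subject: str, new_password: str) -> None:
    salt = secrets.token_bytes(16)
    PASSWORD_STORE[subject] = (
        salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000))

def check_netid_password(subject: str, password: str) -> bool:
    if subject not in PASSWORD_STORE:
        return False
    salt, stored = PASSWORD_STORE[subject]
    return secrets.compare_digest(
        stored, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

def did_password_reset_flow(ca_pub, crl, cert, priv, new_password: str) -> bool:
    """The Camelot flow: authenticate with the DID, then let the owner set the
    aged Net ID password themselves, with no help desk involved."""
    nonce = secrets.token_bytes(16)              # server-side challenge
    response = sign(priv, nonce)                 # computed on the owner's side
    subject = authenticate_with_did(ca_pub, crl, cert, nonce, response)
    if subject is None:
        return False
    reset_netid_password(subject, new_password)
    return True

# Constructed keys and certificates (tiny primes; toy values, not real DIDs).
CA_PUB, CA_PRIV = toy_keypair(61, 53, 17)
ALICE_PUB, ALICE_PRIV = toy_keypair(101, 113, 3)
BOB_PUB, BOB_PRIV = toy_keypair(89, 97, 5)
ALICE_CERT = issue_cert(CA_PRIV, 1, "alice", ALICE_PUB)
BOB_CERT = issue_cert(CA_PRIV, 2, "bob", BOB_PUB)
CRL = {2}   # Bob's DID has been revoked

if __name__ == "__main__":
    print("alice reset:", did_password_reset_flow(CA_PUB, CRL, ALICE_CERT, ALICE_PRIV, "new-pass"))
    print("bob reset (revoked):", did_password_reset_flow(CA_PUB, CRL, BOB_CERT, BOB_PRIV, "new-pass"))
    print("alice login:", check_netid_password("alice", "new-pass"))
```

Two details map directly onto the slide’s bullets: the revocation check sits inside certificate verification, so a revoked DID fails before any challenge is issued, and the reset path never sees or stores the old password, which is what lets the help desk drop out of the loop.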
Lessons Learned
The focus of planning should be on how PKI and directory services make life great for people in cyberspace!!! Don’t focus on underlying theory, arcane concepts and minute implementation details. If basic infrastructure is in place along with user applications, people will use it and demand more.
Lessons From the UT System PKI Initiative
• Even though the certificate authority infrastructure and basic policies are in place for 16 components, most institutions have done almost nothing with this infrastructure
• Most IT personnel do not operationally understand the importance of middleware!!!
• Do not require DIDs for a single application that is almost never used.
What UTHSC-H Users are Demanding
• No new user ID/password challenges.
• Ability to sign on-line Web forms.
• Processes that use signed, and when appropriate, encrypted e-mail.
• Ability to sign and encrypt documents.
• Archive signed documents.
• DID-containing tokens for mobility.
What Is Needed To Reach Critical Mass?
• Develop a core group that operationally believes in & understands middleware!
• CA management system with basic policies.
• Basic operational LDAP directory service.
• As many “real” applications as possible!
  • Solutions that use signing & encryption.
  • Cherished resources PKI-enabled for access.
When “Best” to Require Digital IDs
• Issue to typical users ONLY if they have at least one frequently used application that requires a DID!
• The more applications the better!
• Best to have both “signing” & access applications!!!
“The reason that the steam engine and associated inventions proved to be revolutionary is that they did not do anything specifically. Rather they allowed us to move in innumerable directions.”
“Revolutionary significance lies in generality.” - Herbert A. Simon, 1987