Identity Management and PKI Credentialing at UTHSC-H
Bill Weems, Academic Technology, University of Texas Health Science Center at Houston

University of Texas Health Science Center at Houston (UTHSC-H)
• Six Schools
  • Graduate School of Biomedical Sciences
  • Dental School
  • Medical School
  • Nursing School
  • School of Health Information Sciences
  • School of Public Health
• ~10,000 Students, Faculty and Staff
PKI History at UTHSC-H
• 1996-97: U.T. System began considering PKI as a strategic initiative.
• 1998: U.T. System signed an MSA with VeriSign.
• 1998: UTHSC-H obtained 10,000 client seats.
  • Public/private keys stored in “soft key stores”.
  • A single cert used for digital signatures, encryption and access to restricted resources.
• 1999: Established an enterprise LDAP directory.
  • The user’s public cert is included as a user attribute.

PKI History at UTHSC-H
• 2002: UTHSC-H began issuing USB tokens.
  • Public/private keys generated in the “soft key” store and transferred to the hard token.
• 2003: VeriSign MSA modified to provide dual keys per seat: a signing key and an encryption key.
• 2004: Began generating public/private keys on USB E-Tokens (level 4 assurance).
• 2005: Projected issuance of 4,000 E-Tokens.
• 2005: Began phasing out “soft key” stores.
UTHSC-H: An Identity Provider (IdP)
It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.

UTHSC-H Strategic Authentication Goals
• Two authentication mechanisms.
  • Single university ID (UID) and password
  • Public Key Digital ID on token (two-factor authentication)
• Digital signatures
  • Authenticate senders
  • Guarantee messages are unaltered, i.e. message integrity
  • Provide for non-repudiation
• Legal signature
• Encryption of email and other documents
• Highly secure access control
• Potential for inherent global trust
Identity Vetting & Credentialing (diagram, two slides; the second adds UTHSC-H Two Factor Authentication): the Identity Provider (IdP, uth.tmc.edu) with its Permanent Identity Database obtains a Person’s physical characteristics, assigns an everlasting identifier and issues a digital credential; the identifier and the digital credential are permanently bound, and the credential can be activated by that person only.

UTHSC-H Identity Management System (architecture diagram; components shown): source systems HRMS, SIS, GMEIS, UTP and Guest MS; Identity Reconciliation & Provisioning Processes; Person Registry (INDIS); Authoritative Enterprise Directories (OAC7, OAC47) with Attribute Management and Sync; User Administration Tools; Authentication Service; Authorization Service; Change Password; Secondary Directories.
Obtaining a Digital Certificate
• Access the locally hosted CA’s web page
• Generate a public/private key pair
• Send the public key to the Certificate Authority
• RA verifies the applicant’s identity to the CA
• CA issues an X.509 certificate
• CA notifies the applicant that the DID is certified
• Applicant downloads the certified public key
• Applicant makes a backup of the DID

Obtaining a Digital Certificate: Hard Token – Level 4
• Applicant appears in person before the RA
• Inserts the E-Token in a USB port
• Accesses the Certificate Authority’s web page
• Token generates the public/private key pair
• Sends the public key to the Certificate Authority
• RA verifies the applicant’s identity to the CA
• CA issues an X.509 certificate
• Applicant downloads the certificate to the token
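The two enrollment procedures above, run end to end as an added example in Go (standard library only; this is not the university’s or VeriSign’s code): an in-memory CA issues an X.509 certificate for the applicant’s CSR once the RA’s checks pass, and the applicant then verifies what came back. The CA name “Example Campus CA”, the ECDSA P-256 keys, the one-year validity and the RA check being reduced to “requested name equals the vetted UID” are assumptions; the hard-token variant differs only in where the key pair is generated, which the code notes but cannot show.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on error: enrollment is all-or-nothing, so any failed step stops the example.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// enroll runs the slides' steps in memory. A hypothetical "Example Campus CA" stands in for the
// commercial CA; vettedUID is the identifier the RA confirmed out of band (in person for level 4).
func enroll(requestedCN, vettedUID string) (*x509.Certificate, error) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour)}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Steps 1-2: applicant generates the key pair (inside the device when a hard token is used).
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	// Step 3: only the public key leaves the applicant, wrapped in a CSR signed with the private key.
	csr := must(x509.ParseCertificateRequest(must(x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: requestedCN}}, userKey))))
	// Step 4: RA check: the CSR signature proves key possession, and the name must be the vetted identifier.
	if err := csr.CheckSignature(); err != nil || csr.Subject.CommonName != vettedUID {
		return nil, fmt.Errorf("RA rejected request for %q (vetted %q): %v", csr.Subject.CommonName, vettedUID, err)
	}
	// Step 5: CA binds the vetted identifier to the submitted public key in an X.509 certificate.
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: now.Add(-time.Minute), NotAfter: now.Add(365 * 24 * time.Hour)}
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey))))
	// Steps 6-7: applicant downloads the certificate and checks it chains to the CA and carries their key.
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: cert.ExtKeyUsage})
	if err != nil || !userKey.PublicKey.Equal(cert.PublicKey) {
		return nil, fmt.Errorf("applicant check failed: chain error %v, key match %t", err, userKey.PublicKey.Equal(cert.PublicKey))
	}
	return cert, nil
}
```

A request whose name does not match what the RA vetted is refused before the CA ever signs anything, which is the point of the in-person step on the level 4 slide.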
Lessons Learned
The focus of planning should be on how PKI and directory services make life great for people in cyberspace!!! Don’t focus on underlying theory, arcane concepts and minute implementation details. If basic infrastructure is in place along with user applications, people will use it and demand more.

What Is Needed To Reach Critical Mass?
• Develop a core group that operationally believes in & understands middleware!
• CA management system with basic policies.
• Basic operational LDAP directory service.
• As many “real” applications as possible!
• Solutions that use signing & encryption.
• Cherished resources PKI-enabled for access.
Why A Commercial CA?
• Texas requires a state-approved CA
  • Certificate Practice Statement (CPS)
  • Certificate Policy
  • Relying Party Agreement
• CA trust hierarchy automatically recognized by most browsers & clients worldwide.
• Provided a significant amount of support resources.