Access ‘98: Authentication & Security. George Machovec, Technical Director, Colorado Alliance of Research Libraries
Authentication & Security • Authentication: to allow users to access the appropriate networked databases from anywhere at any time. A user establishes a right to an identity. • Authorization: to allow users to receive the appropriate suite of electronic products to which they are entitled. Is an “identity” permitted to perform some action?
Authentication & Security • Libraries and consortia offer broad suites of electronic products which must be accessed both on-campus and remotely. • Dial-in users through commercial ISPs • Faculty on Sabbatical • Distance education • Other authorized users not on campus for whatever reason
Authentication & Security • Typical kinds of services libraries want to distribute: • OCLC FirstSearch • Ovid or SilverPlatter (local or remote) • Information Access Company • Encyclopaedia Britannica • GaleNet • Hundreds of others
Authentication & Security • Authentication Strength • Reasonable security which meets the requirements of both the university and the supplier of data is important. This is somewhat subjective and depends on what is being protected, how easily it can be “hacked,” and what the likelihood and consequences of a breach are, whether a single incident or a systematic one.
Authentication & Security • Granularity of Requirements • How finely must users be segregated for access to different resources (e.g. faculty, grad students, undergrads, staff, community borrowers) • How does granularity affect pricing? • What about use statistics? • Be practical...
Authentication & Security • Privacy Issues • Confidentiality of users with vendors is key • Possible data gathered by vendor should be protected via contract from resale or reuse • Many universities are bound by privacy laws or legislative constraints • Encryption as protection from hackers may offer better privacy but may not always be practical
Authentication & Security Techniques • IP Filtering - An IP address (or range of addresses) is used to filter access to a database or service, so that only users at a PC (e.g. a browser) whose address falls within the registered network range may gain access.
Authentication & Security IP Filtering
Benefits • Widely used • Well understood • No passwords to remember or change • No unauthorized distribution of passwords
Drawbacks • Must be at a browser within an IP range • Bad for remote users • Many academics are dropping their modem pools or they are too small • Little granularity in use data
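The filter in working form, as an added example in modern Go (not code from the 1998 deck or from the Colorado Alliance): the client address is matched against the CIDR blocks an institution would register with a vendor, and the one pitfall a reverse proxy introduces is handled explicitly. The campus blocks, the trusted-proxy address and the request cases are constructed from RFC 5737 documentation prefixes.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// Address blocks the institution has registered with the vendor. Constructed
// for this example from RFC 5737 documentation prefixes, not real campus space.
var CampusRanges = []string{"192.0.2.0/24", "198.51.100.0/24"}

// The only peers whose X-Forwarded-For header is believed, e.g. the library's
// own reverse proxy. The header from anyone else is ignored.
var TrustedProxies = []string{"203.0.113.10/32"}

// InRanges reports whether ip lies inside any of the CIDR blocks. Malformed
// input on either side counts as "not allowed" rather than as a wildcard, so a
// bad configuration line cannot open the resource to everyone.
func InRanges(ip string, cidrs []string) bool {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return false
	}
	addr = addr.Unmap() // ::ffff:192.0.2.7 must match 192.0.2.0/24
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err == nil && p.Contains(addr) {
			return true
		}
	}
	return false
}

// hostOnly strips the port from the "ip:port" / "[v6]:port" forms that
// http.Request.RemoteAddr carries; a bare address passes through unchanged.
func hostOnly(remoteAddr string) string {
	if h, _, err := net.SplitHostPort(remoteAddr); err == nil {
		return h
	}
	return remoteAddr
}

// EffectiveClientIP chooses the address the filter is applied to. The TCP
// peer is authoritative unless it is a trusted proxy, in which case the last
// X-Forwarded-For entry (the one that proxy appended) is used. Honouring the
// header from arbitrary peers would let any remote user claim a campus address.
func EffectiveClientIP(remoteAddr, xff string) string {
	peer := hostOnly(remoteAddr)
	if xff == "" || !InRanges(peer, TrustedProxies) {
		return peer
	}
	hops := strings.Split(xff, ",")
	return strings.TrimSpace(hops[len(hops)-1])
}

// Allowed is the complete IP-filter decision for one request.
func Allowed(remoteAddr, xff string) bool {
	return InRanges(EffectiveClientIP(remoteAddr, xff), CampusRanges)
}

func main() {
	cases := []struct{ remote, xff, note string }{
		{"192.0.2.44:51234", "", "on-campus workstation"},
		{"203.0.113.10:40000", "192.0.2.44", "same user via the library proxy"},
		{"100.64.7.9:33000", "", "faculty member at home on a commercial ISP"},
		{"100.64.7.9:33000", "192.0.2.44", "same user forging the header"},
	}
	for _, c := range cases {
		fmt.Printf("%-44s allowed=%v\n", c.note, Allowed(c.remote, c.xff))
	}
}
```

Both drawbacks on the slide show up in the output: the user at home on a commercial ISP is refused however valid their library card, and forging X-Forwarded-For buys them nothing because the header is consulted only when the TCP peer is the library's own proxy. IPv6 campus prefixes go in the same list; netip handles both families in one Contains call.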
Authentication & Security Techniques • UserID and Passwords - the distribution of logins and passwords for access to computer systems has historically been widespread in the computing community. Upon reaching an electronic resource the user is asked to log in. In more secure systems passwords are changed periodically.
Authentication & Security UserID and Passwords
Benefits • Widely employed and often used in conjunction with IP filtering • Available on most services • Can be remembered and used from anywhere
Drawbacks • Files must be maintained • Encryption of passwords? • Z39.50 compatibility may be a problem, esp. with encryption • Unauthorized distribution
Authentication & Security Techniques • Hybrid Solutions with IP Filter + UserID/Password if filtering fails - In this scenario a user goes to a resource and goes through IP source address filtering; if it fails the user is then prompted for a UserID and password to establish their identity.
Authentication & Security Hybrid IP Filtering + UserID
Benefits • Works for local and remote users • Does not require the “hassle” of a password when a person is on your local network • Implementation of this solution can range from easy to complex
Drawbacks • Must maintain a user file • Unauthorized UserID distribution is a danger • May work well in some situations and not others
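The UserID/password and hybrid slides above raise the same two implementation questions: what the user file should actually hold (“Encryption of passwords?”) and how the fall-back from IP filter to credential check fits together. This added example in Go, not code from the deck or from any system it describes, answers both: the patron file stores only a random salt and a PBKDF2-HMAC-SHA256 derived key per card number, verification is constant-time, and Check admits campus addresses without a password before consulting the file. The card number, password and address range (RFC 5737) are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"net/netip"
)

// Kept modest so the example runs quickly; OWASP currently advises 600,000 for PBKDF2-HMAC-SHA256.
const iterations, keyLen = 100_000, 32

// pbkdf2 is PBKDF2-HMAC-SHA256 (RFC 8018), written out so the example needs only
// the standard library. Use a vetted implementation in production.
func pbkdf2(password, salt []byte, iter, length int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < length; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write(binary.BigEndian.AppendUint32(nil, block))
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// Patron is one record of the library's user file: card number, random salt and
// derived key. The password itself is never written down.
type Patron struct {
	CardID    string
	Salt, Key []byte
}

// Enrol creates a record with a fresh 16-byte salt.
func Enrol(cardID, password string) (Patron, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Patron{}, err
	}
	return Patron{cardID, salt, pbkdf2([]byte(password), salt, iterations, keyLen)}, nil
}

// Verify checks a password against the stored key in constant time.
func (p Patron) Verify(password string) bool {
	got := pbkdf2([]byte(password), p.Salt, iterations, keyLen)
	return subtle.ConstantTimeCompare(got, p.Key) == 1
}

// Decision records how a request was admitted; it is also the hook for use
// statistics, since IP-admitted users stay anonymous and credential users do not.
type Decision int

const (
	Denied Decision = iota
	ByIP
	ByCredential
)

// dummy is verified against for unknown card IDs, so response time cannot tell
// an attacker a missing card from a wrong password.
var dummy, _ = Enrol("", "")

// Check applies the hybrid rule: a campus address is admitted with no password at
// all; anyone else must present a card ID and password found in the patron file.
func Check(campus []netip.Prefix, patrons map[string]Patron, clientIP, cardID, password string) Decision {
	if addr, err := netip.ParseAddr(clientIP); err == nil {
		for _, p := range campus {
			if p.Contains(addr.Unmap()) {
				return ByIP
			}
		}
	}
	rec, known := patrons[cardID]
	if !known {
		rec = dummy
	}
	if rec.Verify(password) && known {
		return ByCredential
	}
	return Denied
}

func main() {
	campus := []netip.Prefix{netip.MustParsePrefix("192.0.2.0/24")} // RFC 5737 block standing in for campus space
	alice, _ := Enrol("2110000123456", "correct horse battery")    // constructed patron record
	patrons := map[string]Patron{alice.CardID: alice}
	fmt.Println(Check(campus, patrons, "192.0.2.9", "", ""))                                 // ByIP (1): no password asked
	fmt.Println(Check(campus, patrons, "100.64.7.9", alice.CardID, "correct horse battery")) // ByCredential (2)
	fmt.Println(Check(campus, patrons, "100.64.7.9", alice.CardID, "wrong"))                 // Denied (0)
	fmt.Println(Check(campus, patrons, "100.64.7.9", "0000000000000", ""))                   // Denied (0), same timing as the line above
}
```

Because unknown card IDs are run through the same key derivation as known ones, a wrong card number and a wrong password take the same time, so the login prompt cannot be used to enumerate the card numbers harvested from an OPAC. What the code cannot fix is the slide's last drawback: nothing stops a patron handing card number and password to someone off campus, which is why remote use ends up logged per credential rather than per address.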
Authentication & Security • Proxy Servers - In this technique a user must log in to, or pass an IP filter at, an intermediate server which the end service trusts to pass on only legitimate users. This can be used in telnet, Z39.50 or HTTP sessions. In Web sessions the proxy may cache pages or return a Java applet to the browser so that it takes on the proper identity toward the end service.
Authentication & Security Proxy Servers
Benefits • Can be used from anywhere • Central management and control • Well understood technology • Modularizes the authentication problem
Drawbacks • Single point of failure • Extra overhead • Double handling of traffic in a “mechanical proxy” • Still may need to maintain a user file, with its security issues
Authentication & Security Techniques • Credential Based Approaches - A user interacts directly with the end resource over the net. Issues include: • What credentials are presented by the user? • How are credentials secured? • How are credentials validated by the issuing institution?
Authentication & Security Credentials • Password-based Credentials - the information resource maintains a password file of users. This technique has many of the drawbacks associated with any UserID approach. Other weaknesses: • Confidentiality/Privacy • How will the password file be updated? • Must be done on a resource-by-resource basis
Authentication & Security Credentials • Certificate-based Credentials - an X.509 certificate-based approach gives the user's machine a credential that supports its right to use a name, and lets a relying party verify that claim against a certificate authority (e.g. one run by the institution or by a 3rd party). X.509 certificates carry an expiration date, can be revoked, and can include additional attributes such as demographic data; the certificate is bound to a private key that stays with the user.
Authentication & Security Certificate-Based
Benefits • Well defined protocol/process for validation • X.509 uses a lower-level, protocol-integrated method • Works well in HTTP • Flexible / much work in this area
Drawbacks • Difficult to distribute • Complicated for users to install (esp. if a user has several PCs) • Backup, maintenance and recovery • Problematic on shared PCs (e.g. reference) • Must be supported by the end resource too...
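What the “well defined protocol/process for validation” amounts to in practice, as an added example in Go (not code from the deck or from any product it names): an institution-run CA issues a patron a client certificate whose subject carries the library card number, and the end resource chains it back to that CA, checks the validity window and the client-authentication usage, and reads the identity out of the subject. The CA name, organization and card number are constructed; Go's standard-library x509 package does the parsing and chain building.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial gives each certificate a unique 63-bit serial number.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
}

// IssueCA creates the institution's self-signed certificate authority. The name
// is constructed for this example.
func IssueCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "Example University Library CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssuePatronCert signs a client certificate naming one patron and returns the
// DER certificate with its key pair. In a real deployment the key is generated on
// the patron's own machine and never leaves it, which is exactly the distribution
// and shared-PC problem the slide lists.
func IssuePatronCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cardID string,
	notBefore, notAfter time.Time) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cardID, Organization: []string{"Example University"}},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key, err
}

// VerifyPatron is the end resource's side: chain the presented certificate to the
// institution's CA, require the client-authentication usage, check validity at
// now, and return the identity (card ID) it asserts. Revocation is not checked
// here; that needs a CRL or OCSP responder published by the issuer.
func VerifyPatron(der []byte, ca *x509.Certificate, now time.Time) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, _ := IssueCA() // demo main: the functions above report RNG errors, ignored here
	now := time.Now()
	der, _, _ := IssuePatronCert(ca, caKey, "2110000123456", now.Add(-time.Hour), now.AddDate(1, 0, 0))
	id, err := VerifyPatron(der, ca, now)
	fmt.Println("today:", id, err) // card ID accepted, no error
	_, err = VerifyPatron(der, ca, now.AddDate(2, 0, 0))
	fmt.Println("two years on:", err) // rejected as expired
}
```

The rejection paths are the ones a vendor cares about: a certificate from a different issuer fails chain building, and one checked outside its validity window fails with an expiry error. Revocation, which the slide lists among X.509's capabilities, is deliberately absent: Verify consults no CRL, so the institution must publish revocation data and the resource must fetch it, one more piece of the “must be supported by the end resource too” drawback.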
Authentication & Security Examples - Colorado Alliance • Colorado Alliance of Research Libraries - Uses a hybrid IP filtering + UserID scheme. If a user fails the IP filtering they are prompted for a library card ID and name, which are looked up in an SQL database. The file is harvested from local III and CARL library OPACs. A CGI then logs the user into the local or remote resource.
Authentication & Security Examples - VIVA (Virginia) • VIVA has 39 libraries and runs a central proxy server. A weekly extraction of library card numbers is made from the OPACs and loaded into a central file. The system downloads a Java applet to the local browser so that it can take on the proper identity when going to the remote service. Once a user logs in to the proxy, the proxy goes to the remote system, which applies its IP filter test. The proxy is only involved once... • Netscape Proxy Server 2.5 • Http://timesync.gmu.edu/proxy.html
Authentication & Security Examples - IAC • IAC Remote Patron Authentication Service - Does an IP filter check and, if it fails, consults a flat ASCII patron file maintained by the local institution. • Only works with IAC Searchbank products • Extra charge for this product from IAC • Must still maintain your own patron file
Authentication & Security Examples - Innovative Interfaces • III Web Access Management - In Release 12 this is a true proxy server module which automatically checks the patron file on the local III system. Can support patron-type limits. Problems include: • Limited to 50 targets (25 in Release 11) • Uses up III concurrent-user slots (very expensive) • Requires set-up on each browser to point at this proxy server
Authentication & Security Examples - Athens (U.K.) • Central (but mirrored) authentication system for all of higher education in the UK, covering >2 million students and faculty • Built around Sybase on multiple servers. UserID & password based for all resources • Local institutions must upload patron records in a prescribed format • Supports all types of resources (several thousand), including Web and Telnet targets. http://www.athens.ac.uk/info/authentication.html