Identity Management and PKI Credentialing at UTHSC-H


Presentation Transcript


  1. Identity Management and PKI Credentialing at UTHSC-H. Bill Weems, Academic Technology, University of Texas Health Science Center at Houston

  2. University of Texas Health Science Center at Houston (UTHSC-H)
  • Six Schools
    • Graduate School of Biomedical Sciences
    • Dental School
    • Medical School
    • Nursing School
    • School of Health Information Sciences
    • School of Public Health
  • ~10,000 Students, Faculty and Staff

  3. PKI History at UTHSC-H
  • 1996-97 U.T. System began considering PKI as a strategic initiative.
  • 1998 U.T. System signed an MSA with VeriSign.
  • 1998 UTHSC-H obtained 10,000 client seats.
    • Public/private keys stored in “soft key stores”.
    • A single cert used for digital signatures, encryption and accessing restricted resources.
  • 1999 Established enterprise LDAP directory.
    • User’s public cert included as a user attribute.

  4. PKI History at UTHSC-H
  • 2002 UTHSC-H began issuing USB tokens.
    • Public/private keys generated in the “soft key” store and transferred to the hard token.
  • 2003 VeriSign MSA modified to provide dual keys per seat: signing and encryption keys.
  • 2004 Began generating public/private keys on USB E-Tokens (level 4 assurance).
  • 2005 Projected issuance of 4,000 E-Tokens.
  • 2005 Begin phasing out “soft key” stores.

  5. UTHSC-H: An Identity Provider (IdP) It is critical to recognize that the university functions as an identity provider (IdP) in that UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.

  6. UTHSC-H Strategic Authentication Goals
  • Two authentication mechanisms:
    • Single university ID (UID) and password
    • Public Key Digital ID on a token (two-factor authentication)
  • Digital Signatures
    • Authenticate senders
    • Guarantee messages are unaltered, i.e. message integrity
    • Provide for non-repudiation
    • Legal signature
  • Encryption of email and other documents
  • Highly Secure Access Control
  • Potential for inherent global trust

  7. Identity Vetting & Credentialing (diagram). Labels: Identity Provider (IdP) uth.tmc.edu; Permanent Identity Database; Person; IdP obtains physical characteristics; assigns everlasting identifier; issues digital credential; identifier and digital credential permanently bound to the person; person-only activation.

  8. Identity Vetting & Credentialing: UTHSC-H Two Factor Authentication (diagram, same layout as slide 7 with two unlabelled “?” elements). Labels: Identity Provider (IdP) uth.tmc.edu; Permanent Identity Database; Person; IdP obtains physical characteristics; assigns everlasting identifier; issues digital credential; identifier and digital credential permanently bound to the person; person-only activation.

  9. UTHSC-H Identity Management System (diagram). Source systems: HRMS, SIS, GMEIS, UTP, Guest MS. Processing: Identity Reconciliation & Provisioning Processes; Person Registry (INDIS). Directories: Authoritative Enterprise Directories (OAC7, OAC47); Secondary Directories. Services and tools: Authentication Service; Authorization Service; Change Password; User Administration Tools; Attribute Management; Sync.
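How a person registry of the kind shown in slides 7 through 9 can reconcile records from several source systems into one person and keep an everlasting identifier that is never reissued, as an added Python example that is not INDIS or any UTHSC-H code. The feeds, the matching rule (name plus date of birth) and the UID format are constructed for illustration.

```python
import itertools

# Constructed sample feeds (not UTHSC-H data): each source system keys people by its own local ID.
HRMS_FEED = [{"src_id": "E1001", "name": "Jane Doe", "dob": "1970-04-02", "role": "faculty"}]
SIS_FEED = [{"src_id": "S55", "name": "Jane Doe", "dob": "1970-04-02", "role": "student"},
            {"src_id": "S56", "name": "Jane Doe", "dob": "1985-11-30", "role": "student"}]

class PersonRegistry:
    """One record per human being, keyed by an identifier that is assigned once and never reissued."""

    def __init__(self):
        self._seq = itertools.count(100000)  # only ever increases, so a retired UID cannot come back
        self.persons = {}                     # UID -> {"name", "dob", "sources": {(system, local id): role}}
        self._links = {}                      # (system, local id) -> UID

    def _match(self, rec):
        # Reconciliation rule (assumed for the example): same name and date of birth = same person.
        for uid, p in self.persons.items():
            if (p["name"], p["dob"]) == (rec["name"], rec["dob"]):
                return uid
        return None

    def reconcile(self, system, rec):
        """Provision or refresh one source record; returns the person's everlasting UID."""
        key = (system, rec["src_id"])
        uid = self._links.get(key) or self._match(rec)
        if uid is None:
            uid = f"UID{next(self._seq)}"
            self.persons[uid] = {"name": rec["name"], "dob": rec["dob"], "sources": {}}
        self._links[key] = uid
        self.persons[uid]["sources"][key] = rec["role"]
        return uid

    def deprovision(self, system, src_id):
        """A source drops the person: that affiliation goes away, but the UID and record stay forever."""
        uid = self._links.pop((system, src_id), None)
        if uid is not None:
            del self.persons[uid]["sources"][(system, src_id)]
        return uid

    def affiliations(self, uid):
        return set(self.persons[uid]["sources"].values())

def load_feeds():
    reg = PersonRegistry()
    for system, feed in (("HRMS", HRMS_FEED), ("SIS", SIS_FEED)):
        for rec in feed:
            reg.reconcile(system, rec)
    return reg
```

A real registry would match on stronger identity attributes and send near-misses to a human reviewer rather than auto-merging them.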

  10. Obtaining a Digital Certificate
  • Access the locally hosted CA’s web page
  • Generate a public/private key pair
  • Send the public key to the Certificate Authority
  • RA verifies the applicant’s identity to the CA
  • CA issues an X.509 certificate
  • CA notifies the applicant that the DID (Digital ID) is certified
  • Applicant downloads the certified public key
  • Applicant makes a backup of the DID

  11. Obtaining a Digital Certificate: Hard Token, Level 4
  • Applicant appears in person before the RA
  • Inserts E-Token in a USB port
  • Accesses the Certificate Authority’s web page
  • Token generates the public/private key pair
  • Sends the public key to the Certificate Authority
  • RA verifies the applicant’s identity to the CA
  • CA issues an X.509 certificate
  • Applicant downloads the certificate to the token
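The issuance flow of slides 10 and 11 as an added Python example (not UTHSC-H’s or VeriSign’s code), assuming the `cryptography` package: the applicant generates the key pair and sends only a CSR, the CA issues solely for subjects present in an assumed RA vetting record, the key-usage extension separates the signing and encryption certificates of the dual-key model on slide 4, and the applicant checks that the downloaded certificate really chains to the CA. The CA, names and vetting record are constructed; on-token key generation (slide 11) is not modelled, the keys are generated in software.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed RA vetting record (hypothetical): e-mail -> name the RA has verified in person.
RA_VETTED = {"jdoe@example.edu": "Jane Doe"}

def _attr(name, oid):
    return name.get_attributes_for_oid(oid)[0].value

def build_ca():
    # Self-signed root standing in for the hosted CA of step 1.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Campus CA")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number()).not_valid_before(now).not_valid_after(now + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True).sign(key, hashes.SHA256()))
    return key, cert

def applicant_csr(email, cn):
    # Steps 2-3: the key pair is generated on the applicant's side; only the public key leaves, inside a CSR.
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn),
                         x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)])
    return key, x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())

def ca_issue(ca_key, ca_cert, csr, purpose):
    # Steps 4-5: issue only when the CSR is intact and the RA has vetted exactly this name/e-mail pairing.
    if not csr.is_signature_valid or RA_VETTED.get(_attr(csr.subject, NameOID.EMAIL_ADDRESS)) != _attr(csr.subject, NameOID.COMMON_NAME):
        return None
    sign = purpose == "signing"  # dual keys per seat: a signing cert and a separate encryption cert
    usage = x509.KeyUsage(digital_signature=sign, content_commitment=sign, key_encipherment=not sign,
                          data_encipherment=False, key_agreement=False, key_cert_sign=False,
                          crl_sign=False, encipher_only=False, decipher_only=False)
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(csr.subject).issuer_name(ca_cert.subject).public_key(csr.public_key())
            .serial_number(x509.random_serial_number()).not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(usage, critical=True).sign(ca_key, hashes.SHA256()))

def chains_to_ca(ca_cert, cert):
    # Step 7: before installing the downloaded certificate, confirm the CA really signed it.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(),
                                    cert.signature_hash_algorithm)
    except Exception:
        return False
    return True
```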

  12. Lessons Learned The focus of planning should be on how PKI and directory services make life great for people in cyberspace!!! Don’t focus on underlying theory, arcane concepts and minute implementation details. If basic infrastructure is in place along with user applications, people will use it and demand more.

  13. What Is Needed To Reach Critical Mass?
  • Develop a core group that operationally believes in and understands middleware!
  • CA management system with basic policies.
  • Basic operational LDAP directory service.
  • As many “real” applications as possible!
  • Solutions that use signing and encryption.
  • Cherished resources PKI-enabled for access.

  14. Why a Commercial CA?
  • Texas requires a state-approved CA, with:
    • Certificate Practice Statement (CPS)
    • Certificate Policy
    • Relying Party Agreement
  • CA trust hierarchy automatically recognized by most browsers and clients worldwide.
  • Provided a significant amount of support resources.
