Presentation is loading. Please wait.

Presentation is loading. Please wait.

Problems With Centralized Passwords Dartmouth College PKI Lab.

Published byRolf Adams Modified over 9 years ago

Similar presentations

Presentation on theme: "Problems With Centralized Passwords Dartmouth College PKI Lab."— Presentation transcript:

1 Problems With Centralized Passwords Dartmouth College PKI Lab

2 Managing the Multitude: User Perspective Users HATE username/passwords Too many for them to manage: –Re-use same password –Use weak (easy to remember) passwords –Rely on “remember my password” crutches Forgotten password help desk calls cost $25 - $200 (IDC) and are far too common As we put more services online, it just gets worse…

3 Managing the Multitude: Admin Perspective Many different username/password schemes to learn, set up, and administer: –Backups, password resets, revoking access, initial password values, etc. Multiple administrators have access usernames/passwords – many points of failure

4 Ending the Madness Traditional approaches –Single password –Single sign-on, fewer sign-ons PKI –Local password management by end user –Two factor authentication

5 Single Password Users like it, but… Requires synchronizing passwords (inherently problematic) – actually makes admin madness worse! Single username/password becomes single point of failure… Hack weakest application and get passwords to all applications! Costly to maintain and difficult to make work well.

6 Single Sign-on, Fewer Sign-ons More secure & provides some relief for users, but… Requires infrastructure (e.g. WebISO or Kerberos sidecar). Fewer sign-ons still has synchronization problems. Single sign-on solutions are for web applications only. Kerberos sidecar has problems with address translation and firewalls and is not widely supported.

7 Password Sharing Corrupts value of username/password for authentication and authorization. Users do share passwords: PKI Lab survey of 171 undergraduates revealed that 75% of them shared their password and fewer than half of those changed it after sharing. We need two factor authentication to address password sharing.

8 All Your Eggs in One Basket Traditional username/password authentication requires access to passwords database from network servers or authentication server: –Bad guys have network access, can use this to crack individual accounts or worse, get many or all passwords in one grand hack. How would you like to have to notify thousands of users to satisfy FERPA requirements when their accounts are breached? This has happened! –Multiple (possibly many) system administrators have access to user passwords. Traditional Single Sign-on or Fewer Sign-on means once a username/password is compromised, access to multiple services is compromised.

9 PKI’s Answer to Password Woes Users manage their own (single or few) passwords. Two factor authentication. Widely supported alternative for authentication to all sorts of applications (both web-based and otherwise).

10 PKI Passwords Are Local to Client PKI can eliminate user passwords on network servers. Password to PKI credentials are local in the application key store or in hardware token. User manages the password and only has one per set of credentials (likely only one or two). Still need process for forgotten password, but it is only one for all applications using PKI authentication, and users are much less likely to forgot it since they use it frequently and control it themselves.

11 PKI Enables Single Password and Single Sign-on User maintains password on their credentials. PKI credentials authenticate user to the various services they use via PKI standards. No need for password synchronization. No additional infrastructure other than standard PKI and simple, standard hooks for PKI authentication in applications. Typically less effort to enable PKI authentication than other SSO methods.

12 PKI Provides Two Factor Authentication Requires something the user has (credentials stored in the application or a smartcard or token) in addition to something a user knows (local password for the credentials). Significant security improvement, especially with smartcard or token (a post-it next to the screen is no longer a major security hole). Reduces risk of password sharing.

13 Benefits of PKI Dartmouth College PKI Lab

14 Password Management & SSO There are many problems managing network services usernames and passwords in the real world (see Problems With Centralized Passwords).Problems With Centralized Passwords PKI offers the best solution for cost- effectively securing network applications for your enterprise without driving users crazy.

15 Digital Signatures Our computerized world still relies heavily on handwritten signatures. PKI allows digital signatures, recognized by Federal Government as legal signatures: –Reduce paperwork with electronic forms. –Much faster and more traceable business processes. –Improved assurance of electronic transactions (e.g. really know who that email was from). http://museum.nist.gov/exhibits/timeline/item.cfm?itemId=78

16 Encryption Can use same PKI digital credentials as authentication and digital signatures. More leverage of the PK Infrastructure. Easy to encrypt data for any individual without prior exchange of information – simply look up their certificate which contains their public key.

17 User Convenience Fewer passwords! Consistent mechanism for authentication that they only have to learn once. UT Houston Medical Center users now request that all network services use PKI authentication. Same user credentials for authentication, digital signatures, and encryption – lots of payback for user’s effort to acquire and manage the credentials.

18 Coherent Enterprise-Wide Security Administration Centralized issuance and revocation of user credentials. Consistent identity checking when issuing certificates. Same authentication mechanism for all network services. Leverage investment in tokens or smart cards across many applications.

19 Interoperability With Other Institutions Inter-institution trust allows identity verification and encryption using credentials issued by a trusted collaborating institution: –Signed forms and documents for business process (e.g. grant applications, financial aid forms, government reports) –Signed and encrypted email from a colleague at another school –Authentication to applications shared among consortiums of schools –Peer to peer authentication for secure information sharing

20 Standards Based Solution Standards promise interoperability among vendors and open source, and already deliver in practice. Wide variety of implementations available and broad coverage of application space. Level playing field for open source and new vendors – promotes innovation and healthy competition.

21 Unequaled Client and Server Support Commercial and open source Development toolkits and applications Certificate Authority, directory, escrow, revocation, and other infrastructure tools Windows, Macintosh, Linux, Solaris, UNIX Software and hardware key storage Apache, Oracle, IIS, SSL, Web Services, Shibboleth, etc. Microsoft, Sun, Cisco, IBM, BEA, RSA, Verisign, DST, Entrust, AOL, Adobe, Infomosaic, Aladdin, Schlumberger, and many others

22 Momentum Outside Higher Education Industry support for PKI Federal and State governments major adopters Microsoft, Johnson and Johnson, Disney, heavy industry adopters Major deployment in Europe China pushing WAPI wireless authentication that requires PKI Web Services (SAML uses PKI signed assertions)

23 Likely Federal Opportunities FBCA, HEBCA bridge projects Proof of concept NIH EDUCAUSE project to demonstrate digitally signing documents for submission to the Federal government (more later) Possible DOE, NSF, NIH applications for Higher Education?

Download ppt "Problems With Centralized Passwords Dartmouth College PKI Lab."

Similar presentations

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.

NIH-EDUCAUSE PKI Interoperability Project Electronic Grant Application With Multiple Digital Signatures Peter Alterman, Ph.D. Director of Operations Office.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.

Overview of US Federal Identity Management Initiatives Peter Alterman, Ph.D. Chair, Federal PKI Policy Authority and Asst. CIO E-Authentication, NIH.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live! Web Seminar May 11, 2004.

PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live! Web Seminar May 11, 2004.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.

Identity Management Realities in Higher Education NET Quarterly Meeting January 12, 2005.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Why PKI (Scott Rea) Boulder CO November 15, 2007.

Why PKI (Scott Rea) Boulder CO November 15, 2007.
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.

PKI Activities at Virginia January 2004 CSG Meeting Jim Jokl.
U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.

U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.
Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.

Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.
Public Key Infrastructure at the University of Pittsburgh Robert F. Pack, Vice Provost Academic Planning and Resources Management March 27, 2000 CNI Spring.

Public Key Infrastructure at the University of Pittsburgh Robert F. Pack, Vice Provost Academic Planning and Resources Management March 27, 2000 CNI Spring.
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Web Services Security Multimedia Information Engineering Lab. Yoon-Sik Yoo.

Similar presentations

Ads by Google