Problems With Centralized Passwords Dartmouth College PKI Lab.
Presentation transcript:

Problems With Centralized Passwords Dartmouth College PKI Lab

Managing the Multitude: User Perspective
- Users HATE username/passwords
- Too many for them to manage:
  – Re-use same password
  – Use weak (easy to remember) passwords
  – Rely on “remember my password” crutches
- Forgotten password help desk calls cost $25 - $200 (IDC) and are far too common
- As we put more services online, it just gets worse…

Managing the Multitude: Admin Perspective
- Many different username/password schemes to learn, set up, and administer:
  – Backups, password resets, revoking access, initial password values, etc.
- Multiple administrators have access to usernames/passwords – many points of failure

Ending the Madness
- Traditional approaches
  – Single password
  – Single sign-on, fewer sign-ons
- PKI
  – Local password management by end user
  – Two factor authentication

Single Password
Users like it, but…
- Requires synchronizing passwords (inherently problematic) – actually makes admin madness worse!
- Single username/password becomes single point of failure… Hack weakest application and get passwords to all applications!
- Costly to maintain and difficult to make work well.

Single Sign-on, Fewer Sign-ons
More secure & provides some relief for users, but…
- Requires infrastructure (e.g. WebISO or Kerberos sidecar).
- Fewer sign-ons still has synchronization problems.
- Single sign-on solutions are for web applications only.
- Kerberos sidecar has problems with address translation and firewalls and is not widely supported.

Password Sharing
- Corrupts value of username/password for authentication and authorization.
- Users do share passwords: PKI Lab survey of 171 undergraduates revealed that 75% of them shared their password and fewer than half of those changed it after sharing.
- We need two factor authentication to address password sharing.

All Your Eggs in One Basket
- Traditional username/password authentication requires access to the password database from network servers or an authentication server:
  – Bad guys have network access and can use it to crack individual accounts or, worse, get many or all passwords in one grand hack. How would you like to have to notify thousands of users to satisfy FERPA requirements when their accounts are breached? This has happened!
  – Multiple (possibly many) system administrators have access to user passwords.
- Traditional Single Sign-on or Fewer Sign-on means once a username/password is compromised, access to multiple services is compromised.

PKI’s Answer to Password Woes
- Users manage their own (single or few) passwords.
- Two factor authentication.
- Widely supported alternative for authentication to all sorts of applications (both web-based and otherwise).

PKI Passwords Are Local to Client
- PKI can eliminate user passwords on network servers.
- Passwords for PKI credentials are local, in the application key store or in a hardware token.
- User manages the password and only has one per set of credentials (likely only one or two).
- Still need a process for forgotten passwords, but it is only one for all applications using PKI authentication, and users are much less likely to forget it since they use it frequently and control it themselves.

PKI Enables Single Password and Single Sign-on
- User maintains the password on their credentials.
- PKI credentials authenticate the user to the various services they use via PKI standards.
- No need for password synchronization.
- No additional infrastructure other than standard PKI and simple, standard hooks for PKI authentication in applications.
- Typically less effort to enable PKI authentication than other SSO methods.

PKI Provides Two Factor Authentication
- Requires something the user has (credentials stored in the application or on a smartcard or token) in addition to something the user knows (local password for the credentials).
- Significant security improvement, especially with a smartcard or token (a post-it next to the screen is no longer a major security hole).
- Reduces risk of password sharing.
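The last three slides in working form, as an added example that is not from the Dartmouth PKI Lab deck: the passphrase only ever unlocks a locally sealed private key (something you know), the key itself is the something-you-have, and the server stores public keys alone and checks a signature over a fresh challenge, so there is no password database to breach or for administrators to read. Standard library only; the user name, passphrase and challenge are constructed, and salted SHA-256 is a stand-in for the real password KDF (PBKDF2, scrypt or Argon2) a key store would use.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// LocalKeyStore lives on the client: the private key is sealed under a passphrase that never leaves the machine; only Pub goes to servers.
type LocalKeyStore struct {
	Salt, Nonce, Sealed []byte
	Pub                 ed25519.PublicKey
}

// box derives the sealing key from the passphrase; salted SHA-256 stands in for the PBKDF2/scrypt/Argon2 a real key store uses.
func box(pass string, salt []byte) cipher.AEAD {
	key := sha256.Sum256(append([]byte(pass), salt...))
	b, _ := aes.NewCipher(key[:]) // 32-byte key: neither call can fail
	g, _ := cipher.NewGCM(b)
	return g
}
// Enroll generates a key pair and seals the private seed under the local passphrase.
func Enroll(pass string) *LocalKeyStore {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	r := make([]byte, 28) // 16-byte salt + 12-byte GCM nonce
	rand.Read(r)
	sealed := box(pass, r[:16]).Seal(nil, r[16:], priv.Seed(), nil)
	return &LocalKeyStore{Salt: r[:16], Nonce: r[16:], Sealed: sealed, Pub: pub}
}
// Unlock fails GCM authentication on the client for a wrong passphrase: no server-side password exists to crack or read.
func (ks *LocalKeyStore) Unlock(pass string) (ed25519.PrivateKey, error) {
	seed, err := box(pass, ks.Salt).Open(nil, ks.Nonce, ks.Sealed, nil)
	if err != nil {
		return nil, err
	}
	return ed25519.NewKeyFromSeed(seed), nil
}
// Authenticate is the server side: it holds public keys only and verifies a signature over a fresh challenge.
func Authenticate(users map[string]ed25519.PublicKey, user string, challenge, sig []byte) bool {
	pub, ok := users[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}

func main() {
	ks, challenge := Enroll("local passphrase"), []byte("server-chosen random challenge") // constructed sample values
	priv, _ := ks.Unlock("local passphrase")
	fmt.Println("accepted:", Authenticate(map[string]ed25519.PublicKey{"alice": ks.Pub}, "alice", challenge, ed25519.Sign(priv, challenge)))
}
```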