Page 1: Authentication Prereqs, Reqs, Techs ….& Seqs Keith Hazelton University of Wisconsin-Madison Internet2 MACE member

Authentication Prereqs, Reqs, Techs ….& Seqs

Keith Hazelton

University of Wisconsin-Madison

Internet2 MACE member

CAMP - June 4-6, 2003 2

Copyright Keith Hazelton 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author


Authentication (AuthN)

• Prerequisites

• Requirements

• Technologies

• Sequiters


Authentication (AuthN) Prerequisites


Some key terms

• Talk first about a person (you)
• Attributes: specific items of information about you or associated with you.
• Identity: the whole set of attributes about you



Some key terms

• Then remind you that these terms can apply as well to online resources, servers and services
• Attributes: specific items of information about X or associated with X.
• Identity: the whole set of attributes about X



Another key term

• Identity credential
  – Something issued to you (or to X) by an organization
  – It associates you with a specific identity known to the organization


Another key term

• A cautionary tale about identity credentials
  – One day when I was supposed to review proposals at NSF HQ…
  – I didn’t have photo ID with me (not my state issued driver’s license nor my University issued ID card)
  – NSF receptionist needs to see photo ID
  – SOL except for the “break the glass” emergency policy
  – The program director has to come down & vouch for me
  – THEN & only then do I get a nifty NSF temp ID badge that lets me go through doors magically for the rest of my visit, no questions asked
  – An identity credential from one institution good for an attribute assertion (“allowed in”) from a different institution


More key terms

• Authentication
  – process of proving your identity by “presenting” an identity credential.
  – In IT systems, often done by a login process
• Authorization
  – process of determining if policy permits a requested action to proceed
  – Often associated with an authenticated identity, but not always and not necessarily


Hold this thought: Justifying AuthN

• In the NSF story, why the fuss?
• Things of value…
  – Property
  – People
  – Information
  – Services
• Being protected from some threat
  – Intruder destroying or stealing property, or
  – …harming people, or
  – …getting access to information he shouldn’t have, or
  – …diverting valuable services from those who should get them


AuthN as a piece of core middleware: So what is Core Middleware?

• Suite of campus-wide security, access, and information services
  – Integrates data sources and manages information about people and their contact locations
  – Establishes electronic identity of users
  – Issues identity credentials
  – Uses administrative data and management tools to assign affiliation attributes
  – …and gives permission to use services based on those attributes


AuthN in context: Middlewareland


AuthN in context: Core Middlewareland


AuthN in context: Core Middlewareland


AuthN in context: Core Middlewareland


Prerequisites: Making the Business Case

• Middleware is never a good sell as middleware
• Slide it in as part of a killer app
  – Positive: We can secure our email application
  – Negative: We’re gonna get sued if we don’t protect that data
• Or, if you have an enlighten-able upper admin
  – Point out it’s not fair to have the first app pay for this shared good
  – So the middleware infrastructure should be centrally funded
  – Besides, then the institution, not the app owner, has final say


Prerequisites: Making the Business Case

• Increased ability to offer tailored services while maintaining privacy and adhering to FERPA, HIPAA
  – Opportunity cost
  – Reduced time
  – Accommodate expectations
  – Fewer technology staff required to maintain additional services
• Increased security
  – Security-minded folks managing access
  – Integrated logging function
  – Access changes with role or status of role
• Ease of use
  – Reduced number of identity credentials and gatekeeper points


Authentication (AuthN) Requirements


AuthN Requirements

• What kinds of resources do you need to protect?
• …From what kinds of threats?
  – Identity theft (identity credentials are a choice target of attack)
  – Unauthorized access or use
  – Denial (or corruption) of service
  – Information theft
  – Information destruction or corruption
  – Loss of appropriate anonymity
  – Loss of privacy
  – …


AuthN Requirements

• Draw your requirements from the need to thwart those threats to those resources
  – E.g., Protection of the identity credential
    • Password strength
    • Private key protection
• Remember, you want those who should get in to get in (me!)
  – Break-the-glass provisions (Dr’s in the ER w/out his hardware token)
  – Watch the tradeoff between security & convenience or it’ll bite back
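As an added example, not from the slides, here is a small Python model of the deck's terms (attributes make up an identity, an organization issues an identity credential, AuthN is presenting that credential, AuthZ is a separate policy decision) together with the logged break-the-glass path from the NSF story. The organization, attribute and resource names are constructed for the example.

```python
"""Toy model of the deck's vocabulary: attributes make up an identity, an
organization issues an identity credential, AuthN is presenting that credential,
AuthZ is a separate policy decision over attributes, and break-the-glass is a
logged exception path.  Org, attribute and resource names are constructed."""
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # PBKDF2 work factor; constructed value for the example

# Identity = the whole set of attributes the organization knows about a person.
DIRECTORY = {
    "reviewer01": {"org": "home-university", "affiliation": "faculty",
                   "cleared_for": {"panel-room"}},
}

AUDIT_LOG = []  # integrated logging: every AuthZ decision is recorded


def issue_credential(username, password):
    """Issue a password credential: store a salted verifier, never the password."""
    salt = secrets.token_bytes(16)
    verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"username": username, "salt": salt, "verifier": verifier}


def authenticate(cred_store, username, password):
    """AuthN: prove identity by presenting the credential.
    Returns the identity (its attribute set) on success, else None."""
    cred = cred_store.get(username)
    if cred is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], ITERATIONS)
    if not hmac.compare_digest(candidate, cred["verifier"]):
        return None
    return DIRECTORY.get(username)


def authorize(identity, resource, voucher=None):
    """AuthZ: does policy permit the action?  Usually keyed to an authenticated
    identity's attributes, but not necessarily: the break-the-glass path lets an
    authenticated program director vouch for someone with no local credential."""
    if identity is not None and resource in identity.get("cleared_for", set()):
        AUDIT_LOG.append(("allow", resource, "attribute"))
        return True
    if voucher is not None and voucher.get("affiliation") == "program-director":
        AUDIT_LOG.append(("allow", resource, "break-the-glass"))
        return True
    AUDIT_LOG.append(("deny", resource, None))
    return False
```

The audit log is what makes the break-the-glass exception reviewable afterwards; a wrong password and a missing credential both fail AuthN identically, so the caller learns nothing about which accounts exist.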


Authentication (AuthN) Technologies


AuthN Technologies: Choices, choices

• IP addresses (what are they? Ident cred. for host? Authoriz. attribute?)
• GOF un/pw identity credentials
  – AuthN app compares with LDAP store at login
  – Let’s agree for the duration of camp not to say “LDAP Authentication”
  – …or MIT Kerberos (or MS Kerberos), keeps password off the network
• Some kind of *SO (single sign-on, fewer sign-ons,…)
  – Web ISO (Initial sign-on) like PubCookie, CAS, Cosign,…
  – Kerberos ticket granting tickets for kerberized services


AuthN Technologies: Choices, choices

• PKI, oh my
  – Did you want Lite, ultra-Light or Industrial Strength or…
  – With the “I” you get a uniquely useful cert + private key pair
    • It’s an identity credential, it’s a coder/decoder ring, it’s an unforgeable signing thingie, it’s a magic door opener


AuthN Technologies: Reqs & Techs

• Make your choice by comparing requirements with the features of the various technologies
  – You want to curb rampant identity theft
    • Switch from GOF un/pw to Kerberos or…
    • Limit the places people expect to enter the un/pw pair
      – By some form of *SO
    • …and then train them not to enter un/pw on any old screen that pops up
  – You need a higher level of assurance that the identity credential was issued to the right person (me!)
    • Certificate Authorities put in each cert an indication of how much reliance you dare put in the asserted identity


AuthN Technologies: Reqs & Techs

• Make your choice by comparing requirements with the features of the various technologies
  – You need to integrate that great new Portal engine or ERP system the CIO just bought with your AuthN service
  – You want to run a job that spawns other jobs or calls additional protected services on your behalf
    • Forwardable Kerberos tickets
    • If you’re using the Grid® then you use “Proxy certificates” based on (but extending) the X.509v3 standard
    • Watch out for that nth tier!
  – You are told to roll out Network layer AuthN
  – You are told to roll out Wireless AuthN


Authentication (AuthN) Sequiters


Authentication (AuthN) Sequiters

• Going over the walls: inter-realm authN
• We’ve been talking about local credentials and local resources
• What if
  – The resources or services you want to make available are provided by (gulp) an outsider
  – You want to make your resources available to people you haven’t seen before, let alone issued identity credentials to
  – You want to import or export additional attributes (bits of identity) from/to other institutions/organizations and be confident that those bits of info get added to the right set of other bits.
• Then you need Federated Identity Management!!!


Inter-realm AuthN

• Federated Identity Management is where you and another organization agree to trust the identity credentials and/or identity information provided by the opposite party.
• Remember, AuthN is first and foremost a stepping stone to Authorization (AuthZ)
• Technologies (details later, campers)
  – Shibboleth (AutheNticate locally, access resources globally)
  – Liberty Alliance (pull together (under user control) subsets of identity information from multiple organizations to build an identity that will entitle you to use a desired service/resource)
  – Passport


Inter-realm AuthN

• The trick is matching Org A identity with the corresponding Org B identity (it’s me, really!)

• And agreeing to trust each other just enough to do business

• …or put another way, agreeing to accept a given level of risk that some security goal might be compromised by doing business this way


Q & A

• What’s the next step in AuthN for your campus?
• What technology do you really need to know more about?
• What would you like to see on an AuthN Roadmap to help you & your institution?