PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live Web Seminar May 11, 2004 - PowerPoint PPT Presentation


PPT – PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live Web Seminar May 11, 2004 PowerPoint presentation | free to download - id: a8e86-MzU1Z


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live Web Seminar May 11, 2004


Password Sharing. Corrupts value of username/password for authentication and authorization. ... Asymmetric encryption prevents need for shared secrets. ... – PowerPoint PPT presentation

Number of Views:61
Avg rating:3.0/5.0
Slides: 32
Provided by: markf163
Learn more at:


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: PKI: A Technology Whose Time Has Come in Higher Education EDUCAUSE Live Web Seminar May 11, 2004

PKI A Technology Whose Time Has Come in Higher
Education EDUCAUSE Live! Web SeminarMay 11,
Our Systems Are Under Constant Attack
  • The numbers of vulnerabilities and attack
    techniques continue to mushroom
  • We need to improve how we secure access to
    applications and data
  • Dont forget the greatest threat often comes from
    a disgruntled insider.

Some Attacks Succeed Spectacularly
  • Loss of personal data
  • Outages
  • Potentially huge costs
  • Productivity loss
  • Remediation
  • User notification
  • Bad publicity
  • Loss of credibility
  • Lawsuits?
  • See Damage Control When Your Security Incident
    Hits the 6 OClock News

IT Security Risks Escalate
  • More and more important information and
    transactions are online
  • Personal identity information
  • Financial transactions
  • Course enrollment, grades
  • Tests, quizzes administered online
  • Licensed materials
  • Confidential research data
  • We must comply with increasingly strict
  • Health information - HIPAA
  • Educational records - FERPA

Specific Example Email
  • Spoofing email is trivial (simple setting in most
    email clients)
  • Spoofed message from professor postponing a final
  • Inappropriate message seemingly from College
  • Email is like a postcard written in pencil
  • Others on network can see (or even modify)
    contents if not encrypted (really easy on
  • You may use SSL, but what about other hops
    between mail servers?
  • Risk of wayward email archives

Specific Example Student Information System
  • Online enrollment, schedule, grades
  • FERPA protected information
  • Potentially available to hackers via network
  • Q What if someone hacks your authentication
    system and potentially downloads students grades?
  • A You are probably obligated by law to notify
    every individual whose grades may have been

Password Problems User Perspective
  • Users HATE username/passwords
  • Too many for them to manage
  • Re-use same password
  • Use weak (easy to remember) passwords
  • Rely on remember my password crutches
  • Forgotten password help desk calls cost 25 -
    200 each (IDC) and are far too common
  • As we put more services online, it just gets

Password Problems Admin Perspective
  • Many different username/password schemes to
    learn, set up, and administer
  • Backups, password resets, revoking access,
    initial password values, etc.
  • Multiple administrators have access to
    usernames/passwords many points of failure

Password Sharing
  • Corrupts value of username/password for
    authentication and authorization.
  • Users do share passwords PKI Lab survey of 171
    undergraduates revealed that 75 of them shared
    their password and fewer than half of those
    changed it after sharing.
  • We need two factor authentication to address
    password sharing.

Ending the Madness
  • Traditional approaches
  • Single password
  • Single sign-on, fewer sign-ons
  • PKI
  • Local password management by end user
  • Two factor authentication

PKIs Answer to Password Woes
  • Users manage their own (single or few) passwords.
  • Cost-effective two factor authentication.
  • Widely supported alternative for authentication
    to all sorts of applications (both web-based and

PKI Passwords Are Local to Client
  • PKI eliminates user passwords on network servers.
  • Password to PKI credentials is local to users
    computer, smartcard, or token.
  • User manages the password and only has one per
    set of credentials (likely only one or two
  • No need for password synchronization.
  • Standard PKI infrastructure.
  • Still need process for forgotten password, but it
    is less likely to be forgotten (used frequently
    and not so many of them).

Underlying Key Technology
  • Asymmetric encryption uses a pair of asymmetric
    keys, each is the only way to decrypt data
    encrypted by the other.
  • One key is private and carefully protected by its
    holder. The other is public and freely
  • In authentication, the server challenges the
    client to encrypt or decrypt something with the
    private key. Its ability to do so proves its
  • Private key and password always stay in the
    users possession.

PKI Provides Two Factor Authentication
  • Requires something the user has (credentials
    stored in the application or a smartcard or
    token) in addition to something a user knows
    (local password for the credentials).
  • Significant security improvement, especially with
    smartcard or token (a post-it next to the screen
    is no longer a major security hole).
  • Reduces risk of password sharing.

PKI Benefit Encryption
  • Strong encryption with extensible number of bits
    in key.
  • Can use same PKI digital credentials as
    authentication and digital signatures.
  • More leverage of the PK Infrastructure.
  • Encrypt data for any individual without prior
    exchange of information just acquire their
    certificate which contains their public key.

How PKI Encryption Works
  • Asymmetric encryption prevents need for shared
  • Anyone encrypts with public key of recipient.
  • Only the recipient can decrypt with their private
  • Private key is secret and protected, so bad
    guys cant read encrypted data.

PKI BenefitDigital Signatures
  • Our computerized world still relies heavily on
    handwritten signatures on paper.
  • PKI enables digital signatures, recognized by
    Federal Government as legal signatures
  • Reduce paperwork with electronic forms.
  • Much faster and more traceable business
  • Improved assurance of electronic transactions
    (e.g. really know who that email was from).

How Digital Signatures Work
  • Signer computes content digest, encrypts with
    their private key.
  • Reader decrypts with signers public key.
  • Reader re-computes the content digest and
    verifies match with original guarantees no one
    has modified signed data.
  • Only signer has private key, so no one else can
    spoof their digital signature.

PKI Benefit User Convenience
  • Fewer passwords!
  • Consistent mechanism for authentication that
    users only have to learn once. (UT Houston
    Medical Center users now request that all network
    services use PKI authentication.)
  • Same user credentials for authentication, digital
    signatures, and encryption lots of payback for
    users effort to acquire and manage the

PKI Benefit Coherent Enterprise-Wide Security
  • Centralized issuance and revocation of user
    credentials (goes hand in hand with identity
  • Consistent identity checking when issuing
  • Same authentication mechanism for all network
  • Single process to recover from lost passwords or
    keys (not per application).
  • Leverage investment in tokens or smart cards
    across many applications.

Interoperability With Other Institutions
  • Allows authentication, digital signatures, and
    encryption using credentials issued by a trusted
    collaborating institution
  • Signed forms and documents for business process
    (e.g. grant applications, financial aid forms,
    government reports)
  • Signed and encrypted email from a colleague at
    another school
  • Authentication to applications shared among
    schools (e.g. grid)
  • Peer to peer authentication for secure
    information sharing

Standards Based Solution
  • Standards provide interoperability among multiple
    vendors and open source.
  • Wide variety of implementations available and
    broad coverage of application space.
  • Level playing field for open source and new
    vendors promotes innovation and healthy

PKI Enjoys Unequaled Client, Server, and
Application Support
  • Commercial and open source
  • Windows, Macintosh, Linux, Solaris, UNIX
  • Apache, Oracle, IIS, SSL, Web Services,
    Shibboleth, Browsers, email, VPN, Acrobat, MS
    Office, AIM, and many others Software and
    hardware key storage
  • Development libraries, toolkits and applications
  • Certificate Authority, directory, escrow,
    revocation, and other infrastructure tools

Momentum Outside Higher Education
  • Industry support for PKI
  • Federal and State governments major adopters
  • Microsoft, Sun, Johnson and Johnson, Disney,
    banks heavy industry adopters
  • Major deployment in Europe
  • China pushing WAPI wireless authentication
    standard that requires PKI
  • Web Services (e.g. SAML uses PKI signed

Federal Collaborations
  • FBCA, HEBCA bridge projects
  • Proof of concept NIH EDUCAUSE project to
    demonstrate digitally signing documents for
    submission to the Federal government
  • Possible DOE, NSF, NIH applications for Higher

Dartmouth PKI Lab
  • RD to make client side PKI a practical component
    of campus networks
  • Multi-campus collaboration sponsored by the
    Mellon Foundation
  • Dual objectives
  • Deploy existing PKI technology to improve network
    applications (both at Dartmouth and elsewhere).
  • Improve the current state of the art.
  • Identify security issues in current products.
  • Develop solutions to the problems.

Production PKI Applications at Dartmouth
  • Dartmouth certificate authority
  • 780 end users have certificates, 558 of them are
  • PKI authentication in production for
  • Banner Student Information System
  • Library Electronic Journals
  • Tuck School of Business Portal
  • VPN Concentrator
  • Blackboard CMS
  • Software downloads
  • S/MIME email (Outlook, Mozilla, Thunderbird)
  • AOL AIM (PKI-secured sys admin communications)

Open Source CA in a Box
  • Hardened open source Certificate Authority (based
    on OpenCA) bundle suitable for trial and simple
  • PKI Labs Enforcer TPM-hardened Linux
  • Controversial TCPA technology turned to use for
    good and freedom (secures Linux boot process and
    provides much enhanced run-time protection
    against hackers)
  • Packaging for easy installation (bootable CD)
  • Carefully chosen enhancements to OpenCA
  • We welcome feedback on requirements,
    contributions, testing, etc!

Deploying PKI
  • Client-side PKI is usually a significant
    undertaking and requires planning and commitment.
  • Get buy in and support from management, legal,
    audit, others a little fear in todays cyber
    world is healthy.
  • Learn from examples and experiences of others.
  • Deploy in phases, plan for future extensibility.
  • Choose initial applications to maximize benefits
    versus cost.
  • Take a long term view - PKI ROI is excellent when
    leveraged broadly, but probably not as strong for
    individual applications.
  • See

Blatant Advertisement
  • We seek a few schools that we can assist as you
    deploy PKI credentials and applications for end
    users! An explicit part of our mission is to
    directly assist you in the planning/justification,
    implementation, and deployment phases.

For More Information