Get real: the security of your network users' digital identities has become crucial. It's time to look at authentication technology

University Business, Feb, 2003 by Tom Warger

With hundreds of millions of people using the Internet every day, the task of creating and managing digital identities has become a major challenge for operators of online information services. Many of those Internet users have, in fact, multiple identities (as employees, students, subscribers, customers)--roles and relationships that need to be accurate, trustworthy, and secure. And each digital identity has its own life cycle, with attributes, credentials, and access permissions changing sometimes daily. Being able to establish the identity of network users authoritatively is the technical domain of "authentication"--the bedrock of Internet-based transactions.

But colleges and universities have historically favored openness of network accessibility over security concerns. For the most part, authentication of users has been accomplished at the threshold of particular applications--primarily e-mail for faculty and students, and enterprise resource planning systems (ERP) for staff and administrative users. License agreements with software and content providers have been enforced by limiting access by IP domain. Right now, some IHEs require all computers used on the campus network to be registered, but many more do not. There are signs, however, that the protection of digital identities is becoming a higher priority on campuses. The University of Colorado-Boulder, for one, set a first-week-of-2003 deadline for encrypted authentication of all e-mail, telnet, and FTP sessions, with the goal of ensuring that no username-password pairings are sent over the network as plain text, which is vulnerable to theft via electronic eavesdropping.

TOO MANY IDENTITIES

Identity information is typically maintained inside each information service or software application at an institution. Passwords and PINs are assigned and managed by the keepers of e-mail, library, and course management systems (CMS), ERPs, and departmental LANs. What's more, security practices vary widely in methods and rigor, even on the same campus. To cope with the number of different passwords to remember, many users reuse the same password on every system that lets them choose their own. Others write down their passwords in notebooks or carry them on paper in their wallets. Both of these measures undermine good password discipline by widening the damage from any breach of secrecy: one stolen password opens every system it was reused on. Then, in the background, IT staff tending separate repositories of identity information duplicate services, wasting valuable time and talent. Still, for all their effort, the institution's information services are not more secure. Each password-authenticated transaction is only as secure as the practices and standards for that particular application.

FINDING A CORE FOR IDENTITY

The good news is that valuable tools for identity authentication are already in widespread use. Kerberos, a server-based generator of encrypted, time-limited tickets that serve as certificates of identity, was developed at MIT and is an open-standard component found in most authentication software. (For more on Kerberos, head to web.mit.edu/kerberos/www/krb5-1.2/index.html.) Lightweight Directory Access Protocol (LDAP), another open standard, is used as a repository for storing identity profiles and corresponding access privileges. The most commonly used commercial products implementing these tools are Microsoft Active Directory and Exchange Server (www.microsoft.com). On many campuses, these products were initially adopted to provide e-mail and network account management, but have since gained added value because the LDAP service underlying them can be used for user authentication by many other software packages.

Kerberos and LDAP also figure in the emerging Public Key Infrastructure (PKI) method of user authentication, which uses encrypted "certificates" to vouch for properly identified network users. At Dartmouth College, Kerberos has been in use since the mid-1980s to allow different directory systems--including some custom-written at Dartmouth--to share user credentials. A pilot project currently under way at Dartmouth uses Entrust's PKI software (Entrust Authority, Directory, and Entelligence products; go to www.entrust.com) to authenticate digital signatures for electronic payroll authorization. The library hopes to adopt this same PKI solution to replace IP address checking when granting access to vendor-supplied information products. To date, Dartmouth has invested approximately $50,000 in the development of its PKI capability and estimates that the eventual campuswide expansion could run to $500,000.

FEDERATED IDENTITY

The Internet2 Shibboleth Project is a collaborative effort to build an inter-institutional standard for authentication, wherein each user's home campus is responsible for original authentication (For more information, head to www.shibboleth.internet2.edu). Once that identity has been established, it is certified to other schools participating in the technical framework established under Shibboleth. This "federated" approach to authentication retains local control of private information while allowing network users to access resources on other campuses. For example, a student taking a course at another college may need to use licensed information sources. Shibboleth aims to use the student's home-campus authentication to satisfy the access requirements at the campus where that student is a visitor.
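The federated flow described above, as an added example that is not Shibboleth's own code or its real SAML protocol: a simplified model in which the home campus (identity provider) checks the password against its own directory and issues a signed, short-lived assertion that releases only the attribute the visited campus (service provider) needs, and the visited campus grants access on that assertion without ever seeing the password or the home directory. The shared HMAC key, hostnames, and the directory entry are constructed for the example; real federations use public-key signatures exchanged through federation metadata.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret between the two campuses (for the example only;
# real federations sign assertions with public keys, not a shared key).
FEDERATION_KEY = b"constructed-demo-federation-key"
HOME_CAMPUS = "home.example.edu"


def _hash(password, salt):
    """Salted password hash kept only in the home campus directory."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed home-campus directory: the SSN stays here and is never released.
HOME_DIRECTORY = {
    "jdoe": {"salt": b"s1", "pw": _hash("correct horse", b"s1"),
             "affiliation": "student", "ssn": "000-00-0000"},
}


def idp_authenticate(user, password, audience, ttl=300, now=None):
    """Home campus: verify the password locally; on success return a signed
    assertion carrying only the attribute the audience is entitled to see."""
    rec = HOME_DIRECTORY.get(user)
    if rec is None or not hmac.compare_digest(_hash(password, rec["salt"]), rec["pw"]):
        return None                      # original authentication failed
    now = time.time() if now is None else now
    claims = {"sub": user, "affiliation": rec["affiliation"],   # no SSN released
              "iss": HOME_CAMPUS, "aud": audience, "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def sp_authorize(assertion, audience, now=None):
    """Visited campus: check signature, audience and expiry, then decide on the
    released affiliation alone. Returns (granted, reason)."""
    try:
        body, sig = assertion.split(".")
    except (ValueError, AttributeError):
        return False, "malformed"
    expected = hmac.new(FEDERATION_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"    # forged or tampered assertion
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if claims["aud"] != audience:
        return False, "wrong audience"   # assertion issued for another service
    if now >= claims["exp"]:
        return False, "expired"          # temporary, like a Kerberos ticket
    if claims["affiliation"] not in ("student", "faculty"):
        return False, "affiliation not licensed"
    return True, "granted"
```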

Content provided in partnership with Thompson Gale