Dartmouth Authentication Factors by fionan


Why PKI
Scott Rea

Boulder, CO
November 15, 2007
Identity Theft Is On the Rise

• Identity theft is the fastest growing crime
  in America:
  – 8.9 million victims in past year
  – 900,000 new victims each year
  – Cost to businesses more than $50 billion
  – Cost per incident to consumer $6,383
  Source: 2006 Javelin Survey

Campuses Are A Prime Target
• Dramatic increase in identity theft:
    – In 2004, only seven cases of identity theft were
      reported in higher education.
    – In 2005, this number leapt to 64 – an 89% increase over
      the previous year.
    – In 2006, this number expected to increase yet again
• NY Times Dec 18, 2006: “…educational institutions have particularly acute
   problem when it comes to nation's leaky data issue; study by Public Policy Institute for
   AARP last July, using data compiled by Identity Theft Resource Center, determined that
   of 90 million records reportedly compromised in various breaches between Jan 1, 2005,
   and May 26, 2006, 43 percent were at educational institutions.”
• Most data is accessed from stolen computers and
  laptops or by hackers capturing data on
  unprotected networks.
Beware the Hackers and Thieves
• University of Minnesota:
   – In August, two computers containing information on more than
     13,000 students were stolen from an employee’s desk.

• Western Illinois University:
   – Hackers retrieved names, addresses, credit card numbers and
     Social Security numbers on nearly 180,000 users.

• University of California, Los Angeles:
   – In December, hackers infiltrated a database containing the personal
     information on 800,000 people, in one of the worst computer
     breaches ever at a U.S. university

Beware the Hackers and Thieves
• Dartmouth College:
   – July 2004 Security Incident
   – Potential 17,000 Dartmouth affiliates affected
   – HR staff keeping unencrypted personal data on servers that anyone
     with a password could access
   – 8 servers impacted
   – FBI investigated with assistance from student security researchers
     in Prof. Sean Smith’s Computer Science group
   – Network vulnerability assessments on a regular basis were
   – eTokens now deployed as mandatory requirement for HE staff who
     require access to this data


Students Frequently Victimized
• 1 in 3 victims is under 30 years old. Common risks:
   – Compromise of passwords protecting sensitive data
       • Stolen laptops or weak or no passwords on sensitive, or no encryption on
         data/passwords traversing networks
   – Dormitory burglaries
   – Driver’s license/student ID theft
   – Credit card offers
       • 30% of students throw these out without destroying them.
   – Social Security numbers
       • 48% of students have had grades posted by Social Security number

Sensitive Data

• Greater access levels to sensitive or personally
  identifying information than ever before
• How do we protect against ignorant or lazy users
  or poorly designed applications?
• How do we meet legislative requirements to
  contain and protect sensitive data?
   – FERPA
   – HIPAA
   – CALEA
• How can we be sure who is accessing the data?

How Do We Protect Our

• While debate continues on what type of technology is best suited to prevent identity
  theft, many experts believe that a combination of PKI infrastructure and two-factor
  authentication offers the greatest promise of protection.

  Source: Financial Services Technology, Preventing Identity Theft

Authentication Factors

• Three Factors of Authentication:
  – Something you know
     • e.g. password, secret, URI, graphic
  – Something you have
     • e.g. key, token, smartcard, badge
  – Something you are
     • e.g. fingerprint, iris scan, face scan, signature

Authentication Factors

• Single Factor of Authentication is most common
   – Passwords (something you know) are the most common single factor

• At least Two Factor Authentication is recommended for
  securing important assets
   – e.g. ATM card + PIN (have + know)

• 2 x Single Factor Authentication ≠ Two Factor Authentication
   – e.g. Password + Graphic is NOT equivalent to Smartcard + PIN
     (although it may be better than a single instance of One Factor

• Without Two Factor Authentication, some secure
  communications may be vulnerable to disclosure
   – Especially in wireless networks
Problems With Centralized

Managing the Multitude: User

• Users HATE username/passwords
• Too many for them to manage:
   – Re-use same password
   – Use weak (easy to remember) passwords
   – Rely on “remember my password” crutches
• Forgotten password help desk calls cost $25 - $200 (IDC)
  and are far too common
• As we put more services online, it just gets worse…
Managing the Multitude: Admin Perspective
• Many different username/password schemes to
  learn, set up, and administer:
   – Backups, password resets, revoking access,
     initial password values, etc.
• Multiple administrators have access to
  usernames/passwords – many points of failure

Ending the Madness
• Traditional approaches
  – Single password
  – Single sign-on, fewer sign-ons
  – Local password management by end user
  – Two factor authentication

Single Password
• Users like it, but…

• Requires synchronizing passwords (inherently
  problematic) – actually makes admin madness
• Single username/password becomes single
  point of failure… Hack weakest application
  and get passwords to all applications!
• Costly to maintain and difficult to make work
All Your Eggs in One Basket
• Traditional username/password authentication
  requires access to passwords database from
  network servers or authentication server:
   – Bad guys have network access, can use this to crack
     individual accounts or worse, get many or all passwords
     in one grand hack. How would you like to have to notify
     thousands of users to satisfy FERPA requirements when
     their accounts are breached? This has happened!
   – Multiple (possibly many) system administrators have
     access to user passwords.
• Traditional Single Sign-on or Fewer Sign-on means
  once a username/password is compromised, access
  to multiple services is compromised.
Password Sharing

• Corrupts value of username/password for
  authentication and authorization.
• Users do share passwords: PKI Lab survey of
  171 undergraduates revealed that 75% of
  them shared their password and fewer than
  half of those changed it after sharing.
• We need two factor authentication to address
  password sharing.
Password Authentication

• General issues with Authentication using Password technology
   – Passwords easily shared with others (in violation of access policy)
   – Easily captured over a network if no encrypted channel used
   – Vulnerable to dictionary attacks even if encrypted channels are used
   – Weak passwords can be guessed or brute forced offline
   – Vulnerable to keyboard sniffing/logging attacks on public or
     compromised systems
   – Cannot provide non-repudiation since they generally require that the
     user be enrolled at the service provider, and so the service provider also
     knows the user's password
   – Vulnerable to Social Engineering attacks
   – Single factor of Authentication only

Password Authentication
• Definition of a Weak Password
  – The password contains less than eight characters
  – The password is a word found in a dictionary (English or
  – The password is a common usage word such as:
     • Names of family, pets, friends, co-workers, fantasy characters, etc.
     • Computer terms and names, commands, sites, companies, hardware,
     • Words using the company name or any derivation.
     • Birthdays and other personal information such as addresses and phone
     • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
     • Any of the above spelled backwards.
     • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Password Authentication

• Definition of a Strong Password
   – Contain both upper and lower case characters (e.g., a-z, A-Z)
   – Have digits and punctuation characters as well as letters (e.g.,
     0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
   – Are greater than eight alphanumeric characters long.
   – Are not a word in any language, slang, dialect, jargon, etc.
   – Are not based on personal information, names of family, etc.
   – Passwords should never be written down or stored on-line
     without encryption protection.
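The weak-password and strong-password rules from the last two slides, as a checker added here (not the deck's or Dartmouth's own code). The `listed` slice is a constructed stand-in for the dictionary, pattern and local-name lists the rules refer to, and the digit rule is applied at either end of the password at once.

```go
package main

import (
	"strings"
	"unicode"
)

// Constructed stand-in for the dictionary, pattern and local-name lists the rules refer to.
var listed = []string{"secret", "password", "dartmouth", "aaabbb", "qwerty", "zyxwvuts", "123321"}
func reverse(s string) string {
	r := []rune(s)
	for i, j := 0, len(r)-1; i < j; i, j = i+1, j-1 {
		r[i], r[j] = r[j], r[i]
	}
	return string(r)
}

// IsListed applies the weak-password rules: a listed word or pattern, the same
// spelled backwards, or either form with digits added at the front or back.
func IsListed(pw string) bool {
	lower := strings.ToLower(pw)
	for _, c := range []string{lower, strings.Trim(lower, "0123456789")} {
		for _, w := range listed {
			if c == w || reverse(c) == w {
				return true
			}
		}
	}
	return false
}

// CheckPassword returns the strong-password rules a password fails; empty means it passes.
func CheckPassword(pw string) []string {
	has := func(f func(rune) bool) bool { return strings.IndexFunc(pw, f) >= 0 }
	punct := func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }
	var fails []string
	if len([]rune(pw)) <= 8 {
		fails = append(fails, "not longer than eight characters")
	}
	if !has(unicode.IsUpper) || !has(unicode.IsLower) {
		fails = append(fails, "needs both upper and lower case")
	}
	if !has(unicode.IsDigit) || !has(punct) {
		fails = append(fails, "needs digits and punctuation as well as letters")
	}
	if IsListed(pw) {
		fails = append(fails, "listed word or pattern, reversed, or with a digit added")
	}
	return fails
}
```

A password such as `secret1` fails every rule, while `1terces` is caught as the reversed dictionary word with a digit prepended.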

Password Authentication

• Specific issues with Authentication using
  Password technology
   – Too many passwords to remember if requiring a
     different one for each application
      • Leads to users writing them down and not storing them
      • Leads to use of insecure or weak passwords (more secure ones
        are generally harder to remember)
      • Leads to higher helpdesk costs due to resetting of forgotten
      • Leads to re-use of passwords outside institutions’ domain
        where protection mechanisms may be much lower

Password Authentication

• Specific issues with Authentication using
  Password technology
   – Potential single point of failure for multiple
     applications if same password used
      • Strong passwords not consistently supported in all applications
      • Weak passwords lead to widespread compromises
      • Passwords not consistently protected for all applications
      • Password expiration not synchronized across applications
      • Limited character set for input
      • No control over use of passwords outside Dartmouth’s domain
      • Offline attacks against passwords may be possible

PKI’s Answer to Password Woes
• Users manage their own (single or few)
• Two factor authentication.
• Widely supported alternative for
  authentication to all sorts of applications
  (both web-based and otherwise).

PKI Passwords Are Local to Client
• PKI can eliminate user passwords on the network
• Passwords to PKI credentials are local, in the
  application key store or in a hardware token.
• User manages the password and only has one
  per set of credentials (likely only one or two).
• Still need a process for forgotten passwords, but it
  is only one for all applications using PKI
  authentication, and users are much less likely to
  forget it since they use it frequently and control
  it themselves.
Single Sign-on, Fewer Sign-ons
• More secure & provides some relief for users, but…

• Requires infrastructure (e.g. WebISO or Kerberos
• Fewer sign-ons still has synchronization problems.
• Single sign-on solutions are for web applications only.
• Kerberos sidecar has problems with address translation
  and firewalls and is not widely supported.

PKI Enables Single Password and Single Sign-on
• User maintains password on their credentials.
• PKI credentials authenticate user to the various
  services they use via PKI standards.
• No need for password synchronization.
• No additional infrastructure other than standard
  PKI and simple, standard hooks for PKI
  authentication in applications.
• Typically less effort to enable PKI
  authentication than other SSO methods.
PKI Facilitates Two Factor Authentication
• Requires something the user has (credentials
  stored in the application or a smartcard or token)
  in addition to something a user knows (local
  password for the credentials).
• Significant security improvement, especially
  with smartcard or token (a post-it next to the
  screen is no longer a major security hole).
• Reduces risk of password sharing.

The PKI Solution

• Solution to Password vulnerabilities - Public Key
  Infrastructure (PKI)
   – PKI consists of a key pair – 1 public, stored in a certificate, 1
     private, stored in a protected file or smartcard
   – Allows exchange of session secrets in a protected (encrypted)
     manner without disclosing private key
   – PKI lets users authenticate without giving their passwords away to
     the service that needs to authenticate them
• Dartmouth’s own password-hunting experiences, written up in
  EDUCAUSE Quarterly, show that users happily type their user ID
  and password into any reasonable-looking web site, because so many
  of them require it already.
       • PKI is a very effective measure against phishing

PKI Solution
• Solution to Password vulnerabilities - Public Key
  Infrastructure (PKI)
   – PKI lets users directly authenticate across domains
       • Researchers can collaborate more easily
       • Students can easily access materials from other institutions providing broader
         educational opportunities
   – PKI allows decentralized handling of authorization
       • Students on a project can get access to a web site or some other resource
         because Prof Smith delegated it to them
       • PKI simplifies this process – no need for a centralized bureaucracy, lowers
         overheads associated with research
   – Private key is never sent across the wire so cannot be compromised
     by sniffing
   – Not vulnerable to dictionary attacks
   – Brute force is not practical for given key lengths
   – Facilitates encryption of sensitive data to protect it even if a data
     stream or source is captured by a malicious entity
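The exchange the two PKI Solution slides describe, as an added example that is not the deck's or the Dartmouth PKI Lab's code: the server enrols only the public key, issues a random challenge, and checks a signature, so neither the private key nor the local password protecting it ever crosses the wire. Ed25519 stands in for the deck's 1024-bit RSA keys, and the user "alice" is a constructed enrolment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server enrols only public keys (what a certificate carries) and holds no
// user secret, so a stolen server database logs nobody in.
type Server struct{ users map[string]ed25519.PublicKey }

// Challenge returns a fresh random nonce for one login attempt.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify accepts the login only if sig is a valid signature over this nonce
// under the enrolled public key.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.users[user]
	return ok && ed25519.Verify(pub, nonce, sig)
}

// Client keeps the private key (and the local password that protects it) on
// the user's machine; only a signature ever crosses the wire.
type Client struct{ priv ed25519.PrivateKey }

func (c *Client) Respond(nonce []byte) []byte { return ed25519.Sign(c.priv, nonce) }

// Authenticate runs one complete exchange and reports the server's decision.
func Authenticate(s *Server, user string, c *Client) (bool, error) {
	nonce, err := s.Challenge()
	if err != nil {
		return false, err
	}
	return s.Verify(user, nonce, c.Respond(nonce)), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed user credential
	srv := &Server{users: map[string]ed25519.PublicKey{"alice": pub}}
	ok, err := Authenticate(srv, "alice", &Client{priv: priv})
	fmt.Println("accepted:", ok, "error:", err)
}
```

Because every challenge is fresh, a signature captured by a sniffer does not authenticate against the next challenge, which is the property the slides claim over sniffable passwords.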

PKI Solution
• Solution to Password vulnerabilities - Public Key
  Infrastructure (PKI)
   – 1024-bit keys are better than 128 character passwords (they are not
     subject to a limited character input set)
       • This is far stronger than our current Blitzmail or DND password
         based authentication
       • As one researcher said recently “the Sun will burn out before we
         break these”

   Quote from Prof Smith: “In the long run: user authentication and authorization
     in the broader information infrastructure is a widely recognized grand challenge.
     The best bet will likely be some combination of PKI and user tokens.”

   – Failing to look ahead in our IT choices means failing in our
     research and educational mission.

Additional PKI Benefits

• Additional drivers for PKI in Higher Education
  (besides stronger authentication):
   – Better protection of digital assets from disclosure, theft,
     tampering, and destruction
   – More efficient workflow in distributed environments
   – Greater ability to collaborate and reliably communicate
     with colleagues and peers
   – Greater access (and more efficient access) to external
   – Facilitation of research funding opportunities
   – Compliance

Additional PKI Benefits

• Applications that utilize PKI in Higher Education
   –   Secure Wireless
   –   S/MIME email
   –   Paperless Office workflow (Documentum)
   –   Encrypted File Systems (protecting mobile data assets)
   –   Strong SSO
   –   Shibboleth/Federations
   –   GRID Computing Enabled for Federations
   –   E-grants facilitation

•   Identity theft is the fastest growing crime in the US; Institutions of Higher Education are
    a prime target - 43% of this activity results from Campus compromises
     –   There has been an exponential increase in the number of reported cases each year
     –   UCLA recently had the worst computer breach ever at a US university (800,000 people
         impacted) in December 2006
     –   Dartmouth has already had a security breach (17,000 people impacted in 2004)

•   Protecting sensitive data with passwords is no longer sufficient – Two Factor
    Authentication is recommended
     –   Passwords by nature are vulnerable to many different easily replicable attacks
     –   No consistency in policy and implementation, allowing exploits for weak, reused, unmonitored

•   Applications now have better support for PKI, making it very useable for everyday users
    as vendors recognize the importance of this technology to securing digital assets

•   PKI facilitates a broader range of educational opportunities through decentralized
    authorization and cross-domain authentication with Federated identities

•   The PKI solution provides a number of promising additional benefits - not just the
    required stronger authentication

For More Information
Dartmouth PKI Outreach:

Dartmouth PKI Lab:

Scott Rea - Scott.Rea@dartmouth.edu

