Dartmouth Authentication Factors Why PKI and e Tokens

Dartmouth Authentication Factors – Why PKI and e. Tokens are required (Scott Rea) PKCS Technical Services December 2006

Introduction • Strong Two Factor Authentication is required to protect digital identities and digital assets as campuses become targets for the fastest growing crime in America – Identity Theft • In response to a security breach two years ago (resulting in 17, 000 affiliated individuals having to be notified that their personal data had been potentially compromised), Dartmouth enhanced its production roll out of a Public Key Infrastructure (PKI) with e. Tokens to protect Dartmouth affiliated individuals, their assets, and Dartmouth’s reputation as a premier provider of higher education • Having the forethought to implement a two-factor PKI scheme using a USB form factor smartcard has proven to be a master stroke, as it has kept Dartmouth on the cuttingedge of security technologies while helping to guard our infrastructure against the latest cyber-attacks, in addition to keeping the College out of the headlines for all the wrong reasons. • Dartmouth needs to continue its targeted roll out of PKI and e. Tokens to enable the protection of critical entities on campus, and re-evaluate the benefits of a full deployment to all students, faculty, and staff given the current network architecture, so that it can maintain its position as a premier and safe provider of higher education 2

Contents • Identify theft (the fastest growing crime in America) • Factors of Authentication - Passwords insufficient • Dartmouth’s Password Vulnerabilities • Dartmouth’s Solution to Poor Passwords • Dartmouth’s PKI Pedigree • Strengthening PKI at Dartmouth with e. Tokens • Conclusion 3

Identity Theft Is On the Rise • Identify theft is the fastest growing crime in America: – 8. 9 million victims in past year – 900, 000 new victims each year – Cost to businesses more than $50 billion – Cost per incident to consumer $6, 383 Source: 2006 Javelin Survey 4

Campuses Are A Prime Target • Dramatic increase in identity theft: – In 2004, only seven cases of identity theft were reported in higher education. – In 2005, this number leapt to 64 – an 89% increase over the previous year. – In 2006, this number expected to increase yet again • NY Times Dec 18, 2006: “…educational institutions have particularly acute problem when it comes to nation's leaky data issue; study by Public Policy Institute for AARP last July, using data compiled by Identity Theft Resource Center, determined that of 90 million records reportedly compromised in various breaches between Jan 1, 2005, and May 26, 2006, 43 percent were at educational institutions. ” • Most data is accessed from stolen computers and laptops or by hackers capturing data on unprotected networks. 5

Beware the Hackers and Thieves • University of Minnesota: – In August, two computers containing information on more than 13, 000 students, were stolen from an employee’s desk. http: //www. twincities. com/mld/twincities/news/state/minnesota/15807799. htm • Western Illinois University: – Hackers retrieved names, addresses, credit card numbers and Social Security numbers on nearly 180, 000 users. http: //news. com/Illinois+university+hit+with+security+breach/2100 -7349_3 -6090860. html • University of California, Los Angeles: – In December, hackers infiltrated a database containing the personal information on 800, 000 people, in one of the worst computer breaches ever at a U. S. university http: //today. reuters. com/news/articlenews. aspx? type=technology. News&storyid=2006 -1212 T 214001 Z_01_N 12361703_RTRUKOC_0_US-USA-UCLA-HACKER. xml 6

Beware the Hackers and Thieves • Dartmouth College: – July 2004 Security Incident – Potential 17, 000 Dartmouth affiliates affected – HR staff keeping unencrypted personal data on servers that anyone with a password could access – 8 servers impacted – FBI investigated with assistance from student security researchers in Prof. Sean Smith’s Computer Science group – Network vulnerability assessments (like the one currently underway) on a regular basis were recommended – e. Tokens now deployed as mandatory requirement for HE staff who require access to this data http: //www. dartmouth. edu/comp/support/library/safecomputing/threats/id-theft/incidents/2004 -07 -28. html 7

Students Frequently Victimized • 1 in 3 victims is under 30 years old. Common risks: – Compromise of passwords protecting sensitive data • Stolen laptops or weak or no passwords on sensitive, or no encryption on data/passwords traversing networks – Dormitory burglaries – Driver’s license/student ID theft – Credit card offers • 30% of students throw these out without destroying them. – Social Security numbers • 48% of students have had grades posted by Social Security number 8

How Do We Protect Our Students/Staff/Faculty • While debate continues on what type of technology is best suited to prevent identity theft, many experts believe that a combination of PKI infrastructure and twofactor authentication offers the greatest promise of protection. Source: Financial Services Technology, Preventing Identity Theft 9

Authentication Factors • Three Factors of Authentication: – Something you know • e. g. password, secret, URI, graphic – Something you have • e. g. key, token, smartcard, badge – Something you are • e. g. fingerprint, iris scan, face scan, signature 10

Authentication Factors • Single Factor of Authentication is most common – Passwords (something you know) are the most common single factor • At least Two Factor Authentication is recommended for securing important assets – e. g. ATM card + PIN (have + know) • 2 x Single Factor Authentication ≠ Two Factor Authentication – e. g. Password + Graphic is NOT equivalent to Smartcard + PIN (although it may be better than a single instance of One Factor Authentication) • Without Two Factor Authentication, some secure communications may be vulnerable to disclosure – Especially in wireless networks 11

Password Authentication • General issues with Authentication using Password technology – – – Passwords easily shared with others (in violation of access policy) Easily captured over a network if no encrypted channel used Vulnerable to dictionary attacks even if encrypted channels are used Weak passwords can be guessed or brute forced offline Vulnerable to keyboard sniffing/logging attacks on public or compromised systems – Cannot provide non-repudiation since they generally require that the user be enrolled at the service provider, and so the service provider also knows the user's password – Vulnerable to Social Engineering attacks – Single factor of Authentication only 12

Password Authentication • Definition of a Weak Password – The password contains less than eight characters – The password is a word found in a dictionary (English or foreign) – The password is a common usage word such as: • Names of family, pets, friends, co-workers, fantasy characters, etc. • Computer terms and names, commands, sites, companies, hardware, software. • Words using the company name or any derivation. • Birthdays and other personal information such as addresses and phone numbers. • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc. • Any of the above spelled backwards. • Any of the above preceded or followed by a digit (e. g. , secret 1, 1 secret) 13

Password Authentication • Definition of a Strong Password – Contain both upper and lower case characters (e. g. , a-z, A-Z) – Have digits and punctuation characters as well as letters (e. g. , 09, !@#$%^&*()_+|~-=`{}[]: ”; ’<>? , . /) – Are greater than eight alphanumeric characters long. – Are not a word in any language, slang, dialect, jargon, etc. – Are not based on personal information, names of family, etc. – Passwords should never be written down or stored on-line without encryption protection. 14

Password Authentication • Specific issues with Authentication using Password technology – Too many passwords to remember if requiring a different one for each application • Leads to users writing them down and not storing them securely • Leads to use of insecure or weak passwords (more secure ones are generally harder to remember) • Leads to higher helpdesk costs due to resetting of forgotten passwords. • Leads to re-use of passwords outside Dartmouth’s domain where protection mechanisms may be much lower 15

Password Authentication • Specific issues with Authentication using Password technology – Potential single point of failure for multiple applications if same password used • • Strong passwords not consistently supported in all applications Weak passwords leads to widespread compromises Passwords not consistently protected for all applications Password expiration not synchronized across applications Limited character set for input No control over use of passwords outside Dartmouth’s domain Offline attacks against passwords may be possible 16

Passwords at Dartmouth • Dartmouth’s Password vulnerabilities – All Kerberos/Side. Car enabled applications restrict password length to 8 characters (barely reaching the “strong” minimum length) – Blitzmail only uses first 8 characters of a password – Older Blitzmail accounts do not even have this minimum protection, e. g. some 3 -4 character passwords still exist – No policy for password rotation enforced – No policy for password authentication attempts enforced – Lots of different systems with different password requirements • No consistency – a password policy with enforcement is required 17

Passwords at Dartmouth • Dartmouth’s Password vulnerabilities – Passwords are written down and not encrypted – Passwords are happily entered into any authentic looking login page • The Web. Auth effort is aimed at mitigating this risk for DND password based authentication, • The PKI authentication option for Web. Auth eliminates it – Pervasive wireless network makes it easier to grab passwords sent in the clear (and they are) – Encrypted channels with weak passwords are able to be attacked offline 18

Dartmouth’s Solution • Dartmouth’s Solution to Password vulnerabilities -Public Key Infrastructure (PKI) – PKI consists of a key pair – 1 public, stored in a certificate, 1 private, stored in a protected file or smartcard – Allows exchange of session secrets in a protected (encrypted) manner without disclosing private key – PKI lets users authenticate without giving their passwords away to the service that needs to authenticate them • Our own password-hunting experiences, written up in EDUCAUSE Quarterly, shows that users happily type their user ID and password into any reasonable-looking web site, because so many of them require it already. • PKI is a very effective measure against phishing 19

Dartmouth’s Solution • Dartmouth’s Solution to Password vulnerabilities -Public Key Infrastructure (PKI) – PKI lets users directly authenticate across domains • Researchers can collaborate more easily • Students can easily access materials from other institutions providing broader educational opportunities – PKI allows decentralized handling of authorization • Students on a project can get access to a web site or some other resource because Prof Smith delegated it to them • PKI simplifies this process – no need for a centralized bureaucracy, lowers overheads associated with research – Private key is never sent across the wire so cannot be compromised by sniffing – Not vulnerable to dictionary attacks – Brute force is not practical for given key lengths – Facilitates encryption of sensitive data to protect it even if a data stream or source is captured by a malicious entity 20

Dartmouth’s Solution • Dartmouth’s Solution to Password vulnerabilities Public Key Infrastructure (PKI) – 1024 -bit keys are better than 128 character passwords (they are not subject to a limited character input set) • This is far stronger than our current Blitzmail or DND password based authentication • As one researcher said recently “the Sun will burn out before we break these” Quote from Prof Smith: “In the long run: user authentication and authorization in the broader information infrastructure is a widely recognized grand challenge. The best bet will likely be some combination of PKI and user tokens. ” – Failing to look ahead in our IT choices means failing in our research and educational mission. 21

Dartmouth’s Solution • Dartmouth’s Solution to Password vulnerabilities -Public Key Infrastructure (PKI) – Browsers now have better support for PKI, making it very useable for everyday users • Vendors recognize the importance of this technology to securing digital assets • The ubiquitous browser interface can now be a tool for secure and confidential communications • Dartmouth no longer needs to be concerned with maintaining bolt-on security mechanisms like Side. Car which has Kerberos version compatibility issues, open port through firewall issues etc. • Critical educational applications like Banner and Blackboard can now be securely access via PKI right from any browser 22

PKI at Dartmouth • Dartmouth’s PKI History – Dartmouth has been providing PKI leadership since 2000 across many sectors – not just Higher Education – Dartmouth has run a production Certificate Authority on campus for 4 years – There are currently over 9000 active certificates in circulation, issued by the Dartmouth CA – The default for Web. Auth authentication on the Dartmouth campus is PKI – Dartmouth facilitates Two Factor Authentication through PKI and Aladdin e. Tokens – Distribution of over 2, 250 e. Tokens to Faculty, Staff, and Students on campus – e. Token distribution to Freshmen for past three years 23

PKI at Dartmouth • Dartmouth’s PKI History – Dartmouth established a PKI Lab in 2000 and performs PKI Outreach to the HE community – Dartmouth built and operates the Higher Education Bridge Certificate Authority (HEBCA) for EDUCAUSE. HEBCA is a mechanism for allowing trust and interoperability between all US HE institutions, the US federal government, and other communities of interest – Dartmouth built the US Higher Education Root (USHER) infrastructure for Internet 2, and created the first USHER CA – a common policy framework for establishing trust and PKIs in HE. – Dartmouth is a founding member of The Americas Grid Policy Management Authority (TAGPMA) who sets PKI policy and accredits grid authentication service providers within the International Grid Trust Federation 24

PKI at Dartmouth • Dartmouth’s PKI History – Dartmouth provided the founding program Chair of the NIST/NIH PKI Research Workshop which has become the premier event on the information security PKI research circuit – Dartmouth has provided program committee representation on every NIST PKI conference – Dartmouth actually has 2 representatives this year – Dartmouth has provided program committee representation on every Euro. PKI conference (which were founded in response to the NIST conferences listed above) – Dartmouth has published approximately 50 PKI-related research papers since the establishment of the PKI Lab and provided a prodigious amount of PKI-related talks at conferences and workshops – Dartmouth is a founding member of the HEBCA Policy Authority (meaning we have continuous representation on the PA), and has provided the first two Chairs for this organization, and the current Secretary 25

PKI at Dartmouth • Dartmouth’s PKI History – Dartmouth developed the CA-in-a-box distribution to reduce the set up costs and complexity for entities wanting to run their own PKI Certification Authority • This is used in Grid-related authentication services (a recent example is the Texas Advanced Computing Center) • This is also used by institutions of higher education for CA services (e. g. Cornell University) – Dartmouth developed the Air. Gap solution to securely connect offline Certification Authorities with highly available online Directories • This device was constructed for under $100 and provided the HEBCA and USHER projects with up to $200, 000 in potential savings • This solution is now used by federal agencies, commercial entities, and institutions of higher education • This solution was voted the #1 beneficial hack or inspired workaround by Info. World in its May 2006 edition 26

PKI at Dartmouth • Dartmouth’s PKI History – Dartmouth is the developer of the Greenpass project - a PKI based method of delegating access authorization to a restricted network for guests visiting another institution • This project generated intense interest from industry giants such as Cisco and Intel, enough for them to provide large research grants for its further development and invite talks and demonstrations to their internal campuses – Dartmouth is the site for the development of the next generation of Open. CA for PKI services, partially funded by Sun Microsystems. • Massimiliano Pala (the existing Open. CA Project Manager) is a visiting post-doctoral fellow for this purpose (from January 2007) – Dartmouth through Prof. Smith, was awarded a prestigious multi-million dollar "NSF CAREER" grant explicitly about making PKI usable • • The CAREER program recognizes and supports the early career-development activities of those teacherscholars who are most likely to become the academic leaders of the 21 st century. Prof. Smith is studying how to use PKI and trusted computing technology to build trustworthy relationships among users spanning many organizations. – Dartmouth has been regularly sought out for, and provided PKI consulting and advice to a multitude of industry sectors including: • • • federal government banking industry pharmaceutical industry technological sector higher education 27

PKI at Dartmouth • Dartmouth’s PKI History “Dartmouth is honored to participate with other institutions in working with EDUCAUSE and the National Institutes of Health in this demonstration of the Public Key Infrastructure. The success of our submission today represents a significant step toward establishing higher levels of trust for the secure exchange of information over the Internet. The development of this Public Key Infrastructure will allow individuals and institutions to send a range of transactions from student loan agreements to the simple exchange of digitally signed e-mail with the confidence that they will be secure. This project is of enormous benefit to higher education as well as the broader society. ” President James E. Wright On the EDUCAUSE HEBCA Project (http: //www. educause. edu/Press. Releases/1175? ID=1035) “The Public Key Infrastructure (PKI) project focuses on the day-to-day security needs of the higher education institution. . Although public keys already exist on many campuses, this project will help to develop much-needed protocols and standards for the use of such keys. . Such research is of vital importance to the nation's security interests and has implications for the commercial and academic realms. ” President James E. Wright On the PKI Project at Dartmouth EDUCAUSE Review, vol. 37, no. 5 28

Additional PKI Benefits • Additional drivers for PKI at Dartmouth (besides stronger authentication): – Better protection of digital assets from disclosure, theft, tampering, and destruction – More efficient workflow in distributed environments – Greater ability to collaborate and reliably communicate with colleagues and peers – Greater access (and more efficient access) to external resources – Facilitation of research funding opportunities – Compliance 29

Additional PKI Benefits • Applications that utilize PKI in Higher Education – – – – S/MIME email Paperless Office workflow (Documentum) Encrypted File Systems (protecting mobile data assets) Strong SSO Shibboleth/Federations GRID Computing Enabled for Federations E-grants facilitation 30

Strengthening PKI at Dartmouth • Standard PKI is single factor authentication – it is something you have (a private key) • Storing the private key in a secure place and protecting access to it with a passphrase creates Two Factor Authentication – (i. e. private key [something you have] and passphrase [something you know]) • But storing a private key in software ONLY means it can be copied to many places – some of which may not be secure – potentially reducing this to single factor only (the passphrase protecting the private key) and also making it vulnerable to offline attacks • Storing the key in a FIPS-140 authenticated PKI hardware module ensures the private key only has a single instance - But a single instance can be restricting unless it is very portable 31

Strengthening PKI at Dartmouth • Smartcards or USB Tokens are very portable hardware options. The USB Token is usually favored over smartcards due to the additional cost of the latter option requiring readers everywhere the card is to be used (USB is mostly ubiquitous) • Dartmouth chose Aladdin e. Token as its partner for PKI hardware modules after an evaluation of available products utilized for this purpose • Aladdin e. Token is a house key sized HSM that protects PKI keys and can also perform other information security functions • Dartmouth began rolling out to freshmen 3 years ago, also targeted faculty and staff are required to carry them for compliance (FERPA, HIPAA) reasons 32

Strengthening PKI at Dartmouth • Dartmouth started with 16 K version e. Token – now moving to 64 K version that allows for stronger key sizes • Aladdin also has combination devices that contain a standard flash memory chip (like a standards thumb drive) as well as the cryptography chip (delivering 2 -for-1 functionality) • Aladdin provides drivers for the e. Token for the operating systems supported on the Dartmouth Campus – Windows, Linux, Mac OSX • By spring 2008, all freshmen will have had a chance to obtain an e. Token with a certificate and Dartmouth can start requiring Two Factor Authentication for applications with sensitive data (PKI is optional right now) 33

Summary • Identity theft if the fastest growing crime in the US, Institutions of Higher Education are a prime target - 43% of this activity results from Campus compromises – – – • There has been an exponential increase in the number of reported cases each year UCLA just had the worst computer breach ever at a US university (800, 000 people impacted) in December 2006 Dartmouth has already had a security breach (17, 000 people impacted in 2004) Protecting sensitive data with passwords is no longer sufficient – Two Factor Authentication is recommended – – Passwords by nature are vulnerable to many different easily replicable attacks No consistency in policy and implementation, allowing exploits for weak, reused, unmonitored passwords • Dartmouth has been implementing PKI and e. Tokens as the replacement authentication mechanism to passwords since 2003 • Aladdin e. Tokens combined with PKI provide bullet-proof Two Factor protection • Browsers now have better support for PKI, making it very useable for everyday users as vendors recognize the importance of this technology to securing digital assets 34

Summary • PKI facilitates a broader range of educational opportunities through decentralized authorization and cross-domain authentication with Federated identities • The PKI solution provides a number of promising additional benefits - not just the required stronger authentication • Dartmouth has a long history of PKI achievements and leadership across many sectors – not just higher education: – – – – Successful local PKI deployment Operation of large PKI based communities of interest (HEBCA, USHER) Establishment of PKI governance bodies (HEBCA, TAGPMA) Development of PKI related technologies (CA-in-a-box, Air. Gap, Greenpass, Open. CA-NG) Participation, leadership and establishment of PKI based conferences and workshops (NIST PKI R&D, Euro. PKI, EDUCAUSE PKI Summit) Prolific publishing of papers and invited talks and panels at PKI related conferences Grants for PKI related research from large industry corporations and government agencies (NSF, DHS, Cisco, Intel, Sun, Mellon Foundation) Dartmouth is sought after and recognized as a PKI leader by industries outside of higher education (government, finance, pharmaceutical, technology) 35

Summary • James E. Wright, President of Dartmouth College has publicly endorsed and promoted the PKI project. In reference to this project he stated: “We need to be careful that we do not stray from the basic principles of access and openness that John Kemeny articulated and that the academy embraced so many years ago. Colleges and universities are not, by definition, secretive places. They thrive on the free exchange of ideas and on open debate. But nor can we afford to be Pollyannaish about the real changes that have occurred in the digital world in which we live and learn. Thus we must strive for a sensitive balance between openness and security, between access and control. We need both. …Public key systems enable parties to engage in the trusted exchange of information even if they have never met and share no secrets beforehand. ” EDUCAUSE Review, vol. 37, no. 5 • Dartmouth, by making e. Tokens available to incoming freshmen, is only ½ way through its roll out for all students. To ensure the integrity of this solution, with a common protection standard for the entire student population, the roll out should continue in order to protect Dartmouth from future breaches, and keep Dartmouth as a leader at the forefront of this technology. • Failing to look ahead in our IT choices means failing in our research and educational mission. 36

For More Information Dartmouth PKI Outreach: http: //www. dartmouth. edu/~deploypki/ Dartmouth PKI Lab: http: //www. dartmouth. edu/~pkilab/ Scott Rea - Scott. Rea@dartmouth. edu 37