Why PKI & the 4BF (Scott Rea) Securing the ecampus - Hanover NH July 28, 2009

Transcription

1 Why PKI & the 4BF (Scott Rea) Securing the ecampus - Hanover NH July 28, 2009

2 Identity Theft Is On the Rise Identify theft is still a fast growing crime in America: 9.9 million victims in past year This is a 22% increase over previous year Cost to businesses more than $48 billion Cost per incident to consumer is down significantly (by 31%) to ~$500 Detection and resolution efforts appear to be working Source: 2009 Javelin Survey 2

3 Campuses Are A Prime Target NY Times Dec 18, 2006: educational institutions have particularly acute problem when it comes to nation's leaky data issue; study by Public Policy Institute for AARP last July, using data compiled by Identity Theft Resource Center, determined that of 90 million records reportedly compromised in various breaches between Jan 1, 2005, and May 26, 2006, 43 percent were at educational institutions Statistics: Banking/credit/financial 12% Business 36% Education 20% Govt/military 17% Medical/healthcare 15% 3

4 Beware the Hackers and Thieves 2008 dishonor roll: Stanford University (CA) 72,000 records University of Maryland (MD) 23,000 records Oklahoma State University 70,000 records Princeton Review (FL) 34,000 records Wilmer-Hale, Harvard (MA) 21,000 records Ohio State University (OH) 18,000 records Lasell College (MA) 20,000 records Long Island University (NY) 30,000 records Georgetown University (DC) 38,000 records Source: Identity Theft Resource Center 4

5 Beware the Hackers and Thieves Dartmouth College: July 2004 Security Incident Potential 17,000 Dartmouth affiliates affected HR staff keeping unencrypted personal data on servers that anyone with a password could access 8 servers impacted FBI investigated with assistance from student security researchers in Prof. Sean Smith s Computer Science group Network vulnerability assessments on a regular basis were recommended etokens now deployed as mandatory requirement for HE staff who require access to this data 5

6 Students Frequently Victimized 1 in 3 victims is under 30 years old. Common risks: Compromise of passwords protecting sensitive data Stolen laptops or weak or no passwords on sensitive, or no encryption on data/passwords traversing networks Dormitory burglaries Driver s license/student ID theft Credit card offers 30% of students throw these out without destroying them. Social Security numbers 48% of students have had grades posted by Social Security number 6

7 Sensitive Data Greater access levels to sensitive or personally identifying information than ever before How do we protect against ignorant or lazy users or poorly designed applications? How do we meet legislative requirements to contain and protect sensitive data? FERPA HIPAA CALEA How can we be sure who is accessing the data? 7

8 How Do We Protect Our Students/ Staff/Faculty While debate continues on what type of technology is best suited to prevent identity theft, many experts believe that a combination of PKI infrastructure and twofactor authentication offers the greatest promise of protection. Source: Financial Services Technology, Preventing Identity Theft 8

9 Authentication Factors Three Factors of Authentication: Something you know e.g. password, secret, URI, graphic Something you have e.g. key, token, smartcard, badge Something you are e.g. fingerprint, iris scan, face scan, signature 9

10 Authentication Factors Single Factor of Authentication is most common Passwords (something you know) are the most common single factor At least Two Factor Authentication is recommended for securing important assets e.g. ATM card + PIN (have + know) 2 x Single Factor Authentication Two Factor Authentication e.g. Password + Graphic is NOT equivalent to Smartcard + PIN (although it may be better than a single instance of One Factor Authentication) Without Two Factor Authentication, some secure communications may be vulnerable to disclosure Especially in wireless networks 10

11 Problems With Centralized Passwords

12 Managing the Multitude: User Perspective Users HATE username/passwords Too many for them to manage: Re-use same password Use weak (easy to remember) passwords Rely on remember my password crutches Forgotten password help desk calls cost $25 - $200 (IDC) and are far too common As we put more services online, it just gets worse 12

13 Managing the Multitude: Admin Perspective Many different username/ password schemes to learn, set up, and administer: Backups, password resets, revoking access, initial password values, etc. Multiple administrators have access usernames/passwords many points of failure 13

14 Ending the Madness Traditional approaches Single password Single sign-on, fewer sign-ons PKI Local password management by end user Two factor authentication 14

15 Single Password Users like it, but Requires synchronizing passwords (inherently problematic) actually makes admin madness worse! Single username/password becomes single point of failure Hack weakest application and get passwords to all applications! Costly to maintain and difficult to make work well. 15

16 All Your Eggs in One Basket Traditional username/password authentication requires access to passwords database from network servers or authentication server: Bad guys have network access, can use this to crack individual accounts or worse, get many or all passwords in one grand hack. How would you like to have to notify thousands of users to satisfy FERPA requirements when their accounts are breached? This has happened! Multiple (possibly many) system administrators have access to user passwords. Traditional Single Sign-on or Fewer Sign-on means once a username/password is compromised, access to multiple services is compromised. 16

17 Password Sharing Corrupts value of username/password for authentication and authorization. Users do share passwords: PKI Lab survey of 171 undergraduates revealed that 75% of them shared their password and fewer than half of those changed it after sharing. We need two factor authentication to address password sharing. 17

18 Password Authentication General issues with Authentication using Password technology Passwords easily shared with others (in violation of access policy) Easily captured over a network if no encrypted channel used Vulnerable to dictionary attacks even if encrypted channels are used Weak passwords can be guessed or brute forced offline Vulnerable to keyboard sniffing/logging attacks on public or compromised systems Cannot provide non-repudiation since they generally require that the user be enrolled at the service provider, and so the service provider also knows the user's password Vulnerable to Social Engineering attacks Single factor of Authentication only 18

19 Definition of a Weak Password Password Authentication The password contains less than eight characters The password is a word found in a dictionary (English or foreign) The password is a common usage word such as: Names of family, pets, friends, co-workers, fantasy characters, etc. Computer terms and names, commands, sites, companies, hardware, software. Words using the company name or any derivation. Birthdays and other personal information such as addresses and phone numbers. Word or number patterns like aaabbb, qwerty, zyxwvuts, , etc. Any of the above spelled backwards. Any of the above preceded or followed by a digit (e.g., secret1, 1secret) 19

20 Password Authentication Definition of a Strong Password Contain both upper and lower case characters (e.g., a-z, A-Z) Have digits and punctuation characters as well as letters (e.g., 0-9,!@#$%^&*()_+ ~-=\`{}[]: ; <>?,./) Are greater than eight alphanumeric characters long. Are not a word in any language, slang, dialect, jargon, etc. Are not based on personal information, names of family, etc. Passwords should never be written down or stored on-line without encryption protection. 20

21 Password Authentication Specific issues with Authentication using Password technology Too many passwords to remember if requiring a different one for each application Leads to users writing them down and not storing them securely Leads to use of insecure or weak passwords (more secure ones are generally harder to remember) Leads to higher helpdesk costs due to resetting of forgotten passwords. Leads to re-use of passwords outside institutions domain where protection mechanisms may be much lower 21

22 Password Authentication Specific issues with Authentication using Password technology Potential single point of failure for multiple applications if same password used Strong passwords not consistently supported in all applications Weak passwords leads to widespread compromises Passwords not consistently protected for all applications Password expiration not synchronized across applications Limited character set for input No control over use of passwords outside Dartmouth s domain Offline attacks against passwords may be possible 22

23 PKI s Answer to Password Woes Users manage their own (single or few) passwords. Two factor authentication. Widely supported alternative for authentication to all sorts of applications (both web-based and otherwise). 23

24 PKI Passwords Are Local to Client PKI can eliminate user passwords on network servers. Password to PKI credentials are local in the application key store or in hardware token. User manages the password and only has one per set of credentials (likely only one or two). Still need process for forgotten password, but it is only one for all applications using PKI authentication, and users are much less likely to forgot it since they use it frequently and control it themselves. 24

25 Single Sign-on, Fewer Sign-ons More secure & provides some relief for users, but Requires infrastructure (e.g. WebISO ). Fewer sign-ons still has synchronization problems. Single sign-on solutions are for web applications only. Some applications have problems with address translation and firewalls (e.g. Kerberos sidecar) and is not widely supported. 25

26 PKI Enables Single Password and Single Sign-on User maintains password on their credentials. PKI credentials authenticate user to the various services they use via PKI standards. No need for password synchronization. No additional infrastructure other than standard PKI and simple, standard hooks for PKI authentication in applications. Typically less effort to enable PKI authentication than other SSO methods. 26

27 PKI Facilitates Two Factor Authentication Requires something the user has (credentials stored in the application or a smartcard or token) in addition to something a user knows (local password for the credentials). Significant security improvement, especially with smartcard or token (a post-it next to the screen is no longer a major security hole). Reduces risk of password sharing. 27

28 The PKI Solution Solution to Password vulnerabilities -Public Key Infrastructure (PKI) PKI consists of a key pair 1 public, stored in a certificate, 1 private, stored in a protected file or smartcard Allows exchange of session secrets in a protected (encrypted) manner without disclosing private key PKI lets users authenticate without giving their passwords away to the service that needs to authenticate them Dartmouth s own password-hunting experiences, written up in EDUCAUSE Quarterly, shows that users happily type their user ID and password into any reasonable-looking web site, because so many of them require it already. PKI is a very effective measure against phishing 28

29 PKI Solution Solution to Password vulnerabilities -Public Key Infrastructure (PKI) PKI lets users directly authenticate across domains Researchers can collaborate more easily Students can easily access materials from other institutions providing broader educational opportunities PKI allows decentralized handling of authorization Students on a project can get access to a web site or some other resource because Prof Smith delegated it to them PKI simplifies this process no need for a centralized bureaucracy, lowers overheads associated with research Private key is never sent across the wire so cannot be compromised by sniffing Not vulnerable to dictionary attacks Brute force is not practical for given key lengths Facilitates encryption of sensitive data to protect it even if a data stream or source is captured by a malicious entity 29

30 PKI Solution Solution to Password vulnerabilities -Public Key Infrastructure (PKI) 1024-bit keys are better than 128 character passwords (they are not subject to a limited character input set) This is far stronger than any password based authentication NIST now recommends 2048-bit keys which are better than 256 character passwords As one researcher said recently the Sun will burn out before we break these Quote from Prof Smith: In the long run: user authentication and authorization in the broader information infrastructure is a widely recognized grand challenge. The best bet will likely be some combination of PKI and user tokens. Failing to look ahead in our IT choices means failing in our research and educational mission. 30

31 Additional PKI Benefits Additional drivers for PKI in Higher Education (besides stronger authentication): Better protection of digital assets from disclosure, theft, tampering, and destruction More efficient workflow in distributed environments Greater ability to collaborate and reliably communicate with colleagues and peers Greater access (and more efficient access) to external resources Facilitation of research funding opportunities Compliance 31

32 Additional PKI Benefits Applications that utilize PKI in Higher Education Secure Wireless S/MIME Paperless Office workflow (Time sheets, document management system) Encrypted File Systems (protecting mobile data assets) Strong SSO Shibboleth/Federations GRID Computing Enabled for Federations E-grants facilitation 32

33 Summary Identity theft is still a growing crime in the US, Institutions of Higher Education are a prime target - 20% of this activity results from Campus compromises (that s 2 nd most targeted community) There has been a significant increase in the number of reported cases this past year Dartmouth has already had a security breach (17,000 people impacted in 2004) Protecting sensitive data with passwords is no longer sufficient Two Factor Authentication is recommended Passwords by nature are vulnerable to many different easily replicable attacks No consistency in policy and implementation, allowing exploits for weak, reused, unmonitored passwords Applications now have better support for PKI, making it very useable for everyday users as vendors recognize the importance of this technology to securing digital assets PKI facilitates a broader range of educational opportunities through decentralized authorization and cross-domain authentication with Federated identities The PKI solution provides a number of promising additional benefits - not just the required stronger authentication 33

34 For More Information Scott Rea - Scott.Rea@dartmouth.edu 34