Access ‘98 Authentication & Security
George Machovec, Technical Director, Colorado Alliance of Research Libraries

Posted on 19-Dec-2015

Page 1

Access ‘98
Authentication & Security

George Machovec
Technical Director
Colorado Alliance of Research Libraries

Page 2

Authentication & Security

Authentication: To allow users to access the appropriate networked databases from anywhere at any time. A user establishes a right to an identity.

Authorization: To allow users to receive the appropriate suite of electronic products to which they are entitled. Is an “identity” permitted to perform some action...

Page 3

Authentication & Security

Libraries and consortia offer broad suites of electronic products which must be accessed both on-campus and remotely.
• Dial-in users through commercial ISPs
• Faculty on sabbatical
• Distance education
• Other authorized users not on campus for whatever reason

Page 4

Authentication & Security

Typical kinds of services libraries want to distribute:
• OCLC FirstSearch
• Ovid or SilverPlatter (local or remote)
• Information Access Company
• Encyclopedia Britannica
• GaleNet
• Hundreds of others

Page 5

Authentication & Security

Authentication Strength
• Reasonable security which meets the requirements of both the university and the supplier of data is important. This is somewhat subjective and depends on what is being protected, how easily it is “hacked,” and what the chances or consequences of a breach are, either on a single or a systematic basis.

Page 6

Authentication & Security

Granularity of Requirements
• How finely must users be segregated for access to different resources (e.g. faculty, grad students, undergrads, staff, community borrowers)?
• How does granularity affect pricing?
• What about use statistics?
• Be practical...

Page 7

Authentication & Security

Privacy Issues
• Confidentiality of users with vendors is key
• Possible data gathered by a vendor should be protected via contract from resale or reuse
• Many universities are bound by privacy laws or legislative constraints
• Encryption as protection from hackers may offer better privacy but may not always be practical

Page 8

Authentication & Security: Techniques

IP Filtering - An IP address (or range of addresses) is used to filter access to a database or service so that only users with a PC (e.g. browser) within a proper network domain may gain access.

Page 9

Authentication & Security: IP Filtering

Benefits
• Widely used
• Well understood
• No passwords to remember or change
• No unauthorized distribution of passwords

Drawbacks
• Must be at a browser within an IP range
• Bad for remote users
• Many academic institutions are dropping their modem pools, or the pools are too small
• Little granularity in use data

Page 10

Authentication & Security: Techniques

UserID and Passwords - The distribution of logins and passwords for access to computer systems has historically been widely used in the computing community. Upon reaching an electronic resource the user is asked to log in for access. In more secure systems passwords are periodically changed.

Page 11

Authentication & Security: UserID and Passwords

Benefits
• Widely employed and often used in conjunction with IP filtering
• Available on most services
• Can be remembered and used from anywhere

Drawbacks
• Files must be maintained
• Encryption of passwords?
• Z39.50 compatibility may be a problem, esp. with encryption
• Unauthorized distribution

Page 12

Authentication & Security: Techniques

Hybrid Solutions with IP Filter + UserID/Password if filtering fails - In this scenario a user goes to a resource and goes through IP source address filtering; if it fails, the user is then prompted for a UserID to establish their identity.

Page 13

Authentication & Security: Hybrid IP filtering + UserID

Benefits
• Works for local and remote users
• Does not require the “hassle” of a password when a person is in your local network
• Implementation of this solution can range from easy to complex

Drawbacks
• Must maintain a user file
• Unauthorized UserID distribution is a danger
• May work well in some situations and not others
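The hybrid check from pages 12 and 13, with the user file kept as salted hashes to answer the “Encryption of passwords?” drawback on page 11, as an added Python example that is not from the slides or from any of the systems they describe; the campus address ranges, card ID and secret are constructed sample values, and the user-file layout is an assumption.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample: address ranges treated as "on campus" (assumption, not from the slides).
CAMPUS_RANGES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]
PBKDF2_ROUNDS = 100_000


def ip_filter(client_ip):
    """Step 1 of the hybrid scheme: is the source address inside an authorized range?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in CAMPUS_RANGES)


def make_user_record(secret, rounds=PBKDF2_ROUNDS):
    """Build a user-file entry holding a random salt and a PBKDF2 hash, never the secret itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "hash": digest}


def verify_secret(record, secret):
    """Recompute the hash for the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["hash"])


# Constructed user file keyed by library card ID (sample data, not real patrons).
USER_FILE = {"2000100012345": make_user_record("correct horse")}
# Dummy record hashed against when the card ID is unknown, so lookups cost the same either way.
DUMMY_RECORD = make_user_record("")


def authenticate(client_ip, card_id=None, secret=None, user_file=USER_FILE):
    """Step 2 only runs when step 1 fails, as described on page 12.

    Returns the path that admitted the user ("ip-filter" or "userid"), or None when
    the caller must prompt for credentials or deny access.
    """
    if ip_filter(client_ip):
        return "ip-filter"
    if card_id is None or secret is None:
        return None
    record = user_file.get(card_id)
    if record is None:
        verify_secret(DUMMY_RECORD, secret)  # same work as a real lookup; result ignored
        return None
    return "userid" if verify_secret(record, secret) else None


if __name__ == "__main__":
    print(authenticate("192.0.2.17"))                                     # ip-filter
    print(authenticate("203.0.113.5", "2000100012345", "correct horse"))  # userid
    print(authenticate("203.0.113.5", "2000100012345", "wrong"))          # None
```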

Page 14

Authentication & Security

Proxy Servers - In this technique a user must log in or pass an IP filter into an intermediate server which is known by the end service as only passing on a legitimate user. This can be used in telnet, Z39.50 or HTTP sessions. In Web sessions the proxy may cache pages or return a Java applet to a browser for its identity to the end service.

Page 15

Authentication & Security: Proxy Servers

Benefits
• Can be used from anywhere
• Central management and control
• Well understood technology
• Modularizes the authentication problem

Drawbacks
• Single point of failure
• Extra overhead
• Double handling of traffic in a “mechanical proxy”
• Still may need to maintain a user file with its security issues

Page 16

Authentication & Security: Techniques

Credential Based Approaches - A user interacts directly with the end resource over the net. Issues include:
• What credentials are presented by the user?
• How are credentials secured?
• How are credentials validated by the issuing institution?

Page 17

Page 18

Authentication & Security: Credentials

Password-based Credentials - The information resource maintains a password file of users. This technique has many of the drawbacks associated with any UserID approach. Other weaknesses:
• Confidentiality/Privacy
• How will the password file be updated?
• Must be done on a resource-by-resource basis

Page 19

Authentication & Security: Credentials

Certificate-based Credentials - An X.509 certificate-based approach offers a machine credential that supports its right to the use of a name and allows this to be verified by a certificate authority (e.g. run by the institution or a 3rd party). X.509 can include expirations, revocation, private keys, demographic data.

Page 20

Authentication & Security: Certificate-Based

Benefits
• Well defined protocol/process for validation
• X.509 uses a lower-level, protocol-integrated method
• Works well in HTTP
• Flexible / much work in this area

Drawbacks
• Difficult to distribute
• Complicated for users to install (esp. if a user has several PCs)
• Backup, maintenance and recovery
• Problematic on shared PCs (e.g. reference)
• Must be supported by the end resource too...

Page 21

Authentication & Security: Examples - Colorado Alliance

Colorado Alliance of Research Libraries - Uses a hybrid IP filtering + UserID scheme. If a user fails the IP filtering they are prompted for a library card ID and name, which are held in an SQL database. The file is harvested from local III and CARL library OPACs. This will then launch a CGI which logs into the local or remote resource.

Page 22

Authentication & Security: Examples - VIVA (Virginia)

VIVA has 39 libraries and runs a central proxy server. A weekly extraction is made from OPACs of library card numbers and loaded into a central file. The system downloads a Java applet to a local browser so it can take on the proper identity in going to the remote service. Once a user logs in to the proxy, the proxy goes to the remote system for the IP filter test. The proxy is only involved once...

Netscape Proxy Server 2.5
http://timesync.gmu.edu/proxy.html

Page 23

Authentication & Security: Examples - IAC

IAC Remote Patron Authentication Service - Does an IP filter check and if it fails it consults a flat ASCII patron file maintained by the local institution.
• Only works with IAC SearchBank products
• Extra charge for this product from IAC
• Must still maintain your own patron file

Page 24

Authentication & Security: Examples - Innovative Interfaces

III Web Access Management - In Release 12 this is a true proxy server module which automatically checks a patron file on the local III system. Can support patron type limits. Problems include:
• Limited to 50 targets (25 in release 11)
• Uses up III concurrent users (very expensive)
• Requires set-up on each browser to address this proxy server

Page 25

Authentication & Security: Examples - Athens (U.K.)

Central (but mirrored) authentication system for all of higher education in the UK, including >2 million students and faculty.

Built around Sybase on multiple servers. UserID & password based for all resources.

Local institutions must upload patron records according to a prescribed format.

Supports all types of resources (several thousand)…including Web and Telnet targets.
http://www.athens.ac.uk/info/authentication.html