Access ‘98

Authentication & Security

George Machovec
Technical Director
Colorado Alliance of Research Libraries

Authentication: To allow users to access the appropriate networked databases from anywhere at any time. A user establishes a right to an identity.

Authorization: To allow users to receive the appropriate suite of electronic products to which they are entitled. Is an “identity” permitted to perform some action...

Libraries and consortia offer broad suites of electronic products which must be accessed both on-campus and remotely.

• Dial-in users through commercial ISPs
• Faculty on sabbatical
• Distance education
• Other authorized users not on campus for whatever reason

Typical kinds of services libraries want to distribute:

• OCLC FirstSearch
• Ovid or SilverPlatter (local or remote)
• Information Access Company
• Encyclopedia Britannica
• GaleNet
• Hundreds of others

Authentication Strength

• Reasonable security which meets the requirements of both the university and the supplier of data is important. This is somewhat subjective and depends on what is being protected, how easily it is “hacked,” and what the chances or consequences of a breach are, either on a single or systematic basis.

Granularity of Requirements

• How finely must users be segregated for access to different resources (e.g. faculty, grad students, undergrads, staff, community borrowers)?
• How does granularity affect pricing?
• What about use statistics?
• Be practical...

Privacy Issues

• Confidentiality of users with vendors is key
• Possible data gathered by vendor should be protected via contract from resale or reuse
• Many universities are bound by privacy laws or legislative constraints
• Encryption as protection from hackers may offer better privacy but may not always be practical

Techniques

IP Filtering - An IP address (or range of addresses) is used to filter access to a database or service so that only users with a PC (e.g. browser) within a proper network domain may gain access.

IP Filtering

Benefits
• Widely used
• Well understood
• No passwords to remember or change
• No unauthorized distribution of passwords

Drawbacks
• Must be at a browser within an IP range
• Bad for remote users
• Many academics are dropping their modem pools or they are too small
• Little granularity in use data

Techniques

UserID and Passwords - The distribution of logins and passwords for access to computer systems has historically been widely used in the computing community. Upon reaching an electronic resource the user is asked to log in for access. In more secure systems passwords are periodically changed.

UserID and Passwords

Benefits
• Widely employed and often used in conjunction with IP filtering
• Available on most services
• Can be remembered and used from anywhere

Drawbacks
• Files must be maintained
• Encryption of passwords?
• Z39.50 compatibility may be a problem, esp. with encryption
• Unauthorized distribution

Techniques

Hybrid Solutions with IP Filter + UserID/Password if filtering fails - In this scenario a user goes to a resource and goes through IP source address filtering; if it fails, the user is then prompted for a UserID to establish their identity.

Hybrid IP Filtering + UserID

Benefits
• Works for local and remote users
• Does not require the “hassle” of a password when a person is in your local network
• Implementation of this solution can range from easy to complex

Drawbacks
• Must maintain a user file
• Unauthorized UserID distribution a danger
• May work well with some situations and not others

Proxy Servers - In this technique a user must log in or pass an IP filter into an intermediate server which is known by the end service as only passing on a legitimate user. This can be used in telnet, Z39.50 or HTTP sessions. In Web sessions the proxy may cache pages or return a Java applet to the browser which establishes its identity to the end service.

Proxy Servers

Benefits
• Can be used from anywhere
• Central management and control
• Well understood technology
• Modularizes the authentication problem

Drawbacks
• Single point of failure
• Extra overhead
• Double handling of traffic in a “mechanical proxy”
• Still may need to maintain a user file with its security issues

Techniques

Credential Based Approaches - A user interacts directly with the end resource over the net. Issues include:
• What credentials are presented by the user?
• How are credentials secured?
• How are credentials validated by the issuing institution?

Credentials

Password-based Credentials - The information resource maintains a password file of users. This technique has many of the drawbacks associated with any UserID approach. Other weaknesses:
• Confidentiality/Privacy
• How will the password file be updated?
• Must be done on a resource-by-resource basis

Credentials

Certificate-based Credentials - An X.509 certificate-based approach gives a machine credentials that support its right to the use of a name and allows this to be verified by a certificate authority (e.g. run by the institution or a 3rd party).
X.509 can include expirations, revocation, private keys, demographic data.

Certificate-Based

Benefits
• Well defined protocol/process for validation
• X.509 uses a lower-level, protocol-integrated method
• Works well in HTTP
• Flexible / much work in this area

Drawbacks
• Difficult to distribute
• Complicated for users to install (esp. if a user has several PCs)
• Backup, maintenance and recovery
• Problematic on shared PCs (e.g. reference)
• Must be supported by end resource too...

Examples - Colorado Alliance

Colorado Alliance of Research Libraries - Uses a hybrid IP filtering + UserID scheme. If a user fails the IP filtering they are prompted for a library card ID and name, which are held in an SQL database. The file is harvested from local III and CARL library OPACs. This will then launch a CGI which logs into the local or remote resource.

Examples - VIVA (Virginia)

VIVA has 39 libraries and runs a central proxy server. A weekly extraction of library card numbers is made from the OPACs and loaded into a central file. The system downloads a Java applet to a local browser so it can take on the proper identity in going to the remote service. Once a user logs in to the proxy, the proxy goes to the remote system for the IP filter test. The proxy is only involved once...

Netscape Proxy Server 2.5
Http://timesync.gmu.edu/proxy.html

Examples - IAC

IAC Remote Patron Authentication Service - Does an IP filter check and, if it fails, consults a flat ASCII patron file maintained by the local institution.
• Only works with IAC Searchbank products
• Extra charge for this product from IAC
• Must still maintain your own patron file

Examples - Innovative Interfaces

III Web Access Management - In Release 12 this is a true proxy server module which automatically checks a patron file on the local III system.
Can support patron type limits.

Problems include:
• Limited to 50 targets (25 in Release 11)
• Uses up III concurrent users (very expensive)
• Requires set-up on each browser to address this proxy server

Examples - Athens (U.K.)

• Central (but mirrored) authentication system for all of higher education in the UK, including >2 million students and faculty
• Built around Sybase on multiple servers
• UserID & password based for all resources
• Local institutions must upload patron records according to a prescribed format
• Supports all types of resources (several thousand), including Web and Telnet targets

http://www.athens.ac.uk/info/authentication.html
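
The hybrid IP filter + UserID flow described above (the scheme the Colorado Alliance slide outlines), as an added example that is not part of the original slides or the Alliance's own code. The network ranges, table layout, patron records and function names are all constructed for illustration.

```python
import ipaddress
import sqlite3

# Constructed sample data: documentation IP ranges and made-up patron records.
CAMPUS_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]
SAMPLE_PATRONS = [("D0012345", "Rivera"), ("D0067890", "O'Neil")]


def build_patron_db(rows):
    """Load the patron file (in the talk, harvested from the OPACs) into SQLite."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patrons (card_id TEXT PRIMARY KEY, last_name TEXT NOT NULL)")
    db.executemany("INSERT INTO patrons VALUES (?, ?)", rows)
    return db


def on_campus(source_ip):
    """Step 1: IP filter. A malformed address fails closed."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in CAMPUS_NETWORKS)


def authorize(db, source_ip, card_id=None, last_name=None):
    """Return (allowed, reason); the reason string can feed use statistics."""
    # source_ip must be the address of the TCP peer, never a value taken
    # from a client-supplied header, or the filter can be bypassed.
    if on_campus(source_ip):
        return True, "ip-filter"
    if not card_id or not last_name:
        return False, "prompt-for-card"
    # Step 2: patron lookup. Parameterized, so input never becomes SQL text.
    row = db.execute(
        "SELECT 1 FROM patrons WHERE card_id = ? AND last_name = ? COLLATE NOCASE",
        (card_id.strip(), last_name.strip()),
    ).fetchone()
    return (True, "patron-file") if row else (False, "denied")


if __name__ == "__main__":
    db = build_patron_db(SAMPLE_PATRONS)
    for args in [("192.0.2.17",), ("203.0.113.9",), ("203.0.113.9", "D0012345", "rivera")]:
        print(args, authorize(db, *args))
```

A card ID plus name is a shared secret that can be passed around, which is the "unauthorized UserID distribution" drawback listed for this scheme; logging the returned reason per request gives the per-path use data that plain IP filtering lacks.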