Unc cause 2011 random pin


UNC Cause Pin about developing Random Pin Distribution tool for UNC Greensboro.

Published in: Technology, Education
Transcript of "Unc cause 2011 random pin"

  1. Custom Secure Random Pin Distribution
     Moreland Smith, The University of North Carolina at Greensboro
  2. Alternate Title: How we kept our Registrar from going to jail and got cookies!!!!
  3. Session Rules of Etiquette
     • Please turn off your cell phone/pager
     • If you must leave the session early, please do so as discreetly as possible
     • Please avoid side conversation during the session
     • Do not pass Go, do not collect $200.
  4. Introduction
     • My goal today
     • To share UNCG’s custom solution to random PIN distributions across all populations of entering people.
  5. Benefits: An understanding of
     • Business Case
     • Technical Architecture
     • Administrative GUI
     • End User Experience
     • Project Results
     • Woulda / Shoulda / Coulda
  6. Business Case: Things I learned from 1990’s Infomercials
  7. The University of North Carolina at Greensboro
     • 18,000+ Fall 2010 Enrollment
     • Undergraduate
     • Graduate
     • Distance
     • Additional 2,000+ iSchoolers (High School)
     • 3 Entry Offices with Hiring Authority
     • 6 Entry Offices Admitting Students
     • Mods Philosophy: “Vanilla…. but with sprinkles… and a bit of fudge mixed in…”
  8. Old way of Doing Business
     • Pattern based initial PIN, custom trigger on DOB entry
     • DOB rearranged YYDDMM
     • Pattern published on web sites
     • Some emailed ID and then snail mailed PIN
     • Some asked students to allow them to send both PIN via email.
     • Some offices handed paper to new hires
     • Letters are lost
  9. Where we were
     Different Offices + Different Practices = INSANITY
  10. Good advice from the mid-1990’s…..
  11. Potential Problems
      • Perception, ITS owns the PIN, call Service Desk
        – Have to talk through general pattern YYDDMM.
        – Service Desk can’t assist because…
      • Forgot PIN Q&A not yet established, cannot authoritatively identify caller, since never had successful login
      • “But they said….”
      • Root Causes
        – Incorrect DOB Entered (esp. Internationals)
        – Student does not know ID
  12. Inspiration from Earlier Work
      • https://getmyid.uncg.edu
      • Built during transition from SSN to Generate ID approx 2006
      • Allows ID display via SSL browser with entry of person’s UNCG Username/Password
      • Allows email delivery of ID
      • Single Last Name & Email Address Match
        – Last Name: Smith
        – Email: Moreland.Smith@gmail.com
  13. The Vision: One tool to assist them all
      • Web Based
      • Near Real Time, Secure (Encrypted) Delivery of Random PIN
      • Options for Paper Mail
      • Receive PIN Information from “Entry Office”, not ITS
      • Standard text with optional Entry Office specific info
      • Refer people back to “Entry Office” if there is a problem with their data
      • Flexible additional populations, additional “Entry Offices”
      • Log usage
  14. However this was beyond our budget
      And had some nasty side effects….
  15. Core Business Concepts/Challenges
      • All persons have a “best fit” Entry Office
        – Single Role (New Freshman = Undergraduate Admissions)
        – Multi Role people (Employee taking classes = ????)
      • Offices desire to minimize mailing costs, printing labor
        – Email/web is first choice
        – Paper mail only if email/web is not possible or selected by person.
      • If there is a problem with a person’s data it needs to be corrected by their Entry Office, not ITS.
      • People often do their email via insecure means (Public WiFi)
        – Therefore delivery of PIN should be SSL Protected and
        – Not “Man in the Middleable” (Firesheep)
  16. Defining Happiness
      • For Person = Doing it all online themselves at 3am and never having to talk to UNCG staff.
      • For Entry Office Staff = Person doing it all online themselves at 3am and never having to talk to UNCG Entry Office Staff.
      • For Person = Couldn’t get it online, but can get it via snail mail, but at least I didn’t have to talk to a UNCG human.
      • For Entry Office Staff = I guess I can run a daily batch job to print and mail some letters, sigh….
      • For Both = I have to talk to someone via phone????
  17. Random Pin Origination Process Flow
  18. Random Pin Flow
  19. Technical Architecture: Some vanilla, some sprinkles, and some fudge ripple mixed in….
  20. Sometimes good things are a bit messy….
  21. Security Principles
      • All Web traffic must be SSL
      • Email may or may not be read via secure means, therefore we must assume it is not
      • You can’t prove who you are on the web, so we must communicate via previously established address
      • Something you have, plus something you know.
        – You have: PIN LINK (Random URL) delivered by email
        – You know: “Verification word” you gave in an SSL Session, stored by the system, which you must match to use PIN LINK URL
  22. Security Principles Continued
      • Any PIN LINK URLs must be sufficiently random
      • Any PIN LINK URLs must expire within a set brief time period
      • Minimize visibility of PIN to UNCG staff (only on hardcopy prints in Entry Office)
      • Random PINs should be one time use only (Baseline takes over from there)
      • Even if someone starts the getmypin process who is not you (but they know your Last Name, ID & DOB), we should minimize the “reveal” of your protected information [result = masking of email/addresses]
  23. Technical Components: Baseline
      • Configurations within
        – Letter Generation Letters & Paragraphs
        – GTVSQPR (Business Rule Process Code Validation)
        – GTVSQRU (Business Rule Code Validation)
        – GORRSQL (Business Rules Form)
        – GTVSDAX (For setting expiration value)
      • Draw upon data within
        – GOREAML Table
        – SPRADDR Table
        – SPRIDEN Table
        – Various Student, Alumni, Employee tables calculating Entry Office association for a person
      • Baseline functionality
        – Ability to set PIN as pre expired (i.e. force change on next login)
  24. Technical Components: UNCG Custom Built
      • INB Components
        – SZAEOFC (Entry Office Control Form)
        – SZAHIRC (Entry Office Rule Hierarchy Control Form)
        – SZAPDIS (Pin Distribution Form)
      • URL on Banner App Server
        – https://getmypin.uncg.edu
      • SSB pages (outside Secure Login)
        – Request PIN Getting
        – Respond to PIN LINK URLs
      • Email generation function (draws text from LTR/PARA)
      • Batch Job
        – SZPPNPT (Pin Letter Printing)
      • PL/SQL Function for Random URL String Generation to NIST Special Publication 800-63 Standard
  25. 20 Minutes of Defense
      • How long to make the random URL???
      • Calculations by UNCG Security Analyst
      • Assuming web requests can be processed at 20,000 per second, x 60 seconds per minute x 20 minutes = 24 million attempts possible in time frame.
      • http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf page 53
      • Goal 36 bits of entropy
      • Achieved by 20 character random from a 63 character alphabet (upper, lower and numbers)
      • If 20 characters is good, then 32 is even better….
      • And even if you get a hit on a Random URL that happens to be “Usable” at the moment, you still have to guess the Verification word, and you only have 3 attempts.
  26. Administrative GUI: Putting the Puzzle Together
  27. Initial Setups
      • GTVSQPR (Business Rule Process Code Validation)
      • GTVSQRU (Business Rule Code Validation)
      • GORRSQL (Business Rules Form)
      • GTVSDAX (For setting expiration value)
  28. GTVSQPR: Business Rule Process Code Validation
  29. GTVSQRU: Business Rule Code Validation
  30. GORRSQL: Business Rule Form Sample
  31. Now for the Custom UNCG Stuff
      • SZAEOFC (Entry Office Control Form)
      • SZAHIRC (Entry Office Rule Hierarchy Control Form)
      • SZAPDIS (Pin Distribution Form)
  32. SZAEOFC: Entry Office Control Form
  33. SZAHIRC: Entry Office Rule Hierarchy Control Form
  34. SZAPDIS: Pin Distribution Form
  35. End User Experience: Finding Happiness
  36. Finding Happiness
  37. 3 Faces of Happiness
      • Self Service Email Delivery
      • Request Paper Mail Delivery, Entry Office Prints
      • Sorry, Person and Entry Office Communication Required
      • All begin at https://getmypin.uncg.edu
  38. Answer me these Questions 3
      • What is Your Name
      • What is Your ID
      • What is your DOB
  39. Initial Entry: ID, Name, DOB
  40. Would you like your pin in bits?
  41. For your safety……
  42. Process Tips & Disclaimers
  43. We’re done! Check your email
  44. Sample of Email Body (sent from EO email addy)
      Note the PIN LINK Long URL
  45. Having clicked the link
  46. Oops, you waited too long
  47. 3 strikes and you are Out!
  48. If you remember your Verification Word: Success!
  49. From Here
      • User logs into Baseline Self Service
        – They must answer baseline “Forgot PIN” Security Questions & Answers
      • Because random PIN was set as pre-expired
        – They must set a new PIN.
      • User is in Self Service and can do their business
      • “didn’t have to talk to a human…”
  50. Face #2: Request Paper Mail Delivery, Entry Office Prints
  51. You want your PIN on dead trees…
  52. Ok, Please be Patient
  53. We’re done!
  54. After the Entry Office Prints, Mails and you receive
  55. The Third Face: Sorry, Person and Entry Office Communication Required
  56. Recap of the Path
      • Success with ID, DOB, & Name
      • No Valid Emails or did not choose emails
        and
      • No Valid Mailing Address or said do not send via paper
  57. Oh, addresses out of date/don’t trust US Postal Service
  58. Next Steps
      • Hopefully person calls their entry office at the phone number listed.
      • Staff member with privileges on SZAPDIS can review request, status, etc.
      • Based on Entry Office specific practices staff can attempt to
        – Identify person calling (20 questions method)
        – Gather corrected contact information
        – Immediately enter that in Banner (GOAEMAL/SPRADDR)
        – Have the person try again.
  59. Miscellaneous Info
      • Email is sent from Entry Office specific email address, so bounces are returned there for remediation by Entry Office staff.
      • Letters are sent from Entry Office, in their envelopes, so returned mail can be dealt with by Entry Office staff.
      • Other Error Messages
        – Did not answer 3 initial questions correctly = “The Information you entered was not found in our records. Please check the Information for Errors.”
  60. Results: What it has done for UNCG
  61. Results Page
      • All persons (students, staff, faculty, other) follow the same process.
      • Email & Address data is better maintained by Entry Offices, since correct emails mean more happy faces.
      • DOB Pattern based PINs are gone!
      • Many fewer calls to Service Desk with PIN problems due to DOB issues, or “I lost my letter/email”
      • Registrar’s Office Staff spend less time dealing with PINs for Alums (required for transcript ordering)
  62. Unsolicited Client Email:
      Subj: Just sending some love
      The PIN re-set website has been a great help. In the past, I received an average of 8-10 calls a month. Which isn’t bad, I know, but as this was an average, I sometimes had 8-10 in a week. I have only printed 3 PIN letters since we went live with this function last Spring. THANK YOU.
      --Kelly A. Rowett-James, University Registrar, The University of North Carolina at Greensboro
  63. Summary
      • Solve the Business Problem:
        – Make it Standardized, Self Service, Secure,
        – Also make it Flexible and Customizable
      • Architecture: Use what you have & build what you need
        – Baseline Components: GORRSQL, Letter Gen, GTVSDAX
        – Custom INB, SSB, Batch Job pieces
      • Admin GUI: Build for flexibility
      • End User Experience
        – Small, Simple Steps
  64. Woulda/Shoulda/Coulda: Things we might do to enhance or would do differently.
  65. Ideas to make it better
      • Build Form/Table to map users of SZAPDIS to Entry Offices in order to restrict staff to “their” people, and ITS Staff to global Query. [Could also be done with Value Based Security]
      • Build a secondary log table for each status of a Pin Reset Request.
      • Build a “pre log table” to capture any situations where all 3 items do not match, to detect bot attack
      • Put in a “Captcha” as a bot defense
      • Build reporting to look for patterns of non successful actions.
      • Schedule batch process in UC4 for automatic nightly printing.
      • Set up Workflows to notify Entry Office, “You’ve got PIN LETTERS to Print!”
  66. Questions?
      • Any and all are welcome
  67. Thank You!
      Moreland Smith, mtsmith@uncg.edu
      Please complete the class evaluation form
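
Added example (not from the original slides and not UNCG's PL/SQL code): a Python sketch of the PIN LINK controls described on slides 21, 22 and 25, covering the brute-force arithmetic, the random URL token, expiry, one-time use and the three-strike verification word. `PinLinkStore`, its field names, the 62-symbol alphabet and the use of the 20-minute window as the link lifetime are assumptions made for illustration.

```python
import hashlib, hmac, math
import secrets, string, time

ALPHABET = string.ascii_letters + string.digits  # 62 symbols (assumption: slide says 63)
TOKEN_LEN = 32            # slide 25: "If 20 characters is good, then 32 is even better"
TTL_SECONDS = 20 * 60     # assumption: link lifetime equals the 20-minute window
MAX_ATTEMPTS = 3          # "3 strikes and you are Out!"
GUESSES_IN_WINDOW = 20_000 * 60 * 20   # 24 million requests, as on slide 25

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)

def hit_probability(bits, guesses=GUESSES_IN_WINDOW):
    """Upper bound on the chance that any guess in the window hits one live link."""
    return min(1.0, guesses / 2 ** bits)

def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()   # store a hash, not the link

def _word_hash(word, salt):
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 100_000)

class PinLinkStore:
    """In-memory stand-in for the table behind the PIN LINK pages (hypothetical)."""
    def __init__(self, clock=time.time):
        self._links, self._clock = {}, clock

    def issue(self, person_id, verification_word):
        token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
        salt = secrets.token_bytes(16)
        self._links[_key(token)] = {
            "person": person_id, "salt": salt, "strikes": 0,
            "word": _word_hash(verification_word, salt),
            "expires": self._clock() + TTL_SECONDS,
        }
        return token   # goes into the e-mailed URL; the verification word is never e-mailed

    def redeem(self, token, verification_word):
        link = self._links.get(_key(token))
        if link is None:
            return "invalid"
        if self._clock() >= link["expires"]:
            del self._links[_key(token)]
            return "expired"
        guess = _word_hash(verification_word, link["salt"])
        if not hmac.compare_digest(guess, link["word"]):
            link["strikes"] += 1
            if link["strikes"] < MAX_ATTEMPTS:
                return "wrong_word"
            del self._links[_key(token)]
            return "locked"
        del self._links[_key(token)]   # one-time use
        return "ok"
```

Against the slide's 36-bit goal, 24 million guesses succeed with probability of roughly 0.00035; a uniformly random 20-character string over 62 or 63 symbols carries about 119 bits, so the random URL exceeds that goal by a wide margin.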