Identity Management

  1. Identity Management and PKI Credentialing at UTHSC-H
     Bill Weems, Academic Technology, University of Texas Health Science Center at Houston
  2. University of Texas Health Science Center at Houston (UTHSC-H)
     - Six schools
       - Graduate School of Biomedical Sciences
       - Dental School
       - Medical School
       - Nursing School
       - School of Health Information Sciences
       - School of Public Health
     - ~10,000 students, faculty and staff
  3. PKI History at UTHSC-H
     - 1996-97: U.T. System began considering PKI as a strategic initiative.
     - 1998: U.T. System signed an MSA with VeriSign.
     - 1998: UTHSC-H obtained 10,000 client seats.
       - Public/private keys stored in "soft" key stores.
       - A single certificate used for digital signatures, encryption and access to restricted resources.
     - 1999: Established an enterprise LDAP directory.
       - Each user's public certificate included as a user attribute.
  4. PKI History at UTHSC-H (continued)
     - 2002: UTHSC-H began issuing USB tokens.
       - Public/private keys generated in a "soft" key store and then transferred to the hard token.
     - 2003: VeriSign MSA modified to provide dual keys per seat: a signing key and an encryption key.
     - 2004: Began generating public/private keys on the USB E-Tokens themselves (level 4 assurance).
     - 2005: Projected issuance of 4,000 E-Tokens.
     - 2005: Began phasing out "soft" key stores.
  5. UTHSC-H: An Identity Provider (IdP)
     It is critical to recognize that the university functions as an identity provider (IdP): UTHSC-H provides individuals with digital credentials that consist of an identifier and an authenticator. As an IdP, the university assumes specific responsibilities and liabilities.
  6. UTHSC-H Strategic Authentication Goals
     - Two authentication mechanisms:
       - Single university ID (UID) and password
       - Public-key Digital ID on a token (two-factor authentication)
         - Digital signatures
           - Authenticate the sender
           - Guarantee messages are unaltered, i.e. message integrity
           - Provide for non-repudiation
           - Legal signature
         - Encryption of email and other documents
         - Highly secure access control
         - Potential for inherent global trust
  7. Identity Provider (IdP)
     [Diagram: identity vetting and credentialing. The IdP obtains the person's physical characteristics, records them in a permanent identity database, assigns an everlasting identifier that is permanently bound to the person, and issues a digital credential that only that person can activate.]
  8. Identity Provider (IdP)
     [Diagram: the same vetting and credentialing flow, with UTHSC-H two-factor authentication attached to the digital credential; two elements on the slide are marked "?" and not labelled.]
  9. UTHSC-H Identity Management System
     [Diagram, components as labelled on the slide: source systems HRMS, SIS, GMEIS, Guest MS, UTP, INDIS, OAC7 and OAC47; identity reconciliation and provisioning processes; person registry; authoritative enterprise directories, synced to secondary directories; authentication service and authorization service; user administration tools for change password and attribute management.]
  10. Obtaining a Digital Certificate
      - Access the locally hosted CA's web page.
      - Generate a public/private key pair.
      - Send the public key to the Certificate Authority.
      - RA verifies the applicant's identity to the CA.
      - CA issues an X.509 certificate.
      - CA notifies the applicant that the Digital ID (DID) is certified.
      - Applicant downloads the certified public key.
      - Applicant makes a backup of the DID (with a soft key store this backup contains the private key, so it needs the same protection as the key store itself).
  11. Obtaining a Digital Certificate: Hard Token, Level 4
      - Applicant appears in person before the RA.
      - Inserts the E-Token in a USB port.
      - Accesses the Certificate Authority's web page.
      - Token generates the public/private key pair (the private key never exists outside the token).
      - Sends the public key to the Certificate Authority.
      - RA verifies the applicant's identity to the CA.
      - CA issues an X.509 certificate.
      - Applicant downloads the certificate to the token.
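Both enrolment procedures above (slides 10 and 11) reduce to the same exchange: a key pair made on the applicant's side, a request carrying only the public key to the CA, an RA check that the claimed identity has actually been vetted, and an X.509 certificate back that a relying party chains to the trusted root. The Go program below is an added example written for this page, not code from UTHSC-H or VeriSign. It stands up a throwaway self-signed root in place of the commercial CA, uses a one-entry map as the vetted person registry, and issues the two per-seat certificates the 2003 dual-key model calls for (a signing certificate with the non-repudiation bit set, an encryption certificate with key agreement only) using Go's standard crypto/x509. The identifier "uid1234", the name "Jane Doe", the CA name and the algorithm (ECDSA P-256; the slides do not say what the deployment used) are assumptions, and the key pair is software-generated because a hardware token cannot be modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// What the RA holds after in-person vetting: permanent UID -> vetted name. Constructed entry; the slides give no schema.
var registry = map[string]string{"uid1234": "Jane Doe"}

// newCA builds a self-signed root that stands in for the commercial CA on the slides (hypothetical name).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0), KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// applicantCSR: the key pair is generated on the applicant's side; only the public key leaves, in a CSR signed as proof of possession.
func applicantCSR(uid, name string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name, SerialNumber: uid}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return key, csr, err
}

// caIssue: RA verifies the claimed identity, then the CA issues. signing selects the signature cert (non-repudiation bit) or the encryption cert.
func caIssue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, signing bool) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // the applicant really holds the matching private key
		return nil, err
	}
	if name, ok := registry[csr.Subject.SerialNumber]; !ok || name != csr.Subject.CommonName {
		return nil, fmt.Errorf("RA: %q is not vetted as %q", csr.Subject.SerialNumber, csr.Subject.CommonName)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageKeyAgreement, // EC encryption cert does ECDH; an RSA one would carry KeyEncipherment instead
	}
	if signing { // ContentCommitment is the X.509 name of the non-repudiation bit
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// enroll runs the whole flow for one applicant and, as any relying party must, chains the result to the trusted root before believing it.
func enroll(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, uid, name string, signing bool) (*x509.Certificate, error) {
	_, csr, err := applicantCSR(uid, name) // the private key stays with the applicant
	if err != nil {
		return nil, err
	}
	der, err := caIssue(caCert, caKey, csr, signing)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return cert, err
}

func main() {
	caCert, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	for _, c := range []struct{ uid, name string }{{"uid1234", "Jane Doe"}, {"uid9999", "Mallory"}} {
		cert, err := enroll(caCert, caKey, c.uid, c.name, true) // pass false for the encryption certificate
		fmt.Println(c.uid, cert != nil, err)
	}
}
```

Run with `go run`: the vetted identifier gets a certificate and the unvetted one is refused at the RA step, as is a vetted identifier presented with a different name. The CSR signature check is what stops someone from having a certificate issued over a public key whose private half they do not control, and the `Verify` call in `enroll` is the step a relying party performs; a certificate from any other root fails it even if its subject looks right.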
  12. Lessons Learned
      The focus of planning should be on how PKI and directory services make life great for people in cyberspace! Don't focus on underlying theory, arcane concepts and minute implementation details. If basic infrastructure is in place along with user applications, people will use it and demand more.
  13. What Is Needed To Reach Critical Mass?
      - Develop a core group that operationally believes in and understands middleware.
      - A CA management system with basic policies.
      - A basic operational LDAP directory service.
      - As many "real" applications as possible:
        - Solutions that use signing and encryption.
        - Cherished resources PKI-enabled for access.
  14. Why a Commercial CA?
      - Texas requires a state-approved CA, with:
        - Certification Practice Statement (CPS)
        - Certificate Policy
        - Relying Party Agreement
      - The CA's trust hierarchy is automatically recognized by most browsers and clients worldwide.
      - Provided a significant amount of support resources.