Implementing User Authentication for a State-wide Initiative - PowerPoint PPT Presentation

Slides: 22
Provided by: maryeli8

Transcript and Presenter's Notes

1
Implementing User Authentication for a State-wide Initiative
Mary-Elise Haug, INSPIRE System Administrator, mehaug_at_incolsa.net
2
Outline
  • Overview of INSPIRE
  • INSPIRE user authentication issues
  • Using proxy servers for ISPs in Indiana
  • Using digital certificates for national ISPs
  • Interaction with sitesearch authentication

3
Overview: What is INSPIRE
  • Indiana's Virtual Library on the Internet
  • primarily a collection of commercial databases
    that have contractual restrictions on use
  • Part of the mission is to ensure access to
    these information resources for all residents of
    all ages, in all walks of life through Internet
    connected computers in homes, businesses,
    schools, and libraries.

4
Overview: Who are INSPIRE's users
  • All residents of Indiana
  • Residents are not required to have a library
    card or any other institutional affiliation
  • What separates INSPIRE from other statewide
    projects is having a user population based on
    geography rather than affiliation or pc location
  • we do not require libraries to authenticate
    their own patrons

5
Authentication definitions
  • Access -- the ability to use licensed databases
  • Authorization -- providing a user access to
    restricted databases
  • Authentication -- verifying that user is really
    who you think the user is

6
Authentication issues
  • Existing authentication methods assume that you
    know who your users are and may already have a
    database of users
  • computers in library or school buildings
  • database of library users or students

7
Authentication issues II
  • Internet commerce solutions (i.e., users register
    themselves)
  • methods for registering users/creating and
    maintaining db
  • easy to verify email address
  • accept user's data for address
  • anyone that can figure out a valid zipcode for
    Indiana could gain access

8
Authentication issues III
  • Two issues involved
  • how to verify residency
  • how to maintain information about authorized
    users
  • Two different approaches
  • machine (pc) oriented
  • user oriented

9
Authentication: PCs in Indiana
  • Access Control (ACL)
  • list of ip addresses or domains used by Indiana
    institutions
  • .in.us
  • Surveyed libraries for initial list
  • commercial ISPs verified in ARIN when possible

10
Squid
  • Use the squid proxy server as an http
    accelerator
  • listens on port 80
  • will get db interface pages for ip/domains list
    in acl list
  • redirects others to secure web server/access
    denied page

11
Squid diagram
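
The allow-or-redirect decision from the two slides above, modelled as an added example (not INSPIRE's Squid configuration). The forward-confirmation step for domain matches is an assumption added here, because a reverse DNS name is set by whoever controls the address; all addresses and hostnames are constructed.

```python
import ipaddress

# Constructed sample data: documentation address ranges and made-up hostnames.
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # surveyed institution range
ALLOWED_SUFFIXES = (".in.us",)                          # domain entry from the slide

# Stand-ins for DNS so the example runs offline.
PTR = {  # address -> reverse (PTR) name
    "198.51.100.7": "pc7.lib.example.in.us",
    "203.0.113.9": "fake.example.in.us",   # PTR claimed by the address owner
}
FWD = {  # name -> addresses it really resolves to
    "pc7.lib.example.in.us": {"198.51.100.7"},
    "fake.example.in.us": set(),           # name does not map back
}


def decide(client_ip, ptr=PTR, fwd=FWD):
    """Return 'allow' (serve db interface pages) or 'redirect'
    (send to the secure web server / access denied page)."""
    addr = ipaddress.ip_address(client_ip)

    # 1. Address list: direct match against institutional networks.
    if any(addr in net for net in ALLOWED_NETS):
        return "allow"

    # 2. Domain list: the reverse name must end in an allowed suffix AND
    #    resolve forward to the same address (forward-confirmed reverse DNS).
    name = ptr.get(client_ip, "").lower().rstrip(".")
    if name.endswith(ALLOWED_SUFFIXES) and client_ip in fwd.get(name, set()):
        return "allow"

    # 3. Everyone else goes to the certificate-protected path.
    return "redirect"
```
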
12
Authentication: user based
  • Evaluated alternatives
  • username/password vs. digital certificates
  • Digital certificates chosen
  • new, innovative technology
  • easier to maintain than traditional db
  • possibility that certificates could deal with
    address verification

13
Authentication: user based, Digital Certificate Implementation
  • certs with address verification too costly (10
    each); represented overkill for security needs
  • using a CA (Verisign/Thawte) also involved
    considerable cost/potential for user to have to
    pay for a base certificate
  • decided to become a CA and issue our own
    certificates
  • selected Netscape Certificate Server

14
Authentication: user based, Verify residency
  • no high tech solutions seemed to meet our needs
    or fit in within budget parameters
  • decided to mail a one time use password
  • the password would allow users to request a
    digital certificate
  • digital certificates would expire, forcing user
    to have address re-checked

15
Authentication: user based, How it works
  • User fills out registration form
  • password is assigned
  • mailed to user in a secure self mailer
  • user enters valid password
  • access to digital certificate server granted
  • user requests and downloads certificate
  • links to database interfaces available through
    secure web server which requires a valid
    certificate
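
A sketch of the mailed one-time password step in this flow, as an added example (not INSPIRE's code). The password length, alphabet and 30-day validity window are assumptions; the slides do not give them.

```python
import hashlib
import secrets
import time

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # assumed: no look-alike characters
PASSWORD_LENGTH = 12                          # assumed length
VALID_SECONDS = 30 * 24 * 3600                # assumed validity window


def _digest(password):
    # Normalise what the user types from the printed mailer before hashing.
    return hashlib.sha256(password.strip().upper().encode()).hexdigest()


class OneTimePasswords:
    """Issues passwords for the mailer and lets each be redeemed once."""

    def __init__(self):
        # sha256(password) -> (registrant_id, expires_at); no plaintext kept.
        self._pending = {}

    def issue(self, registrant_id, now=None):
        """Create the password that is printed in the self mailer."""
        now = time.time() if now is None else now
        password = "".join(secrets.choice(ALPHABET)
                           for _ in range(PASSWORD_LENGTH))
        self._pending[_digest(password)] = (registrant_id, now + VALID_SECONDS)
        return password

    def redeem(self, password, now=None):
        """Return the registrant id if the password is valid, else None.
        A successful or expired lookup removes the entry (single use)."""
        now = time.time() if now is None else now
        entry = self._pending.pop(_digest(password), None)
        if entry is None:
            return None
        registrant_id, expires_at = entry
        return registrant_id if now <= expires_at else None
```

A non-None result from `redeem` is the point at which access to the certificate server would be granted.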

16
Authentication: Secure Web Server
  • Use Stronghold -- chose this option to avoid
    dealing with encryption law
  • Set up to check for a digital certificate issued
    by INSPIRE CA
  • As digital certs gain in popularity could check
    stateIN for Indiana residents
  • Using as a proxy yields a lot of overhead, so
    currently pass an autho/pw

18
Downside of Digital Certificates
  • Difficulty downloading certificates
  • AOL users
  • process intimidating
  • implemented differently in Netscape and IE
  • Free toolkits underdeveloped
  • examples only work with Netscape
  • Prices for commercial products increased
    dramatically in the last 18 months
  • When acting as a CA, the server certificate isn't
    built in to the browser

19
Interaction with SiteSearch Authentication
  • With Squid all users appear to come from an
    internal ip address, which is in msql db
  • With the secure web server have used it as a
    proxy or have passed a username/pw embedded in a
    php script

20
Interaction with SiteSearch Authentication
  • Downside is that cannot track users based on an
    individual library
  • Authentication scheme will need modification
    which will involve entering library ip addresses
    in msql db and use squid to redirect users to
    sitesearch port
  • Potential to include an institutional field in
    the digital certificate exists

21
Summary
  • Authentication most challenging aspect of
    setting up INSPIRE system
  • Requires continuous staff attention
  • institutions change ISPs/set up firewalls or
    proxies that change authentication
  • helping users with digital certificates
  • Still have not developed the optimum solution
  • Does that magic solution exist ?