In Depth

Identity Management at Harvard and MIT

Harvard and MIT have similar identity management challenges but very different solutions. Comparing the two is a good exercise for any CSO looking at ID management.

By Simson Garfinkel

Page 2

When an MIT student or staff member logs in to his computer, the computer asks the Kerberos server for a special "ticket-granting ticket." The Kerberos server sends the ticket encrypted with the user's password. If the user's computer can decrypt the ticket, then the user must know the right password, so the user has been implicitly authenticated. With that decrypted ticket, the user can go on to request other tickets for specific online services. At MIT's Project Athena the Kerberos system is used for e-mail, for file access and even for sending jobs to the printer. (Each student has a monthly printing limit.)
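The ticket flow described above is easier to see in code. The following toy is an added illustration, not MIT's Kerberos implementation: the key derivation (PBKDF2), the sealing primitive (a SHA-256 counter keystream with an HMAC tag), the realm name and the user and service names are all constructed stand-ins for the real Kerberos encryption types and principals. What it keeps is the shape of the protocol: the password never leaves the client, the KDC's reply is only readable with the password-derived key, and a readable reply (plus the ticket-granting ticket inside it) is what lets the client ask for a service ticket the printer can verify with its own key.

```python
"""Toy Kerberos AS/TGS exchange showing why decrypting the reply implies
knowing the password.  Illustrative only; the sealing primitive and key
derivation are stand-ins for real Kerberos enctypes (assumption)."""
import hashlib, hmac, json, secrets, time

REALM = "ATHENA.EXAMPLE"  # constructed realm name, not MIT's

def derive_key(user, password):
    # Kerberos's string2key: the long-term key is a function of the password,
    # salted with realm and principal name; PBKDF2 stands in for it here.
    salt = (REALM + user).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key, nonce, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a dict under key (toy construction, not a real enctype)."""
    nonce = secrets.token_bytes(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag

def open_sealed(key, blob):
    """Return the dict, or None if the MAC fails (wrong key, i.e. wrong password)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) in one."""
    def __init__(self):
        self.users = {}                          # principal -> long-term key
        self.services = {}                       # service -> its secret key
        self.tgs_key = secrets.token_bytes(32)   # key of krbtgt/REALM
    def register_user(self, user, password):
        self.users[user] = derive_key(user, password)
    def register_service(self, name):
        self.services[name] = secrets.token_bytes(32)
        return self.services[name]
    def as_exchange(self, user):
        """AS-REP: no password is sent; the reply is only readable with the user's key."""
        if user not in self.users:
            return None
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "session": session,
                                  "expires": time.time() + 10 * 3600})
        return seal(self.users[user], {"session": session, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt_hex, authenticator, service):
        """TGS-REP: issue a service ticket to whoever holds the TGT and its session key."""
        tgt = open_sealed(self.tgs_key, bytes.fromhex(tgt_hex))
        if tgt is None or tgt["expires"] < time.time() or service not in self.services:
            return None
        session = bytes.fromhex(tgt["session"])
        auth = open_sealed(session, authenticator)   # proves the client decrypted the AS-REP
        if auth is None or auth["user"] != tgt["user"]:
            return None
        svc_session = secrets.token_bytes(32).hex()
        ticket = seal(self.services[service], {"user": tgt["user"], "session": svc_session})
        return seal(session, {"session": svc_session, "ticket": ticket.hex()})

def login(kdc, user, password):
    """Client side of the AS exchange; None means the reply could not be decrypted."""
    rep = kdc.as_exchange(user)
    return None if rep is None else open_sealed(derive_key(user, password), rep)

def get_service_ticket(kdc, user, creds, service):
    """Client side of the TGS exchange, using the TGT obtained at login."""
    session = bytes.fromhex(creds["session"])
    authenticator = seal(session, {"user": user, "ts": time.time()})
    rep = kdc.tgs_exchange(creds["tgt"], authenticator, service)
    return None if rep is None else open_sealed(session, rep)

def service_accepts(service_key, ticket_hex, claimed_user):
    """What the print server does: decrypt the ticket with its own key and check the name."""
    t = open_sealed(service_key, bytes.fromhex(ticket_hex))
    return t is not None and t["user"] == claimed_user

def demo():
    kdc = KDC()
    kdc.register_user("alice", "correct horse")      # constructed credentials
    printer_key = kdc.register_service("lpr/athena")  # constructed service name
    bad = login(kdc, "alice", "wrong password")       # reply undecryptable -> None
    creds = login(kdc, "alice", "correct horse")
    svc = get_service_ticket(kdc, "alice", creds, "lpr/athena")
    ok = service_accepts(printer_key, svc["ticket"], "alice")
    return bad is None, creds is not None, ok

if __name__ == "__main__":
    print(demo())
```

Two points worth noticing when reading this: the wrong-password case fails at the client, without the KDC ever seeing the password or being told it was wrong, and the authenticator in the TGS step is what stops someone who merely copied a ticket-granting ticket off the wire from using it, since it must be sealed with the session key that only a successful decryption of the AS reply yields.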

MIT deployed Kerberos widely by the late 1980s. In the 1990s Kerberos was adopted by most Unix vendors; Microsoft added support to Windows 2000.

Kerberos has a reputation for being very secure. It also has a reputation for being very difficult to configure and use. Both reputations are justly deserved. The big problem with Kerberos is that every application program needs to be specially "Kerberized" so that it can work with Kerberos—a difficult process. Web browsers, in particular, were very hard to Kerberize because they were numerous and evolving so fast. So in the late 1990s, MIT adopted a second enterprise authentication system, based on SSL and client-side X.509 digital certificates, which it runs in parallel with Kerberos. Students and staff members create their Kerberos user name and password when they show up at the Institute. Once they have a Kerberos account, they can go to a special website and get an "MIT Certificate" by entering their Kerberos user name, password and MIT ID number.

The combination of Kerberos and client-side certificates produces a system that is awkward and confusing; some services are certified by Kerberos, some are certified by the MIT Certificate, and it really isn't clear which service uses which certification or why. For example, a student who wants to read her bursar's statement needs to use her MIT Certificate to access the special MIT student website. That's because the SSL certificates are considered secure. But a student who wants to read his MIT Web mail goes to a different website and enters his Kerberos user name and password. The reason for this difference is that MIT assumes that students will be reading their Web mail at Internet cafés and friends' computers—places where students shouldn't be leaving copies of their MIT Certificate. Unfortunately, this means that students' Kerberos passwords could be stolen by keyboard sniffers. Fortunately, anybody with a Kerberos password that's truly valuable doesn't use computers at Internet cafés: They carry their own laptops.
