Web Authentication

1. Web Authentication • Need to authenticate to multiple web-based services • Need to do this with both U-M and external web-based services • Need to be able to use off the shelf browsers • Want passwords to be more secure CSG • Tucson • Feb 2000 • Slide 1

2. Kerberos-X.509 Project • Start with, and enhance, MIT’sPKI-Kerberos work • which creates certificates basedon Kerberos authentication … • We build on existing U-M identity and authentication services CSG • Tucson • Feb 2000 • Slide 2

3. MIT design generated certificate with user interaction MIT design required sending password to the certificate server once per session MIT design worked only with Netscape Navigator U-M obtains certificate without user action at Kerberos login U-M generates certificate without sending password to certificate server U-M works with Internet Explorer 5 (Win-32) UM Enhancements CSG • Tucson • Feb 2000 • Slide 3

4. Implementation Steps • Make MIT certificate service codework in U-M environment • Make certificate generation automaticat Kerberos log in, and certificate installation invisible to the user • Make the capability cross-platform CSG • Tucson • Feb 2000 • Slide 4

5. Description • Use short-term certificates “Junk Keys” • Obtain certificates securely from CA Kerberized CA server • For Authentication ONLY! not for encrypting; not for signing

6. Why “Junk Keys”? • Revocation becomes a non-issue • Private Key storage is less problematic • Public Key sharing is not necessary

7. Status • Feb/00 WORKING NOW: • Kerberos authentication to CA • No user interaction • IE 5 & Netscape Navigator on Win-32 WORKING SOON: • Netscape Navigator on Macintosh • In-house pilot during March 2000 CSG • Tucson • Feb 2000 • Slide 7