Common Authentication Advanced Technology Project

 
February 4, 2002

TOM ARONS
Information Resources

ROBERT ONO
Office of the Vice Provost, Information and Educational Technology

BILL GRABERT
Accounting and Financial Services

DAVID JOHNSTON
Office of the Registrar

MATT BISHOP
Computer Science Department

DON STITT
UC Davis Medical Center

SUBJECT: Authentication Advanced Technology Project

Since the early days of computing, operating system and application developers have struggled with providing methods to permit or deny user access to computer and/or network resources. Computer security systems typically employ a two-step process to provide this functionality. The first process is authentication, which ensures that only an identified individual is able to access computing and/or network services. The second process is authorization, which allows a user access to various computing and network resources based on the user's confirmed identity. In short, authentication establishes who you are, and authorization determines what you can do.

Authentication methods are commonly classified in three categories: something you know, something you have, and something you are. Something you know is a piece of knowledge such as a password or PIN. Something you have would be something like a mag stripe card, smart card or password token. Something you are would be biometric data such as a fingerprint, hand geometry, or retinal scan. Strong, or multi-factor, authentication makes use of some combination of these items, for example a smart card and a password. The source of a request in a network can also be used as a form of authentication and implicit authorization. An example of this is allowing web access to copyrighted material without additional authentication if the request originates from a host on the campus network. Solutions providing authentication and authorization services for computing and network resources can also be leveraged to meet other campus needs, such as access to physical structures and student services.

In the mid-1990s, UC Davis developed and implemented a central campus authentication service for access to computing and network resources. This authentication service is based on the implementation of a commercial Kerberos product formerly marketed by CyberSafe. Many campus applications use this Kerberos authentication system; however, use of this central authentication service is not mandated, and product limitations may preclude further development of the CyberSafe Kerberos authentication service. More recently, the University of California, Office of the President (UCOP), initiated development of a Public Key Infrastructure (PKI) system that will be limited to authentication services.

A common authentication service is an architectural foundation for campus development of an enterprise computing model. A campus-wide authentication service could provide single sign-on capabilities, simplify authorization processes and security management and provide other ancillary benefits supporting digital signatures, encryption services and non-repudiation. In recognition of the need for a strategic authentication process for the campus, the Vice Provost, Information and Educational Technology, will initiate an advanced technology project to develop strategic authentication recommendations for the campus enterprise computing model in support of the University of California New Business Architecture.

Project Charge
  • Identify long-term campus authentication requirements
  • Review existing authentication services in respect to strategic requirements
  • Identify alternative methods to address strategic authentication requirements
  • Review the advantages and disadvantages of alternative authentication systems, in respect to factors including, but not limited to, functionality, scalability, resiliency, security, and manageability
  • Provide long-range authentication service recommendations

Team Members
  • Tom Arons, Information Resources
  • Bill Grabert, Accounting and Financial Services
  • Robert Ono, Office of the Vice Provost, Information and Educational Technology, Chairperson
  • David Johnston, Office of the Registrar
  • Matt Bishop, Ph.D., Professor, Computer Science Department
  • Don Stitt, UCDMC

Status
  • To be determined

Report
  • July 30, 2002

We appreciate your willingness to serve on this advanced technology project and look forward to receiving your report. Please don't hesitate to consult with my office if you have any questions.

Sincerely,

John Bruno
Vice Provost
Information and Educational Technology

c: Doug Hartline
   Brian Alexander, Co-Chair, NBA Technology Development Team
   Mike Allred, Co-Chair, NBA Implementation Workgroup
   Jeff Barrett, Co-Chair, NBA Technology Development Team
   Jack Farrell, Registrar, Office of the Registrar
   Bob Franks, Associate Vice Chancellor, Student Affairs
   David Harry, Network and Communication Services, UC Davis Medical Center
   Morna Mellor, Manager, Data Center
   Dave Shelby, Co-Chair, NBA Implementation Workgroup