New Security Measures for Penn’s Networked Systems and How They Affect Faculty, Staff and Students

Penn, like other institutions, has in place a campus-wide program to ensure the continued security of critical networked systems and services whose compromise might significantly increase privacy risks for individuals or harm the University. In our increasingly networked world, where online purchasing, banking, and other activities are becoming commonplace, ever more secure access management methods are necessary to verify who we are and what we are authorized to do. In the fall, we at Penn will take our next step forward with the implementation of an authentication method called Kerberos and the replacement of our current PennNet IDs and passwords with PennKeys and their associated passwords.

What Is Kerberos?

As new security protocols have been implemented on campus services over the years, we have been moving away from transmitting passwords either "in the clear" or with "weak" encryption. Indeed, several secure protocols with strong encryption are already in use at Penn. The Kerberos authentication protocol we are implementing as our next step is, however, held to be among the most secure, and over time we will move toward standardized use of Kerberos. (In Greek mythology, Kerberos, better known to many by the Latin name Cerberus, was the three-headed dog that guarded the gates of Hades.)

The advantage of Kerberos authentication is that passwords are not transmitted across the network, even in encrypted form. Rather, when a user logs on, Kerberos provides a ticket that has been authenticated and time-stamped, and remains valid for a session approximately the length of one working day. In simplest terms, it is the ticket, not the password, that is transmitted over the network. Because your ticket will identify you to any Kerberized service, you need not reauthenticate yourself to each service you use. Thus Kerberos moves us closer to our goal of a single password for multiple campus services.

It will take some time and several steps before we achieve our goal of a Kerberized environment–one where you would sign on once a day and securely read your email and perform all your technology-based activities during the time your ticket was valid. Not all user and server software products that we use today take advantage of Kerberos; hence other secure protocols will remain in use until software vendors move toward this standard.
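The ticket idea described above can be illustrated in a few lines of code. The following Python example is added here for explanation; it is not Penn's implementation and not the real Kerberos protocol (which involves a key distribution center, ticket-granting tickets, and per-service session keys), but a simplified model of its central point: the client and the authentication server each derive a key from the password, the client proves knowledge of that key with a time-stamped authenticator, the server issues a signed, time-limited ticket, and a service accepts the ticket without ever seeing the password. All names, keys, and the eight-hour lifetime are constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

TICKET_LIFETIME = 8 * 60 * 60   # "approximately one working day" (constructed value)
CLOCK_SKEW = 5 * 60             # tolerated client/server clock difference (constructed)
SALT = b"constructed-example-salt"  # constructed; a real system salts per user


def derive_key(password: str) -> bytes:
    """Both the client and the authentication server derive the same key from
    the password. Only this key is used to compute MACs; the password itself
    never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def client_authenticator(password: str, now: Optional[int] = None) -> dict:
    """Client side: prove knowledge of the password-derived key by MACing a
    timestamp. The password is not part of the message."""
    now = int(now if now is not None else time.time())
    key = derive_key(password)
    mac = hmac.new(key, str(now).encode(), "sha256").hexdigest()
    return {"timestamp": now, "mac": mac}


def _ticket_mac(service_key: bytes, body: dict) -> str:
    # Canonical JSON so client and service MAC exactly the same bytes.
    return hmac.new(service_key, json.dumps(body, sort_keys=True).encode(),
                    "sha256").hexdigest()


class AuthServer:
    """Hypothetical authentication server: holds derived keys (never plaintext
    passwords) and a key shared with the service it issues tickets for."""

    def __init__(self, service_key: bytes):
        self.keys = {}
        self.service_key = service_key

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password)

    def issue_ticket(self, principal: str, authenticator: dict,
                     now: Optional[int] = None) -> Optional[dict]:
        """Returns a time-stamped ticket, or None if authentication fails."""
        now = int(now if now is not None else time.time())
        key = self.keys.get(principal)
        if key is None:
            return None
        ts = authenticator["timestamp"]
        if abs(now - ts) > CLOCK_SKEW:
            return None  # stale or replayed authenticator
        expected = hmac.new(key, str(ts).encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, authenticator["mac"]):
            return None  # wrong password-derived key
        body = {"principal": principal, "issued": now,
                "expires": now + TICKET_LIFETIME}
        return {"body": body, "mac": _ticket_mac(self.service_key, body)}


def service_accepts(ticket: dict, service_key: bytes,
                    now: Optional[int] = None) -> Optional[str]:
    """Service side: verify the ticket's MAC and validity window, then trust
    the principal named inside it. No password is involved at this step."""
    now = int(now if now is not None else time.time())
    body = ticket["body"]
    if not hmac.compare_digest(_ticket_mac(service_key, body), ticket["mac"]):
        return None  # forged or tampered ticket
    if now > body["expires"]:
        return None  # ticket has expired; the user must sign on again
    return body["principal"]


if __name__ == "__main__":
    svc_key = b"constructed-service-key"
    server = AuthServer(svc_key)
    server.register("jdoe", "constructed-Example-Passw0rd")
    ticket = server.issue_ticket(
        "jdoe", client_authenticator("constructed-Example-Passw0rd"))
    print("accepted as:", service_accepts(ticket, svc_key))
```

The service never holds the user's password-derived key; it only needs the key shared with the authentication server, which is why a single daily sign-on can cover many Kerberized services. Expired tickets and tampered ticket bodies are rejected at the service, and a stale or replayed authenticator is rejected at the server.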

PennNet IDs Being Replaced with PennKeys

While Kerberos is something that runs in the background and that you will generally not be aware of, what will be visible to us all is the move from the use of PennNet IDs and passwords to PennKeys and their associated passwords. A PennKey is simply your username in the Kerberos-based PennKey authentication system, which will replace the PennNet ID (also known as PAS) system on October 14. Faculty, staff, and students will need to register their PennKey and password before being able to access any service that requires a PennKey.

Many services will not yet be "Kerberized" by the fall. Your PennKey, however, will be used for those that are Kerberized as well as certain systems not yet using this standard. In particular, web-based services now requiring a PennNet ID and password will require a PennKey and password in mid-October. For those services, your password would still be sent across the network in a secure, strongly encrypted form. One of the first implementations of a Kerberized service you are likely to encounter will be Kerberized email, which will be available as an option in many Schools and centers in the fall. You’ll hear more in the future about which email services will make this option available, and about other Kerberized services.

How to Get Your PennKey

Beginning September 3 and continuing until October 14, the following procedures for registering a PennKey will be available:

Current students, faculty, and staff with a PennNet ID and password. The procedure will be very straightforward. You will go to a web site and enter your existing PennNet ID and password. The system will display your PennKey, which will be the same as your PennNet ID. You will then have to establish an associated PennKey password. The system will enforce rigorous password standards–and that really does mean you can’t use your dog’s name any longer!

Current students, faculty, and staff who don’t have a PennNet ID and password or have forgotten them. First you will need to go to a PennNet ID swipe station with your PennCard to create or reset your PennNet ID and password. Then you can register a PennKey online as described above.

New students, faculty, and staff. Until October 14, when the PennNet ID and password system is replaced, new students, faculty, and staff will first need to create a PennNet ID and password and then use it to register in the PennKey system, just as current faculty, staff, and students do.

Beginning on October 14, a different registration procedure, also web-based, will be instituted for newcomers to Penn. In addition, there will be procedures in place for resetting forgotten passwords.

About Passwords and Password Sharing

Though a totally new password offers you the highest level of security, you may reuse your PennNet password as your PennKey password when you register your PennKey, with two important caveats:

• If you have used your PennNet password elsewhere, on other systems, or have shared it with anyone, you are strongly advised to choose a new password.

• Password rules have become more stringent over the years. Some PennNet passwords no longer comply with the current rules and will not be accepted by the PennKey registration application. You will need to create a new password that complies with the password guidelines described at

Remember that it is a violation of University policy to share a PennKey password with anyone. When you share your password, you give others access to everything your PennKey gives you access to, and you become responsible for whatever others do with that access. Your LSP can advise you on alternatives to password sharing if, for example, you have been sharing passwords in order to delegate tasks such as calendar scheduling, responding to email, or grant administration.

What Else Will Change This Fall

Many critical services will have new security options in place that require the use of appropriately configured, supported versions of desktop client software. If you are using outdated software, you may need to upgrade for continued access to some services. See or your LSP for current standards.

Learn More

As details are finalized over the coming months, current information will be available on a dedicated web site, through various University and School channels, and from Local Support Providers. There will be additional Almanac articles as well.

Let me conclude by emphasizing that due diligence in protecting and keeping information appropriately confidential and secure is a responsibility we all share. Follow best practices in crafting your password and don’t share it with others. Though access software will continue to evolve and become ever more robust, it will never be perfect. We’ll keep that three-headed dog on guard and look to its successors to continue minimizing risk in the future.

– Robin Beck, Vice President, Information Systems and Computing

Almanac, Vol. 49, No. 1, July 16, 2002

