Penn, like other institutions, has in place a campus-wide program
to ensure the continued security of critical networked systems
and services whose compromise might significantly increase privacy
risks for individuals or harm the University. In our increasingly
networked world, where online purchasing, banking, and other
activities are becoming commonplace, ever more secure access
management methods are necessary to verify who we are and what
we are authorized to do. In the fall, we at Penn will take our
next step forward with the implementation of an authentication
method called Kerberos and the replacement of our current PennNet
IDs and passwords with PennKeys and their associated passwords.
What Is Kerberos?
As new security protocols have been implemented on campus services
over the years, we have been moving away from transmitting passwords
either "in the clear" or with "weak" encryption.
Indeed, several secure protocols with strong encryption are
already in use at Penn. The Kerberos authentication protocol
we are implementing as our next step is, however, held to be
among the most secure, and over time we will move toward standardized
use of Kerberos. (In Greek mythology, Kerberos, better known
to many by the Latin name Cerberus, was the three-headed dog
that guarded the gates of Hades.)
The advantage of Kerberos authentication is that passwords are not
transmitted across the network, even in encrypted form. Rather,
when a user logs on, Kerberos provides a ticket that has been
authenticated and time-stamped, and remains valid for a session
approximately the length of one working day. In simplest terms,
it is the ticket, not the password, that is transmitted over
the network. Because your ticket will identify you to any Kerberized
service, you need not reauthenticate yourself to each service
you use. Thus Kerberos moves us closer to our goal of a single
password for multiple campus services.
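A simplified model of the principle described above, added here as an illustration and not Penn's implementation or the Kerberos protocol itself (real Kerberos encrypts tickets and separates ticket-granting from service tickets; this model uses HMAC tags and a constructed user, service and keys): the password never leaves the client, the KDC issues a time-stamped ticket, and a Kerberized service accepts the ticket alone until it expires.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample realm (hypothetical user, service and keys; not Penn's system).
USER, PASSWORD = "jdoe", "correct horse battery staple"
TICKET_LIFETIME = 8 * 3600          # a ticket good for roughly one working day
SERVICE_KEY = b"constructed-key-shared-only-between-kdc-and-service"

def user_key(password: str, principal: str) -> bytes:
    # Key derived from the password on the client; the KDC holds its own
    # copy, so the password itself never has to cross the network.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 50_000)

KDC_USER_KEYS = {USER: user_key(PASSWORD, USER)}   # what the KDC stores

def client_preauth(password: str, principal: str, now: int) -> dict:
    # The client proves it knows the password with a MAC over a timestamp;
    # only the MAC and the timestamp are sent, never the password.
    mac = hmac.new(user_key(password, principal), str(now).encode(), "sha256").hexdigest()
    return {"principal": principal, "ts": now, "mac": mac}

def kdc_issue_ticket(req: dict, now: int) -> Optional[dict]:
    # The KDC checks the proof (allowing 5 minutes of clock skew) and, if it
    # verifies, issues a time-stamped ticket authenticated under the service key.
    key = KDC_USER_KEYS.get(req["principal"])
    if key is None or abs(now - req["ts"]) > 300:
        return None
    expected = hmac.new(key, str(req["ts"]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, req["mac"]):
        return None
    body = {"principal": req["principal"], "issued": now,
            "expires": now + TICKET_LIFETIME}
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(SERVICE_KEY, raw, "sha256").hexdigest()}

def service_accept(ticket: dict, now: int) -> bool:
    # A Kerberized service accepts the ticket (not a password) if its tag is
    # genuine and it is inside the validity window; no second login is needed.
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    expected = hmac.new(SERVICE_KEY, raw, "sha256").hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return False
    return ticket["body"]["issued"] <= now < ticket["body"]["expires"]
```

The same ticket can be presented to any service that shares the KDC's trust, which is what makes a single daily sign-on possible; once the expiry passes, the ticket is refused and the user authenticates again.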
It will take some time and several steps before we achieve our
goal of a Kerberized environment: one where you would sign
on once a day and securely read your email and perform all your
technology-based activities during the time your ticket was
valid. Not all user and server software products that we use
today take advantage of Kerberos; hence, the continued use of
other secure protocols as software vendors move towards this
standard.
PennNet IDs Being Replaced with PennKeys
While Kerberos is something that runs in the background and that you
will generally not be aware of, what will be visible to us all
is the move from the use of PennNet IDs and passwords to PennKeys
and their associated passwords. A PennKey is simply your username
in the Kerberos-based PennKey authentication system, which will
replace the PennNet ID (also known as PAS) system on October
14. Faculty, staff, and students will need to register their
PennKey and password before being able to access any service
that requires a PennKey.
Many services will not yet be "Kerberized" by the fall.
Your PennKey, however, will be used for those that are Kerberized
as well as certain systems not yet using this standard. In particular,
web-based services now requiring a PennNet ID and password will
require a PennKey and password in mid-October. For those services,
your password would still be sent across the network in a secure,
strongly encrypted form. One of the first implementations of
a Kerberized service you are likely to encounter will be Kerberized
email, which will be available as an option in many Schools
and centers in the fall. You'll hear more in the future
about which email services will make this option available,
and about other Kerberized services.
How to Get Your PennKey
Beginning September 3 and continuing until October 14, the following procedures
for registering a PennKey will be available:
Current students, faculty, and staff with a PennNet ID and password.
The procedure will be very straightforward. You will go to a
web site and enter your existing PennNet ID and password. The
system will display your PennKey, which will be the same as
your PennNet ID. You will then have to establish an associated
PennKey password. The system will enforce rigorous password
standards, and that really does mean you can't use
your dog's name any longer!
Current students, faculty, and staff who don't have a PennNet ID
and password or have forgotten them. First you will
need to go to a PennNet ID swipe station with your PennCard
to create or reset your PennNet ID and password. Then you can
register a PennKey online as described above.
New students, faculty, and staff. Until October
14, when the PennNet ID and password system is replaced, new
students, faculty, and staff will first need to create a PennNet
ID and password and then use it to register in the PennKey system,
just as current faculty, staff, and students do.
Beginning on October 14, a different registration procedure, also web-based,
will be instituted for newcomers to Penn. In addition, there
will be procedures in place for resetting forgotten passwords.
About Passwords and Password Sharing
Though a totally new password offers you the highest level of security,
you may reuse your PennNet password as your PennKey password
when you register your PennKey, with two important caveats:
If you have used your PennNet password elsewhere, on other
systems, or have shared it with anyone, you are strongly advised
to choose a new password.
Password rules have become more stringent over the years.
Some PennNet passwords no longer comply with the current rules
and will not be accepted by the PennKey registration application.
You will need to create a new password that complies
with the password guidelines described at http://www.upenn.edu/computing/email/pswd_guide.html.
Remember that it is a violation of University policy to share a PennKey
password with anyone. When you share your password, you give
others access to everything your PennKey gives you access to,
and you become responsible for whatever others do with that
access. Your LSP can advise you on alternatives to password
sharing if, for example, you have been sharing passwords in
order to delegate tasks such as calendar scheduling, responding
to email, or grant administration.
What Else Will Change This Fall
Many critical services will have new security options in place that
require the use of appropriately configured, supported versions
of desktop client software. If you are using outdated software,
you may need to upgrade for continued access to some services.
See http://www.upenn.edu/computing/product/
or your LSP for current standards.
Learn More
As details are finalized over the coming months, current information
will be available on a dedicated web site, through various University
and School channels, and from Local Support Providers. There
will be additional Almanac articles as well.
Let me conclude by emphasizing that due diligence in protecting
and keeping information appropriately confidential and secure
is a responsibility we all share. Follow best practices in crafting
your password and don't share it with others. Though access
software will continue to evolve and become ever more robust,
it will never be perfect. We'll keep that three-headed
dog on guard and look to its successors to continue minimizing
risk in the future.
Robin Beck, Vice President, Information Systems and Computing