Tech Guides :: Information Security :: Secure Communication
ITS Requires Secure Communication
Information Technology Services (ITS) is in the process of tightening security by requiring passwords to be sent across the campus network in a more secure manner. As a first step towards this goal, telnet and FTP access will be deactivated on all campus servers (July 15, 2005). These services already have a widely available secure alternative, the SSH (Secure Shell) suite of tools provided in HSU labs and available for download on home computers. The second step will come this fall (October 1, 2005), when ITS will require encrypted logins for e-mail as well.
As more and more campus services become available to users via the HSU User Names, preventing others from gaining access to the passwords associated with those HSU User Names becomes extremely important. Access to computer systems is typically based on Authentication (determining that you are who you say you are) and Authorization (determining what resources you are allowed access to). The Authorization step typically takes place behind the scenes, determining if you are a faculty member, staff person or a student; or if you enrolled in a certain course section, etc. Authentication, however, is an interactive process where you let us know that you are really who you say that you are. Currently you do that by supplying a password that only you know.
Unfortunately, the Internet is not the safe academic research environment that it once was, there are a lot of malicious folks out there trying to get a hold of passwords so that they can impersonate other users and gain access to their accounts. For these malicious users, “sniffing” passwords sent over the network in “clear text” is a primary way to get access to others' accounts. Because of this, moving away from older technologies that send passwords in clear text over the network is a top security priority for ITS. Newer services such as SSH get away from sending your password in “clear text” by first running everything you type in the session through a mathematical formula which encrypts it so that only the server you are talking to can decrypt the data and then sending the result over the network.
When browsing the web, you can tell if your connection to any given web site is encrypted by looking at the web address or URL. Encrypted sites will begin with https:// rather than http://, this shows that your web browser's connection to the server is using the Secure Socket Layer (SSL) encryption algorithm to protect any data sent between client and server. ITS is working to move all web based services provided by the campus which require a user name and password to be entered for access via SSL encryption. SSL encryption uses a pair of encryption keys to secure communications, each server has both a public key, which is made available freely to anyone who needs it, and a private key which is only available on the server. When you go to an SSL-encrypted https:// web site, your web browser is using the the server's public key to encrypt the data it sends to the server. Another user possessing the server's public key would not be able to decrypt the message, it can only be decrypted using the private key.
The combination of a public and private key issued to a server is known as a Certificate and is issued by a Certificate Authority (CA). If your web browser or e-mail client knows about the CA which issued the public key that it is receiving from a server, it will encrypt the session without any errors. If your client doesn't recognize the CA that issued the server's SSL Certificate, you'll get an error message asking you if you want to trust that web site for the current session, on an ongoing basis, or not at all. Since SSL Certificates from large trusted Certificate Authorities are expensive, HSU has established its own CA to issue SSL Certificates. This will save the University a considerable amount of money on an ongoing basis, but will require users to train their browsers to trust the HSU CA if they want to avoid getting error messages going to local SSL sites or checking their mail.
This brings us back to telnet, FTP, and why ITS is getting rid of clear text passwords. For the security of HSU users' confidential data, we can no longer support systems which transmit user-names and passwords in clear text over the network. This transition will undoubtedly cause some pain and initially, extra work for everyone involved, but the end result will be a safer, more trustworthy computing environment that the campus can be proud of.
