PKI Applications in Academic Computing
Last modified: 07/17/01 05:11:15 PM
The Dartmouth College PKI Lab (<http://www.cs.dartmouth.edu/~pkilab/>) is working on Public Key Infrastructure (PKI) solutions to security problems in networked applications. This document describes possible academic applications for Research and Development.
The continued development and widespread deployment of security solutions are vital to increased use of the Internet and Internet applications by Academia. PKI has been identified by the Internet2 community and the Federal Government as the most viable solution to the many security concerns that need to be addressed in present and future Internet applications.
Public-Key Cryptography enables, in an information setting, secure expression of complex relationships among widely distributed users, machines, and organizations. Consequently, research and development of PKI is critical to securing the emerging inter-networked world: in government, commerce, and academia.
The availability of an interoperable PKI will enable new classes of Academic applications as well as permit improvement of the security of existing ones. Many examples can be described that are essential to expanding the academic mission of higher educational institutions. There are also many research questions that will need to be explored in the efforts to provide these services in a ubiquitous and transparent manner, so that PKI will be as widely available and easy to use as network ports are today.
Next-generation applications need a flexible way to decide access control based on many complex attributes, in distributed populations and organizations. Because of its ability to securely express information in such communities, public key cryptography is the perfect building block. Realizing this vision requires identifying and solving trust and usability shortcomings in client, server, and application tools. Academia provides a large set of real problems to drive and test our research work.
Some key academic applications that would benefit from the availability of a PKI and its use include:
Controlled access to copyrighted materials for students
More sophisticated access controls for copyrighted materials using standard PKI credentials would address many current issues that occur with expanded use of electronic material in instruction. One key issue is enabling and enforcing license agreements applicable to students enrolled in particular courses. For licensees, use of PKI is a way to minimize the cost of the license by providing access to only the limited number of specific students who need it. For licensors, it provides more secure control over access, without having to enroll each individual user of the service. New standards for this sort of interchange may provide more opportunities to share locally developed materials between higher educational institutions. Materials developed by one institution can be electronically delivered conveniently from their servers to individuals or groups at some other institution who are participating in a specific activity. This kind of control can also help meet the legal tests for fair use of materials when the institution has made digital reproductions of protected materials to make access more convenient for students. Accountability for the use of the materials may also be achieved with greater reliability.
Publishing Web sites that have public and private parts
Web sites have become an essential mechanism to disseminate results of any research project. As more projects involve researchers distributed at multiple locations and institutions, there is a simultaneous need for access controls that limit access to information "still in development" and other working information to research collaborators. Researchers may also wish to exchange electronic information on a confidential basis. PKI can be used in a standard and convenient way to provide this capability.
Replacing IP address access controls at Information Vendor sites
Internet Protocol (IP) address controls are the standard method used by many Academic Library information vendors to provide access control based on a site license of their materials. In addition to not being a very secure solution, this approach also causes difficulties for academics who may be travelling or using some other ISP to obtain Internet dialup service from home or field locations. Standard credentials acceptable to the vendors could make these transactions more secure, even to the point of encrypting the data during transfers, while providing location independence to the end users.
Electronically signed submission of student assignments with timestamp
As more courses become web-enabled or web-based, being able to submit assignments electronically or take tests remotely is an increasingly attractive prospect. PKI provides a standard and secure way to determine that submissions originated from a specific student, have not been electronically tampered with and were submitted by the assigned deadline.
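The three properties named above (origin, integrity, on-time receipt) can be checked as in the following added example, which is not code from the PKI Lab. It assumes bare Ed25519 key pairs standing in for keys bound to campus-issued certificates (certificate validation is omitted), and the names Receipt, Submit and Check are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Receipt is what the hypothetical submission server returns and stores.
type Receipt struct {
	StudentSig, ServerSig []byte    // student's signature; server's countersignature
	ReceivedAt            time.Time // server clock at receipt, not the student's claim
}

// stampInput binds the document hash, the student's signature and the time.
func stampInput(doc, sig []byte, at time.Time) []byte {
	h := sha256.Sum256(doc)
	return append(append(h[:], sig...), at.UTC().Format(time.RFC3339)...)
}

// Submit checks the student's signature, then countersigns with server time.
func Submit(doc, sig []byte, student ed25519.PublicKey, server ed25519.PrivateKey, now time.Time) (Receipt, error) {
	if !ed25519.Verify(student, doc, sig) {
		return Receipt{}, errors.New("student signature invalid")
	}
	return Receipt{sig, ed25519.Sign(server, stampInput(doc, sig, now)), now}, nil
}

// Check is run by the grader: origin and integrity, receipt, then deadline.
func Check(doc []byte, r Receipt, student, server ed25519.PublicKey, due time.Time) error {
	switch {
	case !ed25519.Verify(student, doc, r.StudentSig):
		return errors.New("altered, or not signed by this student")
	case !ed25519.Verify(server, stampInput(doc, r.StudentSig, r.ReceivedAt), r.ServerSig):
		return errors.New("timestamp receipt invalid")
	case r.ReceivedAt.After(due):
		return errors.New("received after deadline")
	}
	return nil
}

func main() {
	sPub, sKey, _ := ed25519.GenerateKey(nil) // constructed student key pair
	tPub, tKey, _ := ed25519.GenerateKey(nil) // constructed server key pair
	doc, due := []byte("constructed assignment"), time.Date(2001, 7, 20, 17, 0, 0, 0, time.UTC)
	r, err := Submit(doc, ed25519.Sign(sKey, doc), sPub, tKey, due.Add(-time.Hour))
	fmt.Println(err, Check(doc, r, sPub, tPub, due))
}
```

The deadline check relies on the server's countersigned receipt time, so a student cannot backdate a late submission by editing the receipt.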
Protect sensitive data used by researchers while enhancing its availability
The protection of sensitive data being used for research is an important aspect of work in a number of fields. Data stored on network accessible servers to simplify transfer using the network needs to be protected from unauthorized access. Data sets need to be delivered only to authorized individuals using secure methods. PKI could enable such a secure networked data repository. Requested data could be transmitted to authorized researchers transparently encrypted in a way that guarantees the data is secure in transit over the network, such that only authorized individuals are able to decrypt it.
Expand use of Campus Directory while protecting individual privacy
Enhanced information in campus directories can enable a number of useful services for individuals both on and off campus. For example, constructing and maintaining a mailing list for a group of individuals located at many different campuses would be greatly simplified if interoperable directories were available. On-campus users could locate the individual best able to resolve a problem by searching job description information. Determining what privileges should be provided to a particular individual is often a difficult question that directory information could help answer. However, there is an equally strong need to closely control to whom directory information is provided and for what reason. It is necessary to protect individual privacy and to resist harassing or criminal acts. In some cases individuals may need complete privacy protection and yet still need to be able to make use of campus electronic services.
Secure wireless networking
The rapid adoption of wireless networking creates an additional security problem for the campus network. Without appropriate access controls, individuals on campus could join the campus network through a wireless access point, potentially gaining campus privileges.
Applications for Federal Student Loans and Services
In efforts to improve the efficiency of providing services and to enable easy access to personal information, various agencies of the Federal Government are actively developing and deploying systems that depend on PKI. Providing a campus PKI interoperable with the Federal PKI would be a great benefit to members of the institution who will need to use these systems. In particular, the number of different electronic credentials an individual needs to obtain and manage is an important consideration.
Student and Faculty electronic interaction with administrative systems
Similarly, local efforts to improve the efficiency of delivery and to simplify methods of accomplishing business transactions are an important application of a campus PKI. Students might use these systems, for example, to enroll in classes, apply for housing and manage debit accounts. Replacement of paper forms with electronic documents and multiple signatures that cannot be repudiated has applications in numerous campus activities including payroll actions, benefits selection, and grant submission. Use of these systems requires that the individual be able to trust the computation, obtain appropriate confirmation, and protect their workstation from attack.
These applications depend on providing solutions to the associated security issues in a manner that is not too difficult for the end user to apply. Properly protecting the privacy of individuals conducting business over the Internet is an important factor. For example, individuals should be able to obtain licensed information in an anonymous way. A prime example is scholarly content such as serials and journals as might be offered by libraries, vendors, or consortiums.
Some forms of information access and communication may require multiple signatures and authorizations, as is often true for interactions with administrative information systems. There are also more purely academic uses that are research or curricular based. The location and security of the device from which a request is being issued and which would receive the reply is also a consideration.
The need to educate end users is considerable and will require exploration and work. Individuals often do not even understand the underlying issues since network transactions are effectively invisible to them. Current web software offers little insight into "who" the browser operator or the service application is trusting, even in a "secure" transaction. Also, the institution is legally and financially liable if individuals do not properly protect their electronic credentials.
The more sophisticated applications described above will require desktop software packages to be acquired and installed on the workstations of all individuals participating in the service. While the per user cost of this software is already not especially high, the large multipliers to include the majority of the campus community can cause the price to become a significant expense.
Dartmouth is working to develop general solutions to these problems in collaboration with other institutions.
Maintained by Robert Brentrup