Web Security at UIC: Authentication with Bluestem and Ness

Authentication at UIC
On a campus like UIC -- or a group of campuses like the University of Illinois -- authentication is somewhat complicated. There are Web services that you're entitled to use just because you belong at UIC and others that you can use because you belong to the U of I. (Some of the services of the UIC Library, for example, and the online Oxford English Dictionary at UIUC.) So the question is: how do you prove to these servers -- particularly those on another U of I campus -- that you're worthy?

The answer is not to give your netid and ACCC password to them as proof of your identity. Even when you're using the Web's secure transmission mode, SSL (Secure Sockets Layer), it's not a good idea to give out your password to anyone, server or human, unless you know exactly how they will use it and how safe they will keep it. Nor is the answer to have a separate ID and password for each service. That's quite cumbersome, and who could remember all those account IDs and passwords anyway?

What's a poor server to do?
Here at UIC and at UIUC, the answer is Bluestem, a protocol developed by Ed Kubaitis at UIUC. Bluestem is loosely modeled on Kerberos -- when you want service from a remote (but on-campus) server, you first go to a well-known secure ID server and get a credential, then you present your credential to the remote server to receive its service. The beauty of Bluestem security is that you only give your password to the Bluestem secure ID server, never to any other server that you might not want to trust.

The Computer Center runs two Bluestem secure ID servers for UIC, ness.uic.edu and ness1.uic.edu. (That's "ness" as in Elliot Ness, the FBI agent.) We will concentrate on making the nesses secure, so you can keep your password secure and you'll be able to use ness to access any number of online services from anywhere, without having a separate account for each service or having to worry whether someone will snatch your password in the process.

How Bluestem Works
Another advantage in using Bluestem is that most of its work is done without you -- the "end user" -- having to be aware of the details of what is going on. All you'll see is:

  1. You request service from a given URL.
  2. You receive a reply back from ness.uic.edu or ness1.uic.edu asking you for your netid and password, which you enter and ness processes. (See Figure 1.)
  3. The original server replies to your request.

Ness will send you a cookie somewhere along the way; if your browser asks whether to accept it, say yes.

Ness's asking you for your netid and password is its assurance to you that the server you've contacted is legitimate. Ness's sending you back to the server with your credentials and your netid is its assurance to the server that you are legitimate.

What really happens is a bit more complicated:

  1. You request service from a given URL. That URL's Web server receives your request and redirects your browser to ness.uic.edu, UIC's Bluestem Web server, asking it to verify your identity. ("Redirection" means that you request service from one URL but you receive a reply back from a different URL.)

  2. Using SSL encryption, ness asks you for your netid and password. You send them and ness receives and verifies them. Then, again using SSL, ness sends your netid to the original Web server with its OK.

  3. Continuing to use SSL encryption, the original server replies to your original request, having been satisfied by its conversation with ness that you are who you say you are: the person with your netid.

One caveat: your browser must be using SSL in order to protect the credential that ness will give to your browser. That means Netscape Navigator or Microsoft Internet Explorer, and not lynx on tigger or icarus at this time.
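The three-step exchange above can be modelled in a few dozen lines to make the security point concrete: the application server has no code path that accepts a password, so the only place the password can go is the ID server. The following is an added illustration, not Bluestem's own code, and it does not reproduce Bluestem's credential format. It assumes that the ID server and the application share a secret, that the credential is an HMAC-tagged JSON blob carrying the netid, an expiry, a nonce and the URL it was issued for, and that the browser carries the credential back to the application; SSL transport is taken as given. All hostnames, the user and the secret are constructed sample values.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample data: the one user the ID server knows, and the shared secret.
ID_SERVER_USERS = {"adabyron": "correct horse battery"}
SHARED_SECRET = b"constructed-secret-shared-by-id-server-and-app"
CREDENTIAL_LIFETIME = 60  # seconds; assumed value, not Bluestem's


class IdServer:
    """Stands in for ness.uic.edu: the only party that ever sees the password."""

    def __init__(self, users, secret):
        self.users = users
        self.secret = secret

    def login(self, netid, password, return_url):
        """Step 2: check netid/password, then mint a credential bound to return_url."""
        stored = self.users.get(netid, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return None  # ness lets the user restart the login
        body = {"netid": netid, "aud": return_url,
                "exp": int(time.time()) + CREDENTIAL_LIFETIME,
                "nonce": secrets.token_hex(8)}
        raw = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self.secret, raw, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(raw).decode() + "." + tag  # '.' is not in the b64 alphabet


class AppServer:
    """Stands in for the original Web server: it has no login form at all."""

    def __init__(self, url, id_server_url, secret):
        self.url = url
        self.id_server_url = id_server_url
        self.secret = secret

    def handle(self, credential=None):
        """Step 1 (no credential): redirect to the ID server. Step 3: verify and serve."""
        if credential is None:
            return ("redirect", self.id_server_url + "?return=" + self.url)
        netid = self.verify(credential)
        return ("forbidden", None) if netid is None else ("ok", "hello " + netid)

    def verify(self, credential):
        """Accept only an untampered, unexpired credential issued for this very URL."""
        try:
            b64, tag = credential.rsplit(".", 1)
            raw = base64.urlsafe_b64decode(b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.secret, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        body = json.loads(raw)
        if body.get("aud") != self.url or body.get("exp", 0) < time.time():
            return None
        return body["netid"]


def browse(app, id_server, netid, password):
    """The end user's browser: follow the redirect, log in at the ID server, come back."""
    status, location = app.handle()                       # step 1: request, get redirected
    if status != "redirect":
        return status
    return_url = location.split("?return=", 1)[1]
    cred = id_server.login(netid, password, return_url)   # step 2: password goes here only
    if cred is None:
        return "login failed"
    status, page = app.handle(credential=cred)            # step 3: app serves the request
    return page if status == "ok" else status


def demo():
    """The cases a defender would check; returns a dict of outcomes."""
    ids = IdServer(ID_SERVER_USERS, SHARED_SECRET)
    app = AppServer("https://app.example/page", "https://idserver.example/login", SHARED_SECRET)
    other = AppServer("https://other.example/", "https://idserver.example/login", SHARED_SECRET)
    results = {"good": browse(app, ids, "adabyron", "correct horse battery"),
               "bad_password": browse(app, ids, "adabyron", "wrong")}
    # A credential minted for one application must not be honoured by another.
    cred = ids.login("adabyron", "correct horse battery", app.url)
    results["wrong_audience"] = other.handle(credential=cred)[0]
    # A credential tagged under a different secret must be rejected.
    stray = IdServer(ID_SERVER_USERS, b"some-other-secret").login("adabyron", "correct horse battery", app.url)
    results["wrong_secret"] = app.handle(credential=stray)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The audience ("aud") check is what stops a credential obtained for one server from being replayed to a second one, and the expiry bounds how long a captured credential stays useful; the cookie the page mentions is the natural place for the browser to keep the credential between steps.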
Logging in with Ness
Getting authenticated by logging into ness is quite similar to logging into the ACCC's Dialin terminal servers. This should not be surprising, though, because ness and the terminal servers use the same authentication method, or auth method for short. (For more on auth methods, see Domains and Auth Methods in Bluestem.)

Logging into ness is quite easy.

  1. When ness asks you for your netid, type it in the box provided and press Enter. (Include your domain -- @uic.edu -- if the Bluestem login screen you get isn't from ness or ness1; for more information, see Domains and Auth Methods in Bluestem.)

  2. Then ness will ask for your password; it will accept your tigger, icarus, or mailserv password. Or you can use your UIH Winstation password if you have one.

  3. If your netid and password match, ness will send you to the original Web server with its blessing. If not, ness will allow you to restart the login process.
SSL Secured Browser Displays
Note in the illustrations below that the URLs on SSL servers start with https:// instead of http:// and that your browser will make small changes in its display to indicate you're using an SSL-secured connection:

Older Netscapes: The key in the bottom left corner of the Netscape window is unbroken and there's a narrow blue line across the top of the display area, below the URL.

Newer Netscapes: A closed yellow padlock appears in the bottom left corner and the padlock at the top is highlighted in yellow.

Microsoft Internet Explorer: A closed yellow padlock appears in the bottom right.

Select View->Page Info in Netscape or File->Properties in IE on either the netid or password screen to see info on ness's SSL certificate.

Never send your ACCC password over the Web unless the request for it comes from ness.uic.edu or ness1.uic.edu and you see the blue line and unbroken key (in Netscape) or the padlock (in Internet Explorer). 

Figure 1a: SSL Security and the Bluestem Login Process

The figure below is the ness Bluestem login screen in Netscape:

[Figure: the ness Bluestem login screen in Netscape; image not reproduced]

Figure 1a: SSL Security and the Bluestem Login Process

And this is the ness Bluestem password screen in Microsoft Internet Explorer:

[Figure: the ness Bluestem password screen in Microsoft Internet Explorer; image not reproduced]

All in all, Bluestem provides a simple and easy way to get your applications and keep your password too!

Domains and Auth Methods in Bluestem
If the application you're requesting Bluestem authentication for is in the UIC domain and it accepts ness's default auth method, then all is well, and you don't have to worry about domains or auth methods when you log in. That is the case for most services that ness and ness1 provide authentication for.

However, domains or auth methods can present a small complication in the Bluestem login process. Some university-wide services, for example, are in the UIUC domain. (The UIC and UIUC Bluestem servers know about each other and will accept authentication from the other where appropriate.) And some applications might require specific auth methods.

How do you tell the Bluestem server the domain or auth method that it should use? Instead of typing just your netid in the login screen (see Figure 1), you use one of:

    netid@domain
    netid/authmethod
    netid@domain/authmethod

How can you tell when you need to specify the domain or auth method?

The domain is easy -- you need to specify it any time the Bluestem login screen doesn't say "University of Illinois at Chicago" or the URL displayed doesn't begin with ness.uic.edu or ness1.uic.edu. In that case, you must include @uic.edu with your netid. Thus Ada Byron, whose netid is adabyron, would use: adabyron@uic.edu
(Ms. Byron could use adabyron@uic.edu for her netid when she logs into ness, too. It's not wrong; it's just not necessary.)

Deciding when you need to specify an auth method is even easier. The default, whatever it happens to be (it's TACACS now), will almost always work. And if you ever use an application where it won't work, someone will tell you about it ahead of time and will tell you what method you should use instead.
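As an added illustration (not Bluestem's code), here is a small parser for the four login-name forms described above, together with the rule for when the domain must be included. The defaults are assumptions taken from the text: uic.edu is filled in when no domain is given on ness or ness1, and TACACS is the default auth method "now". The example also goes a little beyond the page by rejecting malformed names (an empty netid, a trailing "@" or "/"); the non-UIC hostname and the auth method "othermethod" in the test cases are constructed values.

```python
# Assumed defaults: ness/ness1 supply uic.edu when no domain is typed, and the
# page states the default auth method is TACACS at the time of writing.
DEFAULT_DOMAIN = "uic.edu"
DEFAULT_AUTHMETHOD = "TACACS"
HOME_SERVERS = ("ness.uic.edu", "ness1.uic.edu")
HOME_TITLE = "University of Illinois at Chicago"


def parse_login(login, default_domain=DEFAULT_DOMAIN, default_auth=DEFAULT_AUTHMETHOD):
    """Split one of: netid, netid@domain, netid/authmethod, netid@domain/authmethod.

    Returns (netid, domain, authmethod), filling in the defaults for omitted parts.
    Assumption: the auth method, when present, always comes last, so the '/' is
    split off before the '@'.
    """
    rest, slash, authmethod = login.strip().partition("/")
    netid, at, domain = rest.partition("@")
    if not netid or (slash and not authmethod) or (at and not domain):
        raise ValueError("malformed login name: %r" % login)
    if "/" in authmethod or "@" in authmethod:
        raise ValueError("malformed login name: %r" % login)
    return netid, domain or default_domain, authmethod or default_auth


def login_name_for(netid, screen_title, server_host):
    """The page's rule: add @uic.edu unless the login screen is ness's own.

    Both conditions must hold to omit the domain: the screen names UIC and the
    server is ness.uic.edu or ness1.uic.edu.
    """
    at_home = screen_title == HOME_TITLE and server_host.lower() in HOME_SERVERS
    return netid if at_home else netid + "@" + DEFAULT_DOMAIN


if __name__ == "__main__":
    for name in ("adabyron", "adabyron@uic.edu", "adabyron/TACACS", "adabyron@uic.edu/TACACS"):
        print(name, "->", parse_login(name))
    print(login_name_for("adabyron", HOME_TITLE, "ness1.uic.edu"))
    print(login_name_for("adabyron", "Some Other Campus", "bluestem.example.edu"))
```

The four forms Ada Byron could type all resolve to the same triple on ness, which is the page's point that adding @uic.edu there is harmless but unnecessary.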

2001-8-20  ACCC Consultants