|Academic Computing and Communications Center|
More Security for Web Service at UIC: Bluestem and Ness
On a campus like UIC - or a group of campuses like the University of Illinois - the authentication question is a bit different. There are Web services that you're entitled to use just because you belong at UIC and others that you can use because you belong to the U of I. (Some of the services of the UIC Library, for example, and the online Oxford English Dictionary at UIUC.) So the question is how do you prove to these servers - particularly those on another U of I campus - that you're worthy?
The answer is not to give your netid and ADN password to them as proof of your identity. Even when you're using SSL, it's not a good idea to give out your password to anyone, server or human, unless you know exactly how they will use it and how safe they will keep it. Nor is the answer to have a separate ID and password for each service. That's quite cumbersome, and who could remember all those account ids and passwords anyway?
|What's a poor server to do?|
Here at UIC and at UIUC, the answer is Bluestem, a protocol developed by Ed Kubaitis
at UIUC. Bluestem is loosely modeled on the Kerberos model - when you want service
from a remote (but oncampus) server, you first go to a well-known secure
ID server and get a credential, then you present your credential
to the remote server to receive its service. The beauty of Bluestem security is
that you only give your password to the Bluestem secure ID server, never to any
other server that you might not want to trust.
The Computer Center runs a Bluestem secure ID server for UIC, ness.uic.edu. (That's "ness" as in Elliot Ness, the FBI agent.) We will concentrate on making ness secure, so you can keep your password secure. Someday soon (if not already), you'll be able to use ness to access online services such as Grateful Med, from anywhere, without having a separate account for it or having to worry whether someone will snatch your password in the process.
Return to Contents.
|How Bluestem Works|
Another advantage in using Bluestem is that most of its work is done without
you - the "end user" - having to be aware of the details of what is going
on. All you'll see is:
Ness's asking you for your netid and password is its assurance to you that the server you've contacted is legitimate. Ness's sending you back to the server with your credentials and your netid is its assurance to the server that you are legitimate.
What really happens is a bit more complicated:
Return to Contents.
|Logging in with Ness|
Getting authenticated by logging into ness is quite similar to logging into the
ADN's Dialin terminal servers. This should not be surprising, though, because
ness and the terminal servers use the same authentication method,
or auth method for short. (For more on auth methods, see "Domains
and Auth Methods in Bluestem".)
Logging into ness is quite easy. When ness asks you for your netid, type it in the box provided and press Enter. (Include your domain - @uic.edu - if the Bluestem login screen you get isn't from ness; for more information, see "Domains and Auth Methods in Bluestem".) Then ness will ask for your password; it will accept your tigger, icarus, or UICVM password. If your netid and password match, ness will send you to the original Web server with its blessing. If not, ness will allow you to restart the login process.
|SSL Secured Browser Displays|
Note in the illustrations below that the URLs on SSL servers start with https://
instead of http:// and that your browser will make small changes in its
display to indicate you're using an SSL-secured connection:
Never send your ADN password over the Web unless the request for it comes from ness.uic.edu and you see the blue line and unbroken key (in Netscape) or the padlock (in Internet Explorer).
All in all, Bluestem provides a simple and easy way to get your applications and keep your password too!
Comments are welcome; send them to:Return to Contents
|The ADN Connection, March/April 1997||Previous: Some Practical Encryption Systems||Next: Domains and Auth Methods in Bluestem|