ACCC Home Page ACADEMIC COMPUTING and COMMUNICATIONS CENTER
Accounts / Passwords Email Labs / Classrooms Telecom Network Security Software Computing and Network Services Education / Teaching Getting Help
 
The ADN Connection, March/April 1997 The A3C Connection
March/April 1997 Contents Coming Soon to a Code Near You Some Practical Encryption Systems Security for Web Service at UIC: Bluestem and Ness Domains and Auth Methods in Bluestem Introducing Network Operations About the ADN Connection

More Security for Web Service at UIC: Bluestem and Ness

 
News on the Net
Everyone WWW

On a campus like UIC - or a group of campuses like the University of Illinois - the authentication question is a bit different. There are Web services that you're entitled to use just because you belong at UIC and others that you can use because you belong to the U of I. (Some of the services of the UIC Library, for example, and the online Oxford English Dictionary at UIUC.) So the question is how do you prove to these servers - particularly those on another U of I campus - that you're worthy?

The answer is not to give your netid and ADN password to them as proof of your identity. Even when you're using SSL, it's not a good idea to give out your password to anyone, server or human, unless you know exactly how they will use it and how safe they will keep it. Nor is the answer to have a separate ID and password for each service. That's quite cumbersome, and who could remember all those account ids and passwords anyway?

 
   
 
     
What's a poor server to do?
  Here at UIC and at UIUC, the answer is Bluestem, a protocol developed by Ed Kubaitis at UIUC. Bluestem is loosely modeled on the Kerberos model - when you want service from a remote (but oncampus) server, you first go to a well-known secure ID server and get a credential, then you present your credential to the remote server to receive its service. The beauty of Bluestem security is that you only give your password to the Bluestem secure ID server, never to any other server that you might not want to trust.

The Computer Center runs a Bluestem secure ID server for UIC, ness.uic.edu. (That's "ness" as in Elliot Ness, the FBI agent.) We will concentrate on making ness secure, so you can keep your password secure. Someday soon (if not already), you'll be able to use ness to access online services such as Grateful Med, from anywhere, without having a separate account for it or having to worry whether someone will snatch your password in the process.

Return to Contents.

 
     
How Bluestem Works
  Another advantage in using Bluestem is that most of its work is done without you - the "end user" - having to be aware of the details of what is going on. All you'll see is:
  1. You request service from a given URL.
  2. You receive a reply back from ness.uic.edu asking you for your netid and password, which you enter and ness processes. (See Figure 1.)
  3. The original server replies to your request.
Ness will send you a cookie somewhere along the way; if your browser asks whether to accept it, say yes.

Ness's asking you for your netid and password is its assurance to you that the server you've contacted is legitimate. Ness's sending you back to the server with your credentials and your netid is its assurance to the server that you are legitimate.

What really happens is a bit more complicated:

  1. You request service from a given URL. That URL's Web server receives your request and redirects your browser to ness.uic.edu, UIC's Bluestem Web server, asking it to verify your identity. ("Redirection" means that you request service from one URL but you receive a reply back from a different URL.)
  2. Using SSL encryption, ness asks you for your netid and password. You send them and ness receives and verifies them. Then, again using SSL, ness sends your netid to the original Web server with its OK.
  3. Continuing to use SSL encryption, the original server replies to your original request, having been satisfied by its conversation with ness that you are who you say you are: the person with your netid.
One caveat - your browser must be using SSL in order to protect the credential that ness will give to your browser. That means Netscape Navigator or Microsoft Internet Explorer, and not at this time lynx or Charlotte.

Return to Contents.

 
     
Logging in with Ness
  Getting authenticated by logging into ness is quite similar to logging into the ADN's Dialin terminal servers. This should not be surprising, though, because ness and the terminal servers use the same authentication method, or auth method for short. (For more on auth methods, see "Domains and Auth Methods in Bluestem".)

Logging into ness is quite easy. When ness asks you for your netid, type it in the box provided and press Enter. (Include your domain - @uic.edu - if the Bluestem login screen you get isn't from ness; for more information, see "Domains and Auth Methods in Bluestem".) Then ness will ask for your password; it will accept your tigger, icarus, or UICVM password. If your netid and password match, ness will send you to the original Web server with its blessing. If not, ness will allow you to restart the login process.

 
     
SSL Secured Browser Displays
  Note in the illustrations below that the URLs on SSL servers start with https:// instead of http:// and that your browser will make small changes in its display to indicate you're using an SSL-secured connection:
Netscape:
The key in the bottom left corner of the Netscape window is unbroken and there's a narrow blue line across the top of the display area, below the URL.
Microsoft Internet Explorer:
A yellow padlock appears in the bottom right corner of the IE window.
Select View-->Document Info in Netscape or File-->Properties in IE on either the netid or password screen to see info on ness's SSL certificate.

Never send your ADN password over the Web unless the request for it comes from ness.uic.edu and you see the blue line and unbroken key (in Netscape) or the padlock (in Internet Explorer). 

Figure 1a: SSL Security and the Bluestem Login Process

The figure below is the ness Bluestem login screen in Netscape:
Bluestem login in Netscape

 

Figure 1a: SSL Security and the Bluestem Login Process

And this is the ness Bluestem password screen in Microsoft Internet Explorer:
Bluestem login in IE

All in all, Bluestem provides a simple and easy way to get your applications and keep your password too!

Comments are welcome; send them to:
Bog Goldstein, bobg@uic.edu
Return to Contents		  
 

The ADN Connection, March/April 1997 Previous: Some Practical Encryption Systems Next: Domains and Auth Methods in Bluestem

1999-9-14  connect@uic.edu
UIC Home Page Search UIC Pages Contact UIC