'Shibboleth' Relieves Password Overload, Enhances Computer Privacy
Duke taking lead role in national password project
Friday, September 3, 2004
"It's no wonder some people keep their passwords in a desk drawer or slap sticky notes on their monitor," Gettes said. "Password overload is a pain. More importantly, having an impossible number of passwords to remember is a sign that personal privacy is at risk."
Gettes was so concerned that he has helped develop a software system, called Shibboleth, that will relieve password overload and enhance privacy protections at the same time.
"Shibboleth requires only a single user ID and password at a single institution for access to resources on potentially thousands of computers at numerous institutions," Gettes said. "Only one institution needs to have personally identifiable information about the user."
Shibboleth is named for the first known password, described in the Bible's Book of Judges. "The Shibboleth of biblical times was the world's one and only password," Gettes said. "The modern Shibboleth tries to have only one password for each user."
Gettes said password overload and privacy dangers are linked because obtaining each password usually requires storing personal information on an additional computer system with its own vulnerabilities. "It's an ancient law of computing: no access without revealing personally identifiable information, such as the user's true name, email address or social security number," said Gettes. "Shibboleth repeals that law."
According to Gettes, Shibboleth works across institutions that choose to band together in "federations of trust." Within such a federation, institutions agree to grant access based on the user's attributes rather than demanding personally identifiable information.
"Attributes are things like being a student at an institution, being enrolled in a certain course, being a faculty member, being a staff member in a particular department, or working on a certain grant or contract," said Gettes.
When a user requests information on a Web site at another institution, Shibboleth goes into action behind the scenes, Gettes said. The Web site forwards the request to a Shibboleth program that asks for the user's home organization and redirects the request there. The home institution asks for a user ID and password. Then a Shibboleth "handle server" generates a temporary name, or "handle," for the user. The information request goes back to the original site, this time on behalf of the "handle."
"The site considering the request doesn't know who this handle represents, only that a trusted institution issued it," Gettes said.
The site asks the home institution for the unknown person's attributes. If those attributes meet the requirements for access to the requested information, access is granted.
"The whole process of using the computer at another institution happens without revealing the user's true identity, without any personal information leaving the home institution, and without anyone at the other institution assigning a user ID and password," said Gettes.
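The handle flow described above, as an added simulation that is not part of the original article or the Shibboleth software: a home institution authenticates the user and issues an opaque handle, and a site at another institution decides access purely from attributes fetched for that handle, so the user's name and SSN never leave the home institution. Names, passwords and attribute values are constructed for the example.

```python
import secrets

# Constructed sample directory for the home institution (user and values are made up);
# the SSN is there only to show it never leaves the home institution.
HOME_USERS = {"alice": {"password": "correct-horse", "affiliation": "student",
                        "course": "PHYS101", "ssn": "000-00-0000"}}

class HomeInstitution:
    """Identity provider: authenticates, issues a temporary handle, answers attribute queries."""
    def __init__(self, users):
        self.users = users
        self.handles = {}  # handle -> user id; this mapping never leaves here

    def login(self, user, password):
        if self.users.get(user, {}).get("password") != password:
            return None
        handle = secrets.token_hex(8)  # opaque, unguessable, temporary name
        self.handles[handle] = user
        return handle

    def attributes(self, handle, requested):
        """Release only the requested attributes; unknown handles get nothing."""
        user = self.handles.get(handle)
        if user is None:
            return None
        record = self.users[user]
        return {k: record[k] for k in requested if k in record and k != "password"}

class ResourceSite:
    """Service provider elsewhere: sees a handle and attributes, never the identity."""
    def __init__(self, federation, required):
        self.federation = federation  # home name -> HomeInstitution (trusted members)
        self.required = required      # attribute -> value needed for access

    def request(self, home_name, handle):
        idp = self.federation.get(home_name)
        if idp is None:
            return False  # not issued by a trusted institution
        attrs = idp.attributes(handle, list(self.required))
        if attrs is None:
            return False  # handle unknown to the home institution
        return all(attrs.get(k) == v for k, v in self.required.items())

def demo():
    """Outcomes for a genuine handle, a forged handle and an untrusted institution."""
    home = HomeInstitution(HOME_USERS)
    site = ResourceSite({"Duke": home}, {"affiliation": "student", "course": "PHYS101"})
    handle = home.login("alice", "correct-horse")
    return (site.request("Duke", handle),
            site.request("Duke", "forged"),
            site.request("Other", handle))
```

The site asks only for the attributes its access rule needs, so even a curious site cannot pull the SSN or password through the attribute query.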
The need for technology such as Shibboleth is growing as people use more services on the Internet each year and privacy regulations demand increasing numbers of separate passwords for personnel and medical information, Gettes said. "Biometric" technology can help with password overload by replacing a password with the user's unique physical characteristics, such as a scan of the user's finger. However, said Gettes, biometric systems increase costs and remain uncommon.
Shibboleth was introduced in 2003 by the Middleware Architecture Committee for Education of the Internet2 consortium that operates the high-speed Internet for higher education. Gettes serves on the committee.
"Middleware is a layer of software between the programs people use and the networked systems that run the programs," Gettes said. "Good middleware makes computing easier, more secure or more reliable."
Internet2's middleware efforts, directed by Ken Klingenstein of the University of Colorado, fit into a larger National Science Foundation program, said Gettes.
Gettes helped write the specification for Shibboleth and helps coordinate the middleware committee's work on directories and identity management. "The directory efforts laid the groundwork for Shibboleth," Gettes said. "Attributes are important in Shibboleth and identity management systems are where attributes belong."
Gettes said Steven Carmody of Brown University coordinates the Shibboleth project, working closely with lead developers Scott Cantor of Ohio State and Walter Hoehn of the University of Memphis. In a 2002 pilot test, Shibboleth proved its effectiveness by enabling Penn State students to use the IDs and passwords of their university to access online physics tests at North Carolina State University. Shibboleth went into production in 2003. Duke began implementing Shibboleth this year. Shibboleth has already helped eliminate the use of social security numbers in university parking registration.
Two organizations are developing Shibboleth-like technology for commercial use, Gettes said. The Liberty Alliance builds on the same technical security standard as Shibboleth. The WS-Federation is developing an alternative standard.
"Standards permitting, someday a Duke ID and password may provide access beyond higher education, at e-commerce sites like Yahoo and Amazon," Gettes said. "Cutting down on password overload will be the most obvious benefit, but the really important thing is protecting privacy."
Gettes said privacy concerns are his primary reason for promoting Shibboleth at every opportunity. "I teach workshops, give presentations and answer questions by email," Gettes said. "I even take the message straight to the public. If you see a car with 'GOTSHIB?' on the license plate, chances are good that it's mine."
