Technology Models


Authentication Model

Version: 3.0
Status: Proposed: 09/18/98
Contact: LaVonn Creighton


Purpose

To provide a model to support simple authentication for application and computing services in the VCCS client/server environment.

Scope

This model covers the primary layer of security of a person or application trying to access services within the college campus Intranets of VCCS.

Applicability

This model is applicable to all colleges and campuses within the VCCS.

Definition

As the VCCS plans to conduct business using the Internet, the addition of network security services and secured applications becomes essential to doing business securely on the open network, as well as on the VCCS Intranet. Benefits include the ability to securely provide services to customers without compromising the VCCS network infrastructure and related resources.
Three security features are required for conducting business on an open network without compromising security: authentication, message integrity and message privacy. For the greatest level of security, these features need to be available at the application level, rather than the network level.
Authentication verifies the identity of an individual or application (also known as principals) trying to access services. Message integrity ensures that messages (which contain a cryptographic checksum to be verified on the receiving end) are not tampered with when they are sent across the network. Message privacy ensures that messages sent are not visible to network eavesdroppers: messages are encrypted prior to transmission, then decrypted at the receiving end.

Authentication is the process used to verify identity. Authentication is composed of three basic schemes.

  1. Simple Authentication: checking that customers are who they say they are by requiring a password before granting them access.
  2. Host Authentication: gives customers the capability to verify that they are communicating with a valid host.
  3. Message Authentication: permits documents to be digitally signed, allowing them to be traced back to the sender and preventing them from being changed in transit.

Model

SIMPLE AUTHENTICATION SERVICES

The VCCS will utilize simple authentication as its primary layer of security for accessing applications. The customer id will receive a "ticket" which will allow access to the appropriate network and application resources. After authentication, customers have transparent, yet secured, access to any application to which they have authorized access.

There are three ways in which a customer could prove who they are:

The primary layer of security is provided by simple authentication (something you know). Additional layers of security can be provided by the examples stated above or by security within the applications.

Through simple authentication, a customer is identified by a customer id and password. The theory is that if the customer knows the password for a customer id, they are assumed to be its owner. After the customer id and password are entered, the information is verified against a database containing information about all VCCS staff, faculty and students. If the database contains the customer, access is granted. After authentication, customers have the primary layer of security for access to applications in the VCCS client/server environment.

Through simple authentication, customers gain a primary level of secure access to all their network resources with one password, which can become single sign-on in the future. With the reduction in passwords and their administration, and the addition of authentication, message integrity and privacy, the VCCS may conduct business more effectively and efficiently.

This model will be reviewed as necessary to reflect changes in technology and customer requirements.