PennKey: Improved Network Security Preparing for Change and Helping Us Protect Your Privacy Online

Several recent online security breaches at large universities (fortunately not at Penn) underscore once again the critical role of passwords and other personal identifiers in securing online information. While the University can ensure that the strongest possible security technologies are in place, those of us who use Penn systems must be aware of how our decisions and behaviors affect the security of our own personal information as well as the University's online environment. Adhering to sound security practices is always important, and the opportunity exists now as additional system security is being implemented and a new authentication system is being introduced to refresh our own practices. The security initiatives now being introduced are yet another step in Penn's commitment to protect personal information, as outlined in the Task Force on Privacy of Personal Information, chaired by Professor Gerald Porter. The Task Force's report (Almanac, April 17, 2001) reminded us that while the University has made extraordinary progress in improving physical safety, similar efforts must be extended to protecting the University community from fraudulent activities online.

Fall Security Initiatives

Kerberos. An article in the July 16, 2002 issue of Almanac outlined in some detail the security changes coming this fall. In the background, an authentication technology known as Kerberos is being phased in on many electronic services. In a fully Kerberized environment, where all campus services take advantage of Kerberos, passwords would never be transmitted across the network, even in encrypted form, and users would sign in only once a day to perform technology-based activities on the various systems they were authorized to access, such as email, GRAM, or Penn InTouch.

Not all the user and server software we use today can, however, take advantage of Kerberos now. Indeed, this fall‰s initial implementation of Kerberos is largely laying the foundation for the future. Some optional Kerberized services (primarily email) will be offered this fall, but most services will continue to use other secure authentication technologies. These non-Kerberized services will still require separate logons (no single sign-on yet), and passwords for them will still be transmitted across the network in strongly encrypted form.

PennKey. The change that will be visible to everyone will be the move from the use of PennNet IDs and passwords to PennKeys and passwords. Your PennKey will be your username in the Kerberos-based PennKey authentication system, which will replace the PennNet ID (a.k.a. PAS ID) system on October 14. A PennKey and associated password will be required to access both Kerberized services as they become available and the many web-based services that now require a PennNet ID and password, such as GRAM and BEN Reports. In addition, PennIntouch, which currently requires a Personal Access Code for access, will require a PennKey and password beginning October 14.

Web-based services that currently don't use PennNet IDs and passwords will not be affected by the switch to PennKeys immediately. BEN Financials, for example, will continue to use the familiar BEN logon ID. You'll hear more about which system will use which ID in the future, or you may consult the table of application logon methods at www.upenn.edu/computing/pennkey/lsp/chart.html.

Preparing for Change

The introduction of Kerberized services won‰t translate into global change this fall. Initially, Kerberized services, particularly email, will only be offered as an option in many Schools and centers. You‰ll hear more about these services from your Local Support Provider (LSP) as they become available in your School or center.

The shift to PennKey, on the other hand, will require that all faculty, staff, and students register their PennKey and associated password online. For uninterrupted access to online services switching from PennNet ID to PennKey authentication, we encourage you to register between September 30 and October 13, 2002, during the two-week PennKey Priority Period immediately preceding the October 14 implementation of the PennKey system.

Though the registration procedure is straightforward, it‰s important to be prepared before you go to the PennKey registration web site. If you need advice or assistance, consult your LSP or College House ITA. See www.upenn.edu/computing/view/support/ for a list of providers. 

1. Know your PennNet ID and password. You will need to enter them to identify yourself to the PennKey registration system. If you‰ve forgotten your password, you can reset it by swiping your PennCard at one of the campus PennNet ID swipe stations. For information and locations, see www.upenn.edu/computing/help/doc/passport. 

2. Review the current password rules and be prepared to establish a new password. See www.upenn.edu/computing/email/pswd_guide.html for current password guidelines. Though you may reuse your PennNet password as your PennKey password, a new password offers the greatest amount of security. It‰s particularly important to set a new password if you have used your PennNet password elsewhere, on non-Penn systems, or have shared it with anyone. Note too that password rules have become more stringent over the years, and some passwords that work with the PennNet ID system may not be accepted by the PennKey system. In such cases, individuals will be forced to create new passwords. 

3. Decide how you want to be able to reset your PennKey password should you forget it. Resetting a forgotten PennKey password will require obtaining a PIN and then resetting the password online. When you register your PennKey, youëll be presented with different options for obtaining a PIN and will be asked to choose whether to participate in an online ‹Challenge-ResponseŠ option, which will enable you to obtain a PIN, online, without a wait. Otherwise you would obtain a PIN by visiting a campus PIN administration office, or by calling the PennKey PIN Request Line and having a PIN sent by U.S. Mail. The Challenge-Response option will require that you answer three personal information questions when you register your PennKey, and later provide the correct answers online if you forget your password. Challenge- Response would be a good choice for frequent travelers, international students, or anyone likely to forget their password. However, individuals who provide system administration services for critical systems should not participate in the Challenge-Response option. 

4. Review and change usage habits that may compromise your privacy. Think of your PennKey password as analogous to the Personal Identification Number (PIN) you use at an ATM machine. Just as sharing your ATM PIN would give someone else access to your bank balance, sharing your PennKey password would give them access to grant financial information in GRAM or your GPA in Penn InTouch. Indeed, when you share your password, you give others access to everything your PennKey gives you access to though you are still responsible for anything they do in your stead. If you have been sharing passwords in order to delegate tasks such as calendar scheduling, responding to email, or grant administration, your LSP can advise you on alternatives. Refer also to the information at www.upenn.edu/computing/pennkey/lsp/noshare.html.

Learn More 

For more information about PennKey and Kerberos, check the PennKey web site at www.upenn.edu/computing/pennkey. Information and assistance will also be available from Local Support Providers and through various University and School channels. And always keep in mind that online security is a balancing act. The University continues to implement technologies that minimize risk, but technology will never be perfect. We are all responsible for following best practices in crafting our passwords and keeping them secure.

ÖRobin Beck, Vice President Information Systems and Computing  

PennXxxxÖWhat do all those terms mean?

Confused about all those ID-related terms that begin with ‹PennŠ? Here‰s what they mean.

PennCard Your University ID card showing your photo and PennCard Number. You need your PennCard to create a PennNet ID and password or to reset a forgotten PennNet password at a PennNet ID swipe station.

PennCard Number The three-part number on your PennCard. It takes the form: 123456 12345678 12

Penn ID The middle 8-digit sequence of your PennCard Number. Penn IDs are NOT required in the PennKey registration process.

PennKey Your user name in the PennKey Authentication System.

PennKey Authentication System A new authentication system that will replace the PennNet ID, a.k.a. PAS, authentication system on October 14, 2002.

PennName A unique identifier that is the basis for user names in various University systems. For example, PennNet IDs, PennKeys, BEN Financials user names, and usernames for many Penn e-mail systems are based on PennNames. [Note: Although an individual would have the same PennName-based username for each of these systems, the associated passwords would be the same only if the individual created the same password for some or all of the systems.]

PennNet (a.k.a. PAS) ID Your user name in the PennNet Authentication System.

PennNet (PAS) Authentication System Penn‰s homegrown authentication system that will be replaced by the PennKey authentication system on October 14, 2002.

PennNet ID Swipe Station Stations at various campus locations where you can bring your PennCard and use it to create a PennNet ID and password or reset a forgotten PennNet password. These swipe stations will go out of service on October 14, 2002. Locations are listed at www.upenn.edu/computing/help/doc/passport/netid.html.

Almanac, Vol. 49, No. 3, September 10, 2002

ISSUE HIGHLIGHTS:

Tuesday,
September 10, 2002
Volume 49 Number 3
www.upenn.edu/almanac/