INTERNET2 CONNECTIONS
Seeking Additional Security After a Big Theft, JSTOR Tests Internet2's Shibboleth
By FLORENCE OLSEN
Last fall, someone taking advantage of a common method for gaining access to online databases attempted to download the vast collection of scholarly journals known as JSTOR. Now the owners of JSTOR are experimenting with new software developed by Internet2 researchers to prevent such incidents by improving online authentication.
The online thief or thieves had exploited a weakness in the method that JSTOR and other publishers use to control who can gain access to their subscription databases. The method, known as IP authentication, recognizes a block of IP network addresses as belonging to a particular institution that has paid for access to the database.
If a request to download an article comes from an IP address that the database recognizes, the database automatically responds to the request, even if the request is coming from an online intruder who is illegally using a college's computer network to gain access to the database.
JSTOR officials think that's what happened last fall, when someone downloaded about 50,000 articles from the journal database before being detected and prevented from downloading the entire collection (The Chronicle, January 10). JSTOR is a nonprofit group that licenses digital copies of scholarly journals.
College-network managers and publishers have known for a long time that IP authentication has inherent weaknesses because computer networks themselves are insecure. But IP authentication is easy to set up and therefore is widely used throughout the publishing industry.
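The weakness described in the preceding paragraphs, as an added example that is not JSTOR's or any publisher's code: an IP-range check grants every request from a subscribing campus's address block, without learning anything about the person behind it, so the only defense left is noticing the volume of downloads afterwards. The address block, the log lines and the threshold are constructed for the demonstration, and the article does not say how JSTOR detected the 2002 downloads, so the sliding-window count below is an assumed detection method, not theirs.

```python
"""IP authentication plus after-the-fact volume detection (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: a subscribing campus has registered this block with the publisher.
SUBSCRIBER_RANGES = {
    "Example University": ipaddress.ip_network("192.0.2.0/24"),
}


def institution_for(ip: str):
    """IP authentication: return the subscriber whose block contains `ip`, else None.

    Nothing here identifies the person: anyone who can send packets from inside
    the block (a student, a compromised lab machine, an intruder on the campus
    network) is treated as the institution itself.
    """
    addr = ipaddress.ip_address(ip)
    for name, net in SUBSCRIBER_RANGES.items():
        if addr in net:
            return name
    return None


# Constructed access log: one ordinary reader, one bulk downloader inside the
# trusted block, and one outside client that IP authentication already rejects.
_BASE = datetime(2002, 10, 3, 9, 0, 0)
LOG_LINES = (
    [f"{(_BASE + timedelta(minutes=5 * i)).isoformat()} 192.0.2.15 GET /article/{1000 + i}"
     for i in range(3)]
    + [f"{(_BASE + timedelta(seconds=2 * i)).isoformat()} 192.0.2.77 GET /article/{2000 + i}"
       for i in range(150)]
    + [f"{(_BASE + timedelta(seconds=i)).isoformat()} 198.51.100.7 GET /article/{3000 + i}"
       for i in range(200)]
)


def parse_line(line: str):
    """Split a constructed log line into (timestamp, client IP, request path)."""
    ts, ip, _method, path = line.split()
    return datetime.fromisoformat(ts), ip, path


def flag_bulk_downloaders(lines, threshold=50, window=timedelta(minutes=10)):
    """Return {ip: peak_count} for trusted-range clients whose article downloads
    in any sliding window of `window` exceed `threshold` (assumed detection rule)."""
    per_ip = defaultdict(list)
    for line in lines:
        ts, ip, path = parse_line(line)
        # Outside addresses never got an article, so they do not count here.
        if institution_for(ip) is None or not path.startswith("/article/"):
            continue
        per_ip[ip].append(ts)

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(flag_bulk_downloaders(LOG_LINES))
```

The point of the two halves is their asymmetry: `institution_for` cannot tell the bulk downloader at 192.0.2.77 from the ordinary reader at 192.0.2.15, so the publisher only finds out after the fact, and only if it happens to be counting.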
Colleges also rely on user ID's and passwords to authenticate identities on the Internet, but keeping track of those is cumbersome and costly both for colleges and for publishers of databases and other Internet resources that colleges license. When students and faculty members are expected to use many different user ID's and passwords to gain access to off-campus resources, they frequently forget which ID's and passwords to use where.
But researchers are developing more-sophisticated methods for verifying a person's identity online, and one of those methods is the result of work done by some members of the Internet2 consortium, a group of colleges that develops advanced Internet applications. The Internet2 researchers call their method Shibboleth, after the Hebrew word in the Book of Judges that members of one tribe could not pronounce the way members of another did, so that asking a stranger to say it became a way of telling who belonged and who did not.
The researchers, who have spent two years working on Shibboleth, say the software is now ready for colleges to use. The physics department at Pennsylvania State University's University Park campus, an early adopter, has set up Shibboleth to authenticate its students before they can use an external grading service that North Carolina State University provides over the Internet.
Besides being more secure than IP authentication, Shibboleth goes a step further, its creators say. It not only authenticates, or verifies, a person's identity online, but also checks to see whether a person is authorized -- by virtue of being a librarian, for example -- for a higher-than-usual level of access to an online database to which a college might subscribe.
This extra step makes it possible for publishers and subscribers to enforce complicated license agreements that may restrict access to special collections to small groups of faculty researchers, for example. Shibboleth does all this while protecting users' privacy, says Kenneth J. Klingenstein, who is the chief technologist for the University of Colorado at Boulder and who heads the Internet2 group that created Shibboleth.
Shibboleth can be used within a college, but it was designed to be a secure way for one institution to authorize users from another institution to use online databases or other online materials, he says.
Companies like Sun Microsystems and Microsoft also are trying to devise better methods of authorizing the use of Web databases and other Internet resources, but some publishers expect that colleges will adopt Shibboleth as their primary means of Internet authorization.
JSTOR has installed Shibboleth on its Web servers so that it will be ready if and when more colleges start using it. "It appears to have the right characteristics," says David Yakimischak, JSTOR's chief technology officer.
Shibboleth works in tandem with a college's directory server to generate a kind of digital token. The token is stored in the user's browser. When the user goes out on the Internet to gain access to a licensed database, for example, the token tells the database who the user is and what the user is allowed to do in the database.
The approach is more sophisticated than that taken by "cookies," the small pieces of data that many Web sites store in a browser to recognize a returning user. A cookie by itself is only an identifier handed out by a single site; unlike a Shibboleth token, it carries no verified statement about who the user is or what the user is entitled to, so it cannot enforce different levels of access to online resources based on who you are.
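The token exchange sketched in the two paragraphs above, as an added example that is not Shibboleth's own code or protocol: the user's home institution signs a short-lived statement of who the user is and which attributes the directory holds for them, and the publisher verifies that signature before deciding which collection to serve. Real Shibboleth exchanges SAML assertions between an identity provider and a service provider and releases attributes under a privacy policy; the HMAC shared secret, the `affiliation` attribute, the license table and the issuer names here are assumptions made for the demonstration.

```python
"""Signed attribute token issued by a home institution and checked by a publisher
(added example; a simplified stand-in for a Shibboleth/SAML exchange)."""
import base64
import hashlib
import hmac
import json
import time


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, issuer: str, attributes: dict, ttl=300, now=None) -> str:
    """Home-institution side: sign {issuer, issued-at, expiry, attributes}.

    In a real deployment `attributes` would come from the campus directory
    server; here the caller passes them in. The token is what the browser
    carries to the publisher.
    """
    now = time.time() if now is None else now
    claims = {"iss": issuer, "iat": int(now), "exp": int(now) + ttl, "attrs": attributes}
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = _b64(hmac.new(secret, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(secret: bytes, token: str, trusted_issuers, now=None):
    """Publisher side: check signature, issuer and expiry; return claims or None.

    The signature is checked before the body is parsed, so a token whose
    attributes were edited in the browser never reaches the license logic.
    """
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims.get("iss") not in trusted_issuers or claims.get("exp", 0) < now:
        return None
    return claims


# Assumed license terms: which affiliations may read which collection.
LICENSE = {
    "member": {"journals"},
    "librarian": {"journals", "special-collection"},
}


def authorize(secret: bytes, token: str, collection: str, trusted_issuers, now=None) -> bool:
    """Authorization step: grant `collection` only if a verified affiliation covers it."""
    claims = verify_token(secret, token, trusted_issuers, now)
    if claims is None:
        return False
    allowed = set()
    for affiliation in claims["attrs"].get("affiliation", []):
        allowed |= LICENSE.get(affiliation, set())
    return collection in allowed


def tamper_affiliation(token: str, new_affiliation: str) -> str:
    """Simulate a user editing the token in the browser to claim a better role."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["attrs"]["affiliation"] = [new_affiliation]
    forged = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{forged}.{sig}"  # old signature no longer matches the new body
```

Two things the block shows that the paragraphs do not: authorization is a separate decision from authentication (a valid `member` token still fails for `special-collection`), and the publisher does not need to trust the browser, because a token whose claims were altered in transit fails the signature check before any license rule runs.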
Most of Internet2's effort in the months ahead will be to get key software companies and online publishers to install Shibboleth "handlers" on their Web servers. A handler is the middleware component on the publisher's server that receives a Shibboleth request, checks the user's token and attributes, and decides what access to grant.
"In general, the industry hasn't enforced authorization," primarily because there have been few effective means of doing so, says Kimberly Voltero, a senior manager at WebCT.
WebCT, which makes software for managing courses, has announced that its WebCT Campus Edition is able to handle authentication and authorization requests that originate from Shibboleth. The company's next release of WebCT Vista will also work with Shibboleth, Ms. Voltero says.
The most colorful endorsement of Shibboleth comes from Mr. Klingenstein himself. Shibboleth is like plywood subflooring, he says. "People will admire the wonderful tiles and carpets of applications on top of this, but [Shibboleth] will be utterly invisible."