Federated authentication of academic visitors

Construction and operation of a web authentication system for a campus network (HINET2007)


At Hiroshima University’s Information Media Center (IMC), a web authentication system that uses UPKI initiative server certificates is being built and operated on the university’s HINET2007 campus network. We spoke to IMC director Professor Reiji Aibara about the goals and achievements of this project.
(Date of interview: March 19, 2010)

Can you first tell us a bit about what the IMC does?

Aibara: We’re currently working on three projects — network services, a university-wide information service, and a project that implements information-based education and provides IT support for educators. In the network services project, we are constructing and operating a network platform used by all the university staff. In the university-wide information service, we are providing services such as email, web access, education PCs and advanced scientific computing services. And in the education-related project, we are providing services such as basic computer literacy training and IT-based education support.

What steps have you taken to introduce network technology into Hiroshima University?

Aibara: The university’s campus network was set up in 1993 and went into operation in 1994 as our first network (HINET93). The original LAN used FDDI, but as networking technology evolved we subsequently made a number of additions and modifications to the network. We have also used SINET for a long time, and SINET3 currently forms the core backbone network of our external connection.

At the time, our environment consisted of small-scale networks for each department and laboratory, and a trunk network connecting them together which was managed by (what was then known as) the Information Processing Center. This was the best solution available to us at the time, because the network environment of this era (which was called a “subnet management system”) would have made it impossible for the center to build and operate a large-scale campus network like the one we have today.

But you had to overcome a few issues along the way.

Aibara: Yes. The teaching staff who were involved with the initial HINET network have been gradually leaving due to transfers or retirement, and students leave every year as they graduate. This has brought about a situation where the network is still operational, but there are no people who are familiar with its content. Moreover, in the majority of cases, individual subnets were used for multiple laboratories, so a fault in one laboratory is liable to affect all the other laboratories on the same subnet. More recently, it has become important to employ countermeasures against damage by viruses and the like. To address these issues, we felt that the conventional subnet management system had to be changed somewhere. Therefore in the HINET2007 network that went into operation in fiscal 2008, we decided to drastically reform the network infrastructure.

What were the aims of this network reconfiguration?

Aibara: When a fault occurred in the old network, it was difficult for us to figure out who did what, where and when. So of course it took us a long time to investigate the causes of faults under these conditions. For HINET2007, we therefore decided to implement a system where users must always be authenticated before they start using their computers. If we know which computers are being used by which individuals and at which times, then we can identify the causes of faults very quickly. We can also expect this system to deter people from using their computers improperly.

So you implemented this system by using web authentication.

Aibara: For the user authentication method, we considered various different patterns including 802.1X. If we had only considered the technical side of things, we might have chosen some other method. But that isn’t really sufficient when you consider the fact that this is a university environment. Even if we consider just a single client PC, there are many different combinations of PC brands and operating systems being used in the university, and we aren’t able to restrict users to a particular type of terminal in the way that many businesses do. By using web authentication, we are able to offer a system that will work on PCs no matter how old they are, as long as they are capable of running a web browser. Also, since Hiroshima University has been researching and developing its own terminal authentication schemes for hard-wired and wireless LANs since the late 1990s, it seemed that web authentication was the way forward.

Did you encounter any difficulties in constructing this system?

Aibara: Since we wanted to perform authentication as close to the edge nodes as possible, we looked around for a low-cost switch product equipped with authentication functions that are compatible with server certificates. But at the time there weren’t many switches that were compatible with intermediate certificate authorities, which meant that we had to ask the manufacturers to implement these functions. Another problem was with the server certificates themselves. The number of switches introduced in HINET2007 was about 450 by the time the network started full-scale operations. If we purchased commercial server certificates for each of these switches, then the cost for the certificates alone would have run into the tens of millions of yen. On the other hand, we couldn’t use self-signed certificates because they don’t lend themselves to the creation of a reliably secure environment. Ordinary users are always told not to trust suspicious-looking certificates, so it wouldn’t be a good idea to ask users to treat any untrusted certificate as a special case.

So the UPKI Initiative’s server certificate project came in useful?

Aibara: It certainly did. At exactly the same time, the NII and other organizations and universities were starting up the UPKI server authentication project, so we decided to immediately adopt this technology in HINET2007. This enabled us to implement one of Japan’s largest web authentication environments without incurring the substantial costs that I mentioned earlier. Looking back, I think we really would have found ourselves in quite a quandary if UPKI server certificates hadn’t been available at the time. Incidentally, we provided a mechanism whereby the terminals authorized by administrators in each laboratory are able to use the network based on their MAC addresses.

After we got this system up and running at Hiroshima University, a growing number of other universities built similar web authentication environments. Since it made such a large contribution, I think this project was very significant.

What are your plans for further development of this system?

Aibara: First of all we want to implement a single sign-on environment. Currently when teaching staff and students who have logged in to a portal want to use another system, they have to enter their ID and password information again. A single sign-on environment eliminates this problem and should make things more convenient for users. Another thing we are looking into is the provision of a service for people from outside the university, such as visitors from scientific organizations. At present, people who want to use the network first have to submit an application so we can issue an ID and password. However, this approach not only creates work for the people who do the issuing, but also requires that visitors go through the application process. To resolve these issues, we are investigating an authentication method that is compatible with UPKI federation using Shibboleth. This would make it possible for visitors from other universities to log in with the same credentials that they use at their own universities, instead of having to provide each of them with their own guest account.

Finally, what are your hopes for the future?

Aibara: In terms of using the infrastructure to provide services, I’d like to make further improvements to the system and network environment. I’d also like to put more effort into research and development. In fact, the other day we received a Yamashita SIG Research Award from the Information Processing Society of Japan for our work on HINET2007, and I’m really happy that our efforts at implementing and operating this network have been recognized in this way. In the future, I hope to continue working hard at keeping HINET2007 running smoothly while taking part in advanced network research.

Thank you.