Policy for Authenticating University of Chicago Users

Requirements for Authenticating University of Chicago Users

The University's Eligibility and Acceptable Use Policy and the Infrastructure, Servers, Public Access, and Wireless Device Policy state that any service which meets one or more of the following criteria must not send the authentication information (e.g., passwords) over the network in an insecure fashion:

  • The server has a substantial number of active users.
  • The server has a substantial number of service authentications daily.
  • The system contains sensitive data or data that is critical to the business of the University.
  • The system has had a serious security incident in the past.

The purpose of this policy is to protect the University's network and to protect the security and privacy of any data that is either critical to the business of the University or legally required to be protected by the University.

In general, services which have more than twenty active users, more than one thousand authentications per day, have had a privileged account compromised, or which protect student records, patient data, human resources information, or other critical or sensitive data are subject to this policy and cannot allow unsecured authentications.

However, the Network Security Center recommends that all authentications be secured, even if the service is not covered by the policy that requires authentications to be secured.

In some rare cases, services which would otherwise fall under this policy but use a distinct authenticator (that is, they cannot share a password with a service that is covered by this policy) and are unimportant to University business may be eligible for an exemption from the policy. If you believe your service may qualify for such an exemption, please contact the Network Security Center at security@uchicago.edu.

For an authentication to be considered secure, it must not be reversible with modern computing technology within the period for which it is valid. For example, a Kerberos ticket with a valid lifetime of about eight hours is sufficiently secure, as it takes significantly more than eight hours to decrypt the DES encryption with which it was encrypted. If a password which is changed only yearly is encrypted with DES, this is not sufficiently secure, as a DES-encrypted password can easily be decrypted in under a year.

If you have any questions as to whether or how this policy applies to your specific server or service, please contact the Network Security Center at security@uchicago.edu.

Last updated: 5/5/08