The Library Single Use Password Authorized Cache Service-1
  
 Contents
 RSS
 Setting Up Unattended
 Installation Medium-1
 METU CC User Training
 Sessions and Seminars
 Human-Computer
 Interaction Research
 and Application
 Laboratory -2
 Campus Network
 Security and
 Management
 The Library Single Use
 Password Authorized
 Cache Service
 CISN Archive
 Send Feedback
  
     
 

Introduction

METU Library provides access to many domestic and international databases from within the campus and the possibility to conduct research. These database resources are connected to the METU IP address block (144.122.0.0/16) and the users accessing the network from an in-campus computer have the right to access these databases automatically. Most users demand to be able to use these research facilities from out of campus and this fact brings along the problems of authorization of the users and password security.

When current technology is taken into account, what appears to be the best solution is the use of a web cache in order to endow users with access to web pages that are restricted by a certain authorization mechanism. Squid Web Cache software, employed on many servers worldwide and successfully used for many years for in-campus connections at METU, has been chosen for this purpose.

Web caching is storing a required internet object (data that can be reached on protocols like HTTP, FTP, Gopher) on a server on the local area network and meeting the demand from the local server when there is one from the same or a different user. For browsers using the same web cache server, the time for access, on the average, will drop and there will be economization on the bandwidth. To make use of the web caching service it should be defined to the browser. The in-campus web caching service of METU is being used since 1999. Via this service, users can get fast access to frequently used web pages by defining the necessary settings file to their computer.

The Necessities

The system to be developed for off-campus users to access the library resources should meet some necessary standards. These must be kept in mind during the design of the system. These necessities can be summed up as:

  1. There ought to be an authorization mechanism for both the students and the staff of METU.
  2. The user codes and the passwords that the clients are going to use must be secure.
  3. It should be supported by all the browsers.
  4. It should be user friendly on the client side.
  5. The provided service should have ease of installation and administration.
  6. It should have provision to enable the users to access from a single computer simultaneously.
  7. Users should have access to authorized web pages only.
  8. It should have IP and user code blocking for misuse.
  9. It must have a structure to prevent sharing of user codes and passwords with others.
  10. Error message sheets should be clear cut enough.
  11. Number of maximum connections the users can make should be limited.
  12. The server to be used must be secure enough.
  13. The operation and the settings of the server should be documented.

When all the needs assed above are considered, the components of the system to be developed and designed turns out to be:


Figure 1. Service Components

The General Structure of the System

The task that the web caching program , Squid, performs is to receive the web page request directed to itself by the user and to send it across on the user's behalf and then to pass the returned result to the client. On the client side a settings file (proxy.pac) is used to determine which web pages will be accessed by using the squid web caching service. Users who have defined this to their browsers are directed to the squid server when they want to access the web pages determined on this settings file. In the next step due to the settings made at the squid server, the user will be required to provide a user code and a password. Since the user code and the password the user provides will be transmitted as clear text, this raises a security risk. To minimize the risk, the user must be given a "Single Use Password" in order to make the connection, instead of using the user code/password dual given for mail accounts an other METU specific services. With the system installed in METU, it is required of the users to access an https protocol web page by supplying the central system user code and password. After clarifying the authorization at this point, by means of a process the user is given a password consisting of randomly selected letters and numbers. Having obtained this password, the user can enter this user code and password in the fields to access a database using the web caching service.


Figure 2. Web Caching Path Flow

Single use passwords and authority clarification can be classified under two main headings. The first is the settings the user must adjust in the computer, and the second is the settings of the squid server and the generation of the single use password and its registration on the database. The only setting to be done on the user computer is the web caching setting. Even though there are three basic ways of setting this (auto find, use a settings file, manual setting), we recommend the use of a settings file. It will suffice for our users to enter the web caching settings window of their browsers and enter http://www.metu.edu.tr/proxy.pac for the settings file. The browser in use will make use of the squid server for authorized web pages checking the info on the assigned settings file or the routine server for other regular Internet web pages. For the process under the second heading, the user is requested to access the address http://netregister.cc.metu.edu.tr via the service provider. This address directs the request to https://webauth.metu.edu.tr address, where the user is asked to provide the central user code and password. The provided info is checked against the registered info in the LDAP server and depending on the reaction, the user is supplied with the web page or an error message pane. On the authorized screen there is a button to click on which will provide a single use password. Clicking on that button the user obtains the single use password. This password is also registered on a database server with the user code. These records are regularly checked and those over two hours are deleted. When accessing the related web pages via the squid server, the users enter the previously obtained single use password and their user code. These are checked by the squid server against the database. If the provided info and the info on the database match, the access of the user is confirmed and the web addresses entered on the browser are provided from the squid server. After the duration of two hours, the user code and the single use password are deleted from the data base and the user browser starts asking for a password again.


Figure 3. The Functioning of the System in General

In the coming issue Squid settings and single use password steps will be provided.

Presented on Akademik Bilişim 2007.

Ferdi Ayaydın - Gökhan Eryol

 
     
  - TOP -