Frequently Asked Questions about Web Authentication

If you have any questions not covered by the above topics, please contact the IT Service Desk (Help Desk) at 646-2999 and select from the options provided, send e-mail to help@dartmouth.edu, or call your department's IT support office.

What Is the Dartmouth Web Authentication System?

The Dartmouth Web Authentication system (nicknamed WebAuth) is a central framework for web-based applications to authenticate users. By providing a foundation for all web applications to use, a consistent user experience and security level can be achieved.

For more information, see Safe Computing: What You Can Do.

What Browsers Does Dartmouth's Web Authentication System Support?

The Dartmouth Web Authentication system supports most current Web browsers, including Internet Explorer, Firefox, and Safari.

Note: WebAuth has not been tested with Google's new browser, Chrome.

To use the WebAuth system, your browser must be configured to accept cookies. While most browsers have cookies enabled by default, it is possible for a user to turn this off. Dartmouth recommends that the default security settings for cookies be maintained; rejecting all cookies is not necessary for a safe browsing experience and will cause many Web sites to fail.

What Are the Symptoms of a Browser That Is Set to Reject Cookies?

A browser that does not accept cookies cannot reach restricted pages. The symptoms are an inability to log into WebAuth at all, or a redirect to the WebAuth server for re-authentication on every page request.

How Can I Authenticate to Dartmouth's Web Authentication System?

The Dartmouth Web Authentication system allows authentication using Dartmouth PKI certificates (see Using PKI Secure Certificates at Dartmouth), Dartmouth Kerberos tickets (see How Do I Configure My Computer to Authenticate Using Kerberos?), or entering your username and password on a Web form.

What Is PKI?

PKI is the acronym for Public Key Infrastructure. The technology is called Public Key because, unlike earlier forms of cryptography, it works with a pair of keys. One of the two keys can be used to encrypt information that can only be decrypted with the other key. One key is made public and the other is kept secret. The secret key is usually called the private key. Since anyone can obtain the public key, users can initiate secure communications without having to previously share a secret through some other medium with their correspondent. The Infrastructure is the underlying system needed to issue keys and certificates and to publish the public information.

Public Key Certificates

A public key needs to be associated with the name of its owner. This is done by using a public key certificate, which is a data structure containing the owner's name, their public key and e-mail address, validity dates for the certificate, the location of revocation information, the location of the issuer's policies, and possibly other information such as their affiliation with the certificate issuer (often an employer or institution). The certificate data structure is signed with the private key of the issuer so that a recipient can verify the identity of the signer and prove that the data in the certificate has not been altered. Public Key Certificates are then published, often in an LDAP directory, so users of PKI can locate the certificate for an individual with whom they wish to communicate securely.

Encryption and Signing

A key allows two transformations of data to occur: plain text is transformed to cipher text, which is unreadable until it is transformed back to plain text using the corresponding key. A public key system uses these Encrypt and Decrypt functions to implement two primitive operations, data encryption and signatures.

To encrypt data, the public key of the recipient is used to transform a plain text message to cipher text. The cipher text of the message can be converted back to plain text only by using the corresponding private key. Since this private key is known only by the intended recipient, only that individual can decrypt the message.

A signature is created by transforming plain text to cipher text using the private key of the signer. A signature is verified by looking up the public key of the signer and attempting to transform the cipher text of the signature back to plain text. If the operation is successful, it verifies that the data encryption was done with the corresponding private key. This implies that the signature was produced by the owner of that private key.
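The two primitive operations described above, and the issuer-signed certificate from the previous subsection, as an added textbook-RSA example (not Dartmouth's or WebAuth's code): the key pair, the owner record and the helper names are constructed for illustration, and the scheme is unpadded so it shows only the mechanism, not a production signature format.

```python
import hashlib
import json

# Constructed toy issuer key pair: the primes are far too small for real use and
# only keep the arithmetic visible (pow(e, -1, phi) needs Python 3.8+).
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
ISSUER_PUBLIC, ISSUER_PRIVATE = (N, E), (N, D)

def transform(value: int, key: tuple) -> int:
    """The one RSA primitive: raise the value to the key's exponent modulo n."""
    n, exponent = key
    return pow(value, exponent, n)

def encrypt(plain: bytes, public_key: tuple) -> list:
    """Encrypt with the recipient's PUBLIC key, one byte per block (toy chunking)."""
    return [transform(byte, public_key) for byte in plain]

def decrypt(cipher: list, private_key: tuple) -> bytes:
    """Only the matching PRIVATE key transforms the cipher text back."""
    return bytes(transform(block, private_key) for block in cipher)

def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data reduced below n (real schemes pad rather than reduce)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, private_key: tuple) -> int:
    """Signature: the digest transformed with the signer's PRIVATE key."""
    return transform(digest(data, private_key[0]), private_key)

def verify(data: bytes, signature: int, public_key: tuple) -> bool:
    """Transform the signature back with the PUBLIC key; it must equal the digest."""
    return transform(signature, public_key) == digest(data, public_key[0])

def issue_certificate(owner: dict, issuer_private: tuple) -> dict:
    """Certificate = owner fields plus the issuer's signature over those fields."""
    body = json.dumps(owner, sort_keys=True).encode()
    return {"body": owner, "signature": sign(body, issuer_private)}

def certificate_is_valid(cert: dict, issuer_public: tuple) -> bool:
    """A recipient verifies the issuer's signature; any edit to the body breaks it."""
    body = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(body, cert["signature"], issuer_public)

# Constructed sample owner record with the fields the FAQ lists (key is a placeholder).
SAMPLE_OWNER = {"name": "Example User", "email": "example@example.edu",
                "public_key": "owner-key-placeholder", "valid_until": "2010-12-31"}
```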

How Do I Configure My Computer to Authenticate Using PKI?

There are two ways to use Dartmouth PKI certificates. The preferred method is to use a small USB storage device called an eToken to store the certificate. For information on using an eToken at Dartmouth, see Using eTokens (Macintosh, Windows).

If you do not have an eToken or are unable to use one, you can install a Dartmouth PKI certificate on your computer; see Obtaining a Software Certificate (Macintosh, Windows). This is only recommended for your personal computer, and should NEVER be done on a public or shared account workstation.

How Do I Configure My Computer to Authenticate Using Kerberos?

Kerberos authentication uses two software applications, SideCar and KClient. In order to use SideCar and KClient, you must have an entry in the Dartmouth Name Directory (DND), the Dartmouth Alumni Name Directory (dartmouth.org) or the Dartmouth-Hitchcock Name Directory. The databases control access to the network resources of each entity. If you have a BlitzMail account on one of these sites, your information is in one of these databases.

How Can I Use Dartmouth's Web Authentication System with My Application or Website?

Application developers or Web site administrators interested in using the Dartmouth Web Authentication system can find more information on the developers page on the WebAuth project site.

Last Updated: 2/3/10