Custom Secure Random Pin Distribution
Moreland Smith, The University of North Carolina at Greensboro

Unc cause 2011 random pin

Jun 09, 2015


UNC Cause Pin about developing Random Pin Distribution tool for UNC Greensboro.
Transcript
Page 1: Unc cause 2011 random pin

Custom Secure Random Pin Distribution

Moreland Smith

The University of North Carolina at Greensboro

Page 2: Unc cause 2011 random pin

Alternate Title

How we kept our Registrar from going to jail

and got cookies!!!!

Page 3: Unc cause 2011 random pin

Session Rules of Etiquette

• Please turn off your cell phone/pager

• If you must leave the session early, please do so as discreetly as possible

• Please avoid side conversation during the session

• Do not pass Go, do not collect $200.


Page 4: Unc cause 2011 random pin

Introduction

• My goal today

– To share UNCG’s custom solution to random PIN distributions across all populations of entering people.

Page 5: Unc cause 2011 random pin

Benefits: An understanding of

• Business Case

• Technical Architecture

• Administrative GUI

• End User Experience

• Project Results

• Woulda / Shoulda / Coulda

Page 6: Unc cause 2011 random pin

Business Case

Things I learned from 1990’s Infomercials

Page 7: Unc cause 2011 random pin

The University of North Carolina at Greensboro

• 18,000+ Fall 2010 Enrollment

• Undergraduate

• Graduate

• Distance

• Additional 2,000+ iSchoolers (High School)

• 3 Entry Offices with Hiring Authority

• 6 Entry Offices Admitting Students

• Mods Philosophy: “Vanilla…. but with sprinkles… and a bit of fudge mixed in…”


Page 8: Unc cause 2011 random pin

Old way of Doing Business

• Pattern based initial PIN, custom trigger on DOB entry

• DOB rearranged YYDDMM

• Pattern published on web sites

• Some emailed ID and then snail mailed PIN

• Some asked students to allow them to send both PIN via email.

• Some offices handed paper to new hires

• Letters are lost


Page 9: Unc cause 2011 random pin

Where we were

Different Offices +

Different Practices =

INSANITY


Page 10: Unc cause 2011 random pin

Good advice from the mid 1990’s…..


Page 11: Unc cause 2011 random pin

Potential Problems

• Perception, ITS owns the PIN, call Service Desk

– Have to talk through general pattern YYDDMM.

– Service Desk can’t assist because…

• Forgot PIN Q&A Not yet established, can not authoritatively identify caller, since never had successful login

• “But they said….”

• Root Causes

– Incorrect DOB Entered (esp. Internationals)

– Student does not know ID


Page 12: Unc cause 2011 random pin

Inspiration from Earlier Work

• https://getmyid.uncg.edu

• Built during transition from SSN to Generate ID approx 2006

• Allows ID display via SSL browser with entry of person's UNCG Username/Password

• Allows email delivery of ID

• Single Last Name & Email Address Match

– Last Name: Smith

– Email: [email protected]

• If one and only one match found i.e. Banner Record with Smith that also has [email protected] in GOREAML = Send ID# to that Email

Page 13: Unc cause 2011 random pin

The Vision: One tool to assist them all

• Web Based

• Near Real Time, Secure (Encrypted) Delivery of Random PIN

• Options for Paper Mail

• Receive PIN Information from “Entry Office”, not ITS

• Standard text with optional Entry Office specific info

• Refer people back to “Entry Office” if there is a problem with their data

• Flexible additional populations, additional “Entry Offices”

• Log usage

Page 14: Unc cause 2011 random pin

However this was beyond our budget


And had some nasty side effects….

Page 15: Unc cause 2011 random pin

Core Business Concepts/Challenges

• All persons have a “best fit” Entry Office

– Single Role (New Freshman =Undergraduate Admissions)

– Multi Role people (Employee taking classes=????)

• Offices desire to minimize mailing costs, printing labor

– Email/web is first choice

– Paper mail only if email/web is not possible or selected by person.

• If there is a problem with a person’s data it needs to be corrected by their Entry Office, not ITS.

• People often do their email via insecure means (Public WiFi)

– Therefore delivery of PIN should be SSL Protected and

– Not “Man in the Middleable” (Firesheep)

Page 16: Unc cause 2011 random pin

Defining Happiness

• for Person= Doing it all online themselves at 3am and never having to talk to UNCG staff.

• for Entry Office Staff= Person doing it all online themselves at 3am and never having to talk to UNCG Entry Office Staff.

• for Person= Couldn’t get it online, but can get it via snail mail, but at least I didn’t have to talk to a UNCG human.

• for Entry Office Staff= I guess I can run a daily batch job to print and mail some letters, sigh….

• For Both= I have to talk to someone via phone????

Page 17: Unc cause 2011 random pin

Random Pin Origination Process Flow


Page 18: Unc cause 2011 random pin

Random Pin Flow


Page 19: Unc cause 2011 random pin

Technical Architecture

Some vanilla, some sprinkles, and some fudge ripple mixed in….

Page 20: Unc cause 2011 random pin

Sometimes good things are a bit messy….


Page 21: Unc cause 2011 random pin

Security Principles

• All Web traffic must be SSL

• Email may or may not be read via secure means, therefore we must assume it is not

• You can’t prove who you are on the web, so we must communicate via previously established address

• Something you have, plus something you know.

– You have: PIN LINK (Random URL) delivered by email

– You know: “Verification word” you gave in an SSL Session, stored by the system, which you must match to use PIN LINK URL


Page 22: Unc cause 2011 random pin

Security Principles Continued

• Any PIN LINK URLs must be sufficiently random

• Any PIN LINK URLs must expire with a set brief time period

• Minimize visibility of PIN to UNCG staff (only on hardcopy prints in Entry Office)

• Random PINS should be one time use only (Baseline takes over from there)

• Even if someone starts the getmypin process who is not you (but they know your Last Name, ID & DOB), we should minimize the “reveal” of your protected information [result=masking of email/addresses]
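The PIN LINK rules from these two slides (random URL, brief expiry, one-time use, stored verification word), together with the three-attempt limit the deck states for the verification word, can be sketched as follows. This is an added example, not UNCG's PL/SQL; the class, its method names, the status strings and the 20-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 20 * 60   # assumption: the deck's 20-minute window
MAX_WORD_ATTEMPTS = 3        # the deck's three-attempt limit

class PinLinkStore:
    """In-memory stand-in (hypothetical) for the table behind PIN LINK URLs."""
    def __init__(self, clock=time.time):
        self._links = {}
        self._clock = clock

    @staticmethod
    def _word_hash(word, salt):
        # Slow salted hash, so a dump of the table does not reveal the words.
        return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, 100_000)

    def issue(self, person_id, verification_word):
        """Return the token for the emailed URL; only its SHA-256 is stored."""
        token = secrets.token_urlsafe(24)          # 192 bits from the CSPRNG
        salt = secrets.token_bytes(16)
        self._links[hashlib.sha256(token.encode()).hexdigest()] = {
            "person_id": person_id, "salt": salt,
            "word": self._word_hash(verification_word, salt),
            "expires": self._clock() + LINK_TTL_SECONDS,
            "strikes": 0,
        }
        return token

    def redeem(self, token, verification_word):
        """Return 'ok', 'wrong_word', 'locked', 'expired' or 'invalid'."""
        key = hashlib.sha256(token.encode()).hexdigest()
        link = self._links.get(key)
        if link is None:
            return "invalid"
        if self._clock() >= link["expires"]:
            del self._links[key]
            return "expired"
        guess = self._word_hash(verification_word, link["salt"])
        if hmac.compare_digest(guess, link["word"]):
            del self._links[key]                   # one-time use
            return "ok"
        link["strikes"] += 1
        if link["strikes"] >= MAX_WORD_ATTEMPTS:
            del self._links[key]                   # third miss burns the link
            return "locked"
        return "wrong_word"
```

Passing a fake `clock` makes the expiry path testable without waiting for the lifetime to elapse.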

Page 23: Unc cause 2011 random pin

Technical Components: Baseline

• Configurations within

– Letter Generation Letters & Paragraphs

– GTVSQPR (Business Rule Process Code Validation)

– GTVSQRU (Business Rule Code Validation)

– GORRSQL (Business Rules Form)

– GTVSDAX (For setting expiration value)

• Draw upon data within

– GOREAML Table

– SPRADDR Table

– SPRIDEN Table

– Various Student, Alumni, Employee tables calculating Entry Office association for a person

• Baseline functionality

– Ability to set PIN as pre expired (i.e. force change on next login)

Page 24: Unc cause 2011 random pin

Technical Components: UNCG Custom Built

• INB Components

– SZAEOFC (Entry Office Control Form)

– SZAHIRC (Entry Office Rule Hierarchy Control Form)

– SZAPDIS (Pin Distribution Form)

• URL on Banner App Server

– https://getmypin.uncg.edu

• SSB pages (outside Secure Login)

– Request PIN Getting

– Respond to PIN LINK URLS

• Email generation function (draws text from LTR/PARA)

• Batch Job

– SZPPNPT (Pin Letter Printing)

• PL/SQL Function for Random URL String Generation to NIST Special Publication 800-63 Standard

Page 25: Unc cause 2011 random pin

20 Minutes of Defense

• How long to make the random URL???

• Calculations by UNCG Security Analyst

• Assuming web requests can be processed at 20,000 per second, x 60 seconds per minute x 20 minutes=24 million attempts possible in time frame.

• http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf page 53

• Goal 36 bits of entropy

• Achieved by 20 character random from a 63 character alphabet (upper, lower and numbers)

• If 20 characters is good, then 32 is even better….

• And even if you get a hit on a Random URL that happens to be “Usable” at the moment, you still have to guess the Verification word, and you only have 3 attempts.
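The sizing argument on this slide, carried through in code as an added example (it is not the UNCG PL/SQL function). It generates a token from the operating system's CSPRNG and bounds the chance of guessing a live link in the window; the function names and the `live_links` parameter are assumptions.

```python
import math
import secrets
import string

# Upper case, lower case and digits, as on the slide. This string holds 62
# symbols; the slide quotes 63, a difference of under half a bit at 20 chars.
ALPHABET = string.ascii_letters + string.digits

def new_pin_link_token(length=20):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def token_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random token: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def attempts_in_window(requests_per_second=20_000, window_minutes=20):
    """Guesses that fit into the window, using the slide's request rate."""
    return requests_per_second * 60 * window_minutes

def hit_probability(bits, attempts, live_links=1):
    """Union bound on the chance that any guess matches any live link.

    live_links is an assumed count of unexpired PIN LINK URLs.
    """
    return min(1.0, attempts * live_links / 2 ** bits)

def min_length_for_bits(target_bits, alphabet_size=len(ALPHABET)):
    """Shortest token length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

if __name__ == "__main__":
    attempts = attempts_in_window()
    for label, bits in (("36-bit goal", 36),
                        ("20 characters", token_entropy_bits(20)),
                        ("32 characters", token_entropy_bits(32))):
        print(f"{label}: {bits:.1f} bits, "
              f"P(hit in window) <= {hit_probability(bits, attempts):.3g}")
    print("sample token:", new_pin_link_token())
```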

Page 26: Unc cause 2011 random pin

Administrative GUI

Putting the Puzzle Together

Page 27: Unc cause 2011 random pin

Initial Setups

• GTVSQPR (Business Rule Process Code Validation)

• GTVSQRU (Business Rule Code Validation)

• GORRSQL (Business Rules Form)

• GTVSDAX (For setting expiration value)

Page 28: Unc cause 2011 random pin

GTVSQPR Business Rule Process Code Validation


Page 29: Unc cause 2011 random pin

GTVSQRU: Business Rule Code Validation


Page 30: Unc cause 2011 random pin

GORRSQL Business Rule Form Sample


Page 31: Unc cause 2011 random pin

Now for the Custom UNCG Stuff

• SZAEOFC (Entry Office Control Form)

• SZAHIRC (Entry Office Rule Hierarchy Control Form)

• SZAPDIS (Pin Distribution Form)

Page 32: Unc cause 2011 random pin

SZAEOFC: Entry Office Control Form


Page 33: Unc cause 2011 random pin

SZAHIRC: Entry Office Rule Hierarchy Control Form


Page 34: Unc cause 2011 random pin

SZAPDIS: Pin Distribution Form


Page 35: Unc cause 2011 random pin

End User Experience

Finding Happiness

Page 36: Unc cause 2011 random pin

Finding Happiness


Page 37: Unc cause 2011 random pin

3 Faces of Happiness

• Self Service Email Delivery

• Request Paper Mail Delivery, Entry Office Prints

• Sorry, Person and Entry Office Communication Required

• All begin at https://getmypin.uncg.edu


Page 38: Unc cause 2011 random pin

Answer me these Questions 3

What is Your Name

What is Your ID

What is your DOB

Page 39: Unc cause 2011 random pin

Initial Entry: ID, Name, DOB


Page 40: Unc cause 2011 random pin

Would you like your pin in bits?


Page 41: Unc cause 2011 random pin

For your safety……


Page 42: Unc cause 2011 random pin

Process Tips & Disclaimers


Page 43: Unc cause 2011 random pin

We're done! Check your email

Page 44: Unc cause 2011 random pin

Sample of Email Body (sent from EO email addy)


Note the PIN LINK Long URL

Page 45: Unc cause 2011 random pin

Having clicked the link


Page 46: Unc cause 2011 random pin

Oops, you waited too long


Page 47: Unc cause 2011 random pin

3 strikes and you are Out!


Page 48: Unc cause 2011 random pin

If you remember your Verification Word: Success!


Page 49: Unc cause 2011 random pin

From Here

• User logs into Baseline Self Service

– They must answer baseline “Forgot PIN” Security Questions & Answers

• Because random PIN was set as pre-expired

– They must set a new PIN.

• User is in Self Service and can do their business

• “didn’t have to talk to a human…”

Page 50: Unc cause 2011 random pin

Face #2

Request Paper Mail Delivery, Entry

Office Prints


Page 51: Unc cause 2011 random pin

You want your PIN on dead trees…


Page 52: Unc cause 2011 random pin

Ok, Please be Patient


Page 53: Unc cause 2011 random pin

We're done!

Page 54: Unc cause 2011 random pin

After the Entry Office prints and mails, and you receive

Page 55: Unc cause 2011 random pin

The Third Face

Sorry, Person and Entry

Office Communication Required


Page 56: Unc cause 2011 random pin

Recap of the Path

• Success with ID, DOB, & Name

• No Valid Emails or did not choose emails

and

• No Valid Mailing Address or said do not send via paper

Page 57: Unc cause 2011 random pin

Oh, addresses out of date/ don’t trust US Postal Service


Page 58: Unc cause 2011 random pin

Next Steps

• Hopefully person calls their entry office at the phone number listed.

• Staff member with privileges on SZAPDIS can review request, status, etc.

• Based on Entry Office specific practices staff can attempt to

– Identify person calling (20 questions method)

– Gather corrected contact information

– Immediately enter that in Banner (GOAEMAL/SPRADDR)

– Have the person try again.

Page 59: Unc cause 2011 random pin

Miscellaneous Info

• Email is sent from Entry Office specific email address, so bounces are returned there for remediation by Entry Office staff.

• Letters are sent from Entry Office, in their envelopes, so returned mail can be dealt with by Entry Office staff.

• Other Error Messages

– Did not answer 3 initial questions correctly = “The Information you entered was not found in our records. Please check the Information for Errors.”

Page 60: Unc cause 2011 random pin

Results

What it has done for UNCG

Page 61: Unc cause 2011 random pin

Results Page

• All persons (students, staff, faculty, other) follow the same process.

• Email & Address data is better maintained by Entry Offices, since correct emails mean more happy faces.

• DOB Pattern based PINs are gone!

• Many fewer calls to Service Desk with PIN problems due to DOB issues, or “I lost my letter/email”

• Registrar’s Office Staff spend less time dealing with PINS for Alums (required for transcript ordering)


Page 62: Unc cause 2011 random pin

Unsolicited Client Email:

Subj: Just sending some love

The PIN re-set website has been a great help.

In the past, I received an average of 8-10 calls a month. Which isn't bad, I know, but as this was an average, I sometimes had 8-10 in a week. I have only printed 3 PIN letters since we went live with this function last Spring.

THANK YOU.

--

Kelly A. Rowett-James, University Registrar

The University of North Carolina at Greensboro

Page 63: Unc cause 2011 random pin

Summary

• Solve the Business Problem:

– Make it Standardized, Self Service, Secure,

– Also make it Flexible and Customizable

• Architecture: Use what you have & build what you need

– Baseline Components: GORRSQL, Letter Gen, GTVSDAX

– Custom INB, SSB, Batch Job pieces

• Admin GUI: Build for flexibility

• End User Experience

– Small, Simple Steps


Page 64: Unc cause 2011 random pin

Woulda/Shoulda/Coulda

Things we might do to enhance or would do differently.

Page 65: Unc cause 2011 random pin

Ideas to make it better

• Build Form/Table to map users of SZAPDIS to Entry Offices in order to restrict staff to “their” people, and ITS Staff to global Query. [Could also be done with Value Based Security]

• Build a secondary log table for each status of a Pin Reset Request.

• Build a “pre log table” to capture any situations where all 3 items do not match, to detect bot attack

• Put in a “Captcha” as a bot defense

• Build reporting to look for patterns of non successful actions.

• Schedule batch process in UC4 for automatic nightly printing.

• Set up Workflows to notify Entry office, “You’ve got PIN LETTERS to Print!”
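The "pre log table" and pattern-reporting ideas on this slide could feed a check like the one below. It is an added example, not part of the UNCG tool; the row layout, the thresholds and the sample rows (documentation-range IP addresses, made-up IDs) are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of a hypothetical pre-log table: one row per request
# where ID, name and DOB did not all match. Columns: time, source IP, ID tried.
SAMPLE_ROWS = [
    ("2011-03-01 03:00:01", "192.0.2.10", "880000001"),
    ("2011-03-01 03:00:02", "192.0.2.10", "880000002"),
    ("2011-03-01 03:00:03", "192.0.2.10", "880000003"),
    ("2011-03-01 03:00:04", "192.0.2.10", "880000004"),
    ("2011-03-01 09:15:00", "198.51.100.7", "880123456"),
    ("2011-03-01 09:35:00", "198.51.100.7", "880123456"),
    ("2011-03-01 11:00:00", "203.0.113.5", "880777777"),
    ("2011-03-01 11:00:20", "203.0.113.5", "880777777"),
    ("2011-03-01 11:00:40", "203.0.113.5", "880777777"),
    ("2011-03-01 11:01:00", "203.0.113.5", "880777777"),
    ("2011-03-01 11:01:20", "203.0.113.5", "880777777"),
]

def flag_sources(rows, window=timedelta(minutes=5), max_failures=5, max_ids=3):
    """Return {source: reason} for sources whose failures look automated."""
    recent = defaultdict(deque)   # source -> (time, id) pairs inside the window
    flagged = {}
    for stamp, source, tried_id in sorted(rows):
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        events = recent[source]
        events.append((when, tried_id))
        # Drop failures that have aged out of the sliding window.
        while when - events[0][0] > window:
            events.popleft()
        distinct_ids = {tried for _, tried in events}
        if len(distinct_ids) >= max_ids:
            flagged.setdefault(source, "many different IDs tried")
        elif len(events) >= max_failures:
            flagged.setdefault(source, "repeated failures on the same ID")
    return flagged

if __name__ == "__main__":
    for source, reason in flag_sources(SAMPLE_ROWS).items():
        print(source, "->", reason)
```

A person who mistypes a DOB twice, twenty minutes apart, stays under both thresholds, while a source walking through IDs or hammering one ID is reported.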

Page 66: Unc cause 2011 random pin

Questions?

• Any and all are welcome


Page 67: Unc cause 2011 random pin

Thank You!

Moreland [email protected]

Please complete the class evaluation form
