Within the PennKey authentication system, an individual's
username is known as a PennKey. Paired with an associated password, a
PennKey is required to authenticate an individual's identity to many of
Penn's networked systems and services. Note that PennKeys are all lower
case, i.e., if a person whose PennKey is "smith" enters "Smith"
or "SMITH", authentication will fail.

Faculty, staff, and students of the University of Pennsylvania;
employees of the University of Pennsylvania Health System (UPHS).

PennKey is the latest evolution of the University's longstanding
commitment to securing critical online services.
Requirements for critical services are outlined in the University's Critical
PennNet Host Security Policy, commonly referred to as the Critical
Host policy. One way the policy strives to protect Penn's systems and
services is by mandating that passwords sent between users and critical
host systems be "strongly encrypted," or protected by certain
ciphering methods, rather than sent over the network "in clear text."
The PennKey authentication system satisfies this requirement and provides
a foundation for even stronger forms of authentication that may be required
in the future. PennKey authentication is only one of several forms of
secure authentication that meet the Critical Host policy. Other forms
of secure authentication are being used on campus services as well.

The PennKey system is based on Kerberos, a security technology developed
at MIT. The Kerberos protocol enables individuals to demonstrate that
they are who they claim to be without ever transmitting passwords over
the network, even in encrypted form. Thus there are fewer opportunities
for password theft or unauthorized access to Penn's network, systems,
and confidential or personal data. Kerberos also lays the foundation for
the evolution towards a "single sign-on" environment over time
-- one in which a user would enter a unique ID and password only once
a day in order to access several different online services.
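
The following added example (not from the original page and not Penn's or MIT's code) sketches a simplified Kerberos-style initial exchange in Python to show how knowledge of a password can be demonstrated without the password crossing the network. The realm, the `ToyKDC` class, the sample password and the HMAC-based sealing are constructed stand-ins; real Kerberos uses standardized encryption types and adds pre-authentication and tickets.

```python
import hashlib, hmac, os

REALM = "EXAMPLE.EDU"  # constructed realm name, not a real deployment

def string_to_key(password, principal):
    # Simplified string-to-key: the long-term key is derived from the password,
    # salted with realm + principal, on the client and when the KDC enrolls a user.
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)

def _stream(key, nonce, n):
    # Toy keystream from HMAC-SHA256; a stand-in for a real Kerberos enctype.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong password-derived key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class ToyKDC:
    """Hypothetical key distribution center holding derived keys, not passwords."""
    def __init__(self):
        self.keys, self.issued = {}, {}

    def enroll(self, principal, password):
        self.keys[principal] = string_to_key(password, principal)

    def as_exchange(self, request):
        # The request names the principal only; the reply is useless to anyone
        # who cannot derive the same long-term key from the password.
        principal = request["principal"]
        session_key = os.urandom(32)
        self.issued[principal] = session_key
        return {"enc_part": seal(self.keys[principal], session_key)}

def client_login(kdc, principal, password):
    request = {"principal": principal}   # everything the client sends
    reply = kdc.as_exchange(request)
    # The password is used only locally, to open the sealed session key.
    return request, unseal(string_to_key(password, principal), reply["enc_part"])
```

A correct password recovers the same session key the KDC issued; a wrong one fails the integrity check locally, and in neither case does the request contain the password.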