Making Digital Security a Reality With PKI
Nicholas A. Davis, UW-Madison
November 28, 2006
Overview
• PKI 101 – Intro to digital certificates
• History of PKI at UW-Madison
• UW-Madison IT environment
• Why UW-Madison is interested in PKI
• PKI cost and model comparison
• What it all actually looks like in reality
• Our experience so far and our future plans
• Universal truths
• What we have learned
• Final thoughts
• How to get started today!
• Questions

Public Key Infrastructure (PKI) 101
• PKI = System to manage digital certificates
• Digital Passport
• Digital key to unlock encrypted Data
• Digital pen to sign

PKI 101 (Continued)
• Digitally sign Microsoft Office documents, spreadsheets, email, PDF files, etc.
• Encrypt email in transit and storage, end to end
• Authenticate with a much stronger credential than username & password

History of PKI at UW-Madison
• October 2000 – UW-Madison and Dartmouth get together
• June 2004 – Requirements gathering
• May 2005 – Geotrust selected
UW-Madison IT Landscape
• Faculty, Staff, Students
• Highly decentralized
• Public institution
• Research driven environment
Communities Served by UW-Madison AuthNZ
It’s Not Just About Us Anymore

Why the UW-Madison is interested in digital security solutions
• Threat of identity theft (Authentication) – Alice and Bob story
• More university businesses conducted via the Internet (encryption)
• Non-repudiation (signing)

Up Front Development Costs
• Gartner Group estimates that the average commercial PKI system costs $1 million to implement
• 80% of PKI systems never get beyond “pilot” status
• Our estimated first year costs are substantially less than this

PKI Models Under Consideration
• In-House Commercial
• In-House Open Source
• Co-managed
Time to Implement
• Feature Set
• Cost of establishing sandbox, QA and production environments
• Hardware acquisition
• CP and CPS (Certificate Policy and Certification Practice Statement)
• Open Source, 12 months
• In-House Commercial, 9 months
• Co-Managed Commercial, 1 month
Geotrust Selected as UW-Madison PKI
• Lower upfront fixed costs
• Lower 10 year costs
• Faster road to implementation
• Trusted Root
• Off Site Key Escrow
• Automated certificate delivery
• UW-Madison common look and feel
• No long term lock in

No Trusted Root With Open Source
Unsigned Root means distrust both within and outside our core universe
Certificate Storage
• Aladdin eToken
• USB based for ease of integration
• Excellent customer support
• Enhanced platform support
What does it actually look like in practice? (unlocking my private key) – sending
What does it actually look like in practice? – receiving (decrypted)
What does it actually look like in practice? – receiving (intercepted)
Feature Set – Trusted Root
Seamless trust lets us play globally via the Equifax Secure eBusiness CA1
Feature Set – Key Escrow
Is Big Brother watching? Who do the keys belong to anyway?

Feature Set – Distance Users – Co-Managed
All the user needs is a web browser in order to get their certificate

Our Experience So Far
Customers appreciate:
• Automated certificate delivery
• Trusted Root
• Key Escrow
Uses:
• Using certificates for digital signing
• Using certificates for encrypted email
• Digital signing of mass email to campus

So Now What?
• Digital certificate management model proven
• Low hanging digital fruit has been harvested
• Is it time for me to retire?

Leveraging Our Existing System
• The UW-Madison PKI is in place today for signing and encryption
• Encourage others to change their way of doing business
• Integration with our current Web ISO for authentication

Example of Business Process Change
• UW-Madison Police and Security
• Building access: New centralized system
• Same historically weak business processes
• FERPA issues
• PKI to the rescue!
• 110 new users

Universal Truths
• People are not interested in vaporware to solve their problems
• Administrative controls don’t work
• If you don’t trust anyone, nobody will trust you. You have to play by the rules, even if you don’t like them

The Secret is Evolution, Not Revolution
Revolutions are bloody! Evolution lets you gain immediate benefit today while planning for a better tomorrow without throwing away all your current systems

Integration with WebISO: Easy Evolution
• WebISO is an independent authentication module for web apps.
• Currently username and password enabled
• Easily converts to digital certificate based authentication without requiring rewrite of all applications

But What About SecurID?
• SecurID = One Time Password authentication device (OTP)
• Great for authentication!
• What else does it do?
• Cost!
• Vendor Lock-in!
• Good point solution, but hardly forward thinking
Critical Success Factors for the UW-Madison
• A focus on the customer requirements is of paramount importance
• Financial lifecycle modeling for both short and long term
• Being careful not to reinvent the wheel simply for the sake of pride
• Top down support from the CIO’s office
What We Have Learned
• A certificate is a certificate
• What matters most is what your organization does with the certificate once it is issued
• The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance

Final Thoughts
• The key to success in a decentralized environment lies in motivating your users, not obligating your users
• Whether you choose to build or buy, remember to keep it simple for the customers
• Don’t spend time on duplication of effort
“But We Are Different…..”
• We all like to think we are different
• Set up a content filtering device with 100 keywords on your outgoing email
• Let me know what you discover
• Ignorance is not an excuse for weak security practices
Audience Question
How is PKI similar to a Telephone network?
The value of the system is proportional to the number of people who have a phone or a digital certificate!
“It can happen to you, it can happen to me, it can happen to everyone eventually…..”
The First Taste is Free!
Download a FREE email digital certificate:
www.ascertia.com
www.thawte.com
Perform inter-institutional testing with your organization and UW-Madison!
Digital certificates are inherently supported in: Outlook, Outlook Express, Thunderbird, Mail.app, Mulberry, Eudora 7.0
Questions and Comments
Nicholas Davis
PKI Project Leader
UW-Madison
ndavis1@wisc.edu
608-262-3837
www.doit.wisc.edu/middleware/pki
PLEASE PARTNER WITH US AS WE MOVE FORWARD WITH PKI!