PKI & Personal Digital Certificates,  The Key to Securing Sensitive   Electronic Communications        MATC    April 22, 2...
OverviewWhy is electronic privacy such a hottopic these days?Watch videoWhat is a digital certificate?What is PKI?Why are ...
Why is Electronic PrivacySuch a Hot Topic Today?   • Evolution of the Internet,     commerce, banking, healthcare   • Depe...
The Topic is More Interesting    When It Affects You!
Intercepting Your Electronic      Communications
Digital certificates can         protect your      sensitive electronic    information in multiple             WaysEncrypt...
Discussion Topic One• Do you think the threat of Email  eavesdropping is real?• What about the government’s argument  abou...
What is a Digital Certificate?
Digital Certificate Terminology            Defined      Digital Certificate        Electronic Passport        Good for aut...
What is in a Certificate?
Public and Private Keys The digital certificate has two parts, a PUBLIC key and a PRIVATE key The Public Key is distribute...
Public Key Cryptography
Getting Someone’s Public Key      The Public Key must be shared to be      Useful      It can be included as part of your ...
Who Could This Public Key  Possibly Belong To?
What is PKI?• PKI is an acronym for Public Key  Infrastructure• It is the system which manages and  controls the lifecycle...
What Is In a PKI? •   Credentialing of individuals •   Generating certificates •   Distributing certificates •   Keeping c...
Credentialing• Non technical, but the most  important part of a PKI!• A certificate is only as trustworthy as  the underly...
Certificate Generation and Storage      • How do you know who you are        dealing with in the generation        process...
Distributing Certificates• Can be done  remotely – benefits  and drawbacks• Can be done face  to face – benefits  and draw...
Keeping Copies – Key Escrow    • Benefit –      Available in case      of emergency    • Drawback – Can      be stolen    ...
Certificate Renewal• Just like your passport, digital certificates  expire• This is for the safety of the organization  an...
Trusted Root Authorities• A certificate issuer  recognized by all  computers around  the globe• Root certificates  are sto...
It Is All About Trust
Using Certificates to Secure Email      • Best use for certificates, in my        opinion      • Digital certificate provi...
Secure Email is Called      S/MIME     • S/MIME = Secure       Multipurpose Mail       Extensions     • S/MIME is the     ...
Using Certificates For   Authentication
Digital Certificates• A digital passport,  either contained on a  secure device, or on  a hard disk• Secured with a  passw...
Digital Certificate Benefits   • True Dual Factor Authentication   • Low variable cost to produce   • Can contain authoriz...
Digital Certificate Drawbacks   • High fixed cost to build initial     infrastructure   • Can be copied and shared if not ...
Digital Signing of Email • Proves that the email came from   you • Invalidates plausible denial • Proves through a checksu...
Using Digital Certificates for Digital              Signing
Digital Signatures Do Not Prove Whena Message or Document Was Signed       You need a       neutral third party       time...
Send Me a Signed Email, Please,    I Need Your Public Key
What Does a Digital Signature Prove?      Provides proof that the      email came from the      purported sender…Is      t...
A Digital Signature Can Be Invalid For            Many Reasons
Why Is The Digital Signature of the      Sender So Important?
What if This Happens at MATC?       Could cause harm in       a critical situation       Case Scenario           Multiple ...
Digital Signing Summary• Provides proof of the  author• Testifies to message  integrity• Valuable for both  individual or ...
Using Digital Certificates for        Encryption
What Encryption DoesEncrypting data with adigital certificateSecures it end to end.• While in transit• Across the network•...
Encryption Protects the Data At Rest           and In Transit      Physical theft from office      Physical theft from air...
Why Encryption is Important    •   Keeps private information private    •   HIPAA, FERPA, SOX, GLB compliance    •   Propr...
What does it actually look like in practice?                -Sending-
What does it actually look like inpractice (unlocking my private key)             -receiving-
What does it actually look like in practice?        -receiving- (decrypted)
Digitally signed and verified;          Encrypted
What does it look like in practice?   -receiving- (intercepted)
Intercepting the Data in Transit
Digital Certificates For Machines Too        • SSL – Secure          Socket Layer        • Protection of data          in ...
Case Study - Why the Registrar’sOffice Chose Digital Certificates      • Cost      • Easy Integration      • Security     ...
Is the NSA Watching? • Discussion of NSA_key in Microsoft   Operating System • What about UW-Madison?
SUMMARY• Authentication• Digital Signing of Documents• Encryption• Digital certificates can do all of this!
Benefits of Using Digital          CertificatesProvide global assurance of your identity,both internally and externally to...
Who Uses Digital Certificates     at UW-Madison?DoITUW Police and SecurityOffice of the RegistrarOffice of Financial AidOf...
Who Uses Digital Certificates  Besides UW-Madison?US Department of DefenseUS Department of HomelandSecurityAll Western Eur...
The Telephone AnalogyWhen thetelephone wasinvented, it washard to sell.It needed toreach criticalmass and theneveryone wan...
That All Sounds Great in Theory,    But Do I Really Need It?    • The world seems      to get along just      fine without...
We Have Internal Threats Too     @ UW-Madison!
How Do Users Feel About the      Technology?   • Ease of use   • Challenges   • Changes in how they do their daily     wor...
It Really Is Up To You!• Digital certificates / PKI is not hard to  implement• It provides end to end security of  sensiti...
How Can I Help You?ndavis1@wisc.eduhttp://www.cio.wisc.edu/security/digitalCert/
Upcoming SlideShare
Loading in …5
×

Pki & personal digital certificates, securing sensitive electronic communications, by nicholas davis, uw madison

465 views
359 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
465
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
23
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Pki & personal digital certificates, securing sensitive electronic communications, by nicholas davis, uw madison

  1. 1. PKI & Personal Digital Certificates, The Key to Securing Sensitive Electronic Communications MATC April 22, 2010 Nicholas Davis
  2. 2. OverviewWhy is electronic privacy such a hottopic these days?Watch videoWhat is a digital certificate?What is PKI?Why are these technologies important?Trusted Root AuthoritiesUsing digital certificates for email encryptionKey Escrow, the double edged swordIntegrating digital certificates into email forsecurityNew uses for digital certificatesHow is PKI related to SSL?Using certificates for code signing ofsoftwareNSA conspiracy theoriesReal world issues with PKIDiscussion
  3. 3. Why is Electronic PrivacySuch a Hot Topic Today? • Evolution of the Internet, commerce, banking, healthcare • Dependence on Email • Government regulations, SOX, HIPAA, GLB, PCI, FERPA • Public Image • Business warehousing • Industrial Espionage • The United States government!
  4. 4. The Topic is More Interesting When It Affects You!
  5. 5. Intercepting Your Electronic Communications
  6. 6. Digital certificates can protect your sensitive electronic information in multiple WaysEncryption, Digital Signing and Authentication
  7. 7. Discussion Topic One• Do you think the threat of Email eavesdropping is real?• What about the government’s argument about Email being like a “postcard?”• Should DOA be allowed to look at DWD emails on a public network?• Are you angry now, or just afraid?• Who has the responsibility in this situation?
  8. 8. What is a Digital Certificate?
  9. 9. Digital Certificate Terminology Defined Digital Certificate Electronic Passport Good for authentication Good non-repudiation Proof of authorship Proof of non-altered content Encryption! Better than username - password
  10. 10. What is in a Certificate?
  11. 11. Public and Private Keys The digital certificate has two parts, a PUBLIC key and a PRIVATE key The Public Key is distributed to everyone The Private Key is held very closely And NEVER shared Public Key is used for encryption and verification of a digital signature Private Key is used for Digital signing and decryption
  12. 12. Public Key Cryptography
  13. 13. Getting Someone’s Public Key The Public Key must be shared to be Useful It can be included as part of your Email signature It can be looked up in an LDAP Directory Can you think of the advantages and disadvantages of each method?
  14. 14. Who Could This Public Key Possibly Belong To?
  15. 15. What is PKI?• PKI is an acronym for Public Key Infrastructure• It is the system which manages and controls the lifecycle of digital certificates• The PKI has many features
  16. 16. What Is In a PKI? • Credentialing of individuals • Generating certificates • Distributing certificates • Keeping copies of certificates • Reissuing certificates • Revoking Certificates
  17. 17. Credentialing• Non technical, but the most important part of a PKI!• A certificate is only as trustworthy as the underlying credentialing and management system• Certificate Policies and Certificate Practices Statement
  18. 18. Certificate Generation and Storage • How do you know who you are dealing with in the generation process? • Where you keep the certificate is important
  19. 19. Distributing Certificates• Can be done remotely – benefits and drawbacks• Can be done face to face – benefits and drawbacks
  20. 20. Keeping Copies – Key Escrow • Benefit – Available in case of emergency • Drawback – Can be stolen • Compromise is the best! • Use Audit Trails, separation of duties and good accounting controls for key escrow
  21. 21. Certificate Renewal• Just like your passport, digital certificates expire• This is for the safety of the organization and those who do business with it• Short lifetime – more assurance of validity but a pain to renew• Long lifetime – less assurance of validity, but easier to manage• Use a Certificate Revocation List if you are unsure of certificate validity
  22. 22. Trusted Root Authorities• A certificate issuer recognized by all computers around the globe• Root certificates are stored in the computer’s central certificate store• Requires a stringent audit and a lot of money!
  23. 23. It Is All About Trust
  24. 24. Using Certificates to Secure Email • Best use for certificates, in my opinion • Digital certificate provides proof that the email did indeed come from the purported sender • Public key enables encryption and ensures that the message can only be read by the intended recipient
  25. 25. Secure Email is Called S/MIME • S/MIME = Secure Multipurpose Mail Extensions • S/MIME is the industry standard, not a point solution, unique to a specific vendor
  26. 26. Using Certificates For Authentication
  27. 27. Digital Certificates• A digital passport, either contained on a secure device, or on a hard disk• Secured with a password, making them truly a dual factor solution• Can be used to authenticate machines as well as humans
  28. 28. Digital Certificate Benefits • True Dual Factor Authentication • Low variable cost to produce • Can contain authorization data as well as authentication data
  29. 29. Digital Certificate Drawbacks • High fixed cost to build initial infrastructure • Can be copied and shared if not properly stored • Expiration • Often require access to an interface such as a card reader of USB port, not always available at kiosks
  30. 30. Digital Signing of Email • Proves that the email came from you • Invalidates plausible denial • Proves through a checksum that the contents of the email were not altered while in transit • Provides a mechanism to distribute your public key • Does NOT prove when you sent the email
  31. 31. Using Digital Certificates for Digital Signing
  32. 32. Digital Signatures Do Not Prove Whena Message or Document Was Signed You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!
  33. 33. Send Me a Signed Email, Please, I Need Your Public Key
  34. 34. What Does a Digital Signature Prove? Provides proof that the email came from the purported sender…Is this email really from Britney Spears? Provides proof that the contents of the email have not been altered from the original form
  35. 35. A Digital Signature Can Be Invalid For Many Reasons
  36. 36. Why Is The Digital Signature of the Sender So Important?
  37. 37. What if This Happens at MATC? Could cause harm in a critical situation Case Scenario Multiple hoax emails sent with Chancellor’s name and email. When real crisis arrives, people might not believe the warning. It is all about trust!
  38. 38. Digital Signing Summary• Provides proof of the author• Testifies to message integrity• Valuable for both individual or mass email• Supported by Wiscmail Web client (used by 80% of students)
  39. 39. Using Digital Certificates for Encryption
  40. 40. What Encryption DoesEncrypting data with adigital certificateSecures it end to end.• While in transit• Across the network• While sitting on email servers• While in storage• On your desktop computer• On your laptop computer• On a server
  41. 41. Encryption Protects the Data At Rest and In Transit Physical theft from office Physical theft from airport Virtual theft over the network
  42. 42. Why Encryption is Important • Keeps private information private • HIPAA, FERPA, SOX, GLB compliance • Proprietary research • Human Resource issues • Legal Issues • PR Issues • Industrial Espionage • Over-intrusive Government • You never know who is listening and watching!
  43. 43. What does it actually look like in practice? -Sending-
  44. 44. What does it actually look like inpractice (unlocking my private key) -receiving-
  45. 45. What does it actually look like in practice? -receiving- (decrypted)
  46. 46. Digitally signed and verified; Encrypted
  47. 47. What does it look like in practice? -receiving- (intercepted)
  48. 48. Intercepting the Data in Transit
  49. 49. Digital Certificates For Machines Too • SSL – Secure Socket Layer • Protection of data in transit • Protection of data at rest • Where is the greater threat? • Our certs protect both!
  50. 50. Case Study - Why the Registrar’sOffice Chose Digital Certificates • Cost • Easy Integration • Security • No individual process evaluation • Leverages a central, generic resource • Ability to inter- communicate
  51. 51. Is the NSA Watching? • Discussion of NSA_key in Microsoft Operating System • What about UW-Madison?
  52. 52. SUMMARY• Authentication• Digital Signing of Documents• Encryption• Digital certificates can do all of this!
  53. 53. Benefits of Using Digital CertificatesProvide global assurance of your identity,both internally and externally to theUW-MadisonProvide assurance of message authenticityand data integrityKeeps private information private, end toend, while in transit and storageYou don’t need to have a digital certificateTo verify someone else’s digital signatureCan be used for individual or generic mailaccounts.
  54. 54. Who Uses Digital Certificates at UW-Madison?DoITUW Police and SecurityOffice of the RegistrarOffice of Financial AidOffice of AdmissionsPrimate Research LabMedical SchoolBucky Badger, because he’s a teamplayer and slightly paranoid about hisbasketball plays being stolen
  55. 55. Who Uses Digital Certificates Besides UW-Madison?US Department of DefenseUS Department of HomelandSecurityAll Western European countriesNew US PassportDartmouth CollegeUniversity of Texas at AustinJohnson & JohnsonRaytheonOthers
  56. 56. The Telephone AnalogyWhen thetelephone wasinvented, it washard to sell.It needed toreach criticalmass and theneveryone wantedone.
  57. 57. That All Sounds Great in Theory, But Do I Really Need It? • The world seems to get along just fine without digital certificates… • Oh, really? • Let’s talk about some recent stories
  58. 58. We Have Internal Threats Too @ UW-Madison!
  59. 59. How Do Users Feel About the Technology? • Ease of use • Challenges • Changes in how they do their daily work • Benefits • Drawbacks
  60. 60. It Really Is Up To You!• Digital certificates / PKI is not hard to implement• It provides end to end security of sensitive communications• It is comprehensive, not a mix of point solutions• You are the leaders of tomorrow, make your choices count by pushing for secure electronic communications!
  61. 61. How Can I Help You?ndavis1@wisc.eduhttp://www.cio.wisc.edu/security/digitalCert/

×