The document provides an overview of PKI (Public Key Infrastructure) and how it relates to securing electronic communications with digital certificates. It discusses how PKI manages the lifecycle of digital certificates, including generating, distributing, storing, renewing, and revoking certificates. It also explains how digital certificates and public/private key encryption can be used to securely sign and encrypt email, helping to authenticate senders and ensure message integrity and privacy. Overall, the document outlines the basic concepts of PKI and how it enables trusted electronic communications through the use of digital certificates.
PKI & Personal Digital Certificates, the Key to Securing Sensitive Electronic Communications
1. PKI & Personal Digital Certificates, The Key to Securing Sensitive Electronic Communications
December 2, 2010
Nicholas Davis
2. Agenda
• Introduction
• We will eat
• We will watch movies
• We will find an error in the textbook
• We will learn
• We will chat
• We will have fun
3. Twix
• Twix is a candy bar made by Mars, Inc., consisting of a biscuit finger, topped with caramel and coated in milk chocolate. Being somewhat smaller in width than other confectionery bars, Twix bars are typically packaged in pairs. Twix was first produced in the UK in 1967, and introduced in the United States in 1979.
4. Overview
Why is electronic privacy such a hot topic these days?
What is a digital certificate?
What is PKI?
Why are these technologies important?
Trusted Root Authorities
Using digital certificates for email encryption
Key Escrow, the double edged sword
Integrating digital certificates into email for security
How is PKI related to SSL?
Using certificates for code signing of software
Real world issues with PKI
Discussion
5. Why is Electronic Privacy Such a Hot Topic Today?
• Evolution of the Internet, commerce, banking, healthcare
• Dependence on Email
• Government regulations, SOX, HIPAA, GLB, PCI, FERPA
• Public Image
• Business warehousing
• Industrial Espionage
• The government
6. The Topic is More Interesting When It Affects You!
8. Discussion Topic One
• Do you think the threat of Email eavesdropping is real?
• What about the government’s argument about Email being like a “postcard?”
• Should Target be allowed to look at Walmart emails on a public network?
• Are you angry now, or just afraid?
• Who has the responsibility in this situation?
10. Digital Certificates Continued
Digital Certificate
Electronic Passport
Good for authentication
Good for non-repudiation
Proof of authorship
Proof of non-altered content
Encryption!
Better than username - password
12. Public and Private Keys
The digital certificate has two parts, a PUBLIC key and a PRIVATE key
The Public Key is distributed to everyone
The Private Key is held very closely and NEVER shared
Public Key is used for encryption and verification of a digital signature
Private Key is used for digital signing and decryption
14. Getting Someone’s Public Key
The Public Key must be shared to be useful
It can be included as part of your Email signature
It can be looked up in an LDAP directory
Can you think of the advantages and disadvantages of each method?
16. What is PKI?
• PKI is an acronym for Public Key Infrastructure
• It is the system which manages and controls the lifecycle of digital certificates
• The PKI has many features
17. What Is In a PKI?
• Credentialing of individuals
• Generating certificates
• Distributing certificates
• Keeping copies of certificates
• Reissuing certificates
• Revoking certificates
• Renewing certificates
18. Credentialing
• Non technical, but the most important part of a PKI!
• A certificate is only as trustworthy as the underlying credentialing and management system
• Certificate Policy and Certification Practice Statement
19. Certificate Generation and Storage
• How do you know who you are dealing with in the generation process?
• Where you keep the certificate is important
20. Distributing Certificates
• Can be done remotely – benefits and drawbacks
• Can be done face to face – benefits and drawbacks
21. Keeping Copies – Key Escrow
• Benefit – Available in case of emergency
• Drawback – Can be stolen
• Compromise is the best!
• Use Audit Trails, separation of duties and good accounting controls for key escrow
22. Certificate Renewal
• Just like your passport, digital certificates expire
• This is for the safety of the organization and those who do business with it
• Short lifetime – more assurance of validity but a pain to renew
• Long lifetime – less assurance of validity, but easier to manage
• Can be renewed with same keypair or new keypair depending on escrow situation
23. Expiration
• A rare moment for me…I get to point out an error in the textbook! (Page 418)
• A message signed with an expired private key will show as invalid to the recipient
• However, a private key can ALWAYS be used to decrypt a message, even an expired private key.
• Nobody is perfect, forgive the textbook author!
24. Revocation
• Just like Stefan Wahe’s driving license, it can (and should) be revoked prior to expiration
• CRL – Certificate Revocation List
• OCSP – Online Certificate Status Protocol
• Both are real time
• In practice, both are rarely used
25. Recovery
• No escrow = no luck
• But with escrow it must be easy, right? !!NOT!!
• Proving identity
• Getting copy from escrow
• Secure delivery to recipient
• Complex, tempting to cut corners, but resist temptation!
• The book’s idea is even more complex!
26. Trusted Root Authorities
• A certificate issuer recognized by all computers around the globe
• Root certificates are stored in the computer’s central certificate store
• Requires a stringent audit and a lot of money!
28. Using Certificates to Secure Email
• Best use for certificates, in my opinion
• Digital certificate provides proof that the email did indeed come from the purported sender
• Public key enables encryption and ensures that the message can only be read by the intended recipient
29. Secure Email is Called S/MIME
• S/MIME = Secure/Multipurpose Internet Mail Extensions
• S/MIME is the industry standard, not a point solution unique to a specific vendor
30. Digital Signing of Email
• Proves that the email came from you
• Invalidates plausible denial
• Proves through a checksum that the contents of the email were not altered while in transit
• Provides a mechanism to distribute your public key
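Slides 12, 22–24 and 30 describe the certificate lifecycle in words; the following Go program is an added example, not part of the deck, and uses only the standard library's crypto/x509 and crypto/rsa. A constructed root CA issues a short-lived user certificate, the chain is verified against a trust store, the same certificate is rejected once it expires while its private key still decrypts (the correction on slide 23), a signature fails over an altered message body, and a CA-signed CRL marks the serial revoked. The CA name, user identity, e-mail address and message bodies are all constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LifecycleResult records the outcome of each check; the test asserts on these fields.
type LifecycleResult struct {
	ChainValid          bool // user cert verifies up to the trusted root inside its validity window
	ExpiredRejected     bool // the same cert is rejected once its NotAfter has passed
	DecryptsAfterExpiry bool // the private key still decrypts mail although the cert has expired
	TamperDetected      bool // the signature fails once the signed body is altered
	Revoked             bool // the user cert's serial appears in the CA's signed CRL
}

// issue signs tmpl for pub with signerKey; parent == nil yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signerKey *rsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// RunLifecycle builds a constructed root CA plus one S/MIME-style user certificate and walks
// it through chain verification, expiration, decryption, signature integrity and revocation.
func RunLifecycle() (res LifecycleResult, err error) {
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return res, err }
	userKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return res, err }
	// Root CA: long-lived, permitted to sign certificates and CRLs (constructed name).
	ca, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, &caKey.PublicKey, caKey)
	if err != nil { return res, err }
	// User certificate: short-lived, for signing and encrypting email (constructed identity).
	user, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice Example (constructed)"},
		EmailAddresses: []string{"alice@example.com"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, ca, &userKey.PublicKey, caKey)
	if err != nil { return res, err }
	// Trust store holding only our root, like the computer's central certificate store.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	_, err = user.Verify(opts)
	res.ChainValid = err == nil
	// Two days later the certificate has expired: a signature made with it shows as invalid.
	opts.CurrentTime = now.Add(48 * time.Hour)
	_, err = user.Verify(opts)
	inv, isInvalid := err.(x509.CertificateInvalidError)
	res.ExpiredRejected = isInvalid && inv.Reason == x509.Expired
	// Expiry is a statement about the certificate, not the key: mail encrypted to Alice's
	// public key is still recoverable with her private key.
	secret := []byte("Q3 merger terms attached (constructed message)")
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &userKey.PublicKey, secret, nil)
	if err != nil { return res, err }
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, userKey, ct, nil)
	res.DecryptsAfterExpiry = err == nil && string(pt) == string(secret)
	// Signed email: the signature covers a SHA-256 digest of the body, so any edit is caught.
	body := []byte("Please wire the funds today. -- Alice (constructed)")
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA256, digest[:])
	if err != nil { return res, err }
	tampered := []byte("Please wire the funds to account 42. -- Alice (constructed)")
	res.TamperDetected = user.CheckSignature(x509.SHA256WithRSA, body, sig) == nil &&
		user.CheckSignature(x509.SHA256WithRSA, tampered, sig) != nil
	// Revocation: the CA publishes a CRL naming Alice's serial; a relying party verifies the
	// CRL's signature against the CA and then looks the serial up.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: user.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	if err != nil { return res, err }
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil { return res, err }
	if err = crl.CheckSignatureFrom(ca); err != nil { return res, err }
	for _, rc := range crl.RevokedCertificates {
		res.Revoked = res.Revoked || rc.SerialNumber.Cmp(user.SerialNumber) == 0
	}
	return res, nil
}

func main() { res, err := RunLifecycle(); fmt.Printf("%+v err=%v\n", res, err) }
```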
31. Digital Signatures Do Not Prove When a Message or Document Was Signed
You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!
32. Send Me a Signed Email, Please, I Need Your Public Key
33. Using a Digital Signature for Email Signing
Provides proof that the email came from the purported sender…Is this email really from Vice President Cheney?
Provides proof that the contents of the email have not been altered from the original form…Should we really invade Mexico?
36. What if This Happens at Madison College?
Could cause harm in a critical situation
Case Scenario
Multiple hoax emails sent with Chancellor’s name and email.
When real crisis arrives, people might not believe the warning.
It is all about trust!
37. Digital Signing Summary
• Provides proof of the author
• Testifies to message integrity
• Valuable for both individual or mass email
• Supported by most email clients…Remember the 80-20 rule…Perfect is the enemy of good!
38. What Encryption Does
Encrypting data with a digital certificate secures it end to end.
• While in transit
• Across the network
• While sitting on email servers
• While in storage
• On your desktop computer
• On your laptop computer
• On a server
39. Encryption Protects the Data At Rest and In Transit
Physical theft from office
Physical theft from airport
Virtual theft over the network
40. Why Encryption is Important
• Keeps private information private
• HIPAA, FERPA, SOX, GLB compliance
• Proprietary research
• Human Resource issues
• Legal Issues
• PR Issues
• Industrial Espionage
• Over-intrusive Government
• You never know who is listening and watching!
41. What does it actually look like in practice? -Sending-
42. What does it actually look like in practice (unlocking my private key)? -Receiving-
43. What does it actually look like in practice? -Receiving- (decrypted)
45. What does it look like in practice? -Receiving- (intercepted)
46. Intercepting the Data in Transit
• How might encrypted email be a
security threat to your organization?
47. Digital Certificates For Machines Too
• SSL – Secure Sockets Layer (today TLS, Transport Layer Security)
• Protection of data in transit
• Protection of data at rest
• Where is the greater threat?
• Our certs protect both!
48. Benefits of Using Digital Certificates
• Provide global assurance of your identity, both internally and externally to the organization
• Provide assurance of message authenticity and data integrity
• Keep private information private, end to end, while in transit and in storage
• You don’t need to have a digital certificate of your own to verify someone else’s digital signature
• Can be used for individual or generic mail accounts.
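An added example, not from the original slides, of the certificate check behind slide 47's SSL/TLS and of slide 48's point that the verifier needs no certificate of its own. It uses Go's standard crypto/x509 with a constructed campus root CA, a server certificate for an assumed host name mail.example.edu, and a constructed rogue CA; the function names are mine. The client holds only the trusted root: the genuine certificate is accepted for its own name, rejected when presented for another name, and a certificate for the same name issued by the untrusted rogue CA is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for tmpl signed by parent with
// parentKey; with parent == nil the certificate is self-signed (a root CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// serverTemplate: the machine's identity is the DNS name in the SAN extension.
func serverTemplate(host string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// VerifyServerCert is the client side of the handshake's certificate check:
// the client needs only the trusted root, never a certificate of its own.
func VerifyServerCert(root, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

type ChainOutcome struct {
	GenuineAccepted   bool // campus-CA-issued cert presented for mail.example.edu
	WrongHostRejected bool // same cert presented for another host name
	RogueCARejected   bool // cert for the same name from an untrusted CA
}

func RunChainScenario() (ChainOutcome, error) {
	var o ChainOutcome
	campusCA, caKey, err := issue(caTemplate("Madison College Root CA (constructed)", 1), nil, nil)
	if err != nil {
		return o, err
	}
	mailCert, _, err := issue(serverTemplate("mail.example.edu", 2), campusCA, caKey)
	if err != nil {
		return o, err
	}
	rogueCA, rogueKey, err := issue(caTemplate("Rogue CA (constructed)", 3), nil, nil)
	if err != nil {
		return o, err
	}
	rogueCert, _, err := issue(serverTemplate("mail.example.edu", 4), rogueCA, rogueKey)
	if err != nil {
		return o, err
	}
	o.GenuineAccepted = VerifyServerCert(campusCA, mailCert, "mail.example.edu") == nil
	o.WrongHostRejected = VerifyServerCert(campusCA, mailCert, "evil.example.com") != nil
	o.RogueCARejected = VerifyServerCert(campusCA, rogueCert, "mail.example.edu") != nil
	return o, nil
}

func main() {
	o, err := RunChainScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The rogue-CA case is the one to remember: a certificate can be perfectly well formed and carry exactly the right name and still be worthless, because trust comes from the issuer being in the verifier's root store, not from anything inside the certificate itself.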
49. The Telephone Analogy
When the telephone was invented, it was hard to sell. It needed to reach critical mass and then everyone wanted one.
50. That All Sounds Great in Theory, But Do I Really Need It?
• The world seems to get along just fine without digital certificates…
• Oh, really?
• Let’s talk about some recent stories
52. How Do Users Feel About the
Technology?
• Ease of use
• Challenges
• Changes in how they do their daily
work
• Benefits
• Drawbacks
53. It Really Is Up To You!
• Digital certificates / PKI are not hard to implement
• They provide end to end security of sensitive communications
• They are comprehensive, not a mix of point solutions
• You are the leaders of tomorrow, make your choices count by pushing for secure electronic communications!
55. Signatures - Evidence
• What is a signature?
• A signature is not part of the substance of a
transaction, but rather, it represents an
understanding, acceptance or indication of
agreement
• Evidence: A signature authenticates a person by
linking the signer with the signed document.
When the signer makes a mark in a distinctive
manner, the writing becomes attributable to the
signer.
• Example: Credit card receipt
56. Signatures – The Three Part Process
• Ceremony, Approval and Commitment
57. Signatures – The Three
Part Process
• Ceremony:
• The act of signing a document calls to the
signer's attention the significance of the
signer's act, and thereby helps prevent
reckless or careless commitments
58. Signatures – The Three
Part Process
• Approval:
• In certain contexts defined by law or
custom, a signature expresses the
signer's approval or authorization of
the writing, or the signer's intention
that it have legal effect
59. Signatures – The Three
Part Process
• Commitment:
• A signature on a written document
often imparts a sense of clarity and
finality to the transaction
60. Signatures
• Traditional signatures put the cart before
the horse!
• How can you be certain that a mortgage
application with Nicholas Davis’s
signature was indeed signed by Nicholas
Davis?
• As trusting people, we generally accept a
written signature at face value
61. Signatures
• Trust – When the going gets tough,
scoundrels can emerge, to challenge the
signature on a document
• Verification against other documents –
Assumes that you have access to other
signed documents and assumes that
signatures on those documents were not
forged
62. Signature
• Before a signature can be trusted, we
must have proof that the signature does
truly belong to the signer
• This is not as easy as it sounds…
63. Signatures – Credentialing
Process
• Credentialing – An initial method of
attestation to the truth of certain stated
facts, such as identity.
• Example: Government photo ID, address verification or proof of your SSN are all attestation methods used to credential people
64. Signatures – Authentication
Process
• Authentication – The process of verifying
that a person is in fact who they claim to
be
• Example: Showing my driver’s license to the guard at the front desk authenticates me as genuinely being Nicholas Davis
65. Signatures – Authorization
Process
• Authorization -- The granting of power or
authority to someone, to do something
specific
• Example: The information system
authorizes Nicholas Davis the rights to
view certain files
66. Signatures -- Trust
• In order for a signature to be relied upon
and trusted for authorization of a
transaction, the individual presenting the
signature must first be credentialed and
then authenticated, prior to allowing them
to authorize a transaction
• A three step process: Credentialing,
Authentication, Authorization
• In the world of written signatures,
organizations rarely credential or
authenticate people
67. Signatures -- Trust
• A written signature, provided without
a solid credentialing and
authentication process, can make
an organization and its customers
vulnerable to fraudulent transactions
• To further protect the organization
and our customers from fraud, we
look to information technology and
the use of digital signatures…..
68. Digital Signatures vs. Written Signatures
• A digital signature provides proof of:
• Verified identity of the signer (the signer’s public key is bound to their name by a certificate issued by a trusted authority)
• Document integrity (the document has not been altered since it was digitally signed)
• Non-repudiation (the signer can’t deny signing the document, as it was done with the private key matching their digital certificate, which only they had access to; this holds only as long as that private key stays under the signer’s sole control)
• A written signature provides proof of:
• Unverified identity of the signer
• Which type of signature provides a higher degree of trust?
69. Digital Signatures – A Note About Identity Theft
• As the Internet and E-Commerce
continue to evolve and grow, it is
important to understand what this
change in business environment
means
• More and more traditional business
processes are being converted to
online applications
• It is harder to impersonate someone in
person than it is over the Internet
70. Digital Signatures
• Written signatures may be
acceptable in person, but are
impractical and risky when used in
an online transaction because, we
no longer can associate a face with
the signature
• If our processes are going digital, so
must our signatures!
71. Digital Signatures vs Electronic Signatures
• “Electronic signature” and “Digital signature” are not synonymous.
• An electronic signature can be a symbol, sound, or process used to sign a document or transaction.
• A digital signature, on the other hand, is a secure electronic signature which uses public key cryptography to authenticate the entity who signed the document, bind the signature to the document contents so that any unauthorized alteration is detectable, and provide proof of non-repudiation
72. Digital Signatures vs
Electronic Signatures
• A digital signature is a form of an
electronic signature, but an
electronic signature is not
necessarily a digital signature.
• Electronic signatures at best provide
only questionable proof of identity,
and do not provide proof of
information/message integrity or
non-repudiation
73. How Can I Help You?
ndavis1@wisc.edu
Tel. 608-347-2486