2. Readings for Next Class
• Signing by FAX
• Secure Email
• Biometrics
• All articles are located in the
September 18 folder
3. Overview
Why is electronic privacy such a hot
topic these days?
Types of Cryptography
Steganography
What is a digital certificate?
What is PKI?
Why are these technologies important?
Trusted Root Authorities
Using digital certificates for email encryption
Key Escrow, the double edged sword
Integrating digital certificates into email for
Security
New uses for digital certificates
How is PKI related to SSL?
Using certificates for code signing of software
NSA conspiracy theories
Real world issues with PKI
Computer lab exercises
Discussion
4. Today’s Chocolate
Bar – Milky Way
• Created in 1924 by Frank C. Mars
• Frank Mars and Milton Hershey were
friends, but their different candy bar
ideologies drove them apart.
• Milky Way was the first “filled” candy bar.
Previously, all candy bars were flat
• The European version will float in a glass
of milk, the American version won’t
• A Milky Way wrapper from 1975 recently
sold for $16 in a collector’s magazine
• Originally there were two flavors, dark
chocolate and milk chocolate. The dark
chocolate version was discontinued in
1979, but came back in 2000 as “Milky
Way Midnight Bar”
5. Is the NSA Watching?
• Discussion of the Crypto AG article
• Discussion of NSA_key in Microsoft
Operating System
• What about UW-Madison?
6. Whay is Electronic Privacy
Such a Hot Topic Today?
• Evolution of the Internet,
commerce, banking, healthcare
• Dependence on Email
• Government regulations, SOX,
HIPAA, GLB, PCI, FERPA
• Public Image
• Business warehousing
• Industrial Espionage
• The United States government!
7. Encryption
• To encode information in such a way as
to make it unreadable by anyone aside
from its intended recipient
• Symmetric Encryption, where a single
secret key is used for both encryption and
decryption.
• Asymmetric Encryption, where a pair of
keys is used -- one for Encryption and the
other for Decryption.
8. Symmetric Encryption
• Simple substitution
C=5
O=1
W=7
517 = COW
• Shifting
Add two letters to each character (letter + 2)
AMU = COW (A + 2 = C, M + 2 = 0, etc)
Hmm, everything appears to = COW
9. Advantages and Disadvantages of
Symmetric Encryption
• Easy to use
• Decryption key can be memorized
• Easy to determine patterns and
guess decryption key (frequency of
letters in the English language)
• Anyone with the key can decrypt the
message even if it was not intended
for them
10. Asymmetric Encryption
• Uses one key to encrypt and a
different key to decrypt
• Public key to encrypt
• Private key to decrypt
• Keys are related, but not the same
11. Advantages and Disadvantages of
Asymmetric Encryption
• Much stronger, more complex keys than
used in symmetric encryption
• Only the intended recipient can REALLY
read the message since only they
possess the private key
• Far more complex than symmetric
encryption, requires larger infrastructure
to manage
• If private key is lost, you are out of luck
12. Yesterday’s Extra Credit
• Take a bow James Loethen, Jeff
Roller and Zach Tranmer! I admire
your investigative abilities
• Decrypted message was: “the
secret agent is a Holstein cow”
• This was symmetric encryption,
where the key was known to the
application
• http://www.yellowpipe.com/yis/tools/en
13.
14.
15. Overt vs. Covert Encryption
• When the US government intercepts
“VGhlIHNlY3JldCBhZ2VudCBpcyBhI
hvbHN0ZWluIGNvdyE=“, from Kemps Ice
Cream factory email system, they know
that a sneaky cow is up to no good.
This message is overtly encrypted
17. Covert Encryption
• Covertly encrypted messages are
much harder to discover
• This one was encoded in a graphics
file
• With overt encryption it is evident
that you are up to something that
you want to keep secret
• With covert encryption, nobody
suspects anything is wrong
18. Covert Encryption is Known as
Steganography
• Not related to Stegosaurus, which
was a dinosaur!
19. Steganography
• Steganography is
the art and
science of writing
hidden messages
in such a way that
no one apart from
the sender and
intended recipient
even realizes
there is a hidden
message
20. How to Determine if Steganography is
Being employed
• Compare sizes of graphics relative
to resolution.
• A low resolution graphic with a large
file size is a good hint that
Steganography is being used
• Image of cow and dolphin
• 71 KB vs 616 KB……Hmmmmm
22. Discussion Topic One
• Do you think the threat of Email
eavesdropping is real?
• What about the government’s argument
about Email being like a “postcard?”
• Should Target be allowed to look at
Walmart emails on a public network?
• Are you angry now, or just afraid?
• Who has the responsibility in this
situation?
28. Digital Certificates Continued
Digital Certificate
Electronic Passport
Good for authentication
Good non-repudiation
Proof of authorship
Proof of non-altered content
Encryption!
Better than username - password
30. Public and Private Keys
The digital certificate has two parts, a
PUBLIC key and a PRIVATE key
The Public Key is distributed to
everyone
The Private Key is held very closely
And NEVER shared
Public Key is used for encryption and
verification of a digital signature
Private Key is used for Digital signing and
decryption
32. Getting Someone’s Public Key
The Public Key must be shared to be
Useful
It can be included as part of your
Email signature
It can be looked up in an LDAP
Directory
Can you think of the advantages and
disadvantages of each method?
34. What is PKI?
• PKI is an acronym for Public Key
Infrastructure
• It is the system which manages and
controls the lifecycle of digital
certificates
• The PKI has many features
35. What Is In a PKI?
• Credentialing of individuals
• Generating certificates
• Distributing certificates
• Keeping copies of certificates
• Reissuing certificates
• Revoking Certificates
36. Credentialing
• Non technical, but the most
important part of a PKI!
• A certificate is only as trustworthy as
the underlying credentialing and
management system
• Certificate Policies and Certificate
Practices Statement
37. Certificate Generation and Storage
• How do you know who you are
dealing with in the generation
process?
• Where you keep the certificate is
important
38. Distributing Certificates
• Can be done
remotely – benefits
and drawbacks
• Can be done face
to face – benefits
and drawbacks
39. Keeping Copies – Key Escrow
• Benefit –
Available in case
of emergency
• Drawback – Can
be stolen
• Compromise is
the best!
• Use Audit Trails,
separation of
duties and good
accounting
controls for key
escrow
40. Certificate Renewal
• Just like your passport, digital certificates
expire
• This is for the safety of the organization
and those who do business with it
• Short lifetime – more assurance of
validity but a pain to renew
• Long lifetime – less assurance of validity,
but easier to manage
• Use a Certificate Revocation List if you
are unsure of certificate validity
41. Trusted Root Authorities
• A certificate issuer
recognized by all
computers around
the globe
• Root certificates
are stored in the
computer’s central
certificate store
• Requires a
stringent audit and
a lot of money!
43. Using Certificates to Secure Email
• Best use for certificates, in my
opinion
• Digital certificate provides proof that
the email did indeed come from the
purported sender
• Public key enables encryption and
ensures that the message can only
be read by the intended recipient
44. Secure Email is Called
S/MIME
• S/MIME = Secure
Multipurpose Mail
Extensions
• S/MIME is the
industry standard,
not a point
solution, unique to
a specific vendor
45. Digital Signing of Email
• Proves that the email came from
you
• Invalidates plausible denial
• Proves through a checksum that the
contents of the email were not
altered while in transit
• Provides a mechanism to distribute
your public key
• Does NOT prove when you sent the
email
46. Digital Signatures Do Not Prove When
a Message or Document Was Signed
You need a
neutral third party
time stamping
service, similar to
how hostages
often have their
pictures taken in
front of a
newspaper to
prove they are still
alive!
47. Send Me a Signed Email, Please,
I Need Your Public Key
48. Using a Digital Signature for Email
Signing
Provides proof that the
email came from the
purported sender…Is
this email really from
Vice President Cheney?
Provides proof that the
contents of the email
have not been altered
from the original
form…Should we
really invade Canada?
51. What if This Happens at UW-
Madison?
Could cause harm in
a critical situation
Case Scenario
Multiple hoax emails
sent with Chancellor’s
name and email.
When real crisis
arrives, people might
not believe the
warning.
It is all about trust!
52. Digital Signing Summary
• Provides proof of the
author
• Testifies to message
integrity
• Valuable for both
individual or mass
email
• Supported by
Wiscmail Web client
(used by 80% of
students)
53. What Encryption Does
Encrypting data with a
digital certificate
Secures it end to end.
• While in transit
• Across the network
• While sitting on email
servers
• While in storage
• On your desktop
computer
• On your laptop
computer
• On a server
54. Encryption Protects the Data At Rest
and In Transit
Physical theft from office
Physical theft from airport
Virtual theft over the network
55. Why Encryption is Important
• Keeps private information private
• HIPAA, FERPA, SOX, GLB compliance
• Proprietary research
• Human Resource issues
• Legal Issues
• PR Issues
• Industrial Espionage
• Over-intrusive Government
• You never know who is
listening and watching!
56. What does it actually look like in practice?
-Sending-
57. What does it actually look like in
practice (unlocking my private key)
-receiving-
58. What does it actually look like in practice?
-receiving- (decrypted)
62. New Applications Coming
Online This Summer!
• Bye bye old ID card!
• Hello Smartcard!
• One card does it all!
• Email encryption,
document signing,
web access to
sensitive applications
and whole disk
encryption
63. Digital Certificates For Machines Too
• SSL – Secure
Socket Layer
• Protection of data
in transit
• Protection of data
at rest
• Where is the
greater threat?
• Our certs protect
both!
64. Benefits of Using Digital
Certificates
Provide global assurance of your identity,
both internally and externally to the
UW-Madison
Provide assurance of message authenticity
and data integrity
Keeps private information private, end to
end, while in transit and storage
You don’t need to have a digital certificate
To verify someone else’s digital signature
Can be used for individual or generic mail
accounts.
65. Who Uses Digital Certificates
at UW-Madison?
DoIT
UW Police and Security
Office of the Registrar
Office of Financial Aid
Office of Admissions
Primate Research Lab
Medical School
Bucky Badger, because he’s a team
player and slightly paranoid about his
basketball plays being stolen
66. Who Uses Digital Certificates
Besides UW-Madison?
US Department of Defense
US Department of Homeland
Security
All Western European countries
New US Passport
Dartmouth College
University of Texas at Austin
Johnson & Johnson
Raytheon
Others
67. The Telephone Analogy
When the
telephone was
invented, it was
hard to sell.
It needed to
reach critical
mass and then
everyone wanted
one.
68. That All Sounds Great in Theory,
But Do I Really Need It?
• The world seems
to get along just
fine without digital
certificates…
• Oh, really?
• Let’s talk about
some recent
stories
70. How Do Users Feel About the
Technology?
• Ease of use
• Challenges
• Changes in how they do their daily
work
• Benefits
• Drawbacks
71. It Really Is Up To You!
• Digital certificates / PKI is not hard to
implement
• It provides end to end security of
sensitive communications
• It is comprehensive, not a mix of point
solutions
• You are the leaders of tomorrow, make
your choices count by pushing for
secure electronic communications!
72. Lab Exercises
• Crack a password protected file to
show how weak password
protection really is
• Digitally sign an email to each other
• Encrypt an email to each other