PKI & Personal Digital Certificates, the Key to Securing Sensitive Electronic Communications

  1. PKI & Personal Digital Certificates, The Key to Securing Sensitive Electronic Communications
     December 2, 2010
     Nicholas Davis
  2. Agenda
     • Introduction
     • We will eat
     • We will watch movies
     • We will find an error in the textbook
     • We will learn
     • We will chat
     • We will have fun
  3. Twix
     • Twix is a candy bar made by Mars, Inc., consisting of a biscuit finger, topped with caramel and coated in milk chocolate. Being somewhat smaller in width than other confectionery bars, Twix bars are typically packaged in pairs. Twix was first produced in the UK in 1967, and introduced in the United States in 1979
  4. Overview
     • Why is electronic privacy such a hot topic these days?
     • What is a digital certificate?
     • What is PKI?
     • Why are these technologies important?
     • Trusted Root Authorities
     • Using digital certificates for email encryption
     • Key Escrow, the double edged sword
     • Integrating digital certificates into email for security
     • How is PKI related to SSL?
     • Using certificates for code signing of software
     • Real world issues with PKI
     • Discussion
  5. Why Is Electronic Privacy Such a Hot Topic Today?
     • Evolution of the Internet, commerce, banking, healthcare
     • Dependence on Email
     • Government regulations, SOX, HIPAA, GLB, PCI, FERPA
     • Public Image
     • Business warehousing
     • Industrial Espionage
     • The government
  6. The Topic is More Interesting When It Affects You!
  7. Intercepting Your Electronic Communications
  8. Discussion Topic One
     • Do you think the threat of Email eavesdropping is real?
     • What about the government’s argument about Email being like a “postcard?”
     • Should Target be allowed to look at Walmart emails on a public network?
     • Are you angry now, or just afraid?
     • Who has the responsibility in this situation?
  9. What is a Digital Certificate?
  10. Digital Certificates Continued
     • Digital Certificate
     • Electronic Passport
     • Good for authentication
     • Good non-repudiation
     • Proof of authorship
     • Proof of non-altered content
     • Encryption!
     • Better than username - password
  11. What is in a Certificate?
  12. Public and Private Keys
     • The digital certificate has two parts, a PUBLIC key and a PRIVATE key
     • The Public Key is distributed to everyone
     • The Private Key is held very closely and NEVER shared
     • Public Key is used for encryption and verification of a digital signature
     • Private Key is used for digital signing and decryption
  13. Public Key Cryptography
  14. Getting Someone’s Public Key
     • The Public Key must be shared to be useful
     • It can be included as part of your Email signature
     • It can be looked up in an LDAP Directory
     • Can you think of the advantages and disadvantages of each method?
  15. Who Could This Public Key Possibly Belong To?
  16. What is PKI?
     • PKI is an acronym for Public Key Infrastructure
     • It is the system which manages and controls the lifecycle of digital certificates
     • The PKI has many features
  17. What Is In a PKI?
     • Credentialing of individuals
     • Generating certificates
     • Distributing certificates
     • Keeping copies of certificates
     • Reissuing certificates
     • Revoking certificates
     • Renewing certificates
  18. Credentialing
     • Non technical, but the most important part of a PKI!
     • A certificate is only as trustworthy as the underlying credentialing and management system
     • Certificate Policies and Certificate Practices Statement
  19. Certificate Generation and Storage
     • How do you know who you are dealing with in the generation process?
     • Where you keep the certificate is important
  20. Distributing Certificates
     • Can be done remotely – benefits and drawbacks
     • Can be done face to face – benefits and drawbacks
  21. Keeping Copies – Key Escrow
     • Benefit – Available in case of emergency
     • Drawback – Can be stolen
     • Compromise is the best!
     • Use audit trails, separation of duties and good accounting controls for key escrow
  22. Certificate Renewal
     • Just like your passport, digital certificates expire
     • This is for the safety of the organization and those who do business with it
     • Short lifetime – more assurance of validity but a pain to renew
     • Long lifetime – less assurance of validity, but easier to manage
     • Can be renewed with same keypair or new keypair depending on escrow situation
  23. Expiration
     • A rare moment for me…I get to point out an error in the textbook! (Page 418)
     • A message signed with an expired private key will show as invalid to the recipient
     • However, a private key can ALWAYS be used to decrypt a message, even an expired private key.
     • Nobody is perfect, forgive the textbook author!
  24. Revocation
     • Just like Stefan Wahe’s driving license, it can (and should be) revoked prior to expiration
     • CRL – Certificate Revocation List
     • OCSP – Online Certificate Status Protocol
     • Both are real time
     • In practice, both are rarely used
  25. Recovery
     • No escrow = no luck
     • But with escrow it must be easy, right? !!NOT!!
     • Proving identity
     • Getting copy from escrow
     • Secure delivery to recipient
     • Complex, tempting to cut corners, but resist temptation!
     • The book’s idea is even more complex!
  26. Trusted Root Authorities
     • A certificate issuer recognized by all computers around the globe
     • Root certificates are stored in the computer’s central certificate store
     • Requires a stringent audit and a lot of money!
  27. It Is All About Trust
  28. Using Certificates to Secure Email
     • Best use for certificates, in my opinion
     • Digital certificate provides proof that the email did indeed come from the purported sender
     • Public key enables encryption and ensures that the message can only be read by the intended recipient
  29. Secure Email is Called S/MIME
     • S/MIME = Secure Multipurpose Mail Extensions
     • S/MIME is the industry standard, not a point solution unique to a specific vendor
  30. Digital Signing of Email
     • Proves that the email came from you
     • Invalidates plausible denial
     • Proves through a checksum that the contents of the email were not altered while in transit
     • Provides a mechanism to distribute your public key
  31. Digital Signatures Do Not Prove When a Message or Document Was Signed
     • You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!
  32. Send Me a Signed Email, Please, I Need Your Public Key
  33. Using a Digital Signature for Email Signing
     • Provides proof that the email came from the purported sender… Is this email really from Vice President Cheney?
     • Provides proof that the contents of the email have not been altered from the original form… Should we really invade Mexico?
  34. A Digital Signature Can Be Invalid For Many Reasons
  35. Why Is Authenticating the Sender So Important?
  36. What if This Happens at Madison College?
     • Could cause harm in a critical situation
     • Case Scenario: Multiple hoax emails sent with Chancellor’s name and email. When real crisis arrives, people might not believe the warning.
     • It is all about trust!
  37. Digital Signing Summary
     • Provides proof of the author
     • Testifies to message integrity
     • Valuable for both individual or mass email
     • Supported by most email clients… Remember the 80-20 rule. Perfect is the enemy of good!
  38. What Encryption Does
     Encrypting data with a digital certificate secures it end to end.
     • While in transit
     • Across the network
     • While sitting on email servers
     • While in storage
     • On your desktop computer
     • On your laptop computer
     • On a server
  39. Encryption Protects the Data At Rest and In Transit
     • Physical theft from office
     • Physical theft from airport
     • Virtual theft over the network
  40. Why Encryption is Important
     • Keeps private information private
     • HIPAA, FERPA, SOX, GLB compliance
     • Proprietary research
     • Human Resource issues
     • Legal Issues
     • PR Issues
     • Industrial Espionage
     • Over-intrusive Government
     • You never know who is listening and watching!
  41. What does it actually look like in practice? -Sending-
  42. What does it actually look like in practice (unlocking my private key) -receiving-
  43. What does it actually look like in practice? -receiving- (decrypted)
  44. Digitally signed and verified; Encrypted
  45. What does it look like in practice? -receiving- (intercepted)
  46. Intercepting the Data in Transit
     • How might encrypted email be a security threat to your organization?
  47. Digital Certificates For Machines Too
     • SSL – Secure Socket Layer
     • Protection of data in transit
     • Protection of data at rest
     • Where is the greater threat?
     • Our certs protect both!
  48. Benefits of Using Digital Certificates
     • Provide global assurance of your identity, both internally and externally to the organization
     • Provide assurance of message authenticity and data integrity
     • Keeps private information private, end to end, while in transit and storage
     • You don’t need to have a digital certificate to verify someone else’s digital signature
     • Can be used for individual or generic mail accounts.
  49. The Telephone Analogy
     • When the telephone was invented, it was hard to sell.
     • It needed to reach critical mass and then everyone wanted one.
  50. That All Sounds Great in Theory, But Do I Really Need It?
     • The world seems to get along just fine without digital certificates…
     • Oh, really?
     • Let’s talk about some recent stories
  51. We Have Internal Threats Too @ UW-Madison!
  52. How Do Users Feel About the Technology?
     • Ease of use
     • Challenges
     • Changes in how they do their daily work
     • Benefits
     • Drawbacks
  53. It Really Is Up To You!
     • Digital certificates / PKI is not hard to implement
     • It provides end to end security of sensitive communications
     • It is comprehensive, not a mix of point solutions
     • You are the leaders of tomorrow, make your choices count by pushing for secure electronic communications!
  54. Traditional Written Signatures
  55. Signatures – Evidence
     • What is a signature?
     • A signature is not part of the substance of a transaction, but rather, it represents an understanding, acceptance or indication of agreement
     • Evidence: A signature authenticates a person by linking the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.
     • Example: Credit card receipt
  56. Signatures – The Three Part Process
     • Ceremony, Approval and Commitment
  57. Signatures – The Three Part Process
     • Ceremony:
     • The act of signing a document calls to the signer’s attention the significance of the signer’s act, and thereby helps prevent reckless or careless commitments
  58. Signatures – The Three Part Process
     • Approval:
     • In certain contexts defined by law or custom, a signature expresses the signer’s approval or authorization of the writing, or the signer’s intention that it have legal effect
  59. Signatures – The Three Part Process
     • Commitment:
     • A signature on a written document often imparts a sense of clarity and finality to the transaction
  60. Signatures
     • Traditional signatures put the cart before the horse!
     • How can you be certain that a mortgage application with Nicholas Davis’s signature was indeed signed by Nicholas Davis?
     • As trusting people, we generally accept a written signature at face value
  61. Signatures
     • Trust – When the going gets tough, scoundrels can emerge, to challenge the signature on a document
     • Verification against other documents – Assumes that you have access to other signed documents and assumes that signatures on those documents were not forged
  62. Signature
     • Before a signature can be trusted, we must have proof that the signature does truly belong to the signer
     • This is not as easy as it sounds…
  63. Signatures – Credentialing Process
     • Credentialing – An initial method of attestation to the truth of certain stated facts, such as identity.
     • Example: Government photo ID, address verification or proof of your SSN#, are all attestation methods used to credential people
  64. Signatures – Authentication Process
     • Authentication – The process of verifying that a person is in fact who they claim to be
     • Example: Showing your driver’s license to the guard at the front desk authenticates me as genuinely being Nicholas Davis
  65. Signatures – Authorization Process
     • Authorization – The granting of power or authority to someone, to do something specific
     • Example: The information system authorizes Nicholas Davis the rights to view certain files
  66. Signatures – Trust
     • In order for a signature to be relied upon and trusted for authorization of a transaction, the individual presenting the signature must first be credentialed and then authenticated, prior to allowing them to authorize a transaction
     • A three step process: Credentialing, Authentication, Authorization
     • In the world of written signatures, organizations rarely credential or authenticate people
  67. Signatures – Trust
     • A written signature, provided without a solid credentialing and authentication process, can make an organization and its customers vulnerable to fraudulent transactions
     • To further protect the organization and our customers from fraud, we look to information technology and the use of digital signatures…
  68. Digital Signatures vs. Written Signatures
     • A digital signature provides proof of:
     • Verified identity of the signer
     • Document integrity (The document has not been altered since it was digitally signed)
     • Non-repudiation (the signer can’t deny signing the document, as it was done with their digital certificate, which only they had access to)
     • A written signature provides proof of:
     • Unverified identity of the signer
     • Which type of signature provides a higher degree of trust?
  69. Digital Signatures – A Note About Identity Theft
     • As the Internet and E-Commerce continue to evolve and grow, it is important to understand what this change in business environment means
     • More and more traditional business processes are being converted to online applications
     • It is harder to impersonate someone in person than it is over the Internet
  70. Digital Signatures
     • Written signatures may be acceptable in person, but are impractical and risky when used in an online transaction because we can no longer associate a face with the signature
     • If our processes are going digital, so must our signatures!
  71. Digital Signatures vs Electronic Signatures
     • “Electronic signature” and “Digital signature” are not synonymous.
     • An electronic signature can be a symbol, sound, or process used to sign a document or transaction.
     • A digital signature, on the other hand, is a secure electronic signature which uses encryption to authenticate the entity who signed the document, encapsulate document contents to protect from unauthorized alteration and provide proof of non-repudiation
  72. Digital Signatures vs Electronic Signatures
     • A digital signature is a form of an electronic signature, but an electronic signature is not necessarily a digital signature.
     • Electronic signatures at best provide only questionable proof of identity, and do not provide proof of information/message integrity or non-repudiation
  73. How Can I Help You?
     ndavis1@wisc.edu
     Tel. 608-347-2486
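
The signing, expiry and revocation behaviour from slides 12, 23, 24, 30 and 34, as an added example that is not part of the original deck: a toy RSA key pair signs a message, a recipient-side check reports why a signature shows as invalid, and the private key still decrypts whatever the certificate's dates say. The `Certificate` class, the function names and all sample values are assumptions made for this illustration, and the key is built from two small known primes, so it is not secure.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime

# Constructed toy RSA key pair from two known Mersenne primes.
# Real keys are 2048 bits or more and use padding (PSS, OAEP).
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                     # public key, goes into the certificate
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent, never shared


@dataclass
class Certificate:                      # hypothetical, simplified certificate
    subject: str
    serial: int
    not_before: datetime
    not_after: datetime
    public_key: tuple                   # (modulus, public exponent)


def digest(message: bytes, n: int) -> int:
    """The 'checksum' of slide 30: SHA-256 of the message, reduced mod n."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes) -> int:
    """Sender side: sign the digest with the PRIVATE key."""
    return pow(digest(message, N), D, N)


def check_signature(cert, message, signature, now, revoked_serials):
    """Recipient side: verify with the PUBLIC key, then check the lifecycle."""
    n, e = cert.public_key
    if pow(signature, e, n) != digest(message, n):
        return "invalid: content altered or wrong key"
    if cert.serial in revoked_serials:  # stands in for a CRL or OCSP lookup
        return "invalid: certificate revoked"
    if not (cert.not_before <= now <= cert.not_after):
        return "invalid: certificate expired or not yet valid"
    return "valid"


def encrypt(cert, secret: bytes) -> int:
    """Anyone can encrypt to the certificate holder using the PUBLIC key."""
    n, e = cert.public_key
    m = int.from_bytes(secret, "big")
    if m >= n:
        raise ValueError("secret too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int) -> bytes:
    """The private key decrypts regardless of the certificate's dates."""
    m = pow(ciphertext, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    # Constructed sample certificate and message.
    cert = Certificate("sender@example.edu", 1001,
                       datetime(2010, 1, 1), datetime(2010, 12, 31), (N, E))
    msg = b"Campus closes at noon today."
    sig = sign(msg)
    print(check_signature(cert, msg, sig, datetime(2010, 12, 2), set()))
    print(check_signature(cert, msg + b"!", sig, datetime(2010, 12, 2), set()))
    print(check_signature(cert, msg, sig, datetime(2011, 6, 1), set()))
    print(check_signature(cert, msg, sig, datetime(2010, 12, 2), {1001}))
    print(decrypt(encrypt(cert, b"session-key-01")))
```
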
