Making Digital Security a Reality With PKI
Nicholas A. Davis, UW-Madison
November 28, 2006
Presentation transcript


Overview

  • PKI 101 – Intro to digital certificates

  • History of PKI at UW-Madison

  • UW-Madison IT environment

  • Why UW-Madison is interested in PKI

  • PKI cost and model comparison

  • What it all actually looks like in reality

  • Our experience so far and our future plans

  • Universal truths

  • What we have learned

  • Final thoughts

  • How to get started today!

  • Questions


Public Key Infrastructure (PKI) 101

  • PKI = System to manage digital certificates

  • Digital Passport

  • Digital key to unlock encrypted Data

  • Digital pen to sign


PKI 101 (Continued)

  • Digitally sign Microsoft Office documents, spreadsheets, email, PDF files, etc.

  • Encrypt email in transit and storage, end to end

  • Authenticate with a much stronger credential than username & password


History of PKI at UW-Madison

  • October 2000 – UW-Madison and Dartmouth get together

  • June 2004 – Requirements gathering

  • May 2005 – Geotrust selected


UW-Madison IT Landscape

  • Faculty, Staff, Students

  • Highly decentralized

  • Public institution

  • Research driven environment


Communities Served by UW-Madison AuthNZ: It’s Not Just About Us Anymore


Why the UW-Madison is interested in digital security solutions

  • Threat of identity theft (Authentication) – Alice and Bob story

  • More university businesses conducted via the Internet (encryption)

  • Non-repudiation (signing)


Up Front Development Costs

  • Gartner Group estimates that the average commercial PKI system costs $1 million to implement

  • 80% of PKI systems never get beyond “pilot” status

  • Our estimated first year costs are substantially less than this


PKI Models Under Consideration

  • In-House Commercial

  • In-House Open Source

  • Co-managed


Time to Implement

  • Feature Set

  • Cost of establishing sandbox, QA and production environments

  • Hardware acquisition

  • CP and CPS statements

  • Open Source, 12 months

  • In-House Commercial, 9 months

  • Co-Managed Commercial, 1 month



Geotrust Selected as UW-Madison PKI

  • Lower upfront fixed costs

  • Lower 10 year costs

  • Faster road to implementation

  • Trusted Root

  • Off Site Key Escrow

  • Automated certificate delivery

  • UW-Madison common look and feel

  • No long term lock in


No Trusted Root With Open Source

An unsigned root means distrust, both within and outside our core universe.


Certificate Storage

  • Aladdin Etoken

  • USB based for ease of integration

  • Excellent customer support

  • Enhanced platform support


What does it actually look like in practice? (Sending)



What does it actually look like in practice? (Receiving, decrypted)



What does it actually look like in practice? (Receiving, intercepted)



Feature Set – Trusted Root

Seamless trust lets us play globally via the Equifax Secure eBusiness CA-1.


Feature Set – Key Escrow

Is Big Brother watching? Who do the keys belong to, anyway?


Feature Set – Distance Users – Co-Managed

All the user needs is a web browser in order to get their certificate.


Our Experience So Far

Customers appreciate:

  • Automated certificate delivery

  • Trusted Root

  • Key Escrow

Uses:

  • Using certificates for digital signing

  • Using certificates for encrypted email

  • Digital signing of mass email to campus


So Now What?

  • Digital certificate management model proven

  • Low hanging digital fruit has been harvested

  • Is it time for me to retire?


Leveraging Our Existing System

  • The UW-Madison PKI is in place today for signing and encryption

  • Encourage others to change their way of doing business

  • Integration with our current Web ISO for authentication


Example of Business Process Change

  • UW-Madison Police and Security

  • Building access: New centralized system

  • Same historically weak business processes

  • FERPA issues

  • PKI to the rescue!

  • 110 new users


Universal Truths

  • People are not interested in vaporware to solve their problems

  • Administrative controls don’t work

  • If you don’t trust anyone, nobody will trust you. You have to play by the rules, even if you don’t like them


The Secret is Evolution, Not Revolution

Revolutions are bloody! Evolution lets you gain immediate benefit today while planning for a better tomorrow, without throwing away all your current systems.


Integration with WebISO – Easy Evolution

  • WebISO is an independent authentication module for web apps.

  • Currently username and password enabled

  • Easily converts to digital certificate based authentication without requiring rewrite of all applications


But What About SecurID?

  • SecurID = One Time Password authentication device (OTP)

  • Great for authentication!

  • What else does it do?

  • Cost!

  • Vendor Lock-in!

  • Good point solution, but hardly forward thinking


Critical Success Factors for the UW-Madison

  • A focus on the customer requirements is of pinnacle importance

  • Financial lifecycle modeling for both short and long term

  • Being careful not to reinvent the wheel simply for the sake of pride

  • Top down support from the CIO’s office


What We Have Learned

  • A certificate is a certificate

  • What matters most is what your organization does with the certificate once it is issued

  • The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance


Final Thoughts

  • The key to success in a decentralized environment lies in motivating your users, not obligating your users

  • Whether you choose to build or buy, remember to keep it simple for the customers

  • Don’t spend time on duplication of effort


“But We Are Different…”

  • We all like to think we are different

  • Setup a content filtering device with 100 keywords on your outgoing email

  • Let me know what you discover

  • Ignorance is not an excuse for weak security practices


Audience Question

How is PKI similar to a telephone network?

The value of the system is proportional to the number of people who have a phone or a digital certificate!



The First Taste is Free!

Download a FREE email digital certificate:

www.ascertia.com

www.thawte.com

Perform inter-institutional testing with your organization and UW-Madison!

Digital certificates are inherently supported in: Outlook, Outlook Express, Thunderbird, Mail.app, Mulberry, Eudora 7.0


Questions and Comments

Nicholas Davis

PKI Project Leader

UW-Madison

[email protected]

608-262-3837

www.doit.wisc.edu/middleware/pki

PLEASE PARTNER WITH US AS WE MOVE FORWARD WITH PKI!

-----BEGIN CERTIFICATE-----
MIIDLjCCApegAwIBAgICAdkwDQYJKoZIhvcNAQEFBQAwgYkxCzAJBgNVBAYTAlVT
MSswKQYDVQQKEyJEaXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSMw
IQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgLSBTdHVkZW50czEoMCYGA1UEAxMfVW5p
dmVyc2l0eSBvZiBXaXNjb25zaW4tTWFkaXNvbjAeFw0wNjA5MDYxNjUzMjJaFw0w
NzA5MDYxNjUzMjJaMIG8MQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lzY29uc2lu
MRAwDgYDVQQHEwdNYWRpc29uMSgwJgYDVQQKEx9Vbml2ZXJzaXR5IG9mIFdpc2Nv
bnNpbi1NYWRpc29uMSMwIQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgLSBTdHVkZW50
czEXMBUGA1UEAxMOTmljaG9sYXMgRGF2aXMxHzAdBgkqhkiG9w0BCQEWEG5kYXZp
czFAd2lzYy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJECUO2/kNde
rq9BXL9c60k7glXKSilVTS2hWfI7OVrVVVpSdOOVwd2djZ4EfuuJTmvwMRWdnU3h
124gFZWO+LiDhLx+iLC1bCwVbvUJPyfjViqXMoKgUNx7NStt6YlntqxvNfzW5Lxq
NQ2VCu23AFqczmGxvX27M2VtSPg1oCWfAgMBAAGjcDBuMA4GA1UdDwEB/wQEAwIF
4DA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxz
L3dpc2NvbnNpbi5jcmwwHwYDVR0jBBgwFoAUHJ5SUhsEYkcsaywBuGnxqTcsIyQw
DQYJKoZIhvcNAQEFBQADgYEADgrwXFZyVWceIhbro0lR2NfdwqbkY1p1ywr9v8lf
JGUfZ0scAxaNfdfkXMHJvMK7MZCQ65vXEO9YwTFAfugXK+AAFot0HhNvWMwvBLqX
cYKps+A5VU9JnhNAKZJRIImiGCKjz2e+ZARm6fjTxheW5qJyJq30sbwukG/tsbXT
jnw=
-----END CERTIFICATE-----
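The PKI 101 slides call a certificate a "digital passport"; the certificate printed on the closing slide is a real one, so it can be opened up. The following is an added example, written for this page and not code from the UW-Madison project or from GeoTrust: a minimal DER reader, using only the Python standard library, that decodes that certificate and pulls out what a relying party actually checks: who issued it, to whom, the validity window, the key usage bits (which map onto the deck's three uses: signing, encryption and authentication) and where the CA publishes its revocation list. The helper names, the OID table and the ISO-timestamp interface of `valid_at` are this example's own choices. The parser handles only the DER constructs this certificate uses (UTCTime dates, single-valued RDNs, RSA keys); it does not verify the signature against the issuer, which a real verifier must do with a proper X.509 library.

```python
import base64
import datetime

# The certificate printed on the deck's closing slide, copied verbatim from the page.
UW_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIDLjCCApegAwIBAgICAdkwDQYJKoZIhvcNAQEFBQAwgYkxCzAJBgNVBAYTAlVT
MSswKQYDVQQKEyJEaXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSMw
IQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgLSBTdHVkZW50czEoMCYGA1UEAxMfVW5p
dmVyc2l0eSBvZiBXaXNjb25zaW4tTWFkaXNvbjAeFw0wNjA5MDYxNjUzMjJaFw0w
NzA5MDYxNjUzMjJaMIG8MQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lzY29uc2lu
MRAwDgYDVQQHEwdNYWRpc29uMSgwJgYDVQQKEx9Vbml2ZXJzaXR5IG9mIFdpc2Nv
bnNpbi1NYWRpc29uMSMwIQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgLSBTdHVkZW50
czEXMBUGA1UEAxMOTmljaG9sYXMgRGF2aXMxHzAdBgkqhkiG9w0BCQEWEG5kYXZp
czFAd2lzYy5lZHUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJECUO2/kNde
rq9BXL9c60k7glXKSilVTS2hWfI7OVrVVVpSdOOVwd2djZ4EfuuJTmvwMRWdnU3h
124gFZWO+LiDhLx+iLC1bCwVbvUJPyfjViqXMoKgUNx7NStt6YlntqxvNfzW5Lxq
NQ2VCu23AFqczmGxvX27M2VtSPg1oCWfAgMBAAGjcDBuMA4GA1UdDwEB/wQEAwIF
4DA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxz
L3dpc2NvbnNpbi5jcmwwHwYDVR0jBBgwFoAUHJ5SUhsEYkcsaywBuGnxqTcsIyQw
DQYJKoZIhvcNAQEFBQADgYEADgrwXFZyVWceIhbro0lR2NfdwqbkY1p1ywr9v8lf
JGUfZ0scAxaNfdfkXMHJvMK7MZCQ65vXEO9YwTFAfugXK+AAFot0HhNvWMwvBLqX
cYKps+A5VU9JnhNAKZJRIImiGCKjz2e+ZARm6fjTxheW5qJyJq30sbwukG/tsbXT
jnw=
-----END CERTIFICATE-----"""

# Only the OIDs this example needs; anything else is reported in dotted form.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O",
             "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress", "2.5.29.15": "keyUsage",
             "2.5.29.31": "cRLDistributionPoints", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
                  "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def read_tlv(buf, pos):
    """One DER tag/length/value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """The (tag, value) elements inside a constructed SEQUENCE or SET."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                      # base-128 arcs; high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, n = parts + [str(n)], 0
    return ".".join(parts)

def decode_name(value):
    """X.501 Name = SEQUENCE OF SET OF SEQUENCE { attribute OID, string value }."""
    out = {}
    for _, rdn in children(value):
        for _, attr in children(rdn):
            (_, oid), (_, text) = children(attr)
            out[OID_NAMES.get(decode_oid(oid), decode_oid(oid))] = text.decode("ascii")
    return out

def key_usage(extn):
    """BIT STRING: first byte is the unused-bit count, bits are numbered from the MSB."""
    _, bits, _ = read_tlv(extn, 0)
    unused, data = bits[0], bits[1:]
    return [KEY_USAGE_BITS[i] for i in range(len(data) * 8 - unused) if data[i // 8] & (0x80 >> i % 8)]

def crl_urls(extn):
    """SEQUENCE OF DistributionPoint -> [0] distributionPoint -> [0] fullName -> [6] URI."""
    urls = []
    for _, dp in children(read_tlv(extn, 0)[1]):
        for tag, dpn in children(dp):
            for tag2, names in (children(dpn) if tag == 0xA0 else []):
                if tag2 == 0xA0:
                    urls += [gn.decode("ascii") for t, gn in children(names) if t == 0x86]
    return urls

def parse_certificate(pem):
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    (_, tbs), _sig_alg, _sig = children(read_tlv(base64.b64decode(body), 0)[1])
    fields = children(tbs)
    i, version = 0, 1
    if fields[0][0] == 0xA0:                 # EXPLICIT [0] version; absent means v1
        i, version = 1, children(fields[0][1])[0][1][0] + 1
    sig_oid = decode_oid(children(fields[i + 1][1])[0][1])
    # Validity holds two UTCTime values (YYMMDDhhmmssZ); dates from 2050 on would be GeneralizedTime
    not_before, not_after = [datetime.datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             for _, v in children(fields[i + 3][1])]
    # SubjectPublicKeyInfo: AlgorithmIdentifier, BIT STRING wrapping RSAPublicKey { n, e }
    (_, n), (_, e) = children(read_tlv(children(fields[i + 5][1])[1][1], 1)[1])
    exts = {}
    if len(fields) > i + 6 and fields[i + 6][0] == 0xA3:
        for _, ext in children(children(fields[i + 6][1])[0][1]):
            parts = children(ext)            # OID, optional BOOLEAN critical, OCTET STRING value
            oid = decode_oid(parts[0][1])
            exts[OID_NAMES.get(oid, oid)] = (len(parts) == 3 and parts[1][1] == b"\xff", parts[-1][1])
    return {
        "version": version, "serial": int.from_bytes(fields[i][1], "big"),
        "signature_algorithm": OID_NAMES.get(sig_oid, sig_oid),
        "issuer": decode_name(fields[i + 2][1]), "subject": decode_name(fields[i + 4][1]),
        "not_before": not_before, "not_after": not_after,
        "rsa_bits": int.from_bytes(n, "big").bit_length(), "rsa_exponent": int.from_bytes(e, "big"),
        "key_usage": key_usage(exts["keyUsage"][1]) if "keyUsage" in exts else [],
        "key_usage_critical": exts.get("keyUsage", (False, b""))[0],
        "crl_urls": crl_urls(exts["cRLDistributionPoints"][1]) if "cRLDistributionPoints" in exts else [],
    }

def valid_at(info, iso_datetime):
    """True if the ISO 8601 UTC timestamp (e.g. '2006-11-28T00:00:00') lies inside the validity window."""
    return info["not_before"] <= datetime.datetime.fromisoformat(iso_datetime) <= info["not_after"]

if __name__ == "__main__":
    for key, value in parse_certificate(UW_CERT_PEM).items():
        print(f"{key}: {value}")
```

Running it shows the certificate was issued by the "University of Wisconsin-Madison" CA (organization "Division of Information Technology") to Nicholas Davis, with a 1024-bit RSA key, a one-year window from September 2006 that covered the day of the talk, a critical keyUsage of digitalSignature, nonRepudiation and keyEncipherment (the sign, prove and encrypt uses the deck lists), and a CRL hosted at crl.geotrust.com, which is the co-managed arrangement the Geotrust slides describe. The authorityKeyIdentifier extension is what lets a verifier find the issuer's certificate and walk upward to the trusted root the Feature Set slide talks about.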

