Making Digital Security a Reality With PKI
Nicholas A. Davis, UW-Madison, November 28, 2006

Overview


  • PKI 101 – Intro to digital certificates

  • History of PKI at UW-Madison

  • UW-Madison IT environment

  • Why UW-Madison is interested in PKI

  • PKI cost and model comparison

  • What it all actually looks like in reality

  • Our experience so far and our future plans

  • Universal truths

  • What we have learned

  • Final thoughts

  • How to get started today!

  • Questions

Public Key Infrastructure (PKI) 101

  • PKI = System to manage digital certificates

  • Digital Passport

  • Digital key to unlock encrypted Data

  • Digital pen to sign

PKI 101 (Continued)

  • Digitally sign Microsoft Office documents, spreadsheets, email, PDF files, etc.

  • Encrypt email in transit and storage, end to end

  • Authenticate with a much stronger credential than username & password

History of PKI at UW-Madison

  • October 2000 – UW-Madison and Dartmouth get together

  • June 2004 – Requirements gathering

  • May 2005 – Geotrust selected

UW-Madison IT Landscape

  • Faculty, Staff, Students

  • Highly decentralized

  • Public institution

  • Research driven environment

Communities Served by UW-Madison AuthNZ: It’s Not Just About Us Anymore

Why the UW-Madison is interested in digital security solutions

  • Threat of identity theft (Authentication) – Alice and Bob story

  • More university business conducted via the Internet (encryption)

  • Non-repudiation (signing)

Up Front Development Costs

  • Gartner Group estimates that the average commercial PKI system costs $1 million to implement

  • 80% of PKI systems never get beyond “pilot” status

  • Our estimated first year costs are substantially less than this

PKI Models Under Consideration

  • In-House Commercial

  • In-House Open Source

  • Co-managed

Time to Implement

  • Feature Set

  • Cost of establishing sandbox, QA and production environments

  • Hardware acquisition

  • CP (Certificate Policy) and CPS (Certification Practice Statement)

  • Open Source, 12 months

  • In-House Commercial, 9 months

  • Co-Managed Commercial, 1 month

Geotrust Selected as UW-Madison PKI

  • Lower upfront fixed costs

  • Lower 10 year costs

  • Faster road to implementation

  • Trusted Root

  • Off Site Key Escrow

  • Automated certificate delivery

  • UW-Madison common look and feel

  • No long term lock in

No Trusted Root With Open Source

Unsigned root means distrust both within and outside our core universe

Certificate Storage

  • Aladdin eToken

  • USB based for ease of integration

  • Excellent customer support

  • Enhanced platform support

What does it actually look like in practice? (Sending)

What does it actually look like in practice? (Receiving: decrypted)

What does it actually look like in practice? (Receiving: intercepted)

Feature Set: Trusted Root

Seamless trust lets us play globally via the Equifax Secure eBusiness CA1

Feature Set: Key Escrow

Is Big Brother watching?

Who do the keys belong to?


Feature Set – Distance Users – Co-Managed

All the user needs is a web browser in order to get their


Our Experience So Far

Customers appreciate:

  • Automated certificate delivery

  • Trusted Root

  • Key Escrow


  • Using certificates for digital signing

  • Using certificates for encrypted email

  • Digital signing of mass email to campus

So Now What?

  • Digital certificate management model proven

  • Low hanging digital fruit has been harvested

  • Is it time for me to retire?

Leveraging Our Existing System

  • The UW-Madison PKI is in place today for signing and encryption

  • Encourage others to change their way of doing business

  • Integration with our current WebISO for authentication

Example of Business Process Change

  • UW-Madison Police and Security

  • Building access: New centralized system

  • Same historically weak business processes

  • FERPA issues

  • PKI to the rescue!

  • 110 new users

Universal Truths

  • People are not interested in vaporware to solve their problems

  • Administrative controls don’t work

  • If you don’t trust anyone, nobody will trust you. You have to play by the rules, even if you don’t like them

The Secret is Evolution, Not Revolution

Revolutions are bloody!

Evolution lets you gain immediate benefit today while planning for a better tomorrow without throwing away all your current systems

Integration with WebISO: Easy Evolution

  • WebISO is an independent authentication module for web apps.

  • Currently username and password enabled

  • Easily converts to digital certificate based authentication without requiring rewrite of all applications

But What About SecurID?

  • SecurID = One Time Password (OTP) authentication device

  • Great for authentication!

  • What else does it do?

  • Cost!

  • Vendor Lock-in!

  • Good point solution, but hardly forward thinking

Critical Success Factors for the UW-Madison

  • A focus on the customer requirements is of paramount importance

  • Financial lifecycle modeling for both short and long term

  • Being careful not to reinvent the wheel simply for the sake of pride

  • Top down support from the CIO’s office

What We Have Learned

  • A certificate is a certificate

  • What matters most is what your organization does with the certificate once it is issued

  • The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance

Final Thoughts

  • The key to success in a decentralized environment lies in motivating your users, not obligating your users

  • Whether you choose to build or buy, remember to keep it simple for the customers

  • Don’t spend time on duplication of effort

“But We Are Different…”

  • We all like to think we are different

  • Set up a content filtering device with 100 keywords on your outgoing email

  • Let me know what you discover

  • Ignorance is not an excuse for weak security practices

Audience Question

How is PKI similar to a

The value of the system is proportional to the number of people who have a phone or a digital certificate!

The First Taste is Free!

Download a FREE email digital certificate

Perform inter-institutional testing with your organization and UW-Madison!

Digital certificates are inherently supported in: Outlook, Outlook Express, Thunderbird, Mulberry, Eudora 7.0

Questions and Comments

Nicholas Davis

PKI Project Leader


[email protected]