
Making Digital Security a Reality With PKI

Nicholas A. Davis, UW-Madison

November 28, 2006

/ca/eecert

Overview

• PKI 101 – Intro to digital certificates

• History of PKI at UW-Madison

• UW-Madison IT environment

• Why UW-Madison is interested in PKI

• PKI cost and model comparison

• What it all actually looks like in reality

• Our experience so far and our future plans

• Universal truths

• What we have learned

• Final thoughts

• How to get started today!

• Questions

Public Key Infrastructure (PKI) 101

• PKI = System to manage digital certificates

• Digital Passport

• Digital key to unlock encrypted Data

• Digital pen to sign

PKI 101 (Continued)

• Digitally sign Microsoft Office documents, spreadsheets, email, PDF files, etc.

• Encrypt email in transit and storage, end to end

• Authenticate with a much stronger credential than username & password

History of PKI at UW-Madison

• October 2000 – UW-Madison and Dartmouth get together

• June 2004 – Requirements gathering

• May 2005 – Geotrust selected

UW-Madison IT Landscape

• Faculty, Staff, Students

• Highly decentralized

• Public institution

• Research driven environment

Communities Served by UW-Madison AuthNZ

It’s Not Just About Us Anymore

Why the UW-Madison is interested in digital security solutions

• Threat of identity theft (Authentication) – Alice and Bob story

• More university businesses conducted via the Internet (encryption)

• Non-repudiation (signing)

Up Front Development Costs

• Gartner Group estimates that the average commercial PKI system costs $1 million to implement

• 80% of PKI systems never get beyond “pilot” status

• Our estimated first year costs are substantially less than this

Time to Implement

• Feature Set

• Cost of establishing sandbox, QA and production environments

• Hardware acquisition

• CP and CPS statements

• Open Source, 12 months

• In-House Commercial, 9 months

• Co-Managed Commercial, 1 month

Annual Cost Summary

[Chart: annual cost, $0 to $400,000, for years 1 through 10. Series: Build In House Open Source, Build In House Commercial, Buy Co-Managed]

10 year cost

[Chart: 10 year cost, $0 to $2,500,000. Categories: Build In House Open Source, Build In House Commercial, Buy Co-Managed]

Geotrust Selected as UW-Madison PKI

• Lower upfront fixed costs

• Lower 10 year costs

• Faster road to implementation

• Trusted Root

• Off Site Key Escrow

• Automated certificate delivery

• UW-Madison common look and feel

• No long term lock in

No Trusted Root With Open Source

Unsigned Root means distrust both within and outside our core universe

Certificate Storage

• Aladdin Etoken

• USB based for ease of integration

• Excellent customer support

• Enhanced platform support

What does it actually look like in practice?

-Sending-

What does it actually look like in practice (unlocking my private key)

-sending-

What does it actually look like in practice?

-receiving- (decrypted)

Digitally Signed and Verified, Encrypted

What does it actually look like in practice?

-receiving- (intercepted)

The look of UW-Madison digital certificates

Feature Set – Trusted Root

Seamless trust lets us play globally via the Equifax Secure eBusiness CA1
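The trust-store behaviour behind this slide and the earlier "No Trusted Root With Open Source" slide, as an added example that is not part of the original presentation: a certificate verifies only when its root is already in the relying party's trust store. It uses the `openssl` command line, and every subject name and file in it is constructed for illustration.

```shell
#!/bin/sh
# Added example; every subject name and file below is constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed root and one end-entity certificate issued under it.
# $1 = file prefix, $2 = common name of the root
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1-root.key" -out "$WORK/$1-root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed User" \
        -keyout "$WORK/$1-user.key" -out "$WORK/$1-user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1-user.csr" \
        -CA "$WORK/$1-root.pem" -CAkey "$WORK/$1-root.key" -CAcreateserial \
        -out "$WORK/$1-user.pem" 2>/dev/null
}

# Verify certificate $2 against a relying party's trust store $1 (a PEM file).
# Prints TRUSTED when a chain to a root in that store can be built.
check_trust() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo TRUSTED
    else
        echo UNTRUSTED
    fi
}

# "inhouse" stands for a root an organization generates itself;
# "shipped" stands for a root already present in recipients' software.
make_pki inhouse "Constructed In-House Root"
make_pki shipped "Constructed Preinstalled Root"

# A campus machine where the in-house root was imported by hand.
echo "campus store, in-house cert:  $(check_trust "$WORK/inhouse-root.pem" "$WORK/inhouse-user.pem")"
# An outside recipient who only has the preinstalled root.
echo "outside store, in-house cert: $(check_trust "$WORK/shipped-root.pem" "$WORK/inhouse-user.pem")"
echo "outside store, shipped cert:  $(check_trust "$WORK/shipped-root.pem" "$WORK/shipped-user.pem")"
```

The second line is the case the slides warn about: the signature is valid, but the recipient has no anchor for it, so mail clients flag the message instead of showing it as verified.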

Feature Set – Key Escrow

Is Big Brother watching? Who do the keys belong to anyway?

Feature Set – Distance Users – Co-Managed

All the user needs is a web browser in order to get their certificate

Our Experience So Far

Customers appreciate:

• Automated certificate delivery

• Trusted Root

• Key Escrow

Uses:

• Using certificates for digital signing

• Using certificates for encrypted email

• Digital signing of mass email to campus

So Now What?

• Digital certificate management model proven

• Low hanging digital fruit has been harvested

• Is it time for me to retire?

Leveraging Our Existing System

• The UW-Madison PKI is in place today for signing and encryption

• Encourage others to change their way of doing business

• Integration with our current Web ISO for authentication

Example of Business Process Change

• UW-Madison Police and Security

• Building access: New centralized system

• Same historically weak business processes

• FERPA issues• PKI to the rescue!• 110 new users

Universal Truths

• People are not interested in vaporware to solve their problems

• Administrative controls don’t work

• If you don’t trust anyone, nobody will trust you. You have to play by the rules, even if you don’t like them

The Secret is Evolution, Not Revolution

Revolutions are bloody! Evolution lets you gain immediate benefit today while planning for a better tomorrow without throwing away all your current systems

Integration with WebISO – Easy Evolution

• WebISO is an independent authentication module for web apps.

• Currently username and password enabled

• Easily converts to digital certificate based authentication without requiring rewrite of all applications

But What About SecurID?

• SecurID = One Time Password authentication device (OTP)

• Great for authentication!

• What else does it do?

• Cost!

• Vendor Lock-in!

• Good point solution, but hardly forward thinking

Critical Success factors for the UW-Madison

• A focus on the customer requirements is of pinnacle importance

• Financial lifecycle modeling for both short and long term

• Being careful not to reinvent the wheel simply for the sake of pride

• Top down support from the CIO’s office

What We Have Learned

• A certificate is a certificate

• What matters most is what your organization does with the certificate once it is issued

• The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance

Final Thoughts

• The key to success in a decentralized environment lies in motivating your users, not obligating your users

• Whether you choose to build or buy, remember to keep it simple for the customers

• Don’t spend time on duplication of effort

“But We Are Different…..”

• We all like to think we are different

• Set up a content filtering device with 100 keywords on your outgoing email

• Let me know what you discover

• Ignorance is not an excuse for weak security practices

Audience Question

How is PKI similar to a Telephone network?

The value of the system is proportional to the number of people who have a phone or a digital certificate!

“It can happen to you, it can happen to me, it can happen to everyone eventually…..”

The First Taste is Free!

Download a FREE email digital certificate

www.ascertia.com

www.thawte.com

Perform inter-institutional testing with your organization and UW-Madison!

Digital certificates are inherently supported in: Outlook, Outlook Express, Thunderbird, Mail.app, Mulberry, Eudora 7.0

Questions and Comments

Nicholas Davis

PKI Project [email protected]/middleware/pki

PLEASE PARTNER WITH US AS WE MOVE FORWARD WITH PKI!
