Making Digital Security a Reality With PKI
Nicholas A. Davis, UW-Madison
November 28, 2006
/ca/eecert
Overview
• PKI 101 – Intro to digital certificates
• History of PKI at UW-Madison
• UW-Madison IT environment
• Why UW-Madison is interested in PKI
• PKI cost and model comparison
• What it all actually looks like in reality
• Our experience so far and our future plans
• Universal truths
• What we have learned
• Final thoughts
• How to get started today!
• Questions
Public Key Infrastructure (PKI) 101
• PKI = System to manage digital certificates
• Digital passport
• Digital key to unlock encrypted data
• Digital pen to sign
PKI 101 (Continued)
• Digitally sign Microsoft Office documents, spreadsheets, email, PDF files, etc.
• Encrypt email in transit and storage, end to end
• Authenticate with a much stronger credential than username & password
History of PKI at UW-Madison
• October 2000 – UW-Madison and Dartmouth get together
• June 2004 – Requirements gathering
• May 2005 – Geotrust selected
UW-Madison IT Landscape
• Faculty, Staff, Students
• Highly decentralized
• Public institution
• Research driven environment
Communities Served by UW-Madison AuthNZ
It’s Not Just About Us Anymore
Why the UW-Madison is interested in digital security solutions
• Threat of identity theft (Authentication) – Alice and Bob story
• More university businesses conducted via the Internet (encryption)
• Non-repudiation (signing)
Up Front Development Costs
• Gartner Group estimates that the average commercial PKI system costs $1 million to implement
• 80% of PKI systems never get beyond “pilot” status
• Our estimated first year costs are substantially less than this
PKI Models Under Consideration
• In-House Commercial
• In-House Open Source
• Co-managed
Time to Implement
• Feature Set
• Cost of establishing sandbox, QA and production environments
• Hardware acquisition
• CP and CPS statements (Certificate Policy and Certification Practice Statement)
• Open Source, 12 months
• In-House Commercial, 9 months
• Co-Managed Commercial, 1 month
Annual Cost Summary
[Chart: annual cost (y-axis $0 to $400,000) over years 1 to 10 for three options: Build In-House Open Source, Build In-House Commercial, Buy Co-Managed]
10 Year Cost
[Chart: total 10-year cost (y-axis $0 to $2,500,000) for Build In-House Open Source, Build In-House Commercial, Buy Co-Managed]
Geotrust Selected as UW-Madison PKI
• Lower upfront fixed costs
• Lower 10 year costs
• Faster road to implementation
• Trusted Root
• Off Site Key Escrow
• Automated certificate delivery
• UW-Madison common look and feel
• No long term lock in
No Trusted Root With Open Source
Unsigned Root means distrust both within and outside our core universe
Certificate Storage
• Aladdin eToken
• USB based for ease of integration
• Excellent customer support
• Enhanced platform support
Feature Set – Trusted Root
Seamless trust lets us play globally via the Equifax Secure eBusiness CA1
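An added example, not from the presentation, of the trusted-root point made on this slide and on the "No Trusted Root With Open Source" slide, written in Go with the standard library's crypto/x509 package: a user certificate issued by a self-signed campus root is rejected by a relying party whose trust store holds only a commercial root, and accepted once that campus root is installed. All CA and user names are constructed.

```go
// Added example, not from the slides: the relying party's trust store decides whether a user cert
// is believed. A leaf under a root that nobody else has installed fails until that root is added.
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newCert issues a certificate for cn: self-signed when parent is nil, otherwise signed by parent.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is supplied
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// trusted reports whether leaf chains to a root the relying party has installed in its store.
func trusted(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

func main() {
	campusRoot, campusKey := newCert("Campus Root CA (constructed)", true, nil, nil)
	commercialRoot, _ := newCert("Commercial Root CA (constructed)", true, nil, nil)
	alice, _ := newCert("Alice Example (constructed)", false, campusRoot, campusKey)
	fmt.Println(trusted(alice, commercialRoot), trusted(alice, commercialRoot, campusRoot)) // false true
}
```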
Feature Set – Distance Users – Co-Managed
All the user needs is a web browser in order to get their certificate
Our Experience So Far
Customers appreciate:
• Automated certificate delivery
• Trusted Root
• Key Escrow
Uses:
• Using certificates for digital signing
• Using certificates for encrypted email
• Digital signing of mass email to campus
So Now What?
• Digital certificate management model proven
• Low hanging digital fruit has been harvested
• Is it time for me to retire?
Leveraging Our Existing System
• The UW-Madison PKI is in place today for signing and encryption
• Encourage others to change their way of doing business
• Integration with our current Web ISO for authentication
Example of Business Process Change
• UW-Madison Police and Security
• Building access: New centralized system
• Same historically weak business processes
• FERPA issues
• PKI to the rescue!
• 110 new users
Universal Truths
• People are not interested in vaporware to solve their problems
• Administrative controls don’t work
• If you don’t trust anyone, nobody will trust you. You have to play by the rules, even if you don’t like them
The Secret is Evolution, Not Revolution
Revolutions are bloody! Evolution lets you gain immediate benefit today while planning for a better tomorrow without throwing away all your current systems
Integration with WebISO – Easy Evolution
• WebISO is an independent authentication module for web apps.
• Currently username and password enabled
• Easily converts to digital certificate based authentication without requiring rewrite of all applications
But What About SecurID?
• SecurID = One Time Password authentication device (OTP)
• Great for authentication!
• What else does it do?
• Cost!
• Vendor Lock-in!
• Good point solution, but hardly forward thinking
Critical Success factors for the UW-Madison
• A focus on the customer requirements is of paramount importance
• Financial lifecycle modeling for both short and long term
• Being careful not to reinvent the wheel simply for the sake of pride
• Top down support from the CIO’s office
What We Have Learned
• A certificate is a certificate
• What matters most is what your organization does with the certificate once it is issued
• The challenge of implementing PKI is 30% technical and 70% user education, marketing and acceptance
Final Thoughts
• The key to success in a decentralized environment lies in motivating your users, not obligating your users
• Whether you choose to build or buy, remember to keep it simple for the customers
• Don’t spend time on duplication of effort
“But We Are Different…..”
• We all like to think we are different
• Setup a content filtering device with 100 keywords on your outgoing email
• Let me know what you discover
• Ignorance is not an excuse for weak security practices
Audience Question
How is PKI similar to a telephone network?
The value of the system is proportional to the number of people who have a phone or a digital certificate!
The First Taste is Free!
Download a FREE email digital certificate
www.ascertia.com
www.thawte.com
Perform inter-institutional testing with your organization and UW-Madison!
Digital certificates are inherently supported in: Outlook, Outlook Express, Thunderbird, Mail.app, Mulberry, Eudora 7.0
Questions and Comments
Nicholas Davis
PKI Project [email protected]/middleware/pki
PLEASE PARTNER WITH US AS WE MOVE FORWARD WITH PKI!