Nicholas A. Davis DoIT Middleware September 29, 2005

Nicholas A. Davis

DoIT Middleware

September 29, 2005

Overview• AuthN/Z at UW-Madison• What is PKI?• How can PKI be used?• Why should PKI be used?• Who can use PKI?• Where can I get my own UW-Madison digital

certificate?• When can I start using PKI?• Q&A session

AuthN/Z Coordinating Team

• Founded in 2003

• Campus & DoIT collaboration

• Goals:1. Develop, maintain, publish and publicize UW-

Madison AuthNZ Roadmap

2. Solicit and document campus requirements for shared AuthNZ services

3. Recommend products and technologies based on an evaluation of candidates against functional and architectural requirements

Communities to be served

AuthN/Z Roadmap• Implementation process:

– Go to campus requirements– Release RFI and evaluate available technologies against

requirements – Get approval from DoIT management to proceed with a

specific, defined implementation.– Determine service implementation plan

• Web-ISO Service• PKI Service• Next in the queue:

– Kerberos– Attribute delivery requirements gathering– Federated AuthN/Z

DoIT’s PKI activity

2000

September 2000Created PKILab with CS and others

2001IAIMS Secure Email Pilot

Fall 2003CA server installed in production

Summer 2004Campus Requirements Gathering and RFI

2003 – PresentPilot CA service made available to selective applications

2002 – PresentProvided Digital Certs to Shibboleth Testing Community

2002 Participated in Federal Bridge Pilot Project

February 2005Presentation to DoIT CIO Office

Sept. 2005End user certDeployment

What is PKI?

• PKI is the acronym for Public Key Infrastructure. • The PKI system ensures confidentiality,

authenticity, integrity and non-repudiation of electronic data.

• Principles of public key cryptography and the public-private key relationship are the basis for any PKI

• The Infrastructure part of PKI is the underlying system needed to issue keys and certificates and to publish public information.

Confidentiality, Authenticity, Integrity, and Non-repudiation

As the “wired world” progresses, we will become increasingly reliant upon electronic communication both within and outside of the UW-Madison campus network. We want to be careful to protect our online identity and confidential information. PKI can help us with this.

Confidentiality

Means that the information contained in the message is kept private and only the sender and the intended recipient will be able to read it

Authenticity

Verification that the people with whom we are corresponding actually are who they claim to be

Integrity

Verification that the information contained in the message is not tampered with, accidentally or deliberately, during transmission

Non-repudiation

There can be no denial on the part of the sender of having sent a message that is digitally signed

How does PKI accomplish all of these things?

• Data Encryption

• Digital Signature

• Root Authorities

• Encryption refers to the conversion of a message into an unintelligible form of data, with the aim of ensuring confidentiality

• Decryption is the reversal of encryption; it is the process of transforming encrypted data back into an intelligible message

• In public key cryptography, encryption and decryption are performed with the use of a pair of public and private keys

• The public and private key pair is comprised of two distinct

and uniquely matched strings of numbers. • The public key is available to everyone and a private key is

personal and confidential, known to and maintained by the designated owner.

• Although related, it is computationally infeasible to derive the private key from the public key and vice-versa. When one of the keys in the key pair is used for encryption, the other key has to be used for decryption.

• This relationship of public to private keys not only enables protection of data confidentiality, but also provides for the creation of a digital signature, which serves to ensure the authenticity and integrity of the message as well as its non-repudiation by the sender

• Digital SignatureAddresses the issues of authenticity, integrity and non-repudiation. Like its hand-written counterpart, a digital signature proves authorship of a particular message. Technically, a digital signature is derived from the content of the sender's message in combination with his private key, and can be verified by the recipient using the sender's public key to perform a verification operation.

Digital Certificates and Certificate Authorities

• A digital certificate is a digital document that proves the relationship between the identity of the holder of the digital certificate and the public key contained in the digital certificate. It is issued by a trusted third party called a Certificate Authority (CA.) Our digital certificate contains our public key and other attributes that can identify us.

When a person sends a digitally signed message to another person, the recipient may verify the validity of the signature via a mathematical operation, using the sender’s chained public key to verify the digital signature created by the sender.

How is a certificate issued? When a person applies for a digital

certificate from a CA, the CA usually checks the person's identity and then generates the key pair on the user’s computer. Alternatively, the CA may generate the key pair for the person and deliver the private key to the person via secure means. The private key is kept by the person (stored on the person's computer or possibly on a smart card).

Encryption Example

• Peter wants to send Ann his super secret resume.

Encrypting an email (continued)• Peter encrypts using Ann’s public key• Ann decrypts using her private key

Encryption (Continued) If Ann wishes to send Peter a confidential

reply, she encrypts her message using Peter's public key. Peter then uses his private key to decrypt and read Ann's reply. 

Digital Signature Example

• Ann signs the email with her private key

• Peter verifies Ann’s signature by running an operation of the digital signature against her public key.

The UW-Madison Branded PKI• Requirements gathering effort conducted in Summer/Fall

2004• Request For Information (RFI) developed by DoIT staff in

Fall, 2004.• Replies from commercial PKI vendors and DoIT internal

staff (for Open Source solution) solicited in Fall, 2004• RFI results presentation delivered to DoIT CIO’s in

Winter, 2005• Decision to proceed with a specific solution made by

DoIT CIO’s Office in Spring, 2005• Contract negotiations in Summer, 2005• Pilot Rollout, Fall 2005

UW-MSN Use Cases

• University Health Services (Theresa Regge)– PKI alternative to firewall and VPN for UHS network

• Computer Sciences Department (Ian Alderman)– PKI use in grid computing

• Graduate School (Pat Noordsij)– NSF Fastlane grant submission    

PKI System is Co-Managed

• The U.W.-Madison PKI is co-managed by a vendor named Geotrust, for several reasons:

• Time to implement was less than an in-house solution

• Initial implementation costs were less than in-house solution

• Off site key backup provides enhanced security

• The Geotrust Root certificate is pre-installed in 99% of all Internet browsers in use today.

Where is my Certificate Stored?• You digital certificate is stored either on

your machine or on a cryptographic USB hardware device

• Dual factor authentication

How can this certificate protect my data?

• You can encrypt sensitive email and attachments sent to co-workers and friends.

• You can use Microsoft Office (Word, Excel, Powerpoint, Access) as well as other PKI enabled applications to protect data which you store on your local hard drive and on any network drive.

• Comply with HIPAA, FERPA, protect your privacy as well as the privacy of others who you do business with.

• Provide assurance to others that you are indeed who you claim to be.

Supported OS and Applications on the UW-Madison PKI

• Both Windows and Macintosh are supported.• Macintosh users can store their certificate in encrypted

form on their hard disk• Windows users have the additional option of storing their

certificate on a hardware token.• Outlook, Outlook Express, Thunderbird, Novell

Groupwise, and Mail.app are all supported email packages.

• Microsoft Office applications are supported for encrypting and digitally signing documents, spreadsheets, etc.

What does it actually look like in practice? -Sending-

What does it actually look like in practice (unlocking my private key)

-sending-

What does it actually look like in practice?-receiving- (decrypted)

Digitally signed and verified; Encrypted

What does it actually look like in practice?

-receiving- (intercepted)

Summary Points

• Digital Signatures can:– Provide verified assurance to the recipient of

your email or document that you are indeed a member of the UW-Madison community

– Prove that the contents of an email or a document have not been altered from their original form

– Provide certified proof that you did indeed send a specific email or author a specific document.

Summary Points

• PKI based encryption allows you to:• Encrypt email and files for others so that

they are protected end to end while in transit

• Maintain protection of email and files in storage on your local computer hard drive, or on any network drive.

• Assist in complying with HIPAA, FERPA and other such government regulations.

Summary Points

• PKI provides official verification of your status as a current member of the UW-Madison community.

• It is supported in both the Windows and Macintosh environments, in popular email software and Microsoft Office.

• PKI is available either by contacting Nicholas Davis directly (now), or by visiting the DoIT Tech Store (end of October.)

How to get started

• You must have a valid UW-Madison ID to become a PKI user

• Sign up today to have your certificate delivered to you automatically.

• Feel free to set up a meeting with me if you need assistance getting setup with PKI

Question and Answer Sessionndavis1@wisc.edu

As you seek to find the truth, don’t forget

to protect your information!