1
PKI: The View from Down Under
  • Presentation to 2001 Institutional Web Management
    Workshop
  • Queen's University Belfast
  • Monday 25 June 2001
  • Ed Bristow, PKI Technical Manager,
  • Australian Taxation Office

2
Agenda
  • Who am I? Why am I here?
  • The what, why and wherefore of PKI
  • The Australian Scene
  • The ATO PKI
  • The Future

3
Canberra
  • Canberra

4
Some definitions
  • PKI - Public Key Infrastructure
      • The technology, policies and processes involved
        in generation, signing, issue and use of
        asymmetric ciphers and digital certificates
  • ATO - Australian Taxation Office
  • BAS - Business Activity Statement
      • Monthly or quarterly business tax report
        completed by all Australian businesses
  • SSL - Secure Sockets Layer
      • Standard for encryption of connection between web
        server and browser. Now at Version 3.0.
  • S/MIME - Secure Multipurpose Internet Mail
    Extensions (RFC 1521)
      • A standard for creating securely wrapped messages

5
More Definitions
  • OCSP - Online Certificate Status Protocol
      • Standard (RFC 2560) for checking a
        certificate's revocation status in real time
  • CRL - Certificate Revocation List
      • List of serial numbers of revoked certificates,
        published periodically by the CA. Part of X.509 (RFC
        2459)
  • DMZ - Demilitarised zone
      • Area between outer and inner firewalls where
        elements of a site's security architecture are
        deployed
  • X.500 - Standard for Internet directories
  • LDAP - Lightweight Directory Access Protocol
  • PKCS - Proprietary (but industry-wide) standards
    developed and maintained by RSA Security Inc

6
Why PKI
  • E-commerce on the rise
  • The Internet is a dangerous place
  • The importance of standards
  • Digital signatures promise remote, un-repudiable
    authentication
  • The dream of PKI - certificate once, authenticate
    everywhere

7
Key Topics
  • Confidentiality
  • Authentication
  • Authorisation

8
Confidentiality
  • Is SSL good enough?
  • Data is vulnerable on the server
  • Enforce strong cipher suites
  • Consider use of S/MIME
  • Decryption is done deeper in DMZ
  • Need to pay attention to web site design
  • Some products don't support two key pairs

9
Authentication
  • What to use?
  • User ID & Password
      • Simple for users, but have to be administered
        & can be cracked
  • Shared Secret
      • Just how secure is the secret?
      • Doesn't also provide integrity & non-repudiation
  • Digital Certificates
  • It's not a trivial decision

10
Authorisation
  • The next big challenge
  • The unrealised potential of X.500 & LDAP
  • Products starting to emerge
  • Active Directory & Kerberos in Windows 2000
  • Solutions are policy & directory based
  • What's the degree of fit?

11
Can PKI be made to work?
  • It does cost!
  • But it does also deliver
  • Many standards based components
  • But overall solution will need to be customised
  • Native browser based PKI is just not up to it at
    present

12
What are the major issues?
  • Registration
  • Key & Certificate distribution
  • End-user application design
  • Server side design

13
Registration
  • Binds the identity to the public key
  • Get this wrong and there's no point in worrying
    about the rest
  • Can be logistically difficult (and expensive)
      • Especially with geographically dispersed
        population
  • Are there opportunities to leverage another
    process?

14
End-User application design
  • Native browser, applet or fat client
  • What platforms to support?
      • Windows & Mac
      • IE & Netscape
  • How are private keys stored & accessed?
      • Smart card (PKCS11)
      • Soft Key (PKCS12)

15
Server Side Design
  • Performance
  • Availability
  • Certificate validation
  • OCSP vs CRL
  • Do responses need to be signed?
  • Accept keys and certificates from multiple CAs
    or just one?

16
Overall
  • Assess the value and importance of transactions
  • Threat and risk analysis as first step
  • Look for leverage opportunities

17
Australia - Land of Contrasts
  • Strengths
  • Innovative culture
  • Early adopters
  • Government sector prepared to lead
  • Small enough for national solutions to be viable
  • Can do attitude

18
Australia - Land of Contrasts
  • Weaknesses
  • 7 2 Governments
  • Short electoral cycle
  • Small population base
  • Geographic Isolation
  • Branch Office Economy
  • Slow telecoms in rural and remote areas
  • The Tyranny of Distance

19
Gatekeeper
  • Federal Government has provided a lead
  • Accreditation scheme for CAs and RAs
  • Mandated for Federal government agencies
  • Also signed-up to by states (no mean feat!)
  • Cross-recognition of Australian Identrus CAs

20
Gatekeeper - Drawbacks
  • High barrier to entry
  • Onerous accreditation requirements
  • ATO completed 33 different documents
  • Can be too slow for commercial requirements
  • Focus to date has been on business
  • PKI for individuals still some way off
  • But Gatekeeper2 is coming ...

21
Gatekeeper - Progress
  • ATO was first to achieve full accreditation
  • Commercial sector (eSign Baltimore) now also
    fully accredited
  • Government-sponsored standard for certificates
  • Contains Australian Business Number (ABN)
  • Can be used by businesses to deal with government
    at all levels
  • Can be issued by any accredited or
    cross-recognized CA
  • Simplifies the applications development task

22
The ATO
  • Main revenue collection authority for
    Commonwealth Government
  • Collects Income Tax, GST, Excise and other taxes
  • Approx 20,000 Staff
  • Facing the electronic challenge
  • Improve services
  • Reduce costs
  • Change the paradigm of interaction

23
ATO Electronic Initiatives
  • Agent lodged Income Tax returns via X.25 and
    proprietary s/w since 1991
  • Now accounts for > 75% of all returns
  • Self-lodged Income Tax returns via pre-Gatekeeper
    PKI-enabled e-tax system
  • Now in 4th year of operation
  • Expect 400,000 lodgments this year

24
PKI in the ATO
  • First full Gatekeeper accreditation
  • Support of tax Reform
  • GST (VAT type tax) from 1/7/2001
  • New reporting regime for business
  • Not our core business!
  • 100k certificate pairs issued

25
The ATO PKI Project
  • Created and rolled-out an accredited PKI in less
    than 9 months
  • High pressure project
  • Short time frame
  • Legislative deadline
  • Complex requirements
  • Breaking new ground

26
Features
  • Rely on business registration process to feed the
    RA
  • Integrated with legacy (DB2/OS390) database
  • Centrally-generated keys
  • Distribution via Internet
  • Two key pairs/certificates
  • Authentication (Signing)
  • Confidentiality (Encryption)

27
Constraints
  • Very rapid roll-out required
  • 145,000 in first month (achieved)
  • Security requirements on certificate download
  • Use Baltimore technology (UniCERT)
  • Drop dead deadline (legislative)
  • Outsourced infrastructure

28
The Good
  • 100,000 sets of keys and certificates distributed
    in first year of operation
  • 70,000 businesses registered to deal
    electronically
  • Over 500,000 e-BASs lodged
  • Most find process fairly straightforward
  • Businesses appear happy with authentication and
    confidentiality provided
  • Vastly lower rejection and intervention rates on
    e-BASs
  • Quicker refunds (where payable)

29
The Bad
  • Teething problems - rapid roll-out
  • Design issues - eg including ATO-specific data in
    certificate
  • User experience (eg download) still not
    satisfactory
  • Lack of perceived value to business
  • Process to get certificates and e-BAS complex -
    plenty of opportunities for problems
  • Logistical delays (eg PIC mailer printing)
  • Marketing in a saturated environment

30
The Ugly
  • Keys and certificates delivered in browser
    unfriendly package
  • Changes in external S/W (eg IE 5.5 SP1) can have
    near-catastrophic effects
  • Technical (il)literacy of some users
  • Security can have serious effects on useability
  • Data quality (esp. e-mail addresses)

31
Learnings
  • Key success factors
  • Drop dead deadline
  • Strong corporate support
  • Small, strongly focussed team
  • Exploitation of skills and knowledge of partners
  • Pay attention to useability
  • Otherwise - help desk gets very busy!
  • Understand the customer - market segmentation

32
The Future - Some Questions
  • Will PKI become universal, or is it just too
    hard?
  • Is the Internet too dangerous a place to do
    business?
  • Can schemes like Gatekeeper ever really succeed?
  • Can anyone make serious money out of PKI?

33
The Future - Some Answers
  • RSA appears to be unassailable - for now
  • We can be confident about the technology
  • Success of PKI depends on
  • Robust and trustable registration processes
  • Useful applications - there must be a value
    proposition
  • Making the technology transparent
  • Australian model has significant strengths
  • Universal scheme
  • Standards based - vendor neutral
  • Public-Private sector partnership

34
Links
  • www.ato.gov.au
  • www.taxreform.ato.gov.au
  • www.ato-pki.ato.gov.au
  • www.govonline.gov.au
  • www.baltimore.com
  • www.esign.com.au
  • www.identrus.com

35
Thank You