Nicholas A. Davis

1

• Nicholas A. Davis
• DoIT Middleware
• September 29, 2005

2
Overview

• AuthN/Z at UW-Madison
• What is PKI?
• How can PKI be used?
• Why should PKI be used?
• Who can use PKI?
• Where can I get my own UW-Madison digital
  certificate?
• When can I start using PKI?
• QA session

3
AuthN/Z Coordinating Team

• Founded in 2003
• Campus DoIT collaboration
• Goals
• Develop, maintain, publish and publicize
  UW-Madison AuthNZ Roadmap
• Solicit and document campus requirements for
  shared AuthNZ services
• Recommend products and technologies based on an
  evaluation of candidates against functional and
  architectural requirements

4
Communities to be served
5
AuthN/Z Roadmap

• Implementation process
• Go to campus requirements
• Release RFI and evaluate available technologies
  against requirements
• Get approval from DoIT management to proceed with
  a specific, defined implementation.
• Determine service implementation plan
• Web-ISO Service
• PKI Service
• Next in the queue
• Kerberos
• Attribute delivery requirements gathering
• Federated AuthN/Z

6
DoITs PKI activity
2000
7
What is PKI?

• PKI is the acronym for Public Key Infrastructure.
  
• The PKI system ensures confidentiality,
  authenticity, integrity and non-repudiation of
  electronic data.
• Principles of public key cryptography and the
  public-private key relationship are the basis for
  any PKI
• The Infrastructure part of PKI is the underlying
  system needed to issue keys and certificates and
  to publish public information.

8
Confidentiality, Authenticity, Integrity, and
Non-repudiation

• As the wired world progresses, we will
  become increasingly reliant upon electronic
  communication both within and outside of the
  UW-Madison campus network. We want to be careful
  to protect our online identity and confidential
  information. PKI can help us with this.

9
Confidentiality

• Means that the information contained in the
  message is kept private and only the sender and
  the intended recipient will be able to read it

10
Authenticity

• Verification that the people with whom we are
  corresponding actually are who they claim to be

11
Integrity

• Verification that the information contained in
  the message is not tampered with, accidentally or
  deliberately, during transmission

12
Non-repudiation

• There can be no denial on the part of the
  sender of having sent a message that is digitally
  signed

13
How does PKI accomplish all of these things?

• Data Encryption
• Digital Signature
• Root Authorities

14

• Encryption refers to the conversion of a message
  into an unintelligible form of data, with the aim
  of ensuring confidentiality
• Decryption is the reversal of encryption it is
  the process of transforming encrypted data back
  into an intelligible message
• In public key cryptography, encryption and
  decryption are performed with the use of a pair
  of public and private keys

15

• The public and private key pair is comprised of
  two distinct and uniquely matched strings of
  numbers.
• The public key is available to everyone and a
  private key is personal and confidential, known
  to and maintained by the designated owner.
• Although related, it is computationally
  infeasible to derive the private key from the
  public key and vice-versa. When one of the keys
  in the key pair is used for encryption, the other
  key has to be used for decryption.

16

• This relationship of public to private keys not
  only enables protection of data confidentiality,
  but also provides for the creation of a digital
  signature, which serves to ensure the
  authenticity and integrity of the message as well
  as its non-repudiation by the sender

17

• Digital SignatureAddresses the issues of
  authenticity, integrity and non-repudiation. Like
  its hand-written counterpart, a digital signature
  proves authorship of a particular message.
  Technically, a digital signature is derived from
  the content of the sender's message in
  combination with his private key, and can be
  verified by the recipient using the sender's
  public key to perform a verification operation.

18
Digital Certificates and Certificate Authorities

• A digital certificate is a digital document that
  proves the relationship between the identity of
  the holder of the digital certificate and the
  public key contained in the digital certificate.
  It is issued by a trusted third party called a
  Certificate Authority (CA.) Our digital
  certificate contains our public key and other
  attributes that can identify us.

19

• When a person sends a digitally signed message
  to another person, the recipient may verify the
  validity of the signature via a mathematical
  operation, using the senders chained public key
  to verify the digital signature created by the
  sender.

20
How is a certificate issued?

• When a person applies for a digital
  certificate from a CA, the CA usually checks the
  person's identity and then generates the key pair
  on the users computer. Alternatively, the CA may
  generate the key pair for the person and deliver
  the private key to the person via secure means.
  The private key is kept by the person (stored on
  the person's computer or possibly on a smart
  card).

21
Encryption Example

• Peter wants to send Ann his super secret resume.

22
Encrypting an email (continued)

• Peter encrypts using Anns public key
• Ann decrypts using her private key

23
Encryption (Continued)

• If Ann wishes to send Peter a confidential
  reply, she encrypts her message using Peter's
  public key. Peter then uses his private key to
  decrypt and read Ann's reply. 

24
Digital Signature Example

• Ann signs the email with her private key

• Peter verifies Anns signature by running an
  operation of the digital signature against her
  public key.

25
The UW-Madison Branded PKI

• Requirements gathering effort conducted in
  Summer/Fall 2004
• Request For Information (RFI) developed by DoIT
  staff in Fall, 2004.
• Replies from commercial PKI vendors and DoIT
  internal staff (for Open Source solution)
  solicited in Fall, 2004
• RFI results presentation delivered to DoIT CIOs
  in Winter, 2005
• Decision to proceed with a specific solution made
  by DoIT CIOs Office in Spring, 2005
• Contract negotiations in Summer, 2005
• Pilot Rollout, Fall 2005

26
UW-MSN Use Cases

• University Health Services (Theresa Regge)
• PKI alternative to firewall and VPN for UHS
  network
• Computer Sciences Department (Ian Alderman)
• PKI use in grid computing
• Graduate School (Pat Noordsij)
• NSF Fastlane grant submission    

27
PKI System is Co-Managed

• The U.W.-Madison PKI is co-managed by a vendor
  named Geotrust, for several reasons
• Time to implement was less than an in-house
  solution
• Initial implementation costs were less than
  in-house solution
• Off site key backup provides enhanced security
• The Geotrust Root certificate is pre-installed in
  99 of all Internet browsers in use today.

28
Where is my Certificate Stored?

• You digital certificate is stored either on your
  machine or on a cryptographic USB hardware device
• Dual factor authentication

29
How can this certificate protect my data?

• You can encrypt sensitive email and attachments
  sent to co-workers and friends.
• You can use Microsoft Office (Word, Excel,
  Powerpoint, Access) as well as other PKI enabled
  applications to protect data which you store on
  your local hard drive and on any network drive.
• Comply with HIPAA, FERPA, protect your privacy as
  well as the privacy of others who you do business
  with.
• Provide assurance to others that you are indeed
  who you claim to be.

30
Supported OS and Applications on the UW-Madison
PKI

• Both Windows and Macintosh are supported.
• Macintosh users can store their certificate in
  encrypted form on their hard disk
• Windows users have the additional option of
  storing their certificate on a hardware token.
• Outlook, Outlook Express, Thunderbird, Novell
  Groupwise, and Mail.app are all supported email
  packages.
• Microsoft Office applications are supported for
  encrypting and digitally signing documents,
  spreadsheets, etc.

31
What does it actually look like in practice?
-Sending-
32
What does it actually look like in practice
(unlocking my private key)-sending-
33
What does it actually look like in
practice?-receiving- (decrypted)
34
Digitally signed and verified Encrypted
35
What does it actually look like in
practice?-receiving- (intercepted)
36
Summary Points

• Digital Signatures can
• Provide verified assurance to the recipient of
  your email or document that you are indeed a
  member of the UW-Madison community
• Prove that the contents of an email or a document
  have not been altered from their original form
• Provide certified proof that you did indeed send
  a specific email or author a specific document.

37
Summary Points

• PKI based encryption allows you to
• Encrypt email and files for others so that they
  are protected end to end while in transit
• Maintain protection of email and files in storage
  on your local computer hard drive, or on any
  network drive.
• Assist in complying with HIPAA, FERPA and other
  such government regulations.

38
Summary Points

• PKI provides official verification of your status
  as a current member of the UW-Madison community.
• It is supported in both the Windows and Macintosh
  environments, in popular email software and
  Microsoft Office.
• PKI is available either by contacting Nicholas
  Davis directly (now), or by visiting the DoIT
  Tech Store (end of October.)

39
How to get started

• You must have a valid UW-Madison ID to become a
  PKI user
• Sign up today to have your certificate delivered
  to you automatically.
• Feel free to set up a meeting with me if you need
  assistance getting setup with PKI

40
Question and Answer Sessionndavis1_at_wisc.edu

• As you seek to find the truth, dont forget to
  protect your information!