Personal Digital Certificates, The Key to Securing Sensitive Electronic Communications PowerPoint PPT Presentation


Title: Personal Digital Certificates, The Key to Securing Sensitive Electronic Communications


1
Personal Digital Certificates, The Key to
Securing Sensitive Electronic Communications
  • Nicholas A. Davis
  • University of Wisconsin-Madison
  • Division of Information Technology

2
Every Good Presentation Starts With a Bad Cartoon
3
Session Rules
  • There are no rules. If you wanted rules, you would
    have stayed at work!
  • Feel free to interrupt, ask questions, make
    comments
  • Don't bother raising your hand, we are not in
    school anymore
  • Let's go!!!

4
Why Am I Listening to This Person?
  • Because you have a feeling that some of your data
    communications are insecure
  • Because it sounds exciting, like something James
    Bond uses, and you want to emulate James Bond
  • Because this sounded less boring than the other
    sessions

5
Overview
  • Evolutionary vs. Revolutionary
  • Software
  • Digital Certificates, Evolutionary
  • What can digital certificates be used for?
  • How can digital certificates be used to
    avoid data theft?
  • Summary Discussion

6
Evolution Vs. Revolution
  • Comparison of methodologies for modernizing
    business processes.
  • Rip and replace: cost, time, effort, education,
    usefulness
  • Enhance: cost, time, effort, education,
    usefulness
  • Digital certificates are evolutionary

7
What is a Digital Certificate?
8
Digital Certificates
  • Distributed centrally by DoIT at UW-Madison
  • Integrate seamlessly with existing software such
    as email and MS Office
  • Support our diverse environment. It's an IT
    jungle out there!

9
Public Key Cryptography, It Isn't Like Captain
Crunch Wanted it to be
  • A digital certificate is made up of two keys, a
    private key and a public key
  • Public key is used for encrypting and verifying a
    person's digital signature
  • Private key is used for decrypting and digitally
    signing
  • However, the Captain does make an excellent
    breakfast cereal.

10
Public Key Cryptography
11
Send Me a Signed Email, Please, I Need Your
Public Key
12
How Do People Get a Certificate?
  • ID credentialing done at DoIT Tech Store or in
    person for large groups
  • Person receives a PIN number
  • Person receives an email with a link to click on
  • Certificate downloads to their machine

13
How the technology is being used
  • Faculty, Staff, Students
  • Windows and Macintosh
  • Digitally sign files and email
  • Encrypt email and attachments
  • Outlook, Outlook Express, Thunderbird and
    Mail.app

14
New Applications Coming Online This Summer!
  • Bye bye old ID card!
  • Hello Smartcard!
  • One card does it all!
  • Email encryption, document signing, web access to
    sensitive applications and whole disk encryption

15
It Is All About Trust
16
Digital Certificate Functions
  • Authentication: Proof that you are who you claim
    to be (digital signing)
  • Encryption: Encoding information in such a way
    as to make it unreadable
  • Non-repudiation: Inability to deny having sent
    specific information or having accessed a
    specific system
  • Data Integrity: Proof that the data has not been
    altered since it was originally sent

17
Digital Certificates For Machines Too
  • SSL: Secure Socket Layer
  • Protection of data in transit
  • Protection of data at rest
  • Where is the greater threat?
  • Our certs protect both!

18
Using a Digital Signature for Email Signing
  • Provides proof that the email came from the
    purported sender. Is this email really from
    Vice President Cheney?
  • Provides proof that the contents of the email
    have not been altered from the original
    form. Should we really invade Canada?

19
Why Is Authenticating the Sender So Important?
20
What if This Happens at UW-Madison?
  • Could cause harm in a critical situation
  • Case Scenario
  • Multiple hoax emails sent with Chancellor's name
    and email.
  • When real crisis arrives, people might not
    believe the warning.
  • It is all about trust!

21
Digital Signing Summary
  • Provides proof of the author
  • Testifies to message integrity
  • Valuable for both individual or mass email
  • Supported by Wiscmail Web client (used by 80% of
    students)

22
What Encryption Does
  • Encrypting data with a digital certificate
    secures it end to end.
  • While in transit
  • Across the network
  • While sitting on email servers
  • While in storage
  • On your desktop computer
  • On your laptop computer
  • On a server
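
The signing and encryption behaviour described on slides 18 to 22, as an added example that is not part of the original presentation. It uses the OpenSSL command line's S/MIME support; the sender name, address and message are constructed, and one throwaway self-signed certificate plays both sender and recipient in place of a CA-issued personal certificate.

```shell
#!/bin/sh
# Added example. The sender, address and message text are all constructed, and a
# self-signed certificate stands in for one issued by a certificate authority.
# For brevity the same certificate acts as both sender and recipient.
work=$(mktemp -d)
printf 'Campus closes at 3pm today.\n' > "$work/msg.txt"

make_cert() {   # key pair plus a certificate that carries the public key
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Sender/emailAddress=sender@example.invalid" \
    -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null
}
sign_msg() {    # signing uses the sender's private key
  openssl smime -sign -text -in "$work/msg.txt" -signer "$work/cert.pem" \
    -inkey "$work/key.pem" -out "$work/signed.eml"
}
verify_msg() {  # $1 = message file; status 0 only if signer and content check out
  openssl smime -verify -in "$1" -CAfile "$work/cert.pem" -out /dev/null 2>/dev/null
}
tamper_msg() {  # simulate an alteration made after signing
  sed 's/3pm/9pm/' "$work/signed.eml" > "$work/tampered.eml"
}
encrypt_msg() { # encryption uses the recipient's public key, read from the certificate
  openssl smime -encrypt -aes256 -in "$work/msg.txt" -out "$work/enc.eml" \
    "$work/cert.pem"
}
decrypt_msg() { # decryption needs the recipient's private key
  openssl smime -decrypt -in "$work/enc.eml" -recip "$work/cert.pem" \
    -inkey "$work/key.pem"
}

make_cert && sign_msg && tamper_msg && encrypt_msg
verify_msg "$work/signed.eml"   && echo "signed copy: verified"
verify_msg "$work/tampered.eml" || echo "altered copy: rejected"
grep -q 'Campus closes' "$work/enc.eml" || echo "intercepted copy: no readable text"
decrypt_msg
```

The verifier only needs the signer's certificate, while decryption fails without the recipient's private key file.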

23
Encryption Protects the Data
  • Physical theft from office
  • Physical theft from airport
  • Virtual theft over the network

24
Why Encryption is Important
  • Keeps private information private
  • HIPAA, FERPA, SOX, GLB compliance
  • Proprietary research
  • Human Resource issues
  • Legal Issues
  • PR Issues

25
Case Study - Why the Registrar's Office Chose
Digital Certificates
  • Cost
  • Easy Integration
  • Security
  • No individual process evaluation
  • Leverages a central, generic resource
  • Ability to inter-communicate

26
Where is my Certificate Stored?
  • Your digital certificate is stored either on your
    machine or on a cryptographic USB hardware device
  • Dual factor authentication

27
What does it actually look like in practice?
-Sending-
28
What does it actually look like in practice?
(unlocking my private key) -receiving-
29
What does it actually look like in
practice? -receiving- (decrypted)
30
Digitally signed and verified Encrypted
31
What does it actually look like in
practice? -receiving- (intercepted)
32
Intercepting the Data in Transit
33
Benefits of Using Digital Certificates
  • Provide global assurance of your identity,
    both internally and externally to the
    UW-Madison
  • Provide assurance of message authenticity
    and data integrity
  • Keeps private information private, end to
    end, while in transit and storage
  • You don't need to have a digital certificate
    to verify someone else's digital signature
  • Can be used for individual or generic mail
    accounts.

34
Who Uses Digital Certificates at UW-Madison?
  • DoIT
  • UW Police and Security
  • Office of the Registrar
  • Office of Financial Aid
  • Office of Admissions
  • Primate Research Lab
  • Medical School
  • Bucky Badger, because he's a team
    player and slightly paranoid about his
    basketball plays being stolen

35
Who Uses Digital Certificates Besides UW-Madison?
  • US Department of Defense
  • US Department of Homeland
    Security
  • All Western European countries
  • New US Passport
  • Dartmouth College
  • University of Texas at Austin
  • Johnson & Johnson
  • Raytheon
  • Others

36
The Telephone Analogy
  • When the telephone was invented, it was
    hard to sell.
  • It needed to reach critical mass and then
    everyone wanted one.

37
That All Sounds Great in Theory, But Do I Really
Need It?
  • The world seems to get along just fine without
    digital certificates
  • Oh, really?
  • Let's talk about some recent stories

38
We Have Our Gems Too @ UW-Madison!
39
How Do Users Feel About the Technology?
  • Ease of use
  • Challenges
  • Changes in how they do their daily work
  • Benefits
  • Drawbacks

40
It Really Is Up To You!
  • Digital certificates / PKI is not hard to
    implement
  • It provides end to end security of sensitive
    communications
  • It is comprehensive, not a mix of point solutions

41
How Can I Help You?
  • ndavis1_at_wisc.edu
  • www.doit.wisc.edu/middleware/pki