Nicholas A. Davis DoIT Middleware September 29, 2005 Overview • AuthN/Z at UW-Madison • What is PKI? • How can PKI be used? • Why should PKI be used? • Who can use PKI? • Where can I get my own UW-Madison digital certificate? • When can I start using PKI? • Q&A session AuthN/Z Coordinating Team • Founded in 2003 • Campus & DoIT collaboration • Goals: 1. Develop, maintain, publish and publicize UW- Madison AuthNZ Roadmap 2. Solicit and document campus requirements for shared AuthNZ services 3. Recommend products and technologies based on an evaluation of candidates against functional and architectural requirements Communities to be served AuthN/Z Roadmap • Implementation process: – Go to campus requirements – Release RFI and evaluate available technologies against requirements – Get approval from DoIT management to proceed with a specific, defined implementation. – Determine service implementation plan • Web-ISO Service • PKI Service • Next in the queue: – Kerberos – Attribute delivery requirements gathering – Federated AuthN/Z DoIT’s PKI activity 2002 – Present Provided Digital Certs to Shibboleth Testing Community 2003 – Present September 2000 Pilot CA service made February 2005 Created PKILab available to selective Presentation to with CS and others applications DoIT CIO Office 2000 2001 Fall 2003 IAIMS Secure Summer 2004 Sept. 2005 CA server Email Pilot Campus End user cert installed in 2002 Requirements Deployment production Participated in Gathering and Federal Bridge RFI Pilot Project What is PKI? • PKI is the acronym for Public Key Infrastructure. • The PKI system ensures confidentiality, authenticity, integrity and non-repudiation of electronic data. • Principles of public key cryptography and the public-private key relationship are the basis for any PKI • The Infrastructure part of PKI is the underlying system needed to issue keys and certificates and to publish public information. Confidentiality, Authenticity, Integrity, and Non-repudiation As the “wired world” progresses, we will become increasingly reliant upon electronic communication both within and outside of the UW-Madison campus network. We want to be careful to protect our online identity and confidential information. PKI can help us with this. Confidentiality Means that the information contained in the message is kept private and only the sender and the intended recipient will be able to read it Authenticity Verification that the people with whom we are corresponding actually are who they claim to be Integrity Verification that the information contained in the message is not tampered with, accidentally or deliberately, during transmission Non-repudiation There can be no denial on the part of the sender of having sent a message that is digitally signed How does PKI accomplish all of these things? • Data Encryption • Digital Signature • Root Authorities • Encryption refers to the conversion of a message into an unintelligible form of data, with the aim of ensuring confidentiality • Decryption is the reversal of encryption; it is the process of transforming encrypted data back into an intelligible message • In public key cryptography, encryption and decryption are performed with the use of a pair of public and private keys • The public and private key pair is comprised of two distinct and uniquely matched strings of numbers. • The public key is available to everyone and a private key is personal and confidential, known to and maintained by the designated owner. • Although related, it is computationally infeasible to derive the private key from the public key and vice-versa. When one of the keys in the key pair is used for encryption, the other key has to be used for decryption. • This relationship of public to private keys not only enables protection of data confidentiality, but also provides for the creation of a digital signature, which serves to ensure the authenticity and integrity of the message as well as its non-repudiation by the sender • Digital Signature Addresses the issues of authenticity, integrity and non-repudiation. Like its hand-written counterpart, a digital signature proves authorship of a particular message. Technically, a digital signature is derived from the content of the sender's message in combination with his private key, and can be verified by the recipient using the sender's public key to perform a verification operation. Digital Certificates and Certificate Authorities • A digital certificate is a digital document that proves the relationship between the identity of the holder of the digital certificate and the public key contained in the digital certificate. It is issued by a trusted third party called a Certificate Authority (CA.) Our digital certificate contains our public key and other attributes that can identify us. When a person sends a digitally signed message to another person, the recipient may verify the validity of the signature via a mathematical operation, using the sender’s chained public key to verify the digital signature created by the sender. How is a certificate issued? When a person applies for a digital certificate from a CA, the CA usually checks the person's identity and then generates the key pair on the user’s computer. Alternatively, the CA may generate the key pair for the person and deliver the private key to the person via secure means. The private key is kept by the person (stored on the person's computer or possibly on a smart card). Encryption Example • Peter wants to send Ann his super secret resume. Encrypting an email (continued) • Peter encrypts using Ann’s public key • Ann decrypts using her private key Encryption (Continued) If Ann wishes to send Peter a confidential reply, she encrypts her message using Peter's public key. Peter then uses his private key to decrypt and read Ann's reply. Digital Signature Example • Ann signs • Peter verifies Ann’s the email signature by running with her an operation of the private key digital signature against her public key. The UW-Madison Branded PKI • Requirements gathering effort conducted in Summer/Fall 2004 • Request For Information (RFI) developed by DoIT staff in Fall, 2004. • Replies from commercial PKI vendors and DoIT internal staff (for Open Source solution) solicited in Fall, 2004 • RFI results presentation delivered to DoIT CIO’s in Winter, 2005 • Decision to proceed with a specific solution made by DoIT CIO’s Office in Spring, 2005 • Contract negotiations in Summer, 2005 • Pilot Rollout, Fall 2005 UW-MSN Use Cases • University Health Services (Theresa Regge) – PKI alternative to firewall and VPN for UHS network • Computer Sciences Department (Ian Alderman) – PKI use in grid computing • Graduate School (Pat Noordsij) – NSF Fastlane grant submission PKI System is Co-Managed • The U.W.-Madison PKI is co- managed by a vendor named Geotrust, for several reasons: • Time to implement was less than an in-house solution • Initial implementation costs were less than in-house solution • Off site key backup provides enhanced security • The Geotrust Root certificate is pre- installed in 99% of all Internet browsers in use today. Where is my Certificate Stored? • You digital certificate is stored either on your machine or on a cryptographic USB hardware device • Dual factor authentication How can this certificate protect my data? • You can encrypt sensitive email and attachments sent to co-workers and friends. • You can use Microsoft Office (Word, Excel, Powerpoint, Access) as well as other PKI enabled applications to protect data which you store on your local hard drive and on any network drive. • Comply with HIPAA, FERPA, protect your privacy as well as the privacy of others who you do business with. • Provide assurance to others that you are indeed who you claim to be. Supported OS and Applications on the UW-Madison PKI • Both Windows and Macintosh are supported. • Macintosh users can store their certificate in encrypted form on their hard disk • Windows users have the additional option of storing their certificate on a hardware token. • Outlook, Outlook Express, Thunderbird, Novell Groupwise, and Mail.app are all supported email packages. • Microsoft Office applications are supported for encrypting and digitally signing documents, spreadsheets, etc. What does it actually look like in practice? -Sending- What does it actually look like in practice (unlocking my private key) -sending- What does it actually look like in practice? -receiving- (decrypted) Digitally signed and verified; Encrypted What does it actually look like in practice? -receiving- (intercepted) Summary Points • Digital Signatures can: – Provide verified assurance to the recipient of your email or document that you are indeed a member of the UW-Madison community – Prove that the contents of an email or a document have not been altered from their original form – Provide certified proof that you did indeed send a specific email or author a specific document. Summary Points • PKI based encryption allows you to: • Encrypt email and files for others so that they are protected end to end while in transit • Maintain protection of email and files in storage on your local computer hard drive, or on any network drive. • Assist in complying with HIPAA, FERPA and other such government regulations. Summary Points • PKI provides official verification of your status as a current member of the UW- Madison community. • It is supported in both the Windows and Macintosh environments, in popular email software and Microsoft Office. • PKI is available either by contacting Nicholas Davis directly (now), or by visiting the DoIT Tech Store (end of October.) How to get started • You must have a valid UW-Madison ID to become a PKI user • Sign up today to have your certificate delivered to you automatically. • Feel free to set up a meeting with me if you need assistance getting setup with PKI Question and Answer Session firstname.lastname@example.org As you seek to find the truth, don’t forget to protect your information!