					 Nicholas A. Davis
 DoIT Middleware
September 29, 2005
• AuthN/Z at UW-Madison
• What is PKI?
• How can PKI be used?
• Why should PKI be used?
• Who can use PKI?
• Where can I get my own UW-Madison digital
• When can I start using PKI?
• Q&A session
  AuthN/Z Coordinating Team
• Founded in 2003
• Campus & DoIT collaboration
• Goals:
    1. Develop, maintain, publish and publicize UW-
       Madison AuthNZ Roadmap
    2. Solicit and document campus requirements for
       shared AuthNZ services
    3. Recommend products and technologies based on
       an evaluation of candidates against functional
       and architectural requirements
Communities to be served
         AuthN/Z Roadmap
• Implementation process:
  – Go to campus requirements
  – Release RFI and evaluate available technologies
    against requirements
  – Get approval from DoIT management to proceed
    with a specific, defined implementation.
  – Determine service implementation plan
• Web-ISO Service
• PKI Service
• Next in the queue:
  – Kerberos
  – Attribute delivery requirements gathering
  – Federated AuthN/Z
DoIT’s PKI activity
• September 2000: Created PKILab with CS and others
• 2001: IAIMS Secure Email Pilot
• 2002: Participated in Federal Bridge Pilot Project
• 2002 – Present: Provided Digital Certs to Shibboleth Testing
• 2003 – Present: Pilot CA service made available to selective
  applications
• Fall 2003: CA server installed in
• Summer 2004: Campus Requirements Gathering and RFI
• February 2005: Presentation to DoIT CIO Office
• Sept. 2005: End user cert Deployment
               What is PKI?
• PKI is the acronym for Public Key Infrastructure.
• The PKI system ensures confidentiality,
  authenticity, integrity and non-repudiation of
  electronic data.
• Principles of public key cryptography and the
  public-private key relationship are the basis for
  any PKI
• The Infrastructure part of PKI is the underlying
  system needed to issue keys and certificates
  and to publish public information.
  Confidentiality, Authenticity,
 Integrity, and Non-repudiation
 As the “wired world” progresses, we
will become increasingly reliant upon
electronic communication both within
and outside of the UW-Madison
campus network. We want to be
careful to protect our online identity
and confidential information. PKI can
help us with this.
• Confidentiality: the information contained in the message is kept
  private, and only the sender and the intended recipient will be
  able to read it
• Authenticity: verification that the people with whom we are
  corresponding actually are who they claim to be
• Integrity: verification that the information contained in the
  message is not tampered with, accidentally or deliberately,
  during transmission
• Non-repudiation: there can be no denial on the part of the sender
  of having sent a message that is digitally signed
 How does PKI accomplish all of
        these things?
• Data Encryption
• Digital Signature
• Root Authorities
• Encryption refers to the conversion of a message
  into an unintelligible form of data, with the aim of
  ensuring confidentiality
• Decryption is the reversal of encryption; it is the
  process of transforming encrypted data back into
  an intelligible message
• In public key cryptography, encryption and
  decryption are performed with the use of a pair of
  public and private keys
• The public and private key pair is comprised of two distinct
  and uniquely matched strings of numbers.
• The public key is available to everyone and a private key is
  personal and confidential, known to and maintained by the
  designated owner.
• Although the two keys are related, it is computationally infeasible
  to derive the private key from the public key and vice-versa. When
  one of the keys in the key pair is used for encryption, the
  other key has to be used for decryption.
• This relationship of public to private keys not
  only enables protection of data confidentiality,
  but also provides for the creation of a digital
  signature, which serves to ensure the
  authenticity and integrity of the message as well
  as its non-repudiation by the sender
• Digital Signature
  Addresses the issues of authenticity, integrity
  and non-repudiation. Like its hand-written
  counterpart, a digital signature proves authorship
  of a particular message. Technically, a digital
  signature is derived from the content of the
  sender's message in combination with his private
  key, and can be verified by the recipient using
  the sender's public key to perform a verification
Digital Certificates and Certificate
• A digital certificate is a digital
  document that proves the
  relationship between the
  identity of the holder of the
  digital certificate and the
  public key contained in the
  digital certificate. It is issued
  by a trusted third party called
  a Certificate Authority (CA).
  Our digital certificate contains
  our public key and other
  attributes that can identify us.
When a person sends a digitally signed
message to another person, the recipient
may verify the validity of the signature via
a mathematical operation, using the
sender’s chained public key to verify the
digital signature created by the sender.
 How is a certificate issued?
When a person applies for a digital
certificate from a CA, the CA usually
checks the person's identity and then
generates the key pair on the user’s
computer. Alternatively, the CA may
generate the key pair for the person and
deliver the private key to the person via
secure means. The private key is kept by
the person (stored on the person's
computer or possibly on a smart card).
       Encryption Example
• Peter wants to send Ann his super secret
Encrypting an email (continued)
• Peter encrypts using Ann’s public key
• Ann decrypts using her private key
   Encryption (Continued)
If Ann wishes to send Peter a confidential
reply, she encrypts her message using
Peter's public key. Peter then uses his
private key to decrypt and read Ann's
Digital Signature Example
• Ann signs the email with her private key
• Peter verifies Ann’s signature by running an operation of the
  digital signature against her public
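The Peter and Ann exchanges above (encrypt with the recipient's public key, sign with the sender's private key), shown as an added Python example that is not part of the original slides. It uses textbook RSA with a constructed, insecure demo key and no padding; the function names are hypothetical.

```python
import hashlib

# Constructed demo key for "Ann": textbook RSA built from two Mersenne primes.
# These primes are publicly known, so this key is NOT secure. Real PKI keys use
# random primes and padded schemes (OAEP for encryption, PSS for signatures).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                   # Ann's public key (published in her certificate)
D = pow(E, -1, (P - 1) * (Q - 1))     # Ann's private key (never leaves Ann)

def encrypt_for_ann(message: bytes) -> int:
    """Peter encrypts using Ann's public key (N, E)."""
    m = int.from_bytes(message, "big")
    if m >= N:
        raise ValueError("message too long for this key")
    return pow(m, E, N)

def ann_decrypt(ciphertext: int) -> bytes:
    """Only the holder of the private exponent D can reverse the encryption."""
    m = pow(ciphertext, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message: bytes) -> int:
    """SHA-256 of the message content, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def ann_sign(message: bytes) -> int:
    """Signature is derived from the message content plus Ann's private key."""
    return pow(_digest(message), D, N)

def peter_verify(message: bytes, signature: int) -> bool:
    """Peter checks the signature using only Ann's public key."""
    return pow(signature, E, N) == _digest(message)

if __name__ == "__main__":
    secret = b"Super secret note for Ann"          # constructed sample message
    assert ann_decrypt(encrypt_for_ann(secret)) == secret

    email = b"Budget approved. -Ann"               # constructed sample message
    sig = ann_sign(email)
    print("original verifies:", peter_verify(email, sig))
    print("altered verifies: ", peter_verify(b"Budget denied. -Ann", sig))
```

Changing a single byte of the signed email makes verification fail, which is the integrity property; the check succeeding only under Ann's public key is what supports authenticity and non-repudiation.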
The UW-Madison Branded PKI
• Requirements gathering effort conducted in Summer/Fall
• Request For Information (RFI) developed by DoIT staff in
  Fall, 2004.
• Replies from commercial PKI vendors and DoIT internal
  staff (for Open Source solution) solicited in Fall, 2004
• RFI results presentation delivered to DoIT CIO’s in
  Winter, 2005
• Decision to proceed with a specific solution made by
  DoIT CIO’s Office in Spring, 2005
• Contract negotiations in Summer, 2005
• Pilot Rollout, Fall 2005
        UW-MSN Use Cases

• University Health Services (Theresa Regge)
  – PKI alternative to firewall and VPN for UHS network
• Computer Sciences Department (Ian
  – PKI use in grid computing
• Graduate School (Pat Noordsij)
  – NSF Fastlane grant submission
PKI System is Co-Managed
• The U.W.-Madison PKI is co-
  managed by a vendor named
  Geotrust, for several reasons:
• Time to implement was less than an
  in-house solution
• Initial implementation costs were less
  than in-house solution
• Off site key backup provides
  enhanced security
• The Geotrust Root certificate is pre-
  installed in 99% of all Internet
  browsers in use today.
Where is my Certificate Stored?
• Your digital certificate is stored either on
  your machine or on a cryptographic USB
  hardware device
• Dual factor authentication
 How can this certificate protect my
• You can encrypt sensitive email and
  attachments sent to co-workers and
• You can use Microsoft Office (Word,
  Excel, PowerPoint, Access) as well as
  other PKI enabled applications to
  protect data which you store on your
  local hard drive and on any network
• Comply with HIPAA, FERPA, protect
  your privacy as well as the privacy of
  others who you do business with.
• Provide assurance to others that you
  are indeed who you claim to be.
Supported OS and Applications on
     the UW-Madison PKI
• Both Windows and Macintosh are supported.
• Macintosh users can store their certificate in encrypted
  form on their hard disk
• Windows users have the additional option of storing their
  certificate on a hardware token.
• Outlook, Outlook Express, Thunderbird, Novell
  Groupwise, and are all supported email
• Microsoft Office applications are supported for
  encrypting and digitally signing documents,
  spreadsheets, etc.
What does it actually look like in practice?
What does it actually look like in practice
      (unlocking my private key)
What does it actually look like in practice?
        -receiving- (decrypted)
Digitally signed and verified;
What does it actually look like in
   -receiving- (intercepted)
           Summary Points
• Digital Signatures can:
  – Provide verified assurance to the recipient of
    your email or document that you are indeed a
    member of the UW-Madison community
  – Prove that the contents of an email or a
    document have not been altered from their
    original form
  – Provide certified proof that you did indeed
    send a specific email or author a specific
          Summary Points
• PKI based encryption allows you to:
• Encrypt email and files for others so that
  they are protected end to end while in
• Maintain protection of email and files in
  storage on your local computer hard drive,
  or on any network drive.
• Assist in complying with HIPAA, FERPA
  and other such government regulations.
           Summary Points
• PKI provides official verification of your
  status as a current member of the UW-
  Madison community.
• It is supported in both the Windows and
  Macintosh environments, in popular email
  software and Microsoft Office.
• PKI is available either by contacting
  Nicholas Davis directly (now), or by visiting
  the DoIT Tech Store (end of October).
         How to get started
• You must have a valid UW-Madison ID to
  become a PKI user
• Sign up today to have your certificate
  delivered to you automatically.
• Feel free to set up a meeting with me if
  you need assistance getting set up with
    Question and Answer Session

As you seek to find the truth, don’t forget
       to protect your information!

