Nicholas A. Davis DoIT Middleware September 29, 2005

Overview AuthN/Z at UW-Madison What is PKI? How can PKI be used? Why should PKI be used? Who can use PKI? Where can I get my own UW-Madison digital certificate? When can I start using PKI? Q&A session

AuthN/Z Coordinating Team Founded in 2003 Campus & DoIT collaboration Goals: 1.Develop, maintain, publish and publicize UW- Madison AuthNZ Roadmap 2.Solicit and document campus requirements for shared AuthNZ services 3.Recommend products and technologies based on an evaluation of candidates against functional and architectural requirements

Communities to be served

AuthN/Z Roadmap Implementation process: –Go to campus requirements –Release RFI and evaluate available technologies against requirements –Get approval from DoIT management to proceed with a specific, defined implementation. –Determine service implementation plan Web-ISO Service PKI Service Next in the queue: –Kerberos –Attribute delivery requirements gathering –Federated AuthN/Z

DoIT’s PKI activity 2000 September 2000 Created PKILab with CS and others 2001 IAIMS Secure Pilot Fall 2003 CA server installed in production Summer 2004 Campus Requirements Gathering and RFI 2003 – Present Pilot CA service made available to selective applications 2002 – Present Provided Digital Certs to Shibboleth Testing Community 2002 Participated in Federal Bridge Pilot Project February 2005 Presentation to DoIT CIO Office Sept End user cert Deployment

What is PKI? PKI is the acronym for Public Key Infrastructure. The PKI system ensures confidentiality, authenticity, integrity and non-repudiation of electronic data. Principles of public key cryptography and the public-private key relationship are the basis for any PKI The Infrastructure part of PKI is the underlying system needed to issue keys and certificates and to publish public information.

Confidentiality, Authenticity, Integrity, and Non-repudiation As the “wired world” progresses, we will become increasingly reliant upon electronic communication both within and outside of the UW-Madison campus network. We want to be careful to protect our online identity and confidential information. PKI can help us with this.

Confidentiality Means that the information contained in the message is kept private and only the sender and the intended recipient will be able to read it

Authenticity Verification that the people with whom we are corresponding actually are who they claim to be

Integrity Verification that the information contained in the message is not tampered with, accidentally or deliberately, during transmission

Non-repudiation There can be no denial on the part of the sender of having sent a message that is digitally signed

How does PKI accomplish all of these things? Data Encryption Digital Signature Root Authorities

Encryption refers to the conversion of a message into an unintelligible form of data, with the aim of ensuring confidentiality Decryption is the reversal of encryption; it is the process of transforming encrypted data back into an intelligible message In public key cryptography, encryption and decryption are performed with the use of a pair of public and private keys

The public and private key pair is comprised of two distinct and uniquely matched strings of numbers. The public key is available to everyone and a private key is personal and confidential, known to and maintained by the designated owner. Although related, it is computationally infeasible to derive the private key from the public key and vice-versa. When one of the keys in the key pair is used for encryption, the other key has to be used for decryption.

This relationship of public to private keys not only enables protection of data confidentiality, but also provides for the creation of a digital signature, which serves to ensure the authenticity and integrity of the message as well as its non-repudiation by the sender

Digital Signature Addresses the issues of authenticity, integrity and non-repudiation. Like its hand-written counterpart, a digital signature proves authorship of a particular message. Technically, a digital signature is derived from the content of the sender's message in combination with his private key, and can be verified by the recipient using the sender's public key to perform a verification operation.

Digital Certificates and Certificate Authorities A digital certificate is a digital document that proves the relationship between the identity of the holder of the digital certificate and the public key contained in the digital certificate. It is issued by a trusted third party called a Certificate Authority (CA.) Our digital certificate contains our public key and other attributes that can identify us.

When a person sends a digitally signed message to another person, the recipient may verify the validity of the signature via a mathematical operation, using the sender’s chained public key to verify the digital signature created by the sender.

How is a certificate issued? When a person applies for a digital certificate from a CA, the CA usually checks the person's identity and then generates the key pair on the user’s computer. Alternatively, the CA may generate the key pair for the person and deliver the private key to the person via secure means. The private key is kept by the person (stored on the person's computer or possibly on a smart card).

Encryption Example Peter wants to send Ann his super secret resume.

Encrypting an (continued) Peter encrypts using Ann’s public key Ann decrypts using her private key

Encryption (Continued) If Ann wishes to send Peter a confidential reply, she encrypts her message using Peter's public key. Peter then uses his private key to decrypt and read Ann's reply.

Digital Signature Example Ann signs the with her private key Peter verifies Ann’s signature by running an operation of the digital signature against her public key.

The UW-Madison Branded PKI Requirements gathering effort conducted in Summer/Fall 2004 Request For Information (RFI) developed by DoIT staff in Fall, Replies from commercial PKI vendors and DoIT internal staff (for Open Source solution) solicited in Fall, 2004 RFI results presentation delivered to DoIT CIO’s in Winter, 2005 Decision to proceed with a specific solution made by DoIT CIO’s Office in Spring, 2005 Contract negotiations in Summer, 2005 Pilot Rollout, Fall 2005

UW-MSN Use Cases University Health Services (Theresa Regge) –PKI alternative to firewall and VPN for UHS network Computer Sciences Department (Ian Alderman) –PKI use in grid computing Graduate School (Pat Noordsij) –NSF Fastlane grant submission

PKI System is Co-Managed The U.W.-Madison PKI is co- managed by a vendor named Geotrust, for several reasons: Time to implement was less than an in-house solution Initial implementation costs were less than in-house solution Off site key backup provides enhanced security The Geotrust Root certificate is pre- installed in 99% of all Internet browsers in use today.

Where is my Certificate Stored? You digital certificate is stored either on your machine or on a cryptographic USB hardware device Dual factor authentication

How can this certificate protect my data? You can encrypt sensitive and attachments sent to co-workers and friends. You can use Microsoft Office (Word, Excel, Powerpoint, Access) as well as other PKI enabled applications to protect data which you store on your local hard drive and on any network drive. Comply with HIPAA, FERPA, protect your privacy as well as the privacy of others who you do business with. Provide assurance to others that you are indeed who you claim to be.

Supported OS and Applications on the UW-Madison PKI Both Windows and Macintosh are supported. Macintosh users can store their certificate in encrypted form on their hard disk Windows users have the additional option of storing their certificate on a hardware token. Outlook, Outlook Express, Thunderbird, Novell Groupwise, and Mail.app are all supported packages. Microsoft Office applications are supported for encrypting and digitally signing documents, spreadsheets, etc.

What does it actually look like in practice? -Sending-

What does it actually look like in practice (unlocking my private key) -sending-

What does it actually look like in practice? -receiving- (decrypted)

Digitally signed and verified; Encrypted

What does it actually look like in practice? -receiving- (intercepted)

Summary Points Digital Signatures can: –Provide verified assurance to the recipient of your or document that you are indeed a member of the UW-Madison community –Prove that the contents of an or a document have not been altered from their original form –Provide certified proof that you did indeed send a specific or author a specific document.

Summary Points PKI based encryption allows you to: Encrypt and files for others so that they are protected end to end while in transit Maintain protection of and files in storage on your local computer hard drive, or on any network drive. Assist in complying with HIPAA, FERPA and other such government regulations.

Summary Points PKI provides official verification of your status as a current member of the UW- Madison community. It is supported in both the Windows and Macintosh environments, in popular software and Microsoft Office. PKI is available either by contacting Nicholas Davis directly (now), or by visiting the DoIT Tech Store (end of October.)

How to get started You must have a valid UW-Madison ID to become a PKI user Sign up today to have your certificate delivered to you automatically. Feel free to set up a meeting with me if you need assistance getting setup with PKI

Question and Answer Session As you seek to find the truth, don’t forget to protect your information!