Presentation is loading. Please wait.

Presentation is loading. Please wait.

25 June 2001EB IMW Belfast PKI: The View from Down Under Presentation to 2001 Institutional Web Management Workshop Queen’s University Belfast Monday 25.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "25 June 2001EB IMW Belfast PKI: The View from Down Under Presentation to 2001 Institutional Web Management Workshop Queen’s University Belfast Monday 25."— Presentation transcript:

1 25 June 2001EB IMW Belfast PKI: The View from Down Under Presentation to 2001 Institutional Web Management Workshop Queen’s University Belfast Monday 25 June 2001 Ed Bristow, PKI Technical Manager, Australian Taxation Office

2 25 June 2001EB IMW Belfast Agenda Who am I? Why am I here? The what, why and wherefore of PKI The Australian Scene The ATO PKI The Future

3 25 June 2001EB IMW Belfast Canberra

4 25 June 2001EB IMW Belfast Some definitions PKI - Public Key Infrastructure –The technology, policies and processes involved in generation, signing, issue and use of asymmetric ciphers and digital certificates ATO - Australian Taxation Office BAS - Business Activity Statement –Monthly or quarterly business tax report completed by all Australian businesses SSL - Secure Sockets Layer –Standard for encryption of connection between web server and browser. Now at Version 3.0. S/MIME - Secure Multipurpose Internet Mail Extensions (RFC 1521) – A standard for creating securely wrapped messages

5 25 June 2001EB IMW Belfast More Definitions OCSP - Online Certificate Status Protocol. –Standard (RFC 2560) for the checking of a certificate’s revocation status in real time CRL - Certificate revocation list –List of serial numbers of revoked certificates, published periodically by CA. Part of X.509 (RFC 2459) DMZ - Demilitarised zone. – Area between outer and inner firewalls where elements of a site’s security architecture is deployed X.500 - Standard for Internet directories LDAP - Lightweight Directory Access Protocol PKCS - Proprietary (but industry-wide) standards developed and maintained by RSA Security Inc

6 25 June 2001EB IMW Belfast Why PKI E-commerce on the rise The Internet is a dangerous place The importance of standards Digital signatures promise remote, un- repudiable authentication The dream of PKI - certificate once, authenticate everywhere

7 25 June 2001EB IMW Belfast Key Topics Confidentiality Authentication Authorisation

8 25 June 2001EB IMW Belfast Confidentiality Is SSL good enough? –Data is vulnerable on the server –Enforce strong cipher suites Consider use of S/MIME –Decryption is done deeper in DMZ Need to pay attention to web site design Some products don’t support two key pairs

9 25 June 2001EB IMW Belfast Authentication What to use? –User ID & Password Simple for users, but have to be administered & can be cracked –Shared Secret Just how secure is the secret? Doesn’t also provide integrity & non-repudiation –Digital Certificates It’s not a trivial decision

10 25 June 2001EB IMW Belfast Authorisation The next big challenge The unrealised potential of X.500 & LDAP Products starting to emerge Active Directory & Kerberos in Windows 2000 Solutions are policy & directory based What’s the degree of fit?

11 25 June 2001EB IMW Belfast Can PKI be made to work? It does cost! But it does also deliver Many standards based components But overall solution will need to be customised Native browser based PKI is just not up to it at present

12 25 June 2001EB IMW Belfast What are the major issues? Registration Key & Certificate distribution End-user application design Server side design

13 25 June 2001EB IMW Belfast Registration Binds the identity to the public key Get this wrong and there’s no point in worrying about the rest Can be logistically difficult (and expensive) –Especially with geographically dispersed population Are there opportunities to leverage another progress?

14 25 June 2001EB IMW Belfast End-User application design Native browser, applet or fat client What platforms to support? –Windows & Mac –IE & Netscape How are private keys stored & accessed –Smart card (PKCS#11) –‘Soft Key’ (PKCS#12)

15 25 June 2001EB IMW Belfast Server Side Design Performance Availability Certificate validation –OCSP vs CRL Do responses need to be signed? Accept keys and certificates from multiple CA’s or just one?

16 25 June 2001EB IMW Belfast Overall Assess the value and importance of transactions Threat and risk analysis as first step look for leverage opportunities

17 25 June 2001EB IMW Belfast Australia - Land of Contrasts Strengths –Innovative culture –Early adopters –Government sector prepared to lead –Small enough for national solutions to be viable –‘Can do’ attitude

18 25 June 2001EB IMW Belfast Australia - Land of Contrasts Weaknesses –7 + 2 Governments –Short electoral cycle –Small population base –Geographic Isolation –‘Branch Office’ Economy –Slow telecoms in rural and remote areas –‘The Tyranny of Distance’

19 25 June 2001EB IMW Belfast Gatekeeper Federal Government has provided a lead Accreditation scheme for CA’s and RA’s Mandated for Federal government agencies Also signed-up to by states (no mean feat!) Cross-recognition of Australian Identrus CA’s

20 25 June 2001EB IMW Belfast Gatekeeper - Drawbacks High barrier to entry Onerous accreditation requirements –ATO completed 33 different documents –Can be too slow for commercial requirements Focus to date has been on business –PKI for individuals still some way off But Gatekeeper2 is coming...

21 25 June 2001EB IMW Belfast Gatekeeper - Progress ATO was first to achieve full accreditation Commercial sector (eSign & Baltimore) now also fully accredited Government-sponsored standard for certificates –Contains Australian Business Number (ABN) –Can be used by businesses to deal with government at all levels –Can be issued by any accredited or cross- recognized CA –Simplifies the applications development task

22 25 June 2001EB IMW Belfast The ATO Main revenue collection authority for Commonwealth Government Collects Income Tax, GST, Excise and other taxes Approx 20,000 Staff Facing the ‘electronic challenge’ –Improve services –Reduce costs –Change the paradigm of interaction

23 25 June 2001EB IMW Belfast ATO Electronic Initiatives Agent lodged Income Tax returns via X.25 and proprietary s/w since 1991 –Now accounts for > 75% of all returns Self-lodged Income Tax returns via pre- Gatekeeper PKI-enabled ‘e-tax’ system –Now in 4th year of operation –Expect 400,000 lodgments this year

24 25 June 2001EB IMW Belfast PKI in the ATO First full Gatekeeper accreditation Support of tax Reform –GST (VAT type tax) from 1/7/2001 –New reporting regime for business Not our core business! 100k certificate pairs issued

25 25 June 2001EB IMW Belfast The ATO PKI Project Created and rolled-out an accredited PKI in less than 9 months High pressure project –Short time frame –Legislative deadline –Complex requirements Breaking new ground

26 25 June 2001EB IMW Belfast Features Rely on business registration process to feed the RA –Integrated with legacy (DB2/OS390) database Centrally-generated keys Distribution via Internet Two key pairs/certificates –Authentication (Signing) –Confidentiality (Encryption)

27 25 June 2001EB IMW Belfast Constraints Very rapid roll-out required –145,000 in first month (achieved) Security requirements on certificate download Use Baltimore technology (UniCERT) Drop dead deadline (legislative) Outsourced infrastructure

28 25 June 2001EB IMW Belfast The Good 100,000 sets of keys and certificates distributed in first year of operation 70,000 businesses registered to deal electronically Over 500,000 e-BAS’s lodged Most find process fairly straightforward Businesses appear happy with authentication and confidentiality provided Vastly lower rejection and intervention rates on e- BAS’s Quicker refunds (where payable)

29 25 June 2001EB IMW Belfast The Bad Teething problems - rapid roll-out Design issues - eg including ATO-specific data in certificate User experience (eg download) still not satisfactory Lack of perceived value to business Process to get certificates and e-BAS complex - plenty of opportunities for problems logistical delays (eg PIC mailer printing) Marketing in a saturated environment

30 25 June 2001EB IMW Belfast The Ugly Keys and certificates delivered in browser unfriendly package Changes in external S/W (eg IE 5.5 SP1) can have near-catastrophic effects Technical (il)literacy of some users Security can have serious effects on useability Data quality (esp. e-mail addresses)

31 25 June 2001EB IMW Belfast Learnings Key success factors –‘Drop dead’ deadline –Strong corporate support –Small, strongly focussed team –Exploitation of skills and knowledge of partners Pay attention to useability –Otherwise - help desk gets very busy! Understand the customer - market segmentation

32 25 June 2001EB IMW Belfast The Future - Some Questions Will PKI become universal, or is it just too hard? Is the Internet too dangerous a place to do business? Can schemes like Gatekeeper ever really succeed? Can anyone make serious money out of PKI?

33 25 June 2001EB IMW Belfast The Future - Some Answers RSA appears to be unassailable - for now –We can be confident about the technology Success of PKI depends on –Robust and trustable registration processes –Useful applications - there must be a value proposition –Making the technology transparent Australian model has significant strengths –Universal scheme –Standards based - vendor neutral –Public-Private sector partnership

34 25 June 2001EB IMW Belfast Links www.ato.gov.au www.taxreform.ato.gov.au www.ato-pki.ato.gov.au www.govonline.gov.au www.baltimore.com www.esign.com.au www.identrus.com

35 25 June 2001EB IMW Belfast Thank You

Download ppt "25 June 2001EB IMW Belfast PKI: The View from Down Under Presentation to 2001 Institutional Web Management Workshop Queen’s University Belfast Monday 25."

Similar presentations

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
PKI: A Taxing Experience Ed Bristow Technical Manager, PKI Project Australian Taxation Office 5 December 2000 Secure Foundations.

PKI: A Taxing Experience Ed Bristow Technical Manager, PKI Project Australian Taxation Office 5 December 2000 Secure Foundations.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
PKI Implementation in the Real World

PKI Implementation in the Real World
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.

Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 12 Applying Cryptography.
Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.

Exchange Network Key Management Services A Security Component February 28, 2005 The Exchange Network Node Mentoring Workshop.
Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer

Sentry: A Scalable Solution Margie Cashwell Senior Sales Engineer Sept 2000 Margie Cashwell Senior Sales Engineer

Similar presentations

Ads by Google