Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Certificates Securing Email Communication Nicholas Davis, IS Consultant/Admin DoIT Middleware.

Published byLeo Marsh Modified over 9 years ago

Similar presentations

Presentation on theme: "Digital Certificates Securing Email Communication Nicholas Davis, IS Consultant/Admin DoIT Middleware."— Presentation transcript:

1 Digital Certificates Securing Email Communication Nicholas Davis, IS Consultant/Admin DoIT Middleware

2 Overview What are digital certificates? What can digital certificates be used for? How could digital certificates have been used avoid data theft at Ameritrade? Other methods of authentication Social Engineering Summary & Discussion

3 What is a Digital Certificate? A digital certificate can be thought of as an electronic passport It is used it to digitally sign email and documents It’s components can be used to encrypt email and attachments for end to end security. It can secure databases and other server data

4 Public Key Cryptography

5 Digital Certificates Functions Authentication – Proof that you are who you claim to be Encryption – encoding information in such a way as to make it unreadable Non-repudiation – Inability to deny having sent specific information or having accessed a specific system Data Integrity – Proof that the data has not been altered since it was originally sent

6 Public Key Cryptography A digital certificate is made up of two keys, a private key and a public key Public key is used for encrypting and verifying a person’s digital signature Private key is used for decrypting and digitally signing

7 Digital Certificates Are For Machines Too SSL – Secure Socket Layer Protection of data in transit Protection of data at rest Where is the greater threat?

8 Using a Digital Signature for Email Signing Provides proof that the email came from the purported sender (Authenticating the user) Provides proof that the contents of the email have not been altered from the Original form (Message Integrity)

9 Why Is Authenticating the Sender So Important?

10 What if This Happens at UW- Madison? Could cause harm in a critical situation Case Scenario Multiple hoax emails sent with Chancellor’s name and email. When real crisis arrives, people might not believe the warning. It is all about trust!

11 Digital Signing Summary Provides proof of the author Testifies to message integrity Valuable for both individual or mass email Supported by Wiscmail Web client (used by 80% of students)

12 What Encryption Does Encrypting data with a digital certificate secures It end to end. While in transit Across the network While sitting on email servers While in storage On your desktop computer On your laptop computer On a server

13 Encryption Protects the Data Physical theft from office Physical theft from airport Virtual theft over the network

14 Why Encryption is Important Keeps private information private HIPAA, FERPA, SOX, GLB Proprietary research Human Resource issues Legal Issues PR Issues

15 Where is my Certificate Stored? You digital certificate is stored either on your machine or on a cryptographic USB hardware device Dual factor authentication

16 What does it actually look like in practice? -Sending-

17 What does it actually look like in practice (unlocking my private key) -receiving-

18 What does it actually look like in practice? -receiving- (decrypted)

19 Digitally signed and verified; Encrypted

20 What does it actually look like in practice? -receiving- (intercepted)

21 Benefits of Using Digital Certificates Provide global assurance of your identity, both internally and externally to the UW-Madison Provide assurance of message authenticity and data integrity Keeps private information private, end to end, while in transit and storage You don’t need to have a digital certificate To verify someone else’s digital signature Can be used for individual or generic mail accounts.

22 Who Uses Digital Certificates at UW-Madison? DoIT UW Police and Security Office of the Registrar Office of Financial Aid Office of Admissions Primate Research Lab Medical School Others

23 Who Uses Digital Certificates Besides UW-Madison? US Department of Defense US Department of Homeland Security All Western European countries Dartmouth College University of Texas at Austin Johnson & Johnson Raytheon Others

24 The Telephone Analogy When the telephone was invented, it was hard to sell. It needed to reach critical Mass and then everyone wanted One.

25 That All Sounds Great In Theory…..But The world seems to get along just fine without digital certificates… Oh, really? Let’s talk about Ameritrade

26 1971, Ameritrade is founded Provides securities brokerage services and technology-based financial services 2006, TD Ameritrade reported more than 6.2 million accounts and average client trades of 216,970 per day. The company had $276 billion in client assets. Summer, 2007, Ameritrade customers begin receiving stock pump and dump spam September 14, 2007, Ameritrade states that it has found and removed “unauthorized code” from one of its databases. What went wrong? How could it have been avoided? Are legacy systems to blame?

27 Unauthorized code in database allowed names and mailing addresses to be harvested and used for spamming investment related email How did this code get there? Ameritrade claims that the investigation is ongoing and that they don’t have all the facts yet….You decide who is responsible.

28 Are Usernames and Passwords to blame? Why do we have usernames and passwords? Authenticate and Authorize, control access rights Why are usernames and passwords a bad idea? Theft, sniffing, shoulder surfing, brute force attacks, concurrent usage, intentional sharing to thwart technical controls. Would authenticating with digital certificates have helped?

29 Digital Certificates vs. Passwords Password = something you know Digital Certificate = something you have Digital Certificate on a hardware token = dual factor authentication

30 Database Information Storing data in the clear Storing data in encrypted form Both have their advantages Could Ameritrade had benefited from using an encrypted database?

31 Summary of Ameritrade Issue Using a digital certificate for authentication would have provided additional assurance Using a digital certificate to encrypt the data within the database Dual tiered approach to data protection

32 Other Authentication Technologies Proximity Based Authentication Biometrics One Time Password devices

33 Proximity Based Authentication and Authorization Usually radio- frequency responders Base station recognizes token Communicates with access-control system Initiates automatic logon Can have two-factor authentication Immediate screen lock when user leaves

34 One Time Password Devices RSA SecurID Addresses many username/password concerns Time based Event based Only good for authentication

35 Social Engineering Threats If you insist on username/password, beware of: –Threatening behavior –Authoritarian behavior –Flattery

36 The Importance of Maintaining a Trusted Network Control who has access to your systems with dual factor authentication Do daily data comparisons Keep critical data encrypted when possible Apply patches and updates Look at the logs regularly

37 Question and Answer Session ndavis1@wisc.edu As you seek to find the truth, don’t forget to protect your information!

Download ppt "Digital Certificates Securing Email Communication Nicholas Davis, IS Consultant/Admin DoIT Middleware."

Similar presentations

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.

Introduction to PKI Mark Franklin September 10, 2003 Dartmouth College PKI Lab.
Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.

Securing Data Storage Protecting Data at Rest Advanced Systems Group Dell Computer Asia Ltd.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School

Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.

Identity Management and PKI Credentialing at UTHSC-H Bill Weems Academic Technology University of Texas Health Science Center at Houston.
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

Similar presentations

Ads by Google