Pki the key to securing sensitive communications

PKI, The Key to Securing Sensitive Electronic Communications Madison College April 24, 2014 Nicholas Davis, CISSP,

description

PKI overview presentation for Madison College students, in their IT Security course.

Transcript of Pki the key to securing sensitive communications

Page 1: Pki the key to securing sensitive communications

PKI, The Key to Securing Sensitive Electronic Communications

Madison College

April 24, 2014

Nicholas Davis, CISSP, CISA, Nice Person

Page 2: Pki the key to securing sensitive communications

Agenda

• Introduction

• We will watch movies

• We will find an error in the textbook

• We will learn

• We will chat

• We will have fun

Page 3: Pki the key to securing sensitive communications

Overview

• Why is electronic privacy such a hot topic these days?

• What is a digital certificate?

• What is PKI?

• Why are these technologies important?

• Trusted Root Authorities

• Using digital certificates for email encryption

• Key Escrow, the double edged sword

• Integrating digital certificates into email for security

• How is PKI related to SSL?

• Using certificates for code signing of software

• Real world issues with PKI

• Chapter 12 top points!!!

• Discussion

Page 4: Pki the key to securing sensitive communications

Why is Electronic Privacy Such a Hot Topic Today?

• Evolution of the Internet, commerce, banking, healthcare

• Dependence on Email and other trusted electronic communications

• Government regulations, SOX, HIPAA, GLB, PCI, FERPA

• Public Image

• Business warehousing

• Industrial Espionage

• The government

Page 5: Pki the key to securing sensitive communications

The Topic is More Interesting When It Affects You!

Page 6: Pki the key to securing sensitive communications

Intercepting Your Electronic Communications

Page 7: Pki the key to securing sensitive communications

Discussion Topic One

• Do you think the threat of Email eavesdropping is real?

• What about the government’s argument about Email being like a “postcard?”

• Should Target be allowed to look at Walmart emails on a public network?

• Are you angry now, or just afraid?

• Who has the responsibility in this situation?

Page 8: Pki the key to securing sensitive communications

What is a Digital Certificate?

Page 9: Pki the key to securing sensitive communications

Digital Certificates Continued

Digital Certificate

Electronic Passport

Good for authentication

Good non-repudiation

Proof of authorship

Proof of non-altered content

Encryption!

Better than username - password

Page 10: Pki the key to securing sensitive communications

What is in a Certificate?

Page 11: Pki the key to securing sensitive communications

Public and Private Keys

The digital certificate has two parts, a PUBLIC key and a PRIVATE key

The Public Key is distributed to everyone

The Private Key is held very closely and NEVER shared

Public Key is used for encryption and verification of a digital signature

Private Key is used for digital signing and decryption

Page 12: Pki the key to securing sensitive communications

Public Key Cryptography

Page 13: Pki the key to securing sensitive communications

Getting Someone’s Public Key

The Public Key must be shared to be useful

It can be included as part of your Email signature

It can be looked up in an LDAP Directory

Can you think of the advantages and disadvantages of each method?

Page 14: Pki the key to securing sensitive communications

Who Could This Public Key Possibly Belong To?

Page 15: Pki the key to securing sensitive communications

What is PKI?

• PKI is an acronym for Public Key Infrastructure

• It is the system which manages and controls the lifecycle of digital certificates

• The PKI has many features

Page 16: Pki the key to securing sensitive communications

What Is In a PKI?

• Credentialing of individuals

• Generating certificates

• Distributing certificates

• Keeping copies of certificates

• Reissuing certificates

• Revoking certificates

• Renewing certificates

• Providing proof of validity or revocation

Page 17: Pki the key to securing sensitive communications

Credentialing

• Non technical, but the most important part of a PKI!

• A certificate is only as trustworthy as the underlying credentialing and management system

• Certificate Policies and Certificate Practices Statement

Page 18: Pki the key to securing sensitive communications

Certificate Generation and Storage

• How do you know who you are dealing with in the generation process?

• Where you keep the certificate is important

Page 19: Pki the key to securing sensitive communications

Distributing Certificates

• Can be done remotely – benefits and drawbacks

• Can be done face to face – benefits and drawbacks

Page 20: Pki the key to securing sensitive communications

Keeping Copies – Key Escrow

• Benefit – Available in case of emergency

• Drawback – Can be stolen

• Compromise is the best!

• Use Audit Trails, separation of duties and good accounting controls for key escrow

Page 21: Pki the key to securing sensitive communications

Certificate Renewal

• Just like your passport, digital certificates expire

• This is for the safety of the organization and those who do business with it

• Short lifetime – more assurance of validity but a pain to renew

• Long lifetime – less assurance of validity, but easier to manage

• Can be renewed with same keypair or new keypair depending on escrow situation

Page 22: Pki the key to securing sensitive communications

Expiration

• A rare moment for me…I get to point out an error in the textbook! (Page 418)

• A message signed with an expired private key will show as invalid to the recipient

• However, a private key can ALWAYS be used to decrypt a message, even an expired private key.

• Nobody is perfect, forgive the textbook author!

Page 23: Pki the key to securing sensitive communications

Revocation

• Just like Stefan Wahe’s driving license, it can be revoked prior to expiration

• CRL – Certificate Revocation List

• OCSP – Online Certificate Status Protocol

• Both can be real time, but CRL might be batched instead

• In practice, both are rarely used
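The expiration and revocation slides above, as an added example that is not part of the original presentation: a toy recipient-side check in Python showing that validity dates and the revocation list are enforced by whoever verifies the certificate, while the private key itself keeps decrypting after expiry. The small textbook-RSA keys, the certificate layout, the names, dates and serial number are all constructed assumptions for illustration and are not secure.

```python
import hashlib
from datetime import date

# Toy textbook RSA on small Mersenne primes: constructed for illustration, NOT secure.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def pub(key):                       # the half that goes into the certificate
    return {"n": key["n"], "e": key["e"]}

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):                # PRIVATE key: digital signing
    return pow(digest(data, key["n"]), key["d"], key["n"])

def sig_ok(public, data, sig):      # PUBLIC key: signature verification
    return pow(sig, public["e"], public["n"]) == digest(data, public["n"])

def encrypt(public, m):             # PUBLIC key: encryption (m is an int < n)
    return pow(m, public["e"], public["n"])

def decrypt(key, c):                # PRIVATE key: decryption
    return pow(c, key["d"], key["n"])

def tbs(cert):                      # the fields the CA signs
    return repr(sorted((k, v) for k, v in cert.items() if k != "ca_sig")).encode()

def issue(ca_key, serial, subject, public, not_before, not_after):
    cert = {"serial": serial, "subject": subject, **public,
            "not_before": not_before, "not_after": not_after}
    cert["ca_sig"] = sign(ca_key, tbs(cert))
    return cert

def cert_status(cert, ca_public, today, crl):
    """Recipient-side checks: issuer signature, revocation list, validity window."""
    if not sig_ok(ca_public, tbs(cert), cert["ca_sig"]):
        return "untrusted"
    if cert["serial"] in crl:
        return "revoked"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "expired"            # also returned for a not-yet-valid certificate
    return "valid"

def check_signed_mail(cert, ca_public, msg, sig, today, crl=frozenset()):
    status = cert_status(cert, ca_public, today, crl)
    if status != "valid":
        return status
    return "valid" if sig_ok(cert, msg, sig) else "altered"

# Constructed sample data (hypothetical names, dates and serial number).
CA_KEY = make_key(2**107 - 1, 2**127 - 1)
USER_KEY = make_key(2**61 - 1, 2**89 - 1)
CERT = issue(CA_KEY, 1001, "student@example.edu", pub(USER_KEY),
             date(2013, 4, 24), date(2014, 4, 23))
MSG = b"Class is cancelled on Friday."
SIG = sign(USER_KEY, MSG)

if __name__ == "__main__":
    for day in (date(2014, 1, 15), date(2014, 4, 24)):
        print(day, check_signed_mail(CERT, pub(CA_KEY), MSG, SIG, day))
    print("revoked:", check_signed_mail(CERT, pub(CA_KEY), MSG, SIG, date(2014, 1, 15), {1001}))
    # The key math ignores dates: mail encrypted to the public key still decrypts.
    print("decrypts after expiry:", decrypt(USER_KEY, encrypt(pub(USER_KEY), 424242)) == 424242)
```
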

Page 24: Pki the key to securing sensitive communications

Recovery

• No escrow = no luck

• But with escrow it must be easy, right? !!NOT!!

• Proving identity

• Getting copy from escrow

• Secure delivery to recipient

• Complex, tempting to cut corners, but resist temptation!

• The book’s idea is even more complex!

Page 25: Pki the key to securing sensitive communications

Trusted Root Authorities

• A certificate issuer recognized by all computers around the globe

• Root certificates are stored in the computer’s central certificate store

• Requires a stringent audit and a lot of money!

Page 26: Pki the key to securing sensitive communications

It Is All About Trust

Page 27: Pki the key to securing sensitive communications

Using Certificates to Secure Email

• Best use for certificates, in my opinion

• Digital certificate provides proof that the email did indeed come from the purported sender

• Public key enables encryption and ensures that the message can only be read by the intended recipient

Page 28: Pki the key to securing sensitive communications

Secure Email is Called S/MIME

• S/MIME = Secure Multipurpose Mail Extensions

• S/MIME is the industry standard, not a point solution, unique to a specific vendor

Page 29: Pki the key to securing sensitive communications

Digital Signing of Email

• Proves that the email came from you

• Invalidates plausible denial

• Proves through a checksum that the contents of the email were not altered while in transit

• Provides a mechanism to distribute your public key

Page 30: Pki the key to securing sensitive communications

Digital Signatures Do Not Prove When a Message or Document Was Signed

You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!

Page 31: Pki the key to securing sensitive communications

Send Me a Signed Email, Please, I Need Your Public Key

Page 32: Pki the key to securing sensitive communications

Using a Digital Signature for Email Signing

Provides proof that the email came from the purported sender… Is this email really from Vice President Cheney?

Provides proof that the contents of the email have not been altered from the original form… Should we really invade Mexico?

Page 33: Pki the key to securing sensitive communications

A Digital Signature Can Be Invalid For Many Reasons

Page 34: Pki the key to securing sensitive communications

Why Is Authenticating the Sender So Important?

Page 35: Pki the key to securing sensitive communications

What if This Happens at Madison College?

Could cause harm in

a critical situation

Case Scenario

Multiple hoax emails sent with Chancellor’s name and email.

When real crisis arrives, people might not believe the warning.

It is all about trust!

Page 36: Pki the key to securing sensitive communications

Digital Signing Summary

• Provides proof of the author

• Testifies to message integrity

• Valuable for both individual or mass email

• Supported by most email clients…. Remember the 80-20 rule.. Perfect is the enemy of good!

Page 37: Pki the key to securing sensitive communications

What Encryption Does

Encrypting data with a digital certificate secures it end to end.

• While in transit

• Across the network

• While sitting on email servers

• While in storage

• On your desktop computer

• On your laptop computer

• On a server

Page 38: Pki the key to securing sensitive communications

Encryption Protects the Data At Rest and In Transit

Physical theft from office

Physical theft from airport

Virtual theft over the network

Page 39: Pki the key to securing sensitive communications

Why Encryption is Important

• Keeps private information private

• HIPAA, FERPA, SOX, GLB compliance

• Proprietary research

• Human Resource issues

• Legal Issues

• PR Issues

• Industrial Espionage

• Over-intrusive Government

• You never know who is listening and watching!

Page 40: Pki the key to securing sensitive communications

What does it actually look like in practice? -Sending-

Page 41: Pki the key to securing sensitive communications

What does it actually look like in practice (unlocking my private key)

-receiving-

Page 42: Pki the key to securing sensitive communications

What does it actually look like in practice? -receiving- (decrypted)

Page 43: Pki the key to securing sensitive communications

Digitally signed and verified; Encrypted

Page 44: Pki the key to securing sensitive communications

What does it look like in practice? -receiving- (intercepted)

Page 45: Pki the key to securing sensitive communications

Intercepting the Data in Transit

• How might encrypted email be a security threat to your organization?

Page 46: Pki the key to securing sensitive communications

Digital Certificates For Machines Too

• SSL – Secure Socket Layer

• Protection of data in transit

• Protection of data at rest

• Where is the greater threat?

• Certs can protect both, but usually just in transit, and not at rest.

Page 47: Pki the key to securing sensitive communications

Benefits of Using Digital Certificates

Provide global assurance of your identity, both internally and externally to the organization

Provide assurance of message authenticity and data integrity

Keeps private information private, end to end, while in transit and storage

You don’t need to have a digital certificate to verify someone else’s digital signature

Can be used for individual or generic mail accounts.

Page 48: Pki the key to securing sensitive communications

The Telephone Analogy

When the telephone was invented, it was hard to sell.

It needed to reach critical mass and then everyone wanted one.

Page 49: Pki the key to securing sensitive communications

That All Sounds Great in Theory, But Do I Really Need It?

• The world seems to get along just fine without digital certificates…

• Oh, really?

• Let’s talk about some recent stories

Page 50: Pki the key to securing sensitive communications

We Have Internal Threats Too @ UW-Madison!

Page 51: Pki the key to securing sensitive communications

How Do Users Feel About the Technology?

• Ease of use

• Challenges

• Changes in how they do their daily work

• Benefits

• Drawbacks

Page 52: Pki the key to securing sensitive communications

It Really Is Up To You!

• Digital certificates / PKI is not hard to implement

• It provides end to end security of sensitive communications

• It is comprehensive, not a mix of point solutions

• You are the leaders of tomorrow, make your choices count by pushing for secure electronic communications!

Page 53: Pki the key to securing sensitive communications

Signatures - Evidence

• What is a signature?

• A signature is not part of the substance of a transaction, but rather, it represents an understanding, acceptance or indication of agreement

• Evidence: A signature authenticates a person by linking the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer.

• Example: Credit card receipt

Page 54: Pki the key to securing sensitive communications

Let’s Talk About Signatures

• Traditional ink and paper

• Electronic Signature vs Digital Signature

Page 55: Pki the key to securing sensitive communications

Signatures – The Three Part Process

• Ceremony, Approval and Commitment

Page 56: Pki the key to securing sensitive communications

Signatures – The Three Part Process

• Ceremony:

• The act of signing a document calls to the signer's attention the significance of the signer's act, and thereby helps prevent reckless or careless commitments

Page 57: Pki the key to securing sensitive communications

Signatures – The Three Part Process

• Approval:

• In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing, or the signer's intention that it have legal effect

Page 58: Pki the key to securing sensitive communications

Signatures – The Three Part Process

• Commitment:

• A signature on a written document often imparts a sense of clarity and finality to the transaction

Page 59: Pki the key to securing sensitive communications

Signatures

• Traditional signatures put the cart before the horse!

• How can you be certain that a mortgage application with Nicholas Davis’s signature was indeed signed by Nicholas Davis?

• As trusting people, we generally accept a written signature at face value

Page 60: Pki the key to securing sensitive communications

Signatures

• Trust – When the going gets tough, scoundrels can emerge, to challenge the signature on a document

• Verification against other documents – Assumes that you have access to other signed documents and assumes that signatures on those documents were not forged

Page 61: Pki the key to securing sensitive communications

Signature

• Before a signature can be trusted, we must have proof that the signature does truly belong to the signer

• This is not as easy as it sounds…..

Page 62: Pki the key to securing sensitive communications

Signatures – Credentialing Process

• Credentialing – An initial method of attestation to the truth of certain stated facts, such as identity.

• Example: Government photo ID, address verification or proof of your SSN#, are all attestation methods used to credential people

Page 63: Pki the key to securing sensitive communications

Signatures – Authentication Process

• Authentication – The process of verifying that a person is in fact who they claim to be

• Example: Showing your driver’s license to the guard at the front desk authenticates me as genuinely being Nicholas Davis

Page 64: Pki the key to securing sensitive communications

Signatures – Authorization Process

• Authorization -- The granting of power or authority to someone, to do something specific

• Example: The information system authorizes Nicholas Davis the rights to view certain files

Page 65: Pki the key to securing sensitive communications

Signatures -- Trust

• In order for a signature to be relied upon and trusted for authorization of a transaction, the individual presenting the signature must first be credentialed and then authenticated, prior to allowing them to authorize a transaction

• A three step process: Credentialing, Authentication, Authorization

• In the world of written signatures, organizations rarely credential or authenticate people

Page 66: Pki the key to securing sensitive communications

Signatures -- Trust

• A written signature, provided without a solid credentialing and authentication process, can make an organization and its customers vulnerable to fraudulent transactions

• To further protect the organization and our customers from fraud, we look to information technology and the use of digital signatures…..

Page 67: Pki the key to securing sensitive communications

Digital Signatures vs. Written Signatures

• A digital signature provides proof of:

  • Verified identity of the signer

  • Document integrity (The document has not been altered since it was digitally signed)

  • Non-repudiation (the signer can’t deny signing the document, as it was done with their digital certificate, which only they had access to)

• A written signature provides proof of:

  • Unverified identity of the signer

• Which type of signature provides a higher degree of trust?

Page 68: Pki the key to securing sensitive communications

Digital Signatures – A Note About Identity Theft

• As the Internet and E-Commerce continue to evolve and grow, it is important to understand what this change in business environment means

• More and more traditional business processes are being converted to online applications

• It is harder to impersonate someone in person than it is over the Internet

Page 69: Pki the key to securing sensitive communications

Digital Signatures

• Written signatures may be acceptable in person, but are impractical and risky when used in an online transaction because we can no longer associate a face with the signature

• If our processes are going digital, so must our signatures!

Page 70: Pki the key to securing sensitive communications

Digital Signatures vs Electronic Signatures

• “Electronic signature” and “Digital signature” are not synonymous.

• An electronic signature can be a symbol, sound, or process used to sign a document or transaction.

• A digital signature, on the other hand, is a secure electronic signature which uses encryption to authenticate the entity who signed the document, encapsulate document contents to protect from unauthorized alteration and provide proof of non-repudiation

Page 71: Pki the key to securing sensitive communications

Digital Signatures vs Electronic Signatures

• A digital signature is a form of an electronic signature, but an electronic signature is not necessarily a digital signature.

• Electronic signatures at best provide only questionable proof of identity, and do not provide proof of information/message integrity or non-repudiation

Page 72: Pki the key to securing sensitive communications

!!!Stop Sleeping!!!

Chapter 12 – Most Important Stuff, in the next six slides!

Page 73: Pki the key to securing sensitive communications

Types of Certificates

• Certificate Authority (CA), issues and signs other types of certs, NEVER used for other functions

• Server Certificates: Such as SSL, for identification and encryption of data for an entity

• User Certificates: Such as P12 or PFX files, for identification and encryption of data of an individual

Page 74: Pki the key to securing sensitive communications

Types of Certificates

• Object Signing Certificates: Used by an entity to sign software code, to prove origin and integrity.

• Signature Verification Certificates: Object or user certificate WITHOUT the signing key

• DCM = Digital Certificate Manager, stores and organizes all of your certificates

Page 75: Pki the key to securing sensitive communications

PKI Components

• Certificate Authority (CA): Issues and verifies certificates

• Registration Authority (RA): Verifies identity and enrolls a requestor, (machine or human)

• Revocation Mechanism: CRL or OCSP

• Publishing methods: Directories, databases, email, even floppy disk.

Page 76: Pki the key to securing sensitive communications

PKI Components

• Certificate Management System: CA, RA, CRLs, etc, all together, to keep track of certificates and their status, and change status, if necessary.

• MOST important: PKI aware applications, such as S/MIME email, or Microsoft Word.

Page 77: Pki the key to securing sensitive communications

PKI Management Tasks

• Identity verification

• Certificate issuance

• Certificate validity checking

• Certificate renewal

• Certificate revocation

• Certificate escrow

• Certificate recovery

Page 78: Pki the key to securing sensitive communications

Transport Protocols

• SSL: Developed by Netscape, 1996

• TLS: Variation of SSL (RFC 2246)

• HTTPS: Web server, Port 443, built into MOST browsers

• SSH: Secure Shell, TCP Port 22

• SFTP: Secure File Transfer

• SCP: Secure File Copy

• IPSEC: TCP layer 3 packet encryption RFC 4301-4309