What is a Digital Certificate? A digital certificate is an electronic credential, which can be thought of as an electronic passport with extra benefits. Based on global X.509 standard –Provides ID proof –Issued by a trusted authority –Not possible to forge –A single file with two distinct parts
What Does a Digital Certificate Look Like? (Two Parts) -----BEGIN CERTIFICATE----- MIIDXTCCAsagAwIBAgICAwcwDQYJKoZIhvcNAQEFBQAwgYkxCzAJBgNVBAYTAlVT MSswKQYDVQQKEyJEaXZpc2lvbiBvZiBJbmZvcm1hdGlvbiBUZWNobm9sb2d5MSM wIQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgLSBTdHVkZW50czEoMCYGA1UEAxMf VW5pdmVyc2l0eSBvZiBXaXNjb25zaW4tTWFkaXNvbjAeFw0wNzA0MDQxODExMjla Fw0wODA2MjgxODExMjlaMIHrMQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lzY2 9uc2luMRAwDgYDVQQHEwdNYWRpc29uMSgwJgYDVQQKEx9Vbml2ZXJzaXR5IG9 mIFdpc2NvbnNpbi1NYWRpc29uMSMwIQYDVQQLExpGYWN1bHR5IC0gU3RhZmYgL SBTdHVkZW50czEQMA4GA1UECxMHVG9rZW4gLTErMCkGA1UEAxMiTGV0dGVycyB hbmQgU2NpZW5jZSBIb25vcnMgUHJvZ3JhbTEoMCYGCSqGSIb3DQEJARYZaG9ub3 JzQGhvbm9ycy5scy53aXNjLmVkdTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgY EAnno7RR1cJwwGE5A7Sd466tWM9qNDVuq5qpUtsvQq5Z+HoUZ3g2Z1+0wmXSZ vBydOcjGT3U4hSnahShQeYls7C7zXYcELUV0WVEvwjy3zmDWXp01Tol9IYrT8tAWR BcNpVDrRYmYlVqly31OHabJWqTAnLemfSmm/3COOunqAr6MCAwEAAaNwMG4wD gYDVR0PAQH/BAQDAgXgMDsGA1UdHwQ0MDIwMKAuoCyGKmh0dHA6Ly9jcmwuZ 2VvdHJ1c3QuY29tL2NybHMvd2lzY29uc2luLmNybDAfBgNVHSMEGDAWgBQcnlJSG wRiRyxrLAG4afGpNywjJDANBgkqhkiG9w0BAQUFAAOBgQC5LrMkMlBWuXuIlFKCjfS 98LSdpgBPRWwYRLWk9HzdPeu0WpvHf0zVW4fx/F+RBFsDNaJWTbF02FFz+mSFbFl h6cLIbeMOmX96twZ/2ZX3/B1WtwYKXmxgLk1Vs9UAmssn/vPRO2pnMd6XlFZ+fRjI DzrSATsl0e0zciecP860 HQ== -----END CERTIFICATE-----
Two Parts, Public and Private Keys Public key is used to encrypt data intended for Nicholas Davis and to verify his digital signature. Public key is published in LDAP directory and is available to everyone Private key is used by Nicholas Davis to decrypt data which was encrypted for him and for him to digitally sign things. Kept private, only one copy of this key.
With Do We Do With Our ID We gain physical access to secure places We perform secure electronic transactions Digital certificates can do both, better than other systems
Building Access Example Nicholas digitally signs a request to enter a building by placing his card in a reader outside the building Authenticating system takes his digital signature and computes validity based on Nicholass public key, also checks validity period, makes decision
Secure Transaction Example Nicholas Davis wants to drop a class, uses browser to log in to system, by sending a digital signature System verifies digital signature, grants or denies access to resources, similar to way WebISO works
How Does One Get a Digital Certificate? Currently applies through DoIT Tech Store User then downloads certificate via their browser Saves on PC or on secure hardware token/card Certificates can also be generated in batch and placed directly on token
What can be done with a digital certificate? Authenticate to computers, networks and applications Digitally sign, legally enforceable Encrypt data, email and docuemnts Control physical access
Revoking a Certificate Certificates expire after a set period of time called the validity period Can be revoked beforehand as well Check the CRL to see if the certificate has been revoked Certificate can also be renewed prior to expiration
A 10,000 Foot View of Campus ID Systems Campus has no authoritative ID Multiple systems, which dont directly communicate with each other How can we manage an identity when one single identity does not exist?
Student/Faculty/Staff ID Card A Stalkers Delight! ID number Photo Student/Faculty/Staff Designation Bar code Magnetic stripe / Wiscard Cost? Not safe! –Easily copied –Easily used if stolen –Too much personal information on card
UW Police Building Access Card HID iClass RFID proximity based card Controls physical access to buildings Cost? True Security? Single factor vs. Dual Factor
Parking Permit Issued by FP&M Magnetic stripe Controls Access to parking ramps Reissued every year Security? Cost?
NetID Issued by DoIT Controls access to many UW- Madison electronic resources Security? Cost?
Kerberos Controls access to computer lab machines Kiosks remain unprotected around campus Cost? Other uses?
Digtial Certificates Currently used for email, document and PDF digital signing and encryption Cost?
Why are these systems discrete? Different technologies Different storage devices Distributed ownership of associated systems Different cost centers for funding Why not bring them all together?
Why not bring them All Together? Cost Loss of control Incompatible technologies Legacy Systems So, what can be done?
Consolidate & Converge It is possible to consolidate these technologies onto one card today! Saves us nothing, actually costs more! Such a Common Access Card (CAC) could contain all technologies in use around campus at the present time which makes the users happy, but makes us sad
Common Card is Nice--But Consolidating on one card is nice for end user but results in wastage Many faculty/staff and students will NEVER need a card with an HID core on it or a parking permit The key is to find ONE technology that everyone on campus can use, not one card with a different technology for each person
To Save Money, We Need One Common Technology HID works for physical access, trustworthy, but does nothing else Magnetic stripe good for access control and cheap, but is easily copied Bar code, nice for checking out books from library, but wont work in parking or building access due to ease of copying None of these address electronic access
What We Need Something which can be centrally generated and managed locally Something secure Something that controls physical access Something that controls electronic access Something that can be audited Something that can be real time if we want it to be
What We Need Something that EVERY application can use Something that binds our physical identity to our electronic identity Something that is easy to manage and can be user self service or delegated administration
Making Our Systems Cheaper One card means fewer distinct administrators of system needed Customer can get building access added to their card from their home computer because we trust it is REALLY them at their home computer
Digital Certificates Can Do Everything and Do It More Securely All physical access, parking, buildings, etc All property access, Wiscard vending, library book checkout All electronic access, my.wisc.edu, WebISO for web apps Cant be stolen
Decisions About Bucky Can Be Made Based on Certificate Contents Verify it really is Bucky based on his digital signature Add Buckys public key to the groups you want him in Make a yes/no decision based on validity of Buckys signature and which groups he is in
Digital Ceritifcates Can Do New Things Too Allow people to encrypt email Allow people to encrypt files to protect intellectual property Allow people to digitally sign email to Wisconsin State Government legal standards HIPAA, FERPA, GLB, PHI compliance – PRIVACY!
Everything is Related UW Police Access scenario System only as strong as weakest link. Electronic ID verification is related to physical security Same system that secures communications could also be system that controls access to buildings
So What is Involved? Lots of work to do Issuing certificates Getting them on secure devices Upgrading applications to use WebISO for certificate based access Upgrading physical readers to read certificate based cards Educating campus
Did Someone Say Cost? More expensive than current UW Photo ID Less expensive than current UW Photo ID + UWPD ID + Digital Certificate Token + Parking Permit
A Standard is Established For the Future Every student and every faculty/staff member gets one when they enter UW-Madison, addressing issue of how the cards are distributed They can use the card for any application they wish, electronic or physical
Why Should Digital Certificates Be the Standard? They can authenticate users both physically and electronically Digital certificates allow digital signing and encryption, not offered by other technologies. Expiration dates can be extended remotely (Pay your tuition online and the system extends the validity of your certificate by 6 months, without you ever leaving home) Stronger than username and password, as digital certificates cant be shared or unknowingly stolen, secure
Digital Certificates Can Do Everything that All Current ID Methods Do Building (Authentication) Parking (Authentication) Wiscard (Authentication) Library (Authentication) Digital signing (non repudiation) Encrypted communication via enail Protecting data (file and whole disk encryption) my.wisc.edu (electronic applications) Computer labs Kiosks
What New Things Can Digital Certificates Do? Guest access to UW facilities with short term limits Help us comply with HIPAA and FERPA Provide true real time issuance and revocation Provide distance issuance, great for incoming students! Provide centralized issuance and delegated administration Decrease manual processes Increase security – Username and password has to go if we want to advance our applications and user self service
If Digital Certificates Are So Great, Why Dont I See Them Everywhere? How powerful is the telephone? How widely adopted was it when it was first introduced When you control the environment, you can make the telephone a must have
Who Else Uses Digital Certificates in Higher Ed? Dartmouth University of Virginia University of Texas University of Michigan MIT Used to control electronic Access
Who Outside of Higher Ed Uses Digital Certificates? US Department of Defense All European Union Countries Johnson & Johnson Disney Used for physical access control
What is in it for us? Save money long term Reduce complexity for end Users Provide better security Enable new functionality National recognition as a leader in this area of Identity Management Gives us a single authoritative campus identity to manage in our IDM system
Important Willingness of EVERYONE to accept that some departments will derive more benefit, some less, but overall, reduces work, decreases long term costs, makes life easier for users, increases security, adds new functionality, decreases manual labor and beginning of semester crunch for UW-Madison Systems
What We Know So Far Today we can consolidate all major ID cards, having a quick and somewhat easy win for the users Common Access Card costs $10 to $60 depending on vendor and quantity
Evolution Not Revolution No major price shock associated with overhauling all current systems at once Can phase out old systems as budget will allow Users see immediate benefits UW-Madison sees benefits both immediately and over time
User Scenario Logs into computer in lab Signs up for classes Pays tuition Validates ID for 6 months, getting access to all facilities Parks in ramp Goes to SERF, sprains ankle Sends HIPAA related email to doctor All done with a combination of current technologies on a common card this year……In 5 years time, it could evolve application by application to be all digital certificate based
Historic One Time Opportunity If we only go part way, simply moving current technologies onto a single card, but not establishing a single technology standard, we will have played our best card without getting anything in return
An Even Trade Users want a single card We want simple, more secure administration and new features The only time campus will accept a new standard is when we change form factor, not afterwards
Next Steps Standardize on a single form factor containing all old technologies + digital certificates even if no applications use the digital certificate at first Begin to migrate applications one by one. Since the cert will already be on card, migration will be seamless to end users and less painful for us
How Can I Help? Ive kind of been here before This is the most exciting opportunity I could imagine I dont have all the questions (Thats your job) I dont know all the answers (but I will work hard to find them) Please let me know what I can do, research, presentations, demonstrations, find out answers to questions, vendor communications, etc?