SlideShare una empresa de Scribd logo

Pki the key to securing sensitive communications

Nicholas Davis
Nicholas Davis

PKI overview presentation for Madison College students, in their IT Security course.

Tecnología
1 de 79
Descargar para leer sin conexión
PKI, The Key to Securing Sensitive Electronic Communications Madison College April 24, 2014 Nicholas Davis, CISSP, CISA, Nice Person
Agenda • Introduction • We will watch movies • We will find an error in the textbook • We will learn • We will chat • We will have fun
Overview Why is electronic privacy such a hot topic these days? What is a digital certificate? What is PKI? Why are these technologies important? Trusted Root Authorities Using digital certificates for email encryption Key Escrow, the double edged sword Integrating digital certificates into email for Security How is PKI related to SSL? Using certificates for code signing of software Real world issues with PKI Chapter 12 top points!!! Discussion
Whay is Electronic Privacy Such a Hot Topic Today? • Evolution of the Internet, commerce, banking, healt hcare • Dependence on Email and other trusted electronic communications • Government regulations, SOX, HIPAA, GLB, P CI, FERPA • Public Image • Business warehousing
The Topic is More Interesting When It Affects You!
Intercepting Your Electronic Communications
Discussion Topic One • Do you think the threat of Email eavesdropping is real? • What about the government’s argument about Email being like a “postcard?” • Should Target be allowed to look at Walmart emails on a public network? • Are you angry now, or just afraid? • Who has the responsibility in this situation?
What is a Digital Certificate?
Digital Certificates Continued Digital Certificate Electronic Passport Good for authentication Good non-repudiation Proof of authorship Proof of non-altered content Encryption! Better than username - password
What is in a Certificate?
Public and Private Keys The digital certificate has two parts, a PUBLIC key and a PRIVATE key The Public Key is distributed to everyone The Private Key is held very closely And NEVER shared Public Key is used for encryption and verification of a digital signature Private Key is used for Digital signing and decryption
Public Key Cryptography
Getting Someone’s Public Key The Public Key must be shared to be Useful It can be included as part of your Email signature It can be looked up in an LDAP Directory Can you think of the advantages and disadvantages of each method?
Who Could This Public Key Possibly Belong To?
What is PKI? • PKI is an acronym for Public Key Infrastructure • It is the system which manages and controls the lifecycle of digital certificates • The PKI has many features
What Is In a PKI? • Credentialing of individuals • Generating certificates • Distributing certificates • Keeping copies of certificates • Reissuing certificates • Revoking certificates • Renews certificates • Providing proof of validity or revocation
Credentialing • Non technical, but the most important part of a PKI! • A certificate is only as trustworthy as the underlying credentialing and management system • Certificate Policies and Certificate Practices Statement
Certificate Generation and Storage • How do you know who you are dealing with in the generation process? • Where you keep the certificate is important
Distributing Certificates • Can be done remotely – benefits and drawbacks • Can be done face to face – benefits and drawbacks
Keeping Copies – Key Escrow • Benefit – Available in case of emergency • Drawback – Can be stolen • Compromise is the best! • Use Audit Trails, separatio n of duties and good accounting controls for key escrow
Certificate Renewal • Just like your passport, digital certificates expire • This is for the safety of the organization and those who do business with it • Short lifetime – more assurance of validity but a pain to renew • Long lifetime – less assurance of validity, but easier to manage • Can be renewed with same keypair or new keypair depending on escrow situation
Expiration • A rare moment for me…I get to point out and error in the textbook! (Page 418) • A message signed with an expired private key will show as invalid to the recipient • However, a private key can ALWAYS be used to decrypt a message, even an expired private key. • Nobody is perfect, forgive the textbook author!
Revocation • Just like Stefan Wahe’s dirving license, it can be revoked prior to expiration • CRL – Certificate Revocation List • OCSP – Online Certificate Status Protocol • Both cam be real time, but CRL might be batched instead • In practice, both are rarely used
Recovery • No escrow = no luck • But with escrow it must be easy, right? !!NOT!! • Proving identity • Getting copy from escrow • Secure delivery to recipient • Complex, tempting to cut corners, but resist temptation! • The book’s idea is even more complex!
Trusted Root Authorities • A certificate issuer recognized by all computers around the globe • Root certificates are stored in the computer’s central certificate store • Requires a stringent audit and a lot of money!
It Is All About Trust
Using Certificates to Secure Email • Best use for certificates, in my opinion • Digital certificate provides proof that the email did indeed come from the purported sender • Public key enables encryption and ensures that the message can only be read by the intended recipient
Secure Email is Called S/MIME • S/MIME = Secure Multipurpose Mail Extensions • S/MIME is the industry standard, not a point solution, unique to a specific vendor
Digital Signing of Email • Proves that the email came from you • Invalidates plausible denial • Proves through a checksum that the contents of the email were not altered while in transit • Provides a mechanism to distribute your public key
Digital Signatures Do Not Prove When a Message or Document Was Signed You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!
Send Me a Signed Email, Please, I Need Your Public Key
Using a Digital Signature for Email Signing Provides proof that the email came from the purported sender…Is this email really from Vice President Cheney? Provides proof that the contents of the email have not been altered from the original form…Should we really invade Mexico?
A Digital Signature Can Be Invalid For Many Reasons
Why Is Authenticating the Sender So Important?
What if This Happens at Madison College? Could cause harm in a critical situation Case Scenario Multiple hoax emails sent with Chancellor’s name and email. When real crisis arrives, people might not believe the warning. It is all about trust!
Digital Signing Summary • Provides proof of the author • Testifies to message integrity • Valuable for both individual or mass email • Supported by most email clients….Remember the 80-20 rule..Perfect in the enemy of good!
What Encryption Does Encrypting data with a digital certificate Secures it end to end. • While in transit • Across the network • While sitting on email servers • While in storage • On your desktop computer • On your laptop computer • On a server
Encryption Protects the Data At Rest and In Transit Physical theft from office Physical theft from airport Virtual theft over the network
Why Encryption is Important • Keeps private information private • HIPAA, FERPA, SOX, GLB compliance • Proprietary research • Human Resource issues • Legal Issues • PR Issues • Industrial Espionage • Over-intrusive Government • You never know who is listening and watching!
What does it actually look like in practice? -Sending-
What does it actually look like in practice (unlocking my private key) -receiving-
What does it actually look like in practice? -receiving- (decrypted)
Digitally signed and verified; Encrypted
What does it look like in practice? -receiving- (intercepted)
Intercepting the Data in Transit • How might encrypted email be a security threat to your organization?
Digital Certificates For Machines Too • SSL – Secure Socket Layer • Protection of data in transit • Protection of data at rest • Where is the greater threat? • Certs can protect both, but usually just in transit, and not at rest.
Benefits of Using Digital Certificates Provide global assurance of your identity, both internally and externally to the organization Provide assurance of message authenticity and data integrity Keeps private information private, end to end, while in transit and storage You don’t need to have a digital certificate To verify someone else’s digital signature Can be used for individual or generic mail accounts.
The Telephone Analogy When the telephone was invented, it was hard to sell. It needed to reach critical mass and then everyone wanted one.
That All Sounds Great in Theory, But Do I Really Need It? • The world seems to get along just fine without digital certificates… • Oh, really? • Let’s talk about some recent stories
We Have Internal Threats Too @ UW-Madison!
How Do Users Feel About the Technology? • Ease of use • Challenges • Changes in how they do their daily work • Benefits • Drawbacks
It Really Is Up To You! • Digital certificates / PKI is not hard to implement • It provides end to end security of sensitive communications • It is comprehensive, not a mix of point solutions • You are the leaders of tomorrow, make your choices count by pushing for secure electronic communications!
Signatures - Evidence • What is a signature? • A signature is not part of the substance of a transaction, but rather, it represents an understanding, acceptance or indication of agreement • Evidence: A signature authenticates a person by linking the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer. • Example: Credit card receipt
Let’s Talk About Signatures • Traditional ink and paper • Electronic Signature vs Digital Signature
Signatures – The Three Part Process • Ceremony, Approval and Commitment
Signatures – The Three Part Process • Ceremony: • The act of signing a document calls to the signer's attention the significance of the signer's act, and thereby helps prevent reckless or careless commitments
Signatures – The Three Part Process • Approval: • In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing, or the signer's intention that it have legal effect
Signatures – The Three Part Process • Commitment: • A signature on a written document often imparts a sense of clarity and finality to the transaction
Signatures • Traditional signatures put the cart before the horse! • How can you be certain that a mortgage application with Nicholas Davis’s signature was indeed signed by Nicholas Davis? • As trusting people, we generally accept a written signature at face value
Signatures • Trust – When the going gets tough, scoundrels can emerge, to challenge the signature on a document • Verification against other documents – Assumes that you have access to other signed documents and assumes that signatures on those documents were not forged
Signature • Before a signature can be trusted, we must have proof that the signature does truly belong to the signer • This is not as easy at it sounds…..
Signatures – Credentialing Process • Credentialing – An initial method of attestation to the truth of certain stated facts, such as identity. • Example: Government photo ID, address verification or proof of your SSN#, are all attestation methods used to credential people
Signatures – Authentication Process • Authentication – The process of verifying that a person is in fact who they claim to be • Example: Showing your driver’s license to the guard at the front desk authenticates me as genuinely being Nicholas Davis
Signatures – Authorization Process • Authorization -- The granting of power or authority to someone, to do something specific • Example: The information system authorizes Nicholas Davis the rights to view certain files
Signatures -- Trust • In order for a signature to be relied upon and trusted for authorization of a transaction, the individual presenting the signature must first be credentialed and then authenticated, prior to allowing them to authorize a transaction • A three step process: Credentialing, Authentication, Authorization • In the world of written signatures, organizations rarely credential or authenticate people
Signatures -- Trust • A written signature, provided without a solid credentialing and authentication process, can make an organization and its customers vulnerable to fraudulent transactions • To further protect the organization and our customers from fraud, we look to information technology and the use of digital signatures…..
Digital Signatures vs. Written Signatures • A digital signature provides proof of: • Verified identity of the signer • Document integrity (The document has not been altered since it was digitally signed) • Non-repudiation (the signer can’t deny signing the document, as it was done with their digital certificate, which only they had access to) • A written signature provides proof of: • Unverified identity of the signer • Which type of signature provides a higher degree of trust?
Digital Signatures – A Note About Identity Theft • As the Internet and E-Commerce continue to evolve and grow, it is important to understand what this change in business environment means • More and more traditional business processes are being converted to online applications • It is harder to impersonate someone in person than it is over the Internet
Digital Signatures • Written signatures may be acceptable in person, but are impractical and risky when used in an online transaction because, we no longer can associate a face with the signature • If our processes are going digital, so must our signatures!
Digital Signatures vs Electronic Signatures • “Electronic signature” and “Digital signature” are not synonymous. • An electronic signature can be a symbol, sound, or process used to sign a document or transaction. • A digital signature, on the other hand, is a secure electronic signature which uses encryption to authenticate the entity who signed the document, encapsulate document contents to protect from unauthorized alteration and provide proof of non-repudiation
Digital Signatures vs Electronic Signatures • A digital signature is a form of an electronic signature, but an electronic signature is not necessarily a digital signature. • Electronic signatures at best provide only questionable proof of identity, and do not provide proof of information/message integrity or non-repudiation
!!!Stop Sleeping!!! Chapter 12 – Most Important Stuff, in the next six slides!
Types of Certificates • Certificate Authority (CA), issues and signs other types of certs, NEVER used for other functions • Server Certificates: Such as SSL, for identification and encryption of data for an entity • User Certificates: Such as P12 or PFX files, for identification and encryption of data of an individual
Types of Certificates • Object Signing Certificates: Used by an entity to sign software code, to prove origin and integrity. • Signature Verification Certificates: Object or user certificate WITHOUT the signing key • DCM = Digital Certificate Manager, stores and organizes all of your certificates
PKI Components • Certificate Authority (CA): Issues and verifies certificates • Registration Authority (RA): Verifies identity and enrolls a requestor, (machine or human) • Revocation Mechanism: CRL or OCSP • Publishing methods: Directories, databases, email, even floppy disk.
PKI Components • Certificate Management System: CA, RA, CRLs, etc, all together, to keep track of certificates and their status, and change status, if necessary. • MOST important: PKI aware applications, such as S/MIME email, or Microsoft Word.
PKI Management Tasks • Identity verification • Certificate issuance • Certificate validity checking • Certificate renewal • Certificate revocation • Certificate escrow • Certificate recovery
Transport Protocols • SSL: Developed by Netscape, 1996 • TLS: Variation of SSL (RFC 2246) • HTTPS: Web server, Port 443, built into MOST browsers • SSH: Secure Shell, TCP Port 22 • SFTP: Secure File Transfer • SCP: Secure File Copy • IPSEC: TCP layer 3 packet encryption RFC 4301-4309
How Can I Help You? ndavis1@wisc.edu Tel. 608-347-2486

Recomendados

Pki & Personal Digital Certificates, The Key To Securing Sensitive Electr...
Pki & Personal Digital Certificates, The Key To Securing Sensitive Electr...Pki & Personal Digital Certificates, The Key To Securing Sensitive Electr...
Pki & Personal Digital Certificates, The Key To Securing Sensitive Electr...Nicholas Davis
 
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...
Pki & Personal Digital Certificates, Securing Sensitive Electronic Commun...Nicholas Davis
 
Cryptography
CryptographyCryptography
CryptographyNicholas Davis
 
Securing Email And Electronic Documents With Digital Certificates, By Nichola...
Securing Email And Electronic Documents With Digital Certificates, By Nichola...Securing Email And Electronic Documents With Digital Certificates, By Nichola...
Securing Email And Electronic Documents With Digital Certificates, By Nichola...Nicholas Davis
 
Authentication Technologies
Authentication TechnologiesAuthentication Technologies
Authentication TechnologiesNicholas Davis
 
Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Authenticationtechnologies 120711134100-phpapp01
Authenticationtechnologies 120711134100-phpapp01Hai Nguyen
 
Enhancing Learner Mobility with SSI & Portable Digital Credentials
Enhancing Learner Mobility with SSI & Portable Digital CredentialsEnhancing Learner Mobility with SSI & Portable Digital Credentials
Enhancing Learner Mobility with SSI & Portable Digital CredentialsEvernym
 
Pki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinPki Digital Id Itmc University Wisconsin
Pki Digital Id Itmc University WisconsinNicholas Davis
 

Más contenido relacionado

Similar a Pki the key to securing sensitive communications

Pki & personal digital certificates, the key to securing sensitive electronic...
Pki & personal digital certificates, the key to securing sensitive electronic...Pki & personal digital certificates, the key to securing sensitive electronic...
Pki & personal digital certificates, the key to securing sensitive electronic...Nicholas Davis
 
Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Nicholas Davis
 
Securing email and electronic documents with digital certificates, by nichola...
Securing email and electronic documents with digital certificates, by nichola...Securing email and electronic documents with digital certificates, by nichola...
Securing email and electronic documents with digital certificates, by nichola...Nicholas Davis
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologiesNicholas Davis
 
Using Digital Certificates To Secure Sensitive Communications At Uw Madison
Using Digital Certificates To Secure Sensitive Communications At Uw MadisonUsing Digital Certificates To Secure Sensitive Communications At Uw Madison
Using Digital Certificates To Secure Sensitive Communications At Uw MadisonNicholas Davis
 
Using digital certificates to secure sensitive communications at uw madison
Using digital certificates to secure sensitive communications at uw madisonUsing digital certificates to secure sensitive communications at uw madison
Using digital certificates to secure sensitive communications at uw madisonNicholas Davis
 
Healthcare information security secure sensitive communications within the ...
Healthcare information security secure sensitive communications within the ...Healthcare information security secure sensitive communications within the ...
Healthcare information security secure sensitive communications within the ...Nicholas Davis
 
Healthcare Information Security Secure Sensitive Communications Within The ...
Healthcare Information Security Secure Sensitive Communications Within The ...Healthcare Information Security Secure Sensitive Communications Within The ...
Healthcare Information Security Secure Sensitive Communications Within The ...Nicholas Davis
 
Public Key Infrastructures
Public Key InfrastructuresPublic Key Infrastructures
Public Key InfrastructuresZefren Edior
 
How to secure your emails for sensitive docs
How to secure your emails for sensitive docsHow to secure your emails for sensitive docs
How to secure your emails for sensitive docsDavid Strom
 
Digital signature service in noida
Digital signature service in noidaDigital signature service in noida
Digital signature service in noidaDSC Delhi
 
#OSSPARIS19 - TLS for dummies - MAXIME BESSON, Worteks
#OSSPARIS19 - TLS for dummies - MAXIME BESSON, Worteks#OSSPARIS19 - TLS for dummies - MAXIME BESSON, Worteks
#OSSPARIS19 - TLS for dummies - MAXIME BESSON, WorteksParis Open Source Summit
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for DummiesWorteks
 
Digital signature
Digital signatureDigital signature
Digital signatureJanani S
 

Similar a Pki the key to securing sensitive communications (20)

Pki & personal digital certificates, the key to securing sensitive electronic...
Pki & personal digital certificates, the key to securing sensitive electronic...Pki & personal digital certificates, the key to securing sensitive electronic...
Pki & personal digital certificates, the key to securing sensitive electronic...
 
Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...Pki & personal digital certificates, securing sensitive electronic communicat...
Pki & personal digital certificates, securing sensitive electronic communicat...
 
Securing email and electronic documents with digital certificates, by nichola...
Securing email and electronic documents with digital certificates, by nichola...Securing email and electronic documents with digital certificates, by nichola...
Securing email and electronic documents with digital certificates, by nichola...
 
Cryptography
CryptographyCryptography
Cryptography
 
Authentication technologies
Authentication technologiesAuthentication technologies
Authentication technologies
 
Using Digital Certificates To Secure Sensitive Communications At Uw Madison
Using Digital Certificates To Secure Sensitive Communications At Uw MadisonUsing Digital Certificates To Secure Sensitive Communications At Uw Madison
Using Digital Certificates To Secure Sensitive Communications At Uw Madison
 
Using digital certificates to secure sensitive communications at uw madison
Using digital certificates to secure sensitive communications at uw madisonUsing digital certificates to secure sensitive communications at uw madison
Using digital certificates to secure sensitive communications at uw madison
 
Healthcare information security secure sensitive communications within the ...
Healthcare information security secure sensitive communications within the ...Healthcare information security secure sensitive communications within the ...
Healthcare information security secure sensitive communications within the ...
 
Healthcare Information Security Secure Sensitive Communications Within The ...
Healthcare Information Security Secure Sensitive Communications Within The ...Healthcare Information Security Secure Sensitive Communications Within The ...
Healthcare Information Security Secure Sensitive Communications Within The ...
 
Public Key Infrastructures
Public Key InfrastructuresPublic Key Infrastructures
Public Key Infrastructures
 
Electronic security
Electronic securityElectronic security
Electronic security
 
Electronic Security
Electronic SecurityElectronic Security
Electronic Security
 
How to secure your emails for sensitive docs
How to secure your emails for sensitive docsHow to secure your emails for sensitive docs
How to secure your emails for sensitive docs
 
Digital signature service in noida
Digital signature service in noidaDigital signature service in noida
Digital signature service in noida
 
Cryptography
CryptographyCryptography
Cryptography
 
#OSSPARIS19 - TLS for dummies - MAXIME BESSON, Worteks
#OSSPARIS19 - TLS for dummies - MAXIME BESSON, Worteks#OSSPARIS19 - TLS for dummies - MAXIME BESSON, Worteks
#OSSPARIS19 - TLS for dummies - MAXIME BESSON, Worteks
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies
 
Electronic Security
Electronic SecurityElectronic Security
Electronic Security
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
 

Más de Nicholas Davis

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentNicholas Davis
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsNicholas Davis
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development MethodologiesNicholas Davis
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityNicholas Davis
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Nicholas Davis
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Nicholas Davis
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewNicholas Davis
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets PersonalNicholas Davis
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...Nicholas Davis
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectNicholas Davis
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...Nicholas Davis
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Nicholas Davis
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryNicholas Davis
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing EducationNicholas Davis
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An OverviewNicholas Davis
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNicholas Davis
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application SecurityNicholas Davis
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...Nicholas Davis
 

Más de Nicholas Davis (20)

Conducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) AssessmentConducting a NIST Cybersecurity Framework (CSF) Assessment
Conducting a NIST Cybersecurity Framework (CSF) Assessment
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
UW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support SystemsUW-Madison, Information Systems 371 - Decision Support Systems
UW-Madison, Information Systems 371 - Decision Support Systems
 
Lecture blockchain
Lecture blockchainLecture blockchain
Lecture blockchain
 
Software Development Methodologies
Software Development MethodologiesSoftware Development Methodologies
Software Development Methodologies
 
Information systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD SecurityInformation systems 365 - Cloud and BYOD Security
Information systems 365 - Cloud and BYOD Security
 
Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids Information Security Awareness: at Work, at Home, and For Your Kids
Information Security Awareness: at Work, at Home, and For Your Kids
 
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
Information Systems 365/765, Lecture 4, Policies, Data Classification, Traini...
 
Information Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things OverviewInformation Systems 371 -The Internet of Things Overview
Information Systems 371 -The Internet of Things Overview
 
Cyberwar Gets Personal
Cyberwar Gets PersonalCyberwar Gets Personal
Cyberwar Gets Personal
 
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
University of Wisconsin-Madison, Information Security 365/765 Course Summary,...
 
Bringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team ProjectBringing the Entire Information Security Semester Together With a Team Project
Bringing the Entire Information Security Semester Together With a Team Project
 
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
The Deep and Dark Web - Spooky Halloween Information Security Lecture -- Info...
 
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
Student Presentation Sample (Netflix) -- Information Security 365/765 -- UW-M...
 
Information Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up SummaryInformation Security Fall Semester 2016 - Course Wrap Up Summary
Information Security Fall Semester 2016 - Course Wrap Up Summary
 
Organizational Phishing Education
Organizational Phishing EducationOrganizational Phishing Education
Organizational Phishing Education
 
Security Operations -- An Overview
Security Operations -- An OverviewSecurity Operations -- An Overview
Security Operations -- An Overview
 
Network Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security ImplicationsNetwork Design, Common Network Terminology and Security Implications
Network Design, Common Network Terminology and Security Implications
 
Survey Presentation About Application Security
Survey Presentation About Application SecuritySurvey Presentation About Application Security
Survey Presentation About Application Security
 
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
Information Security 365/765 Lecture 13 – Legal Regulations, Industry Compli...
 

Último

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sectoritnewsafrica
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...itnewsafrica
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 

Último (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
4. Cobus Valentine- Cybersecurity Threats and Solutions for the Public Sector
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
Irene Moetsana-Moeng: Stakeholders in Cybersecurity: Collaborative Defence fo...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 

Pki the key to securing sensitive communications

  • 1. PKI, The Key to Securing Sensitive Electronic Communications Madison College April 24, 2014 Nicholas Davis, CISSP, CISA, Nice Person
  • 2. Agenda • Introduction • We will watch movies • We will find an error in the textbook • We will learn • We will chat • We will have fun
  • 3. Overview Why is electronic privacy such a hot topic these days? What is a digital certificate? What is PKI? Why are these technologies important? Trusted Root Authorities Using digital certificates for email encryption Key Escrow, the double edged sword Integrating digital certificates into email for Security How is PKI related to SSL? Using certificates for code signing of software Real world issues with PKI Chapter 12 top points!!! Discussion
  • 4. Whay is Electronic Privacy Such a Hot Topic Today? • Evolution of the Internet, commerce, banking, healt hcare • Dependence on Email and other trusted electronic communications • Government regulations, SOX, HIPAA, GLB, P CI, FERPA • Public Image • Business warehousing
  • 5. The Topic is More Interesting When It Affects You!
  • 7. Discussion Topic One • Do you think the threat of Email eavesdropping is real? • What about the government’s argument about Email being like a “postcard?” • Should Target be allowed to look at Walmart emails on a public network? • Are you angry now, or just afraid? • Who has the responsibility in this situation?
  • 8. What is a Digital Certificate?
  • 9. Digital Certificates Continued Digital Certificate Electronic Passport Good for authentication Good non-repudiation Proof of authorship Proof of non-altered content Encryption! Better than username - password
  • 10. What is in a Certificate?
  • 11. Public and Private Keys The digital certificate has two parts, a PUBLIC key and a PRIVATE key The Public Key is distributed to everyone The Private Key is held very closely And NEVER shared Public Key is used for encryption and verification of a digital signature Private Key is used for Digital signing and decryption
  • 13. Getting Someone’s Public Key The Public Key must be shared to be Useful It can be included as part of your Email signature It can be looked up in an LDAP Directory Can you think of the advantages and disadvantages of each method?
  • 14. Who Could This Public Key Possibly Belong To?
  • 15. What is PKI? • PKI is an acronym for Public Key Infrastructure • It is the system which manages and controls the lifecycle of digital certificates • The PKI has many features
  • 16. What Is In a PKI? • Credentialing of individuals • Generating certificates • Distributing certificates • Keeping copies of certificates • Reissuing certificates • Revoking certificates • Renews certificates • Providing proof of validity or revocation
  • 17. Credentialing • Non technical, but the most important part of a PKI! • A certificate is only as trustworthy as the underlying credentialing and management system • Certificate Policies and Certificate Practices Statement
  • 18. Certificate Generation and Storage • How do you know who you are dealing with in the generation process? • Where you keep the certificate is important
  • 19. Distributing Certificates • Can be done remotely – benefits and drawbacks • Can be done face to face – benefits and drawbacks
  • 20. Keeping Copies – Key Escrow • Benefit – Available in case of emergency • Drawback – Can be stolen • Compromise is the best! • Use Audit Trails, separatio n of duties and good accounting controls for key escrow
  • 21. Certificate Renewal • Just like your passport, digital certificates expire • This is for the safety of the organization and those who do business with it • Short lifetime – more assurance of validity but a pain to renew • Long lifetime – less assurance of validity, but easier to manage • Can be renewed with same keypair or new keypair depending on escrow situation
  • 22. Expiration • A rare moment for me…I get to point out and error in the textbook! (Page 418) • A message signed with an expired private key will show as invalid to the recipient • However, a private key can ALWAYS be used to decrypt a message, even an expired private key. • Nobody is perfect, forgive the textbook author!
  • 23. Revocation • Just like Stefan Wahe’s dirving license, it can be revoked prior to expiration • CRL – Certificate Revocation List • OCSP – Online Certificate Status Protocol • Both cam be real time, but CRL might be batched instead • In practice, both are rarely used
  • 24. Recovery • No escrow = no luck • But with escrow it must be easy, right? !!NOT!! • Proving identity • Getting copy from escrow • Secure delivery to recipient • Complex, tempting to cut corners, but resist temptation! • The book’s idea is even more complex!
  • 25. Trusted Root Authorities • A certificate issuer recognized by all computers around the globe • Root certificates are stored in the computer’s central certificate store • Requires a stringent audit and a lot of money!
  • 26. It Is All About Trust
  • 27. Using Certificates to Secure Email • Best use for certificates, in my opinion • Digital certificate provides proof that the email did indeed come from the purported sender • Public key enables encryption and ensures that the message can only be read by the intended recipient
  • 28. Secure Email is Called S/MIME • S/MIME = Secure Multipurpose Mail Extensions • S/MIME is the industry standard, not a point solution, unique to a specific vendor
  • 29. Digital Signing of Email • Proves that the email came from you • Invalidates plausible denial • Proves through a checksum that the contents of the email were not altered while in transit • Provides a mechanism to distribute your public key
  • 30. Digital Signatures Do Not Prove When a Message or Document Was Signed You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!
  • 31. Send Me a Signed Email, Please, I Need Your Public Key
  • 32. Using a Digital Signature for Email Signing Provides proof that the email came from the purported sender…Is this email really from Vice President Cheney? Provides proof that the contents of the email have not been altered from the original form…Should we really invade Mexico?
  • 33. A Digital Signature Can Be Invalid For Many Reasons
  • 34. Why Is Authenticating the Sender So Important?
  • 35. What if This Happens at Madison College? Could cause harm in a critical situation Case Scenario Multiple hoax emails sent with Chancellor’s name and email. When real crisis arrives, people might not believe the warning. It is all about trust!
  • 36. Digital Signing Summary • Provides proof of the author • Testifies to message integrity • Valuable for both individual or mass email • Supported by most email clients….Remember the 80-20 rule..Perfect in the enemy of good!
  • 37. What Encryption Does Encrypting data with a digital certificate Secures it end to end. • While in transit • Across the network • While sitting on email servers • While in storage • On your desktop computer • On your laptop computer • On a server
  • 38. Encryption Protects the Data At Rest and In Transit Physical theft from office Physical theft from airport Virtual theft over the network
  • 39. Why Encryption is Important • Keeps private information private • HIPAA, FERPA, SOX, GLB compliance • Proprietary research • Human Resource issues • Legal Issues • PR Issues • Industrial Espionage • Over-intrusive Government • You never know who is listening and watching!
  • 40. What does it actually look like in practice? -Sending-
  • 41. What does it actually look like in practice (unlocking my private key) -receiving-
  • 42. What does it actually look like in practice? -receiving- (decrypted)
  • 43. Digitally signed and verified; Encrypted
  • 44. What does it look like in practice? -receiving- (intercepted)
  • 45. Intercepting the Data in Transit • How might encrypted email be a security threat to your organization?
  • 46. Digital Certificates For Machines Too • SSL – Secure Socket Layer • Protection of data in transit • Protection of data at rest • Where is the greater threat? • Certs can protect both, but usually just in transit, and not at rest.
  • 47. Benefits of Using Digital Certificates Provide global assurance of your identity, both internally and externally to the organization Provide assurance of message authenticity and data integrity Keeps private information private, end to end, while in transit and storage You don’t need to have a digital certificate To verify someone else’s digital signature Can be used for individual or generic mail accounts.
  • 48. The Telephone Analogy When the telephone was invented, it was hard to sell. It needed to reach critical mass and then everyone wanted one.
  • 49. That All Sounds Great in Theory, But Do I Really Need It? • The world seems to get along just fine without digital certificates… • Oh, really? • Let’s talk about some recent stories
  • 50. We Have Internal Threats Too @ UW-Madison!
  • 51. How Do Users Feel About the Technology? • Ease of use • Challenges • Changes in how they do their daily work • Benefits • Drawbacks
  • 52. It Really Is Up To You! • Digital certificates / PKI is not hard to implement • It provides end to end security of sensitive communications • It is comprehensive, not a mix of point solutions • You are the leaders of tomorrow, make your choices count by pushing for secure electronic communications!
  • 53. Signatures - Evidence • What is a signature? • A signature is not part of the substance of a transaction, but rather, it represents an understanding, acceptance or indication of agreement • Evidence: A signature authenticates a person by linking the signer with the signed document. When the signer makes a mark in a distinctive manner, the writing becomes attributable to the signer. • Example: Credit card receipt
  • 54. Let’s Talk About Signatures • Traditional ink and paper • Electronic Signature vs Digital Signature
  • 55. Signatures – The Three Part Process • Ceremony, Approval and Commitment
  • 56. Signatures – The Three Part Process • Ceremony: • The act of signing a document calls to the signer's attention the significance of the signer's act, and thereby helps prevent reckless or careless commitments
  • 57. Signatures – The Three Part Process • Approval: • In certain contexts defined by law or custom, a signature expresses the signer's approval or authorization of the writing, or the signer's intention that it have legal effect
  • 58. Signatures – The Three Part Process • Commitment: • A signature on a written document often imparts a sense of clarity and finality to the transaction
  • 59. Signatures • Traditional signatures put the cart before the horse! • How can you be certain that a mortgage application with Nicholas Davis’s signature was indeed signed by Nicholas Davis? • As trusting people, we generally accept a written signature at face value
  • 60. Signatures • Trust – When the going gets tough, scoundrels can emerge, to challenge the signature on a document • Verification against other documents – Assumes that you have access to other signed documents and assumes that signatures on those documents were not forged
  • 61. Signature • Before a signature can be trusted, we must have proof that the signature does truly belong to the signer • This is not as easy at it sounds…..
  • 62. Signatures – Credentialing Process • Credentialing – An initial method of attestation to the truth of certain stated facts, such as identity. • Example: Government photo ID, address verification or proof of your SSN#, are all attestation methods used to credential people
  • 63. Signatures – Authentication Process • Authentication – The process of verifying that a person is in fact who they claim to be • Example: Showing your driver’s license to the guard at the front desk authenticates me as genuinely being Nicholas Davis
  • 64. Signatures – Authorization Process • Authorization -- The granting of power or authority to someone, to do something specific • Example: The information system authorizes Nicholas Davis the rights to view certain files
  • 65. Signatures -- Trust • In order for a signature to be relied upon and trusted for authorization of a transaction, the individual presenting the signature must first be credentialed and then authenticated, prior to allowing them to authorize a transaction • A three step process: Credentialing, Authentication, Authorization • In the world of written signatures, organizations rarely credential or authenticate people
  • 66. Signatures -- Trust • A written signature, provided without a solid credentialing and authentication process, can make an organization and its customers vulnerable to fraudulent transactions • To further protect the organization and our customers from fraud, we look to information technology and the use of digital signatures…..
  • 67. Digital Signatures vs. Written Signatures • A digital signature provides proof of: • Verified identity of the signer • Document integrity (The document has not been altered since it was digitally signed) • Non-repudiation (the signer can’t deny signing the document, as it was done with their digital certificate, which only they had access to) • A written signature provides proof of: • Unverified identity of the signer • Which type of signature provides a higher degree of trust?
  • 68. Digital Signatures – A Note About Identity Theft • As the Internet and E-Commerce continue to evolve and grow, it is important to understand what this change in business environment means • More and more traditional business processes are being converted to online applications • It is harder to impersonate someone in person than it is over the Internet
  • 69. Digital Signatures • Written signatures may be acceptable in person, but are impractical and risky when used in an online transaction because, we no longer can associate a face with the signature • If our processes are going digital, so must our signatures!
  • 70. Digital Signatures vs Electronic Signatures • “Electronic signature” and “Digital signature” are not synonymous. • An electronic signature can be a symbol, sound, or process used to sign a document or transaction. • A digital signature, on the other hand, is a secure electronic signature which uses encryption to authenticate the entity who signed the document, encapsulate document contents to protect from unauthorized alteration and provide proof of non-repudiation
  • 71. Digital Signatures vs Electronic Signatures • A digital signature is a form of an electronic signature, but an electronic signature is not necessarily a digital signature. • Electronic signatures at best provide only questionable proof of identity, and do not provide proof of information/message integrity or non-repudiation
  • 72. !!!Stop Sleeping!!! Chapter 12 – Most Important Stuff, in the next six slides!
  • 73. Types of Certificates • Certificate Authority (CA), issues and signs other types of certs, NEVER used for other functions • Server Certificates: Such as SSL, for identification and encryption of data for an entity • User Certificates: Such as P12 or PFX files, for identification and encryption of data of an individual
  • 74. Types of Certificates • Object Signing Certificates: Used by an entity to sign software code, to prove origin and integrity. • Signature Verification Certificates: Object or user certificate WITHOUT the signing key • DCM = Digital Certificate Manager, stores and organizes all of your certificates
  • 75. PKI Components • Certificate Authority (CA): Issues and verifies certificates • Registration Authority (RA): Verifies identity and enrolls a requestor, (machine or human) • Revocation Mechanism: CRL or OCSP • Publishing methods: Directories, databases, email, even floppy disk.
  • 76. PKI Components • Certificate Management System: CA, RA, CRLs, etc, all together, to keep track of certificates and their status, and change status, if necessary. • MOST important: PKI aware applications, such as S/MIME email, or Microsoft Word.
  • 77. PKI Management Tasks • Identity verification • Certificate issuance • Certificate validity checking • Certificate renewal • Certificate revocation • Certificate escrow • Certificate recovery
  • 78. Transport Protocols • SSL: Developed by Netscape, 1996 • TLS: Variation of SSL (RFC 2246) • HTTPS: Web server, Port 443, built into MOST browsers • SSH: Secure Shell, TCP Port 22 • SFTP: Secure File Transfer • SCP: Secure File Copy • IPSEC: TCP layer 3 packet encryption RFC 4301-4309
  • 79. How Can I Help You? ndavis1@wisc.edu Tel. 608-347-2486