EDUCAUSE PKI Summit Meeting, Snowmass Village, CO, August 9-10, 2001
Russel Weiser, Principal Scientist, Digital Signature Trust, Salt Lake City, UT
Casey Lide, Director, Education Services, Digital Signature Trust, Washington DC
Topical Agenda
• Why PKI, why outsource it … why DST?
• E-signing, form-signing
• TrustExchange
• Education Perspectives
• Three Big Issues
• New DST Offering
• Alice Goes to College...
About Digital Signature Trust
• First licensed Certification Authority (CA) in U.S.
• Offices: Salt Lake City, UT; Washington, D.C.
• First (and one of three) approved vendor for GSA ACES program (providing CA services for federal government agencies). Awarded majority of ACES task orders serving various federal agencies
• Provider of comprehensive PKI services for first major state installations (States of Washington, Utah)
• Ownership interests: Zions Bancorp, American Bankers Association
About Digital Signature Trust
• Financial Services
• Education
• Healthcare
• Federal Government
• State & Local Government
• Commercial Markets
DST Services
• Outsourced CA services
• PKI Policy Development, Risk Absorption
• Registration, Identification & Authentication Services
• Certificate Lifecycle Management
• Electronic signatures & e-form signing/creation
• Workflow/BPR
• Applications development/consulting
• Secure Archival
• Training
About Digital Signature Trust
• Certification Authority for TrustID® Digital Certificates
• Persistent, interoperable digital credential, usable by anyone who wants to
• TrustID® warranty for Authorized Relying Parties: $100,000/transaction, $250,000/certificate
• Certificate Policy administered by American Bankers Association
• Modeled after credit card industry
• Operations hosted at DST SecFac (Salt Lake City, UT)
Why PKI … why outsource it … why DST
• Ideally, enables:
  • Mutual authentication technology and legal construct for anyone who wants/needs to use it
  • Confidentiality
  • Non-repudiation
  • Data integrity/staying power
But, scalability of the security mechanism is equally important...
Technical Scalability
• PKI =
  • Established or evolving standards (X.509v3, OCSP, LDAPv3)
  • Single infrastructure (vs multiple passwords)
  • Proven technology
• Certificate-enabled e-signing applications improving dramatically
Economic Scalability
• PKI =
  • No duplicative PIN/password administration (very inefficient, non-interoperable)
  • One interoperable infrastructure, with cost spread among users
• Organizations either purchase/sponsor issuance of certificates, or pay a validation fee for guaranteed reliance (DST model)
• Ideal issuers: entities that can/will use the certificate for a wide variety of applications & transactions. (And that can be RAs…)
Policy Scalability
• DST Model:
  • Contractual framework, administered by the CA/PMA, that allocates risk and establishes rules among any and all: issuers, relying parties, subscribers
  • Warranty encourages adoption and acceptance by Relying Parties; CA encouraged to find them (it scaled for Visa…)
  • Liability shifts away from the Relying Party (which may previously have run a PIN infrastructure) and to the Certificate Authority
• DST model: TrustID = single Certificate Policy = simplest policy interoperability
Risk Management
[Diagram: Certification Authority, Repository, Subscriber, Relying Party, with risk flowing to the CA]
• Risks Outsourced / Transferred to CA (or that should be):
  • PKI Technology
  • Identity & Authentication
  • Staffing & Operations
  • Repository Operations
  • Certificate Maintenance
  • Reliance Liability
  • Setup Cost & Time
  • Leverage PKI Expertise
Technical + Economic + Policy Scalability = TrustID®: A persistent, guaranteed digital credential that can serve an entire community of interest, and beyond:
• Standardized testing agencies/services
• Colleges and universities
• Government agencies
• Anyone who touches the student financial aid system
• Anyone else who chooses to be a relying party (which the CA has an incentive to go out and sign up, adding to the value of the certificate, increasing use…)
So Why Outsource CA Services?
• Why do you want to be a CA???
• High operational overhead for CAs
• CA = audits, audits, audits
• VERY high policy/legal overhead for CAs
• CA worries about bridging, etc.
• Running a CA requires uncommon expertise, or lots of time and effort to learn about it
• In-house takes a LOT longer (your time isn’t free)
• Having several thousand institutional CAs is not the quickest, simplest, or best route to an effective, interoperable community-of-interest (and beyond) PKI
• Aggregation of demand = quantity discounts
• The RP may require it (e.g., warranted certificate)
The Problem With the Enterprise CA Model
[Diagram: Enterprise CAs 1, 2 and 3, each with its own CP, and their trading partners/subscribers. Legend: Enterprise CA (each w/own CP); Enterprise trading partner/subscriber]
Trading partners that will require multiple legal relationships, certificates, policy mappings...
TrustID® Model
[Diagram: TrustID Issuers (DST, Bank, School) issue to TrustID Holders (Cust 1, Cust 2, Cust 3 … Cust n), who transact with TrustID Relying Parties (RP 1, RP 2 … RP n)]
DST TrustID® Cost Model
• Either sponsor the issuance of certificates, or pay a validation fee for guaranteed reliance (modeled on credit card industry)
• Spread the cost among the users of the contractual and technical infrastructure
• Startup
• Certificate Pricing
  • Volume Pricing for Certificate Sponsors
  • RA Pricing (no transaction fees!)
• Transaction Pricing (Relying Parties)
  • OCSP
  • Warranty Included
  • Flat Monthly Fee or Per Transaction
Digital Signatures and E-Signing
• Made for each other!
• But, need another piece for interaction between private key and form
• Enterprise-focused form-signing applications
  • Zions E-Commerce group eSign consortium
  • iLumin
  • E-Lock
  • icomXpress
  • thinkXML
  • DST: eSign n.0
  • SimpleSign
TrustExchange®
• TrustExchange Coordinator - Certificate access control server
  • Simple Access Control
  • API or full Proxy Modes of operation
  • Audit logging of transactions
  • NT or Solaris Platform
• How it works!
  • Present certificate (optional second-factor authentication via password)
  • OCSP validation
  • Signed OCSP requests
  • Signed OCSP responses
  • Supports multiple CA hierarchies, CRL or OCSP, in proxy mode
Education Perspectives & Other Stuff
• “Issuers”
  • RA = no validation fees for those certificates
• Relying Parties
  • Student Financial Aid
• Tokens & Mobility
  • Smart cards, USB
  • CyberMark
• Bridge CAs
• dc= naming
• Levels of Assurance
TrustID KickStart™
For a one-time setup fee:
• TrustID common policy infrastructure (TrustID CP)
• TrustID ARP Warranty
• TrustExchange® Validation and Access Control Software
• Installation by DST Professional Services (one day)
• Training by DST Professional Services (one day)
• One additional day of DST Professional Services
• DST first-level customer support
• 500 TrustID certificate vouchers (any type, including SSL/server)
• Available RA option (RAMP, TSRA)
• Concept of Operations
• Five-day implementation
3 Big Issues ...
1. Roaming, usability (private key management)
2. Certificate distribution & timing
3. Legacy/PIN migration
So, what we REALLY need is...
• Security, nonrepudiation and scalability provided by digital signatures
• combined with
• usability and roaming of a PIN infrastructure
New DST Offering! DST Roaming & PIN Migration Solution: Password-Based TrustID®
DST Roaming & PIN Migration Solution
• Technology licensed to DST for use with TrustID®.
• Regular 2-key RSA mandates that the user have and somehow manage a long private key (1024 bits). Hence, low usability or need for smart cards. Hence, poor adoption.
• 3-key RSA system instead of usual 2-key RSA. Long private key broken into two pieces: one derived from the user’s chosen password, the other stored on an appliance hosted by DST. User only needs a password!
• It has been mathematically proven that the 3-key system is exactly as secure from an attacker as 2-key RSA
• It can be informally thought of as a network-based “soft” smart card that is created at whichever desktop the user is present (and which has a 400kb plug-in, downloaded once).
• Uses and interoperates with usual PKI standards
DST Roaming Solution
[Diagram: Alice’s password P expands to key d1 on her computer; the PKI Appliance holds key d2; the CA has signed Alice’s certificate (ID: Castle Corp, FN: Castle, LN: Corp); message M passes to the appliance and back]
• Alice has password P, which ONLY she knows. Password P expands to key d1 on computer.
• The Practical PKI appliance has key d2 for Alice which ONLY it knows.
• Alice has pre-existing public certificate, with public key signed by a CA (sent to Alice or to RP application via DST)
• Process
  • Alice authenticates to appliance, sets up secure channel and sends message, M.
  • Appliance performs partial signature on M with its key for Alice, d2.
  • Alice completes signature with her key d1.
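The three-step process on this slide, as an added illustration that is not DST’s code: the slide says the private key is broken into a password-derived piece d1 and an appliance-held piece d2, the appliance partially signs M and Alice completes the signature, and a relying party verifies with the ordinary certificate. The additive split d = d1 + d2 (mod φ(N)), PBKDF2 as the password expansion, and the toy modulus are this example’s assumptions, not the licensed scheme’s details.

```python
import hashlib
from math import gcd

# Constructed toy modulus from two Mersenne primes: big enough to sign a
# SHA-256 digest, far too small for real use (the slide's keys are 1024-bit).
P, Q = 2**61 - 1, 2**31 - 1
N, PHI, E = P * Q, (P - 1) * (Q - 1), 65537
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)  # the full 2-key RSA private exponent; never used to sign

def digest(msg: bytes) -> int:
    """Hash the message into Z_N (no PKCS#1 padding; demo only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def password_share(password: str, salt: bytes) -> int:
    """d1: 'password P expands to key d1' on Alice's computer (PBKDF2 assumed)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)
    return int.from_bytes(raw, "big") % PHI

def enroll_appliance_share(password: str, salt: bytes) -> int:
    """d2, computed once at enrollment so that d1 + d2 = d (mod phi) and then
    handed to the appliance; the appliance never learns the password or d."""
    return (D - password_share(password, salt)) % PHI

def appliance_partial_sign(h: int, d2: int) -> int:
    """Slide step 2: the appliance signs with its share d2 only."""
    return pow(h, d2, N)

def alice_complete(h: int, partial: int, d1: int) -> int:
    """Slide step 3: Alice multiplies in h^d1, giving h^(d1+d2) = h^d mod N."""
    return (partial * pow(h, d1, N)) % N

def verify(msg: bytes, sig: int) -> bool:
    """Any relying party checks the result with the public key (N, E) alone."""
    return pow(sig, E, N) == digest(msg)

def roaming_sign(msg: bytes, password: str, d2: int, salt: bytes) -> int:
    """The whole exchange from Alice's side, at any desktop with the plug-in."""
    h = digest(msg)
    partial = appliance_partial_sign(h, d2)  # returned over the secure channel
    return alice_complete(h, partial, password_share(password, salt))

if __name__ == "__main__":
    salt, pw = b"constructed-salt", "alice-self-selected"
    d2 = enroll_appliance_share(pw, salt)
    note = b"Direct Loan promissory note (constructed)"
    sig = roaming_sign(note, pw, d2, salt)
    print(verify(note, sig), sig == pow(digest(note), D, N))
```

Neither the appliance’s partial result nor a wrong password yields a signature that verifies, which is the property the slide relies on when it calls the appliance a network-based “soft” smart card.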
The Big Issues, revisited:
1) Roaming and Usability
• Password (+ plugin) = full PKI, anywhere, with ease of use of a self-selected password
2) & 3) Certificate Distribution, Legacy PINs
• Can use pre-existing shared-secret PIN as an identity-proofing element to issue a digital certificate
• PIN acts as initial activation code, then changed by user to self-selected password (which then can act just like her original PIN, or, if the plug-in is present, her private key)
• Secure issuance of a PIN is all we need to get new users started (any accredited RA procedure...)
Alice Goes to College...
• In her Junior year of high school, Alice registers to take a standardized test for college-bound students. She shows up at the testing facility and the test proctor, after checking her government-issued photo ID, hands her a small, sealed envelope. Inside are a PIN and some instructions.
• A few weeks later, Alice gets on her laptop computer at home and visits the [testing service] website to check her score. She is prompted to enter her assigned PIN (logging onto the appliance), and to change her password. Behind the scenes (if she chooses to download the 400kb plugin at this time, which takes about 60 seconds because her Dad won’t get DSL), keys are generated and a digital certificate created. The testing service allows access to her score.
• One day in September (while visiting her aunt in Paducah) Alice uses her relative’s computer and visits the Department of Education website to fill out a FAFSA. She gains access to the form application using her self-selected password, and partially completes the form. Unfortunately she doesn’t have all the required information with her, so she finishes it up the next week at home.
Alice Goes to College, cont’d
• Shortly after, with her heart set on attending the University of Alabama at Birmingham, Florida State University, or Brigham Young, she electronically signs and submits applications for admission from a computer in her school library (which already has the plugin installed). The universities use and rely on her PKI digital credential to establish an initial account and provide other services for her.
• Having received notice about her award and seeking a Direct Loan, Alice visits the Department of Education website using her laptop. She’s already downloaded the plug-in to her laptop (or if she hasn’t, she’s prompted to do so because the lender wants the increased security, data integrity, and warranty protection provided by a digital signature). She progresses through the promissory note e-signing application for Direct Loans, and executes a full-fledged digital signature on the signed note. The Department, as an ARP, is protected by the DST warranty. Alice prints out a PDF version of the electronically signed note that includes on it the 160-bit digital signature.
Alice Goes to College, cont’d
• Finally at school, Alice takes advantage of the fast Internet connection provided by the university and during her first week signs up for an MP3 subscription service. The service, requiring guaranteed mutual authentication for access to its MP3 servers, has been set up by DST as a Relying Party and is configured to use the same digital credential Alice has been using for a while now.
• Over the months, Alice uses her password and digital credential to register for classes and access her confidential account maintained by the university, to obtain class reference materials from major publishers who have a contract with the university, to e-sign and electronically submit a lot of paperwork required by the school, to submit classwork to & receive feedback from professors, to renew her automobile registration with the state DMV, and to access and transfer funds at the local bank. To do this, Alice uses her laptop, her PDA, the various computer labs around campus, and her friend Bob’s desktop machine.
• After about a year from receiving the first digital certificate, Alice is prompted to renew and get another one. Fortunately, her school sponsors the issuance of TrustID to its students, faculty and staff (and is even considering offering it as a service to alumni...).
...THE END
Anyone can say they’re somebody. We can prove it.
Russel Weiser, Principal Scientist, Digital Signature Trust Co, Salt Lake City, UT, russ.weiser@trustdst.com
Casey Lide, Director, Education Svcs, Digital Signature Trust, Washington, D.C., 202.543.6688, casey.lide@trustdst.com
www.trustdst.com