
Digital Certificate Based Common Access Card for UW-Madison Presented by Nicholas Davis, DoIT

Presentation Transcript


  1. Digital Certificate Based Common Access Card for UW-Madison. Presented by Nicholas Davis, DoIT

  2. Overview • Digital Certificates 101 • Examples of usage of digital certificates • Why current technologies on campus are inferior and outdated • Benefits • Costs • What we know so far

  3. Favorite Quote Sums Things Up “The nice thing about Standards is that there are so many of them to choose from.”

  4. Wait, My Disclaimer! My wife tells me I don’t know everything—she is right! I won’t be offended if you correct me about your systems

  5. Digital Certificates

  6. What is a Digital Certificate? • A digital certificate is an electronic credential, which can be thought of as an electronic passport with extra benefits. Based on global X.509 standard • Provides ID proof • Issued by a trusted authority • Not possible to forge • A single file with two distinct parts

  7. What Does a Digital Certificate Look Like? (Two Parts) • -----BEGIN CERTIFICATE----- MIIDXTCCAsagAwIBAgICAwcwDQYJKoZIhvcNAQEFBQAwgYkxCzAJBgNVBAYTAlVT ... (remainder of the Base64 body omitted) ... HQ== • -----END CERTIFICATE-----

  8. Two Parts, Public and Private Keys • Public key is used to encrypt data intended for Nicholas Davis and to verify his digital signature. Public key is published in LDAP directory and is available to everyone • Private key is used by Nicholas Davis to decrypt data which was encrypted for him and for him to digitally sign things. Kept private, only one copy of this key.

  9. What Do We Do With Our ID? • We gain physical access to secure places • We perform secure electronic transactions • Digital certificates can do both, better than other systems

  10. Building Access Example • Nicholas digitally signs a request to enter a building by placing his card in a reader outside the building • Authenticating system takes his digital signature and computes validity based on Nicholas’s public key, also checks validity period, makes decision

  11. Secure Transaction Example • Nicholas Davis wants to drop a class, uses browser to log in to system, by sending a digital signature • System verifies digital signature, grants or denies access to resources, similar to way WebISO works

  12. How Does One Get a Digital Certificate? • Currently, the user applies through the DoIT Tech Store • User then downloads the certificate via their browser • Saves it on a PC or on a secure hardware token/card • Certificates can also be generated in batch and placed directly on the token

  13. What can be done with a digital certificate? • Authenticate to computers, networks and applications • Digitally sign, legally enforceable • Encrypt data, email and documents • Control physical access

  14. Revoking a Certificate • Certificates expire after a set period of time called the validity period • Can be revoked beforehand as well • Check the CRL to see if the certificate has been revoked • Certificate can also be renewed prior to expiration

  15. A 10,000 Foot View of Campus ID Systems • Campus has no authoritative ID • Multiple systems, which don’t directly communicate with each other • How can we manage an identity when one single identity does not exist?

  16. Student/Faculty/Staff ID Card: A Stalker’s Delight! • ID number • Photo • Student/Faculty/Staff Designation • Bar code • Magnetic stripe / Wiscard • Cost? • Not safe! • Easily copied • Easily used if stolen • Too much personal information on card

  17. UW Police Building Access Card • HID iClass RFID proximity based card • Controls physical access to buildings • Cost? • True Security? • Single factor vs. Dual Factor

  18. Parking Permit • Issued by FP&M • Magnetic stripe • Controls Access to parking ramps • Reissued every year • Security? • Cost?

  19. NetID • Issued by DoIT • Controls access to many UW-Madison electronic resources • Security? • Cost?

  20. Kerberos • Controls access to computer lab machines • Kiosks remain unprotected around campus • Cost? • Other uses?

  21. Digital Certificates • Currently used for email, document and PDF digital signing and encryption • Cost?

  22. Why are these systems discrete? • Different technologies • Different storage devices • Distributed ownership of associated systems • Different cost centers for funding • Why not bring them all together?

  23. Why not bring them All Together? • Cost • Loss of control • Incompatible technologies • Legacy Systems • So, what can be done?

  24. Consolidate & Converge • It is possible to consolidate these technologies onto one card today! Saves us nothing, actually costs more! • Such a Common Access Card (CAC) could contain all technologies in use around campus at the present time which makes the users happy, but makes us sad

  25. Common Card is Nice--But • Consolidating on one card is nice for the end user but results in waste • Many faculty/staff and students will NEVER need a card with an HID core on it or a parking permit • The key is to find ONE technology that everyone on campus can use, not one card with a different technology for each person

  26. To Save Money, We Need One Common Technology • HID works for physical access, trustworthy, but does nothing else • Magnetic stripe good for access control and cheap, but is easily copied • Bar code, nice for checking out books from library, but won’t work in parking or building access due to ease of copying • None of these address electronic access

  27. What We Need • Something which can be centrally generated and managed locally • Something secure • Something that controls physical access • Something that controls electronic access • Something that can be audited • Something that can be real time if we want it to be

  28. What We Need • Something that EVERY application can use • Something that binds our physical identity to our electronic identity • Something that is easy to manage and can be user self service or delegated administration

  29. Making Our Systems Cheaper • One card means fewer distinct administrators of system needed • Customer can get building access added to their card from their home computer because we trust it is REALLY them at their home computer

  30. Digital Certificates Can Do Everything and Do It More Securely • All physical access, parking, buildings, etc • All property access, Wiscard vending, library book checkout • All electronic access, my.wisc.edu, WebISO for web apps • Can’t be stolen

  31. Decisions About Bucky Can Be Made Based on Certificate Contents • Verify it really is Bucky based on his digital signature • Add Bucky’s public key to the groups you want him in • Make a yes/no decision based on validity of Bucky’s signature and which groups he is in
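A worked version of the card-reader exchange on slides 10 and 11, the validity period and revocation check on slide 14, and the yes/no group decision on slide 31, as an added example in Go that is not part of the presentation or of any UW-Madison system. It constructs a hypothetical campus CA and a card holder in memory; the `revoked` set stands in for the CA's signed CRL, and group membership is keyed on the holder's public key as slide 31 suggests.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue generates a P-256 key pair and a certificate for name valid over [from, to],
// signed by issuer; a nil issuer yields the self-signed (hypothetical) campus CA.
func Issue(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, name string, serial int64, from, to time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature}
	if issuer == nil { // self-signed: this is the constructed campus CA itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		issuer, issuerKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignChallenge is the card's side of the door or login exchange: sign the reader's fresh nonce.
func SignChallenge(key *ecdsa.PrivateKey, challenge []byte) []byte {
	sum := sha256.Sum256(challenge)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, sum[:])
	return sig
}

// Admit is the authenticating system's decision: trusted issuer, validity period, proof of
// private-key possession, revocation (revoked stands in for the CA's CRL), then group membership.
func Admit(ca, cert *x509.Certificate, challenge, sig []byte, now time.Time,
	revoked map[int64]bool, groups map[string]map[string]bool, need string) bool {
	if cert.CheckSignatureFrom(ca) != nil || now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false // not issued by our CA, or outside its validity period
	}
	sum := sha256.Sum256(challenge)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, sum[:], sig) {
		return false // holder could not prove possession of the matching private key
	}
	// Groups are keyed on the public key (DER SubjectPublicKeyInfo), as slide 31 describes.
	return !revoked[cert.SerialNumber.Int64()] && groups[need][string(cert.RawSubjectPublicKeyInfo)]
}
```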

  32. Digital Certificates Can Do New Things Too • Allow people to encrypt email • Allow people to encrypt files to protect intellectual property • Allow people to digitally sign email to Wisconsin State Government legal standards • HIPAA, FERPA, GLB, PHI compliance – PRIVACY!

  33. Everything is Related • UW Police Access scenario • System only as strong as weakest link. • Electronic ID verification is related to physical security • Same system that secures communications could also be system that controls access to buildings

  34. So What is Involved? • Lots of work to do • Issuing certificates • Getting them on secure devices • Upgrading applications to use WebISO for certificate based access • Upgrading physical readers to read certificate based cards • Educating campus

  35. Did Someone Say Cost? • More expensive than current UW Photo ID • Less expensive than current UW Photo ID + UWPD ID + Digital Certificate Token + Parking Permit

  36. A Standard is Established For the Future • Every student and every faculty/staff member gets one when they enter UW-Madison, addressing issue of how the cards are distributed • They can use the card for any application they wish, electronic or physical

  37. Why Should Digital Certificates Be the Standard? • They can authenticate users both physically and electronically • Digital certificates allow digital signing and encryption, not offered by other technologies. • Expiration dates can be extended remotely (Pay your tuition online and the system extends the validity of your certificate by 6 months, without you ever leaving home) • Stronger than username and password, as digital certificates can’t be shared or unknowingly stolen, secure

  38. Digital Certificates Can Do Everything that All Current ID Methods Do • Building (Authentication) • Parking (Authentication) • Wiscard (Authentication) • Library (Authentication) • Digital signing (non-repudiation) • Encrypted communication via email • Protecting data (file and whole disk encryption) • my.wisc.edu (electronic applications) • Computer labs • Kiosks

  39. What New Things Can Digital Certificates Do? • Guest access to UW facilities with short term limits • Help us comply with HIPAA and FERPA • Provide true real time issuance and revocation • Provide distance issuance, great for incoming students! • Provide centralized issuance and delegated administration • Decrease manual processes • Increase security – Username and password has to go if we want to advance our applications and user self service

  40. If Digital Certificates Are So Great, Why Don’t I See Them Everywhere? • How powerful is the telephone? • How widely adopted was it when it was first introduced? • When you control the environment, you can make the telephone a “must have”

  41. Who Else Uses Digital Certificates in Higher Ed? • Dartmouth • University of Virginia • University of Texas • University of Michigan • MIT • Used to control electronic Access

  42. Who Outside of Higher Ed Uses Digital Certificates? • US Department of Defense • All European Union Countries • Johnson & Johnson • Disney • Used for physical access control

  43. What is in it for us? • Save money long term • Reduce complexity for end users • Provide better security • Enable new functionality • National recognition as a leader in this area of Identity Management • Gives us a single authoritative campus identity to manage in our IDM system

  44. Important • Willingness of EVERYONE to accept that some departments will derive more benefit, some less, but overall, reduces work, decreases long term costs, makes life easier for users, increases security, adds new functionality, decreases manual labor and beginning of semester crunch for UW-Madison Systems

  45. What We Know So Far • Today we can consolidate all major ID cards, having a quick and somewhat easy win for the users • Common Access Card costs $10 to $60 depending on vendor and quantity

  46. Evolution Not Revolution • No major price shock associated with overhauling all current systems at once • Can phase out old systems as budget will allow • Users see immediate benefits • UW-Madison sees benefits both immediately and over time

  47. User Scenario • Logs into computer in lab • Signs up for classes • Pays tuition • Validates ID for 6 months, getting access to all facilities • Parks in ramp • Goes to SERF, sprains ankle • Sends HIPAA related email to doctor • All done with a combination of current technologies on a common card this year... In 5 years’ time, it could evolve application by application to be all digital certificate based

  48. Historic One Time Opportunity • If we only go part way, simply moving current technologies onto a single card, but not establishing a single technology standard, we will have played our best card without getting anything in return

  49. An Even Trade • Users want a single card • We want simple, more secure administration and new features • The only time campus will accept a new standard is when we change form factor, not afterwards

  50. Next Steps • Standardize on a single form factor containing all old technologies + digital certificates even if no applications use the digital certificate at first • Begin to migrate applications one by one. Since the cert will already be on card, migration will be seamless to end users and less painful for us
