1 / 35

PKI: The View from Down Under

PKI: The View from Down Under. Presentation to 2001 Institutional Web Management Workshop Queen’s University Belfast Monday 25 June 2001 Ed Bristow, PKI Technical Manager, Australian Taxation Office. Agenda. Who am I? Why am I here? The what, why and wherefore of PKI The Australian Scene

rosine
Download Presentation

PKI: The View from Down Under

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PKI: The View from Down Under Presentation to 2001 Institutional Web Management Workshop Queen’s University Belfast Monday 25 June 2001 Ed Bristow, PKI Technical Manager, Australian Taxation Office EB IMW Belfast

  2. Agenda • Who am I? Why am I here? • The what, why and wherefore of PKI • The Australian Scene • The ATO PKI • The Future EB IMW Belfast

  3. Canberra • Canberra EB IMW Belfast

  4. Some definitions • PKI - Public Key Infrastructure • The technology, policies and processes involved in generation, signing, issue and use of asymmetric ciphers and digital certificates • ATO - Australian Taxation Office • BAS - Business Activity Statement • Monthly or quarterly business tax report completed by all Australian businesses • SSL - Secure Sockets Layer • Standard for encryption of connection between web server and browser. Now at Version 3.0. • S/MIME - Secure Multipurpose Internet Mail Extensions (RFC 1521) • A standard for creating securely wrapped messages EB IMW Belfast

  5. More Definitions • OCSP - Online Certificate Status Protocol. • Standard (RFC 2560) for the checking of a certificate’s revocation status in real time • CRL - Certificate revocation list • List of serial numbers of revoked certificates, published periodically by CA. Part of X.509 (RFC 2459) • DMZ - Demilitarised zone. • Area between outer and inner firewalls where elements of a site’s security architecture is deployed • X.500 - Standard for Internet directories • LDAP - Lightweight Directory Access Protocol • PKCS - Proprietary (but industry-wide) standards developed and maintained by RSA Security Inc EB IMW Belfast

  6. Why PKI • E-commerce on the rise • The Internet is a dangerous place • The importance of standards • Digital signatures promise remote, un-repudiable authentication • The dream of PKI - certificate once, authenticate everywhere EB IMW Belfast

  7. Key Topics • Confidentiality • Authentication • Authorisation EB IMW Belfast

  8. Confidentiality • Is SSL good enough? • Data is vulnerable on the server • Enforce strong cipher suites • Consider use of S/MIME • Decryption is done deeper in DMZ • Need to pay attention to web site design • Some products don’t support two key pairs EB IMW Belfast

  9. Authentication • What to use? • User ID & Password • Simple for users, but have to be administered & can be cracked • Shared Secret • Just how secure is the secret? • Doesn’t also provide integrity & non-repudiation • Digital Certificates • It’s not a trivial decision EB IMW Belfast

  10. Authorisation • The next big challenge • The unrealised potential of X.500 & LDAP • Products starting to emerge • Active Directory & Kerberos in Windows 2000 • Solutions are policy & directory based • What’s the degree of fit? EB IMW Belfast

  11. Can PKI be made to work? • It does cost! • But it does also deliver • Many standards based components • But overall solution will need to be customised • Native browser based PKI is just not up to it at present EB IMW Belfast

  12. What are the major issues? • Registration • Key & Certificate distribution • End-user application design • Server side design EB IMW Belfast

  13. Registration • Binds the identity to the public key • Get this wrong and there’s no point in worrying about the rest • Can be logistically difficult (and expensive) • Especially with geographically dispersed population • Are there opportunities to leverage another progress? EB IMW Belfast

  14. End-User application design • Native browser, applet or fat client • What platforms to support? • Windows & Mac • IE & Netscape • How are private keys stored & accessed • Smart card (PKCS#11) • ‘Soft Key’ (PKCS#12) EB IMW Belfast

  15. Server Side Design • Performance • Availability • Certificate validation • OCSP vs CRL • Do responses need to be signed? • Accept keys and certificates from multiple CA’s or just one? EB IMW Belfast

  16. Overall • Assess the value and importance of transactions • Threat and risk analysis as first step • look for leverage opportunities EB IMW Belfast

  17. Australia - Land of Contrasts • Strengths • Innovative culture • Early adopters • Government sector prepared to lead • Small enough for national solutions to be viable • ‘Can do’ attitude EB IMW Belfast

  18. Australia - Land of Contrasts • Weaknesses • 7 + 2 Governments • Short electoral cycle • Small population base • Geographic Isolation • ‘Branch Office’ Economy • Slow telecoms in rural and remote areas • ‘The Tyranny of Distance’ EB IMW Belfast

  19. Gatekeeper • Federal Government has provided a lead • Accreditation scheme for CA’s and RA’s • Mandated for Federal government agencies • Also signed-up to by states (no mean feat!) • Cross-recognition of Australian Identrus CA’s EB IMW Belfast

  20. Gatekeeper - Drawbacks • High barrier to entry • Onerous accreditation requirements • ATO completed 33 different documents • Can be too slow for commercial requirements • Focus to date has been on business • PKI for individuals still some way off • But Gatekeeper2 is coming ... EB IMW Belfast

  21. Gatekeeper - Progress • ATO was first to achieve full accreditation • Commercial sector (eSign & Baltimore) now also fully accredited • Government-sponsored standard for certificates • Contains Australian Business Number (ABN) • Can be used by businesses to deal with government at all levels • Can be issued by any accredited or cross-recognized CA • Simplifies the applications development task EB IMW Belfast

  22. The ATO • Main revenue collection authority for Commonwealth Government • Collects Income Tax, GST, Excise and other taxes • Approx 20,000 Staff • Facing the ‘electronic challenge’ • Improve services • Reduce costs • Change the paradigm of interaction EB IMW Belfast

  23. ATO Electronic Initiatives • Agent lodged Income Tax returns via X.25 and proprietary s/w since 1991 • Now accounts for > 75% of all returns • Self-lodged Income Tax returns via pre-Gatekeeper PKI-enabled ‘e-tax’ system • Now in 4th year of operation • Expect 400,000 lodgments this year EB IMW Belfast

  24. PKI in the ATO • First full Gatekeeper accreditation • Support of tax Reform • GST (VAT type tax) from 1/7/2001 • New reporting regime for business • Not our core business! • 100k certificate pairs issued EB IMW Belfast

  25. The ATO PKI Project • Created and rolled-out an accredited PKI in less than 9 months • High pressure project • Short time frame • Legislative deadline • Complex requirements • Breaking new ground EB IMW Belfast

  26. Features • Rely on business registration process to feed the RA • Integrated with legacy (DB2/OS390) database • Centrally-generated keys • Distribution via Internet • Two key pairs/certificates • Authentication (Signing) • Confidentiality (Encryption) EB IMW Belfast

  27. Constraints • Very rapid roll-out required • 145,000 in first month (achieved) • Security requirements on certificate download • Use Baltimore technology (UniCERT) • Drop dead deadline (legislative) • Outsourced infrastructure EB IMW Belfast

  28. The Good • 100,000 sets of keys and certificates distributed in first year of operation • 70,000 businesses registered to deal electronically • Over 500,000 e-BAS’s lodged • Most find process fairly straightforward • Businesses appear happy with authentication and confidentiality provided • Vastly lower rejection and intervention rates on e-BAS’s • Quicker refunds (where payable) EB IMW Belfast

  29. The Bad • Teething problems - rapid roll-out • Design issues - eg including ATO-specific data in certificate • User experience (eg download) still not satisfactory • Lack of perceived value to business • Process to get certificates and e-BAS complex - plenty of opportunities for problems • logistical delays (eg PIC mailer printing) • Marketing in a saturated environment EB IMW Belfast

  30. The Ugly • Keys and certificates delivered in browser unfriendly package • Changes in external S/W (eg IE 5.5 SP1) can have near-catastrophic effects • Technical (il)literacy of some users • Security can have serious effects on useability • Data quality (esp. e-mail addresses) EB IMW Belfast

  31. Learnings • Key success factors • ‘Drop dead’ deadline • Strong corporate support • Small, strongly focussed team • Exploitation of skills and knowledge of partners • Pay attention to useability • Otherwise - help desk gets very busy! • Understand the customer - market segmentation EB IMW Belfast

  32. The Future - Some Questions • Will PKI become universal, or is it just too hard? • Is the Internet too dangerous a place to do business? • Can schemes like Gatekeeper ever really succeed? • Can anyone make serious money out of PKI? EB IMW Belfast

  33. The Future - Some Answers • RSA appears to be unassailable - for now • We can be confident about the technology • Success of PKI depends on • Robust and trustable registration processes • Useful applications - there must be a value proposition • Making the technology transparent • Australian model has significant strengths • Universal scheme • Standards based - vendor neutral • Public-Private sector partnership EB IMW Belfast

  34. Links www.ato.gov.au www.taxreform.ato.gov.au www.ato-pki.ato.gov.au www.govonline.gov.au www.baltimore.com www.esign.com.au www.identrus.com EB IMW Belfast

  35. Thank You EB IMW Belfast

More Related