CIC Presentation: PKI Implementation at the University of Wisconsin

Digital Certificates
Securing Email Communication
Nicholas Davis, IS Consultant/Admin
DoIT Middleware
Overview
What are digital certificates?
What can digital certificates be used for?
How could digital certificates have been used to avoid data theft at Ameritrade?
Other methods of authentication
Social Engineering
Summary & Discussion
What is a Digital Certificate?
A digital certificate can be thought of as an electronic passport
It is used to digitally sign email and documents
Its components can be used to encrypt email and attachments for end-to-end security.
It can secure databases and other server data
Public Key Cryptography
Digital Certificates Functions
• Authentication – Proof that you are who you claim to be
• Encryption – encoding information in such a way as to make it unreadable
• Non-repudiation – Inability to deny having sent specific information or having accessed a specific system
• Data Integrity – Proof that the data has not been altered since it was originally sent
Public Key Cryptography
• A digital certificate is made up of two keys, a private key and a public key
• Public key is used for encrypting and verifying a person’s digital signature
• Private key is used for decrypting and digitally signing
Digital Certificates Are For Machines Too
• SSL – Secure Socket Layer
• Protection of data in transit
• Protection of data at rest
• Where is the greater threat?
Using a Digital Signature for Email Signing
Provides proof that the email came from the purported sender (Authenticating the user)
Provides proof that the contents of the email have not been altered from the original form (Message Integrity)
Why Is Authenticating the Sender So Important?
What if This Happens at UW-Madison?
Could cause harm in a critical situation
Case Scenario
Multiple hoax emails sent with Chancellor’s name and email.
When real crisis arrives, people might not believe the warning.
It is all about trust!
Digital Signing Summary
• Provides proof of the author
• Testifies to message integrity
• Valuable for both individual or mass email
• Supported by Wiscmail Web client (used by 80% of students)
What Encryption Does
Encrypting data with a digital certificate secures it end to end.
While in transit
Across the network
While sitting on email servers
While in storage
On your desktop computer
On your laptop computer
On a server
Encryption Protects the Data
Physical theft from office
Physical theft from airport
Virtual theft over the network
Why Encryption is Important
• Keeps private information private
• HIPAA, FERPA, SOX, GLB
• Proprietary research
• Human Resource issues
• Legal Issues
• PR Issues
Where is my Certificate Stored?
• Your digital certificate is stored either on your machine or on a cryptographic USB hardware device
• Dual factor authentication
What does it actually look like in practice?
-Sending-
What does it actually look like in practice (unlocking my private key)
-receiving-
What does it actually look like in practice?
-receiving- (decrypted)
Digitally signed and verified; Encrypted
What does it actually look like in practice?
-receiving- (intercepted)
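The sending, receiving, decrypted and intercepted views on the slides above, reproduced with the openssl command line as an added example (not part of the original presentation). The name, address and message are constructed, and a self-signed certificate stands in for one issued by a certificate authority.

```bash
#!/usr/bin/env bash
# Added example: S/MIME sign, verify, encrypt and decrypt with the openssl CLI.
# Alice, her address and the message are constructed for illustration.
smime_demo() {
  local d; d=$(mktemp -d) || return 1
  # Key pair plus a self-signed certificate (assumption: stands in for a CA-issued one).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Alice Example/emailAddress=alice@example.edu" \
    -keyout "$d/alice.key" -out "$d/alice.crt" 2>/dev/null || return 1
  printf 'Campus closes at noon.\n' > "$d/msg.txt"

  # Sending: sign with the PRIVATE key. The clear-signed body stays readable.
  openssl smime -sign -in "$d/msg.txt" -signer "$d/alice.crt" \
    -inkey "$d/alice.key" -out "$d/signed.eml" 2>/dev/null || return 1

  # Receiving: verify with the PUBLIC certificate only; the verifier needs no key pair.
  if openssl smime -verify -in "$d/signed.eml" -CAfile "$d/alice.crt" \
       -out /dev/null 2>/dev/null
  then echo "original=verified"; else echo "original=rejected"; fi

  # One word of the body altered after signing: verification must fail.
  sed 's/noon/midnight/' "$d/signed.eml" > "$d/tampered.eml"
  if openssl smime -verify -in "$d/tampered.eml" -CAfile "$d/alice.crt" \
       -out /dev/null 2>/dev/null
  then echo "tampered=verified"; else echo "tampered=rejected"; fi

  # Encrypt to the recipient's PUBLIC certificate.
  openssl smime -encrypt -aes256 -in "$d/msg.txt" -out "$d/enc.eml" \
    "$d/alice.crt" 2>/dev/null || return 1

  # Intercepted: the stored or relayed message carries no plaintext.
  if grep -q 'Campus closes' "$d/enc.eml"
  then echo "intercepted=readable"; else echo "intercepted=unreadable"; fi

  # Decrypted: only the PRIVATE key recovers the text (MIME carriage returns stripped).
  echo "decrypted=$(openssl smime -decrypt -in "$d/enc.eml" \
    -recip "$d/alice.crt" -inkey "$d/alice.key" 2>/dev/null | tr -d '\r')"
  rm -rf "$d"
}
smime_demo
```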
Benefits of Using Digital Certificates
Provide global assurance of your identity, both internally and externally to the UW-Madison
Provide assurance of message authenticity and data integrity
Keeps private information private, end to end, while in transit and storage
You don’t need to have a digital certificate to verify someone else’s digital signature
Can be used for individual or generic mail accounts.
Who Uses Digital Certificates at UW-Madison?
DoIT
UW Police and Security
Office of the Registrar
Office of Financial Aid
Office of Admissions
Primate Research Lab
Medical School
Others
Who Uses Digital Certificates Besides UW-Madison?
US Department of Defense
US Department of Homeland Security
All Western European countries
Dartmouth College
University of Texas at Austin
Johnson & Johnson
Raytheon
Others
The Telephone Analogy
When the telephone was invented, it was hard to sell.
It needed to reach critical mass and then everyone wanted one.
That All Sounds Great In Theory…..But
• The world seems to get along just fine without digital certificates…
• Oh, really?
• Let’s talk about Ameritrade
• 1971, Ameritrade is founded
• Provides securities brokerage services and technology-based financial services
• 2006, TD Ameritrade reported more than 6.2 million accounts and average client trades of 216,970 per day. The company had $276 billion in client assets.
• Summer, 2007, Ameritrade customers begin receiving stock pump and dump spam
• September 14, 2007, Ameritrade states that it has found and removed “unauthorized code” from one of its databases.
• What went wrong? How could it have been avoided? Are legacy systems to blame?
Unauthorized code in database allowed names and mailing addresses to be harvested and used for spamming investment related email
How did this code get there?
Ameritrade claims that the investigation is ongoing and that they don’t have all the facts yet….You decide who is responsible.
Are Usernames and Passwords to blame?
• Why do we have usernames and passwords?
• Authenticate and Authorize, control access rights
• Why are usernames and passwords a bad idea?
• Theft, sniffing, shoulder surfing, brute force attacks, concurrent usage, intentional sharing to thwart technical controls.
• Would authenticating with digital certificates have helped?
Digital Certificates vs. Passwords
• Password = something you know
• Digital Certificate = something you have
• Digital Certificate on a hardware token = dual factor authentication
Database Information
• Storing data in the clear
• Storing data in encrypted form
• Both have their advantages
• Could Ameritrade have benefited from using an encrypted database?
Summary of Ameritrade Issue
• Using a digital certificate for authentication would have provided additional assurance
• Using a digital certificate to encrypt the data within the database
• Dual tiered approach to data protection
Other Authentication Technologies
Proximity Based Authentication
Biometrics
One Time Password devices
Proximity Based Authentication and Authorization
• Usually radiofrequency responders
• Base station recognizes token
• Communicates with access-control system
• Initiates automatic logon
• Can have two-factor authentication
• Immediate screen lock when user leaves
One Time Password Devices
• RSA SecurID
• Addresses many username/password concerns
• Time based
• Event based
• Only good for authentication
Social Engineering Threats
• If you insist on username/password, beware of:
– Threatening behavior
– Authoritarian behavior
– Flattery
The Importance of Maintaining a Trusted Network
• Control who has access to your systems with dual factor authentication
• Do daily data comparisons
• Keep critical data encrypted when possible
• Apply patches and updates
• Look at the logs regularly
Question and Answer Session
As you seek to find the truth,
don’t forget to protect your information!