Making Digital Security a Reality With PKI - UW

Digital Certificate Based Common Access
Card for UW-Madison
Presented by Nicholas Davis, DoIT
/ca/eecert
Overview
• Digital Certificates 101
• Examples of usage of digital
certificates
• Why current technologies on
campus are inferior and
outdated
• Benefits
• Costs
• What we know so far
Favorite Quote Sums
Things Up
“The nice thing about
Standards is that there
are so many of
them to choose from.”
Wait, My Disclaimer!
My wife tells me I don’t know
everything—she is right!
I won’t be offended if you
correct me about your systems
Digital Certificates
What is a Digital Certificate?
• A digital certificate is an electronic
credential, which can be thought of
as an electronic passport with
extra benefits. Based on global
X.509 standard
– Provides ID proof
– Issued by a trusted authority
– Not possible to forge
– A single file with two distinct parts
What Does a Digital Certificate
Look Like? (Two Parts)
-----BEGIN CERTIFICATE-----
MIIDXTCCAsagAwIBAgICAwcwDQYJKoZIhvcNAQEFBQAwgYkxCzAJBgNVBAYTAlVT
...
HQ==
-----END CERTIFICATE-----
Two Parts, Public and Private
Keys
• Public key is used to encrypt data
intended for Nicholas Davis and to
verify his digital signature. Public
key is published in LDAP directory
and is available to everyone
• Private key is used by Nicholas
Davis to decrypt data which was
encrypted for him and for him to
digitally sign things. Kept private,
only one copy of this key.
What Do We Do With Our ID
• We gain physical access to secure
places
• We perform secure electronic
transactions
• Digital certificates can do both,
better than other systems
Building Access Example
• Nicholas digitally signs a request
to enter a building by placing his
card in a reader outside the
building
• Authenticating system takes his
digital signature and computes
validity based on Nicholas’s public
key, also checks validity period,
makes decision
Secure Transaction Example
• Nicholas Davis wants to drop a
class, uses browser to log in
to system, by sending a digital
signature
• System verifies digital
signature, grants or denies
access to resources, similar to
way WebISO works
How Does One Get a Digital
Certificate?
• Currently applies through
DoIT Tech Store
• User then downloads
certificate via their browser
• Saves on PC or on secure
hardware token/card
• Certificates can also be
generated in batch and placed
directly on token
What can be done with a digital
certificate?
• Authenticate to computers,
networks and applications
• Digitally sign, legally
enforceable
• Encrypt data, email and
documents
• Control physical access
Revoking a Certificate
• Certificates expire after a set
period of time called the validity
period
• Can be revoked beforehand as well
• Check the CRL to see if the
certificate has been revoked
• Certificate can also be renewed
prior to expiration
A 10,000 Foot View of Campus
ID Systems
• Campus has no authoritative
ID
• Multiple systems, which don’t
directly communicate with
each other
• How can we manage an
identity when one single
identity does not exist?
Student/Faculty/Staff ID Card
A Stalker’s Delight!
• ID number
• Photo
• Student/Faculty/Staff Designation
• Bar code
• Magnetic stripe / Wiscard
• Cost?
• Not safe!
– Easily copied
– Easily used if stolen
– Too much personal information on card
UW Police Building Access Card
• HID iClass RFID proximity
based card
• Controls physical access to
buildings
• Cost?
• True Security?
• Single factor vs. Dual Factor
Parking Permit
• Issued by FP&M
• Magnetic stripe
• Controls Access to parking
ramps
• Reissued every year
• Security?
• Cost?
NetID
• Issued by DoIT
• Controls access to many UW-Madison electronic resources
• Security?
• Cost?
Kerberos
• Controls access to computer lab
machines
• Kiosks remain unprotected around
campus
• Cost?
• Other uses?
Digital Certificates
• Currently used for email,
document and PDF digital
signing and encryption
• Cost?
Why are these systems
discrete?
• Different technologies
• Different storage devices
• Distributed ownership of
associated systems
• Different cost centers for
funding
• Why not bring them all
together?
Why not bring them All
Together?
• Cost
• Loss of control
• Incompatible technologies
• Legacy Systems
• So, what can be done?
Consolidate & Converge
• It is possible to consolidate these
technologies onto one card today!
Saves us nothing, actually costs
more!
• Such a Common Access Card
(CAC) could contain all
technologies in use around campus
at the present time which makes
the users happy, but makes us sad
Common Card is Nice--But
• Consolidating on one card is nice
for end user but results in wastage
• Many faculty/staff and students
will NEVER need a card with an
HID core on it or a parking permit
• The key is to find ONE technology
that everyone on campus can use,
not one card with a different
technology for each person
To Save Money, We Need One
Common Technology
• HID works for physical access,
trustworthy, but does nothing else
• Magnetic stripe good for access
control and cheap, but is easily
copied
• Bar code, nice for checking out
books from library, but won’t work
in parking or building access due to
ease of copying
• None of these address electronic
access
What We Need
• Something which can be
centrally generated and
managed locally
• Something secure
• Something that controls
physical access
• Something that controls
electronic access
• Something that can be audited
• Something that can be real
time if we want it to be
What We Need
• Something that EVERY
application can use
• Something that binds our
physical identity to our
electronic identity
• Something that is easy to
manage and can be user self
service or delegated
administration
Making Our Systems Cheaper
• One card means fewer distinct
administrators of system
needed
• Customer can get building
access added to their card
from their home computer
because we trust it is REALLY
them at their home computer
Digital Certificates Can Do
Everything and Do It More
Securely
• All physical access, parking,
buildings, etc
• All property access, Wiscard
vending, library book checkout
• All electronic access,
my.wisc.edu, WebISO for web
apps
• Can’t be stolen
Decisions About Bucky Can Be
Made Based on Certificate
Contents
• Verify it really is Bucky based
on his digital signature
• Add Bucky’s public key to the
groups you want him in
• Make a yes/no decision based
on validity of Bucky’s signature
and which groups he is in
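Added example (not from the original presentation): a Go version of the reader-side decision described in the Building Access Example, Revoking a Certificate and Decisions About Bucky slides. The card, its serial number, the challenge string, and the map-based revocation and group lists are constructed for illustration; validation of the chain to the issuing CA is assumed to happen separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCard builds a constructed self-signed card cert; sign stands in for the token's private key.
func NewCard(serial int64, from, to time.Time) (*x509.Certificate, func([]byte) []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: "Bucky (constructed)"}}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, func(msg []byte) []byte { return ed25519.Sign(key, msg) }
}

// Decide runs the reader's checks in order: signature, validity period, CRL serials, key group.
func Decide(cert *x509.Certificate, challenge, sig []byte, crl, group map[string]bool, now time.Time) string {
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	switch {
	case !ok || !ed25519.Verify(pub, challenge, sig):
		return "deny: bad signature"
	case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
		return "deny: outside validity period"
	case crl[cert.SerialNumber.String()]:
		return "deny: revoked"
	case !group[string(cert.RawSubjectPublicKeyInfo)]:
		return "deny: public key not in group"
	}
	return "allow"
}

func main() {
	now := time.Now()
	card, sign := NewCard(7, now.Add(-time.Hour), now.Add(time.Hour))
	nonce := []byte("constructed-challenge")
	group := map[string]bool{string(card.RawSubjectPublicKeyInfo): true}
	fmt.Println(Decide(card, nonce, sign(nonce), nil, group, now))
	fmt.Println(Decide(card, nonce, sign(nonce), map[string]bool{"7": true}, group, now))
}
```

Signing a fresh challenge on each attempt means a signature captured at one door read does not verify against the next challenge.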
Digital Certificates Can Do New
Things Too
• Allow people to encrypt email
• Allow people to encrypt files to
protect intellectual property
• Allow people to digitally sign
email to Wisconsin State
Government legal standards
• HIPAA, FERPA, GLB, PHI
compliance – PRIVACY!
Everything is Related
• UW Police Access scenario
• System only as strong as
weakest link.
• Electronic ID verification is
related to physical security
• Same system that secures
communications could also be
system that controls access to
buildings
So What is Involved?
• Lots of work to do
• Issuing certificates
• Getting them on secure devices
• Upgrading applications to use
WebISO for certificate based
access
• Upgrading physical readers to read
certificate based cards
• Educating campus
Did Someone Say Cost?
• More expensive than current
UW Photo ID
• Less expensive than current
UW Photo ID + UWPD ID +
Digital Certificate Token +
Parking Permit
A Standard is Established For
the Future
• Every student and every
faculty/staff member gets one
when they enter UW-Madison,
addressing issue of how the cards
are distributed
• They can use the card for any
application they wish, electronic or
physical
Why Should Digital Certificates
Be the Standard?
• They can authenticate users both
physically and electronically
• Digital certificates allow digital signing
and encryption, not offered by other
technologies.
• Expiration dates can be extended
remotely (Pay your tuition online and
the system extends the validity of your
certificate by 6 months, without you
ever leaving home)
• Stronger than username and password,
as digital certificates can’t be shared or
unknowingly stolen, secure
Digital Certificates Can Do
Everything that All Current ID
Methods Do
• Building (Authentication)
• Parking (Authentication)
• Wiscard (Authentication)
• Library (Authentication)
• Digital signing (non repudiation)
• Encrypted communication via email
• Protecting data (file and whole disk
encryption)
• my.wisc.edu (electronic applications)
• Computer labs
• Kiosks
What New Things Can Digital
Certificates Do?
• Guest access to UW facilities with short
term limits
• Help us comply with HIPAA and FERPA
• Provide true real time issuance and
revocation
• Provide distance issuance, great for
incoming students!
• Provide centralized issuance and
delegated administration
• Decrease manual processes
• Increase security – Username and
password has to go if we want to
advance our applications and user self
service
If Digital Certificates Are So
Great, Why Don’t I See Them
Everywhere?
• How powerful is the
telephone?
• How widely adopted was it
when it was first introduced?
• When you control the
environment, you can make
the telephone a “must have”
Who Else Uses Digital
Certificates in Higher Ed?
• Dartmouth
• University of Virginia
• University of Texas
• University of Michigan
• MIT
• Used to control electronic
Access
Who Outside of Higher Ed Uses
Digital Certificates?
• US Department of Defense
• All European Union Countries
• Johnson & Johnson
• Disney
• Used for physical access
control
What is in it for us?
• Save money long term
• Reduce complexity for end
users
• Provide better security
• Enable new functionality
• National recognition as a leader
in this area of Identity
Management
• Gives us a single authoritative campus
identity to manage in our IDM system
Important
• Willingness of EVERYONE to accept
that some departments will derive
more benefit, some less, but
overall, reduces work, decreases
long term costs, makes life easier
for users, increases security, adds
new functionality, decreases
manual labor and beginning of
semester crunch for UW-Madison
Systems
What We Know So Far
• Today we can consolidate all major
ID cards, having a quick and
somewhat easy win for the users
• Common Access Card costs $10 to
$60 depending on vendor and
quantity
Evolution Not Revolution
• No major price shock
associated with overhauling all
current systems at once
• Can phase out old systems as
budget will allow
• Users see immediate benefits
• UW-Madison sees benefits
both immediately and over
time
User Scenario
• Logs into computer in lab
• Signs up for classes
• Pays tuition
• Validates ID for 6 months, getting
access to all facilities
• Parks in ramp
• Goes to SERF, sprains ankle
• Sends HIPAA related email to doctor
• All done with a combination of current
technologies on a common card this
year……In 5 years time, it could evolve
application by application to be all digital
certificate based
Historic One Time Opportunity
• If we only go part way, simply
moving current technologies
onto a single card, but not
establishing a single
technology standard, we will
have played our best card
without getting anything in
return
An Even Trade
• Users want a single card
• We want simple, more secure
administration and new
features
• The only time campus will
accept a new standard is when
we change form factor, not
afterwards
Next Steps
• Standardize on a single form factor
containing all old technologies +
digital certificates even if no
applications use the digital
certificate at first
• Begin to migrate applications one
by one. Since the cert will already
be on card, migration will be
seamless to end users and less
painful for us
How Can I Help?
• I’ve kind of been here before
• This is the most exciting
opportunity I could imagine
• I don’t have all the questions
(That’s your job)
• I don’t know all the answers (but I
will work hard to find them)
• Please let me know what I can do,
research, presentations,
demonstrations, find out answers
to questions, vendor
communications, etc?