Date post: 12-Jan-2016
Digital Certificates Securing Email Communication Nicholas Davis, IS Consultant/Admin DoIT Middleware
Transcript
Page 1: Digital Certificates Securing Email Communication Nicholas Davis, IS Consultant/Admin DoIT Middleware.

Digital Certificates: Securing Email Communication

Nicholas Davis, IS Consultant/Admin DoIT Middleware

Page 2: Overview

• What are digital certificates?

• What can digital certificates be used for?

• How could digital certificates have been used to avoid data theft at Ameritrade?

• Other methods of authentication

• Social Engineering

• Summary & Discussion

Page 3: What is a Digital Certificate?

• A digital certificate can be thought of as an electronic passport

• It is used to digitally sign email and documents

• Its components can be used to encrypt email and attachments for end-to-end security

• It can secure databases and other server data

Page 4: Public Key Cryptography

Page 5: Digital Certificate Functions

• Authentication – Proof that you are who you claim to be

• Encryption – encoding information in such a way as to make it unreadable

• Non-repudiation – Inability to deny having sent specific information or having accessed a specific system

• Data Integrity – Proof that the data has not been altered since it was originally sent

Page 6: Public Key Cryptography

• A digital certificate is made up of two keys, a private key and a public key

• Public key is used for encrypting and verifying a person’s digital signature

• Private key is used for decrypting and digitally signing

Page 7: Digital Certificates Are For Machines Too

• SSL – Secure Sockets Layer

• Protection of data in transit

• Protection of data at rest

• Where is the greater threat?

Page 8: Using a Digital Signature for Email Signing

Provides proof that the email came from the purported sender (authenticating the user)

Provides proof that the contents of the email have not been altered from the original form (message integrity)

Page 9: Why Is Authenticating the Sender So Important?

Page 10: What if This Happens at UW-Madison?

Case Scenario: could cause harm in a critical situation

Multiple hoax emails sent with Chancellor’s name and email. When real crisis arrives, people might not believe the warning.

It is all about trust!

Page 11: Digital Signing Summary

• Provides proof of the author

• Testifies to message integrity

• Valuable for both individual and mass email

• Supported by Wiscmail Web client (used by 80% of students)

Page 12: What Encryption Does

Encrypting data with a digital certificate secures it end to end:

• While in transit: across the network, and while sitting on email servers

• While in storage: on your desktop computer, on your laptop computer, or on a server

Page 13: Encryption Protects the Data

• Physical theft from the office

• Physical theft at the airport

• Virtual theft over the network

Page 14: Why Encryption is Important

• Keeps private information private

• HIPAA, FERPA, SOX, GLB

• Proprietary research

• Human Resource issues

• Legal issues

• PR issues

Page 15: Where is my Certificate Stored?

• Your digital certificate is stored either on your machine or on a cryptographic USB hardware device

• Dual factor authentication

Page 16: What does it actually look like in practice? (sending)

Page 17: What does it actually look like in practice? (receiving: unlocking my private key)

Page 18: What does it actually look like in practice? (receiving: decrypted)

Page 19: Digitally signed and verified; encrypted

Page 20: What does it actually look like in practice? (receiving: intercepted)

Page 21: Benefits of Using Digital Certificates

• Provide global assurance of your identity, both internally and externally to UW-Madison

• Provide assurance of message authenticity and data integrity

• Keeps private information private, end to end, while in transit and in storage

• You don’t need to have a digital certificate to verify someone else’s digital signature

• Can be used for individual or generic mail accounts

Page 22: Who Uses Digital Certificates at UW-Madison?

• DoIT

• UW Police and Security

• Office of the Registrar

• Office of Financial Aid

• Office of Admissions

• Primate Research Lab

• Medical School

• Others

Page 23: Who Uses Digital Certificates Besides UW-Madison?

• US Department of Defense

• US Department of Homeland Security

• All Western European countries

• Dartmouth College

• University of Texas at Austin

• Johnson & Johnson

• Raytheon

• Others

Page 24: The Telephone Analogy

When the telephone was invented, it was hard to sell. It needed to reach critical mass, and then everyone wanted one.

Page 25: That All Sounds Great In Theory… But

• The world seems to get along just fine without digital certificates…

• Oh, really?

• Let’s talk about Ameritrade

Page 26

• 1971, Ameritrade is founded

• Provides securities brokerage services and technology-based financial services

• 2006, TD Ameritrade reported more than 6.2 million accounts and average client trades of 216,970 per day. The company had $276 billion in client assets.

• Summer 2007, Ameritrade customers begin receiving stock pump-and-dump spam

• September 14, 2007, Ameritrade states that it has found and removed “unauthorized code” from one of its databases.

• What went wrong? How could it have been avoided? Are legacy systems to blame?

Page 27

Unauthorized code in a database allowed names and mailing addresses to be harvested and used for spamming investment-related email.

How did this code get there?

Ameritrade claims that the investigation is ongoing and that they don’t have all the facts yet… You decide who is responsible.

Page 28: Are Usernames and Passwords to Blame?

• Why do we have usernames and passwords?

• Authenticate and authorize, control access rights

• Why are usernames and passwords a bad idea?

• Theft, sniffing, shoulder surfing, brute force attacks, concurrent usage, intentional sharing to thwart technical controls.

• Would authenticating with digital certificates have helped?

Page 29: Digital Certificates vs. Passwords

• Password = something you know

• Digital Certificate = something you have

• Digital Certificate on a hardware token = dual factor authentication

Page 30: Database Information

• Storing data in the clear

• Storing data in encrypted form

• Both have their advantages

• Could Ameritrade have benefited from using an encrypted database?

Page 31: Summary of Ameritrade Issue

• Using a digital certificate for authentication would have provided additional assurance

• Using a digital certificate to encrypt the data within the database

• Dual tiered approach to data protection

Page 32: Other Authentication Technologies

• Proximity Based Authentication

• Biometrics

• One Time Password devices

Page 33: Proximity Based Authentication and Authorization

• Usually radio-frequency responders

• Base station recognizes token

• Communicates with access-control system

• Initiates automatic logon

• Can have two-factor authentication

• Immediate screen lock when user leaves

Page 34: One Time Password Devices

• RSA SecurID

• Addresses many username/password concerns

• Time based

• Event based

• Only good for authentication

Page 35: Social Engineering Threats

• If you insist on username/password, beware of:

– Threatening behavior

– Authoritarian behavior

– Flattery

Page 36: The Importance of Maintaining a Trusted Network

• Control who has access to your systems with dual factor authentication

• Do daily data comparisons

• Keep critical data encrypted when possible

• Apply patches and updates

• Look at the logs regularly
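One way to put the "do daily data comparisons" recommendation into practice, as an added example that is not part of the presentation: a baseline manifest of file hashes, compared against a fresh manifest to report anything modified, added or removed, which is the kind of check that surfaces unexpected code appearing on a system. The directory layout and file contents are constructed for the demonstration; it assumes POSIX sh with sha256sum, find, sort and awk.

```shell
#!/bin/sh
# Added example, not from the slides: baseline-and-compare integrity check.
# Assumes POSIX sh plus sha256sum, find, sort and awk. All sample files are constructed.
set -eu

# Emit "hash  ./path" for every regular file under $1, sorted by path.
make_manifest() {
  ( cd "$1" && find . -type f -print | sort | while IFS= read -r f; do
      sha256sum "$f"
    done )
}

# Compare baseline manifest $1 with current manifest $2.
# Prints one line per difference: ADDED, MODIFIED or REMOVED followed by the path.
compare_manifests() {
  awk '
    NR == FNR { base[$2] = $1; next }     # first file: the stored baseline
    { cur[$2] = $1 }                      # second file: the fresh manifest
    END {
      for (p in cur) if (!(p in base)) print "ADDED " p
      for (p in base) {
        if (!(p in cur)) print "REMOVED " p
        else if (base[p] != cur[p]) print "MODIFIED " p
      }
    }' "$1" "$2" | sort
}

# Constructed scenario: take a baseline, then modify, add and remove one file each.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/data/app"
  printf 'select name, city from customers;\n' > "$d/data/app/report.sql"
  printf 'alpha\n' > "$d/data/notes.txt"
  make_manifest "$d/data" > "$d/baseline.txt"   # stored after a known-good state
  printf 'beta\n' > "$d/data/notes.txt"          # modified
  printf 'unexpected\n' > "$d/data/app/extra.txt" # added
  rm "$d/data/app/report.sql"                    # removed
  make_manifest "$d/data" > "$d/current.txt"     # today's run
  result=$(compare_manifests "$d/baseline.txt" "$d/current.txt")
  rm -rf "$d"
  printf '%s\n' "$result"
}

demo
```

For a scheduled job, pipe the output of compare_manifests into an alert whenever it is non-empty and refresh the baseline only after each reported change has been reviewed.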

Page 37: Question and Answer [email protected]

As you seek to find the truth,

don’t forget to protect your information!
