IWMW 2001: PKI: the View from Down Under
Transcript of IWMW 2001: PKI: the View from Down Under
25 June 2001 EB IMW Belfast
PKI: The View from Down Under
Presentation to 2001 Institutional Web Management Workshop
Queen’s University BelfastMonday 25 June 2001
Ed Bristow, PKI Technical Manager,Australian Taxation Office
25 June 2001 EB IMW Belfast
Agenda• Who am I? Why am I here?
• The what, why and wherefore of PKI
• The Australian Scene
• The ATO PKI
• The Future
25 June 2001 EB IMW Belfast
Canberra
•Canberra
25 June 2001 EB IMW Belfast
Some definitions• PKI - Public Key Infrastructure
– The technology, policies and processes involved in generation, signing, issue and use of asymmetric ciphers and digital certificates
• ATO - Australian Taxation Office• BAS - Business Activity Statement
– Monthly or quarterly business tax report completed by all Australian businesses
• SSL - Secure Sockets Layer– Standard for encryption of connection between web server and
browser. Now at Version 3.0.• S/MIME - Secure Multipurpose Internet Mail Extensions (RFC
1521)– A standard for creating securely wrapped messages
25 June 2001 EB IMW Belfast
More Definitions• OCSP - Online Certificate Status Protocol.
– Standard (RFC 2560) for the checking of a certificate’s revocation status in real time
• CRL - Certificate revocation list– List of serial numbers of revoked certificates, published
periodically by CA. Part of X.509 (RFC 2459)• DMZ - Demilitarised zone.
– Area between outer and inner firewalls where elements of a site’s security architecture is deployed
• X.500 - Standard for Internet directories• LDAP - Lightweight Directory Access Protocol • PKCS - Proprietary (but industry-wide) standards
developed and maintained by RSA Security Inc
25 June 2001 EB IMW Belfast
Why PKI• E-commerce on the rise• The Internet is a dangerous place• The importance of standards• Digital signatures promise remote,
un-repudiable authentication• The dream of PKI - certificate once,
authenticate everywhere
25 June 2001 EB IMW Belfast
Key Topics
• Confidentiality
• Authentication
• Authorisation
25 June 2001 EB IMW Belfast
Confidentiality• Is SSL good enough?
– Data is vulnerable on the server– Enforce strong cipher suites
• Consider use of S/MIME– Decryption is done deeper in DMZ
• Need to pay attention to web site design• Some products don’t support two key
pairs
25 June 2001 EB IMW Belfast
Authentication• What to use?
– User ID & Password• Simple for users, but have to be
administered & can be cracked– Shared Secret
• Just how secure is the secret?• Doesn’t also provide integrity & non-
repudiation– Digital Certificates
• It’s not a trivial decision
25 June 2001 EB IMW Belfast
Authorisation• The next big challenge• The unrealised potential of X.500 &
LDAP• Products starting to emerge• Active Directory & Kerberos in
Windows 2000• Solutions are policy & directory based• What’s the degree of fit?
25 June 2001 EB IMW Belfast
Can PKI be made to work?• It does cost!• But it does also deliver• Many standards based components• But overall solution will need to be
customised• Native browser based PKI is just not
up to it at present
25 June 2001 EB IMW Belfast
What are the major issues?
• Registration• Key & Certificate distribution
• End-user application design
• Server side design
25 June 2001 EB IMW Belfast
Registration• Binds the identity to the public key• Get this wrong and there’s no point
in worrying about the rest• Can be logistically difficult (and
expensive)– Especially with geographically
dispersed population• Are there opportunities to leverage
another progress?
25 June 2001 EB IMW Belfast
End-User application design
• Native browser, applet or fat client• What platforms to support?
– Windows & Mac– IE & Netscape
• How are private keys stored & accessed– Smart card (PKCS#11) – ‘Soft Key’ (PKCS#12)
25 June 2001 EB IMW Belfast
Server Side Design• Performance• Availability• Certificate validation
– OCSP vs CRL• Do responses need to be signed?• Accept keys and certificates from
multiple CA’s or just one?
25 June 2001 EB IMW Belfast
Overall• Assess the value and importance
of transactions• Threat and risk analysis as first
step• look for leverage opportunities
25 June 2001 EB IMW Belfast
Australia - Land of Contrasts
• Strengths– Innovative culture– Early adopters– Government sector prepared to lead– Small enough for national solutions to
be viable– ‘Can do’ attitude
25 June 2001 EB IMW Belfast
Australia - Land of Contrasts
• Weaknesses– 7 + 2 Governments– Short electoral cycle– Small population base– Geographic Isolation– ‘Branch Office’ Economy– Slow telecoms in rural and remote areas– ‘The Tyranny of Distance’
25 June 2001 EB IMW Belfast
Gatekeeper• Federal Government has
provided a lead• Accreditation scheme for
CA’s and RA’s • Mandated for Federal
government agencies• Also signed-up to by states
(no mean feat!)• Cross-recognition of
Australian Identrus CA’s
25 June 2001 EB IMW Belfast
Gatekeeper - Drawbacks• High barrier to entry• Onerous accreditation requirements
– ATO completed 33 different documents– Can be too slow for commercial
requirements• Focus to date has been on business
– PKI for individuals still some way off• But Gatekeeper2 is coming ...
25 June 2001 EB IMW Belfast
Gatekeeper - Progress• ATO was first to achieve full accreditation • Commercial sector (eSign & Baltimore) now also
fully accredited• Government-sponsored standard for certificates
– Contains Australian Business Number (ABN)– Can be used by businesses to deal with government
at all levels– Can be issued by any accredited or cross-recognized
CA– Simplifies the applications development task
25 June 2001 EB IMW Belfast
The ATO• Main revenue collection authority
for Commonwealth Government• Collects Income Tax, GST, Excise
and other taxes• Approx 20,000 Staff• Facing the ‘electronic challenge’
– Improve services– Reduce costs– Change the paradigm of interaction
25 June 2001 EB IMW Belfast
ATO Electronic Initiatives• Agent lodged Income Tax returns
via X.25 and proprietary s/w since 1991– Now accounts for > 75% of all returns
• Self-lodged Income Tax returns via pre-Gatekeeper PKI-enabled ‘e-tax’ system– Now in 4th year of operation– Expect 400,000 lodgments this year
25 June 2001 EB IMW Belfast
PKI in the ATO• First full Gatekeeper accreditation• Support of tax Reform
– GST (VAT type tax) from 1/7/2001– New reporting regime for business
• Not our core business!• 100k certificate pairs issued
25 June 2001 EB IMW Belfast
The ATO PKI Project• Created and rolled-out an
accredited PKI in less than 9 months
• High pressure project– Short time frame– Legislative deadline– Complex requirements
• Breaking new ground
25 June 2001 EB IMW Belfast
Features• Rely on business registration
process to feed the RA– Integrated with legacy (DB2/OS390)
database• Centrally-generated keys• Distribution via Internet• Two key pairs/certificates
– Authentication (Signing)– Confidentiality (Encryption)
25 June 2001 EB IMW Belfast
Constraints• Very rapid roll-out required
– 145,000 in first month (achieved)• Security requirements on certificate
download• Use Baltimore technology (UniCERT)• Drop dead deadline (legislative)• Outsourced infrastructure
25 June 2001 EB IMW Belfast
The Good• 100,000 sets of keys and certificates distributed in
first year of operation• 70,000 businesses registered to deal electronically• Over 500,000 e-BAS’s lodged• Most find process fairly straightforward• Businesses appear happy with authentication and
confidentiality provided• Vastly lower rejection and intervention rates on e-
BAS’s• Quicker refunds (where payable)
25 June 2001 EB IMW Belfast
The Bad• Teething problems - rapid roll-out• Design issues - eg including ATO-specific data
in certificate• User experience (eg download) still not
satisfactory• Lack of perceived value to business• Process to get certificates and e-BAS complex
- plenty of opportunities for problems• logistical delays (eg PIC mailer printing)• Marketing in a saturated environment
25 June 2001 EB IMW Belfast
The Ugly• Keys and certificates delivered in
browser unfriendly package• Changes in external S/W (eg IE 5.5
SP1) can have near-catastrophic effects
• Technical (il)literacy of some users• Security can have serious effects on
useability• Data quality (esp. e-mail addresses)
25 June 2001 EB IMW Belfast
Learnings• Key success factors
– ‘Drop dead’ deadline– Strong corporate support– Small, strongly focussed team– Exploitation of skills and knowledge of
partners• Pay attention to useability
– Otherwise - help desk gets very busy!• Understand the customer - market
segmentation
25 June 2001 EB IMW Belfast
The Future - Some Questions
• Will PKI become universal, or is it just too hard?
• Is the Internet too dangerous a place to do business?
• Can schemes like Gatekeeper ever really succeed?
• Can anyone make serious money out of PKI?
25 June 2001 EB IMW Belfast
The Future - Some Answers
• RSA appears to be unassailable - for now– We can be confident about the technology
• Success of PKI depends on– Robust and trustable registration processes– Useful applications - there must be a value
proposition– Making the technology transparent
• Australian model has significant strengths– Universal scheme– Standards based - vendor neutral– Public-Private sector partnership
25 June 2001 EB IMW Belfast
Linkswww.ato.gov.au www.taxreform.ato.gov.auwww.ato-pki.ato.gov.auwww.govonline.gov.auwww.baltimore.comwww.esign.com.auwww.identrus.com
25 June 2001 EB IMW Belfast
Thank You