25 June 2001EB IMW Belfast PKI: The View from Down Under Presentation to 2001 Institutional Web Management Workshop Queen’s University Belfast Monday 25.

25 June 2001 EB IMW Belfast

PKI: The View from Down Under

Presentation to 2001 Institutional Web Management Workshop

Queen’s University BelfastMonday 25 June 2001

Ed Bristow, PKI Technical Manager,Australian Taxation Office


Agenda

• Who am I? Why am I here?

• The what, why and wherefore of PKI

• The Australian Scene

• The ATO PKI

• The Future


Canberra

•Canberra


Some definitions• PKI - Public Key Infrastructure

– The technology, policies and processes involved in generation, signing, issue and use of asymmetric ciphers and digital certificates

• ATO - Australian Taxation Office• BAS - Business Activity Statement

– Monthly or quarterly business tax report completed by all Australian businesses

• SSL - Secure Sockets Layer– Standard for encryption of connection between web server and

browser. Now at Version 3.0.

• S/MIME - Secure Multipurpose Internet Mail Extensions (RFC 1521)

– A standard for creating securely wrapped messages


More Definitions• OCSP - Online Certificate Status Protocol.

– Standard (RFC 2560) for the checking of a certificate’s revocation status in real time

• CRL - Certificate revocation list– List of serial numbers of revoked certificates, published

periodically by CA. Part of X.509 (RFC 2459)

• DMZ - Demilitarised zone. – Area between outer and inner firewalls where elements of a

site’s security architecture is deployed

• X.500 - Standard for Internet directories• LDAP - Lightweight Directory Access Protocol • PKCS - Proprietary (but industry-wide) standards

developed and maintained by RSA Security Inc


Why PKI

• E-commerce on the rise

• The Internet is a dangerous place

• The importance of standards

• Digital signatures promise remote, un-repudiable authentication

• The dream of PKI - certificate once, authenticate everywhere


Key Topics

• Confidentiality

• Authentication

• Authorisation


Confidentiality

• Is SSL good enough?– Data is vulnerable on the server

– Enforce strong cipher suites

• Consider use of S/MIME– Decryption is done deeper in DMZ

• Need to pay attention to web site design

• Some products don’t support two key pairs


Authentication• What to use?

– User ID & Password• Simple for users, but have to be

administered & can be cracked

– Shared Secret• Just how secure is the secret?

• Doesn’t also provide integrity & non-repudiation

– Digital Certificates

• It’s not a trivial decision


Authorisation

• The next big challenge• The unrealised potential of X.500 &

LDAP• Products starting to emerge• Active Directory & Kerberos in

Windows 2000• Solutions are policy & directory

based• What’s the degree of fit?


Can PKI be made to work?

• It does cost!

• But it does also deliver

• Many standards based components

• But overall solution will need to be customised

• Native browser based PKI is just not up to it at present


What are the major issues?

• Registration

• Key & Certificate distribution

• End-user application design

• Server side design


Registration• Binds the identity to the public key

• Get this wrong and there’s no point in worrying about the rest

• Can be logistically difficult (and expensive)– Especially with geographically

dispersed population

• Are there opportunities to leverage another progress?


End-User application design

• Native browser, applet or fat client

• What platforms to support?– Windows & Mac

– IE & Netscape

• How are private keys stored & accessed– Smart card (PKCS#11)

– ‘Soft Key’ (PKCS#12)


Server Side Design

• Performance• Availability• Certificate validation

– OCSP vs CRL

• Do responses need to be signed?• Accept keys and certificates from

multiple CA’s or just one?


Overall

• Assess the value and importance of transactions

• Threat and risk analysis as first step

• look for leverage opportunities


Australia - Land of Contrasts

• Strengths– Innovative culture– Early adopters– Government sector prepared to lead– Small enough for national solutions to

be viable– ‘Can do’ attitude


Australia - Land of Contrasts

• Weaknesses– 7 + 2 Governments– Short electoral cycle– Small population base– Geographic Isolation– ‘Branch Office’ Economy– Slow telecoms in rural and remote

areas– ‘The Tyranny of Distance’


Gatekeeper

• Federal Government has provided a lead

• Accreditation scheme for CA’s and RA’s

• Mandated for Federal government agencies

• Also signed-up to by states (no mean feat!)

• Cross-recognition of Australian Identrus CA’s


Gatekeeper - Drawbacks

• High barrier to entry• Onerous accreditation requirements

– ATO completed 33 different documents– Can be too slow for commercial

requirements

• Focus to date has been on business – PKI for individuals still some way off

• But Gatekeeper2 is coming ...


Gatekeeper - Progress

• ATO was first to achieve full accreditation • Commercial sector (eSign & Baltimore) now

also fully accredited• Government-sponsored standard for

certificates– Contains Australian Business Number (ABN)– Can be used by businesses to deal with

government at all levels– Can be issued by any accredited or cross-

recognized CA– Simplifies the applications development task


The ATO

• Main revenue collection authority for Commonwealth Government

• Collects Income Tax, GST, Excise and other taxes

• Approx 20,000 Staff• Facing the ‘electronic challenge’

– Improve services– Reduce costs– Change the paradigm of interaction


ATO Electronic Initiatives

• Agent lodged Income Tax returns via X.25 and proprietary s/w since 1991– Now accounts for > 75% of all returns

• Self-lodged Income Tax returns via pre-Gatekeeper PKI-enabled ‘e-tax’ system– Now in 4th year of operation– Expect 400,000 lodgments this year


PKI in the ATO• First full Gatekeeper accreditation• Support of tax Reform

– GST (VAT type tax) from 1/7/2001– New reporting regime for business

• Not our core business!• 100k certificate pairs issued


The ATO PKI Project• Created and rolled-out an

accredited PKI in less than 9 months

• High pressure project– Short time frame– Legislative deadline– Complex requirements

• Breaking new ground


Features

• Rely on business registration process to feed the RA– Integrated with legacy (DB2/OS390)

database• Centrally-generated keys• Distribution via Internet• Two key pairs/certificates

– Authentication (Signing)– Confidentiality (Encryption)


Constraints

• Very rapid roll-out required– 145,000 in first month (achieved)

• Security requirements on certificate download

• Use Baltimore technology (UniCERT)• Drop dead deadline (legislative)• Outsourced infrastructure


The Good• 100,000 sets of keys and certificates distributed in

first year of operation

• 70,000 businesses registered to deal electronically

• Over 500,000 e-BAS’s lodged

• Most find process fairly straightforward

• Businesses appear happy with authentication and confidentiality provided

• Vastly lower rejection and intervention rates on e-BAS’s

• Quicker refunds (where payable)


The Bad• Teething problems - rapid roll-out• Design issues - eg including ATO-specific data

in certificate• User experience (eg download) still not

satisfactory• Lack of perceived value to business• Process to get certificates and e-BAS complex

- plenty of opportunities for problems• logistical delays (eg PIC mailer printing)• Marketing in a saturated environment


The Ugly

• Keys and certificates delivered in browser unfriendly package

• Changes in external S/W (eg IE 5.5 SP1) can have near-catastrophic effects

• Technical (il)literacy of some users• Security can have serious effects on

useability• Data quality (esp. e-mail addresses)


Learnings• Key success factors

– ‘Drop dead’ deadline

– Strong corporate support

– Small, strongly focussed team

– Exploitation of skills and knowledge of partners

• Pay attention to useability– Otherwise - help desk gets very busy!

• Understand the customer - market segmentation


The Future - Some Questions

• Will PKI become universal, or is it just too hard?

• Is the Internet too dangerous a place to do business?

• Can schemes like Gatekeeper ever really succeed?

• Can anyone make serious money out of PKI?


The Future - Some Answers

• RSA appears to be unassailable - for now– We can be confident about the technology

• Success of PKI depends on– Robust and trustable registration processes– Useful applications - there must be a value

proposition– Making the technology transparent

• Australian model has significant strengths– Universal scheme– Standards based - vendor neutral– Public-Private sector partnership


Links

www.ato.gov.au www.taxreform.ato.gov.auwww.ato-pki.ato.gov.auwww.govonline.gov.auwww.baltimore.comwww.esign.com.auwww.identrus.com


Thank You

25 June 2001EB IMW Belfast PKI: The View from Down Under Presentation to 2001 Institutional Web Management Workshop Queen’s University Belfast Monday 25.

Documents

eb imw belfast pki

eb imw belfast canberra

eb imw belfast authentication

eb imw belfast authorisation

eb imw belfast confidentiality

eb imw belfast agenda

eb imw belfast reg

design slide