iwmw 2001: pki: the view from down under

25 June 2001 EB IMW Belfast

PKI: The View from Down Under

Presentation to 2001 Institutional Web Management Workshop

Queen’s University BelfastMonday 25 June 2001

Ed Bristow, PKI Technical Manager,Australian Taxation Office


Agenda• Who am I? Why am I here?

• The what, why and wherefore of PKI

• The Australian Scene

• The ATO PKI

• The Future


Canberra

•Canberra


Some definitions• PKI - Public Key Infrastructure

– The technology, policies and processes involved in generation, signing, issue and use of asymmetric ciphers and digital certificates

• ATO - Australian Taxation Office• BAS - Business Activity Statement

– Monthly or quarterly business tax report completed by all Australian businesses

• SSL - Secure Sockets Layer– Standard for encryption of connection between web server and

browser. Now at Version 3.0.• S/MIME - Secure Multipurpose Internet Mail Extensions (RFC

1521)– A standard for creating securely wrapped messages


More Definitions• OCSP - Online Certificate Status Protocol.

– Standard (RFC 2560) for the checking of a certificate’s revocation status in real time

• CRL - Certificate revocation list– List of serial numbers of revoked certificates, published

periodically by CA. Part of X.509 (RFC 2459)• DMZ - Demilitarised zone.

– Area between outer and inner firewalls where elements of a site’s security architecture is deployed

• X.500 - Standard for Internet directories• LDAP - Lightweight Directory Access Protocol • PKCS - Proprietary (but industry-wide) standards

developed and maintained by RSA Security Inc


Why PKI• E-commerce on the rise• The Internet is a dangerous place• The importance of standards• Digital signatures promise remote,

un-repudiable authentication• The dream of PKI - certificate once,

authenticate everywhere


Key Topics

• Confidentiality

• Authentication

• Authorisation


Confidentiality• Is SSL good enough?

– Data is vulnerable on the server– Enforce strong cipher suites

• Consider use of S/MIME– Decryption is done deeper in DMZ

• Need to pay attention to web site design• Some products don’t support two key

pairs


Authentication• What to use?

– User ID & Password• Simple for users, but have to be

administered & can be cracked– Shared Secret

• Just how secure is the secret?• Doesn’t also provide integrity & non-

repudiation– Digital Certificates

• It’s not a trivial decision


Authorisation• The next big challenge• The unrealised potential of X.500 &

LDAP• Products starting to emerge• Active Directory & Kerberos in

Windows 2000• Solutions are policy & directory based• What’s the degree of fit?


Can PKI be made to work?• It does cost!• But it does also deliver• Many standards based components• But overall solution will need to be

customised• Native browser based PKI is just not

up to it at present


What are the major issues?

• Registration• Key & Certificate distribution

• End-user application design

• Server side design


Registration• Binds the identity to the public key• Get this wrong and there’s no point

in worrying about the rest• Can be logistically difficult (and

expensive)– Especially with geographically

dispersed population• Are there opportunities to leverage

another progress?


End-User application design

• Native browser, applet or fat client• What platforms to support?

– Windows & Mac– IE & Netscape

• How are private keys stored & accessed– Smart card (PKCS#11) – ‘Soft Key’ (PKCS#12)


Server Side Design• Performance• Availability• Certificate validation

– OCSP vs CRL• Do responses need to be signed?• Accept keys and certificates from

multiple CA’s or just one?


Overall• Assess the value and importance

of transactions• Threat and risk analysis as first

step• look for leverage opportunities


Australia - Land of Contrasts

• Strengths– Innovative culture– Early adopters– Government sector prepared to lead– Small enough for national solutions to

be viable– ‘Can do’ attitude


Australia - Land of Contrasts

• Weaknesses– 7 + 2 Governments– Short electoral cycle– Small population base– Geographic Isolation– ‘Branch Office’ Economy– Slow telecoms in rural and remote areas– ‘The Tyranny of Distance’


Gatekeeper• Federal Government has

provided a lead• Accreditation scheme for

CA’s and RA’s • Mandated for Federal

government agencies• Also signed-up to by states

(no mean feat!)• Cross-recognition of

Australian Identrus CA’s


Gatekeeper - Drawbacks• High barrier to entry• Onerous accreditation requirements

– ATO completed 33 different documents– Can be too slow for commercial

requirements• Focus to date has been on business

– PKI for individuals still some way off• But Gatekeeper2 is coming ...


Gatekeeper - Progress• ATO was first to achieve full accreditation • Commercial sector (eSign & Baltimore) now also

fully accredited• Government-sponsored standard for certificates

– Contains Australian Business Number (ABN)– Can be used by businesses to deal with government

at all levels– Can be issued by any accredited or cross-recognized

CA– Simplifies the applications development task


The ATO• Main revenue collection authority

for Commonwealth Government• Collects Income Tax, GST, Excise

and other taxes• Approx 20,000 Staff• Facing the ‘electronic challenge’

– Improve services– Reduce costs– Change the paradigm of interaction


ATO Electronic Initiatives• Agent lodged Income Tax returns

via X.25 and proprietary s/w since 1991– Now accounts for > 75% of all returns

• Self-lodged Income Tax returns via pre-Gatekeeper PKI-enabled ‘e-tax’ system– Now in 4th year of operation– Expect 400,000 lodgments this year


PKI in the ATO• First full Gatekeeper accreditation• Support of tax Reform

– GST (VAT type tax) from 1/7/2001– New reporting regime for business

• Not our core business!• 100k certificate pairs issued


The ATO PKI Project• Created and rolled-out an

accredited PKI in less than 9 months

• High pressure project– Short time frame– Legislative deadline– Complex requirements

• Breaking new ground


Features• Rely on business registration

process to feed the RA– Integrated with legacy (DB2/OS390)

database• Centrally-generated keys• Distribution via Internet• Two key pairs/certificates

– Authentication (Signing)– Confidentiality (Encryption)


Constraints• Very rapid roll-out required

– 145,000 in first month (achieved)• Security requirements on certificate

download• Use Baltimore technology (UniCERT)• Drop dead deadline (legislative)• Outsourced infrastructure


The Good• 100,000 sets of keys and certificates distributed in

first year of operation• 70,000 businesses registered to deal electronically• Over 500,000 e-BAS’s lodged• Most find process fairly straightforward• Businesses appear happy with authentication and

confidentiality provided• Vastly lower rejection and intervention rates on e-

BAS’s• Quicker refunds (where payable)


The Bad• Teething problems - rapid roll-out• Design issues - eg including ATO-specific data

in certificate• User experience (eg download) still not

satisfactory• Lack of perceived value to business• Process to get certificates and e-BAS complex

- plenty of opportunities for problems• logistical delays (eg PIC mailer printing)• Marketing in a saturated environment


The Ugly• Keys and certificates delivered in

browser unfriendly package• Changes in external S/W (eg IE 5.5

SP1) can have near-catastrophic effects

• Technical (il)literacy of some users• Security can have serious effects on

useability• Data quality (esp. e-mail addresses)


Learnings• Key success factors

– ‘Drop dead’ deadline– Strong corporate support– Small, strongly focussed team– Exploitation of skills and knowledge of

partners• Pay attention to useability

– Otherwise - help desk gets very busy!• Understand the customer - market

segmentation


The Future - Some Questions

• Will PKI become universal, or is it just too hard?

• Is the Internet too dangerous a place to do business?

• Can schemes like Gatekeeper ever really succeed?

• Can anyone make serious money out of PKI?


The Future - Some Answers

• RSA appears to be unassailable - for now– We can be confident about the technology

• Success of PKI depends on– Robust and trustable registration processes– Useful applications - there must be a value

proposition– Making the technology transparent

• Australian model has significant strengths– Universal scheme– Standards based - vendor neutral– Public-Private sector partnership


Linkswww.ato.gov.au www.taxreform.ato.gov.auwww.ato-pki.ato.gov.auwww.govonline.gov.auwww.baltimore.comwww.esign.com.auwww.identrus.com


Thank You

iwmw 2001: pki: the view from down under

Education