Slides for a talk on "PKI: the View from Down Under" given by Ed Bristow at the IWMW 2001 event held at Queen's University Belfast on 25-27 June 2001.
See http://www.ukoln.ac.uk/web-focus/events/workshops/webmaster-2001/sessions.html#speaker-4
1. PKI: The View from Down
Under
Presentation to 2001 Institutional Web
Management Workshop
Queenâs University Belfast
Monday 25 June 2001
Ed Bristow, PKI Technical Manager,
Australian Taxation Office
2. Agenda
⢠Who am I? Why am I here?
⢠The what, why and wherefore of PKI
⢠The Australian Scene
⢠The ATO PKI
⢠The Future
4. Some definitions
⢠PKI - Public Key Infrastructure
â The technology, policies and processes involved in generation,
signing, issue and use of asymmetric ciphers and digital
certificates
⢠ATO - Australian Taxation Office
⢠BAS - Business Activity Statement
â Monthly or quarterly business tax report completed by all
Australian businesses
⢠SSL - Secure Sockets Layer
â Standard for encryption of connection between web server and
browser. Now at Version 3.0.
⢠S/MIME - Secure Multipurpose Internet Mail Extensions
(RFC 1521)
â A standard for creating securely wrapped messages
5. More Definitions
⢠OCSP - Online Certificate Status Protocol.
â Standard (RFC 2560) for the checking of a certificateâs revocation
status in real time
⢠CRL - Certificate revocation list
â List of serial numbers of revoked certificates, published
periodically by CA. Part of X.509 (RFC 2459)
⢠DMZ - Demilitarised zone.
â Area between outer and inner firewalls where elements of a siteâs
security architecture is deployed
⢠X.500 - Standard for Internet directories
⢠LDAP - Lightweight Directory Access Protocol
⢠PKCS - Proprietary (but industry-wide) standards
developed and maintained by RSA Security Inc
6. Why PKI
⢠E-commerce on the rise
⢠The Internet is a dangerous place
⢠The importance of standards
⢠Digital signatures promise remote, un-
repudiable authentication
⢠The dream of PKI - certificate once,
authenticate everywhere
8. Confidentiality
⢠Is SSL good enough?
â Data is vulnerable on the server
â Enforce strong cipher suites
⢠Consider use of S/MIME
â Decryption is done deeper in DMZ
⢠Need to pay attention to web site design
⢠Some products donât support two key pairs
9. Authentication
⢠What to use?
â User ID & Password
⢠Simple for users, but have to be administered &
can be cracked
â Shared Secret
⢠Just how secure is the secret?
⢠Doesnât also provide integrity & non-repudiation
â Digital Certificates
⢠Itâs not a trivial decision
10. Authorisation
⢠The next big challenge
⢠The unrealised potential of X.500 &
LDAP
⢠Products starting to emerge
⢠Active Directory & Kerberos in Windows
2000
⢠Solutions are policy & directory based
⢠Whatâs the degree of fit?
11. Can PKI be made to work?
⢠It does cost!
⢠But it does also deliver
⢠Many standards based components
⢠But overall solution will need to be
customised
⢠Native browser based PKI is just not up
to it at present
12. What are the major issues?
⢠Registration
⢠Key & Certificate distribution
⢠End-user application design
⢠Server side design
13. Registration
⢠Binds the identity to the public key
⢠Get this wrong and thereâs no point in
worrying about the rest
⢠Can be logistically difficult (and
expensive)
â Especially with geographically dispersed
population
⢠Are there opportunities to leverage
another progress?
14. End-User application design
⢠Native browser, applet or fat client
⢠What platforms to support?
â Windows & Mac
â IE & Netscape
⢠How are private keys stored &
accessed
â Smart card (PKCS#11)
â âSoft Keyâ (PKCS#12)
15. Server Side Design
⢠Performance
⢠Availability
⢠Certificate validation
â OCSP vs CRL
⢠Do responses need to be signed?
⢠Accept keys and certificates from
multiple CAâs or just one?
16. Overall
⢠Assess the value and importance of
transactions
⢠Threat and risk analysis as first step
⢠look for leverage opportunities
17. Australia - Land of Contrasts
⢠Strengths
â Innovative culture
â Early adopters
â Government sector prepared to lead
â Small enough for national solutions to be
viable
â âCan doâ attitude
18. Australia - Land of Contrasts
⢠Weaknesses
â 7 + 2 Governments
â Short electoral cycle
â Small population base
â Geographic Isolation
â âBranch Officeâ Economy
â Slow telecoms in rural and remote areas
â âThe Tyranny of Distanceâ
19. Gatekeeper
⢠Federal Government has
provided a lead
⢠Accreditation scheme for CAâs
and RAâs
⢠Mandated for Federal
government agencies
⢠Also signed-up to by states (no
mean feat!)
⢠Cross-recognition of Australian
Identrus CAâs
20. Gatekeeper - Drawbacks
⢠High barrier to entry
⢠Onerous accreditation requirements
â ATO completed 33 different documents
â Can be too slow for commercial
requirements
⢠Focus to date has been on business
â PKI for individuals still some way off
⢠But Gatekeeper2 is coming ...
21. Gatekeeper - Progress
⢠ATO was first to achieve full accreditation
⢠Commercial sector (eSign & Baltimore)
now also fully accredited
⢠Government-sponsored standard for
certificates
â Contains Australian Business Number (ABN)
â Can be used by businesses to deal with
government at all levels
â Can be issued by any accredited or cross-
recognized CA
22. The ATO
⢠Main revenue collection authority for
Commonwealth Government
⢠Collects Income Tax, GST, Excise and
other taxes
⢠Approx 20,000 Staff
⢠Facing the âelectronic challengeâ
â Improve services
â Reduce costs
â Change the paradigm of interaction
23. ATO Electronic Initiatives
⢠Agent lodged Income Tax returns via
X.25 and proprietary s/w since 1991
â Now accounts for > 75% of all returns
⢠Self-lodged Income Tax returns via pre-
Gatekeeper PKI-enabled âe-taxâ system
â Now in 4th year of operation
â Expect 400,000 lodgments this year
24. PKI in the ATO
⢠First full Gatekeeper accreditation
⢠Support of tax Reform
â GST (VAT type tax) from 1/7/2001
â New reporting regime for business
⢠Not our core business!
⢠100k certificate pairs issued
25. The ATO PKI Project
⢠Created and rolled-out an accredited
PKI in less than 9 months
⢠High pressure project
â Short time frame
â Legislative deadline
â Complex requirements
⢠Breaking new ground
26. Features
⢠Rely on business registration process to
feed the RA
â Integrated with legacy (DB2/OS390)
database
⢠Centrally-generated keys
⢠Distribution via Internet
⢠Two key pairs/certificates
â Authentication (Signing)
â Confidentiality (Encryption)
27. Constraints
⢠Very rapid roll-out required
â 145,000 in first month (achieved)
⢠Security requirements on certificate
download
⢠Use Baltimore technology (UniCERT)
⢠Drop dead deadline (legislative)
⢠Outsourced infrastructure
28. The Good
⢠100,000 sets of keys and certificates distributed in
first year of operation
⢠70,000 businesses registered to deal electronically
⢠Over 500,000 e-BASâs lodged
⢠Most find process fairly straightforward
⢠Businesses appear happy with authentication and
confidentiality provided
⢠Vastly lower rejection and intervention rates on e-
BASâs
⢠Quicker refunds (where payable)
29. The Bad
⢠Teething problems - rapid roll-out
⢠Design issues - eg including ATO-specific
data in certificate
⢠User experience (eg download) still not
satisfactory
⢠Lack of perceived value to business
⢠Process to get certificates and e-BAS
complex - plenty of opportunities for
problems
⢠logistical delays (eg PIC mailer printing)
⢠Marketing in a saturated environment
30. The Ugly
⢠Keys and certificates delivered in
browser unfriendly package
⢠Changes in external S/W (eg IE 5.5
SP1) can have near-catastrophic
effects
⢠Technical (il)literacy of some users
⢠Security can have serious effects on
useability
⢠Data quality (esp. e-mail addresses)
31. Learnings
⢠Key success factors
â âDrop deadâ deadline
â Strong corporate support
â Small, strongly focussed team
â Exploitation of skills and knowledge of partners
⢠Pay attention to useability
â Otherwise - help desk gets very busy!
⢠Understand the customer - market
segmentation
32. The Future - Some Questions
⢠Will PKI become universal, or is it just
too hard?
⢠Is the Internet too dangerous a place to
do business?
⢠Can schemes like Gatekeeper ever
really succeed?
⢠Can anyone make serious money out of
PKI?
33. The Future - Some Answers
⢠RSA appears to be unassailable - for now
â We can be confident about the technology
⢠Success of PKI depends on
â Robust and trustable registration processes
â Useful applications - there must be a value
proposition
â Making the technology transparent
⢠Australian model has significant strengths
â Universal scheme
â Standards based - vendor neutral
â Public-Private sector partnership
The Java language provides a high degree of platform independence and a smaller download size than any alternative technology.
Full 128 bit encryption, the strongest available commercially, is used.
HTTP (Hyper Text Transport Protocol) allows less different types of data to be carried than FTP (File Transfer Protocol), thereby reducing the ability of hackers to attack the system.
Only Windows95, Windows98 and Windows NT are supported at present. A web browser (either Microsoft Internet Explorer Version 4.07 or Netscape Navigator (Version 4.01 or better) is required.
There is a practical limit of about 50,000 records in a file. Beyond this the limitations of the physical connections over the Internet mean that transmission start to drop out. Higher numbers may be possible with ISDN lines. Tests indicate that a 50,000 record files takes about 20-25 minutes to transmit using a 28.8 Kbps modem.
The files are compressed before transmission, which reduces their size by a up to a factor of 10.
We have been trialing the system with three organisations, and have successfully received and transmitted files and messages in both directions.
We are preparing to extend the pilot to up to 50 participants, in time for the lodgment of AVAs for the 1997/98 assessments, due in June 1999.
We hope to have the system generally available to Surcharge reporters by October 1999, in time to be used for lodgment of 1998/99 MCS files. One major dependency that may affect this timeframe is the ability to issue and register keys.
ECI not intended to replace other communication channels entirely, but to complement them.
Developed as a direct response to Industry requests for an alternative to paper for small volumes of data.
Designed to be easy to use - just get your key, connect to the Internet and youâre away.
The only software you need is a browser - everything else is supplied - and browsers are free!
The validation before sending means that you will only get back errors that result from data you supply being compared with data that the ATO holds.
Build your lodgment file on the computer using SDCS and transmit using ECI. No paper anywhere in sight!
Reduced costs for the ATO are always desirable.
Improved data quality means less glitches in assessments
Superannuation is breaking ground for the rest of the ATO - Tax Reform initiatives will use the same technology and there are a host of applications that will follow.