Public Key Infrastructure Cryptography

Category: Security

Notice: Please delay upgrading to Java 9 until we are able to upgrade our PKI software. Java 9 is NOT compatible with our current software and it will NOT allow you to login and/or recover passwords if you have it installed.

DoIT received certification in 2001 as a self-signed Public Key Infrastructure (PKI) Certificate Authority (CA) and Registration Authority (RA) following an independent audit and "root key" generation ceremony. Annual third party audits ensure the digital certificates issued are secure and trustworthy.

DoIT, by Legislative directive, is the sole source of digital certificates for State of Illinois agencies, boards, commissions, universities and those who do business with them. Additionally, local, county and municipal governmental entities are permitted to utilize these services.

Illinois' public key infrastructure (PKI) is necessary to assist with determining the identity of different people, devices and services. PKI goes beyond the use of user ID and password by employing cryptographic technology such as digital certificates and digital signatures which create unique credentials that are validated by a third party. Illinois' PKI is governed by roles, policies and procedures to ensure the appropriate management of digital certificates and public-key encryption. Illinois' PKI functions through the creation and issuance of cryptographic keys by the Illinois Certificate Authority (CA) which provides a public key for distribution throughout the user base and a secret key for private use by the entity (or individual) to which it belongs. The private key is typically used for decryption or digital signatures.

 
Digital Certificates

Digital certificates provide identity information, resist forgery and can be verified by an official third party (Illinois' PKI).  Illinois certificates obtain information such as the name of the certificate holder, a serial number, expiration dates, a copy of the holder's public key and a digital signature of Illinois CA to assist recipients with certificate validation.  Illinois' digital certificates conform to the X.509 standard. 

Service recipients can utilize digital certificates for digitally signing documents, files and emails.  When sending digital messages and documents, the digital signature associated with the certificate ensures the messages originate with a known sender (i.e., authentication) who cannot deny sending the message (i.e., non-repudiation) and ensures the message has not been altered (i.e., integrity).

A simple way of viewing this is that when two persons or two machines want to communicate electronically, both ends of the exchange are validated by a central (third party) Certificate Authority assuring that each end of the conversation is:

  1. Who it is supposed to be;
  2. Exchange between the two ends is both private and secured;
  3. Contents of the document have not been altered.
A digital certificate used for encryption ensures that a file, document, or email can only be read by the intended recipient or recipients. Complex mathematical algorithms are used to ensure that the data cannot be decrypted by brute force attempts.
 

Encrypted Communications

Encrypted communication, the second cryptographic service available, ensures that the method of transporting the message, document or data is secure and not compromised.  Secure Socket Layer (SSL) communications, as an example, creates an exchange between two machines ensuring that the server of origination is valid, the receiving server is valid and that the exchange between the sender and receiver is encrypted and cannot be "sniffed" or read when traversing the public network.

When going to the login page of a website or making a purchase online via providing a credit card, a "lock" appears at the bottom or top of the browser indicating the communication with the receiving server is secure and verified.  DoIT can assist with setting up SSL security. 

Product Features and Descriptions

Standard

Certificate Type

  • Personal (e.g., individuals)
  • Device (e.g., servers) certificates

Trust Levels

  • Level 1 certificates: uses an online interface to verify information from your State of Illinois driver's license or ID card
  • Level 2 certificates: initial "face to face" identity verification along with two forms of identification
  • Level 3 certificates: requires Level 2 verifications plus a background check
  • Level 4 certificates: requires all verifications through Level 3 plus a biometric validation such as a fingerprint, retinal scan, etc., before the appropriate system access is granted

​Supporting Software

  • ​Encryption & Signing requires Entrust Entelligence Security Provider (EESP) -desktop client that manages certificates and enables certificate services within the native user OS environment.  Meets DoD secure delete requirements.
  • Entrust Entelligence Security Provider for Outlook - Outlook plugin for encrypting and signing emails

Non-Standard

  • Organizational level certificates
  • Development support 

Rates and Billing

DoIT fees waived at this time.

Ordering and Provisioning

Service can be procured, modified or cancelled by selecting the "Order Services" button near the top of the right pane.

DoIT Responsibilities

  • Service provisioning and implementation
  • Incident resolution
  • Routine maintenance
  • Provide 24/7 support for questions and/or problems
  • Maintain contracts with vendor
  • Notify customer of any changes to the product
  • Provide instructions to complete the creation of the digital ID

Agency Responsibilities

  • Develop and implement agency governance to ensure staff compliance with DoIT incident reporting and request requirements
  • Identify requirements and assess the assurance level needed for accessing your application 
  • Work with the PKI Team to identify service requirements and develop implementation plans. Depending on the scale of the plan, the DoIT governance process may be required
  • Provide end-user training as needed 

Service Levels and Metrics

Service Fulfillment/Provisioning
Staff will respond to service requests during the published business hours. DoIT targets to provision this service as follows: 
  • Certificates for in-state applicants completed on-line within 5 minutes
  • Out-of-state applications processed within 2 business days of receipt
Incident Response and Resolution
All incidents reported to DoIT will be captured in the DoIT IT service management ticketing system and addressed according to the Incident Management Guidelines.
 
To report an incident, contact PKI Digital Certificate support group, Monday through Sunday, 8:00 AM to 4:30 PM at 866-465-9119.
 
Service Availability
This service will be available 24/7 excluding planned outages, maintenance windows and unavoidable events.