DEDICA Project : Project TE 2005 TE - PowerPoint PPT Presentation

About This Presentation

Title:

DEDICA Project : Project TE 2005 TE

Description:

DEDICA Project : Project TE 2005 (TE) Directory Based ... Manuel Medina, Juan Carlos Cruellas, Montse Rubia (DAC/UPC) ... SEMPER Project. ICE-TEL Project. E2S ... – PowerPoint PPT presentation

Number of Views:83

Avg rating:3.0/5.0

Slides: 35

Provided by: Port112

Learn more at: https://research.ac.upc.edu

Category:

more less

Transcript and Presenter's Notes

Title: DEDICA Project : Project TE 2005 TE

1
DEDICA Project Project TE 2005 (TE)

Directory Based EDI Certificate Access and
Management
Manuel Medina, Juan Carlos Cruellas, Montse Rubia
(DAC/UPC)
URL http//.www.ac.upc.es/recerca/DISTR/DEDICA/de
fault.htm

2
DEDICA PARTNERS
Project Manager Téléport Paris Ile de France
List of partners

Organization Role Country
Software and Systems
Engineering Limited C IE
Universitat Politecnica
de Catalunya C ES
R3 Security Engineering ag A CH
Cryptomatic A/S A DK
G.M.D A DE

Organization Role Country
Alcatel Business Systems C FR
Intrasoft C GR
Athens C.C.I A GR
Interbank A GR
Finsiel C IT
Sogei A IT
Indra SSI (Eritel) C ES

3
AIM OF DEDICA

The aim of the project is the rapid and cost
effective provision of EDI Certificate management
infra-structure to EDI users.
Addressed to those interested in the use of open
standard UN/EDIFACT security services and
interworking with electronic mail and other
standard services.

4
OVERVIEW OF DEDICA PROJECT OBJECTIVES

To supply a gateway tool between the X.509
certification infrastructure, and the existing
EDI applications that are following the
UN/EDIFACT standards for certification and
electronic signature mechanisms.
To specify translation rules to convert X.509
certificates into EDIFACT certificates and
viceversa.
To set up demonstrators of its applications in
four experimental sites
Disseminate and exploit the results in an
operational and industrial way

5
DEDICA SCENARIO (I)
6
DEDICA SCENARIO (II)
7
DEDICA SCENARIO (II)

User A in an infrastructure IA gives his
certificate (generated by a CA of IA -initial
certificate-) and requests to DEDICA a
certificate in the other infrastructure IB
(derived certificate).
User A sends a message to user B in
infrastructure IB (with the certificate generated
by DEDICA)
User B requests DEDICA to validate the derived
certificate of A.
DEDICA verifies if the initial certificate of A
is still valid. He sends to B the answer to his
request.

8
BLOCK DIAGRAM OF THE DEDICA GATEWAY (I)
9
BLOCK DIAGRAM OF THE DEDICA GATEWAY (II)
CERTMAP
MANGMAP

Given a valid certificate generated by a CA
(initial certificate) in one format, to generate
a certificate in the other format (derived
certificate)
Mapping information from the initial to the
derived in the new format.
Usage of external tools ASN.1 and crypto tools.

Manage connections with users.
Collect requests for generating derived
certificates.
Verify the initial certificates arrived (access
to X.500)
Collect requests of validation of derived
certificates.
Build response messages

10
DEVELOPMENT OF CERTMAP

1 Technical analysis of X.509 and UN/EDIFACT
certificates
2 Definition and specification of the strategy
for the mapping of the names
3 Formal specification of the mapping of the
certificates.

11
CERT-MAP STRUCTURE (CM)
12
MAPPING FROM X.509 TO UN/EDIFACT
0. X.509 certificate arrives. 1. CM_KE passes DER
to ASN.1 tool. 2. ASN.1 tool returns X.509
certificate information in an intern
format. 3 to 6 Modules map data elements. 7.
CM_CE returns ToBeSigned part of EDIFACT
certificate. 8. CM_KE passes it to Cryptographic
module. 9. Cryptographic module returns
signature. 10. CM_FF filters signature. 11. CM_CE
generates EDIFACT derived certificate.
13
MAPPING FROM EDIFACT TO X.509
0. EDIFACT certificate arrives. 1. CM_CE returns
certificate information in an intern
format. 2 to 5 Modules perform mapping tasks
of X.509 derived certificate. 6. CM_KE passes
info to ASN.1 tool 7. ASN.1 tool returns
ToBeSigned. 8. CM_KE passes ToBeSigned to
Cryptographic tool. 9. Crypto tool returns
signature. 10. CM_KE passes signature to
ASN.1 tool. 11. ASN.1 tool returns X.509
certificate.
14
MANG-MAP STRUCTURE (I)
15
MANG-MAP STRUCTURE (II)

MK MangMap Kernel. Handles the requests arrived
to the gateway, passes them to the corresponding
module, requests the mapping of a given
certificate and coordinates the processing inside
the gateway
KH KEYMAN and EDIFACT Interchange Handling.
Handles the requesting interchanges and builds
the answer interchanges.
XH X.509 PKI messages Handling. Handles the
incoming messages from X.509 PKI and builds the
corresponding answer messages..

16
SEQUENCE OF OPERATIONS
UN/EDIFACT derived certificate request (I)

User X, with X.509 certificate requests to the
gateway the production of a derived EDIFACT
certificate.
User X sends KEYMAN X.509 DER encoded within an
EDIFACT package (UNO-UNP segments).
DEDICA gateway answers with an EDIFACT
certificate within a KEYMAN message

User E
User X
17
SEQUENCE OF OPERATIONS
UN/EDIFACT derived certificate request (II)
18
SEQUENCE OF OPERATIONS

User X sends to user E a secured EDIFACT
interchange including the derived EDIFACT
certificate.

User E
User X
19
SEQUENCE OF OPERATIONS
UN/EDIFACT derived certificate validation request
(I)

User E receives secured interchange with the
derived EDIFACT certificate.
User E requests validation of the certificate to
the gateway.
The gateway answers the request.
User E proceeds with the interchange.

KEYMAN( EDIFACT Cert )
KEYMAN (Valid. result)
User E
User X
20
SEQUENCE OF OPERATIONS
UN/EDIFACT derived certificate validation request
(II)
21
SEQUENCE OF OPERATIONS

MangMap access to X.500 Directory by using LDAP
in order to validate the X.509 initial
certificate.
MangMap validates
Signature in X.509 certificate.
Revocation List in X.509 initial certificate
issuers site.
Certification Path for the X.509 initial
certificate.

22
DEDICA AND X.500 ACCESS
X.500 DIRECTORY
KH
XH
MK
DUA
LDAP SERVER
23
OTHER POSSIBLE USAGES

DEDICA TOOLS could also be used in other
environments
CAs with DEDICA modules could issue both kind of
certificates without needing to duplicate
infrastructure (revocation lists, etc.)
Currently existing X.509 CAs could become an
EDIFACT CA by incorporating DEDICA tools.

24
CURRENT STATUS

Conversion rules for X.509 and EDIFACT
certificates specified.
CertMap developed and working in the sense X.509
-gt EDIFACT.
MangMap finished.
Pilots starting. Certification services for
EDIFACT users.

25
COOPERATION ACTIVITIES WITH OTHER PROJECTS AND
PROGRAM SECTORS

SEMPER Project
ICE-TEL Project
E2S

26
PLANS FOR DEMONSTRATION, EXPLOITATION,
IMPLEMENTATION AND EXPECTED ACHIEVEMENTS

ETS, European Trusted third parties Services
Demonstration phase with the involvement of
European wide users communities
Development and/or enhancement of services.

27
COMMITMENT AND ABILITY OF THE PARTICIPANTS TO
OPERATE IN THE MARKET AREAS INVOLVED

INTRASOFT/ INTERBANK
HEDIVAN project
FINSIEL
Italian Custom Administration

28
TRANSITION TO A SUCCESSFUL EXPLOITATION PHASE

A second users meeting will be organised to
demonstrate the capabilities of the DEDICA
gateway to different users comunities, and to
developers of EDI applications.

29
X.509 INITIAL CERTIFICATE (I) SHORT DN

SEQUENCE (331)
toBeSigned SEQUENCE (310)
version 0 INTEGER (1) 0x00
(0) DEFAULT
serialNumber INTEGER (2) 0x04D2
(1234)
signature SEQUENCE (13)
algorithm OBJECT IDENTIFIER (9)
pkcs1-md5WithRSAEncryption
parameters TYPE (2) with
NULL (0)
issuer SEQUENCE OF (49) RDN
OCARoot, OCASP, OCA_UPC
validity SEQUENCE (30)
notBefore UTCTime (13) "961218111200Z"
notAfter UTCTime (13) "971218111200Z"
subject SEQUENCE OF (44) RDN
Ces, Oupc, CNmedina

subjectPublicKey BIT STRING (141) Encapsulates
TYPE (140) with
rSAPublicKey SEQUENCE (137)
modulus INTEGER (129)
0x00BF2B9E56769AAEB79564F63D9CE6759FC8CD851761F13C
D63EC6DABF08A5FE6C2219E888D48DB753E141BE0169D3F404
F993D7F389DAF1D27370F5D6E173A75BFB9D75E13D11DAFDA2
D197084355BA0159EE60AE34B1F1C50426D323F1E748CF34C1
E0B0FA7EC94CF0FFCD41A3D66C5B6AF7B64008D6CDD14806D4
3A0D461D6F
exponent INTEGER (3) 0x010001
(65537)
issuerUId 1 IMPLICIT BIT STRING
OPTIONAL NOT PRESENT
subjectUId 2 IMPLICIT BIT STRING
OPTIONAL NOT PRESENT
extensions 3 SEQUENCE OF
OPTIONAL NOT PRESENT
signatureAlgorithm SEQUENCE (13)
algorithm OBJECT IDENTIFIER (9)
pkcs1-md5WithRSAEncryption
parameters TYPE (2) with
NULL (0)

30
EDIFACT CERTIFICATE CONTENTS AND CODIFICATION (I)

USC (v3) CERTIFICATE SEGMENT
0536....CERTIFICATE REFERENCE
1
S500 SECURITY IDENTIFICATION DETAILS
0577....Security party qualifier
3
0538....Key name
Manel Medina Key 1
0586....Security party name
EDI Manuel Medina
S500 SECURITY IDENTIFICATION DETAILS
0577....Security party qualifier
4
0586....Security party name
DEDICAName
0544....FORMAT CERTIFICATE VERSION
XXY
0505....FILTER FUNCTION, CODED
5

USA (v3) SECURITY ALGORITHM
S502 SECURITY ALGORITHM
0523....Use of algorithm, coded
3
0527....Algorithm, coded
10
USA (v3) SECURITY ALGORITHM
S502 SECURITY ALGORITHM
0523....Use of algorithm, coded
4
0527....Algorithm, coded
6
USA (v3) SECURITY ALGORITHM
S502 SECURITY ALGORITHM
0523....Use of algorithm, coded
6
0527....Algorithm, coded
10
S503_V3 ALGORITHM PARAMETER

31
X.509 INITIAL CERTIFICATE (II)LONG DN

SEQUENCE (439)
toBeSigned SEQUENCE (418)
version 0 INTEGER (1) 0x00
(0) DEFAULT
serialNumber INTEGER (2) 0x04D2
(1234)
signature SEQUENCE (13)
algorithm OBJECT IDENTIFIER (9)
pkcs1-md5WithRSAEncryption
parameters TYPE (2) with
NULL (0)
issuer SEQUENCE OF (49) RDN
OCARoot, OCASP, OCA_UPC
validity SEQUENCE (30)
notBefore UTCTime (13) "961218111200Z"
notAfter UTCTime (13) "971218111200Z"
subject SEQUENCE OF (151) RDN
Ces, OThis is an example of very long
organisation name, OUorganisational unit name,
CNlong DN for the subject (Part 1)

subjectPublicKey BIT STRING (141) Encapsulates
TYPE (140) with
rSAPublicKey SEQUENCE (137)
modulus INTEGER (129)
0x00BF2B9E56769AAEB79564F63D9CE6759FC8CD851761F13C
D63EC6DABF08A5FE6C2219E888D48DB753E141BE0169D3F404
F993D7F389DAF1D27370F5D6E173A75BFB9D75E13D11DAFDA2
D197084355BA0159EE60AE34B1F1C50426D323F1E748CF34C1
E0B0FA7EC94CF0FFCD41A3D66C5B6AF7B64008D6CDD14806D4
3A0D461D6F
exponent INTEGER (3) 0x010001
(65537)
issuerUId 1 IMPLICIT BIT STRING
OPTIONAL NOT PRESENT
subjectUId 2 IMPLICIT BIT STRING
OPTIONAL NOT PRESENT
extensions 3 SEQUENCE OF
OPTIONAL NOT PRESENT
signatureAlgorithm SEQUENCE (13)
algorithm OBJECT IDENTIFIER (9)
pkcs1-md5WithRSAEncryption
parameters TYPE (2) with
NULL (0)

32
EDIFACT CERTIFICATE CONTENTS AND CODIFICATION (II)

0504. me...Ti
111200
USA (v3) SECURITY ALGORITHM
S502 SECURITY ALGORITHM
0523....Use of algorithm, coded
3
0527....Algorithm, coded
10
USA (v3) SECURITY ALGORITHM
S502 SECURITY ALGORITHM
0523....Use of algorithm, coded
4
0527....Algorithm, coded
6
USA (v3) SECURITY ALGORITHM
S502 SECURITY ALGORITHM
0523....Use of algorithm, coded
7

USC (v3) CERTIFICATE SEGMENT
0536....CERTIFICATE REFERENCE
1
S500 SECURITY IDENTIFICATION DETAILS
0577....Security party qualifier
3
0586....Security party name
1234RegSchemeID561 OUorganisationa
0586....Security party name
l unit name, CNlong DN for the sub
0586....Security party name
ject (Part 1) 0000000001
S500 SECURITY IDENTIFICATION DETAILS
0577....Security party qualifier
4
0586....Security party name
DEDICAName
0544....FORMAT CERTIFICATE VERSION
XXY

33
X.509 INITIAL CERTIFICATE (III) EXTENSIONS

SEQUENCE (424)
toBeSigned SEQUENCE (403)
version 0 INTEGER (1) 0x02
(2)
serialNumber INTEGER (2) 0x04D2
(1234)
signature SEQUENCE (13)
algorithm OBJECT IDENTIFIER (9)
pkcs1-md5WithRSAEncryption
parameters TYPE (2) with
NULL (0)
issuer SEQUENCE OF (49) RDN
OCARoot, OCASP, OCA_UPC
validity SEQUENCE (30)
notBefore UTCTime (13) "961218111200Z"
notAfter UTCTime (13) "971218111200Z"
subject SEQUENCE OF (44) RDN
Ces, Oupc, CNmedina

extensions 3 SEQUENCE OF (84)
extension SEQUENCE (14)
extnId OBJECT IDENTIFIER (3)
id-ce-keyUsage
critical BOOLEAN (1) TRUE
extnValue OCTET STRING (4) Encapsulates
TYPE (4) with
BIT STRING (2) 07 80
extension SEQUENCE (30)
extnId OBJECT IDENTIFIER (3)
id-ce-subjectKeyIdentifier
critical BOOLEAN (1) TRUE
extnValue OCTET STRING (20)
Encapsulates
TYPE (20) with
OCTET STRING (18) "Manel Medina Key
1"

34
EDIFACT CERTIFICATE CONTENTS AND CODIFICATION
(III)

USC (v3) CERTIFICATE SEGMENT
0536....CERTIFICATE REFERENCE
1
S500 SECURITY IDENTIFICATION DETAILS
0577....Security party qualifier
3
0538....Key name
Manel Medina Key 1
0586....Security party name
EDI Manel Medina
S500 SECURITY IDENTIFICATION DETAILS
0577....Security party qualifier
4
0586....Security party name
DEDICAName
0544....FORMAT CERTIFICATE VERSION
XXY
0505....FILTER FUNCTION, CODED
5

USA (v3) SECURITY ALGORITHM
S502 SECURITY ALGORITHM
0523....Use of algorithm, coded
3
0527....Algorithm, coded
10
USA (v3) SECURITY ALGORITHM
S502 SECURITY ALGORITHM
0523....Use of algorithm, coded
4
0527....Algorithm, coded
6
USA (v3) SECURITY ALGORITHM
S502 SECURITY ALGORITHM
0523....Use of algorithm, coded
6
0527....Algorithm, coded
10
S503_V3 ALGORITHM PARAMETER

USC13Manel Medina Key 1EDI Manel
Medina4DEDICANameXXY522319961218
111200419971218111200'USA310' USA4
6'USA61004J61TB/WLH,PH/D38MYV-1M5BSJO3A
8XH8TSLRM)QJDMAE/X3PAI.QJQUBQG94H08HTE)0TQKK7XU,U
DKT5- FRLTWCG0NCVQLYIV7/2KCZ50T0Y168B)G081X07O55OR
GRB.5G64/W0.STPQ(AOLRHNZAS2ZH-93XTTOCSAYCW8)9TVZS
//0.S81Q9UI2P12 05/0113102414'USRF93IFAG3.
94T8GIFH13O.INHVT/BPC8KIO3XN77LHHL4L214LOVYO83ZU.
86010Z6WL96O8G.1I004NSVWJR29U(L6JIUL /3J8HWYD7HIW
0C0RP1E4S52ZFDOHJO3J66/92.BT8,PIR1D5Z425T48E,51EP3
7I.M3FP2P1PB3CA4M(VU(,6OV8FHAG/YLY'
35
DELIVERABLES LIST