Openhouse session Mauritian PKI - PowerPoint PPT Presentation

Description:

INFORMATION AND COMMUNICATION TECHNOLOGIES (ICT) AUTHORITY OF MAURITIUS ... Anonymous surfing was enough. No need for identity ... – PowerPoint PPT presentation

Slides: 57
Provided by: certifi

1
Open-house session Mauritian PKI
  • for e-services

2
Public Key Infrastructure Open House organised by
the ICT Authority
  • Part I
  • Legal framework
  • Setting the scene
  • The security infrastructure
  • What is PKI?
  • Part II
  • Power of Digital signatures
  • How does the system work?
  • What do I need?
  • What is a Digital key?
  • What can I do with my key? And how?
  • Part III
  • Mauritian PKI model
  • Part IV
  • PKI-based applications
  • Sessions summary

3
Session I
  • Starting premises
  • Electronic Transaction Act 2000 (ETA)
  • ICT Act 2001
  • Setting the scene
  • PKI concepts
  • Defining PKI

4
Overview of the Electronic Transaction Act 2000
(ETA)
  • In the non-electronic environment, the document
    is the record of the parties' agreement
  • The signature is the stamp of a person's identity
    and marks his intention to commit himself
  • However, in the electronic environment, there is
    neither paper, pen nor ink, not to mention the
    fact that parties may not even meet each other
  • How can these parties write a signature on
    something that is neither physical nor tangible?

5
  • The solution is to use an electronic signature on
    an electronic record
  • Like written signatures, electronic signatures
    can be used to establish the identity of the
    person who signed the document
  • More importantly, a special form of electronic
    signature such as a digital signature is used to
    guarantee that the signed electronic document
    has not been altered or tampered with
  • The Act gives legal recognition to electronic and
    digital signatures

6
  • "electronic signature" means an electronic sound,
    symbol, or process attached to or logically
    associated with an electronic record and executed
    or adopted by a person with the intent to sign
    the electronic record.
  • "digital signature" -
  • (a) means an electronic signature
    consisting of a transformation of an electronic
    record using an asymmetric cryptosystem such that
    a person having the initial untransformed
    electronic record and the signer's public key can
    accurately be determined
  • (i) whether the transformation was
    created using the private key that
    corresponds to the signer's public key and
  • (ii) whether the initial electronic
    record has been altered since the transformation
    was made and
  • (b) includes voice recognition features,
    digital fingerprinting or such other biotechnology
    features or process, as may be prescribed

7
  • It also establishes the legal framework that will
    provide for the setting up of a Public Key
    Infrastructure
  • It gives legal sanction for records, files or
    documents that are retained in electronic form
  • It also enables public institutions to accept
    electronic filing, creation and retention of
    documents, to issue permits, licenses or approvals
    electronically and to provide for electronic
    payment

8
  • Overall
  • The ETA act brings the law up to date with
    technological developments
  • It puts in place legal standards for the use of
    electronic transactions, both in the public and
    the private sector,
  • It provides the legal framework for bringing in
    the crucial element of TRUST in electronic
    transactions!

9
  • ICT Act 2001
  • Under section 18 (1) (z) of the ICT Act 2001 the
    ICT Authority is to act as the Controller of
    Certification Authorities
  • Implications
  • ICT Authority is responsible for
  • Licensing of Certifying Authorities (CAs) and
    establishment of PKI
  • Certification of the public keys of the CAs
  • laying down the standards to be maintained by the
    CAs
  • performing several other functions to regulate
    the functioning of CAs

10
Objective
  • PKI made simple!
  • Setting the scene
  • The changing face of the Internet
  • Security trends
  • Next Security Trend baseline is Simplicity
  • The concept of an infrastructure
  • The Security infrastructure

11
Setting the scene
  • With the Internet, a new communication model has
    been established.
  • E-Business uses the Internet to get over the
    constraints of time or geographical barriers for
    better productivity
  • It encompasses e-commerce, e-government and any
    other online application sector.
  • However, the primary concern in establishing and
    participating in e-business is the lack of trust
    due to related risks

12
The changing face of the Internet
  • Not that many years ago, the Web was little more
    than a library.
  • Anonymous surfing was enough. No need for
    identity
  • After a while, goods and services were described,
    along with some contact information so that you
    could order the items. This led to ordering and
    paying online
  • With the use of credit cards online, there
    was a need for security. However, identity was
    still unimportant: so long as the merchant had a
    credit card number and somewhere to send the
    goods, the merchant got its money.

13
The changing face of the Internet
  • These days, there is still plenty of shopping
    available on the Web, but the service side is
    growing tremendously.
  • Example: online banking instead of a personal
    visit to the bank.
  • Identity is becoming increasingly important
  • for accountability
  • for access and manipulation of very personal
    information about you that resides at some server
    site.

14
... but in e-transactions, it is important to know
if you are dealing with a dog
15
The changing face of the Internet
  • Identification through the Secure Sockets Layer
    (SSL) protocol with server-end authentication
    creates an encrypted channel of communication
  • SSL: once the protected channel is established,
    a person can send a username and password over
    the channel to authenticate herself.
  • Weaknesses of SSL: passwords are weak. Servers
    are left with no evidence of the occurrence of
    any transaction (because the password used to
    authenticate all communications is known at the
    server side).
  • Risky foundation upon which to build a service
    business that deals with financial or other
    highly personal customer data.

16
Security Trends
  • Until recently, information security was a matter
    of protecting access to data.
  • The Internet is an open network, and its use
    brings inherent new security vulnerabilities.
  • The Internet as a basis for e-business has
    shifted this security model.
  • Today, it is more about how to maximise access
    to the right people

17
Next Security Trend - Simplicity
  • Security challenges are becoming tougher, so that
    the complexity of the solutions is increasing.
  • However, to reach mass deployment, security
    solutions must be simple.
  • Therefore, these solutions, even though complex,
    should be wrapped up in such a way that they are
    transparent to users
  • A proper security infrastructure needs to be
    designed to attend to these vulnerabilities.

18
  • The concept of an
    infrastructure
  • In order to understand this concept, let's look
    at a familiar infrastructure, which is the
  • Electric power infrastructure
  • This infrastructure enables equipment to get
    voltage and current needed for operation
  • It exists so that one can simply tap onto it
    and use it when needed

19
  • Security
    Infrastructure
  • Similarly, an infrastructure for security
    purposes must apply the same principle and offer
    the same benefits.
  • How it does this need not be known by the users
  • But that it does this consistently and correctly
    is essential
  • The entry points into the security
    infrastructure must be convenient and accessible,
    like the power socket in the wall.
  • This approach will provide us with a
    comprehensive set of integrated security solutions.

20
In short
  • In the physical world, responsibility to mitigate
    risks is well understood
  • Infrastructure, in the forms of legal, financial
    and physical controls, has been developed to do
    so.
  • What do we want to achieve?
  • To be able to sustain the same level of risk
    management for e-business in the cyber
    environment.
  • For this to happen, a new security infrastructure
    and trust model must be established.

21
Security in the paper world
In electronic commerce, security covers four
separate things that we usually take for granted
in paper transactions.
22
Security in the paper world
Authenticity: assurance of a letter's source. If on
company letterhead, most take authenticity for granted.
  • Authenticity
  • Integrity
  • Non-repudiation
  • Confidentiality
23
Security in the paper world
Integrity: assurance that a letter is unaltered since
it was sent. Paper is tamper-evident, so most take
integrity for granted.
24
Security in the paper world
Non-repudiation: the originator's inability to
deny having sent it. A signature is usually
sufficient for this purpose.
25
Security in the paper world
Confidentiality: the inability of anyone other than
the sender and addressee to read it. Confidentiality is
usually assumed if it is sealed in a
tamper-evident envelope.
26
Public key cryptography
  • Each party is assigned a pair of keys
  • private: known only by the owner
  • public: known by everyone
  • Information encrypted with the private key can
    only be decrypted by the corresponding public key,
    and vice versa
  • Fulfils requirements of confidentiality,
    integrity, authenticity and non-repudiation
  • No need to communicate private keys

27
Encryption Technologies: Symmetric Key Cryptography
[Diagram: Document to be sent → Encoded Document → Encoded Document → Received Document, with a symmetric key at each end]
  • Identical keys are used for encryption and
    decryption.
  • Requires both parties to communicate with each
    other in order to know the key


28
Asymmetric Encryption
[Diagram: clear-text input ("An intro to PKI and few deploy hints") → RSA encryption → cipher-text → RSA decryption → clear-text output ("An intro to PKI and few deploy hints"); different keys are used for encryption and decryption]
29
Example: Confidentiality
[Diagram: clear-text input → encryption with the recipient's public key → cipher-text → decryption with the recipient's private key → clear-text output; different keys]
30
Example: Authenticity
[Diagram: clear-text input → encryption → cipher-text → decryption → clear-text output; different keys]
31
Public key encryption system
  • Example: RSA
  • Advantages
  • No secret sharing risk
  • Provides authentication, non-repudiation
  • Infeasible to determine one key from the other
  • Disadvantages
  • Computationally intense (in software, DES is at
    least 100 times faster than RSA)
  • Requires authentication of public keys

32
Creating a Digital Signature
[Diagram: Message or File ("This is the document created by Bob") → Generate Hash (SHA, MD5) → Message Digest (typically 128 bits) → Asymmetric Encryption (RSA) with the signatory's private key → Digital Signature]
  • Calculate a short message digest from even a long
    input using a one-way message digest function
    (hash). It is a check that protects data against
    most modifications
33
Verifying a Digital Signature
RSA
34
Digital Signature
  • Guarantees
  • Integrity of document: a one-bit change in the
    document changes the digest
  • Authentication of sender: the signer's public key
    decrypts the digest sent, and the decrypted digest
    matches the computed digest
  • Non-repudiation: only the signer's private key can
    encrypt a digest that is decrypted by his/her
    public key and matches the computed digest.
    Non-repudiation prevents reneging on an agreement
    by denying a transaction.
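
The sign and verify steps from the last three slides, as an added example that is not part of the original presentation. It uses RSA with SHA-256 from the Go standard library (instead of the MD5 or SHA digests named on the slide); the key pairs and the `Demo` helper are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign computes the message digest and transforms it with the signer's private key.
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify recomputes the digest from the received document and checks it
// against the signature using only the signer's public key.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo signs a constructed document as Bob and verifies it three ways:
// unchanged, with one bit flipped, and against an unrelated public key.
func Demo() (genuine, altered, wrongKey bool, err error) {
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	if err != nil {
		return
	}
	doc := []byte("This is the document created by Bob")
	sig, err := Sign(bob, doc)
	if err != nil {
		return
	}
	flipped := append([]byte(nil), doc...)
	flipped[0] ^= 0x01 // change a single bit of the document
	genuine = Verify(&bob.PublicKey, doc, sig)
	altered = Verify(&bob.PublicKey, flipped, sig)
	wrongKey = Verify(&other.PublicKey, doc, sig)
	return
}

func main() {
	fmt.Println(Demo())
}
```

Only the first check succeeds: the altered document fails the integrity guarantee, and the unrelated public key fails the authentication guarantee.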

35
How can we Enhance trust?
  • Confidentiality → Encryption
  • Who am I dealing with? → Authentication
  • Message integrity → Message Digest
  • Non-repudiation → Digital Signature
  • Third party evidence of authenticity →
    Certificate
  • Trusted certificate → Certification Authorities

36
How to achieve risk management in the cyber
environment?
  • Based on the use of Digital Signature which has
    already been defined in the Electronic
    Transaction Act 2000
  • More secure and powerful than a handwritten
    signature
  • Based on the generation and use of a key pair,
    in terms of
  • Private key: used for making the digital signature
  • Public key: used to verify the digital signature
  • Public key: known to everyone. Private key: known
    only to the owner

37
Why do we need PKI?
  • However, the generation of private-public key
    pair is not enough for the comprehensive use of
    public key cryptography
  • To use these keys, a system (PKI) is needed for
    managing the keys
  • The PKI is needed to define
  • how to distribute the public keys
  • How to pair the public key to a particular user,
    possessing the private key

38
What is PKI?
  • A Public Key Infrastructure (PKI) is a mechanism
    to support the binding of public keys with the
    user's identity.
  • A PKI provides the entire policy and technical
    framework for the issuance, management and
    revocation of digital certificates, that users
    can trust
  • This same infrastructure provides the basis for
    interoperability among different agencies, so
    that a person's digital certificate is accepted
    by organisations external to the one that issued
    it

39
  • The responsibility of the security infrastructure
    is to deliver the trusted services. We now need
    to answer the following questions:
  • How is the entity's identity established in the
    first place?
  • Who binds the identity of the public key to the
    individual?
  • How do I know if an individual's private key has
    been compromised?
  • Most of these questions go back to the basic
    business need for trust
  • To build trust, the Public Key Infrastructure
    centers on the following main components
  • Controller Certification Authority
  • Certification Authority
  • Registration Authority

40
Controller of Certification Authorities
  • The End entities of the CCA will be the Licensed
    CAs in Mauritius.
  • A CA wishing to get licensed will have to meet
    stringent licensing criteria in various aspects,
    including financial soundness, personnel
    integrity, strict security controls and
    procedures.
  • Only CAs that meet the high integrity and
    security standards set up by the Controller will
    be licensed.
  • Subscribers using the certificates issued by a CA
    need to be assured that the CA is licensed by the
    CCA.

41
Certifying Authority
  • An organisation which issues public key
    certificates.
  • Must be widely known and trusted
  • Must have well defined methods of assuring the
    identity of the parties to whom it issues
    certificates.
  • Must confirm the attribution of a public key to
    an identified physical person by means of a
    public key certificate
  • Always maintains online access to the public key
    certificates issued.

42
Registration Authority (RA)
  • RA can be used to offload many of the
    administrative functions from the CA, including
    end-user registration

43
  • Mauritian PKI model

44
PKI operational framework
1. Users apply for certification
2. RA verifies identity
3. RA requests certificate for user
4. CA issues certificates
5. CA publishes certificates and CRLs
6. Apps and other systems use certificates
[Diagram entities: Client, Registration Authority, Certificate Authority, Repository, App or other entity]
45
Handling Certificates
  • Certificates are safe to store
  • No need to protect them too much, as they are
    digitally signed
  • Private keys that match the public key are
    strictly confidential
  • Losing the private key means losing the identity
  • Must be very well protected
  • Use protected storage like a smartcard
    that will have crypto functionality on board or
    an i-Key enhanced with biometrics protection

46
Certificate Revocation List (CRL)
  • Private keys can get compromised, as a fact of
    life
  • Your CA issues a certificate revocation
    certificate and you do everything you can to let
    the world know that you issued it
  • Certificate Revocation Lists (CRL) are used
  • They require that the process of cert validation
    actively checks the CRL and keeps it up to date
  • This explains why
  • Every certificate has an expiration date
  • short expiration policies are important
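
The relying party's side of the CRL check described on this slide, as an added example that is not part of the original presentation, written against the Go standard library (Go 1.21 or later). The CA name, the serial numbers 1001 and 1002 and the Ed25519 key are constructed for the demo, and chain validation of the certificate itself is assumed to have been done separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckRevocation is the relying party's CRL step (chain validation is assumed done).
func CheckRevocation(serial *big.Int, ca *x509.Certificate, crl *x509.RevocationList) error {
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL expired at %v, fetch the current one", crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(serial) == 0 {
			return fmt.Errorf("certificate %v was revoked at %v", serial, e.RevocationTime)
		}
	}
	return nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Demo builds a constructed CA that revokes serial 1002, then runs three checks.
func Demo() (good, revoked, stale error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: time.Now().Add(48 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	check(err)
	ca, err := x509.ParseCertificate(der)
	check(err)
	publish := func(issued time.Time) *x509.RevocationList { // each CRL is valid for one hour
		entries := []x509.RevocationListEntry{{SerialNumber: big.NewInt(1002), RevocationTime: issued}}
		der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
			ThisUpdate: issued, NextUpdate: issued.Add(time.Hour), RevokedCertificateEntries: entries}, ca, key)
		check(err)
		crl, err := x509.ParseRevocationList(der)
		check(err)
		return crl
	}
	fresh, old := publish(time.Now()), publish(time.Now().Add(-24*time.Hour))
	return CheckRevocation(big.NewInt(1001), ca, fresh), CheckRevocation(big.NewInt(1002), ca, fresh),
		CheckRevocation(big.NewInt(1001), ca, old)
}

func main() { fmt.Println(Demo()) }
```

The third check fails even though serial 1001 was never revoked: a CRL past its next-update time cannot be used to clear a certificate, which is why validation has to keep the list current.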

47
Certification Authority
  • The public key is issued and managed by CAs.
  • Because users of PKI rely on CAs to provide
    accurate subscriber information via digital
    certificates, section 24 of the ETA Act imposes a
    duty on a CA to use trustworthy systems when
    performing its services
  • This refers to all aspects of its services
    related to the issuance, renewal, suspension and
    revocation of a certificate
  • A trustworthy system refers to a system
  • comprising hardware, software and procedures
    that are reasonably secure from intrusion and
    misuse,
  • that provide a reasonable level of availability,
    reliability and correct operation

48
Controller of Certification Authorities
  • Just as in the case of the CA, the CCA is also
    required to have a trustworthy system
  • Under section 37 of the ETA act
  • The CCA is responsible for licensing, monitoring,
    and overseeing the activities of all CAs
  • In turn, the CCA is required to maintain a public
    database containing a CA disclosure record for
    each CA that it licenses, setting out the
    particulars of the licensed CA
  • Publicly accessible database and housing
  • Reinforced walls for room housing NRCA
  • 24-hour surveillance through CCTV
  • Access controls through proximity cards and
    biometric readers
  • Physical security including locks
  • Security personnel

49
Cost of Setting up Infrastructure
  • Root CA Rs 30 Million
  • CA Rs 60 Million
  • RA Rs 3 million

50
Recognition of foreign CAs
  • To ensure that the local PKI is able to interact
    with a PKI set up overseas, so that subscribers
    of the local PKI can rely and act upon digital
    signatures and certificates
  • Section 50 (2) (n) of the ETA Act empowers the
    Minister to make regulations to allow the CCA to
    recognise foreign CAs outside Mauritius as long
    as they satisfy the requirements

51
Mauritian PKI characteristics
  • Design of a cost-effective PKI model in view of
    relatively low volume of certificates to be
    issued initially
  • Low initial capital investment (divided by 10)
  • Operation within legal and regulatory framework
    of Govt. of Mauritius
  • Global acceptance of Mauritian PKI

52
MODELS
  • Own the infrastructure
  • Use of Infrastructure already available globally
  • A combination of these two

54
  • THANK YOU!

55
Summary
  • Changing trends in business
  • Reliance on the Internet for business
  • Enforcement of security in the cyber world
  • PKI as a security infrastructure
  • The Mauritian PKI model
  • PKI-based Applications

56
  • QUESTIONS?