Information security - PowerPoint PPT Presentation
1
Information security
  • An introduction to technology and law, with a
    focus on e-signature, encryption and third-party
    services
  • Yue Liu
  • Feb. 2008

2
What ?
  • Understanding information security
  • Electronic signature and encryption
  • Trusted third party (CSP)

3
Information security
  • General technical definition
  • Information security is a state of affairs where
    information, information processing and
    communication are protected against threats to the
    confidentiality, integrity and availability of
    information and information processing. In the
    context of information networks this also covers
    reliable identification and authentication.

4
Information security
  • Legal definition
  • The obligation to take adequate measures for the
    purpose of safeguarding the state of affairs
    corresponding to the required level of security,
    and notably the protection of rights related to
    informational assets

5
Information security
  • Trust
  • The basic elements of information security
  • Confidentiality
  • Integrity
  • Availability

6
Information security provisions in current law
  • OECD Recommendations
  • E-commerce and E-signature
  • Privacy regulations
  • Telecommunications
  • Electronic administration
  • Public access to information laws
  • Penal law concerning computer crime and misuse
  • Critical infrastructure protection

7
Electronic signature
  • Time frame: Jan 19, 2000; July 19, 2001; March 15,
    2006
  • Underlying principles:
  • Technology neutrality
  • Non-discrimination
  • Party autonomy / contractual freedom
  • No harmonization of national civil law

8
Electronic signature
  • Definition
  • Electronic signature: data in electronic form
    which are attached to or logically associated
    with other electronic data and which serve as a
    method of authentication
  • (Directive 99/93/EC)
  • Advanced electronic signature: any electronic
    signature which meets the following requirements:
    uniquely linked to the signatory, capable of
    identifying the signatory, created under the
    signatory's sole control, any subsequent change
    detectable


9
Electronic signature
  • Form conditions
  • Qualified certificate (QC, annex I); CSP (annex II);
    secure signature creation device (annex III)

10
Electronic signature
  • Legal effects of the e-signature: article 5 of the
    Directive
  • Art 5(2) non-discrimination: a signature may not be
    denied effect solely because it is in electronic
    form, not certified, not certified by an accredited
    CSP (certification service provider), or not
    created by a secure signature creation device
  • Art 5(1) qualified advanced e-signature: the same
    validity in transactions as a handwritten
    signature, and admissibility as evidence in court

11
Electronic signature
  • Cryptography basis
  • The conversion of data into a secret code for
    transmission over a public network.
  • Encrypt: convert plaintext into ciphertext
  • Decrypt: convert ciphertext into plaintext
  • Symmetric key encryption (secret key)
  • Asymmetric key encryption (public key)

12
Electronic signature
13
Electronic signature
  • Public key encryption (PKE) in detail
  • Problems of PKE:
  • More computationally intensive
  • Large amounts of encrypted data are vulnerable to
    hacking
  • Solution: hashing of the data message, so that only
    the fixed-size hash is signed

14
Electronic signature
  • Digital signature 1

15
Electronic signature
  • Digital signature 2

16
Electronic signature
  • Problems with digital signatures
  • Trustworthy linkage between a public key and the
    real-world identity of the accountable person
  • Secure distribution of public keys over open
    networks
  • Integrity?
  • Solution: public key infrastructure (PKI)

17
Electronic signature
  • PKI Process Flow
  • Step 1. Subscriber applies to Certification
    Authority for Digital Certificate
  • Step 2. CA verifies identity of Subscriber and
    issues Digital Certificate.
  • Step 3. CA publishes Certificate to Repository.
  • Step 4. Subscriber digitally signs electronic
    message with Private Key to ensure Sender
    Authenticity, Message Integrity and
    Non-Repudiation and sends to Relying Party.
  • Step 5. Relying Party receives message, verifies
    Digital Signature with Subscriber's Public Key,
    and goes to Repository to check status and
    validity of Subscriber's Certificate.
  • Step 6. Repository returns results of status check
    on Subscriber's Certificate to Relying Party.
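The six steps above, together with the hash-then-sign idea from slide 13, as an added example that is not part of the original presentation: it models the flow with textbook RSA on tiny fixed primes (insecure, standard library only; real deployments use 2048-bit or larger keys, signature padding and X.509 certificates), and the names CertificationAuthority, relying_party_accepts, the in-memory repository and all sample values are constructed for this illustration.

```python
# Educational model of hash-then-sign and the six-step PKI flow (added example, not from the slides).
# Textbook RSA with tiny fixed primes; no padding, no X.509. Not for real use.
import hashlib

def keygen(p: int, q: int, e: int = 65537):
    """Return (public, private) = ((n, e), (n, d)) from two primes (textbook RSA)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

def digest(msg: bytes, n: int) -> int:
    """Slide 13's answer to slow public-key operations: sign a fixed-size hash, not the message."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def cert_bytes(subject: str, pub) -> bytes:
    """What the CA actually signs: the binding of a real-world name to a public key."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

class CertificationAuthority:
    """Steps 2 and 3: identity verified out of band, certificate issued and published."""
    def __init__(self, key_pair):
        self.pub, self._priv = key_pair
        self.repository = {}  # constructed in-memory repository: serial -> status

    def issue(self, subject: str, subscriber_pub) -> dict:
        serial = len(self.repository) + 1
        cert = {"serial": serial, "subject": subject, "pub": subscriber_pub,
                "ca_sig": sign(self._priv, cert_bytes(subject, subscriber_pub))}
        self.repository[serial] = "good"  # Step 3: publish to the repository
        return cert

    def revoke(self, serial: int) -> None:
        self.repository[serial] = "revoked"

    def status(self, serial: int) -> str:  # Step 6: repository answers the status query
        return self.repository.get(serial, "unknown")

def relying_party_accepts(ca: CertificationAuthority, cert: dict, msg: bytes, sig: int) -> bool:
    """Step 5: signature, certificate binding and certificate status must all check out."""
    sig_ok = verify(cert["pub"], msg, sig)  # signed by the certified key?
    cert_ok = verify(ca.pub, cert_bytes(cert["subject"], cert["pub"]), cert["ca_sig"])  # CA vouches?
    return sig_ok and cert_ok and ca.status(cert["serial"]) == "good"  # still valid?
```

A relying party that skips any one of the three checks accepts either a forged message, a key bound to the wrong name, or a revoked certificate.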

18
Electronic signature
19
Electronic signature
  • Agenda
  • The legality issues
  • The technical answers
  • The liability issues
  • UNCITRAL e-sign Model Law, EU e-sign Directive

20
UNCITRAL e-sign ML
  • E-sign ML: liability concept
  • [Diagram: CA, signatory and relying party]
  • Reasonable allocation of responsibilities in
    accordance with domains under the specific
    control of PKI participants
21
UNCITRAL e-sign ML
  • Approach
  • Soft law
  • Technology neutrality
  • Comprehensive
  • Responsibility of the signatory (art 8)
  • Responsibility of the relying party (art 11)
  • Responsibility of the CSP (art 9, 10)

22
EU e-sign Directive
  • Approach
  • Hard law
  • Technology neutrality
  • Liability rules

  • [Diagram: CA's liability]
23
EU e-sign Directive
  • Minimum liability for CA (art 6)
  • Accuracy
  • Completeness
  • The signatory identified in the qualified
    certificate held the private key corresponding to
    the public key identified in the certificate
  • The private key and the public key can be used in
    a complementary manner if the CSP guarantees them
    both
  • Principle of negligence
  • Reversed burden of proof
  • Excuses and limitations
  • Proves he has not acted negligently
  • Exceeds intended use
  • Exceeds intended value of transaction

24
Electronic signature
  • Market access
  • No prior authorization (art 3.1)
  • Voluntary accreditation (art 3.2)

25
EU e-sign Directive
  • Other provisions
  • Data protection issues (art 8)
  • International aspects (art 7)
  • Committee (art 9, 10)
  • Notification (art 11)
  • Review (art 12)

26
Encryption
  • Export control measures
  • Wassenaar Arrangement
  • EU dual-use regulation of Dec. 1994
  • Domestic control measures
  • Key escrow and key recovery systems
  • Privacy considerations

27
  • Additional links
  • http://www.verisign.com
  • http://www.ulapland.fi/home/oiffi/julkaisut/ISLCommentary_pdf.pdf
  • Thank you for your attention!