Openhouse session Mauritian PKI - PowerPoint PPT Presentation

1 / 56
About This Presentation
Title:

Openhouse session Mauritian PKI

Description:

INFORMATION AND COMMUNICATION TECHNOLOGIES (ICT) AUTHORTITY OF MAURITIUS ... Anonymous surfing was enough. No need for identity ... – PowerPoint PPT presentation

Number of Views:80
Avg rating:3.0/5.0
Slides: 57
Provided by: certifi
Category:

less

Transcript and Presenter's Notes

Title: Openhouse session Mauritian PKI


1
Open-house session Mauritian PKI
  • for e-services

2
Public Key InfrastructureOpen Houseorganised by
the ICT Authority
  • Part I
  • Legal framework
  • Setting the scene
  • The security infrastructure
  • What is PKI?
  • Part II
  • Power of Digital signatures
  • How does the system work?
  • What do I need?
  • What is a Digital key?
  • What can I do with my key? And how?
  • Part III
  • Mauritian PKI model
  • Part IV
  • PKI-based applications
  • Sessions summary

3
Session I
  • Starting premises
  • Electronic Transaction Act 2000 (ETA)
  • ICT Act 2001
  • Setting the scene
  • PKI concepts
  • Defining PKI

4
Overview of the Electronic Transaction Act 2000
(ETA)
  • In the nonelectronic environment, the document
    is the record of the parties agreement
  • The signature is the stamp of a persons identity
    and marks his intention to commit himself
  • However, in the electronic environment, there is
    neither paper, pen nor ink , not to mention the
    fact that parties may not even meet each other
  • How can these parties write a signature on
    something that is neither physical nor tangible?

5
  • The solution is to use an electronic signature on
    an electronic record
  • Like written signatures, electronic signatures
    can be used to establish the identity of the
    person who signed the document
  • More importantly, a special form of electronic
    signature such as a digital signature is used to
    guarantee that the signed electronic document
    has not been altered or tampered with
  • The Act gives legal recognition to electronic and
    digital signatures

6
  • "electronic signature" means an electronic sound,
    symbol, or process attached to or logically
    associated with an electronic record and executed
    or adopted by a person with the intent to sign
    the electronic record.
  • "digital signature" -
  • (a) means an electronic signature
    consisting of a transformation of an electronic
    record using an asymmetric cryptosystem such that
    a person having the initial untransformed
    electronic record and the signer's public key can
    accurately be determined
  • (i) whether the transformation was
    created using the private key that
    corresponds to the signer's public key and
  • (ii) whether the initial electronic
    record has been altered since the transformation
    was made and
  • (b) includes voice recognition features,
    digital fingerprinting or suchother biotechnology
    features or process, as may be prescribed

7
  • It also establishes the legal framework that will
    provide for the setting up of a Public Key
    Infrastructure
  • It gives legal sanction for records, files or
    documents that are retained in electronic form
  • It also enables public institutions to accept
    electronic filing, creation and retention of
    documents, to permits, licenses or approvals
    electronically and to provide for electronic
    payment

8
  • On the overall
  • The ETA act brings the law up to date with
    technological developments
  • It puts in place legal standards for the use of
    electronic transactions, both in the public and
    the private sector,
  • It provides the legal framework for bringing in
    the crucial element of TRUST in electronic
    transactions!

9
  • ICT Act 2001
  • Under section 18 (1) (z) of the ICT Act 2001 the
    ICT Authority is to act as the Controller of
    Certification Authorities
  • Implications
  • ICT Authority is responsible for
  • Licensing of Certifying Authorities (CAs) and
    establishment of PKI
  • Certification of the public keys of the CAs
  • laying down the standards to be maintained by the
    CAs
  • performing several other functions to regulate
    the functioning of CAs

10
Objective
  • PKI made simple!
  • Setting the scene
  • The changing face of the Internet
  • Security trends
  • Next Security Trend baseline is Simplicity
  • The concept of an infrastructure
  • The Security infrastructure

11
Setting the scene
  • With the Internet, a new communication model has
    been established.
  • E-Business uses the Internet to get over the
    constraints of time or geographical barriers for
    better productivity
  • It encompasses e-commerce, e-government and any
    other online application sector.
  • However, the primary concerns in establishing and
    participating in e-business is the lack of trust
    due to related risks

12
The changing face of the Internet
  • Not that many years ago, the Web was little more
    than a library.
  • Anonymous surfing was enough. No need for
    identity
  • After a while, goods and services were described,
    along with
  • some contact information so that you could order
    the items. This
  • led to ordering and paying online
  • With the use of credit card online, there
    was a need for security. However, identity was
    still unimportant so long the merchant had a
    credit card number and somewhere to send the
    goods, the merchant got its money.

13
The changing face of the Internet
  • These days, there is still plenty of shopping
    available on the Web, but the service side is
    growing tremendously.
  • Example online banking instead of a personal
    visit to the bank.
  • Identity is becoming increasingly important
  • for accountability
  • for access and manipulation of very personal
    information about you that resides at some server
    site.

14
but in e-transactions, it is important to Know
if you are dealing with a dog
15
The changing face of
the Internet Identification through the Secure
Sockets Layer (SSL) protocol with server-end
authentication creates an encrypted channel of
communication SSL once the protected channel
is established, a person can send a username and
password over the channel to authenticate
herself. Weaknesses of SSL passwords are
weak. Servers are left with no evidence of the
occurrence of any transaction (because the
password used to authenticate all communications
is known at the server side). Risky foundation
upon which to build a service business that deals
with financial or other highly personal customer
data.  
16
Security Trends
  • Until recently, information security was a matter
    of protecting access to data.
  • With the use of the Internet which is an open
    network, new security vulnerabilities are
    inherent to it.
  • Internet as a basis for e-business has moved this
    security model.
  • Today, it is more about how to maximise access
    to the right people

17
Next Security Trend - Simplicity
  • Security challenges are becoming tougher, so that
    the complexity of the solutions is increasing.
  • However, to reach mass deployment, security
    solutions must be simple.
  • Therefore, these solutions, even though complex,
    should be wrapped up in such a way that they are
    transparent to users
  • A proper security infrastructure need to be
    designed to attend to these vulnerabilities.

18
  • The concept of an
    infrastructure
  • In order to understand this concept, lets see a
    familiar infrastructure which is the
  • Electric power infrastructure
  • This infrastructure enables equipment to get
    voltage and current needed for operation
  • It exists so that one can simply tap onto it
    and use it when needed

19
  • Security
    Infrastructure
  • Similarly, an infrastructure for security
    purposes must apply the same principle and offer
    the same benefits.
  • How it does this need not be known by the users
  • But that it does this consistently and correctly
    is essential
  • The entry points into the security
    infrastructure must be convenient and accessible,
    like the power socket in the wall.
  • This approach will provide us with a
    comprehensive set of integrated security solution.

20
In short
  • In the physical world, responsibility to mitigate
    risks is well understood
  • Infrastructure, in the forms of legal, financial
    and physical controls, has been developed to do
    so.
  • What do we want to achieve?
  • To be able to sustain the same level of risk
    management for e-business in the cyber
    environment.
  • For this to happen, a new security infrastructure
    and trust model must be established.

21
Security in the paper world
In electronic commerce, security covers four
separate things that we usually take for granted
in paper transactions.
22
Security in the paper world
Authenticity Assurance of a letters
source. If on company letterhead, most take
authenticity for granted.
Authenticity
Integrity
Non-repudiation
Confidentiality
23
Security in the paper world
Integrity Assurance a letter is unaltered since
sent. Paper is tamper-evident, so most take
integrity for granted.
Authenticity
Integrity
Non-repudiation
Confidentiality
24
Security in the paper world
Non-repudiation the originators inability to
deny having sent it. A signature is usually
sufficient for this purpose.
Authenticity
Integrity
Non-repudiation
Confidentiality
25
Security in the paper world
Confidentiality The inability to read it other
than the sender and addressee. Confidentiality is
usually assumed if it is sealed in a
tamper-evident envelope.
Authenticity
Integrity
Non-repudiation
Confidentiality
26
Public key cryptography
  • Each party is assigned a pair of keys
  • private known only by the owner
  • public - known by everyone
  • Information encrypted with the private key can
    only be decrypted by the corresponding public key
    vice versa
  • Fulfils requirements of confidentiality,
    integrity, authenticity and non-repudiation
  • No need to communicate private keys

27
Encryption Technologies Symmetric Key Cryptography
Document to be sent
Encoded Document
Encoded Document
Received Document
Symmetric key
Symmetric Key
  • Identical keys are used for encryption and
    decryption.
  • Requires both parties to do a digital
    conversation to know the key

28
Asymmetric Encryption
Clear-text Input
Clear-text Output
Cipher-text
An intro to PKI and few deploy hints
Py75cbn)9fDebDzjF_at_g5nmdFgegMs
An intro to PKI and few deploy hints
RSA
RSA
Encryption
Decryption
Different keys
29
Example Confidentiality
Clear-text Input
Clear-text Output
Cipher-text
An intro to PKI and few deploy hints
Py75cbn)9fDebDzjF_at_g5nmdFgegMs
An intro to PKI and few deploy hints
Decryption
Encryption
Different keys
Recipients private key
Recipients public key
30
Example Authenticity
Clear-text Input
Clear-text Output
Cipher-text
An intro to PKI and few deploy hints
Py75cbn)9fDebDzjF_at_g5nmdFgegMs
An intro to PKI and few deploy hints
Decryption
Encryption
Different keys
31
Public key encryption system
  • Example RSA
  • Advantages
  • No secret sharing risk
  • Provides authentication, non-repudiation
  • Infeasible to determine one key from the other
  • Disadvantages
  • Computationally intense (in software, DES is at
    least 100 times faster than RSA)
  • Requires authentication of public keys

32
Creating a Digital Signature
Message or File
Digital Signature
Message Digest
This is the document created by Bob
This is the document created by Bob
(Typically 128 bits)
3kJfgf
3kJfgf
Py75cbn
RSA
SHA, MD5
Asymmetric Encryption
Generate Hash
Calculate a short message digest from even a long
input using a one-way message digest function
(hash). Ii is a check that protects data against
most modifications
Signatory's private key
33
Verifying a Digital Signature
RSA
34
Digital Signature
  • Guarantees
  • Integrity of documentOne bit change in document
    changes the digest
  • Authentication of senderSigners public key
    decrypts digest sent and decrypted digest matches
    computed digest
  • Non-repudiationOnly signers private key can
    encrypt digest that is decrypted by his/her
    public key and matches the computed digest.
    Non-repudiation prevents reneging on an agreement
    by denying a transaction.

35
How can we Enhance trust?
  • Confidentiality ? Encryption
  • Who am I dealing with? ? Authentication
  • Message integrity ? Message Digest
  • Non-repudiation ? Digital Signature
  • Third party evidence of authenticity ?
    Certificate
  • Trusted certificate ? Certification Authorities

36
How to achieve risk management in the cyber
environment?
  • Based on the use of Digital Signature which has
    already been defined in the Electronic
    Transaction Act 2000
  • More secure and powerful that handwritten
    signature
  • based on the generation use of key pair in
    terms of
  • Private Key Used for making digital signature
  • Public Key Used to verify the digital signature
  • Public key known to everyone Private key only
    to the owner

37
Why do we need PKI?
  • However, the generation of private-public key
    pair is not enough for the comprehensive use of
    public key cryptography
  • To use these keys, a system (PKI) is needed for
    managing the keys
  • The PKI is needed to define
  • how to distribute the public keys
  • How to pair the public key to a particular user,
    possessing the private key

38
What is PKI?
  • A Public Key Infrastructure (PKI) is a mechanism
    to support the binding of public keys with the
    user's identity.
  • A PKI provides the entire policy and technical
    framework for the issuance, management and
    revocation of digital certificates, that users
    can trust
  • This same infrastructure provides the basis for
    interoperability among different agencies, so
    that a person's digital certificate is accepted
    by organisations external to the one that issued
    it

39
  • The responsibility of the security Infrastructure
    is to deliver the trusted services, we now need
    to answer following questions
  •  
  • How is the entitys identity established in the
    first place?
  • Who binds the identity of the public key to the
    individual?
  • How do I know if an individuals private key has
    been compromised?
  • Most of these questions go back to the basic
    business need for trust
  • To build trust, the Public Key Infrastructure
    centers on the following main components
  • Controller Certification Authority,
  • Certification Authority
  • Registration Authority

40
Controller of Certification Authorities
  • The End entities of the CCA will be the Licensed
    CAs in Mauritius.
  • A CA wishing to get licensed will have to meet
    stringent licensing criteria in various aspects,
    including financial soundness, personnel
    integrity, strict security controls and
    procedures.
  • Only CAs that meet the high integrity and
    security standards set up by the Controller will
    be licensed.
  • Subscribers using the certificates issued by a CA
    need to be assured that the CA is licensed by the
    CCA.

41
Certifying Authority
  • An organisation which issues public key
    certificates.
  • Must be widely known and trusted
  • Must have well defined methods of assuring the
    identity of the parties to whom it issues
    certificates.
  • Must confirm the attribution of a public key to
    an identified physical person by means of a
    public key certificate
  • Always maintains online access to the public key
    certificates issued.

42
Registration Authority (RA)
  •  
  • RA can be used to offload many of the
    administrative functions from the CA, including
    end-user registration

43
  • Mauritian PKI model

44
PKI operational framework
3. RA requests certificate for user
5. CA publishes certificates and CRLs
Certificate Authority
Registration Authority
Repository
4. CA issues certificates
2. RA verifies identity
App or other entity
Client
6. Apps and other systems use certificates
1. Users apply for certification
45
Handling Certificates
  • Certificates are safe to store
  • No need to protect them too much, as they are
    digitally signed
  • Private keys that match the public key are
    strictly confidential
  • Loosing the private key Loosing the identity
  • Must be very well protected
  • Use Protected Storage like a smart smartcard
    that will have crypto functionality on board or
    an i-Key enhanced with biometrics protection

46
Certificate Revocation List (CRL)
  • Private keys can get compromised, as a fact of
    life
  • Your CA issues a certificate revocation
    certificate and you do everything you can to let
    the world know that you issued it
  • Certificate Revocation Lists (CRL) are used
  • They require that the process of cert validation
    actively checks the CRL and keep it up-to-date
  • This explains why
  • Every certificate has an expiration date
  • short expiration policies are important

47
Certification Authority
  • The public key is issued and managed by CAs.
  • Because users of PKI rely on CAs to provide
    accurate subscriber information via digital
    certificates, section 24 of the ETA Act imposes a
    duty on a CA to use trustworthy systems when
    performing its services
  • This refers to all aspects of its services
    related to the issuance, renewal, suspension and
    revocation of a certificate
  • A trustworthy system refers to a system
  • comprising of hardware, software and procedures
    that are reasonably secure from intrusion and
    misuse,
  • that provide a reasonable level of availability,
    reliability and correct operation

48
Controller of Certification Authorities
  • Just as in the case of the CA, the CCA is also
    required to have a
  • trustworthy system
  • Under section 37 of the ETA act
  • The CCA is responsible for licensing, monitoring,
    and overseeing the activities of all CAs
  • In turn, the CCA is required to maintain a public
    database containing a CA disclosure record for
    each CA that it licenses, setting out the
    particulars of the licensed CA
  • Publicly accessible database and housing
  • Reinforced walls for room housing NRCA
  • 24-hour surveillance through CCTV
  • Access controls through proximity cards and
    biometric readers
  • Physical security including locks
  • Security personnel

49
Cost of Setting up Infrastructure
  • Root CA Rs 30 Million
  • CA Rs 60 Million
  • RA Rs 3 million

50
Recognition of foreign CAs
  • To ensure that the local PKI is able to interact
    with a PKI set up overseas, so that subscribers
    of the local PKI can rely and act upon digital
    signatures and certificates
  • section 50 (2) (n) of the ETA Act empowers the
    Minister to make regulations to allow the CCA to
    recognise foreign CAs outside Mauritius as long
    as they satisfy the required requirements

51
Mauritian PKI characteristics
  • Design of a cost-effective PKI model in view of
    relatively low volume of certificates to be
    issued initially
  • Low initial capital investment (divided by 10)
  • Operation within legal and regulatory framework
    of Govt. of Mauritius
  • Global acceptance of Mauritian PKI

52
MODELS
  • Own the infrastructure
  • Use of Infrastructure already available globally
  • A combination of these two

53
(No Transcript)
54
  • THANK YOU!

55
Summary
  • Changing trends in business
  • Reliance on the Internet for business
  • Enforcement of security in the cyber world
  • PKI as a security infrastructure
  • The Mauritian PKI model
  • PKI-based Applications

56
  • QUESTIONS?
Write a Comment
User Comments (0)
About PowerShow.com