Smart cards and document exchange security

1
Smart cards and document exchange security
legal requirements in EU and Bulgaria.
Practical implementation in eConfidence System™
International Symposium "Recent Developments in Cryptography and Information Security"
August 29-31, 2007, National Institute of Education, Oriahovitza, Bulgaria
Miroslav Nachev
Robert Kuenstler
Todor Petrov
2
Business requirements arising from globalization in all parts of public life and IT
technologies
  • Confidentiality of business information: trusted,
    protected document exchange
  • Reliable authentication of the parties in data exchange
  • Guaranteed integrity of information
  • Non-repudiation of business transactions
  • Digital signing and encrypting of exchanged
    information
  • Effective interaction of application software
    • Vertically: connections to the software of the Certification
      Service Provider (CSP)
    • Horizontally: between different application software
  • User-friendly application software

3
Some real problems with current digital
certificates from CSPs
  • Non-conformity of the certificate format to the
    structures of the validation data (CRL)
  • very general (and frequently inexact) revocation
    reasons
  • CRLs whose revocation reasons are inconsistent with the
    CRL reasons inscribed in the generated certificates
  • Different schemes and certificate paths for
    access to authority certificates
  • Absence of higher-level certificates from the
    certificate store
  • Incorrect application of the authority
    certificates in the certificate path

→ onerous vertical interoperability
  • Support of proprietary digital signature structures,
    with the applicable algorithms treated as
    company secrets

→ next to impossible horizontal interoperability
4
Problem reasons
  • IETF standards (RFCs) cover a wide variety of
    computer and communications applications and
    provide great flexibility in technical aspects
    (communication protocols, data formats,
    procedures, etc.). For the realization of
    interoperable applications, the standards may be
    too flexible
  • in some aspects they offer too many
    implementation alternatives to choose from

Choice of irrelevant profiles
  • other aspects relevant for the specific
    application area may not be covered by them
  • Striving for Market Monopoly Position
  • Interpretation of company know-how by CSP and
    application developers
  • forcing the use of explicitly indicated
    application software

for instance, XML exchanged documents
  • evasion (or ignorance) of structures with exact
    definition and interpretation
  • Statutory regulations
  • often very general recommendations and regulations
    for data structures, protocols and algorithms
  • do not regulate the application of modern IT
    technologies
  • Etc.

5
Main directions for problem solving
These problems are not unique to Bulgaria
  • XML Advanced Electronic Signatures (XAdES) - ETSI
    TS 101 903
  • compliant with the European Directive
  • include validity confirmations
  • the signature remains valid over long periods
  • Estonian DigiDoc System - www.sk.ee
  • XAdES structures
  • personal ID card digital certificate
  • ISIS-MTT: Common specifications for interoperable
    PKI applications (www.isis-mtt.org)
  • specifying a selection of the numerous technical
    standards that are relevant for the target
    application area and that are to be followed by
    implementers
  • restricting the possible implementation
    alternatives in order to promote interoperability
    as well as to reduce the costs of implementation
    and conformity tests
  • extending the international standards to cover
    specific needs or aspects that are not covered by
    those standards, but that need regulation for the
    sake of interoperability

6
ISIS-MTT Model
[Diagram labels: Time Stamp Service; data structures; protocols; procedures; validated data; signature format; algorithms]
7
About eConfidence System™
eConfidence System™ is a trademark of Plan C
Ltd. (www.planc.biz)
  • Enterprise version: server and client modules,
    complete functionality
  • Standalone (Lite) version: module eCS Protector
  • Free-of-charge module eCS CheckUp: for checking
    and decrypting eCS documents

8
Basic concepts and models in eConfidence System™
  • Digital certificate
    • X.509 v3
    • store (media) for the private key: smart card (PKCS#11)
      or p12 / pfx file (PKCS#12)
  • Cryptographic operations
    • digital signature generation (digital signing)
    • checking digital signature validity (validation)
    • encrypting / decrypting
    • file protection (self-encrypting)
  • Binary operations

9
Basic concepts and models in eConfidence System™
  • Digital signature
    • Advanced electronic signatures based on
      qualified certificates (Directive 1999/93/EC)
    • More than 1 signature
  • Signing methods
    • hierarchical (embedded, nested)
    • independent, co-sign
    • mixed: embedded and independent
  • Signing policies
    • Certificate validation: online (via OCSP, CRL),
      offline (via CRL)
    • when the key is applied
    • user check-up

10
Basic concepts and models in eConfidence System™
  • One-time encrypting
    • The last operation, for security reasons
  • Combined (mixed) encrypting for higher
    cryptographic reliability and high-speed
    processing
    • Symmetrical encrypting: the document content is
      compressed and ciphered with a symmetrical random
      session key
    • Asymmetrical encrypting: the symmetrical random
      session key is ciphered asymmetrically with the
      public key of the addressee of the enciphered
      document
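
The combined scheme on this slide, as an added Java example (not eConfidence System code). The slide names no algorithms, so Deflate, AES-256-GCM and RSA-OAEP, the class name and the sample document are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.zip.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class HybridEnvelope {
    public static void main(String[] args) throws Exception {
        // Constructed sample data. In a real deployment the public key comes from the
        // addressee's X.509 certificate and the private key stays on the smart card.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair addressee = kpg.generateKeyPair();
        byte[] document = "<doc>constructed sample</doc>".getBytes(StandardCharsets.UTF_8);

        // 1. Compress the content before encryption (ciphertext does not compress).
        ByteArrayOutputStream compressed = new ByteArrayOutputStream();
        try (DeflaterOutputStream z = new DeflaterOutputStream(compressed)) {
            z.write(document);
        }

        // 2. Symmetric step: fresh random session key and nonce for this document only.
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey session = kg.generateKey();
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(128, nonce));
        byte[] ciphertext = aes.doFinal(compressed.toByteArray());

        // 3. Asymmetric step: only the 32-byte session key goes through RSA.
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, addressee.getPublic());
        byte[] wrappedKey = rsa.doFinal(session.getEncoded());

        // Addressee side: unwrap the key, decrypt (GCM rejects tampering), decompress.
        rsa.init(Cipher.DECRYPT_MODE, addressee.getPrivate());
        SecretKey recovered = new SecretKeySpec(rsa.doFinal(wrappedKey), "AES");
        aes.init(Cipher.DECRYPT_MODE, recovered, new GCMParameterSpec(128, nonce));
        InputStream in = new InflaterInputStream(
                new ByteArrayInputStream(aes.doFinal(ciphertext)));
        if (!Arrays.equals(in.readAllBytes(), document))
            throw new IllegalStateException("round trip failed");
        System.out.println("round trip OK, wrapped key " + wrappedKey.length + " bytes");
    }
}
```

The nonce and the wrapped key travel with the ciphertext; neither is secret, but the nonce must never repeat under the same session key.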

11
Basic concepts and models in eConfidence System™
  • XML structure
  • Container for the document, digital signatures
    and other qualified security information
  • Sequence of digital signatures
  • European standard for application in electronic
    commerce: ETSI TS 101 903 XML Advanced
    Electronic Signatures (XAdES)
  • Evidence for legality of certificate and digital
    signature
  • Protection from illegal actions and changes
  • Long-term digital signatures

12
Basic concepts and models in eConfidence System™
  • Serial document processing: package generation
  • Uniform operations: a single user action on all
    documents (files) in the package
  • Documents from different sources / folders
  • Dispatch with additional recipient information
  • Input file types (file extension)
  • principle of excluding forbidden file types
  • Exchange of protected documents
  • E-mail with attachments

13
Main functionality of eCS Protector
Serial crypto-processing
Formation of file package
Self-encrypting
Digital signing
Encrypting
  • Type of the signature

Final operations
  • List of recipients
  • Text of e-mail message
  • Final operation
  • Sending of e-mail
  • Encrypting and sending of e-mail

14
Reverse crypto-processing
Select file
Decrypt
Validation
  • XML contents
  • signature

Optional operations
  • Save encrypted file
  • Extract and save original document
  • Save correspondent's certificate

15
Process flow of eConfidence System™
[Diagram labels: Customer 1; IS; Customer 2; User 1; User 2; User 3]
16
Features of eConfidence System™
  • Complete compliance with Bulgarian and EC
    legislation for electronic certificates, digital
    signatures and electronic commerce
  • Open structure and easy integration with other
    IT systems / corporate PKI systems (through a
    standard XML structure)
  • Interoperable with different CSPs
  • Support for different signing schemes (signing
    policies)
  • User-friendly GUI, as usual for Windows
    applications
  • Independent Java application: independent of
    operating system, e-mail client, etc.

Pursuit of interoperability standardization