Trusted Electronic Transactions - PowerPoint PPT Presentation

1 / 49
About This Presentation
Title:

Trusted Electronic Transactions

Description:

Trusted Electronic Transactions Key Pairs A key is a unique digital identifier Keys are produced using a random number generator A key pair consists ... – PowerPoint PPT presentation

Number of Views:28
Avg rating:3.0/5.0
Slides: 50
Provided by: ecomplian
Category:

less

Transcript and Presenter's Notes

Title: Trusted Electronic Transactions


1
Trusted Electronic Transactions
2
TOPICS COVERED
  • Why conduct transactions electronically?
  • Three Characteristics that ensure trust in
    electronic transactions
  • How we achieve trust in paper-based transactions
  • Problems with common electronic transactions

3
TOPICS COVERED
  • Achieving trust in electronic transactions with
    Digital Signature technology and an effective
    archiving scheme
  • What are digital Signatures? An introduction to
    Public Key Infrastructure
  • An introduction to Archiving digitally signed
    transactions using XML.

4
TOPICS COVERED
  • Applying Public Key Infrastructure to address
    security risks when granting public access to
    community-right-to-know data
  • Relevant Legislation regarding Digital Signatures
    and electronic government transactions

5
ELECTRONIC TRANSACTIONS
  • Streamline Reporting Process
  • Reduce burden on regulated community
  • Efficient Record Retention
  • Timely and Accurate Data Retrieval and Access
  • Emergency Response (24/7 access)
  • Community-Right-to-Know

6
  • Accuracy and Authenticity
  • Decisions regarding Environmental Health and
    Impact
  • Security
  • Protection from unauthorized access
  • Tamper-resistant
  • Accidental human errors
  • Intentional - Fraud
  • Credibility in Judicial Proceedings
  • Effective Enforcement
  • Plaintiff/Defendant Subpoena

7
JUDICIAL CREDIBILITY is the Highest Standard for
Trusted Data
  • Evidence must be unambiguous to be admissible in
    court
  • Once admitted into Court, evidence must be
    persuasive to a jury

National Governors Association (NGA) State
Guide to Environmental Reporting
8
WHAT DETERMINES A LEGALLY BINDING REPORT ?
  • AUTHENTICATION the ability to prove the senders
    identity
  • 2. REPORT INTEGRITY the ability to prove that
    there has been no change during transmission,
    storage, or retrieval
  • 3. NON-REPUDIATION the ability to prove that
    the originator of a report intended to be bound
    by the information contained in the report

9
NON-REPUDIATION
REPORT INTEGRITY
AUTHENTICATION
10
(No Transcript)
11
(No Transcript)
12
FROM PAPER TO ELECTRONIC Repudiation Risks in
Basic Electronic Transactions
  • I did not send that report !
  • That report is not the one I sent !
  • I did not mean that !

13
I did not send that report !
  • Identity of user is unknown
  • Possible Solutions
  • Telephone call follow-up
  • Terms and Conditions Agreement (TCA) / Mailed
    Certification Agreement
  • Mail a Diskette Containing Electronic Data

14
That report is not the one I sent !
  • Electronic reports contain no evidence of
    tampering in transmission, storage or retrieval
  • Sources of possible loss of data integrity
  • Human Error
  • Data Corruption
  • Fraud

15
Ensuring Authenticity and Report Integrity in
Electronic Transactions
  • Digital Signatures
  • Public Key Infrastructure

16
Public Key Infrastructure (PKI)
  • PKI is a combination of software, encryption
    technologies and facilities that can facilitate
    trusted electronic transactions.
  • PKI Components
  • Key Pairs
  • Certificate Authority
  • Public Key Cryptography

17
Key Pairs
  • A key is a unique digital identifier
  • Keys are produced using a random number generator
  • A key pair consists of two mathematically
    related keys
  • The private key is secret and under the sole
    control of the individual
  • The public key is open and published

18
(No Transcript)
19
Certificate Authority
  • A trusted authority
  • Responsible for creating the key pair,
    distributing the private key, publishing the
    public key and revoking the keys as necessary
  • The Passport Office of the Digital World

20
Digital Certificates
  • A unique electronic signifier issued by a
    Certificate Authority that functions like a
    passport to verify a users identity.
  • The certificate authority binds the unique key
    to the following
  • Name of the Certificate Authority
  • Certificate Expiration Date
  • Certificate Identity Number
  • Certificate Storage
  • software tokens
  • browser certificate stores
  • hardware tokens (Smart Cards, USB Tokens)

21
(No Transcript)
22
Public Key Cryptography
Complimentary Algorithms are used to encrypt and
decrypt documents
Encryption key
_at__at__at_56455908283923542_at_
Decryption key
Unreadable Format
23
Public Key Infrastructure in Action
Public Key
Private Key
Secure Transmission
Decrypting
Encrypting
Signatures
Encrypting
Decrypting
24
Digital Signatures
Private key
Report Encryption Algorithm
Digitally Signed An individual digitally
signs a document using the private key component
of his certificate.
25
Authentication and Verification
The individuals public key, published by the CA
decrypts and verifies the digital signature.
Public Key
Decryption Algorithm
Digitally Signed
26
Authentication and Verification
  • Any changes made to the report will invalidate
    the signature
  • Provides evidence of report integrity
  • Provides proof of report originators identity
    - Authentication

27
(No Transcript)
28
Security in Transmission
  • Secure Socket Layer (SSL)
  • https
  • Submission is encrypted by the sender with
    recipients public key
  • After receipt, submission is decrypted with
    recipients private key

29
(No Transcript)
30
What Should Be Signed ?
  • Balance between capturing the entire content of
    the transaction vs. ease of data integration
  • Data that is Machine readable but which
    separates user entry content from context
    database, comma delimited, spreadsheet, etc
  • Data that records content and context but which
    are not easily integrated into databases word,
    pdf, image, html, etc

31
Ensuring Non-repudiation in Electronic
Transactions
  • Capturing Complete Transactions in Archive
  • Signing the content and context of a transaction
  • Storing the signed transaction in a data
    warehouse without manual intervention

32
XML
  • eXtensible Markup Language
  • XML can be used to store both the questions on
    the form (context) and the data entered by the
    user (content).
  • The entire form can be stored as one object
  • Default Values
  • Lookup values (ie chemical classifications)
  • Questions
  • Physical Characteristics

33
XML Schema
From the W3C http//www.w3.org/1999/05/06-xmlsche
ma-1/ define and describe a class of XML
documents by using these constructs to constrain
and document the meaning, usage and relationships
of their constituent parts datatypes, elements
and their content, attributes and their values,
entities and their contents and notations. Schema
constructs may also provide for the specification
of implicit information such as default values.
Schemas are intended to document their own
meaning, usage, and function through a common
documentation vocabulary. Business Plan Schema
34
  • XML Transaction Instance conforming to Schema
  • Public Key Cryptography via Web Browser plugin

35
Granting Public Access to paper reports
  • Public comes into agency office
  • Public provides drivers license or other
    identification
  • Agency can monitor who is accessing data

36
Providing Trusted Electronic Access to Data
  • Identity of user is unknown
  • Access cannot be monitored
  • Relying on the Certificate Authority

37
Digital Certificate
Public
In order to obtain access to Community Right to
Know Data, individuals first obtain digital
Certificates.
38
Digital Certificates
Public
Agency
After contributing a certificate to gain access,
The individuals certificate can be
cross-referenced with other security databases to
monitor suspect individuals.
39
RELEVANT LEGISLATION
  • TITLE 27, Part 2, Article 5
  • CA Title 2, Division 7, Ch.10 Digital
    Signatures

40
TITLE 27 CUPA Legislation
41
California Digital Signature Regulations
California Code of Regulations Title 2.
Administration DIVISION 7. CHAP 10. DIGITAL
SIGNATUREShttp//www.ss.ca.gov/digsig/regulations
.htm
  • Definitions
  • Digital Signatures Must Be Created By An
    Acceptable Technology- Criteria For Determining
    Acceptability
  • List of Acceptable Technologies
  • Provisions For Adding New Technologies to the
    List of Acceptable Technologies
  • Issues to Be Addressed By Public Entities When
    Using Digital Signatures

42
California Digital Signature Regulations
  • The technology known as Public Key Cryptography
    is an acceptable technology for use by public
    entities in California, provided that the digital
    signature is created consistent with the
    provisions in Section 22003(a)1-5.
  • "Acceptable Certification Authorities" means a
    certification authority that meets the
    requirements of either Section 22003(a)6(C) or
    Section 22003(a)6(D).
  • "Approved List of Certification Authorities"
    means the list of Certification Authorities
    approved by the Secretary of State to issue
    certificates for digital signature transactions
    involving public entities in California.

43
(No Transcript)
44
Summary Electronic Report Transactions are
subject to fraud and easily repudiated
  • Unsigned Web forms can be sent by anyone. They
    can be tampered in transmission and the sender
    cant be legally verified
  • Unsigned Data in a database can be altered and
    does not provide adequate evidence in a court of
    law
  • Data on Diskette can be altered without visible
    evidence

45
Summary, cont.
  • Digitally signed reports can also be repudiated,
    if the signed data is stored independently of the
    form question data.

46
Conclusion Ensuring Trusted Electronic
Transactions
  • 1. PKI supports trusted electronic report
    transactions
  • Authentication- authenticates the
  • sender of a report
  • Report Integrity- invalidates a report if it
    has been tampered.
  • Non-repudiation- sender and document
  • are authenticated- the sender cannot
  • deny having sent the report

47
Conclusion, cont.
  • 2. PKI supports trusted access to Public Data
  • Agencies require individuals to contribute
    digital certificates in order to gain access.
  • Agencies can track who gains access at what time
  • The names of individuals who seek access can be
    cross-referenced with additional security
    databases to protect public safety

48
Conclusion, cont.
  • 3. Complete Archiving ensures that a legal record
    of a transaction can be trusted
  • Non-repudiation- Storing a copy of the entire
    data (including questions on the form) with the
    digital signature.

49
Resources
  • eCompliance, Inc. http//www.ecompliance.net
  • White paper/ Electronic Transactions
  • Copy of presentation
  • Environmental Protection Agency
  • Central Data Exchange http//www.epa.gov/cdx/cde
    .html
  • National Governors Association
  • State Guide to Electronic Reporting of
    Environmental Data http//www.nga.org/center/divis
    ions/1,1188,C_ISSUE_BRIEF5ED_1139,00.html
Write a Comment
User Comments (0)
About PowerShow.com