Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing e Government Public Key Infrastructure Prof Dr Mohamed Kouta Chairman Of MIS Department Arab Academy For Science And Technology.

Similar presentations


Presentation on theme: "Securing e Government Public Key Infrastructure Prof Dr Mohamed Kouta Chairman Of MIS Department Arab Academy For Science And Technology."— Presentation transcript:

1 Securing e Government Public Key Infrastructure Prof Dr Mohamed Kouta Chairman Of MIS Department Arab Academy For Science And Technology

2 Outline Security Requirements. Security Requirements. Symmetric Key Cryptosystem. Symmetric Key Cryptosystem. Asymmetric (Public) Key Cryptosystem. Asymmetric (Public) Key Cryptosystem. Over View of Digital Signature. Over View of Digital Signature. Secure Socket Layer Protocol. Secure Socket Layer Protocol. Digital Certificate. Digital Certificate. Certificate Authority. Certificate Authority. PKI Components. PKI Components. PKI Implementation. PKI Implementation. Using biometrics and Smart Token. Using biometrics and Smart Token. PKI Assessment. PKI Assessment.

3 Security Requirements Privacy. Privacy. Authenticity. Authenticity. Non repudiation Non repudiation Integrity. Integrity.

4 Symmetric Key Cryptosystem Poly alphabetic Cipher Consider a key length = 4 Key = BAND 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Plain Text M= E BUS INES S B AND BAND B Cipher Text E(M)= G CIW KOSW U

5 Symmetric-key Cryptosystems Encryption E s Decryption D s SenderReceiver M M C Secret Key Secret Key Secure Channel Secret Key Intruder Overview

6 Symmetric-key Cryptosystems Encryption E s Decryption D s SenderReceiver M M C Secret Key Secret Key Secure Channel Secret Key Intruder Overview

7 Asymmetric-key Cryptosystems Encryption E K Decryption D K Sender Receiver M M C Public Key Private Key Intruder Overview

8 Overview of Digital Signature Signers Private Key Signed Document Encrypted Digest Hash Algorithm Digest Remember, a digital signature involves services provided by Certificate Authority (CA)

9 Verifying the Digital Signature for Authentication and Integrity Hash Algorithm Digest ? ? Signers Public Key And so does the process of verifying the validity of a digital signature

10 Senders Computer Senders Private Signature Key Senders Certificate + + Message + Digital Signature Receivers Certificate Encrypt Symmetric Key Encrypted Message Receivers Key-Exchange Key Encrypt Digital Envelope Message Message Digest 10 © Prentice Hall, 2000

11 Receivers Computer Decrypt Symmetric Key Encrypted Message Senders Certificate + + Message compare Digital Envelope Receivers Private Key-Exchange Key Decrypt Message Digest Digital Signature Senders Public Signature Key Decrypt Message Digest 11 © Prentice Hall, 2000

12 Digital Certificate Digital Certificate X509 Standard X509 Standard Each certificate contains the public-key of a user and is signed with the private-key of a trusted certificate authority

13 Certificate Authority In an uncontrolled system, anyone could publish a new public-key and assume a new identity. In an uncontrolled system, anyone could publish a new public-key and assume a new identity. Any Participant can send his public-key to any other one broadcast the key Any Participant can send his public-key to any other one broadcast the key

14 Certificate Authority This would be like allowing anyone to issue his or her own passport or driving licenses This would be like allowing anyone to issue his or her own passport or driving licenses This is clearly unacceptable for any application that, like electronic commerce, requires authentication and non-repudiation. This is clearly unacceptable for any application that, like electronic commerce, requires authentication and non-repudiation. In order to assure a proper information exchange mechanism, an important entity should be involved in the process which is the Certificate Authority (CA). In order to assure a proper information exchange mechanism, an important entity should be involved in the process which is the Certificate Authority (CA).

15 Certificate Authority Certificate Authority Cont. Distribution of Public Keys Cont. Distribution of Public Keys Public key Certificate Public key Certificate

16 Certificate Authority Requirements of setting up the CA Requirements of setting up the CA 1. Compatibility with existing Internet based Certificate Authorities It should be possible to use the certificates in applications such as Netscape navigators, secure email, and custom built business-to-business e- commerce applications. It should be possible to use the certificates in applications such as Netscape navigators, secure email, and custom built business-to-business e- commerce applications. Certificates must be consistent with accepted standards; such the widely recognized X.509 certificate formats. Certificates must be consistent with accepted standards; such the widely recognized X.509 certificate formats.

17 Certificate Authority Effective Distribution mechanisms Effective Distribution mechanisms Directory server support:- Directory server support:- includes client certificates, and certificate validity status. includes client certificates, and certificate validity status. Certificates accompanying signatures:- Certificates accompanying signatures:- The certificate, being signed by the ECA, enables the receiving party to check the validity of both the certificate, and the accompanying signature. The certificate, being signed by the ECA, enables the receiving party to check the validity of both the certificate, and the accompanying signature. Support for certificate revocation:- Support for certificate revocation:-

18 Certificate Authority Revocation of Certificates Revocation of Certificates The users private key is compromised The users private key is compromised The user is no longer certified by this CA The user is no longer certified by this CA The CAs certificate is compromised The CAs certificate is compromised

19 Certificate management cycle User Certificate Authority Program Request a certificate Send browser form Send public key Request certificate for key linked with LIR ID Certificate CA never sees the private key Certificate Some time later the user wants to revoke the certificate… Revocation request Certificate is included in the Certificate Revocation List (CRL)

20 PKI Component Certificate Authority (CA). Certificate Authority (CA). Issues Digital Certificates Issues Digital Certificates Authorization Authority (AA). Authorization Authority (AA). Response for Digital Certificate (DC) request Response for Digital Certificate (DC) request Registration Authority (RA). Registration Authority (RA). Contains a database for DC and Certificate Revocation List Contains a database for DC and Certificate Revocation List CRL. CRL. Directory Services. Directory Services. Handles DC exchange. Handles DC exchange. Applications. Applications.

21 PKI Implementation Issuing the Certificate Practice Statement (CPS). Issuing the Certificate Practice Statement (CPS). A statement of Practices that CA employs in issuing DC. A statement of Practices that CA employs in issuing DC. Building the PKI as according CPS. Building the PKI as according CPS. Training for users and administration Staff. Training for users and administration Staff. Connections to secured systems that could circumvented the PKI must be ended. Connections to secured systems that could circumvented the PKI must be ended. Integration with the different applications. Integration with the different applications.

22 Using Biometrics and Smart Token in Electronic signature

23 How a citizen can apply for a Smart Token Step 1 Step 1 The citizen (Applicant A) provides his National Security Number Card (NSN) to one of the Service Provider (SP). The citizen (Applicant A) provides his National Security Number Card (NSN) to one of the Service Provider (SP). Step 2 Step 2 SP sends the NSN information to the CA. SP sends the NSN information to the CA. Step 3 Step 3 CA checks for Applicant already has a DC or revoked with RA. CA checks for Applicant already has a DC or revoked with RA. Step 4 Step 4 If A is applying first time, CA asks for authorization from AA. If A is applying first time, CA asks for authorization from AA. Step 5 Step 5 AA responses for CA. AA responses for CA. Step 6 Step 6 CA asks A to generate his keys pair. CA asks A to generate his keys pair. Step 7 Step 7 The Two pairs are generated inside the applicant smart Token. The Two pairs are generated inside the applicant smart Token. Step 8 Step 8 The public Key is sent to the CA. The public Key is sent to the CA. Step 9 Step 9 The CA generates and sends the DC back to the applicant Token. The CA generates and sends the DC back to the applicant Token. Step 10 Step 10 The token is trained for the applicant finger print. The token is trained for the applicant finger print.

24 Sender side Pre Session Stage Pre Session Stage CA 2 check validity Sender (S)Receiver (R) 1 S wants to communicate with R 3 SDC 3 RDC

25 Sender side ESM + DE Sender PC Sender Token Sender Data MD SDS + SDC 1- Selecting the message M to be sent from the sender PC (SPC). 2- According to the Hashing Algorithm (HA) stored in the SPC, M will be hashed and the message digest (MD) will be generated. 3- The message digest MD is transferred from the SPC to the sender Smart Token (SST). 6- Using a random number generator (RNG), a session key (SK) will be generated inside the SPC. 7- Encrypting M+SDS+SDC using symmetric key encryption algorithm SKEA and Sk as encryption key and call it the encrypted signed message (ESM). 8- Extracting the receiver public key (RPUK) from the RDC available in the SCL. 9- Encrypt the SK with RPUK using PKUK to create Digital Envelop (DE) send ESM+DE. 4- Using public key cryptographic algorithm (PKCA),the MD is encrypted with the sender private key (SPRK) to get the sender digital signature (SDS). 5- The SDS+ a copy from the sender digital certificate (SDC) are sent back to the SPC.

26 Sender side Third Process Third Process Receiver PC DE Encrypted Signed message (ESM) Encrypted session key By receiver public key (DE) Sender PC ESM +

27 1-DE is sent to the receiver smart token (RST). 4- By the SK the message will be Decrypted using the same SKEA Now we have : M+ SDS + SDC. 5- The SDC received from CA is compared with SDC received from the sender to assure its validity. If its valid the procedure continue, aborted otherwise. 6- Decrypt the SDS by the sender public key SPUK contained in the SDC to get MD. Call it MD1. 8- Using M generate a message digest MD using the same HA. Call it MD2. 7- Compare the two digests MD1 and MD2. If MD1 and MD2 are identical then message accepted otherwise the message is rejected. Receiver PC Receiver side 2- Using PKEA the DE is Decrypted by the RPRK to get the session key SK. 3- Send SK back to the RE PC Receiver Token ESM + DE Received Data DE SK

28 Token blank contain 1- RSA Encryption/decryption Algorithm. 1- RSA Encryption/decryption Algorithm. 2- USB Interface. 2- USB Interface. 3- Biometric sensor. 3- Biometric sensor. 4- Image processing. 4- Image processing. 5- Feature extraction & recognition. 5- Feature extraction & recognition. 6- ROM. 6- ROM. 7- RAM 7- RAM

29 Smart Token Block Biometric Device Interface Bus USB including power supply Token Block Diagram

30 SMART TOKEN BLOCK USB interface BUS Biometric Interface ROM Private Key Certificate contain Public Key Finger print of the owner RAM Processing and result storage RSA En /Dec Algorithm & Key Generation Biometric Device Interface Bus Power supply from USB Control unit Feature extraction & recognition Image processing USB BUS

31 Biometric Verification for Smart Token

32 AT77C101B-CB02V Sensor

33 Architecture of the automatic identity authentication system

34 Image processing and extraction of fingerprint minutia

35 Step (1) Input Image

36 Step (2) Region of Interest

37 Step (3) Orientation Field

38 Step (4) Ridge Detection Ridge ending and ridge bifurcation.

39 Step (5) Extracted Ridges

40 Step (6) Thinned Ridges

41 Step (7) Smoothing procedure The presence of undesired spikes and breaks present in a thinned ridge map may lead to many spurious minutiae being detected. The presence of undesired spikes and breaks present in a thinned ridge map may lead to many spurious minutiae being detected. Therefore, before the minutiae detection, a smoothing procedure is applied to remove spikes and to join broken ridges. Therefore, before the minutiae detection, a smoothing procedure is applied to remove spikes and to join broken ridges.

42 Step (8) Minutiae detection

43 Last Step Minutia Extraction

44

45 Minutiae M atching Alignment of the input ridge and the template ridge

46 Applying the matching algorithm to an input minutiae set and a template (a) input minutiae set(b) template minutiae set

47 Applying the matching algorithm to an input minutiae set and a template (Cont.) (c) alignment result based on the minutiae marked with green circles ( d) matching result where template minutiae and their correspondences are connected by green lines.

48 PKI Assessments CPS CPS CA CA AA AA RA RA CRL policies. CRL policies. Certificate Usage with applications. Certificate Usage with applications. Auditing. Auditing. Cryptographic devices and data Cryptographic devices and data Cryptographic Algorithms Cryptographic Algorithms Critical Information Flow. Critical Information Flow. Sensitive Software Applications. Sensitive Software Applications. Key Managements. Key Managements. Network Devices Hosts, Routers, firewalls, switches). Network Devices Hosts, Routers, firewalls, switches).

49 Examples for PKI applications E-mail. E-mail. E-Gov services (Pension,..). E-Gov services (Pension,..). E-Election (voting). E-Election (voting). Group decision making. Group decision making. Multi signature. Multi signature. Notarizing. Notarizing. E-payment. E-payment. Medical care. Medical care. Note: It is up to the application to deploy the smart token. Note: It is up to the application to deploy the smart token.


Download ppt "Securing e Government Public Key Infrastructure Prof Dr Mohamed Kouta Chairman Of MIS Department Arab Academy For Science And Technology."

Similar presentations


Ads by Google