Presentation on theme: "Prof.Dr.Victor PATRICIU, ROMANIA ITU- E-Commerce Centers for the CEE, CIS & Baltic States Regional Seminar on E-Commerce May, 14-17, 2002, Bucharest, ROMANIA."— Presentation transcript:
Trust & Security in E-Commerce. Professor Dr. VICTOR-VALERIU PATRICIU, Bucharest, ROMANIA. ITU E-Commerce Centers for the CEE, CIS & Baltic States Regional Seminar on E-Commerce, May 14-17, 2002, Bucharest, ROMANIA.
Contents: Trust Infrastructure for E-Commerce. PKI Technology for Trusting E-Commerce: New Cryptography Basics; PKI basic principles & Architectures; Digital certificates & Certificate Authorities; CRLs; Applications. PKI & CSP Legislation & Regulation: Certification Policies & Practices; PKI & CSP Assessment & Accreditation; Legislation, Regulation & Guidelines; EU Electronic Signature Directive. Romanian legislation on electronic signature: Romanian Law on Electronic Signature; Government's Decree for Electronic Signature Application.
A Trust Infrastructure for E-Commerce. Electronic commerce promises vast revenues. It looks attractive in theory, but the truth is that only a small percentage use e-commerce services, and an even smaller percentage use them regularly. Diverse sectors (IT, telecommunications, financial institutions, retailers and governments) are driving towards a future where we conduct transactions electronically: every day, anytime and anywhere.
A Trust Infrastructure for E-Commerce. But all of this comes to nought until one crucial obstacle is overcome: the question of security. Fraudsters and hackers will actively target all e-commerce services, service providers and the infrastructure. Security weaknesses become a major concern when conducting online transactions over the Internet because these involve: sensitive financial details for online payment; trade secrets and other confidential information; privacy of e-commerce actions (paying bills, trading stocks and shares, filing income tax returns, conducting legal transactions and voting in government elections).
A Trust Infrastructure for E-Commerce. Trust Services are an emerging enabler for e-commerce. They deliver trust and confidence at various stages of business interaction, including: establishing and maintaining trust, negotiations, contract formation, fulfilment, dispute resolution. There are significant technical, legal and business problems. Trust Service Providers must: be accountable for the service they provide; be around for the long term (disputes can occur years after a transaction); have a trust infrastructure. The services must make life simpler for e-commerce participants.
A Trust Infrastructure for E-Commerce. It is not yet very clear what the range of trust services will be. They can certainly be expected to include services to support trust establishment, negotiation, agreement and fulfilment: identity services; authorisation service; anonymity services; trust rating and recommendation services; assured message delivery; auditable receipt generation; storage (archival); notarisation; delivery (storage & notarisation); timestamping services; e-signature.
A Trust Infrastructure for E-Commerce. Example of Trust Services required for: negotiating a contract; contract signing.
A Trust Infrastructure for E-Commerce. Table: Business / Trust Services. Business stages: Contact Exchange, Find Partners, Credibility Check, Negotiating, Contract Signing. Trust services: Authentication (yes), Authorization (yes), Assured Messag. (yes), Secure Storage (yes), Timestamping (yes), E-Signature (yes), Certification/Rating (yes).
PKI Technology for Trusting E-Commerce. Public Key Infrastructure (PKI) technology has emerged as the most reliable framework for ensuring security and trust over the Internet. It is based on the principle of asymmetric cryptography. In the PKI model: a key is a long string of data used to encrypt or decrypt a given piece of information. Every user has a unique key pair: the Public Key and the corresponding Private Key. The private key is kept confidential, whereas the public key is made available to the public. Messages encrypted with a Public Key can only be decrypted with the corresponding Private Key, and vice versa. The Public Key is predominantly used for encryption and the Private Key for Digital Signatures.
PKI Technology for Trusting E-Commerce - Public Key Cryptography. In public key cryptography every person has a key pair: a public key (for encryption or signature verification) and a private key (for decryption or signature creation).
PKI Technology for Trusting E-Commerce - Digital Signatures
PKI Technology for Trusting E-Commerce - Pillars of Trust. PKI is the only security and trust framework that fulfils the four vital requirements of e-commerce, known as the Four Pillars of Trust. Authentication: the means of identification employed. For e-commerce transactions, the absence of face-to-face interaction creates the need for a foolproof method of identification. PKI offers the most secure means of authentication available today through Digital Certificates. Confidentiality: secure transmission of data over open networks and preventing data access by unauthorized entities is of paramount importance. PKI ensures confidentiality through the use of time-tested encryption algorithms. Integrity: data transferred through open networks should not be altered or modified during transit. Integrity of data is ensured through data hashing. Non-repudiation: it is necessary to ensure that the sender does not disown data sent. There should be a trustworthy means to guarantee the ownership of the electronic document. PKI ensures non-repudiation through the use of Digital Signatures.
PKI Technology for Trusting E-Commerce - Certification Authorities: Key Distribution
PKI Technology for Trusting E-Commerce - ITU X.509 v3 Digital Certificate
PKI Technology for Trusting E-Commerce - PKI Architecture. PKI: a set of components (hardware & software) that work together for using public-key technology. CA: a trusted authority which provides a statement (the Digital Certificate) that the enclosed public key belongs to the person whose name is attached. CA: a central administration that issues certificates: an organization to its employees; a company to its employees; a university to its students; a public CA (like VeriSign).
PKI Technology for Trusting E-Commerce - CA Hierarchies (diagram labels: Root CA, CA, CA)
PKI Technology for Trusting E-Commerce - Certificate Revocation Lists, CRLs. A certificate must be revoked when: the private key pair is compromised; the private key pair is lost; a person leaves the company. Revocation lets all users know that a certificate should no longer be trusted. Relying parties are expected to check the CRL before using a certificate. Use a sufficiently scalable and powerful CR server. If a CRL is being used by applications for certificate validation, provisions must be in place for adequate availability of the CRL service (or applications should incorporate some backup procedures in case the CRL service is unavailable). OCSP (On-line Certificate Status Protocol): inquires of the issuing CA whether a certificate is still valid (response: YES/NO).
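The backup procedure this slide asks for, as an added example that is not part of the original presentation: a relying party tries a fresh CRL, falls back to a cached CRL only while that CRL is still inside its validity window, and otherwise refuses to accept the certificate. The `Crl` class, the `fetch` callback and the sample issuer and serial numbers are constructed for illustration, and the model assumes the CRL's CA signature has already been verified.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, Optional, Tuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


@dataclass(frozen=True)
class Crl:
    """Simplified stand-in for a CRL whose CA signature was already verified."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked_serials: FrozenSet[int]


class RevocationChecker:
    """Relying-party check: fresh CRL first, cached CRL as backup, else fail closed."""

    def __init__(self, fetch: Callable[[str], Crl]):
        self._fetch = fetch                  # hypothetical transport (HTTP, LDAP, ...)
        self._cache: Dict[str, Crl] = {}

    @staticmethod
    def _usable(crl: Optional[Crl], issuer: str, now: datetime) -> bool:
        # A CRL is only evidence for its own issuer and inside its validity window.
        return (crl is not None and crl.issuer == issuer
                and crl.this_update <= now < crl.next_update)

    def check(self, issuer: str, serial: int, now: datetime) -> Tuple[str, str]:
        source = "fresh"
        try:
            crl = self._fetch(issuer)
        except OSError:                      # CRL service unavailable
            crl = None
        cached = self._cache.get(issuer)
        if self._usable(crl, issuer, now) and (
                cached is None or crl.this_update >= cached.this_update):
            self._cache[issuer] = crl        # an older CRL never replaces a newer one
        else:
            crl, source = cached, "cache"    # backup procedure
            if not self._usable(crl, issuer, now):
                return UNKNOWN, "none"       # no valid data: do not accept the certificate
        return (REVOKED if serial in crl.revoked_serials else GOOD), source


def demo():
    """Constructed scenario: one CA, one revoked serial, CRL service goes down."""
    t0 = datetime(2002, 5, 14, 9, 0, tzinfo=timezone.utc)
    crl = Crl("CN=Example CA", t0 - timedelta(hours=1), t0 + timedelta(hours=23),
              frozenset({0x1A2B}))
    service = {"online": True}

    def fetch(issuer: str) -> Crl:
        if not service["online"]:
            raise ConnectionError("CRL distribution point unreachable")
        return crl

    checker = RevocationChecker(fetch)
    results = [checker.check("CN=Example CA", 0x1A2B, t0),
               checker.check("CN=Example CA", 0x0042, t0)]
    service["online"] = False                # outage: only the cache is left
    results.append(checker.check("CN=Example CA", 0x1A2B, t0 + timedelta(hours=2)))
    results.append(checker.check("CN=Example CA", 0x0042, t0 + timedelta(days=2)))
    return results


if __name__ == "__main__":
    for status, source in demo():
        print(f"{status:8} (CRL source: {source})")
```

The last case is the one that matters during an outage: once the cached CRL has passed its next-update time the answer is "unknown", not "good".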
Standards that rely on a PKI. S/MIME: PKI for digitally signing and encrypting messages and attachments. SSL/TLS: secure access to Web servers. SET: secure electronic bankcard payments. IPSec: in VPNs for encryption & authentication.
PKI Applications in Securing E-commerce. Securing e-Business applications: online auction markets / exchange sites; online procurement solutions & Web catalogues; corporate purchasing; online contracting; security solutions for traditional EDI; online delivery of intellectual products. Secure e-Governance: security solutions for government documentation; online tax filing and payment solutions; online payment of public utility charges and government levies; online application and receipt of government approvals.
PKI Applications in Securing E-commerce. Security solutions for e-Banking: electronic funds transfer / payments; trade finance / letter of credit; bill presentment and payment; statement delivery. Securing electronic office applications: transformation to paperless office systems through digital signatures; encryption; archiving facilities for document storage; secure communication.
PKI Applications in Securing E-commerce. Security solutions for healthcare: secure delivery of online medical advice; storage and authenticated access to health records; privacy solutions for medical transcriptions. Security solutions for education: security & authentication solutions for distance education and online examinations; security solutions for electronic certificates and credentials; online university application solutions; solutions for student identity along with smart cards.
Legislation & Regulation. Legal and regulatory problems to be solved: Certification Policies & Practices for public CAs (Certificate Service Providers, CSP) and organizational CAs; PKI & CSP Assessment & Accreditation, with widely accepted criteria from national/international bodies; Legislation, Regulations & Guidelines for PKI & electronic signatures.
Certification Policies & Practices. CPs and CPSs are tools to help establish trust in interactions between Certification Authorities (CAs) and permit cross-certification, i.e., trusting other CAs' certificates. CPs help answer questions such as: what can the certificate be used for? which algorithms have been used? CPSs help answer questions such as: how are users enrolled by the CA? how is the CA managed? RFC framework for CP & CPS structure.
Certification Policies & Practices. GENERAL PROVISIONS; OBLIGATIONS (CA obligations; RA obligations; Subscriber obligations); REQUIREMENTS FOR ISSUING TO NON-US GOVERNMENT SUBSCRIBERS; INTERPRETATION AND ENFORCEMENT; PUBLICATION AND REPOSITORY; CONFIDENTIALITY; INTELLECTUAL PROPERTY RIGHTS.
Certification Policies & Practices. IDENTIFICATION AND AUTHENTICATION; INITIAL REGISTRATION; CERTIFICATE RENEWAL, UPDATE, AND ROUTINE REKEY; REPLACING KEY AFTER REVOCATION; REVOCATION REQUEST; OPERATIONAL REQUIREMENTS; CERTIFICATE APPLICATION; CERTIFICATE ISSUANCE; CERTIFICATE ACCEPTANCE; CERTIFICATE SUSPENSION AND REVOCATION; SECURITY AUDIT PROCEDURES; CA KEY CHANGE; COMPROMISE AND DISASTER RECOVERY.
Certification Policies & Practices. PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS; TECHNICAL SECURITY CONTROLS; KEY PAIR GENERATION AND INSTALLATION; PRIVATE KEY PROTECTION; COMPUTER SECURITY CONTROLS; LIFE CYCLE TECHNICAL CONTROLS; NETWORK SECURITY CONTROLS; CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS; CERTIFICATE AND CRL PROFILES; CERTIFICATE; CRL PROFILE.
PKI & CSP Assessment and Accreditation. Role of PKI assessment: necessary for licence & accreditation; necessary for PKI interoperation and trust; enhances PKI support for non-repudiation; required for insurance purposes; necessary for risk management. Assessment targets: PKI environment; systems & subsystems; discrete components; cryptomodules. Main subjects for PKI assessment: CA policies, practices and management controls; key & device management controls; certificate life-cycle controls.
PKI & CSP Assessment and Accreditation. PKI assessment types: self-assessment; internal audits; external audits. PKI assessment requirements: provision of certain documents; certification of technical systems; review of specified policies and practices. PKI assessment models: information security evaluation criteria (Common Criteria, ITSEC, TCSEC, BS Code of Practice for Information Security Management); Australian Gatekeeper program (GPKA); UK tScheme, a self-regulation scheme; ABA PAG (PKI Assessment Guidelines); American Institute of Certified Public Accountants Web Trust.
Legislation. General E-Commerce Legislation and Regulation: EFTA, Electronic Funds Transfer Act (USA), 1978; UN Model Law on E-Commerce, 1996 (UNCITRAL); UCITA, Uniform Computer Transaction Act, 1999 (NCCUSL-USA); UNICID, Uniform Rules for Interchange of Trade Data by Teletransmission (ICC, International Chamber of Commerce); OECD Guidelines; E-Terms (ICC). Electronic Signature Legislation and Regulation: UETA, Uniform Electronic Transaction Act (NCCUSL-USA), 1999; Federal E-Sign Act, 2000 (USA); EU Electronic Signature Directive, 1999; UN Draft Model Law on Electronic Signature (UNCITRAL); Digital Signature Guidelines (ABA, USA), 1996.
Legislation. DIRECTIVE 1999/93/EC of the EUROPEAN PARLIAMENT AND COUNCIL of 13 December 1999 on a Community Framework for Electronic Signatures
Directive highlights: legal recognition of electronic signatures; technology neutral; free flow of products and services; excludes prior authorisation or licensing scheme for Certification Service Providers; mandates supervision scheme for CSPs; calls for monitoring of Voluntary Accreditation Scheme.
Definitions: electronic signature; Certification Service Provider (CSP); advanced electronic signature; signature creation/verification data; signature creation/verification device; qualified certificate; qualified signature.
Scope of Directive
Internal Market. 1. Authorisation (obligatory): forbidden. 2. Accreditation (voluntary): allowed. 3. Supervision: obligation for Member States to control, via supervision, CSPs issuing qualified certificates to the public, e.g. a self-declaration scheme with subsequent control by a governmental body or private institution.
Legal Recognition. General principle: legal effect for all electronic signatures. Second principle: certain electronic signatures get the same legal effect as a hand-written signature. Levels: electronic signatures; advanced electronic signatures; qualified signatures. Qualified signature: advanced electronic signature + qualified certificate + secure signature creation device.
The Annexes. Requirements: Annex I: Qualified certificate; Annex II: Certification Service Providers issuing qualified certificates; Annex III: Secure Signature Creation Device. Recommendations: Annex IV: Signature Verification.
International aspects. Foreign certificates = qualified certificates if: the foreign CA fulfils the same requirements + accreditation by a Member State; or a European CA guarantees for the foreign CA; or recognition by treaty with the EU.
EESSI: European Electronic Signature Standardization Initiative. Industry initiative led by the ICT Standards Board (CEN, ETSI, ...). Based on a mandate from the European Commission. Supports the requirements of the EU Directive. Interoperability standards for electronic signature: standards for CSPs; standards for signature creation and verification products; signature format (simple, co-signature, contra-signature, XML signature format); a better understanding of the signature policies; defining protocols for time stamping, access to a repository with certificates and revocation, etc.
Technical Framework for Qualified Electronic Signatures. Although technology neutral, the Directive implicitly defines a technical framework. A proposed first set of components that can be used: asymmetric cryptography (RSA, DSA, ECDSA); certificate-based verification using ITU X.509; Public Key Infrastructure with CAs and Directories; smart cards/hardware tokens for private key protection. Reasons for this selection: generally accepted, existing standards; urgent need for standardized use of these technologies!
EESSI Standards overview (diagram labels: Signature creation process and environment; Signature validation process and environment; Signature format and syntax; Creation device; Requirements for CSPs; Trustworthy system; Certificate Service Provider; User/signer; Relying party/verifier; CEN E-SIGN; ETSI ESI; Qualified certificate; Time Stamp)
ROMANIA Law on Electronic Signatures. Adopted by the Romanian Parliament in July 2001. Establishes: the legal regime of electronic documents; the conditions for providing certificate services for digital signatures.
Law on Electronic Signatures - Definitions. Electronic signature. Extended (Advanced) Electronic Signature: it is uniquely linked to the signatory; it is capable of identifying the signatory; it is created using means that the signatory can maintain under his sole control; it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable. Signature-creation/verification data. Secure-signature-creation/verification device. Certificate/Qualified certificate. Certification-service-provider (CSP). Voluntary accreditation.
Law on Electronic Signatures - Legal specifications for electronic documents. An electronic document with an extended electronic signature, based on a qualified certificate and generated using a secure-signature-creation device, is assimilated with a document with a hand-written signature.
Law on Electronic Signatures - CSP, Certificate Services Providers. CSPs must: demonstrate reliability for providing certification services; ensure a secure directory and a revocation service; ensure the precise date/time when a certificate is issued/revoked; verify, by appropriate means, the identity & attributes of the person to whom a qualified certificate is issued; employ personnel with knowledge, experience, and qualifications; use trustworthy systems and products; maintain sufficient financial resources for liability for damages, by obtaining appropriate insurance; record all relevant information concerning a qualified certificate for an appropriate period of time; not store or copy signature-creation data of the person to whom the CSP provided key management services.
Law on Electronic Signatures - CSP, Certificate Services Providers. A National Body is created (the Romanian Authority for Regulation and Supervision), which: conducts the CSP accreditation process; conducts the homologation process of the SSCD (Secure-Signature-Creation Device); carries out periodic supervision of CSPs; publishes on the Internet the Romanian CSP Register with specifications for accredited CSPs.
Decree for the application of Electronic Signatures Law. Adopted in December 2001. Contains methodological and technical regulations for the use of electronic signatures. Contents: definitions; practical specifications for the activity of the Romanian Authority for Regulation and Supervision; practical specifications for the activity of CSPs; CSP accreditation procedure; procedures for using electronic signatures; technical specifications for private keys, algorithms and certificate revocation conditions.
Decree for the application of Electronic Signatures Law. The ANNEXES contain: the STRUCTURE of the Romanian CSP Register; the STRUCTURE of the Qualified Certificate; the STRUCTURE of the CSP Notification for beginning activity; the STANDARD EXTENSIONS of a Certificate; the STRUCTURE of the Certificates Register at the CSP; the Liability Letter; Client Information necessary for obtaining a Certificate.
Decree Technical Details. The generation of the private key of the Romanian Authority for Regulation and Supervision (ARS) must be made on an isolated and reliable dedicated system. ARS uses only the SHA hash-code function and RSA for digital signature; it is prohibited to use the CRT method. For extended electronic signatures: 1024 bits for RSA; 1024 bits for DSA; 160 bits for DSA based on elliptic curves; RIPEMD-160 or SHA-1 hash functions. The formats for the Certificate & CRL Register at CSPs: CCITT (ITU-T) X.500 / ISO IS9594; RFC 2587 Internet X.509 PKI LDAPv3 Schema; RFC 2587 Internet X.509 PKI Certificate and CRL Profile.
Other Necessary Romanian Regulations. The methodology for the homologation of secure signature creation devices. The regulations for the activity of the Romanian Authority for Regulation and Supervision. The methodology for supervision of CSPs. The methodology for accreditation of CSPs, based on: Certification Policy; Certification Practices Framework; Information Security Policy; Internet Security Policy; Emergency Response Plan; Business Continuity Plan. The methodology for the audit of information security.
Conclusions. PKI technology ensures trust & security in e-commerce. Five key ingredients that trust service providers must offer. Accountability: at a minimum this must mean assurance that their processes will stand up to scrutiny in disputes. Survivability/Longevity: each service must produce technology and businesses that will be available to resolve disputes decades after. Confidentiality: customers give their sensitive data to the trust services, so providers must ensure confidentiality even within their own organisation. Integrity: linked with accountability and longevity, but worth distinguishing; because digital data is so easily created and forged, providers must be able to demonstrate the integrity of their information or the information they keep. Simplicity: to be successful, trust services must make life simpler for e-traders, and they must take account of existing infrastructure. PKI technology is still in progress and needs to solve many legal, technological and business problems.