Prof.Dr.VICTOR PATRICIU


1 Trust & Security in E-Commerce
ITU E-Commerce Centers for the CEE, CIS & Baltic States
Regional Seminar on E-Commerce, May 14-17, 2002, Bucharest, ROMANIA
Professor Dr. VICTOR-VALERIU PATRICIU, Bucharest, ROMANIA
Prof.Dr.Victor PATRICIU, ROMANIA

2 Contents
- Trust Infrastructure for E-Commerce
- PKI Technology for Trusting E-commerce
  - New Cryptography Basics
  - PKI basic principles & Architectures
  - Digital certificates & Certificate Authorities
  - CRL-s
  - Applications
- PKI & CSP Legislation & Regulation
  - Certification Policies & Practices
  - PKI & CSP Assessment & Accreditation
  - Legislation, Regulation & Guidelines
  - EU Electronic Signature Directive
  - Romanian legislation on electronic signature
  - Romanian Law on Electronic Signature
  - Government’s Decree for Electronic Signature Application

3 A Trust Infrastructure for E-Commerce
- Electronic commerce promises vast revenues;
- It looks attractive in theory, but the truth is that:
  - only a small percentage use e-commerce services
  - and an even smaller percentage use them regularly;
- Diverse sectors – IT, telecommunications, financial institutions, retailers and governments – are driving towards a future where we conduct transactions electronically: every day, anytime and anywhere;

4 A Trust Infrastructure for E-Commerce
- But all of this comes to nought until one crucial obstacle is overcome – the question of security;
- Fraudsters & hackers will actively target all e-commerce services, service providers and the infrastructure;
- Security weaknesses become a major concern when conducting online transactions over the Internet, because these involve:
  - sensitive financial details for online paying;
  - trade secrets and other confidential information;
  - privacy of e-commerce actions: pay bills, trade stocks and shares, file our income tax returns, conduct legal transactions and vote in government elections;

5 A Trust Infrastructure for E-Commerce
- Trust Services are an emerging enabler for e-commerce.
- They deliver trust & confidence at various stages of business interaction, including: establishing and maintaining trust, negotiations, contract formation, fulfilment, dispute resolution.
- There are significant technical, legal and business problems.
- Trust Service Providers must:
  - be accountable for the service they provide
  - be around for the long term (disputes can occur years after transaction)
  - have a trust infrastructure
- The services must make life simpler for e-commerce participants.

6 A Trust Infrastructure for E-Commerce
- It is not yet very clear what the range of trust services will be.
- They can certainly be expected to include services to support trust establishment, negotiation, agreement and fulfilment:
  - Identity services,
  - Authorisation service,
  - Anonymity services,
  - Trust rating and recommendation services,
  - Assured message delivery,
  - Auditable receipt generation,
  - Storage (archival),
  - Notarisation,
  - Delivery (storage & notarization),
  - Timestamping services,
  - E-signature.

7 A Trust Infrastructure for E-Commerce
Example of Trust Services required for:
- Negotiating a contract
- Contract signing

8 A Trust Infrastructure for E-Commerce
[Table: Trust Services against Business stages]
Business stages: Contact Exchange, Find Partners, Credibility Check, Negotiating, Contract Signing
Trust Services: Authentication (yes), Authorization, Assured Messag., Secure Storage, Timestamping, E-Signature, Certification/Rating

9 PKI Technology for Trusting E-Commerce
- Public Key Infrastructure (PKI) technology has emerged as the most reliable framework for ensuring Security and Trust over the Internet.
- It is based on the principle of Asymmetric Cryptography.
- In the PKI model:
  - A Key is a long string of data used to encrypt or decrypt a given piece of information.
  - Every user has a unique key pair – the Public Key and corresponding Private Key.
  - The private key is kept confidential, whereas the public key is made available to the public.
  - Messages encrypted with a Public Key can only be decrypted with the corresponding Private Key, and vice-versa.
  - The Public Key is predominantly used for encryption and the private key for Digital Signatures.

10 PKI Technology for Trusting E-Commerce -Public Key Cryptography-
Public key cryptography: for every person a key pair:
- Public key (for encryption or signature verification)
- Private key (for decryption or signature creation)

11 PKI Technology for Trusting E-Commerce -Digital Signatures-

12 PKI Technology for Trusting E-Commerce - Pillars of Trust-
PKI is the only security and trust framework that fulfils the four vital requirements of e-commerce, known as the Four Pillars of Trust:
- Authentication: the means of identification employed. For e-Commerce transactions, the absence of face-to-face interaction creates the need for a foolproof method of identification. PKI offers the most secure means of authentication available today through Digital Certificates.
- Confidentiality: Secure transmission of data over open networks and preventing data access by unauthorized entities is of paramount importance. PKI ensures confidentiality through the use of time-tested Encryption Algorithms.
- Integrity: Data transferred through open networks should not be altered or modified during transit. Integrity of data is ensured through Data Hashing.
- Non-Repudiation: It is necessary to ensure that the sender does not disown data sent. There should be a trustworthy means to guarantee the ownership of the electronic document. PKI ensures non-repudiation through the use of Digital Signatures.

13 PKI Technology for Trusting E-Commerce -Certification Authorities-
Key Distribution

14 PKI Technology for Trusting E-Commerce -ITU X.509 v3 Digital Certificate-

15 PKI Technology for Trusting E-Commerce -PKI Architecture-
- PKI: set of components (hardware & software) that work together for using public-key technology
- CA: a trusted authority which provides a statement (the Digital Certificate) that the enclosed public key belongs to the person whose name is attached
- CA: a central administration that issues certificates:
  - organization to its employees
  - company to its employees
  - university to its students
  - public CA (like VeriSign)

16 PKI Technology for Trusting E-Commerce -CA Hierarchies-
[Diagram: CA hierarchy with a Root CA and four CAs]

17 PKI Technology for Trusting E-Commerce -Certificate Revocation Lists, CRL’s-
- A certificate must be revoked when:
  - the private key pair is compromised;
  - the private key pair is lost;
  - a person leaves the company.
- All users must be able to know that a certificate is no longer to be trusted;
- Relying parties are expected to check the CRL before using a certificate;
- Use a sufficiently scalable and powerful CR server. If a CRL is being used by applications for certificate validation, provisions must be in place for adequate availability of the CRL service (or applications should incorporate some backup procedures in case the CRL service is unavailable).
- OCSP (On-line Certificate Status Protocol): inquires of the issuing CA whether a certificate is still valid (response YES/NO).
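
An added example (not part of the original slides) of the relying-party behaviour this slide describes: check the CRL before using a certificate, fall back to a cached CRL when the CRL service is unavailable, and report UNKNOWN when no current CRL can be obtained, which the caller is expected to treat as a rejection (a design choice of this example). The CRL is a simplified in-memory model whose signature is assumed to be verified already; `RevocationChecker`, `fetch`, the issuer name and the serial numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, Optional


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no trustworthy revocation data: caller should reject


@dataclass
class CRL:
    """Simplified CRL model; signature verification is assumed done upstream."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, str] = field(default_factory=dict)  # serial -> reason

    def is_current(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


class RevocationChecker:
    """Fresh CRL first, unexpired cached CRL as backup, otherwise UNKNOWN."""

    def __init__(self, fetch: Callable[[str], CRL]):
        self._fetch = fetch                  # hypothetical CRL download function
        self._cache: Dict[str, CRL] = {}

    def _usable_crl(self, issuer: str, now: datetime) -> Optional[CRL]:
        try:
            crl = self._fetch(issuer)
            if crl.issuer == issuer and crl.is_current(now):
                self._cache[issuer] = crl
                return crl
        except OSError:
            pass                             # CRL service unavailable
        cached = self._cache.get(issuer)
        if cached is not None and cached.is_current(now):
            return cached                    # backup procedure: cached copy still valid
        return None

    def check(self, issuer: str, serial: int, now: datetime) -> Status:
        crl = self._usable_crl(issuer, now)
        if crl is None:
            return Status.UNKNOWN
        return Status.REVOKED if serial in crl.revoked else Status.GOOD


def demo():
    """Constructed scenario: service up, then down with a valid cache, then cache expired."""
    issuer = "CN=Example CA"                 # constructed sample data
    t0 = datetime(2002, 5, 14, 9, 0, tzinfo=timezone.utc)
    sample = CRL(issuer, t0, t0 + timedelta(hours=24), {0x1001: "keyCompromise"})
    service_up = {"value": True}

    def fetch(name: str) -> CRL:
        if not service_up["value"]:
            raise ConnectionError("CRL distribution point unreachable")
        return sample

    rc = RevocationChecker(fetch)
    results = [rc.check(issuer, 0x1001, t0 + timedelta(hours=1)),   # on the CRL
               rc.check(issuer, 0x1002, t0 + timedelta(hours=1))]   # not on the CRL
    service_up["value"] = False
    results.append(rc.check(issuer, 0x1002, t0 + timedelta(hours=5)))   # served from cache
    results.append(rc.check(issuer, 0x1002, t0 + timedelta(hours=30)))  # cache past next_update
    return results


if __name__ == "__main__":
    print([s.value for s in demo()])
```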

18 Standards that rely on a PKI
- S/MIME: PKI for digitally signing and encrypting messages and attachments
- SSL/TLS: secure access to Web Servers
- SET: secure electronic bankcard payments
- IPSec: in VPN for encryption & authentication

19 PKI Applications in Securing E-commerce
- Securing e-Business applications
  - Online Auction Markets / Exchange Sites
  - Online Procurement Solutions & Web Catalogues
  - Corporate Purchasing
  - Online Contracting
  - Security solutions for traditional EDI
  - Online delivery of intellectual products
- Secure e-Governance
  - Security solutions for government documentation
  - Online tax filing and payment solutions
  - Online payment of public utility charges and government levies
  - Online application and receipt of government approvals

20 PKI Applications in Securing E-commerce
- Security solutions for e-Banking
  - Electronic Funds Transfer / Payments
  - Trade Finance / Letter of Credit
  - Bill Presentment and Payment
  - Statement Delivery
- Securing Electronic Office Applications
  - Transformation to paperless office systems through digital signatures
  - Encryption
  - Archiving facilities for document storage
  - Secure Communication

21 PKI Applications in Securing E-commerce
- Security solutions for healthcare
  - Secure delivery of online medical advice
  - Storage and authenticated access to health Records
  - Privacy solutions for medical transcriptions
- Security solutions for education
  - Security & authentication solutions for distance education and online examinations
  - Security solutions for electronic certificates and credentials
  - Online university application solutions
  - Solutions for student identity along with smart cards

22 Legislation & Regulation
Legal and regulatory problems to be solved:
- Certification Policies & Practices for:
  - Public CA’s (Certificate Service Providers, CSP) and
  - Organizational CA’s
- PKI & CSP Assessment & Accreditation, widely accepted criteria from national/international bodies
- Legislation, Regulations & Guidelines for PKI & electronic signatures

23 Certification Policies & Practices
- CPs and CPSs are tools to help establish trust in interactions between Certification Authorities (CAs) and permit cross-certification, i.e., trust other CA’s certificates
- CPs help answer questions such as:
  - what can the certificate be used for?
  - which algorithms have been used?
- CPSs help answer questions such as:
  - how are users enrolled by the CA?
  - how is the CA managed?
- RFC framework for CP & CPS structure.

24 Certification Policies & Practices
- GENERAL PROVISIONS
  - OBLIGATIONS
    - CA obligations
    - RA obligations
    - Subscriber obligations
  - REQUIREMENTS FOR ISSUING TO NON-US GOVERNMENT SUBSCRIBERS
  - INTERPRETATION AND ENFORCEMENT
  - PUBLICATION AND REPOSITORY
  - CONFIDENTIALITY
  - INTELLECTUAL PROPERTY RIGHTS

25 Certification Policies & Practices
- IDENTIFICATION AND AUTHENTICATION
  - INITIAL REGISTRATION
  - CERTIFICATE RENEWAL, UPDATE, AND ROUTINE REKEY
  - REPLACING KEY AFTER REVOCATION
  - REVOCATION REQUEST
- OPERATIONAL REQUIREMENTS
  - CERTIFICATE APPLICATION
  - CERTIFICATE ISSUANCE
  - CERTIFICATE ACCEPTANCE
  - CERTIFICATE SUSPENSION AND REVOCATION
  - SECURITY AUDIT PROCEDURES
  - CA KEY CHANGE
  - COMPROMISE AND DISASTER RECOVERY

26 Certification Policies & Practices
- PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
- TECHNICAL SECURITY CONTROLS
  - KEY PAIR GENERATION AND INSTALLATION
  - PRIVATE KEY PROTECTION
  - COMPUTER SECURITY CONTROLS
  - LIFE CYCLE TECHNICAL CONTROLS
  - NETWORK SECURITY CONTROLS
  - CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS
- CERTIFICATE AND CRL PROFILES
  - CERTIFICATE
  - CRL PROFILE

27 PKI & CSP Assessment and Accreditation
- Role of PKI assessment:
  - Necessary for licence & accreditation
  - Necessary for PKI interoperation and trust
  - Enhances PKI support for non-repudiation
  - Required for insurance purposes
  - Necessary for risk management
- Assessment targets:
  - PKI environment
  - Systems & subsystems
  - Discrete components
  - Cryptomodules
- Main subjects for PKI assessment:
  - CA policies, practices and management controls
  - Key & device management controls
  - Certificate life-cycle controls

28 PKI & CSP Assessment and Accreditation
- PKI assessment types:
  - Self-assessment
  - Internal audits
  - External audits
- PKI assessment requirement:
  - Provision of certain documents
  - Certification of technical systems
  - Review of specified policies and practices
- PKI assessment models:
  - Information security evaluation criteria (Common Criteria, ITSEC, TCSEC, BS Code of Practice for Information Security Management)
  - Australian Gatekeeper program-GPKA
  - UK tScheme, a self-regulation scheme
  - ABA – PAG PKI Assessment Guidelines
  - American Institute of Certified Public Accountants -Web Trust

29 Legislation
General E-Commerce Legislation and Regulation
- EFTA, Electronic Funds Transfer Act- (USA), 1978
- UN Model Law on E-Commerce-1996 (UNCITRAL)
- UCITA, Uniform Computer Transaction Act, 1999 (NCCUSL-USA)
- UNICID, Uniform Rules for Interchange of Trade Data by Teletransmission-(ICC-International Chamber of Commerce)
- OECD Guidelines, E-Terms, (ICC)
Electronic Signature Legislation and Regulation
- UETA, Uniform Electronic Transaction Act - (NCCUSL-USA), 1999
- Federal E-Sign Act, 2000 (USA)
- EU Electronic Signature Directive, 1999
- UN Draft Model Law on Electronic Signature (UNCITRAL)
- Digital Signature Guidelines (ABA, USA), 1996

30 Legislation
DIRECTIVE 1999/93/EC of the EUROPEAN PARLIAMENT AND COUNCIL of 13 December 1999 on a Community Framework for Electronic Signatures

31 Directive highlights
- Legal recognition of electronic signatures
- Technology neutral
- Free flow of Products and Services
- Excludes prior authorisation or licensing scheme for Certification Service Providers
- Mandates supervision scheme for CSPs
- Calls for monitoring of Voluntary Accreditation Scheme

32 Definitions
- Electronic signature
- Certification Service Provider (CSP)
- Advanced electronic signature
- Signature creation/verification data
- Signature creation/verification device
- Qualified certificate
- Qualified Signature

33 Scope of Directive

34 Internal Market
1. Authorisation (obligatory): forbidden
2. Accreditation (voluntary): allowed
3. Supervision
   - CSP issuing qualified certificates to the public
   - Obligation for Member States to control via supervision
   - E.g. self-declaration scheme with subsequent control by governmental body or private institution

35 Legal Recognition
- General principle: Legal effect for all electronic signatures;
- Second principle: Certain electronic signatures get the same legal effect as hand-written signature;
- Qualified signature: advanced electronic signature + qualified certificate + secure signature creation device.
[Diagram labels: Electronic signatures, Advanced electronic signatures, Qualified signatures]

36 The Annexes
- Requirements
  - Annex I: Qualified certificate
  - Annex II: Certification Service Providers issuing qualified certificates
  - Annex III: Secure Signature Creation Device
- Recommendations
  - Annex IV: Signature Verification

37 International aspects
Foreign certificates = Qualified certificates if
- Foreign CA fulfils same requirements + accreditation by Member State, or
- A European CA guarantees for the foreign CA
- Recognition by treaty with EU

38 EESSI: European Electronic Signature Standardization Initiative
- Industry Initiative led by ICT Standards Board (CEN, ETSI, ...)
- Based on a mandate from European Commission
- Support the requirements of the EU Directive
- Interoperability standards for electronic signature
- Standards for CSPs
- Standards for signature creation and verification products
- Signature format: simple, co-signature, contra-signature, XML signature format
- A better understanding of the signature policies
- Defining protocols for: Time Stamping, Access to a repository with certificates and revocation, etc.

39 Technical Framework for Qualified Electronic Signatures
- Although “technology neutral”, the Directive implicitly defines a technical framework
- A proposed first set of components that can be used:
  - Asymmetric cryptography: RSA, DSA, ECDSA
  - Certificate based verification using ITU X.509
  - Public Key Infrastructure with CAs and Directories
  - Smart-cards/hardware tokens for private key protection
- Reasons for this selection:
  - Generally accepted, existing standards
- Urgent need for standardized use of these technologies!

40 EESSI Standards overview
[Diagram of EESSI standards areas (CEN E-SIGN, ETSI ESI): Certificate Service Provider; Requirements for CSPs; Trustworthy system; Time Stamp; Qualified certificate; Signature validation process and environment; Signature creation process and environment; Signature format and syntax; Creation device; Relying party/verifier; User/signer]

41 ROMANIA Law on Electronic Signatures
- Adopted by Romanian Parliament in July 2001;
- Establishes:
  - Legal regime of electronic documents,
  - The condition of issuing certificate services for digital signatures

42 Law on Electronic Signatures -Definitions-
- Extended (Advanced) Electronic Signature:
  - it is uniquely linked to the signatory;
  - it is capable of identifying the signatory;
  - it is created using means that the signatory can maintain under his sole control;
  - it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable
- Signature-creation/verification data;
- Secure-signature-creation/verification device;
- Certificate/Qualified certificate;
- Certification-service-provider (CSP)
- Voluntary accreditation

43 Law on Electronic Signatures -Legal specifications for electronic documents-
An electronic document with:
- Extended electronic signature,
- Based on a qualified certificate
- Generated using a secure-signature-creation device
is assimilated with a document with hand-written signature;

44 Law on Electronic Signatures CSP-Certificate Services Providers
- demonstrate reliability for providing certification services;
- ensure a secure directory and a revocation service;
- ensure the precise date/time when a certificate is issued / revoked;
- verify, by appropriate means, identity & attributes of the person to which a qualified certificate is issued;
- employ personnel with knowledge, experience, and qualifications;
- use trustworthy systems and products;
- maintain sufficient financial resources for liability for damages, by obtaining appropriate insurance;
- record all relevant information concerning a qualified certificate for an appropriate period of time;
- not store or copy signature-creation data of the person to whom the CSP provided key management services;

45 Law on Electronic Signatures CSP-Certificate Services Providers
A National Body is created (The Romanian Authority for Reglementation and Supervision) which:
- Conducts the CSPs accreditation process
- Conducts the homologation process of the SSCD (Secure-Signature-Creation Device)
- Makes a periodical supervision of CSPs
- Publishes on the Internet The Romanian CSP Register with specifications for accredited CSPs

46 Decree for the application of Electronic Signatures Law
- Adopted in December 2001
- Contains methodological and technical regulations for the use of electronic signatures
- Contents:
  - Definitions
  - Practical specifications for the activity of Romanian Authority for Reglementation and Supervision
  - Practical specifications for the activity of CSPs
  - CSP accreditation procedure
  - Procedures for using electronic signatures
  - Technical specifications for: Private keys; Algorithms; Certificate revocation conditions

47 Decree for the application of Electronic Signatures Law
The ANNEXES contain:
- The STRUCTURE of The Romanian CSP Register
- The STRUCTURE of Qualified Certificate
- The STRUCTURE of the CSP Notification for beginning activity
- The STANDARD EXTENSIONS of a Certificate
- The STRUCTURE of Certificates Register at CSP
- The Liability Letter
- Client Information necessary for obtaining a Certificate

48 Decree Technical Details
- The generation of the private key of the Romanian Authority for Reglementation and Supervision (ARS) must be made on an isolated and reliable dedicated system
- ARS uses only SHA hash-code function and RSA for digital signature; it is prohibited to use CRT method;
- For extended electronic signatures:
  - 1024 bits for RSA;
  - 1024 bits for DSA;
  - 160 bits for DSA based on elliptic curves;
  - RIPEMD-160 or SHA-1 hash functions;
- The formats for Certificate & CRL Register at CSPs:
  - CCITT (ITU-T) X.500 / ISO IS9594
  - RFC 2587 Internet X.509 PKI LDAPv3 Schema
  - RFC 2587 Internet X.509 PKI Certificate and CRL Profile

49 Other Necessary Romanian Regulations
- The methodology for the homologation of secure signature creation devices
- The Regulations for the activity of Romanian Authority for Reglementation and Supervision
- The methodology for supervision of CSPs
- The methodology for accreditation of CSPs, based on:
  - Certification Policy
  - Certification Practices Framework
  - Information Security Policy
  - Internet Security Policy
  - Emergency Response Plan
  - Business Continuity Plan
- The methodology for the audit of information security.

50 Conclusions
- PKI technology ensures trust & security in e-commerce;
- Five key ingredients that trust service providers must offer:
  - Accountability: At a minimum this must mean assurance that their processes will stand up to scrutiny in disputes.
  - Survivability/Longevity: Each service must produce technology and businesses that will be available to resolve disputes decades after.
  - Confidentiality: Customers give their sensitive data to the trust services; providers must ensure confidentiality even within their own organisation.
  - Integrity: Linked with accountability and longevity, but worth distinguishing. Because digital data is so easily created and forged, providers must be able to demonstrate the integrity of their information or the information they keep.
  - Simplicity: To be successful, trust services must make life simpler for e-traders, and they must take account of existing infrastructure.
- PKI technology is still in progress and needs to solve a lot of legal, technological and business problems

