ITU Telecommunication Development Bureau (BDT)

Presentation transcript:

ITU Telecommunication Development Bureau (BDT) Strategies and Technologies for Building Trust and Security in e-Applications ITU/BDT Arab Regional Workshop on “e-Services Policies” Damascus, Syria - 27-29 April 2004 Alexander NTOKO Chief, E-Strategy Unit ITU Telecommunication Development Bureau (BDT)

Agenda for Presentation: Main Security Threats; Technology Framework; Industry Solutions; Technology Strategies

Typical transaction-based e-government infrastructure. But how do we get governments, businesses and citizens to conduct critical government transactions online? When we examine various security solutions, it is clear that if we have to address authentication, confidentiality, data integrity and non-repudiation, agreed by most experts as key requirements for cyber security, we must look at technologies that address all these issues. Without waging a technology war, public key infrastructure appears to address cyber security in a comprehensive manner.

As many countries embark on the e-government bandwagon, governments, citizens and businesses are asking many questions – Can we trust these systems?
Receiving online submissions to renew national identity cards. G: Am I dealing with the owner of the identity card? C: How do I know this is really a government web site?
Submitting confidential bids for government procurements. G: Is the bid from a registered company? B: Can my competitors see my bid?
Transmitting sensitive government documents online. G: Can an unauthorized person view the document? G: How can access control be ensured?

As many countries embark on the e-government bandwagon, governments, citizens and businesses are asking many questions – Can we trust these systems?
Issuing birth certificates and land certificates via the Internet. G: Can a citizen modify his or her date of birth? G: What if a citizen changes the size of his or her land?
Conducting elections via the Internet – e-voting. C: Can someone know whom I voted for? G: How do we guarantee that a citizen votes only once? G: Is this vote from a registered voter?

It is all about TRUST: having firm integrity in something or somebody. An entity A can be said to trust another entity B when A makes the assumption that B will behave exactly as A expects. And knowing whom you are dealing with is vital for building trust.

Technology Framework for Online Trust and Security for Critical Government Applications
Data Confidentiality: Information accessed only by those authorized.
Data Integrity: No information added, changed, or taken out.
Strong Authentication: Parties are who they claim to be.
Non-repudiation: Originator cannot deny origin or transaction.
Infrastructure of trust: Automating the checking and verification of digital credentials.
We see here some of the solutions provided by PKI.

Technology Framework for Online Trust: 1. Data Integrity → Message Digest
[Diagram: Plaintext, Hash Algorithm, Digest (160, 256, 384 or 512 bit representation of document)]
Used to determine if document has changed.
Currently based on FIPS 180-2 approved algorithms (SHA-1, SHA-256, SHA-384 and SHA-512).
Produces 160, 256, 384 or 512 bit “digests”.
Infeasible to produce a document matching a digest.
A one bit change in the document affects about half the bits in the digest.
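The "one bit change affects about half the bits" property can be measured directly. The following is an added example, not part of the original slides; the sample document and function names are constructed for illustration.

```python
import hashlib

def bit_difference(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)

def avalanche(document: bytes, algorithm: str) -> float:
    """Mean fraction of digest bits that change, over every single-bit flip."""
    base = hashlib.new(algorithm, document).digest()
    total_bits = len(document) * 8
    changed = sum(
        bit_difference(base, hashlib.new(algorithm, flip_bit(document, i)).digest())
        for i in range(total_bits)
    )
    return changed / (total_bits * len(base) * 8)

# Constructed sample document (not from the slides).
DOCUMENT = b"Application to renew national identity card (constructed sample)"

# The four FIPS 180-2 algorithms named on the slide. SHA-1 is measured only
# because the slide lists it: practical collisions were published in 2017,
# so it should not be relied on for new signatures.
ALGORITHMS = ("sha1", "sha256", "sha384", "sha512")

def digest_bits(algorithm: str) -> int:
    """Digest length in bits for the given algorithm."""
    return hashlib.new(algorithm).digest_size * 8

def report() -> dict:
    """Map each algorithm to (digest length in bits, mean changed fraction)."""
    return {alg: (digest_bits(alg), avalanche(DOCUMENT, alg)) for alg in ALGORITHMS}

if __name__ == "__main__":
    for alg, (bits, fraction) in report().items():
        print(f"{alg:7s} {bits:3d}-bit digest, {fraction:.1%} of bits change per flipped input bit")
```
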

Technology Framework for Online Trust: 2. Data Confidentiality → Symmetric Encryption System
Same key is used to both encrypt and decrypt data.
Examples of encryption systems: DES, 3DES, RC2, RC4, RC5, RC6, AES.
DES: Data Encryption Standard, US Gov 1977, developed at IBM, now being replaced by the NIST-approved AES (Rijndael) encryption algorithm for symmetric encryption.

Technology Framework for Online Trust: Key Exchange → Public Key Encryption System
[Diagram: Recipient’s Public Key, Recipient’s Private Key]
Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt.
Public key can be sent in the open.
Private key is never transmitted or shared.

Technology Framework for Online Trust: Non-Repudiation → Digital Signature
[Diagram: Hash Algorithm, Digest, Signer’s Private Key, Encrypted Digest, Signed Document]

Technology Framework for Online Trust: Digital Envelope
[Diagram: One-time encryption key, Recipient’s Public Key, “Digital Envelope”]
Combines the high speed of symmetric encryption and the key management convenience of RSA (public key encryption).

Technology Framework for Online Trust: Establishing Digital Credentials → Digital Certificates
ITU-T X.509 creates the framework for establishing digital identities – a key component for establishing security and trust for ICT applications in public networks (such as the Internet).

Industry Solutions for Online Trust and Security. When we examine various security solutions, it is clear that if we have to address authentication, confidentiality, data integrity and non-repudiation, agreed by most experts as key requirements for cyber security, we must look at technologies that address all these issues. Without waging a technology war, public key infrastructure appears to address cyber security in a comprehensive manner.

Why Public Key Infrastructure (PKI)?
It is not about waging a technology war. The issue is about providing comprehensive solutions.
UNPAN: highly rated e-government countries have PKI as an important component of their e-government policy.
PKI is not just about technologies. It is for the most part policies.

Digital Signature Guarantees:
Integrity of document: One bit change in document changes the digest.
Authentication of sender: Signer’s public key decrypts digest sent and decrypted digest matches computed digest.
Non-repudiation: Only signer’s private key can encrypt digest that is decrypted by his/her public key and matches the computed digest. Non-repudiation prevents reneging on an agreement by denying a transaction.
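The signature flow from the Digital Signature slide and the three guarantees listed above, as an added example that is not part of the original slides. It assumes a toy key pair built from known Mersenne primes and uses unpadded RSA so that the "encrypt the digest with the private key" model stays visible; production signatures use randomly generated keys from a vetted library and a padding scheme such as PSS. All names and the sample bid are constructed.

```python
import hashlib

# Toy key pairs built from known Mersenne primes (an assumption of this demo).
# Real keys use random primes, and real signatures add a padding scheme
# (PKCS#1 v1.5 or PSS) that this sketch leaves out.
def make_key(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)): public and private key for primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (e, n), (d, n)

SIGNER_PUB, SIGNER_PRIV = make_key(2**521 - 1, 2**607 - 1)
OTHER_PUB, OTHER_PRIV = make_key(2**127 - 1, 2**1279 - 1)

def digest(document: bytes) -> int:
    """SHA-256 digest of the document as an integer."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")

def sign(document: bytes, private_key) -> int:
    """Signer: 'encrypt' the digest with the private key."""
    d, n = private_key
    return pow(digest(document), d, n)

def verify(document: bytes, signature: int, public_key) -> bool:
    """Verifier: 'decrypt' with the public key, compare with computed digest."""
    e, n = public_key
    return pow(signature, e, n) == digest(document)

# Constructed sample document (not from the slides).
BID = b"Bid from Example Co. (constructed sample): 120,000 for lot 7"

def demo() -> dict:
    """Check one genuine and two failing cases against the signer's public key."""
    sig = sign(BID, SIGNER_PRIV)
    altered = BID.replace(b"120,000", b"920,000")
    return {
        "genuine document": verify(BID, sig, SIGNER_PUB),
        "amount altered in transit": verify(altered, sig, SIGNER_PUB),
        "signed with another private key": verify(BID, sign(BID, OTHER_PRIV), SIGNER_PUB),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

The second case shows integrity, the third shows authentication; non-repudiation follows only as long as the private key stays under the signer's sole control.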

Building Online Trust for E-Government: Digital Signature – Issues and Challenges
Acceptance of Digital Signatures Across Multi-Jurisdictional PKI Domains (National, Regional and Global).
Adopting Policies for Generic Identity Certificates (PKI) and Attribute Certificates (PMI).
Elaborating Harmonized and Technology Neutral E-Legislative Framework and Enforcement Mechanisms.
Using identity management as a strategy for building trust and confidence also raises some challenges. There are interoperability issues at both the policy and technology levels. We need to clearly distinguish the roles played by Attribute Authorities versus Certification Authorities and the link between generic identities versus privileges. Governments have an important role to play, as they do today, in establishing national IDs and passports used by citizens to acquire other privileges.

Strategy for E-Signatures and CAs
Online Trust and Security for e-Government needs to be part of a comprehensive policy framework dealing with e-applications/services.
A role-based and holistic framework for cyber security will enable the elaboration of comprehensive policies and the development of a generic security infrastructure on which various sectors can build secure applications and services. Cyber security is a concern for all sectors. The common requirements for these sectors have to be identified and addressed, and the roles to be played by the various stakeholders, including governments and other authorities, have to be well-defined.

What could be the Role of Governments?
National/Regional Policies for the Management of IP Resources: Internet Protocol Addresses; Domain Names (under ccTLDs).
Enabling Environment for E-Applications: Accreditation of Certification Authorities; Control and Enforcement Mechanisms (e.g., Spam, Spim and Data privacy).
Central Role in Generic Digital Credentials.
Harmonized Regional Framework: E-Legislation.
Governments can and should play an important role in cyber security. Policies for the management of Internet Protocol Addresses and country code Top Level Domain names need to be elaborated at the national and regional levels. The national framework for the management of digital identities needs to be established to enable a clear definition of roles and proper management of identities. Governments, today, are already responsible for issuing identities (passports and national IDs). In the e-society, this role needs to be maintained so that identity management becomes a horizontal service for various vertical sectors.

For e-government to move from simple web-based information dissemination systems to transaction-based services for critical applications, citizens, governments and businesses must all have TRUST in the solutions. When we examine various security solutions, it is clear that if we have to address authentication, confidentiality, data integrity and non-repudiation, agreed by most experts as key requirements for cyber security, we must look at technologies that address all these issues. Without waging a technology war, public key infrastructure appears to address cyber security in a comprehensive manner.

Thank You for your attention. For further information: Web: http://www.itu.int/ITU-D/e-strategy Email: e-strategy@itu.int