Presentation is loading. Please wait.

Presentation is loading. Please wait.

TAG Presentation 18th May 2004 Paul Butler

Published bySharleen Samantha Powell Modified over 6 years ago

Similar presentations

Presentation on theme: "TAG Presentation 18th May 2004 Paul Butler"— Presentation transcript:

1 TAG Presentation 18th May 2004 Paul Butler
ABC’s of PKI TAG Presentation 18th May 2004 Paul Butler

2 Agenda Role of trust PKI concepts PKI components Management framework
Passport signing requirement Deployment issues Operational Issues Guidance

3 Security Model Must answer the questions:
What data are we protecting? integrity of biometric information on chip in passport Why are we protecting it? Maintain integrity of passport Who or what are we protecting it against? Those who would seek to alter data to falsify passport When are we protecting it? Throughout the life of the passport For passport issuers, the model revolves around TRUST

4 The Role of Trust Trust is usually based on some form of identity
Direct Trust Based on personal relationship, where trust is handled directly Breaks down when too many members in trusted relationship to handle directly Third Party trust Trust in individual changes to trust in a system Passports represent the national identity of an individual

5 PKI Concept Public Key Infrastructure based on asymmetric cryptography. Relies on a key pair, one private and one public Private key is secret Public key is freely available, linked to identity of certificate owner Private key cannot be computed from public key Concept is then applied into applications Mathematical construct known as trapdoor algorithm developed in the 1970’s supports concept of public and private keys implemented in software. Public key is readily available, private key is not. “Computationally unfeasible” to derive private key from public key. Used for electronic signature (signing key) or for encrypting data (encryption key). Need to ensure supporting technology 9encryption algorithm and key length stay current so this continues to be true

6 Public Key Infrastructure
Business uses include: Authentication of identity for individual, organization or device (authentication) Confirmation that data has not been tampered with (integrity) Confirmation that transaction took place (non-repudiation) Maintain data confidentiality (encryption) Guarantee that transaction took place at specific time (secure time stamp)

7 PKI Components Mechanism to issue certificates
Certificate authority (CA) Mechanism to validate certificates Directory services Certificate Revocation List Key history Potentially, source of trusted time for stamping Controlled Process to enroll and manage certificate holders - Registration Authority (RA) Process to revoke certificates which are no longer valid (distinct from rollover of expired certificate keys) Processes defined by certificate policy (CP) and certification practice statements (CPS)

8 Passport PKI Requirement
New passports to include biometric identifier on chip. Concerns about tampering (integrity) led to need for PKI signature to confirm data on chip unchanged since production of TD (integrity) PKI does NOT guarantee identity of passport holder – it guarantees that TD biometric is unchanged since production by a specific producer (non-repudiation) Based on DIGITAL SIGNATURE Use of encryption not a current requirement

9 Use of digital signature
During passport print process, data chip will be loaded CA will be requested for a signature Signature and certificate will be added to chip Chip is then locked to prevent further write operations

10 PKI Signing Process To sign a document:
A hash is prepared derived from the document content It is encoded with the signing algorithm from the signer’s PRIVATE KEY The signature and a copy of the public key certificate is attached to the document It is then available for validation

11 PKI Signing Process (2) To validate the signature:
The PUBLIC KEY is used to prepare a hash of the document using the same signing key algorithm as the private key The new hash is compared with the original If they are the same, it proves that the document is unchanged since it was signed For a TD, it means that TRUST can be placed on the validity of the document

12 PKI Signing Process (3) If relying party wishes to further validate the certificate, a path must exist to the CA which issued the certificate Check validity of issuer Check certificate not revoked Implies border crossing points must have internet facing capability linked to card readers which can go to a source and validate that the certificate presented is in fact valid No such infrastructure is yet in place

13

14 Deployment Issues Need for international standards among TD producers for mutual acceptance of biometric, PKI-authenticated TD’s Need for accreditation process to accept each new national CA into infrastructure Complex management challenge Need to incorporate passport CA with national policy for PKI administration Align with national trust model

15 Operational Issues Process for adoption of new technology standards
Essential to maintain underlying cryptographic technology current All nations move ahead together Avoid complexity of cross certification by publishing certificates in common location Location must be specified from outset in certificate

16 Key management To reduce risk of compromise, key should “roll over” frequently Need to maintain key history for lifetime of passport issued under that key In event of compromise, publish compromised certificate data to Certificate revocation list (directory) Secure time stamping could be used to determine when a compromise occurred, or for calculations regarding validity period of passport If key is compromised, all signatures issued by that key become invalid Therefore need to keep the “window” as small as operationally feasible

17 Guidance Common tendency to focus on underlying technology – wrong!
PKI is 20% technology, 80% process Key element lies in “trust model” To be trusted, technology must be supported by business processes which demonstrate the integrity of the PKI Entitlement processes must match integrity levels of entitlement process – no more, no less Setting up a CA is technically fairly simple Processes to manage

18 Questions?

Download ppt "TAG Presentation 18th May 2004 Paul Butler"

Similar presentations

© 1998-2003 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.

© ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit.. Page - 1 Seminar on Standardization and ICT Development for the Information.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation 23-25 May 2012, Kish Island, I.R.IRAN.

1st Expert Group Meeting (EGM) on Electronic Trade-ECO Cooperation on Trade Facilitation May 2012, Kish Island, I.R.IRAN.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean

E-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
TrustPort Public Key Infrastructure. WWW.TRUSTPORT.COM Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

Similar presentations

Ads by Google