Presentation is loading. Please wait.

Presentation is loading. Please wait.

Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University."— Presentation transcript:

1 Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University

2 Yee Fen Lim 2 Outline Introduction Handwritten signatures Requirements of electronic signatures Digital Signatures Public Key Cryptography Public Key Infrastructure Digital Certificates Allocation of Liability

3 Yee Fen Lim 3 Introduction Signature issues in the digital environment Importance –Commercial: e-commerce (all sectors) –Non-commercial

4 Yee Fen Lim 4 Handwritten Signatures Signature v. autograph –Intention of the signer Signature is any mark that has been affixed by the signer with the intent to be bound by the contents of the document Once affixed, the signature and the document becomes one composite thing Integrity

5 Yee Fen Lim 5 Proof of Handwritten Signatures If a handwritten signature is disputed, then call on the following: –witness to the signature –a person with intimate knowledge of the person’s signature –handwriting expert Authentication and Non-repudiation

6 Yee Fen Lim 6 Requirements of Electronic Signatures – “legal status” Integrity –“I love you” does not become “I love you not” Non-repudiation –“Not me!” Authentication –Did Superman really write the message? Confidentiality –Superman wants to keep his messages private

7 Yee Fen Lim 7 Types of Electronic Signatures Biometric signatures –eg iris scans, finger-prints, voice (none totally perfect yet). Non-biometric signatures –eg digital signatures

8 Yee Fen Lim 8 Digital Signatures Insecure – eg initials at the end of emails Secure –Uses encryption to code and decode –Ensures confidentiality –but what about integrity, authentication, non-repudiation?

9 Yee Fen Lim 9 Public Key Cryptography 2 key pairs: 1 private key and an associated public key Private key kept secret by owner Public key published widely Golden rule: anything encrypted with a public key can only be decoded with the private key, and vice versa

10 Yee Fen Lim 10 Public Key Cryptography: Superman example Superman writes: “I love you” Superman encrypts message with his private key Anyone with Superman’s public key can decode the message Authenticity

11 Yee Fen Lim 11 Public Key Cryptography: Superman example How does Superman ensure only Lois Lane can read his message? Superman encrypts his already encrypted message with Lois Lane’s public key Only Lois Lane can decode the message as she is the one with the private key Confidentiality

12 Yee Fen Lim 12 Public Key Cryptography: Superman example What about integrity? Include a pre-agreed one-way hash function with the original message eg “I love you” –Use a=1 b=2 c=3 ….z=26 –i=9 l=12 o=15 v=22 e=5 y=25 o=15 u=21 –Use sum: 9+12+15+22+5+25+15+21=124 –Hash is 124

13 Yee Fen Lim 13 Public Key Cryptography: Superman example Include the hash of 124 in the message that is double encrypted. When Lois Lane receives the message, she can run the message through the pre-agreed hash function If she gets 124 as the result, then integrity is ensured. If not, then the message may have been tampered with.

14 Yee Fen Lim 14 Public Key Cryptography: Superman example To save on processing, rather than encrypt the full message with the private key, most systems just encrypt the hash with the private key, and this becomes the digital signature ie different every time The private-key-encrypted hash plus the message is then encrypted with the recipient’s public key to ensure only the recipient can read the message.

15 Yee Fen Lim 15 Public Key Cryptography: Superman example What about non-repudiation? Who is the signer? Was it really Superman? Related to authentication Public key infrastructure (PKI)

16 Yee Fen Lim 16 Public Key Infrastructure (PKI) System for distribution of public keys –Reliability eg a web page simply listing the public keys of persons is not reliable as to source “Web of trust” Trusted third party to verify that the public key really does belong to whom it is said to belong

17 Yee Fen Lim 17 Public Key Infrastructure (PKI) Trusted third party is Certification Authority (CA) CA issues digital certificate verifying the owner of the public key A CA may use a third-party, a Registration Authority (RA), to perform the necessary checks on the person or entity requesting the certificate

18 Yee Fen Lim 18 Public Key Infrastructure (PKI) Can we trust the CA? Higher CA, Root CA (self-authenticates) Cross-verification creating certificate chain - web of trust

19 Yee Fen Lim 19 Public Key Infrastructure (PKI): Digital Certificates Serial number - unique number from CA Key length Signature algorithm – identity of algorithm Hashing algorithm Issuer name Validity period Subscriber – details of owner of public key Subject public key - actual key certified Signature of CA

20 Yee Fen Lim 20 Public Key Infrastructure (PKI): Digital Certificates Digital Certificates should: provide strong and substantial evidence of the identity of the owner of public key (signer) Be used during operational period of valid digital certificate Have the rebuttable presumption that the digital signature on the digital certificate is that of the subscriber listed

21 Yee Fen Lim 21 PKI: Rebutting the presumption Was the CA in the wrong? Was it an imposter’s public key that the CA has registered? Did someone else use Superman’s public/private key without permission? Did Superman safeguard his private key properly?

22 Yee Fen Lim 22 PKI: Revocation of Digital Certificates Credit card analogy: If Superman’s private key has been compromised, he should notify the CA CA can revoke Superman’s digital certificate CA then posts the certificate on the certificate revocation list (CRL) Limitations upon the right of a recipient of a digital certificate to rely upon them Unreliable Digital Signatures; Reasonable of Reliance

23 Yee Fen Lim 23 PKI: Allocation of Liability Hardest Legal Issues involve the allocation of liability among Subscriber (key owner), CA and Relying Party –eg1 Liability of CA to a Relying Party for binding the wrong public key to the identity of the subscriber named in the certificate. –eg2 Liability of the Subscriber to the Relying Party upon unauthorised use of Subscriber’s private key following compromise of the private key

24 Yee Fen Lim 24 PKI: Allocation of Liability For a Relying Party, the allocation of liability is paramount If a Relying Party does not know whether the CA can be trusted, or if the Subscriber is genuinely who they claim to be, then the Relying Party would not rely on the Digital Certificate

25 Yee Fen Lim 25 PKI: Allocation of Liability Examples of where problems arise: Inaccuracies in the Certificate Misrepresentation in the Certificate CA fails to revoke an invalid Certificate

26 Yee Fen Lim 26 PKI: Allocation of Liability Closed systems Open systems (Internet)

27 Yee Fen Lim 27 PKI: Allocation of Liability – closed system example Gatekeeper Health eSignature Authority (RA) –Betrusted (formerly Securenet) is CA –Individual certificates, location certificates –Referrals, reports

28 Yee Fen Lim 28 PKI: Allocation of Liability – closed system example 5.4 Keys and Certificates should only be used for Health related messages in transactions with HIC, or in transactions created by subscribers within the Health Sector but not where the transaction value is greater than $10,000 Lists obligations and duties for each party Limit on liability - $1,000/$5,000

29 Yee Fen Lim 29 PKI – Australia Contract law (if there is a contract) –including protection against unfair contractual liability allocation eg undue influence, unconscionable dealing, Contracts Review Act, ss51AA, 51AB & 51AC TPA Law of negligence s52 Trade Practices Act Consumer protection legislation $500 transaction?

30 Yee Fen Lim 30 PKI Regulation – Preferred approach Strict liability –avoidance of concepts of negligence Reliance limits Actions key can be used for

31 Yee Fen Lim 31 Thank you Yeefen.lim@mq.edu.au

Download ppt "Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University."

Similar presentations

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.

Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.

E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
In the CA I trust. A look at Certification Authorities James E. Shearer CSEP 590 March 8 th 2006.

In the CA I trust. A look at Certification Authorities James E. Shearer CSEP 590 March 8 th 2006.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Similar presentations

Ads by Google