Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © 2008, CIBER Norge AS 1 Using eID and PKI – Status from Norway Nina Ingvaldsen and Mona Naomi Lintvedt 22 nd October 2008.

Published byNathaniel May Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © 2008, CIBER Norge AS 1 Using eID and PKI – Status from Norway Nina Ingvaldsen and Mona Naomi Lintvedt 22 nd October 2008."— Presentation transcript:

1 Copyright © 2008, CIBER Norge AS 1 Using eID and PKI – Status from Norway Nina Ingvaldsen and Mona Naomi Lintvedt 22 nd October 2008

2 Copyright © 2008, CIBER Norge AS 2 Agenda Short introduction to PKI Framework for using PKI –Norwegian framework for eID and PKI –The PKI specification: Levels of security –The common framework: Levels of risk –The common framework: Levels of security Concepts within PKI –Definitions –Creating a signature –Validating a signature –Signed Data Objects Using eID in Norway

3 Copyright © 2008, CIBER Norge AS 3 Short introduction to PKI Public Key Infrastructure An arrangement that binds public keys with respective user identities by means of a certificate authority (CA) Identification and authentication Signature Encryption PKI provides the highest level of authentication, but the use of electronic ID with lower security is more common. The use should always be based on necessary and adequate security.

4 Copyright © 2008, CIBER Norge AS 4 Norwegian framework for eID and PKI EU Directive 1999/93 Community framework for electronic signatures Norwegian Electronic Signatures Act -Concerning the secure and efficient use of electronic signatures -Requirements for qualified certificates and the issuers of certificates A common Requirements specification for PKI for the public sector:Requirements specification for PKI for the public sector -A general, functional specification of the requirements applicable to the procurement of PKI for use in electronic communication with and within the public sector -Specifies three security levels for PKI A common framework for Authentication and Repudiation: -Advise on assessing adequate security of egovernment services to establish common criteria and practice -Divided into two categories: Level of risks and level of security

5 Copyright © 2008, CIBER Norge AS 5 The PKI specification: Levels of security Person High: Transactions where there is a need for a high degree of certainty about the identity of the originator; eg. access to particularly sensitive information or where damage caused by compromise would be extensive Person Standard: Transactions where there is a need for a reasonable degree of certainty about the identity of the originator or where the damage caused by compromise would be medium level Enterprise: Transactions where there is a need for a high degree of certainty that the originator is/represents a specified enterprise or where the damage caused by compromise would be extensive

6 Copyright © 2008, CIBER Norge AS 6 The common framework: Levels of risk -Level 1: No risk for negative consequences if there occurs a security breach during authentication/signing -Level 2: Low or minimal damages or consequences -Level 3: Moderate damages or consequences -Level 4: Large and possibly permanent damages or consequences -Risk = Probability x Consequences -Criteria’s for deciding the risk level -Consequences for life and health -Financial losses -Loss of reputation / integrity -Prevention of prosecution -Negligently contribution to violation of the law -Inconvenience

7 Copyright © 2008, CIBER Norge AS 7 The common framework: Levels of security -Level 1: No or low security requirements, open information -Level 2: One authentification factor -Level 3: Two authentification factors, where one is dynamic -Level 4: PKI -Criteria’s for deciding the security level -Requirements for authentication factors and their security properties -Requirements for distributing electronic IDs to the users -How stored authentication factors must be secured -Requirements to repudiation -Requirements to public approval

8 Copyright © 2008, CIBER Norge AS 8 Concepts of PKI Definitions: Electronic signatures –Electronic IDs –Public and private keys –Certificates Creating a signature Validating a signature –Validating the signature –Validating the certificate Signed data objects –How to store validated signatures over time

9 Copyright © 2008, CIBER Norge AS 9 Definitions: Electronic signature An electronic signature is used for signing electronic information in order to give the receiver a proof of the senders identity (authentication) and the documents integrity. This is done by encrypting the information using the signers private key [1]. The user receiving the information can validate the signature using the signers public key [2], that is sent together with the shipment. The public signature is also made available at a Certificate Authority, CA [3]. [1][1] A private key is a key that only is available for the owner of the key. It is used for encrypting a document or creating an electronic signature. [2][2] A public key is a key that is made public for all communication parts, and is used for decrypting an encrypted document or validating an electronic signature. [3][3] The CA is a trusted authority that issues the private / public key pair to a user (certificate), and holds a list of valid public keys for users, in addition to a Certificate Revocation List (CRL) for expired key pairs, stolen keys or other keys that no longer can be trusted.

10 Copyright © 2008, CIBER Norge AS 10 Creating a signature Signing modul Hash() Document private )( hash value SENDER Electronic signature

11 Copyright © 2008, CIBER Norge AS 11 Validating a signature Validating signature Validating certificate Electronic signature CA OK / not OK Hash() Document hash value SENDER hash value RECEIVER compare Certificate public )( Electronic signature

12 Copyright © 2008, CIBER Norge AS 12 Signed data objects A certificate will always end up in a CRL-list  Expired, stolen, lost… How can we in 10 years validate an electronic signature? -In Norway it is created a standard for storing validated signatures – SEID-SDO. -The standard makes it possible to store and exchange documents signed by electronic signatures over time. -It is solved by adding data into the signed data object at the time of validation; who validated the signature and the status of the signature at validation time. SEID-SDO Document Certificate Electronic signature Validation information

13 Copyright © 2008, CIBER Norge AS 13 Using eID in Norway Several private and public distributed eIDs are in use – mostly level 2 and 3. PKI is not commonly used Norway are developing an intercommunication hub called ’Samtrafikknavet’ ’Samtrafikknavet’ will validate already existing public eID (and possibly private), and provide Single Sign-On for the citizens of Norway in their use of e- Goverment services The project was assigned 80 MNOK on the budget for 2009 DIFI is managing the development and implementation project, and will be the administrator of the service A parallel project is to distribute a level 4 eID (PKI) in a national ID card developed by the Ministry of Justice

14 Copyright © 2008, CIBER Norge AS 14 Questions?

Download ppt "Copyright © 2008, CIBER Norge AS 1 Using eID and PKI – Status from Norway Nina Ingvaldsen and Mona Naomi Lintvedt 22 nd October 2008."

Similar presentations

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.

Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Public Key Infrastructure and Applications

Public Key Infrastructure and Applications
Introduction of Grid Security

Introduction of Grid Security
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct, 17 2012.

Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.

Authentication Cristian Solano. Cryptography is the science of using mathematics to encrypt and decrypt data. Public Key Cryptography –Problems with key.
HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.

Encryption and the Law: The need for a legal regulatory framework for PKI Yee Fen Lim Department of Law Macquarie University.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

Similar presentations

Ads by Google