Prof.Dr.Victor PATRICIU, ROMANIA
ITU- E-Commerce Centers for the CEE, CIS & Baltic States Regional Seminar on E-Commerce
May 14-17, 2002, Bucharest, ROMANIA
Trust & Security in E-Commerce
Professor Dr. Victor-Valeriu Patriciu, Bucharest, ROMANIA
Contents
• Trust Infrastructure for E-Commerce
• PKI Technology for Trusting E-commerce
  New Cryptography Basics
  PKI basic principles & Architectures
  Digital certificates & Certificate Authorities
  CRLs
  Applications
• PKI & CSP Legislation & Regulation
  Certification Policies & Practices
  PKI & CSP Assessment & Accreditation
  Legislation, Regulation & Guidelines
  EU Electronic Signature Directive
• Romanian legislation on electronic signature
  Romanian Law on Electronic Signature
  Government's Decree for Electronic Signature Application
A Trust Infrastructure for E-Commerce
• Electronic commerce promises vast revenues;
• It looks attractive in theory, but the truth is that only a small percentage use e-commerce services, and an even smaller percentage use them regularly;
• Diverse sectors – IT, telecommunications, financial institutions, retailers and governments – are driving towards a future where we conduct transactions electronically: every day, anytime and anywhere;
A Trust Infrastructure for E-Commerce
• But all of this comes to nought until one crucial obstacle is overcome – the question of security;
• Fraudsters & hackers will actively target all e-commerce services, service providers and the infrastructure;
• Security weaknesses become a major concern when conducting online transactions over the Internet because of: sensitive financial details for online payment; trade secrets and other confidential information; the privacy of e-commerce actions: paying bills, trading stocks and shares, filing our income tax returns, conducting legal transactions and voting in government elections;
A Trust Infrastructure for E-Commerce
• Trust Services are an emerging enabler for e-commerce.
• They deliver trust & confidence at various stages of business interaction, including: establishing and maintaining trust, negotiations, contract formation, fulfilment, dispute resolution.
• There are significant technical, legal and business problems.
• Trust Service Providers must:
  be accountable for the service they provide;
  be around for the long term (disputes can occur years after the transaction);
  have a trust infrastructure;
  offer services that make life simpler for e-commerce participants.
A Trust Infrastructure for E-Commerce
• It is not yet very clear what the range of trust services will be.
• They can certainly be expected to include services to support trust establishment, negotiation, agreement and fulfilment: Identity services, Authorisation services, Anonymity services, Trust rating and recommendation services, Assured message delivery, Auditable receipt generation, Storage (archival), Notarisation, Delivery (storage & notarisation), Timestamping services, E-signature.
A Trust Infrastructure for E-Commerce
Example of Trust Services required for:
• Negotiating a contract
• Contract signing
A Trust Infrastructure for E-Commerce
[Slide table "Business / Trust Services": the rows are the trust services Authentication, Authorization, Assured Messaging, Secure Storage, Timestamping, E-Signature and Certification/Rating; the columns are the business stages Contact Exchange, Find Partners, Credibility Check, Negotiating and Contract Signing. Each cell marks with "yes" whether the service is required at that stage. The cell positions did not survive extraction; what remains is that Authentication and Authorization each apply to one stage, Secure Storage and Certification/Rating to two, and Assured Messaging, Timestamping and E-Signature to three.]
PKI Technology for Trusting E-Commerce
• Public Key Infrastructure (PKI) technology has emerged as the most reliable framework for ensuring Security and Trust over the Internet.
• It is based on the principle of Asymmetric Cryptography.
• In the PKI model:
  A Key is a long string of data used to encrypt or decrypt a given piece of information.
  Every user has a unique key pair – the Public Key and the corresponding Private Key.
  The private key is kept confidential, whereas the public key is made available to the public.
  Messages encrypted with a Public Key can only be decrypted with the corresponding Private Key, and vice-versa.
  The Public Key is predominantly used for encryption and the private key for Digital Signatures.
PKI Technology for Trusting E-Commerce
- Public Key Cryptography -
• Public key cryptography: for every person a key pair:
  Public key (for encryption or signature verification)
  Private key (for decryption or signature creation)
PKI Technology for Trusting E-Commerce
- Digital Signatures -
PKI Technology for Trusting E-Commerce
- Pillars of Trust -
• PKI is the only security and trust framework that fulfils the four vital requirements of e-commerce, known as the Four Pillars of Trust:
  Authentication - the means of identification employed. For e-Commerce transactions, the absence of face-to-face interaction creates the need for a foolproof method of identification. PKI offers the most secure means of authentication available today through Digital Certificates.
  Confidentiality - secure transmission of data over open networks and preventing data access by unauthorized entities is of paramount importance. PKI ensures confidentiality through the use of time-tested Encryption Algorithms.
  Integrity - data transferred through open networks should not be altered or modified during transit. Integrity of data is ensured through Data Hashing.
  Non-Repudiation - it is necessary to ensure that the sender does not disown data sent. There should be a trustworthy means to guarantee the ownership of the electronic document. PKI ensures non-repudiation through the use of Digital Signatures.
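The key-pair model, the public-key cryptography and digital-signature slides, and the Four Pillars above all describe the same small set of operations. The following Python (added here as an illustration; it is not code from the slides or from the author) models them with the standard library only: the public key encrypts and verifies, the private key decrypts and signs, a hash binds the signature to the data, and verification fails as soon as the signed data is altered. The primes, the secret and the order text are constructed sample values, and the RSA is textbook-sized and unpadded, which is a model of the principle rather than anything a production PKI may use.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=65537):
    """Build an RSA key pair from two primes.

    Constructed toy parameters are passed in by demo(); real keys are
    1024-bit or larger random primes, never small fixed ones.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent (modular inverse, Python 3.8+)
    return (n, e), (n, d)  # (public key, private key)


# Confidentiality: anyone encrypts with the public key; only the private
# key holder can decrypt.
def encrypt_block(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message block must be smaller than the modulus")
    return pow(m, e, n)


def decrypt_block(private, c):
    n, d = private
    return pow(c, d, n)


# Integrity: the message is hashed before signing (SHA-1, as listed on the
# deck's algorithm slide; superseded by SHA-2 in current practice). The digest
# is reduced into the modulus range because this toy RSA has no padding.
def digest(message, modulus):
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % modulus


# Non-repudiation: only the private key can produce a signature that the
# public key accepts, so the signer cannot later disown the data.
def sign(private, message):
    n, d = private
    return pow(digest(message, n), d, n)


def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == digest(message, n)


def demo():
    """Run the properties on constructed sample data and report the outcome."""
    public, private = make_keypair(1000000007, 998244353)  # constructed primes
    secret = 123456789
    confidentiality = decrypt_block(private, encrypt_block(public, secret)) == secret
    order = b"Buy 100 shares of ACME at 12.50"  # constructed sample order
    sig = sign(private, order)
    authentic = verify(public, order, sig)
    tampered = b"Buy 900 shares of ACME at 12.50"
    integrity = not verify(public, tampered, sig)  # altered data fails the check
    return {"confidentiality": confidentiality,
            "signature_verifies": authentic,
            "tamper_detected": integrity}


if __name__ == "__main__":
    print(demo())
```

The part a relying party actually depends on is the last check: a signature made over one order does not verify over a different one, which is what makes the hash-then-sign construction serve both the Integrity and the Non-Repudiation pillars.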
PKI Technology for Trusting E-Commerce
- Certification Authorities -
[Slide figure: Key Distribution]
PKI Technology for Trusting E-Commerce
- ITU X.509 v3 Digital Certificate -
• PKI - a set of components (hardware & software) that work together for using public-key technology
• CA - a trusted authority which provides a statement (the Digital Certificate) that the enclosed public key belongs to the person whose name is attached
• CA - a central administration that issues certificates:
  an organization to its employees
  a company to its employees
  a university to its students
  a public CA (like VeriSign)
PKI Technology for Trusting E-Commerce
- PKI Architecture -
PKI Technology for Trusting E-Commerce
- CA Hierarchies -
[Slide figure: a Root CA at the top with subordinate CAs beneath it]
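What a relying party does with a hierarchy like the one in the figure is build a path from the certificate it was handed up to a root it trusts and check each link. The Python below is an added illustration, not code from the slides or from the author: certificates are plain dictionaries carrying the X.509 fields that path building needs (subject, issuer, serial, validity, and the basicConstraints CA flag and pathLen), the hierarchy and dates are constructed sample data, and the per-link signature check is left as a hook (`signature_ok`) so the example stays standard-library only and exercises the name-chaining, validity and constraint rules.

```python
from datetime import date

# Constructed sample hierarchy mirroring the figure: Root CA -> Intermediate CA
# -> end entity, plus one certificate "issued" by that end entity. Field names
# follow X.509: subject, issuer, serial, validity, basicConstraints (is_ca, path_len).
CERTS = [
    {"subject": "Root CA", "issuer": "Root CA", "serial": 1,
     "not_before": date(2001, 1, 1), "not_after": date(2011, 1, 1),
     "is_ca": True, "path_len": 1},
    {"subject": "Intermediate CA", "issuer": "Root CA", "serial": 2,
     "not_before": date(2001, 6, 1), "not_after": date(2006, 6, 1),
     "is_ca": True, "path_len": 0},
    {"subject": "alice@example.test", "issuer": "Intermediate CA", "serial": 3,
     "not_before": date(2002, 1, 1), "not_after": date(2003, 1, 1),
     "is_ca": False, "path_len": None},
    {"subject": "shop.example.test", "issuer": "alice@example.test", "serial": 4,
     "not_before": date(2002, 1, 1), "not_after": date(2003, 1, 1),
     "is_ca": False, "path_len": None},
]
TRUST_ANCHORS = {"Root CA"}  # the relying party's configured roots


def build_path(leaf, certs):
    """Chain issuer -> subject names from the leaf up to a self-issued root.

    Returns the path leaf-first, or None if an issuer is missing or the
    names loop.
    """
    by_subject = {c["subject"]: c for c in certs}
    path, seen = [leaf], {leaf["subject"]}
    while path[-1]["issuer"] != path[-1]["subject"]:
        issuer = by_subject.get(path[-1]["issuer"])
        if issuer is None or issuer["subject"] in seen:
            return None
        path.append(issuer)
        seen.add(issuer["subject"])
    return path


def validate_path(path, today, signature_ok=lambda cert, issuer: True):
    """Check a path root-first; return (ok, reason).

    signature_ok is the hook where a real relying party verifies each
    certificate's signature with its issuer's public key; it defaults to
    accepting, so this example exercises the name, validity and
    basicConstraints rules only.
    """
    if path is None:
        return False, "no path to a root"
    chain = list(reversed(path))  # root first, leaf last
    if chain[0]["subject"] not in TRUST_ANCHORS:
        return False, f"{chain[0]['subject']} is not a trust anchor"
    for cert in chain[:-1]:  # every issuer in the chain must be a CA
        if not cert["is_ca"]:
            return False, f"{cert['subject']} is not a CA but issued a certificate"
    for depth, cert in enumerate(chain):
        if not cert["not_before"] <= today <= cert["not_after"]:
            return False, f"{cert['subject']} is outside its validity period"
        issuer = chain[depth - 1] if depth else cert  # the root is self-issued
        if not signature_ok(cert, issuer):
            return False, f"signature on {cert['subject']} does not verify"
        # pathLenConstraint: how many CA certificates may still follow this one
        below = len(chain) - depth - 2
        if cert["path_len"] is not None and below > cert["path_len"]:
            return False, f"{cert['subject']} pathLen constraint exceeded"
    return True, "ok"


def check_subject(subject, today_iso):
    """Convenience entry point: build and validate the path for one subject."""
    leaf = next(c for c in CERTS if c["subject"] == subject)
    return validate_path(build_path(leaf, CERTS), date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(check_subject("alice@example.test", "2002-05-15"))
```

The fourth sample certificate shows why the CA flag matters: an end-entity certificate chains by name to the root just as well as a real CA certificate does, and only the basicConstraints check stops it from acting as an issuer.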
PKI Technology for Trusting E-Commerce
- Certificate Revocation Lists (CRLs) -
• A certificate must be revoked when: the private key is compromised; the private key is lost; a person leaves the company.
• All users can then know to no longer trust the certificate;
• Relying parties are expected to check the CRL before using a certificate;
• Use a sufficiently scalable and powerful CRL server. If a CRL is being used by applications for certificate validation, provisions must be in place for adequate availability of the CRL service (or applications should incorporate some backup procedures in case the CRL service is unavailable).
• OCSP - Online Certificate Status Protocol: inquires of the issuing CA whether a certificate is still valid (response: YES/NO).
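The slide leaves open what a relying party should do when the CRL service is down or the CRL it holds is past its nextUpdate. The Python below is an added illustration, not code from the slides or from the author, of one defensible policy: ask OCSP when a responder is configured, fall back to the CRL, check that the CRL comes from the right issuer and is within its validity window, and otherwise fail closed, with an explicitly configured grace window for a slightly stale CRL as the "backup procedure". The CRL, serials, reason codes and timestamps are constructed sample data, and the CRL's own signature is assumed to have been verified before this logic runs.

```python
from datetime import datetime, timedelta

# Constructed sample CRL as a CA would publish it (fields mirror an X.509 CRL).
SAMPLE_CRL = {
    "issuer": "Intermediate CA",
    "this_update": datetime(2002, 5, 14, 8, 0),
    "next_update": datetime(2002, 5, 15, 8, 0),  # CA promises a fresh CRL by then
    "revoked": {
        1001: "keyCompromise",        # the private key was compromised
        1002: "affiliationChanged",   # the person left the company
    },
}


class StatusUnavailable(Exception):
    """No trustworthy revocation information could be obtained."""


def crl_status(serial, issuer, crl, now):
    """Return 'good' or 'revoked' from a CRL, or raise StatusUnavailable."""
    if crl is None:
        raise StatusUnavailable("CRL service unreachable")
    if crl["issuer"] != issuer:
        raise StatusUnavailable("CRL was issued by a different CA")
    if now < crl["this_update"]:
        raise StatusUnavailable("CRL dated in the future (clock or replay problem)")
    if now > crl["next_update"]:
        raise StatusUnavailable("CRL is stale (past nextUpdate)")
    return "revoked" if serial in crl["revoked"] else "good"


def ocsp_status(serial, responder):
    """OCSP model: ask the issuer's responder for a good/revoked answer."""
    try:
        answer = responder(serial)
    except OSError as exc:
        raise StatusUnavailable(f"OCSP responder unreachable: {exc}")
    if answer not in ("good", "revoked"):
        raise StatusUnavailable(f"OCSP responder answered {answer!r}")
    return answer


def certificate_usable(serial, issuer, now, crl=None, responder=None,
                       stale_grace=timedelta(0)):
    """Decide whether a relying party may use a certificate; returns (usable, source).

    Order: OCSP if a responder is configured, then the CRL. With no usable
    answer the certificate is rejected (fail closed), except that a CRL past
    nextUpdate by at most stale_grace is still consulted, which is the kind
    of backup procedure the slide asks applications to provide.
    """
    problems = []
    if responder is not None:
        try:
            return ocsp_status(serial, responder) == "good", "ocsp"
        except StatusUnavailable as exc:
            problems.append(str(exc))
    try:
        return crl_status(serial, issuer, crl, now) == "good", "crl"
    except StatusUnavailable as exc:
        problems.append(str(exc))
    if (crl is not None and crl["issuer"] == issuer
            and crl["next_update"] < now <= crl["next_update"] + stale_grace):
        return serial not in crl["revoked"], "stale-crl-within-grace"
    return False, "; ".join(problems)


def demo():
    """Exercise the decision logic on constructed scenarios."""
    fresh = datetime(2002, 5, 14, 12, 0)
    stale = datetime(2002, 5, 15, 10, 0)  # two hours past nextUpdate

    def responder_up(serial):
        return "revoked" if serial == 1001 else "good"

    def responder_down(serial):
        raise OSError("connection timed out")

    return {
        "fresh_crl_good": certificate_usable(2000, "Intermediate CA", fresh, SAMPLE_CRL),
        "fresh_crl_revoked": certificate_usable(1001, "Intermediate CA", fresh, SAMPLE_CRL),
        "ocsp_revoked": certificate_usable(1001, "Intermediate CA", fresh, SAMPLE_CRL, responder_up),
        "ocsp_down_crl_good": certificate_usable(2000, "Intermediate CA", fresh, SAMPLE_CRL, responder_down),
        "stale_crl_with_grace": certificate_usable(2000, "Intermediate CA", stale, SAMPLE_CRL,
                                                   stale_grace=timedelta(hours=6)),
        "stale_crl_no_grace": certificate_usable(2000, "Intermediate CA", stale, SAMPLE_CRL),
        "no_crl_no_ocsp": certificate_usable(2000, "Intermediate CA", fresh),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The grace window is the one knob that trades availability against the risk of honouring a revoked certificate; keeping it explicit (and zero by default) makes that trade a deliberate configuration decision rather than an accident of an unreachable CRL server.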
Standards that rely on a PKI
• S/MIME - PKI for digitally signing and encrypting messages and attachments
• SSL/TLS - secure access to Web servers
• SET - secure electronic bankcard payments
• IPSec - in VPNs for encryption & authentication
PKI Applications in Securing E-commerce
• Securing e-Business applications:
  Online Auction Markets / Exchange Sites
  Online Procurement Solutions & Web Catalogues
  Corporate Purchasing
  Online Contracting
  Security solutions for traditional EDI
  Online delivery of intellectual products
• Secure e-Governance:
  Security solutions for government documentation
  Online tax filing and payment solutions
  Online payment of public utility charges and government levies
  Online application and receipt of government approvals
PKI Applications in Securing E-commerce
• Security solutions for e-Banking:
  Electronic Funds Transfer / Payments
  Trade Finance / Letter of Credit
  Bill Presentment and Payment
  Statement Delivery
• Securing Electronic Office Applications:
  Transformation to paperless office systems through digital signatures
  Encryption
  Archiving facilities for document storage
  Secure E-mail Communication
PKI Applications in Securing E-commerce
• Security solutions for healthcare:
  Secure delivery of online medical advice
  Storage and authenticated access to health records
  Privacy solutions for medical transcriptions
• Security solutions for education:
  Security & authentication solutions for distance education and online examinations
  Security solutions for electronic certificates and credentials
  Online university application solutions
  Solutions for student identity along with smart cards
Legislation & Regulation
Legal and regulatory problems to be solved:
• Certification Policies & Practices for Public CAs (Certificate Service Providers, CSPs) and Organizational CAs
• PKI & CSP Assessment & Accreditation: widely accepted criteria from national/international bodies
• Legislation, Regulations & Guidelines for PKI & electronic signatures
Certification Policies & Practices
CPs and CPSs are tools to help establish trust in interactions between Certification Authorities (CAs) and permit cross-certification, i.e., trusting other CAs' certificates.
CPs help answer questions such as:
• what can the certificate be used for?
• which algorithms have been used?
CPSs help answer questions such as:
• how are users enrolled by the CA?
• how is the CA managed?
RFC 2527 - framework for CP & CPS structure.
Certification Policies & Practices
GENERAL PROVISIONS
  OBLIGATIONS
    CA obligations
    RA obligations
    Subscriber obligations
  REQUIREMENTS FOR ISSUING TO NON-US GOVERNMENT SUBSCRIBERS
  INTERPRETATION AND ENFORCEMENT
  PUBLICATION AND REPOSITORY
  CONFIDENTIALITY
  INTELLECTUAL PROPERTY RIGHTS
Certification Policies & Practices
IDENTIFICATION AND AUTHENTICATION
  INITIAL REGISTRATION
  CERTIFICATE RENEWAL, UPDATE, AND ROUTINE REKEY
  REPLACING KEY AFTER REVOCATION
  REVOCATION REQUEST
OPERATIONAL REQUIREMENTS
  CERTIFICATE APPLICATION
  CERTIFICATE ISSUANCE
  CERTIFICATE ACCEPTANCE
  CERTIFICATE SUSPENSION AND REVOCATION
  SECURITY AUDIT PROCEDURES
  CA KEY CHANGE
  COMPROMISE AND DISASTER RECOVERY
Certification Policies & Practices
PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS
TECHNICAL SECURITY CONTROLS
  KEY PAIR GENERATION AND INSTALLATION
  PRIVATE KEY PROTECTION
  COMPUTER SECURITY CONTROLS
  LIFE CYCLE TECHNICAL CONTROLS
  NETWORK SECURITY CONTROLS
  CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS
CERTIFICATE AND CRL PROFILES
  CERTIFICATE PROFILE
  CRL PROFILE
PKI & CSP Assessment and Accreditation
• Role of PKI assessment:
  Necessary for licence & accreditation
  Necessary for PKI interoperation and trust
  Enhances PKI support for non-repudiation
  Required for insurance purposes
  Necessary for risk management
• Assessment targets:
  PKI environment
  Systems & subsystems
  Discrete components
  Cryptomodules
• Main subjects for PKI assessment:
  CA policies, practices and management controls
  Key & device management controls
  Certificate life-cycle controls
PKI & CSP Assessment and Accreditation
• PKI assessment types:
  Self-assessment
  Internal audits
  External audits
• PKI assessment requirements:
  Provision of certain documents
  Certification of technical systems
  Review of specified policies and practices
• PKI assessment models:
  Information security evaluation criteria (Common Criteria, ITSEC, TCSEC, BS 7799 - Code of Practice for Information Security Management)
  Australian Gatekeeper program - GPKA
  UK tScheme, a self-regulation scheme
  ABA - PAG, PKI Assessment Guidelines
  American Institute of Certified Public Accountants - WebTrust
Legislation
• General E-Commerce Legislation and Regulation:
  EFTA, Electronic Funds Transfer Act (USA), 1978
  UN Model Law on E-Commerce, 1996 (UNCITRAL)
  UCITA, Uniform Computer Transaction Act, 1999 (NCCUSL, USA)
  UNCID, Uniform Rules for Interchange of Trade Data by Teletransmission (ICC - International Chamber of Commerce)
  OECD Guidelines
  E-Terms (ICC)
• Electronic Signature Legislation and Regulation:
  UETA, Uniform Electronic Transaction Act (NCCUSL, USA), 1999
  Federal E-Sign Act, 2000 (USA)
  EU Electronic Signature Directive, 1999
  UN Draft Model Law on Electronic Signature, 2000 (UNCITRAL)
  Digital Signature Guidelines (ABA, USA), 1996
Legislation
DIRECTIVE 1999/93/EC of the EUROPEAN PARLIAMENT AND COUNCIL of 13 December 1999 on a Community Framework for Electronic Signatures
Directive highlights
• Legal recognition of electronic signatures
• Technology neutral
• Free flow of products and services
• Excludes prior authorisation or licensing schemes for Certification Service Providers
• Mandates a supervision scheme for CSPs
• Calls for monitoring of the Voluntary Accreditation Scheme
Definitions
• Electronic signature
• Certification Service Provider (CSP)
• Advanced electronic signature
• Signature creation/verification data
• Signature creation/verification device
• Qualified certificate
• Qualified signature
Scope of Directive
The two main objectives of the directive:
• Free internal market for electronic signatures and certification services - broad scope: all kinds of electronic signatures, all kinds of certification services, all kinds of signature products.
• Legal equivalence of electronic signatures with hand-written signatures - limited scope: only under certain conditions, only for specific purposes, with many exceptions.
Internal Market
1. Authorisation (obligatory): forbidden
2. Accreditation (voluntary): allowed
3. Supervision: obligation for Member States to control, via supervision, CSPs issuing qualified certificates to the public; e.g. a self-declaration scheme with subsequent control by a governmental body or private institution
Legal Recognition
• General principle: legal effect for all electronic signatures;
• Second principle: certain electronic signatures get the same legal effect as a hand-written signature;
[Slide figure: nested levels, from the broadest to the narrowest: Electronic signatures, Advanced electronic signatures, Qualified signatures]
Qualified signature: advanced electronic signature + qualified certificate + secure signature creation device.
The Annexes
• Requirements:
  Annex I: Qualified certificate
  Annex II: Certification Service Providers issuing qualified certificates
  Annex III: Secure Signature Creation Device
• Recommendations:
  Annex IV: Signature verification
International aspects
Foreign certificates = Qualified certificates if:
• the foreign CA fulfils the same requirements + accreditation by a Member State; or
• a European CA guarantees for the foreign CA; or
• recognition by treaty with the EU.
EESSI: European Electronic Signature Standardization Initiative
• Industry initiative led by the ICT Standards Board (CEN, ETSI, ...)
• Based on a mandate from the European Commission
• Supports the requirements of the EU Directive
• Interoperability standards for electronic signatures
• Standards for CSPs
• Standards for signature creation and verification products
• Signature formats: simple, co-signature, counter-signature, XML signature format
• A better understanding of signature policies
• Defining protocols for: time stamping, access to a repository with certificates and revocation information, etc.
Technical Framework for Qualified Electronic Signatures
• Although "technology neutral", the Directive implicitly defines a technical framework
• A proposed first set of components that can be used:
  Asymmetric cryptography: RSA, DSA, ECDSA
  Certificate-based verification using ITU X.509
  Public Key Infrastructure with CAs and Directories
  Smart cards / hardware tokens for private key protection
• Reasons for this selection:
  Generally accepted, existing standards
  Urgent need for standardized use of these technologies!
EESSI Standards overview
[Slide figure: the EESSI standards map. Areas covered: signature creation process and environment; signature validation process and environment; signature format and syntax; creation device; requirements for CSPs; trustworthy system; qualified certificate; time stamp. Actors: Certificate Service Provider, User/signer, Relying party/verifier. Standards bodies: CEN E-SIGN, ETSI ESI.]
ROMANIA - Law on Electronic Signatures
• Adopted by the Romanian Parliament in July 2001;
• Establishes:
  the legal regime of electronic documents;
  the conditions for issuing certification services for digital signatures.
Law on Electronic Signatures
- Definitions -
• Electronic signature
• Extended (Advanced) Electronic Signature:
  it is uniquely linked to the signatory;
  it is capable of identifying the signatory;
  it is created using means that the signatory can maintain under his sole control;
  it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
• Signature-creation/verification data
• Secure-signature-creation/verification device
• Certificate / Qualified certificate
• Certification-service-provider (CSP)
• Voluntary accreditation
Law on Electronic Signatures
- Legal specifications for electronic documents -
• An electronic document with an extended electronic signature, based on a qualified certificate and generated using a secure-signature-creation device, is assimilated with a document bearing a hand-written signature;
Prof.Dr.Victor PATRICIU, ROMANIA
demonstrate reliability for providing certification services; ensure a secure directory and a revocation service; ensure the precise date/time when a certificate is issued /
revoked; verify, by appropriate means identity & attributes of the person
to which a qualified certificate is issued; employ personnel with knowledge, experience, and
qualifications; use trustworthy systems and products; maintain sufficient financial resources for liability for damages,
by obtaining appropriate insurance; record all relevant information concerning a qualified certificate
for an appropriate period of time; not store or copy signature-creation data of the person to whom
the CSP provided key management services;
Law on Electronic Signatureson Electronic Signatures CSP-Certificate Services ProvidersCSP-Certificate Services Providers
Prof.Dr.Victor PATRICIU, ROMANIA
Law on Electronic Signatures
- CSP - Certification Service Providers -
• A National Body (the Romanian Authority for Reglementation and Supervision) is created, which:
  conducts the CSP accreditation process;
  conducts the homologation process of the SSCD (Secure-Signature-Creation Device);
  periodically supervises CSPs;
  publishes on the Internet the Romanian CSP Register, with specifications for accredited CSPs.
Decree for the application of the Electronic Signatures Law
• Adopted in December 2001
• Contains methodological and technical regulations for the use of electronic signatures
• Contents:
  Definitions
  Practical specifications for the activity of the Romanian Authority for Reglementation and Supervision
  Practical specifications for the activity of CSPs
  CSP accreditation procedure
  Procedures for using electronic signatures
  Technical specifications for: private keys, algorithms, certificate revocation conditions
Decree for the application of the Electronic Signatures Law
The annexes contain:
  The structure of the Romanian CSP Register
  The structure of the Qualified Certificate
  The structure of the CSP notification for beginning activity
  The standard extensions of a certificate
  The structure of the Certificates Register at the CSP
  The Liability Letter
  Client information necessary for obtaining a certificate
Decree - Technical Details
• The private key of the Romanian Authority for Reglementation and Supervision (ARS) must be generated on an isolated and reliable dedicated system;
• ARS uses only the SHA hash function and RSA for digital signatures; use of the CRT method is prohibited;
• For extended electronic signatures:
  1024 bits for RSA;
  1024 bits for DSA;
  160 bits for DSA based on elliptic curves;
  RIPEMD-160 or SHA-1 hash functions;
• The formats for the Certificate & CRL Register at CSPs:
  CCITT (ITU-T) X.500 / ISO IS 9594
  RFC 2587 Internet X.509 PKI LDAPv3 Schema
  RFC 2587 Internet X.509 PKI Certificate and CRL Profile
Other Necessary Romanian Regulations
• The methodology for the homologation of secure signature creation devices
• The regulations for the activity of the Romanian Authority for Reglementation and Supervision
• The methodology for supervision of CSPs
• The methodology for accreditation of CSPs, based on:
  Certification Policy
  Certification Practices Framework
  Information Security Policy
  Internet Security Policy
  Emergency Response Plan
  Business Continuity Plan
• The methodology for the audit of information security.
Conclusions
• PKI technology ensures trust & security in e-commerce;
• Five key ingredients that trust service providers must offer:
  Accountability: at a minimum this must mean assurance that their processes will stand up to scrutiny in disputes.
  Survivability/Longevity: each service must produce technology and businesses that will be available to resolve disputes decades later.
  Confidentiality: the customer gives their sensitive data to the trust services; providers must ensure confidentiality even within their own organisation.
  Integrity: linked with accountability and longevity, but worth distinguishing. Because digital data is so easily created and forged, providers must be able to demonstrate the integrity of their information or the information they keep.
  Simplicity: to be successful, trust services must make life simpler for e-traders, and they must take account of existing infrastructure.
• PKI technology is still in progress and needs to solve a lot of legal, technological and business problems.