
RUE «National Center for Electronic Services» (РУП «Национальный центр электронных услуг»)

Experience in applying, and trends in the development of, electronic digital signature and public key infrastructure technologies in the Republic of Belarus. Vladimir Komisarenko, RUE «National Center for Electronic Services».



Presentation Transcript


  1. Experience in applying, and trends in the development of, electronic digital signature and public key infrastructure technologies in the Republic of Belarus. Vladimir Komisarenko, RUE «National Center for Electronic Services»

  2. PKI Structure. A public-key infrastructure (PKI) is a system for the creation, storage, and distribution of digital certificates; in digital signature applications it is used to verify that a particular public key belongs to a certain entity. Diagram components: Certificate Authority; Registration Authority; Directory Server (certificate repository); PKI Server with server-side software and a Server Cert; PKI Client (PC/phone/PDA) with client-side software and a Client Cert. The client requests a service, the server provides it, and both sides share certificate information through the repositories.

  3. Interaction between NPKI and GPKI: the CTL (Certificate Trust List) model in Korea. National PKI: KISA (Root CA) with the KISA Directory, Accredited CAs and their subscribers. Government PKI: GCC (Root CA) with the GCC Directory, Sub CAs and their subscribers. Each root issues a CTL covering the other domain: the CTL listing GCC is signed by KISA, and the CTL listing KISA is signed by GCC. Subscribers obtain the CTL issued by their own root and can thereby trust certificates from the other domain.

  4. Best Practice: National Tax Service. Tax services: electronic tax payment; the year-end tax adjustment service; online tax civil petition service; cash receipt service. Enables fairness and transparency in tax affairs.

  5. Best Practice: Online civil petition service. Online printing, online verification and online claims; about 150 services are available online. No more need to wait in line.

  6. Best Practice: Education Service. All education affairs are managed over the Internet: National Education Information System (NEIS); School Education affairs Management System (SEMS); Education Information Service (EDUNET); NEIS HELP System (HELPSYS); services for students and parents; education civil service.

  7. Best Practice: Internet Banking. 19 banks and the Post Office provide internet banking services based on accredited certificates. Internet banking users must use an accredited certificate for secure online transactions (since September 2002).

  8. Best Practice: Internet Shopping (credit card). Credit cards should be used together with an accredited certificate to strengthen the electronic payment process. For Internet shopping transactions over 300,000 won, purchasers are required to use an accredited certificate (since November 2005).

  9. Best Practice: Mobile Banking. Mobile banking service with certificates (since 2007): transferring a certificate from the PC to the mobile phone; generating the electronic signature on the mobile phone; certificate management software on the mobile phone.

  10. Number of Digital Certificates. 5 accredited CAs have issued around 28 million accredited certificates to subscribers in total. Major PKI applications: Internet banking, online stock trading, Internet shopping, procurement, e-Government services. (Chart: annual certificate issuance, September 2012, published by KISA.)

  11. HISTORY (legislation, standardization)

  12. STB 1176.1-1999 «Information technology. Information security. Hashing procedure». The standard was developed by Belarusian cryptographers.

  13. STB 1176.2-1999 «Information technology. Information security. Procedures for generating and verifying an electronic digital signature». The standard was developed by Belarusian cryptographers on the basis of the Schnorr scheme (Schnorr C. P., Efficient Signature Generation by Smart Cards, J. Cryptology, 4(3): 161–174, 1991). Its security rests on the practical intractability of the discrete logarithm problem in finite fields. Signatures are fast to generate and to verify. The signature value is short compared with other algorithms. The standard includes an algorithm for generating the prime numbers used as parameters.

  14. The main steps of the signature generation and verification algorithm (diagram)
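The slides describe the scheme behind STB 1176.2-1999 but show no code. The following Python is an added worked example, not code from the presentation, from NCES, or an implementation of the standard itself: it implements textbook Schnorr signatures over a prime-order subgroup of Z_p^*, including the parameter-generation step (a prime q, a prime p = k*q + 1, and a generator g of order q) that the slide says the standard covers. Two substitutions are this example's own assumptions: SHA-256 stands in for the STB 1176.1-1999 hash, and the parameter sizes (512-bit p, 160-bit q) are small demo values chosen so the example runs in well under a second; they are not the standard's sizes and are not fit for production use. All function and type names are the example's own.

```python
"""Textbook Schnorr signatures over a prime-order subgroup of Z_p^*.

Added example for the STB 1176.2-1999 slide: commit r = g^k, challenge
e = H(r, m) mod q, response s = k - e*x mod q. This is NOT an implementation
of the standard. Assumptions: SHA-256 replaces the STB 1176.1 hash, and the
demo parameter sizes (512-bit p, 160-bit q) are far too small for real use.
"""
import hashlib
import secrets
from typing import NamedTuple, Tuple


class Params(NamedTuple):
    p: int  # prime modulus
    q: int  # prime order of the subgroup, q divides p - 1
    g: int  # generator of the order-q subgroup


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witnesses that n is composite
    return True


def random_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_parameters(p_bits: int = 512, q_bits: int = 160) -> Params:
    """Generate q first, then search for a prime p = k*q + 1, then g of order q."""
    q = random_prime(q_bits)
    k_bits = p_bits - q_bits
    while True:
        k = (secrets.randbits(k_bits) | (1 << (k_bits - 1))) & ~1  # even k -> odd p
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        h = 2 + secrets.randbelow(p - 3)
        g = pow(h, (p - 1) // q, p)  # h^((p-1)/q) has order q unless it equals 1
        if g != 1:
            return Params(p, q, g)


def keygen(params: Params) -> Tuple[int, int]:
    """Private key x in [1, q-1]; public key y = g^x mod p."""
    x = 1 + secrets.randbelow(params.q - 1)
    return x, pow(params.g, x, params.p)


def _challenge(params: Params, r: int, message: bytes) -> int:
    """e = H(r || m) mod q. SHA-256 is an assumption; STB uses its own hash."""
    r_bytes = r.to_bytes((params.p.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(r_bytes + message).digest(), "big") % params.q


def sign(params: Params, x: int, message: bytes) -> Tuple[int, int]:
    """Signature (e, s): both components lie below q, so it is only 2*|q| bits."""
    k = 1 + secrets.randbelow(params.q - 1)  # fresh nonce; reuse leaks x
    r = pow(params.g, k, params.p)
    e = _challenge(params, r, message)
    s = (k - e * x) % params.q
    return e, s


def verify(params: Params, y: int, message: bytes, sig: Tuple[int, int]) -> bool:
    """Recompute r' = g^s * y^e = g^(k - e*x) * g^(e*x) = g^k and re-derive e."""
    e, s = sig
    if not (0 <= e < params.q and 0 <= s < params.q):
        return False  # reject out-of-range components before any arithmetic
    r = pow(params.g, s, params.p) * pow(y, e, params.p) % params.p
    return _challenge(params, r, message) == e


if __name__ == "__main__":
    P = generate_parameters()
    priv, pub = keygen(P)
    msg = b"constructed sample message"  # constructed input, not from the slides
    sig = sign(P, priv, msg)
    print("signature bits:", sig[0].bit_length() + sig[1].bit_length())
    print("valid:", verify(P, pub, msg, sig))
    print("tampered:", verify(P, pub, msg + b"!", sig))
```

The range check in `verify` matters: without it a verifier would accept alternative encodings of the same signature (for example s + q), which breaks the uniqueness assumptions that signed-document formats and revocation logic rely on. The short signature the slide mentions is visible here as well: both components are bounded by q, so the signature is about 320 bits for a 160-bit q regardless of the size of p.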

  15. LAW OF THE REPUBLIC OF BELARUS «On the Electronic Document», January 10, 2000. An electronic document is equivalent to a paper document and has the same legal force.

  16. UNCITRAL (United Nations Commission on International Trade Law), Model Law on Electronic Signatures with Guide to Enactment. United Nations.

  17. NOW 2013

  18. Means of digital signature: software, software-and-hardware, or technical means that implement one or more of the following functions: generating a digital signature; verifying a digital signature; generating the private key and the public key. Means of electronic digital signature must be certified in the national certification system.

  19. PKI Belarus Banking: Belinvest Bank Certificate Authority; BelSwiss Bank Certificate Authority; Belarus Bank Certificate Authority.

  20. PKI Belarus State: Customs Certificate Authority; Social Protection Fund Certificate Authority; Tax Certificate Authority; Mailgov Certificate Authority.

  21. LAW OF THE REPUBLIC OF BELARUS «On the Electronic Document and Electronic Digital Signature», December 28, 2009.

  22. PKI Belarus: Root CA; State Certificate Authority; Banking Certificate Authority; other Certificate Authorities; BelSwiss Bank Registration Authority; Belarus Bank Registration Authority.

  23. ARTICLE 17. THE STRUCTURE OF AN ELECTRONIC DOCUMENT. An electronic document consists of two integral parts: the general part and the special part. The general part consists of the information that forms the content of the document. The special part consists of one or more digital signatures and may also contain additional data needed to verify the digital signature(s) and to identify the electronic document, as established by technical regulations.

  24. ARTICLE 19. ORIGINAL ELECTRONIC DOCUMENT. An original electronic document exists only in electronic form. All identical copies of an electronic document are originals and have the same legal force.

  25. ARTICLE 22. LEGAL VALIDITY OF ELECTRONIC DOCUMENTS. An original electronic document is equivalent to a paper document signed by hand and has the same legal force. An electronic document signed after the revocation of the public key is not legally binding. An original electronic document and a copy of it that meets the requirements of Article 20 of this Law have the same legal force. Where legislation requires that a document be made in writing, the electronic document and its copy are deemed to satisfy this requirement.

  26. ARTICLE 29. THE STATE SYSTEM OF PUBLIC KEY MANAGEMENT
  • The State public key management system is intended to give all interested organizations and individuals access to information about public keys and their owners in the Republic of Belarus; it is a system of interconnected service providers accredited within it.
  • The main functions of the State public key management system are:
  • registration of private key owners;
  • publication, distribution and storage of public key certificates and certificate revocation lists;
  • creation and maintenance of databases of current and revoked public key certificates;
  • entry of public key certificates into the database of current public key certificates;
  • provision of access to the databases of current and revoked public key certificates;
  • revocation of public key certificates;
  • reliable confirmation that a public key belongs to a specific organization or individual.

  27. PRESIDENTIAL DECREE OF NOVEMBER 8, 2011 № 515 «ON SOME ISSUES OF THE INFORMATION SOCIETY IN THE REPUBLIC OF BELARUS». Establishes that the Operational and Analytical Center under the President regulates: the operation of the State public key management system for verifying digital signatures in the Republic of Belarus; cryptographic protection of information that does not contain state secrets.

  28. PRESIDENTIAL DECREE OF NOVEMBER 8, 2011 № 515 «ON SOME ISSUES OF THE INFORMATION SOCIETY IN THE REPUBLIC OF BELARUS». Establishes that the National Center for Electronic Services operates the root certification authority and the other components of the State public key management system.

  29. STB P 34.101.45-2011 «Information technology and security. Digital signature and key transport algorithms based on elliptic curves»

  30. MEANS. 1. Cryptographic software: must meet the requirements specified in the standards. 2. Hardware security module (HSM). The goals of an HSM are: onboard secure key generation; onboard secure storage; use of cryptographic keys and other sensitive material without exposing it; offloading complete cryptographic operations from application servers. HSMs provide both logical and physical protection of this material against unauthorized use and potential adversaries.

  31. TRUSTED THIRD PARTY Achievement of adequate levels of business confidence in the operation of IT systems is underpinned by the provision of practical and appropriate legal and technical controls. Business must have confidence that IT systems will offer positive advantages and that such systems can be relied upon to sustain business obligations and create business opportunities. An exchange of information between two entities implies an element of trust, e.g. with the recipient assuming that the identity of the sender is in fact the sender, and in turn, the sender assuming that the identity of the recipient is in fact the recipient for whom the information is intended. This "implied element of trust" may not be enough and may require the use of a Trusted Third Party (TTP) to facilitate the trusted exchange of information.

  32. SERVICES PROVIDED BY TTPS: key management, certificate management, identification and authentication support, privilege attribute service, non-repudiation, time stamping services, electronic public notary services

  33. Trusted third party (electronic public notary services): Russia TTPs; Kazakhstan TTPs; Belarus TTPs.

  34. RFC 3029 Internet X.509 Public Key Infrastructure Data Validation and Certification Server Protocols 4 types of validation and certification services: - Certification of Possession of Data (cpd), - Certification of Claim of Possession of Data (ccpd), - Validation of Digitally Signed Document (vsd), - Validation of Public Key Certificates (vpkc).

  35. RFC 3161 Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) The TSA is a TTP that creates time-stamp tokens in order to indicate that a datum existed at a particular point in time.

  36. COMMISSION DECISION of 25 February 2011 establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market (notified under document C(2011) 1081) (Text with EEA relevance) (2011/130/EU). Specifications for an XML, CMS or PDF advanced electronic signature to be technically supported by the receiving Member State.

  37. Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model Part 2: Security functional requirements Part 3: Security assurance requirements

  38. Experience in applying, and trends in the development of, electronic digital signature and public key infrastructure technologies in the Republic of Belarus. Vladimir Komisarenko, 229@tut.by, RUE «National Center for Electronic Services»
