1 / 24

e-Government Security and necessary Infrastructures

e-Government Security and necessary Infrastructures. Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean dlek @aegean.gr. Review. Do we really need security in the networks of Public Sector? What security requirements do we have?

libra
Download Presentation

e-Government Security and necessary Infrastructures

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. e-Government Security and necessary Infrastructures Dimitrios Lekkas Dept. of Systems and Products Design Engineering University of the Aegean dlek@aegean.gr

  2. Review • Do we really need security in the networks of Public Sector? • What security requirements do we have? • What solutions may we propose to cover the requirements?

  3. The traditional way of communication

  4. The modern way of communication within the public sector

  5. Possible problems (1) Confidentiality

  6. Possible problems (2) Integrity

  7. Possible problems (3) Availability

  8. Possible problems (4) I did not send it! I have never received it! Non-repudiation

  9. Possible problems (5) Secure Timestamping

  10. Possible problems (6) Authenticity

  11. We identified the following security requirements: • Confidentiality of the exchanged information • Integrity of the exchanged information • Availability of information and communication • Non-repudiation of (a) origin and (b) receipt • Timestamping of electronic documents • Authenticity of transacting parties

  12. Satisfy the requirements • Confidentiality: Public key Cryptography • Integrity: Digital signatures • Authenticity: Digital certificates and signatures • Availability: Lower level protocols, such as IPsec • Value-added services: Time-stamping, non-repudiation of origin and receipt, notary, privilege management

  13. Solutions; • Asymmetric and Symmetric cryptography • Public Key Infrastructure • Smart cards • Relevant Legal framework

  14. Cryptography • Symmetric (Traditional) cryptography • Same key for data encryption/decryption • Prior key agreement of transacting parties • Problems: protection of key distribution • Symmetric (Public Key) cryptography • Key pair: One private and one public • Data encrypted with on key can only be decrypted with the other • A private key is the property of one only physical entity • A public key is freely distributed

  15. Items of PKI

  16. Basic services Registration Certificate management Cryptographic functions Directory Services Data repository Certification Services Provision • Support • Administration • Audit and Control • Logging • User support

  17. Value-added Services • A CSP as Time-Stamping Authority • A CSP as Key Distribution Center • A CSP as Privilege Management Authority • A CSP as Notary • A CSP as Evidence Provider

  18. CSP Requirements in e-gov • Reliability demonstration • Physical security • Publishing of certification policies and practices • Risk analysis • Protection of Personal Data • Long-term repositories of signature verification data • Insurance ? • ISO 9000 certification ?

  19. Digital Signature • Definition • A Digital Signature is data attached or co-related to an electronic document, that are used to verify its authenticity. • Characteristics • It is uniquely related to the signer • Provides a means to identify the signer • It is created by means under the absolute control of the signer • It is uniquely related to the document • It assures the integrity of the document

  20. Digital Certificate • A Digital Certificate is a Signed Data Structure that binds a physical entity to a public key that possesses. • The certificate is digitally signed by an Authority (Trusted Third Party) Trusted and Qualified to act as a Certification Services Provider (CSP). • It assures by Technical and Legal means that a public key belongs to a specific entity and consequently that this entity legally possesses the relevant private key.

  21. Smart Cards • Special Smart Cards with crypto-processor are used in PKI • Ideal solution for private key storage: • Key pairs produced within the card • Digital signature creation is performed within the card • Private key is never exported from the smart card • Mobile • PIN protected • Reliability and Physical durability

  22. Legal framework • Digital signatures are internationally recognised as equivalent to handwritten signatures and in some cases as stronger • The European Directive EC/93/99 on Digital Signatures is already adopted by the 15 member states • The Directive is adopted in Greece by the Presidential Decree 150/2001 • National Telecommunication Authorities (e.g. EETT) publish regulations for the provision of Qualified Certification Services.

  23. Do we need something else; • Information Systems Security does not succeed with the simple raising of physical or electronic barriers. • An integrated Security Policy is needed, that will be the basis for the construction of security procedures.

  24. Summary • Electronic Government is close. • Secure e-Government is still at a distance. • … but it must (and it can) come closer! • The Public Sector must face the ICT Security as a fundamental issue.

More Related