ITU E-Commerce Centers for the CEE, CIS & Baltic States
Regional Seminar on E-Commerce, May 14-17, 2002, Bucharest, ROMANIA

Trust & Security in E-Commerce
Professor Dr. VICTOR-VALERIU PATRICIU, Bucharest, ROMANIA

Prof.Dr.Victor PATRICIU, ROMANIA
Contents
• Trust Infrastructure for E-Commerce
• PKI Technology for Trusting E-Commerce
  • New cryptography basics
  • PKI basic principles & architectures
  • Digital certificates & Certificate Authorities
  • CRLs
  • Applications
• PKI & CSP Legislation & Regulation
  • Certification Policies & Practices
  • PKI & CSP Assessment & Accreditation
  • Legislation, Regulation & Guidelines
  • EU Electronic Signature Directive
  • Romanian legislation on electronic signature
    • Romanian Law on Electronic Signature
    • Government's Decree for Electronic Signature Application
A Trust Infrastructure for E-Commerce
• Electronic commerce promises vast revenues.
• It looks attractive in theory, but the truth is that:
  • only a small percentage of people use e-commerce services, and
  • an even smaller percentage use them regularly.
• Diverse sectors (IT, telecommunications, financial institutions, retailers and governments) are driving towards a future where we conduct transactions electronically:
  • every day,
  • anytime and
  • anywhere.
A Trust Infrastructure for E-Commerce
• But all of this comes to nought until one crucial obstacle is overcome: the question of security.
• Fraudsters and hackers will actively target:
  • all e-commerce services,
  • service providers and
  • the infrastructure.
• Security weaknesses become a major concern when conducting online transactions over the Internet because of:
  • the sensitive financial details used for online payment;
  • trade secrets and other confidential information;
  • the privacy of e-commerce actions: paying bills, trading stocks and shares, filing income tax returns, concluding legally binding transactions and voting in government elections.
A Trust Infrastructure for E-Commerce
• Trust Services are an emerging enabler for e-commerce.
• They deliver trust and confidence at various stages of a business interaction, including:
  • establishing and maintaining trust,
  • negotiation,
  • contract formation,
  • fulfilment,
  • dispute resolution.
• There are significant technical, legal and business problems.
• Trust Service Providers must:
  • be accountable for the service they provide;
  • be around for the long term (disputes can occur years after a transaction);
  • have a trust infrastructure;
  • offer services that make life simpler for e-commerce participants.
A Trust Infrastructure for E-Commerce
• It is not yet very clear what the range of trust services will be.
• They can certainly be expected to include services to support trust establishment, negotiation, agreement and fulfilment:
  • Identity services,
  • Authorisation services,
  • Anonymity services,
  • Trust rating and recommendation services,
  • Assured message delivery,
  • Auditable receipt generation,
  • Storage (archival),
  • Notarisation,
  • Delivery (storage & notarisation),
  • Timestamping services,
  • E-signature.
A Trust Infrastructure for E-Commerce
• Example of the trust services required for:
  • negotiating a contract
  • contract signing
(Two diagram slides showed these flows; the diagrams are not reproduced here.)
PKI Technology for Trusting E-Commerce
• Public Key Infrastructure (PKI) technology has emerged as the most widely relied-upon framework for ensuring security and trust over the Internet.
• It is based on the principle of asymmetric cryptography.
• In the PKI model:
  • A key is a long string of data used to encrypt or decrypt a given piece of information.
  • Every user has a unique key pair: the Public Key and the corresponding Private Key.
  • The private key is kept confidential, whereas the public key is made available to the public.
  • Data encrypted with a Public Key can only be decrypted with the corresponding Private Key; conversely, a signature created with the Private Key can only be verified with the corresponding Public Key.
  • So the public key is used for encryption and signature verification, and the private key for decryption and digital signing.
PKI Technology for Trusting E-Commerce - Public Key Cryptography
• Public key cryptography: every person has a key pair:
  • Public key (for encryption or signature verification)
  • Private key (for decryption or signature creation)

PKI Technology for Trusting E-Commerce - Digital Signatures
(Diagram slide showing the signing and verification flow; not reproduced here.)
PKI Technology for Trusting E-Commerce - Pillars of Trust
• PKI is the security and trust framework that addresses all four vital requirements of e-commerce, known as the Four Pillars of Trust:
  • Authentication: the means of identification employed. For e-commerce transactions, the absence of face-to-face interaction creates the need for a strong method of identification. PKI offers strong authentication through digital certificates bound to a private key that only the holder can use.
  • Confidentiality: secure transmission of data over open networks and prevention of data access by unauthorised entities is of paramount importance. PKI ensures confidentiality through the use of time-tested encryption algorithms (in practice a public-key operation protects a symmetric session key, which encrypts the bulk data).
  • Integrity: data transferred through open networks should not be altered or modified in transit. Integrity is ensured by signing a cryptographic hash of the data. A bare hash is not enough: whoever alters the data can simply recompute the hash, so the hash must be covered by a signature (or another key-dependent check).
  • Non-repudiation: it is necessary to ensure that the sender cannot disown data sent. There should be a trustworthy means to establish the origin of an electronic document. PKI supports non-repudiation through digital signatures, provided the private key stayed under the signer's sole control and the time of signing can be established (timestamping, revocation records).
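As an added worked example (the editor's code, not from the slides), the operations behind the four pillars using Go's standard library on a constructed order message. It checks the integrity caveat above directly: an attacker who changes the order can recompute a bare hash and pass the hash-only check, but cannot make the old signature verify over the new data. The order strings, the card details and the 2048-bit key size are the editor's choices; a real deployment would sign a full document format (CMS/S/MIME, XML signatures) rather than raw bytes.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SignedMessage is what the sender transmits: the data and a signature over its hash.
type SignedMessage struct {
	Data      []byte
	Signature []byte
}

// Sign hashes the message with SHA-256 and signs the digest with the private key (RSA-PSS).
func Sign(priv *rsa.PrivateKey, msg []byte) (SignedMessage, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Data: msg, Signature: sig}, nil
}

// Verify recomputes the hash and checks the signature with the public key; any change to the
// data, the signature or the key makes it fail.
func Verify(pub *rsa.PublicKey, sm SignedMessage) error {
	digest := sha256.Sum256(sm.Data)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sm.Signature, nil)
}

// HashOnlyMessage carries the data plus an unkeyed hash: "integrity through hashing" on its own.
type HashOnlyMessage struct {
	Data   []byte
	Digest [32]byte
}

func HashOnly(msg []byte) HashOnlyMessage {
	return HashOnlyMessage{Data: msg, Digest: sha256.Sum256(msg)}
}

func CheckHashOnly(hm HashOnlyMessage) bool {
	return sha256.Sum256(hm.Data) == hm.Digest
}

// Seal encrypts a short secret to the recipient's public key with RSA-OAEP; Open recovers it
// with the private key. This is the confidentiality pillar in the PKI model.
func Seal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

func Open(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// DemoResult records which checks hold for a constructed order and a tampered copy of it.
type DemoResult struct {
	GenuineVerifies     bool   // the untouched signed order verifies under the signer's public key
	TamperedSignedFails bool   // the altered order with the old signature is rejected
	TamperedHashPasses  bool   // the altered order with a recomputed hash is NOT detected
	Decrypted           string // card details recovered by the intended recipient
}

// Demo runs the scenario. The order strings and the card details are constructed sample data.
func Demo() (DemoResult, error) {
	order := []byte("order=4711;amount=120.00;currency=EUR;payee=ACME")
	altered := []byte("order=4711;amount=9120.00;currency=EUR;payee=MALLORY")
	card := []byte("PAN=4111111111111111;EXP=12/04")

	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return DemoResult{}, err
	}
	sm, err := Sign(signer, order)
	if err != nil {
		return DemoResult{}, err
	}
	// An attacker on the wire replaces the data but cannot produce a fresh signature for it.
	tampered := SignedMessage{Data: altered, Signature: sm.Signature}
	// Against a bare hash the same attacker just recomputes the digest over the altered data.
	tamperedHash := HashOnly(altered)

	ct, err := Seal(&signer.PublicKey, card)
	if err != nil {
		return DemoResult{}, err
	}
	pt, err := Open(signer, ct)
	if err != nil {
		return DemoResult{}, err
	}
	return DemoResult{
		GenuineVerifies:     Verify(&signer.PublicKey, sm) == nil,
		TamperedSignedFails: Verify(&signer.PublicKey, tampered) != nil,
		TamperedHashPasses:  CheckHashOnly(tamperedHash),
		Decrypted:           string(pt),
	}, nil
}
```

The three boolean results are the point: the signature detects the altered order, the bare hash does not, and only the key holder can open the sealed card details.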
PKI Technology for Trusting E-Commerce - Certification Authorities: Key Distribution
(Diagram slide showing distribution of public keys through a CA; not reproduced here.)

PKI Technology for Trusting E-Commerce - ITU X.509 v3 Digital Certificate
(Diagram slide showing the structure of an X.509 v3 certificate; not reproduced here.)
PKI Technology for Trusting E-Commerce - PKI Architecture
• PKI: a set of components (hardware and software) that work together to make public-key technology usable.
• CA: a trusted authority which issues a signed statement (the digital certificate) that the enclosed public key belongs to the subject whose name is attached.
• CA: a central administration that issues certificates, for example:
  • an organisation or company to its employees,
  • a university to its students,
  • a public CA (like VeriSign) to the general public.
PKI Technology for Trusting E-Commerce - CA Hierarchies
(Diagram slide: a Root CA at the top with subordinate CAs beneath it; not reproduced here.)
PKI Technology for Trusting E-Commerce - Certificate Revocation Lists (CRLs)
• A certificate must be revoked when:
  • the private key is compromised;
  • the private key is lost;
  • a person leaves the company.
• Revocation lets all users know that a certificate is no longer to be trusted.
• Relying parties are expected to check the CRL before using a certificate.
• Use a sufficiently scalable and powerful CRL server. If a CRL is being used by applications for certificate validation, provisions must be in place for adequate availability of the CRL service (or applications must have a defined policy for the case where the CRL service is unavailable; failing open at that point silently disables revocation).
• OCSP (Online Certificate Status Protocol): the relying party asks the issuing CA, or a responder it has authorised, whether a certificate is still valid and receives a signed answer of good, revoked or unknown.
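Added example, the editor's code rather than anything from the presentation: a three-level hierarchy (Root CA, issuing CA, end-entity certificate, as on the CA-hierarchy slide) built with Go's crypto/x509, then the relying-party check this slide calls for: chain validation to a trusted root, followed by a CRL whose signature and NextUpdate are verified before its contents are believed. It also exercises the availability point: an unreachable or stale CRL yields "unknown", a fail-closed result, rather than silently passing. Names, serial numbers and validity periods are constructed; `must`, `issue`, `publishCRL`, `pool` and `relyingPartyCheck` are the editor's helpers. Needs Go 1.19 or later for `x509.ParseRevocationList`.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// entity is a key pair plus the X.509 v3 certificate issued for it.
type entity struct {
	key  *rsa.PrivateKey
	cert *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for key under issuer (nil issuer = self-signed root). BasicConstraints
// and KeyUsage are the v3 extensions that separate a CA certificate from an end-entity one.
func issue(issuer *entity, cn string, serial int64, isCA bool, key *rsa.PrivateKey, now time.Time) *entity {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(240 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	parent, signer := tmpl, key
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return &entity{key: key, cert: must(x509.ParseCertificate(der))}
}

// publishCRL issues a CRL signed by the CA listing the revoked serial numbers; NextUpdate is the
// moment after which a relying party must treat this CRL as stale.
func publishCRL(ca *entity, serials []int64, now time.Time) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, ca.cert, ca.key))
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

// The four outcomes; "unknown" is the fail-closed result for a missing, stale or unverifiable CRL.
const good, revoked, untrusted, unknown = "good", "revoked", "untrusted", "unknown"

// relyingPartyCheck builds and verifies the chain to a trusted root, then consults the CRL. The CRL
// must be signed by the leaf's issuer and still inside its NextUpdate before its list is believed.
// crlDER == nil models an unreachable CRL service.
func relyingPartyCheck(leaf *x509.Certificate, inter, roots *x509.CertPool, crlDER []byte, now time.Time) (string, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return untrusted, err
	}
	if crlDER == nil {
		return unknown, errors.New("CRL service unavailable")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return unknown, err
	}
	if err := crl.CheckSignatureFrom(chains[0][1]); err != nil { // chains[0][1] is the leaf's issuer
		return unknown, err
	}
	if now.After(crl.NextUpdate) {
		return unknown, errors.New("CRL is stale: NextUpdate has passed")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return revoked, nil
		}
	}
	return good, nil
}

// DemoResult is the decision for one end-entity certificate in four situations.
type DemoResult struct{ BeforeRevocation, AfterRevocation, CRLUnavailable, StaleCRL string }

// Demo builds Root CA -> Issuing CA -> Alice (constructed names) and runs the relying-party check.
func Demo() DemoResult {
	now := time.Now()
	var keys [3]*rsa.PrivateKey
	for i := range keys {
		keys[i] = must(rsa.GenerateKey(rand.Reader, 2048))
	}
	root := issue(nil, "Example Root CA", 1, true, keys[0], now)
	sub := issue(root, "Example Issuing CA", 2, true, keys[1], now)
	alice := issue(sub, "Alice", 1001, false, keys[2], now)
	cleanCRL := publishCRL(sub, nil, now)
	revokedCRL := publishCRL(sub, []int64{1001}, now) // Alice reports her private key compromised
	inter, trusted := pool(sub.cert), pool(root.cert)
	var r DemoResult
	r.BeforeRevocation, _ = relyingPartyCheck(alice.cert, inter, trusted, cleanCRL, now)
	r.AfterRevocation, _ = relyingPartyCheck(alice.cert, inter, trusted, revokedCRL, now)
	r.CRLUnavailable, _ = relyingPartyCheck(alice.cert, inter, trusted, nil, now)
	r.StaleCRL, _ = relyingPartyCheck(alice.cert, inter, trusted, cleanCRL, now.Add(48*time.Hour))
	return r
}
```

The order of checks matters: the CRL is only consulted after the chain is trusted, and the CRL's own signature is checked against the certificate that issued the leaf, so an attacker who can substitute a CRL cannot "un-revoke" a certificate. Swapping the CRL lookup for an OCSP query changes only the transport, not the decision logic.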
Standards that rely on a PKI
• S/MIME: digitally signing and encrypting e-mail messages and attachments
• SSL/TLS: secure access to Web servers (server authentication, optionally client authentication)
• SET (Secure Electronic Transaction): secure electronic bank-card payments
• IPsec: encryption and authentication in VPNs
PKI Applications in Securing E-commerce
• Securing e-business applications:
  • online auction markets / exchange sites
  • online procurement solutions & Web catalogues
  • corporate purchasing
  • online contracting
  • security solutions for traditional EDI
  • online delivery of intellectual products
• Secure e-governance:
  • security solutions for government documentation
  • online tax filing and payment solutions
  • online payment of public utility charges and government levies
  • online application for and receipt of government approvals

PKI Applications in Securing E-commerce
• Security solutions for e-banking:
  • electronic funds transfer / payments
  • trade finance / letters of credit
  • bill presentment and payment
  • statement delivery
• Securing electronic office applications:
  • transformation to paperless office systems through digital signatures
  • encrypted archiving facilities for document storage
  • secure e-mail communication

PKI Applications in Securing E-commerce
• Security solutions for healthcare:
  • secure delivery of online medical advice
  • storage of and authenticated access to health records
  • privacy solutions for medical transcriptions
• Security solutions for education:
  • security & authentication solutions for distance education and online examinations
  • security solutions for electronic certificates and credentials
  • online university application solutions
  • solutions for student identity, together with smart cards
Legislation & Regulation
Legal and regulatory problems to be solved:
• Certification Policies & Practices for:
  • public CAs (Certification Service Providers, CSPs) and
  • organisational CAs
• PKI & CSP assessment & accreditation: widely accepted criteria from national/international bodies
• Legislation, regulations & guidelines for PKI & electronic signatures
Certification Policies & Practices
• Certificate Policies (CPs) and Certification Practice Statements (CPSs) are tools that help establish trust in interactions between Certification Authorities (CAs) and permit cross-certification, i.e. trusting another CA's certificates.
• CPs help answer questions such as:
  • what can the certificate be used for?
  • which algorithms have been used?
• CPSs help answer questions such as:
  • how are users enrolled by the CA?
  • how is the CA managed?
• RFC 2527: framework for CP & CPS structure (since replaced by RFC 3647, which keeps the same section layout).
Certification Policies & Practices
Outline of a CP/CPS following the RFC 2527 framework:
• GENERAL PROVISIONS
  • Obligations: CA obligations, RA obligations, subscriber obligations
  • Requirements for issuing to non-US-government subscribers
  • Interpretation and enforcement
  • Publication and repository
  • Confidentiality
  • Intellectual property rights
• IDENTIFICATION AND AUTHENTICATION
  • Initial registration
  • Certificate renewal, update and routine rekey
  • Replacing a key after revocation
  • Revocation request
• OPERATIONAL REQUIREMENTS
  • Certificate application
  • Certificate issuance
  • Certificate acceptance
  • Certificate suspension and revocation
  • Security audit procedures
  • CA key change
  • Compromise and disaster recovery
• PHYSICAL, PROCEDURAL AND PERSONNEL SECURITY CONTROLS
• TECHNICAL SECURITY CONTROLS
  • Key pair generation and installation
  • Private key protection
  • Computer security controls
  • Life-cycle technical controls
  • Network security controls
  • Cryptographic module engineering controls
• CERTIFICATE AND CRL PROFILES
  • Certificate profile
  • CRL profile
PKI & CSP Assessment and Accreditation
• Role of PKI assessment:
  • necessary for licence & accreditation
  • necessary for PKI interoperation and trust
  • enhances PKI support for non-repudiation
  • required for insurance purposes
  • necessary for risk management
• Assessment targets:
  • PKI environment
  • systems & subsystems
  • discrete components
  • cryptographic modules
• Main subjects for PKI assessment:
  • CA policies, practices and management controls
  • key & device management controls
  • certificate life-cycle controls

PKI & CSP Assessment and Accreditation
• PKI assessment types:
  • self-assessment
  • internal audits
  • external audits
• PKI assessment requirements:
  • provision of certain documents
  • certification of technical systems
  • review of specified policies and practices
• PKI assessment models:
  • information security evaluation criteria (Common Criteria, ITSEC, TCSEC, BS 7799 Code of Practice for Information Security Management)
  • Australian Gatekeeper program (GPKA)
  • UK tScheme, a self-regulation scheme
  • ABA PAG, the American Bar Association's PKI Assessment Guidelines
  • American Institute of Certified Public Accountants' WebTrust
Legislation
• General e-commerce legislation and regulation:
  • EFTA, Electronic Funds Transfer Act (USA), 1978
  • UN Model Law on Electronic Commerce, 1996 (UNCITRAL)
  • UCITA, Uniform Computer Information Transactions Act, 1999 (NCCUSL, USA)
  • UNCID, Uniform Rules of Conduct for Interchange of Trade Data by Teletransmission (ICC, International Chamber of Commerce)
  • OECD Guidelines
  • E-Terms (ICC)
• Electronic signature legislation and regulation:
  • UETA, Uniform Electronic Transactions Act (NCCUSL, USA), 1999
  • Federal E-SIGN Act, 2000 (USA)
  • EU Electronic Signature Directive, 1999
  • UN Draft Model Law on Electronic Signatures, 2000 (UNCITRAL)
  • Digital Signature Guidelines (ABA, USA), 1996
Legislation
DIRECTIVE 1999/93/EC of the EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 December 1999 on a Community framework for electronic signatures

Directive highlights
• Legal recognition of electronic signatures
• Technology neutral
• Free flow of products and services
• Excludes prior authorisation or licensing schemes for Certification Service Providers
• Mandates a supervision scheme for CSPs
• Calls for monitoring of voluntary accreditation schemes

Definitions
• Electronic signature
• Certification Service Provider (CSP)
• Advanced electronic signature
• Signature-creation / signature-verification data
• Signature-creation / signature-verification device
• Qualified certificate
• Qualified signature
Scope of Directive
(Diagram slide, reconstructed as text. For CSPs issuing qualified certificates to the public within the Internal Market, the Directive distinguishes three regimes:)
• 1. Authorisation (obligatory, prior to operation): forbidden.
• 2. Accreditation (voluntary): allowed.
• 3. Supervision: obligation for Member States to control CSPs via a supervision scheme, e.g. a self-declaration scheme with subsequent control by a governmental body or a private institution.
Qualified signatures
• Qualified signature =
  • advanced electronic signature +
  • qualified certificate +
  • secure signature-creation device.
Legal recognition
• General principle: legal effect for all electronic signatures.
• Second principle: certain electronic signatures (the qualified signatures above) get the same legal effect as a hand-written signature.
(Diagram: nested sets, with electronic signatures containing advanced electronic signatures, which in turn contain qualified signatures.)
The Annexes
Requirements:
• Annex I: Qualified certificate
• Annex II: Certification Service Providers issuing qualified certificates
• Annex III: Secure signature-creation device
Recommendations:
• Annex IV: Signature verification
International aspects
Foreign certificates count as qualified certificates if:
• the foreign CA fulfils the same requirements and is accredited by a Member State, or
• a European CA guarantees for the foreign CA, or
• they are recognised under a treaty with the EU.
EESSI: European Electronic Signature Standardization Initiative
• Industry initiative led by the ICT Standards Board (CEN, ETSI, ...)
• Based on a mandate from the European Commission
• Supports the requirements of the EU Directive
• Interoperability standards for electronic signatures:
  • standards for CSPs
  • standards for signature creation and verification products
  • signature formats: simple, co-signature, counter-signature, XML signature format
  • a better understanding of signature policies
  • protocols for time-stamping, access to a repository of certificates and revocation information, etc.
Technical Framework for Qualified Electronic Signatures
• Although "technology neutral", the Directive implicitly defines a technical framework.
• A proposed first set of components that can be used:
  • asymmetric cryptography: RSA, DSA, ECDS
  • certificate-based verification using ITU X.509
  • Public Key Infrastructure with CAs and directories
  • smart cards / hardware tokens for private key protection
• Reasons for this selection:
  • generally accepted, existing standards
  • urgent need for standardized use of these technologies
EESSI Standards overview
(Diagram slide, reconstructed as text. The standards are split between CEN E-SIGN and ETSI ESI and span the Certification Service Provider, the user/signer and the relying party/verifier:)
• Requirements for CSPs
• Trustworthy system
• Time stamp
• Qualified certificate
• Signature creation process and environment
• Signature creation device
• Signature format and syntax
• Signature validation process and environment
ROMANIA: Law on Electronic Signatures
• Adopted by the Romanian Parliament in July 2001.
• Establishes:
  • the legal regime of electronic documents,
  • the conditions for providing certification services for digital signatures.
Law on Electronic Signatures - Definitions
• Electronic signature
• Extended (advanced) electronic signature:
  • it is uniquely linked to the signatory;
  • it is capable of identifying the signatory;
  • it is created using means that the signatory can maintain under his sole control;
  • it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
• Signature-creation / signature-verification data
• Secure signature-creation / signature-verification device
• Certificate / qualified certificate
• Certification Service Provider (CSP)
• Voluntary accreditation
Law on Electronic Signatures - Legal specifications for electronic documents
• An electronic document with:
  • an extended electronic signature,
  • based on a qualified certificate,
  • generated using a secure signature-creation device
  is assimilated to a document with a hand-written signature.
Law on Electronic Signatures - CSPs (Certification Service Providers)
A CSP issuing qualified certificates must:
• demonstrate the reliability necessary for providing certification services;
• ensure a secure directory and a revocation service;
• ensure that the date and time when a certificate is issued or revoked can be determined precisely;
• verify, by appropriate means, the identity and attributes of the person to whom a qualified certificate is issued;
• employ personnel with the necessary knowledge, experience and qualifications;
• use trustworthy systems and products;
• maintain sufficient financial resources to cover liability for damages, e.g. by obtaining appropriate insurance;
• record all relevant information concerning a qualified certificate for an appropriate period of time;
• not store or copy the signature-creation data of the person to whom the CSP provided key management services.
Law on Electronic Signatures - CSPs (Certification Service Providers)
• A national body is created (the Romanian Authority for Regulation and Supervision) which:
  • conducts the CSP accreditation process,
  • conducts the homologation process for SSCDs (secure signature-creation devices),
  • periodically supervises CSPs,
  • publishes on the Internet the Romanian CSP Register with the specifications of accredited CSPs.
Decree for the application of the Electronic Signatures Law
• Adopted in December 2001.
• Contains methodological and technical regulations for the use of electronic signatures.
• Contents:
  • definitions
  • practical specifications for the activity of the Romanian Authority for Regulation and Supervision
  • practical specifications for the activity of CSPs
  • CSP accreditation procedure
  • procedures for using electronic signatures
  • technical specifications for:
    • private keys
    • algorithms
    • certificate revocation conditions

Decree for the application of the Electronic Signatures Law
The Annexes contain:
• the structure of the Romanian CSP Register
• the structure of a qualified certificate
• the structure of the CSP notification for beginning activity
• the standard extensions of a certificate
• the structure of the certificate register kept at a CSP
• the liability letter
• the client information necessary for obtaining a certificate
Decree Technical Details
• The private key of the Romanian Authority for Regulation and Supervision (ARS) must be generated on an isolated, reliable, dedicated system.
• ARS uses only the SHA hash function and RSA for its digital signatures; use of the CRT method (the Chinese Remainder Theorem speed-up of RSA private-key operations) is prohibited.
• For extended electronic signatures:
  • 1024 bits for RSA;
  • 1024 bits for DSA;
  • 160 bits for DSA based on elliptic curves (ECDSA);
  • RIPEMD-160 or SHA-1 hash functions.
  (These are the 2001 minimums; SHA-1 and 1024-bit RSA/DSA are no longer considered adequate for new signatures.)
• Formats for the certificate & CRL register at CSPs:
  • CCITT (ITU-T) X.500 / ISO/IEC 9594
  • RFC 2587, Internet X.509 PKI LDAPv3 Schema
  • RFC 2459, Internet X.509 PKI Certificate and CRL Profile
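The decree text on the slide gives no reason for banning the CRT method. The editor's reading (an assumption, not stated on the page) is the well-known fault attack on RSA-CRT: if one of the two half computations is disturbed, the resulting signature factors the modulus. The added example below, the editor's code rather than anything from the decree or the slides, implements RSA-CRT signing with Go's math/big, injects a one-bit fault into the mod-q half, recovers a prime factor from that single faulty signature using nothing but the public key, and shows the usual countermeasure of verifying the signature before releasing it. The message is a constructed order record signed as a raw integer (textbook RSA) to keep the arithmetic visible; hashing and padding first changes nothing about the attack.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"math/big"
)

// crtSign computes s = m^d mod n the fast way: one half-size exponentiation mod p, one mod q,
// recombined with Garner's formula. This is the "CRT method". If glitch is set, the mod-q half is
// corrupted by a single bit, modelling a hardware fault during that half of the computation.
func crtSign(k *rsa.PrivateKey, m *big.Int, glitch bool) *big.Int {
	p, q := k.Primes[0], k.Primes[1]
	one := big.NewInt(1)
	dp := new(big.Int).Mod(k.D, new(big.Int).Sub(p, one))
	dq := new(big.Int).Mod(k.D, new(big.Int).Sub(q, one))
	sp := new(big.Int).Exp(m, dp, p)
	sq := new(big.Int).Exp(m, dq, q)
	if glitch {
		sq.Xor(sq, one)
	}
	// Garner recombination: s = sq + q * ((sp - sq) * q^-1 mod p)
	h := new(big.Int).Sub(sp, sq)
	h.Mul(h, new(big.Int).ModInverse(q, p)).Mod(h, p)
	return h.Mul(h, q).Add(h, sq)
}

// crtSignChecked is the standard countermeasure: verify the result with the public exponent
// before releasing it, so a faulty signature never leaves the device.
func crtSignChecked(k *rsa.PrivateKey, m *big.Int, glitch bool) (*big.Int, error) {
	s := crtSign(k, m, glitch)
	if new(big.Int).Exp(s, big.NewInt(int64(k.E)), k.N).Cmp(m) != 0 {
		return nil, errors.New("fault detected: signature withheld")
	}
	return s, nil
}

// recoverFactor is the attacker's side. With one faulty signature s', s'^e == m mod p but not
// mod q, so gcd(s'^e - m, n) is p. Only the public key, the message and the bad signature are needed.
func recoverFactor(pub *rsa.PublicKey, m, faulty *big.Int) *big.Int {
	v := new(big.Int).Exp(faulty, big.NewInt(int64(pub.E)), pub.N)
	v.Sub(v, m).Mod(v, pub.N)
	return new(big.Int).GCD(nil, nil, v, pub.N)
}

// FaultDemo records what happens for a fresh 2048-bit key and a constructed message.
type FaultDemo struct {
	CRTMatchesPlain bool // the CRT result equals the plain m^d mod n
	FaultyVerifies  bool // the glitched signature passes verification (it does not)
	FactorRecovered bool // the gcd attack recovers one of the private primes
	CheckedRefuses  bool // the verify-before-release variant withholds the glitched value
}

func Demo() (FaultDemo, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return FaultDemo{}, err
	}
	// Constructed order record, interpreted as an integer well below n (textbook, unpadded RSA).
	m := new(big.Int).SetBytes([]byte("order=4711;amount=120.00;currency=EUR;payee=ACME"))
	e := big.NewInt(int64(key.E))
	good := crtSign(key, m, false)
	bad := crtSign(key, m, true)
	factor := recoverFactor(&key.PublicKey, m, bad)
	_, checkErr := crtSignChecked(key, m, true)
	return FaultDemo{
		CRTMatchesPlain: good.Cmp(new(big.Int).Exp(m, key.D, key.N)) == 0,
		FaultyVerifies:  new(big.Int).Exp(bad, e, key.N).Cmp(m) == 0,
		FactorRecovered: factor.Cmp(key.Primes[0]) == 0 || factor.Cmp(key.Primes[1]) == 0,
		CheckedRefuses:  checkErr != nil,
	}, nil
}
```

The lesson for a root-key ceremony is the one the decree encodes: a single corrupted private-key operation that escapes the device is a full key compromise, so either avoid CRT on the root key as the decree does, or never release a CRT result without first checking it against the public key.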
Other Necessary Romanian Regulations
• The methodology for the homologation of secure signature-creation devices
• The regulations for the activity of the Romanian Authority for Regulation and Supervision
• The methodology for the supervision of CSPs
• The methodology for the accreditation of CSPs, based on:
  • certification policy
  • certification practices framework
  • information security policy
  • Internet security policy
  • emergency response plan
  • business continuity plan
• The methodology for the audit of information security
Conclusions
• PKI technology provides the basis for trust & security in e-commerce.
• Five key ingredients that trust service providers must offer:
  • Accountability: at a minimum this must mean assurance that their processes will stand up to scrutiny in disputes.
  • Survivability/longevity: each service must produce technology and businesses that will be available to resolve disputes decades later.
  • Confidentiality: the customer gives sensitive data to the trust service; providers must ensure confidentiality even within their own organisation.
  • Integrity: linked with accountability and longevity, but worth distinguishing. Because digital data is so easily created and forged, providers must be able to demonstrate the integrity of the information they produce or keep.
  • Simplicity: to be successful, trust services must make life simpler for e-traders, and they must take account of existing infrastructure.
• PKI technology is still maturing and needs to solve a number of legal, technological and business problems.