Presentation at the Health Informatics Workshop at the Hong Kong Medical Association, 21 June 2010.
The Hong Kong Public Key Infrastructure 2010
- Presentation to Hong Kong Medical Association, June 2010
S.C. Leung, CISSP, CISA, CBCP
Page 2 The Hong Kong Public Key Infrastructure
About the Speaker
■ S.C. Leung
■ Professional affiliations
  Secretary of Internet Society Hong Kong
  Founding Chairperson of Professional Information Security Association
  Professional designations: CISSP, CISA and CBCP
■ Work information: Senior Consultant
■ Contact: sc@itvoice.hk
  www.facebook.com/scleung.hk
Why Public Key Infrastructure?
■ Internet is not a trusted medium
  Confidentiality
    Data travels over different paths, so it can be intercepted and sniffed
  Integrity
    Content of data can be modified during transit
    Identity of sender or author of data can be spoofed (e.g. phishing, identity theft)
■ Public Key Infrastructure (PKI) tries to provide a solution
Before PKI
■ Traditional symmetric (private only) key encryption
  Encryption and decryption by the same (symmetric) private key, which is a secret
  Sharing private keys before a transaction is not scalable
Basics of PKI
■ Asymmetric Public Key Encryption
  Public / Private Key Pair
  Public key is made available to everyone
  Private key is secured by owner
  Sender encrypts data using recipient’s public key
  Recipient decrypts data using own private key
Chain of Trust and CA Management
■ Root Certificate Authority and Chain of Trust
  Trust is given to a small number of Root CA Certificates
  Trust is inherited from the Root CA Certificates by Intermediate CA Certificates, etc.: the Chain of Trust
  CAs have an obligation to verify server/client authenticity (manual procedure) before issuing the digital certificates
  Root CA has to maintain a physically and logically secure repository for the digital certificates
Certificate Policy Statement
■ Certificate Policy Statement
Chain of Trust
■ Untrusted root certificate
Root CA cert → Server Cert
Root CA cert → Intermediate CA cert → Server Cert
Example: a public certificate of an online banking web site
Root Certificates Stores
Ultimate Trust goes to Root Certificates in the Certificate Store
Microsoft Windows has Hongkong Post root certificates installed (2004 onwards)
  IE, some Windows-based browsers (such as Safari, Chrome) and email clients use this certificate store
Linux has its own crypto store
MacOS keychain
Root Certificate Store
■ Firefox has its own certificate store with Hongkong Post root cert. loaded by default
■ Opera doesn’t have Hongkong Post root cert. by default
Browser settings for SSL digital certificate
■ In IE browser, choose Internet Options | Advanced
CRL
Use of PKI
Use of PKI : User Authentication
■ Computer Login
■ Critical System login
■ Remote Access / VPN Authentication
No removable media policy
Image source www.pisa.org.hk
Image source www.apple.com
Use of PKI : Two-Factor Authentication
■ Using Client Certificates for online transaction, or access to critical systems
  Client certificate in addition to PIN
  Client certificate can be held in Smart ID Card, iKey USB token, etc.
Use of PKI : Traffic Encryption and Authentication
■ Web site using Server Certificate (SSL) only
  Server authentication (yellow padlock in IE)
  Traffic (data in transit) encryption
■ Email Messaging System
  Encrypt Email Message Transport
  Authenticate email sender
■ Server to Server connection
  Critical private systems
Use of PKI
■ File / Folder Encryption
  Useful for removable disk storage encryption
■ Files / Record Signing
  Examination report, patient report signing
  Validate if signed file (e.g. security patch or virus definition update file) is original and untampered
Image source www.pisa.org.hk
Management of Certificates
Scope of Use of Certificate
■ Trust CA
  Encipherment (Encryption)
  Digital Signature
  Trust the CA to identify a web site
  Trust the CA to identify an email user
  Trust the CA to identify a software developer
Validity of Certificate
■ Valid Date
■ Expired Certificate
Revocation of Certificate
■ Certificate Revocation List
■ Revoked certificate
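Added example (not part of the original slides): a toy Python model of the checks named on the Chain of Trust, Root Certificates Stores, Validity of Certificate and Revocation of Certificate slides. It assumes textbook RSA with fixed Mersenne primes in place of real X.509 signatures and a plain set in place of a signed CRL; every name, key and date in it is constructed.

```python
import hashlib
from dataclasses import dataclass
from datetime import date

E = 65537  # public exponent shared by all toy keys
def make_key(p, q):  # textbook RSA from two known primes -> (modulus, private exponent)
    return p * q, pow(E, -1, (p - 1) * (q - 1))

@dataclass
class Cert:
    subject: str
    issuer: str
    pub_n: int        # subject's public modulus
    not_before: date
    not_after: date
    serial: int
    sig: int = 0      # issuer's signature over the fields above
    def digest(self, n):
        tbs = f"{self.subject}|{self.issuer}|{self.pub_n}|{self.not_before}|{self.not_after}|{self.serial}"
        return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big") % n

def issue(cert, issuer_n, issuer_d):  # the CA signs the certificate with its private key
    cert.sig = pow(cert.digest(issuer_n), issuer_d, issuer_n)
    return cert

def verify_chain(chain, root_store, crl, today):
    """chain is leaf first, root last; returns "ok" or the reason for rejection."""
    for i, cert in enumerate(chain):
        if not cert.not_before <= today <= cert.not_after:
            return f"outside validity period: {cert.subject}"
        if (cert.issuer, cert.serial) in crl:
            return f"revoked: {cert.subject}"
        parent = chain[i + 1] if i + 1 < len(chain) else None
        if parent and parent.subject != cert.issuer:
            return f"broken chain at {cert.subject}"
        # The top certificate's key must come from the local root store, not from the chain.
        issuer_n = parent.pub_n if parent else root_store.get(cert.subject)
        if issuer_n is None:
            return f"untrusted root: {cert.subject}"
        if pow(cert.sig, E, issuer_n) != cert.digest(issuer_n):
            return f"bad signature: {cert.subject}"
    return "ok"

# Constructed sample data: Mersenne primes give fixed, insecure demo keys.
(ROOT_N, ROOT_D), (INT_N, INT_D) = make_key(2**127 - 1, 2**107 - 1), make_key(2**89 - 1, 2**61 - 1)
START, END = date(2010, 1, 1), date(2012, 12, 31)
ROOT = issue(Cert("Example Root CA", "Example Root CA", ROOT_N, START, END, 1), ROOT_N, ROOT_D)
INTER = issue(Cert("Example Intermediate CA", "Example Root CA", INT_N, START, END, 2), ROOT_N, ROOT_D)
SERVER = issue(Cert("bank.example", "Example Intermediate CA", (2**31 - 1) * (2**19 - 1), START, END, 7), INT_N, INT_D)
CHAIN, STORE = [SERVER, INTER, ROOT], {"Example Root CA": ROOT_N}
```

Calling verify_chain(CHAIN, STORE, set(), date(2010, 6, 21)) returns "ok"; emptying the store, moving the date past 2012 or adding ("Example Intermediate CA", 7) to the CRL each yields a different rejection reason.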
Legal Framework for PKI
Legal Foundation of Hong Kong PKI
■ Electronic Transactions Ordinance (Cap. 553)
  Enacted in 2000
  Modelled under UN Commission on International Trade (UNCITRAL) Model Law on Electronic Commerce
  Major Content
    Provides a legal framework for the conduct of electronic transactions
    Establish e-records and digital signature to enjoy same legal status as paper counterpart (i.e. non-repudiation)
    Digital signature used for G2G and G2B
    Establish a voluntary recognition scheme for Certificate Authorities, empower the Government Chief Information Office (“GCIO”) to grant recognition to CAs and digital certificates
ETO 2004 update
■ Facilitate e-transactions not involving government body
  B2B transactions under contract: any form of electronic signatures, provided it is reliable and appropriate
  Common Law approach: a matter to be determined by parties to the contract
    technology neutral
  Electronic signature
    any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record.
    Digital signature is one form of electronic signature. PIN is another.
    *But biometrics was not included
Recognized CAs in Hong Kong
GCIO
Digi-Sign ID-Cert
Electronic Transactions Ordinance
Voluntary Recognition Scheme
■ Code of Practice for Recognized CAs
  Publish Certification Practice Statement (CPS)
  Issue and revoke certificates
  Publish certificates issued and the certificate revocation list (CRL)
  Annual Assessment Report (on trustworthiness) by independent party
  Operation Report by officer of CA
CAs
■ Hongkong Post was appointed the HKSAR CA in 1999
  Operation outsourced to E-Mice Apr-2007 to Mar 2012
  Types of e-Certs
  Issues recognized “e-Cert” for personal and organizational uses
■ Digi-Sign Certification Service Limited
  Previously under Tradelink
  Issues recognized “ID-Certs” for personal and organizational use
  Act as gateway between Govt and Trade Community
e-Cert Applications
Online Banking
Online Betting
E-Government
Online Shopping
Online Securities Trading
Government Online Services (through GovHK) using digital signatures
Cross-border Recognition
■ Certificates recognized by ETO of Hong Kong may not be recognized by other jurisdictions, and vice versa
■ Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong
  promote investment facilitation
  enhance the security of e-transactions
  2008 Working Group
  2010-Apr Pilot Project started. Recognized CAs in both places and their partners can submit applications
[Diagram: local CA and remote CA, with forward cross-cert. and reverse cross-cert.]
Useful References
Useful Further References
■ The Electronic Transactions Ordinance, HKSARG, 2004
  http://www.ogcio.gov.hk/eng/eto/eeto.htm
■ Use of Public Key Technology, Johnson & Johnson, 2004
  http://www.dartmouth.edu/~deploypki/summit04/presentations/JNJ_case_study.ppt
■ “Japan Medical and Healthcare Network” in Asia PKI Application Casebook Nov 2005, BAWG, Asia PKI Forum
  http://www.japanpkiforum.jp/shiryou/APKI-F/PKI_App_CaseBook_1st.pdf
■ Case Study: Denmark’s Achievement with Healthcare Information Exchange
  http://www-03.ibm.com/industries/ca/en/healthcare/files/gartner-case_study-denmarks_achievementswHIE.pdf
Point of Contact
Name: SC Leung
Email : sc@itvoice.hk
FB : scleung.hk