Upload
cole
View
87
Download
0
Tags:
Embed Size (px)
DESCRIPTION
Опыт применения и тенденции развития технологий электронной цифровой подписи и инфраструктуры открытых ключей в Республике Беларусь Комисаренко Владимир. РУП «Национальный центр электронных услуг». Client Cert. Server Cert. PKI Client. Registration Authority. Certificate Authority. - PowerPoint PPT Presentation
Citation preview
1
РУП «Национальный центр электронных услуг»
- 2 -
Client Cert
Server Cert
certificate
Directory Server
PKI Server
Server-side software
Client-side software
A public-key infrastructure(PKI) is a system for the creation, storage, and distribution of digital certificates which is used in digital signature to verify that a particular public key belongs to a certain entity.
Certificate Authority
Registration Authority
(PC/Phone/PDA)
PKI Client
Dig
ital
Sig
natu
re
PKI Structure
Requests Service
Provides service
share key info.
reposit re
posit
reposit
Share Cert. information
- 3 -
NNational ational PKIPKI GGovernment overnment PKIPKI
CTL(List : GCC)(Singer : KISA)
CTL(List : KISA)(Singer : GCC)
KISA DirectoryKISA Directory(Root CA)(Root CA)
GCC DirectoryGCC Directory(Root CA)(Root CA)
Issues a CTL
Obtains a CTL Obtains a CTL
KISA(Root CA)
Accredited CA
Subscriber Subscriber
Sub CA
GCC(Root CA)Issues a CTL
B
CTL Model in Korea
Interaction between NPKI and GPKI
CTL : Certificate Trust ListCTL : Certificate Trust List
- 4 -
The year-end tax adjustment service
Tax service
Online tax civil petition service
Cash receipt service
Electronic tax payment
$
Enable tax affairs of Fairness, Clearness
Best Practice : National tax service
- 5 -
Online Printing
About to 150 ServicesAre Available On ONLINE ONLINE
Online Verification
Online Claim
Best Practice : Online civil petition service
No more need to WAIT!
- 6 -
Student Parents Service
National EducationInformation System (NEIS)
NEIS HELP System (HELPSYS)
Education InformationService (EDUNET)
Education civil service
School Education affairsManagement System (SEMS)
• All Education affairs are managed on Internet
Best Practice : Education Service
- 7 -
19 Banks and Post Office provide internet banking service based on accredited certificate
Internet banking users must use the accredited certificate for secure online transaction ('02. 9)
Best Practice : Internet Banking
- 8 -
Credit card should be used with accredited certificate to enhance the security of electronic payment process
Regarding the transaction of over 300,000 won in Internet shopping, purchasers are required to use accredited certificate ('05. 11)
Best Practice : Internet Shopping
- 9 -
Mobile banking service with certificate ('07~)
• Transferring a certificate from PC to mobile
phone
• Generating electronic signature in mobile phone
Certificate Management S/W in Mobile Phone
Best Practice : Mobile Banking
- 10 -
Number of Digital Certificates 5 Accredited CAs issued accredited certificates to
subscriber around 28 million in total. Major PKI Applications
* Internet Banking, Online Stock, Internet Shopping, Procurement, e-Government Services
Numbers of annual issuance of certificates (2012.09, published by KISA)
0
500
1,000
1,500
2,000
2,500
3,000
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012.9
782
9501,100
1,437
1,7161,856
2,192
2,3662,684
2,811
1999 Стандарты на функцию хэширования, электронную цифровую подпись
2000 Закон «Об электронном документе»
2009 Закон «Об электронном документе и электронной цифровой подписи»
2009 Стандарт на синтаксис обмена персональной информацией
2011 Новая функция хэширования, ЭЦП на эллиптических кривых
2012 Формат сертификатов и списка отозванных сертификатов, синтаксис запроса
ИСТОРИЯ (законодательство, стандартизация)
СТБ 1176.1-1999 «Информационная технология. Защита информации.
Процедура хэширования»Стандарт разработан белорусскими криптографами
СТБ 1176.2-1999 «Информационная технология. Защита информации. Процедуры выработки и проверки
электронной цифровой подписи»
1. Стандарт разработан белорусскими криптографами с использованием схемы Шнора (Schnorr C. P. Efficient Signature Generation by Smart Cards, J. Cryptology, 4(3): 161–174, 1991)
2. Безопасность основана на практической неразрешимости задачи дискретного логарифмирования в конечных полях. Позволяет быстро вырабатывать и проверять подпись. Значение подписи – короткое (посравнению с другими алгоритмами).
3. Включает алгоритм генерации простых чисел как параметров
1 To generate random k )1( qk ;
2 )(: kat ;
3 To convert:
1
0
8 )2(n
i
iitt ;
4 ),...,,,...,,(: 1110 znt mmtttM ;
5 .: tMhU
If U = 0, then go to 1; 6 qUxkV mod)(: .
If V = 0, tnen go to 1;
7 VUS r 2: . S is signature.
1 rSV 2mod: ;
2 rVSU 2/: ;
3 Check: .020 1 qVandU r
4 UV yat : ;
5 Convert: in
iitt 8
1
0
2
;
6 znt mmtttM ...,,,...,,,: 1110 ;
7 tMhW : ;
8 Check: UW .
the main steps of the algorithm signature verification
LAW OF THE REPUBLIC OF BELARUS
The Electronic Document
January 10, 2000
Electronic document is equivalent to document on paper and have the same legal him force
UNITED NATIONS
UNCITRALUnited Nations Commission on
International Trade Law
Model Law on Electronic Signatures
with
Guide to Enactment
18
NOW2013
19
Means of digital signature - software, software and hardware, or technical means by which implements one or more of the following functions: generation of digital signature, digital signature verification, development of the private key and the public key.
Means of electronic digital signatures must be certified in the national system of certification
PKI BelarusBanking
Belarus BankCertificate Authority
BelSwiss BankCertificate Authority
Belinvest BankCertificate Authority
PKI BelarusState
MailgovCertificate Authority
CustomCertificate Authority
TaxCertificate Authority
Social Protection FoundCertificate Authority
LAW OF THE REPUBLIC OF BELARUSThe electronic document and
electronic digital signature
December 28, 2009
PKI BelarusRoot CA
BankingCertificate Authority
StateCertificate Authority
OtherCertificate Authority
Belarus BankRegistration Authority
BelSwiss BankRegistration Authority
ARTICLE 17. THE STRUCTURE OF AN ELECTRONIC DOCUMENT
Electronic document consists of two integral parts - general and special.
The general part of the electronic document consists of information that forms the content of the document.
The special part of the electronic document consists of one or more digital signatures, and may also contain additional data needed to verify digital signatures (digital signatures) and identification of an electronic document, which establishes the technical regulations
ARTICLE 19. ORIGINAL ELECTRONIC DOCUMENT
Original electronic document exists only in electronic form. All identical copies of electronic documents are originals and have the same legal effect.
ARTICLE 22. LEGAL VALIDITY OF ELECTRONIC DOCUMENTSOriginal electronic document equivalent to a paper
document, signed by his own hand, and with it has the same legal effect.
Electronic document, signed after the revocation public key, is not legally binding.
Original electronic document and its copy, corresponding to the requirements specified in Article 20 of this Act, have the same legal force.
If, in accordance with the legislation requires that the document be made in writing, the electronic document and its copy are considered relevant to this requirement.
ARTICLE 29. THE STATE SYSTEM OF PUBLIC KEY MANAGEMENT
State public-key management system is designed to provide opportunities for all interested organizations and individuals information about the public key and their owners in the Republic of Belarus, is a system of interconnected and accredited in its service providers.
The main functions of the State public-key management system are:registration owners of private keys;publication, distribution and storage of public key certificates and certificate revocation lists of public keys;creation and maintenance of databases of current and revocation of public keys;introduction of public key certificates to the database of existing public key certificates;accessibility database of current and revoked public key certificates;a review of public key certificates;reliable confirmation accessories public key specific organization or individual.
PRESIDENTIAL DECREE OF NOVEMBER 8, 2011 № 515"ON SOME ISSUES OF THE INFORMATION SOCIETY IN THE REPUBLIC OF BELARUS“To establish that Operatively Analytical Center under the President shall regulate in the area:operation of the State public keys management systems of verify digital signatures, the Republic of Belarus;cryptographic protection of information that does not contain information classified as state secrets
PRESIDENTIAL DECREE OF NOVEMBER 8, 2011 № 515"ON SOME ISSUES OF THE INFORMATION SOCIETY IN THE REPUBLIC OF BELARUS“To establish that the National Center Electronics Services has operated a root certification authorities and other State system of management of public keys
STB P 34.101.45-2011Information technology and security.
Digital signature and key transport algorithms based on elliptic curves
1. Generation and verification of the parameters of the elliptic curve. 2. Generation and verification keys. 3. One-time private key generation. 4. The development and verification of digital signatures. 5. Key exchange.
31
Standard of the Republic of Belarus International standard The object
1. GOST 28147-89 «Information processing system. Cryptographic Security. Cryptographic transformation algorithm»
national encryption
2. STB 1176.2-99 «Information technology. Data security. Procedure and check procedures of electronic digital signature»
national digital signature
3. STB 1176.1-99 « Information technology. Data security. Hashing function»
national hashing function
4. STB 34.101.27-2011 «Information technology and security. Security requirements for software cryptographic modules»
national software cryptographic modules
5. STB P 34.101.45-2011 «Information technology and security. Digital signature algorithms based on elliptic curves»
national digital signature
6. STB 34.101.47-2012 «Information technology and security. Cryptographic algorithms of pseudorandom number generation»
national number generation
7. STB 34.101.49-2012 «Information technology and security. Public key card format»
national public key card
32
Standard of the Republic of Belarus International standard The object 1. STB 34.101.17-2012 «Information technology and
security. Certification request syntax»PKCS #10: Certification request syntax standard. Version 1.7. RSA Laboratories, 2000
certification request
2. STB 34.101.18-2009 «Information technology. Personal information exchange syntax»
PKCS #12 v1.0:1999 Personal information exchange syntax
personal information exchange
3. STB 34.101.19-2012 «Information technology and security. Public key infrastructure certificate and certificate revocation list profile»
RFC 5280:2008 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
certificate and certificate revocation list
4. STB 34.101.21 – 2009 «Information technology. Cryptographic Token Interface»
PKCS #11 v2.20:2004 Cryptographic Token Interface Standard
cryptographic token interface
5. STB 34.101.23-2012 «Information technology and security. Cryptographic message syntax»
PKCS #7: Cryptographic Message Syntax Standard
cryptographic message syntax
6. STB 34.101.26-2012 «Information technology and security. Online certificate status protocol (OCSP)»
X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
online certificate status protocol
33
MEANS1.Cryptographic software cryptographic software must meet the requirements specified in the standards 2.Hardware secure moduleThe goals of an HSM are:onboard secure generationonboard secure storageuse of cryptographic and sensitive data materialoffloading application servers for complete cryptography operations.HSMs provide both logical and physical protection of these materials from non-authorized use and potential adversaries.
TRUSTED THIRD PARTY
Achievement of adequate levels of business confidence in the operation of IT systems is underpinned by the provision of practical and appropriate legal and technical controls. Business must have confidence that IT systems will offer positive advantages and that such systems can be relied upon to sustain business obligations and create business opportunities.
An exchange of information between two entities implies an element of trust, e.g. with the recipient assuming that the identity of the sender is in fact the sender, and in turn, the sender assuming that the identity of the recipient is in fact the recipient for whom the information is intended. This "implied element of trust" may not be enough and may require the use of a Trusted Third Party (TTP) to facilitate the trusted exchange of information.
SERVICES PROVIDED BY TTPS:1.key management,2.certificate management,3.identification and authentication support,4.privilege attribute service, non-repudiation,5.time stamping services,6.electronic public notary services
Trusted third party(electronic public notary services)
Russia
TTPs Russia
Kazakhstan
TTPs Kazakhstan
Belarus
TTPs Belarus
RFC 3029 Internet X.509 Public Key InfrastructureData Validation and Certification Server Protocols
4 types of validation and certification services: - Certification of Possession of Data (cpd), - Certification of Claim of Possession of Data (ccpd), - Validation of Digitally Signed Document (vsd), - Validation of Public Key Certificates (vpkc).
RFC 3161 Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)
The TSA is a TTP that creates time-stamp tokens in order to indicate that a datum existed at a particular point in time.
COMMISSION DECISION
of 25 February 2011
establishing minimum requirements for the cross-border processing of documents signed electronically by competent
authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market
(notified under document C(2011) 1081) (Text with EEA relevance) (2011/130/EU)
Specifications for an XML, CMS or PDF advanced electronic signature to be technically supported by the receiving Member State
41
Common Criteriafor Information Technology Security Evaluation
Part 1: Introduction and general modelPart 2: Security functional requirementsPart 3: Security assurance requirements
42
43
РУП «Национальный центр электронных услуг»