8/14/2019 III PKI exp 07152007

1/20

IIIs experience inPKI and its application

International Group

Institute for Information Industry

Aug. 2007

8/14/2019 III PKI exp 07152007

2/20

Foundation and Functions of PKI

PKI is to Ensure Confidentiality

Integrity

Authentication

Non-repudiation

Foundation of a PKI infrastructure Public trust in the operation unit

Provision of the accountability

Comprehensive and reliable audit trail, ..

Ability for key pairs management

Generation, issuance, revocation, Provision of services regarding certificate inquiry

Convenient, fast, timely to the inquiry for certificates validity,applicability,

8/14/2019 III PKI exp 07152007

3/20

PKI infrastructure in Taiwan

PCA

Foreign Private

PKI CA in Taiwan

Foreign PKI

Foreign Govt

PKI Root

Foreign Private

PKI Root

PCAGCAGCAPrivateGovt

CA

Taiwan PKI

Digital Certificate

Task Force

General GovtMgt. Center

Biz. Adm.

CA

Other

CA CA

BCA

Citizen

CA

CACACACA

8/14/2019 III PKI exp 07152007

4/20

The ePKI system

CHT Developed and maintained

Used and operating for GCA, BACA, CCA,

8/14/2019 III PKI exp 07152007

5/20

Complying Standards

Certificate Policy and Certification Practices Framework RFC 2527

Certificate format: ITU-T Recommendation X.509

V3(1997)

Certificate revocation: ITU-T Recommendation X.509V2(1997)

Privilege Management Infrastructure: ITU-T X.509 4th

Edition Draft V4

ASN.1syntax: ITU-T X.680, X.681, X.682 and X.208,X.209

Certificate Management Protocol: RFC 2510

Certificate Request Message Format: RFC 2511

8/14/2019 III PKI exp 07152007

6/20

Complying Standards

On-line Certificate Status Protocol: RFC 2560

Public keys encryption algorithm: PKCS #1 RSA1024~2048 bits

Data encryption algorithm: PKCS #7

Private keys encryption algorithm: Triple DES (CBC Mode,with 2 Keys or 3 Keys)

Hash function: SHA-1

Signature algorithm: RSA with SHA-1

Private key syntax and protection: PKCS #8 PKCS #5 Private Key storage: diskette, IC card, or special designed

hardware (for CA and RA)

Key management: X.9.17

8/14/2019 III PKI exp 07152007

7/20

Key Features

Highly reliable RA and CA security architecture,meeting ITSEC E3 and FIPS 140-1.

Flexible design to support all kinds of certificate

policies for various business models.

Unified RA solution to minimize cost and expedite

implementation.

Distributed architecture with expandability and

scalability (from enterprise to national infrastructure). Interface with SQL and ODBC.

8/14/2019 III PKI exp 07152007

8/20

Key Features

Support DSA and RSA signature algorithms, with

extension mechanism for other algorithms.

Key pairs are easily integrated and used in

applications of secured browsing and emails.

Integrated into IC card and related applications.

Interoperable with other standardized PKI

schemes and applications.

Interface with LDAP directory services.

Support both windows and UNIX systems.

8/14/2019 III PKI exp 07152007

9/20

Registration Authority

Certificate Authority

Certificate

Repository

Certification Server

Regis. counterCert.

Applicant

Cert.

concerned

1. Get cert. sw

2. Apply for cert.

Application

approved

3. Application data

4. Request for cert. issuance

5. Publish issued cert.

d. Publish revoked cert.

Get cert.

Get CRL

Inquire cert. status

a. Apply for revocation

b. Revocation data

c. Request for cert. revocation

Cert. user

Cert. application: 1? 2? 3? 4?

Cert. revocation: a? b? c? d

Registration Server

8/14/2019 III PKI exp 07152007

10/20

Certificate Subject

Can be person, organization, server, application

program

Naming: distinguished name in X.500

8/14/2019 III PKI exp 07152007

11/20

eCA

Subordinate

CA2

RA11

Subordinate

CA1

Subordinate

CAn

RA12 RA1a RA21 RA22 RA2b RAn1RAn2 RAnn

RAC111 RAC112 RACnnnRAC11n

Hierarchical CA and RA

8/14/2019 III PKI exp 07152007

12/20

Scope of applications and Level oftrust

Scope of applications

Companys Intranet

Inter-companies

Company individuals

Individual - individual Level of trust

Class 1

Class 2

Class 3

Class 4

8/14/2019 III PKI exp 07152007

13/20

Reasons for using BA_cert

Facilitate trust mechanism for online transactions

Strengthen enterprise competition through G2B

services

Create business values by integrating G2B and

B2B services Facilitate other secured business models

8/14/2019 III PKI exp 07152007

14/20

Application for a BA_cert.

Card making

center

Ha nd in ap p.form w/i ID

Internet F/WF/W App. processing site

Reg. Server

& repository

Desig. Reg.

unit

RA

App li cation for mdownlo ad

ApplicantBA-system

(1)

(3)

(4)

Cert.. issuance

(5)Print /

Issuing cert.

(6) Deliver cert.

(7)Open the

Cert.

Corporation

(2)Fill the form

County govt

Service

windowapp.Form

(batch)

Revie

w

Cert. Server

Secured op center

8/14/2019 III PKI exp 07152007

15/20

Applications of BA_cert

BA_cert Facilitate trust mechanism for secured

online transaction G2B, B2B,

G2B applications Registration of corporation and related items

Online Govt procurement procedure G2B document exchange,

Company income tax filing,

Employee insurance registration,

Electronic invoice

B2B applications Electronic invoice

Electronic payment

8/14/2019 III PKI exp 07152007

16/20

Business certificates used in the systems

DOC - Online registration of corporationhttp://eicm.moea.gov.tw

Tendering procedures in govt electronicprocurement

http://www.geps.gov.tw

Government document exchange inSecurity administration

http://eweb.tse.com.tw

Labor insurance registration and inquiry

to Labor insurance agency

http://www.blia.gov.tw

Customs declaration procedures

http://asp.dgoc.gov.tw

96979933

2003/08/07

MG00000000000001

8/14/2019 III PKI exp 07152007

17/20

Govt online service with fund transfer (ft) toGovt online service with fund transfer (ft) to

treasurytreasury

PaymentgatewayParticipatin

gbank(a pplic an t)Corporation Serv. site

Cashier

Receipt(e_mailed with

approved permit)

BA_Cert

account

Password

account

password

CHTo vt agenc y

account

password

Che ckupunit

Acc ount ing Treasury

Authen.Authen.

ft data validatedChecking

result file

BOT

CBC

OCB

Paying-in slip

Paid-in fund

Checking

(amount)

Notice Fund

withdraw

Fund

withdrawFund

withdraw

Check sheet

De sig. a ge ntbankCheck sheet (daily)Paid-in fund Check

sheet

checking result

Paid-in notice

A li ti f th

8/14/2019 III PKI exp 07152007

18/20

Applications of othercertificates

Government document exchange with G_cert by

officals

Citizen income tax filing with C_cert

Medical payment application with H_cert by

doctors Vehicle administration/services with C-cert

Online trading of stocks with X_cert

8/14/2019 III PKI exp 07152007

19/20

Why III in PKI management

III has a great experience in implement Taiwan e-

Gov PKI system

III plays the leading role in Taiwan PKI police for

government

III has good global connection on internationalPKI community

III develops many PKI enabling system for

Taiwan government

8/14/2019 III PKI exp 07152007

20/20

Thank you very much