Intra-ASEAN Secure Transactions Framework Project Progress Report

Chaichana Mitrpant, chaichana@etda.or.th

Project Information

• Support AIM 2015 under
  • Strategic Thrust 2: People Engagement and Empowerment
  • Initiative 2.4: Building Trust
  • Action: Promote secure transactions within ASEAN
  • Description: Promote the use of two-factor authentication

Intra-ASEAN Secure Transactions Framework Project

Scope of work
o Status update on laws, policies and regulations related to e-signature and certification
o Propose e-authentication recommendations for intra-ASEAN secure electronic transactions

Methodology
o Desk research: review of the data available to the public
o Questionnaire survey: distributed to the 10 ASEAN member countries

Period: 1 year
Budget: 10,000 USD

Executive Summary

Three main components of e-authentication have been identified as follows:

Assurance Levels and Risk Assessments – Levels of assurance are defined so that transactions can be distinguished by how much it matters that e-authentication is done correctly.

Identity Proofing and Verification – For each level of assurance, an objective of authentication and a set of controls are defined. Details of the identity proofing and verification methods are then provided for the registration process.

Authentication Mechanism – Different token technologies are listed and mapped to the levels of assurance. Moreover, recommendations are given on how identity should be managed.

Executive Summary: Standards and Best Practices

Assurance Levels and Risk Assessments
• ISO/IEC 29115:2013
• OMB M-04-04
• NeAF

Identity Proofing and Verification
• ISO/IEC 29115:2013

Authentication Mechanism
• NIST Special Publication 800-63

Executive Summary: Assurance Levels and Risk Assessment

Assurance Level   Description
1 – Low           Little or no confidence in the asserted identity’s validity
2 – Medium        Some confidence in the asserted identity’s validity
3 – High          High confidence in the asserted identity’s validity
4 – Very High     Very high confidence in the asserted identity’s validity

Executive Summary: Identity Proofing and Verification Approach

Columns: Assurance Level, Objectives, Control, Method of processing

1 – Low
  Objectives: Identity is unique within a context
  Control: Self-claimed or self-asserted
  Method of processing: Local or remote

2 – Moderate
  Objectives: Identity is unique within context and the entity to which the identity pertains exists objectively
  Control: Proof of identity through use of identity information from an authoritative source
  Method of processing: Local or remote

3 – High
  Objectives: Identity is unique within context, the entity to which the identity pertains exists objectively, identity is verified, and identity is used in other contexts
  Control: Proof of identity through (1) use of identity information from an authoritative source and (2) identity information verification
  Method of processing: Local or remote

4 – Very High
  Objectives: Identity is unique within context, the entity to which the identity pertains exists objectively, identity is verified, and identity is used in other contexts
  Control: Proof of identity through (1) use of identity information from multiple authoritative sources, (2) identity information verification and (3) the entity being witnessed in person
  Method of processing: Local

Executive Summary: Examples of Token Types for Different LoAs

Token Type                                          Level 1  Level 2  Level 3  Level 4
Memorized Secret Token                              ✓*       ✓*
Pre-registered Knowledge Token                      ✓*       ✓*
Look-up Secret Token                                         ✓
Out of Band Token                                            ✓
Single-factor (SF) One-Time Password (OTP) Device            ✓
Single-factor (SF) Cryptographic Device                               ✓
Multi-factor (MF) Software Cryptographic Token                        ✓
Multi-factor (MF) One-Time Password (OTP) Device                      ✓
Multi-factor (MF) Cryptographic Device                                         ✓
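As an added example (not from the ETDA report or any project code), the following Python module turns the proofing controls from the Identity Proofing and Verification table and the token-to-level mapping from the token table above into a relying-party policy check. It assumes, following NIST SP 800-63 practice rather than anything the slides state, that a token listed at a given level is acceptable at any lower level and that the overall level of assurance is the minimum of the proofing level and the token level; the token-type identifiers and the ProofingRecord fields are constructed for the example.

```python
from dataclasses import dataclass

# Highest assurance level at which each token type is listed in the token table
# (assumption: a token listed at level N is also acceptable at any level below N).
TOKEN_MAX_LOA = {
    "memorized_secret": 2,
    "pre_registered_knowledge": 2,
    "look_up_secret": 2,
    "out_of_band": 2,
    "sf_otp_device": 2,
    "sf_cryptographic_device": 3,
    "mf_software_cryptographic_token": 3,
    "mf_otp_device": 3,
    "mf_cryptographic_device": 4,
}

@dataclass(frozen=True)
class ProofingRecord:
    """What the registration process actually did for this identity (constructed record)."""
    authoritative_sources: int   # authoritative sources whose identity information was used
    information_verified: bool   # identity information was verified, not merely collected
    witnessed_in_person: bool    # entity was witnessed in person (local processing only)

def proofing_loa(rec: ProofingRecord) -> int:
    """Highest level (1-4) whose proofing controls from the table the record satisfies."""
    if rec.authoritative_sources >= 2 and rec.information_verified and rec.witnessed_in_person:
        return 4  # multiple authoritative sources + verification + in-person witness
    if rec.authoritative_sources >= 1 and rec.information_verified:
        return 3  # one authoritative source + identity information verification
    if rec.authoritative_sources >= 1:
        return 2  # identity information from an authoritative source, unverified
    return 1      # self-claimed or self-asserted identity

def token_loa(token_type: str) -> int:
    """Highest level the presented token type supports; unknown token types are rejected."""
    if token_type not in TOKEN_MAX_LOA:
        raise ValueError(f"unknown token type: {token_type}")
    return TOKEN_MAX_LOA[token_type]

def overall_loa(rec: ProofingRecord, token_type: str) -> int:
    """Assumption: a credential is only as strong as its weaker component."""
    return min(proofing_loa(rec), token_loa(token_type))

def authorize(required_loa: int, rec: ProofingRecord, token_type: str) -> bool:
    """True when the credential meets the level of assurance the transaction requires."""
    return overall_loa(rec, token_type) >= required_loa
```

A strong token cannot compensate for weak registration: a password-only account that was proofed in person still evaluates to level 2, and an MF cryptographic device held by a self-asserted identity evaluates to level 1.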

Needs for ASEAN Legal Infrastructure

Cooperation among Member States is necessary to create a legal framework for information technology legal infrastructure that is equivalent across the region and conforms to international principles, especially in the following matters:

– Legal infrastructure for cross-border electronic transactions
– Principles on the organization or unit responsible for supporting and controlling reliance on electronic transactions
– A clear policy relating to authentication technology in electronic transactions
– Clear and appropriate principles on identification and authentication in electronic transactions, for example a principle that allows a foreign certification authority (foreign CA) to issue digital certificates
– Relevant measures regarding data confirmation, such as electronic signatures, and the responsibility of the data owner for the accuracy of data
– Principles on personal data protection, including the principle governing requests for data held in an authentication system in cross-border transactions by an authority or related person, and data sharing between the government sector and the private sector