Professional Documents
Culture Documents
Contents
Contents
www.sgco.kr
Informational Society
online
Problems
Risk of deceiving identity of sender Risk of changing information on transmission Risk of denying a fact information transmit Risk of exposing information on transmission
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Solutions
Authentication Integrity Non-repudiation Confidentiality Digital Signature Digital Signature Digital Signature Encryption
4
Public-Key Algorithm
Public Key System
Ke Kd Each user have public key (KUa) and private key (KRa). Public key open and private key keep secretly save. Use digital signature. RSA, Elgamal, ECC
sender
receiver
www.sgco.kr
Public-Key Algorithm
Authentication, Integrity, Non-Repudiation
Digital Signature Signing Sending Digital Signature verification
Message
Hash Algorithm
Hash Code
Hash Algorithm
Password
Hash Code
p AES Re Decryption on N
ia ud
ion
Sign
Digital Signature
Verify
nt he t Au Certificate
on at i ic
Sender
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Receiver
6
Symmetric Algorithm
Mechanisms of Encryption and Decryption
M : plaintext C : cipher text E : Encryption Algorithm D : Decryption Algorithm, Ke : Encryption Key, Kd : Decryption Key
Symmetric Algorithm
Ke = Kd Use the same key between sender and receiver difficulty of key distribution DES, Skipjack, IDEA, FEAL, LOKI, GOST, SEED, AES
www.sgco.kr
Symmetric Algorithm
Confidentiality
Message Encryption Sending Message Decryption
Message
Cipher Text
Session Key
e fid n Co
ty ali nti
Receiver Certificate
Public Key
Private Key
Sender
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Receiver
8
Plain Plain text text Check the truth of the Public key Public Repository
Use same Key Secret Key Decryption Decryption Algorithm Algorithm Decrypted Decrypted Message Message
Use Different key Private Key Decryption Decryption Algorithm Algorithm Decrypted Decrypted Message Message
www.sgco.kr
System
System (CA, RA, DS, OCSP, TS, Firewall, IDS, SMS, NMS etc)
Operation
Killer Applications
Certification Center
Policy
IETF PKIX RFC RSA PKCS 1~15 Digital Signature, Hash, Encryption Algorithm
www.sgco.kr
Electronic Signature Act Electronic Transaction Basic Act Personnel Information Protection Act
10
Component of PKI
Personnel, policy, procedures, components and facilities to bind user names to electronic keys so that applications can provide the desired security services.
Server Cert
Server-side software
Digital Signature
Certificate Authority
Directory Server
Client-side software
Registration Authority
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Client Cert
Firewall L4 Switch DS
TSA
TS
GPS Receiver RA
OCSP CA netHSM
DB
KRS/ Etc.
www.sgco.kr
12
Cyberspace (Internet)
Accredited Certificate
Name Serial No Address Validity : : : : Young joo Ko 883XXX8377 SG, Seoul, Kr 2008/6/1~ 2009/5/31
CAs Signature
Public Key :
+
Encrypted Private Key
Digital Signature
Digital signature using asymmetric encryption / decryption method
Reusable
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Impossible to reuse
13
Digital Certificates
"Certificate" means information in electronic form verifying and certifying the correspondence of a public key to a private key owned by a natural or juridical person. Certificate version Certificate serial number Signature algorithm id for CA Issuer X.500 name Validity period Subject X.500 name Subject public key info Issuer unique identifier Subject unique identifier Type Criticality Value Type Criticality Value Type Criticality CA Signature
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved 14
V1
RSA with SHA-1 cn=SignGATE CA,ou=Accredited CA,ou=KICA, c=KR start=01/01/08, expiry=12/31/09 cn=Ko,ou=Accredited CA,o=KICA,c=KR RSA with SHA-1 (not used) (not used)
V2
V3
Extensions
Value
Types of Certificates
Accredited Certificate
The accredited certificate is issued by a CA, which in turn is designated by the government pursuant to the laws after thorough screening, to be used for various e-transactions.
Level of technology Passage of thorough screening Impossible to verify and security pursuant to the law Legal effect Compensation Valid as provided by the laws Easy to get compensated Valid only by agreement Hard to get compensated Narrow
15
Contents
16
Issues of e-Procurement
Issues of e-procurement.
Off-Line Procurement The Agency Handy work process making mistakes (Negative) Needs much time for document management Issues On-Line Procurement The Agency
A Subscriber Complex and time consumption Difficult and inefficiently Prepare many document
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
A Subscriber
Repudiate transactions
Can be used anywhere , anytime(24h). Easily present document to agencies Easily join the bidding
17
Security of e-Bidding
KONEPS
e-Bidding Server e-Bidding Server With security add-on With security add-on for Web Application Server for Web Application Server
Integrity Authentication
Verify forgery and modification bid document
Company Authentication
Company identity Ban a bid of illegal company
Non-repudiation
Non-repudiation for Nonsending a tender
www.sgco.kr
18
Bid Invitation
SG as a trusted third party issues a encryption certificate for each bidding announcement Private key of the security certificate must be stored only in the bidding administrators PC Private key is divided into two parts to be reserved by SG and KONEPS separately against the loss of the private key and not to be retrieved arbitrarily
Tender
Bidding price and other information are submitted after digitally signed and enveloped using the encryption certificate
Bid Evaluation
Bidding administrator opens the enveloped bidding price and predetermined prices using the private key of the security certificate and administrate the bidding
Every bidding price and evaluation relevant information must be stored in DB, digitally signed and enveloped until bid evaluation date Every bidding relevant process must be logged Each original document must be reserved for later verification
www.sgco.kr
19
No. 1
Description User visits a respective RA with certificate application form and his ID card RA conducts user identification RA manager registers information on user application form to CA As results on registration, reference number, authentication code and user manual are delivered to user User goes to RAs homepage to install Management S/W and create a key pair User enters the number and code and selects a storage medium and enter his certificate password in order to issue his certificate CA issues the certificate after confirming users request CA publishes the certificate issued to Directory server (Optional) CA delivers the certificate to user User saves the certificate to a storage medium he selected
2 3 4
Install Certificate 5 Management S/W Create Key pair
1 Registration
Request
3 User Registration
4 Authentication code/
User Manual Distribution
Reference number/
8 Publish
Certificate
9 Certificate Download User 10 Save Certificate (Certificate Authority Directory CA) Server (DS) Issue Certificate 7 9 10
www.sgco.kr
20
Smartcards
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
USB Tokens
21
Public Key
Private Key Key Manager System Divide Private Key Half Private Key Store
KONEPS
Half Private Key Store Bid Administrators Sign Certificate Key Manager System Bidding announcement + Encrypt Certificate E-Bidding System 22
www.sgco.kr
Bidder
KONEPS
Decrypt and Verify Signature for Send Message (Use Servers Private Key)
www.sgco.kr
Tender Award
Make Proposal
Signed and Envelope for Signed and Envelope for Proposal Send Message (use Servers (Use Bid executers encrypt Certificate) encrypt certificate)
Bid Executer
Bids Encrypt Private Key
Decrypt and Verify Signature for Propsal (Use Bids Private Key)
Award Result
23
Proposal
Company
Certification Authority
TSA
Check Closing
Organization
Bidding Administrator
www.sgco.kr
24
TS Client
DB
HSM
TSA Daemon
VID = H(H(IDN,R)
IDN : Resident Registration Number or Business Registration Number VID : Virtual ID H : Hash Algorithm
26
www.sgco.kr
CA
CRL HTTP(S) CRL CRL
CRL CRL
DS
CRL
OCSP
Certificate Verification < Authority Access Information Field > Certificate Certificate Verification
USER
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Server
27
Risk of changing information on transmission Risk of Denying a fact information transmit Risk of deceiving identity of sender
Application Development
Developer just call APIs to apply Developer just call APIs to apply PKI Functions to their Applications PKI Functions to their Applications
Servlet
PHP
CGI
JSP
Java Shared Object/Archive Class Library Cipher Module Certificate Module Signature Module
Client Toolkit
Server Toolkit
Toolkit provides easy ways for application developers to use cryptographic services
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
USER
TCP/IP HTTP
E-Procurement Server
Client
Certificate
Certificate
Server
Digital Signature
Authentication
Certificate
Integrity Confidentiality
HTML HTML
Certificate
Internet Browser
Non-Repudiation
WEB Server
Data Encryption
www.sgco.kr
29
Main Function
A function to confirm detailed information in a certificate A function to create and process electronic signature A function for cipher message creation and processing A function to verify certificate validity A function for electronic signature and encryption algorithms A function to get a certificate and directory access An Encryption process function for a certificate private key A function to confirm identification information in a certificate A function to read and write a certificate in a smart-card or a hard disk A function to manage certificates in each storage media A view function of the selected certificate An web-based user certification function An Web document (HTML) encryption function A function to support a script-based web server with JSP and PHP A function to support a script-based web server with ASP
30
Basic Certification
Certificate verification Algorithms Module Directory Module Private key Module Identification Module Storage Medium Module
User Interface
Web Security
www.sgco.kr
Contents
31
E-Government Framework
e-Government for National Development
Economic Development (G2B)
e-Customs e-Support for Foreign Firms e-Intellectual Property e-Procurement
Management
Organization Budget HRD Standards Security IT Management Privacy
Public Service(G2C)
e-Agriculture
Shared Services
Infrastructure
Public Key Infrastructure Public Access Point Government Information Network
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
32
long-term long-term Security plan Security plan Promotion Promotion Education Education Pilot Project Pilot Project RA RA Construction Construction
PKI Decree Requirements for PKI Decree Requirements for Recommendation PKI System Recommendation PKI System
Education & PKI Education & PKI Promotion Promotion Applications Applications
NPKI (National Public Key Infrastructure) NPKI (National Public Key Infrastructure)
Implementation steps
www.sgco.kr
33
Government
License PKI Model
Root CA
Accredited Certificate
Accredited CA
Certification Service
USER
34
Ministry of Knowledge & Economy Established in 1999/ revised in 2002, 2005, 2007 Legal effectiveness for digital documents
Ministry of Public Administration and Security (MOPAS) Established in 1999/ revised in 2001, 2005 Legal force clarification for a digital signature NPKI
Ministry of Public Administration and Security (MOPAS) Established in 2001 Regulations for official documents in government GPKI
www.sgco.kr
35
Government
MOPAS
Root CA
MOPAS (Ministry Of Public Administration and Security) Law & Policy arrangement National authentication plan management Licensed CA management KISA (Root CA) National authentication & system operation Field test for licensed CA accreditation Issue a certificate for a licensed CA
Licensed CA
1st 1st
SG
2nd 2nd
KOSCOM
3rd 3rd
KFTC
4th 4th
CROSSCERT
5th 5th
KTNET
Accredited CA Authentication management Provide CA service Certificate issuance Certificate termination / renewal
www.sgco.kr
36
Type
Entity
personal Corporate -
Usage Field
All e-transaction All e-transaction G2C, bank, insurance G2C, bank, insurance G4C, credit card
17,155,333
14,374,988
8,000,000 6,000,000 4,000,000 2,000,000 26,845 0 2000 2001 2002 2003 2004 2005 2006 2007 1,501,535 4,934,143
www.sgco.kr
37
Project Scope
The Establishment of National PKI and the Pilot Project of Digital Signature
Equipment Support Dispatch of Experts Trainees Invitation System Construction
38
Implementation Steps
Phase 1. Phase 1.
Preparations Preparations
Designing of PKI scheme Designing of PKI scheme Launching of PKI TFT Launching of PKI TFT Finding ways to finance Finding ways to finance
Phase 2. Phase 2.
Law & Regulation Setup Law & Regulation Setup Revision of IRR (E.S) Revision of IRR (E.S) Administrative Orders Administrative Orders Executive Orders Executive Orders
Phase 3. Phase 3.
PKI Center Construction PKI Center Construction PKI systems PKI systems Facilities Equipment Facilities //Equipment Operation guideline Operation guideline
Phase 5. Phase 5.
Phase 4. Phase 4.
Education & Promotion Education & Promotion Education & Training Education & Training Development of Development of Promotional policies Promotional policies
Planning of long-term Planning of long-term national PKI services national PKI services
www.sgco.kr
39
Cross Certification
Root CA Unit
Issuing certificates
Auditing Unit
Operation on ACA
Accredited CA
ACA
ACA
(ACA: Accredited CA)
RA
RA Management
Agency 1 Agency 1 Agency 2 Agency 2
RA Management
Agency N Agency N RA RA RA RA RA RA
Project Overview
The Establishment of National PKI and the Pilot Project of Digital Signature
Category
Construction of facilities Provision of Equipment
Contents
Root CA Government CA or Accredited CA Root CA, Government CA System Network system , System management system Physical equipment Experts Experts Experts Experts for for for for a master Plan regarding law and policy system and equipment installation PKI systems establishment PKI-enabled application development
www.sgco.kr
Proposed Schedule
Category M M+1 M+2 M+3 M+4 Year M+5 M+6
3 Weeks 12 Weeks 8 Weeks
M+7
2 Weeks
8 Weeks
Research
PKI Consulting
Equipment Installation
Maintenance
2 Weeks
www.sgco.kr
42
PKI Consulting
Project scope is the establishment of roadmap and guideline for PKI including objective model which can be derived from analyzing the subject of citizen, business, and government.
the guideline related to law of electronic signature. design the operational model of certification service plan for the designation and management of accredited CA Provide the operating know-how of CA System Provide the guideline build and operate the certification management system
Operation CA Systems
Electronic Signature Certification Technology provide plan for the best fit PKI system for country provide the guideline for S/W, H/W for certification services
Standards
provide certification practice statement provide the guideline of security plan for developing PKI provide examples of the successful applications using PKI
provide the guideline for national technology standard for certification technology provide the guideline how to use PKI in applications.
A/C
Air conditioner CCTV Fingerprint recognition Fire extinguisher Shock sensor Noise sensor 44
www.sgco.kr
H H
A/C
KGS, ROOT CA
DS (master) DS (replica)
UP S
Root CA Root CA
Access Management
H
U ID
N IC 1 NIC 2
A/C
U ID
N IC 1 NIC 2
Accredited CA Rack #2
Monitoring Rack
U ID
N IC 1 N IC 2
U ID
N IC 1 N IC 2
A/C
Certification center Pilot Operation Construction CA system PKI System installation Certification Policies Operator TrainingTest and Audit Unit/Integration Test for PKI software
Takeover after thorough audit for PKI software
CPS Guideline Guideline for operating the Certification Center. Successful cases of the applications using PKI
Concept training for general PKI-related skills Training for PKI system operation and maintenance Training for emergency measures when obstacles occur
www.sgco.kr
45
HSM
ARL Distribution
Homepage (WEB)
Government CA
Generates an e-signature generation key of Government CA Records Audits Issues/Reissues/Renews/Suspends/Revokes CA certificates Manages certificate policies and audits Certificate/ Certificate Issuance/ CRL HSM Management System(CA) Publication Publishes certificates Publishes certificate revocation lists/ suspension lists Provides search support via LDAP
CMP CA Administrator
LDAP
RA Administrator
Subscribers Subscribers
Subscriber Registration
Homepage (WEB)
PKI toolkits
E-Signature/ Encryption
www.sgco.kr
46
e-Government Applications
National Financing Information System - Based on Internet banking, etc
Electric document system - Interoperable with other systems Education Administration System -Teachers can assess with cert.
www.sgco.kr
47
Effectiveness of Expectations
PKI is making up the safe and trustful environment using electronic signature.
USER
Reduce the time and cost. Convenience of application like
Government
Increase the confidence and trust. Ensure interoperability of PKI
Corporation
Convert offline business to
online. Provide more secure and safe of service. Increase the trust of company.
Background
Law, Policies
Accredited CA
www.sgco.kr
Thank you!
49