3.security Issues in E-Procurement (PKI)

Security issues in E-Procurement (Public Key Infrastructure)
28th September 2009, Tunis

Senior Consultant, Mr. Young joo Ko (keyguard@signgate.com)
Contents
1. Necessity of National PKI 2. Security in e-Procurement system 3. Step of NPKI Establishment
Contents
www.sgco.kr
Copyright 1999-2009@SG Inc. All rights reserved
Need for Digital Signature

Industrial Society
Offline (face-to-face)
Informational Society
online
Problems
Risk of deceiving identity of sender Risk of changing information on transmission Risk of denying a fact information transmit Risk of exposing information on transmission
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Solutions
Authentication Integrity Non-repudiation Confidentiality Digital Signature Digital Signature Digital Signature Encryption
4
Public-Key Algorithm
Public Key System
Ke Kd Each user have public key (KUa) and private key (KRa). Public key open and private key keep secretly save. Use digital signature. RSA, Elgamal, ECC
sender
receiver
www.sgco.kr
Public-Key Algorithm
Authentication, Integrity, Non-Repudiation
Digital Signature Signing Sending Digital Signature verification
Message
Hash Algorithm
Hash Code
ty gri e Int Compare

Hash Code
Hash Algorithm
Password
Hash Code
Encrypted Private Key
p AES Re Decryption on N
ia ud
ion
Sign
Digital Signature
Verify
Public Key Private Key
nt he t Au Certificate
on at i ic
Verification Client Certificate
Sender
Receiver
6
Symmetric Algorithm
Mechanisms of Encryption and Decryption
M : plaintext C : cipher text E : Encryption Algorithm D : Decryption Algorithm, Ke : Encryption Key, Kd : Decryption Key
Symmetric Algorithm
Ke = Kd Use the same key between sender and receiver difficulty of key distribution DES, Skipjack, IDEA, FEAL, LOKI, GOST, SEED, AES
www.sgco.kr
Symmetric Algorithm
Confidentiality
Message Encryption Sending Message Decryption
Message
Cipher Text
Session Key
e fid n Co
ty ali nti
Message Cipher Text Session Key
Encrypted Session Key
Encrypted Session Key
Receiver Certificate
Public Key
Private Key
Sender
Receiver
8
Symmetric vs. Public-Key Cryptosystem

Index Key Type Encryption Key Decryption Key Encryption Algorithm Transfer of Private Key Number of Key Encryption Speed Key Distribution Symmetric Cryptosystem Encryption Key = Decryption Key Secret Secret DES/AES/SEED Need n(n-1)/2 High Difficult Public-Key Cryptosystem Encryption Key Decryption Key Public Secret RSA Need Not 2n Low Easy
Plain Plain text text
Encryption Encryption Algorithm Algorithm
Encrypted Encrypted Message Message
Plain Plain text text Check the truth of the Public key Public Repository
Encryption Encryption Algorithm Algorithm Public Key
Key generation Key generation Algorithm Algorithm
Use same Key Secret Key Decryption Decryption Algorithm Algorithm Decrypted Decrypted Message Message
Use Different key Private Key Decryption Decryption Algorithm Algorithm Decrypted Decrypted Message Message
www.sgco.kr
PKI (Public Key Infrastructure)?

PKI Accredited CA
Applications
System
System (CA, RA, DS, OCSP, TS, Firewall, IDS, SMS, NMS etc)
Operation
Killer Applications
Certification Center
Policy
CPS (Certification Practice Statement)

Electronic Signature Certification Technology PKI Standards CA Systems Law
IETF PKIX RFC RSA PKCS 1~15 Digital Signature, Hash, Encryption Algorithm
www.sgco.kr
Electronic Signature Act Electronic Transaction Basic Act Personnel Information Protection Act
10
Component of PKI
Personnel, policy, procedures, components and facilities to bind user names to electronic keys so that applications can provide the desired security services.
Server Cert
Server-side software
certificate repository PKI Server
Digital Signature
Certificate Authority
Directory Server
Client-side software
Registration Authority
Client Cert
PKI Client (PC/Phone/PDA)

11
PKI Center System Configuration

Internet Admin PC User Admin: Administrator Program User: User S/W CA: Certificate Authority Server RA: Registration Authority Server DS: Directory Server OCSP: Online Certificate Status Protocol Server VA: Validation Authority Server HSM: Hardware Security Module (Accelerator) TS: Time Stamp Module GPS: Time Accuracy Maintainer TSA: Time Stamp Authority Server DVCS: Data Validation Certification Server KRS: Key Roaming Server Etc.: Other Service Server
Firewall L4 Switch DS
TSA
TS
GPS Receiver RA
OCSP CA netHSM
DB
KRS/ Etc.
All networks and servers are double connected (Fault Tolerant)
www.sgco.kr
12
Identification and Signature

Real World
National ID Card
Name SSN Address Issued Date Finger Print : : : : : Young joo Ko XX0921-152XXXX SG, Seoul, Kr 2002/6/1
Cyberspace (Internet)
Accredited Certificate
Name Serial No Address Validity : : : : Young joo Ko 883XXX8377 SG, Seoul, Kr 2008/6/1~ 2009/5/31
CAs Signature
Public Key :
+
Encrypted Private Key
For Authentication Signature or Signature-seal
Digital Signature
Digital signature using asymmetric encryption / decryption method
Reusable
Impossible to reuse
13
Digital Certificates
"Certificate" means information in electronic form verifying and certifying the correspondence of a public key to a private key owned by a natural or juridical person. Certificate version Certificate serial number Signature algorithm id for CA Issuer X.500 name Validity period Subject X.500 name Subject public key info Issuer unique identifier Subject unique identifier Type Criticality Value Type Criticality Value Type Criticality CA Signature
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved 14
version 3 (2) 12345678
V1
RSA with SHA-1 cn=SignGATE CA,ou=Accredited CA,ou=KICA, c=KR start=01/01/08, expiry=12/31/09 cn=Ko,ou=Accredited CA,o=KICA,c=KR RSA with SHA-1 (not used) (not used)
V2
V3
Extensions
Value
Types of Certificates
The accredited certificate is issued by a CA, which in turn is designated by the government pursuant to the laws after thorough screening, to be used for various e-transactions.
Certificate Without Accreditation (or Private Certificate)

A certificate is issued by a certification organization that is not accredited by the government. It is used for a limited number of e-transactions
Category Accredited Certificate Certificate Without Accreditation
Level of technology Passage of thorough screening Impossible to verify and security pursuant to the law Legal effect Compensation Valid as provided by the laws Easy to get compensated Valid only by agreement Hard to get compensated Narrow
15
Scope of applicable Wide services

Contents
16
Issues of e-Procurement
Issues of e-procurement.
Off-Line Procurement The Agency Handy work process making mistakes (Negative) Needs much time for document management Issues On-Line Procurement The Agency
Difficult to verify user in on-line Breach information Easy to make forgery
Less mistakes No more paper documents Easily give procurement information
A Subscriber Complex and time consumption Difficult and inefficiently Prepare many document
A Subscriber
Repudiate transactions
Can be used anywhere , anytime(24h). Easily present document to agencies Easily join the bidding
17
Security of e-Bidding
KONEPS
e-Bidding Server e-Bidding Server With security add-on With security add-on for Web Application Server for Web Application Server
Integrity Authentication
Verify forgery and modification bid document
Company Authentication
Company identity Ban a bid of illegal company
Accuracy dead line by time stamping

Prevention of troubles for the bidding deadline Fairness for a time and grant legal force
Non-repudiation
Non-repudiation for Nonsending a tender
www.sgco.kr
18
Overall e-Bidding Processes secured by PKI
Bid Invitation
SG as a trusted third party issues a encryption certificate for each bidding announcement Private key of the security certificate must be stored only in the bidding administrators PC Private key is divided into two parts to be reserved by SG and KONEPS separately against the loss of the private key and not to be retrieved arbitrarily
Tender
Bidding price and other information are submitted after digitally signed and enveloped using the encryption certificate
Making multiple Predetermined price

Financier makes multiple predetermined prices in his PC The predetermined prices are submitted after digitally signed and enveloped using the encryption certificate
Bid Evaluation
Bidding administrator opens the enveloped bidding price and predetermined prices using the private key of the security certificate and administrate the bidding
Every bidding price and evaluation relevant information must be stored in DB, digitally signed and enveloped until bid evaluation date Every bidding relevant process must be logged Each original document must be reserved for later verification
www.sgco.kr
19
Certificate Issuance Process for Bidder

Certificate Issuance Process for the company
Note
On-line Off-line
2 Identification Registration Authority(RA)
No. 1
Description User visits a respective RA with certificate application form and his ID card RA conducts user identification RA manager registers information on user application form to CA As results on registration, reference number, authentication code and user manual are delivered to user User goes to RAs homepage to install Management S/W and create a key pair User enters the number and code and selects a storage medium and enter his certificate password in order to issue his certificate CA issues the certificate after confirming users request CA publishes the certificate issued to Directory server (Optional) CA delivers the certificate to user User saves the certificate to a storage medium he selected
2 3 4
Install Certificate 5 Management S/W Create Key pair
1 Registration
Request
3 User Registration
4 Authentication code/
User Manual Distribution
Reference number/
5 Issue Online Certificate 6 7
6 Certificate Issuance Request (CMP)
8 Publish
Certificate
9 Certificate Download User 10 Save Certificate (Certificate Authority Directory CA) Server (DS) Issue Certificate 7 9 10
www.sgco.kr
20
Two-factor Authentication to log-on

Independently of the user type(bidder, bid administrator) twofactor authentication is the expected minimal level of authentication for log-on to the e-procurement system Best uesr authentication method in log-on to the system relies on something you know(e.g dedicated PIN code or certificate password), supplemented by an additional something you have authentication factor in order to implement two-factor authentication Also to log-on to the system user should be able to generate proper digital signature for the random value which is send by e-procurement system to prevent replay attack.
Smartcards
USB Tokens
21
Key Management System

Administrators encryption certificate is issued on bidding announcement and stored in the bidding Administrators encryption certificate is issued on bidding announcement and stored in the bidding administrators PC administrators PC Private key of the encryption certificate is divided and reserved by SG and KONEPS separately Private key of the encryption certificate is divided and reserved by SG and KONEPS separately against the loss of the private key and not to be retrieved arbitrarily against the loss of the private key and not to be retrieved arbitrarily Bid Administrators PC
Insert Bidding announcement Encrypt Certificate Issue
Encrypt Certificate Issue Encrypt Certificate Server
SG(Korea Information Certificate Authority)
Public Key
Private Key Key Manager System Divide Private Key Half Private Key Store
KONEPS
Half Private Key Store Bid Administrators Sign Certificate Key Manager System Bidding announcement + Encrypt Certificate E-Bidding System 22
Signature for Bidding announcement
www.sgco.kr
Process of Securing Bidding Documents in eBidding System

Bidding documents are submitted after digitally signed and enveloped Bidding documents are submitted after digitally signed and enveloped KONEPS e-Procurement system checks integrity of the bidding documents and stores the enveloped KONEPS e-Procurement system checks integrity of the bidding documents and stores the enveloped documents in DB documents in DB On bidding evaluation the documents are opened and integrity of the documents are verified using On bidding evaluation the documents are opened and integrity of the documents are verified using digital signature digital signature
Bidder
KONEPS
Decrypt and Verify Signature for Send Message (Use Servers Private Key)
www.sgco.kr
Tender Award
Make Proposal
Signed and Envelope for Signed and Envelope for Proposal Send Message (use Servers (Use Bid executers encrypt Certificate) encrypt certificate)
Signed and Encrypted Proposal data store
Bid Executer
Bids Encrypt Private Key
Decrypt and Verify Signature for Propsal (Use Bids Private Key)
Award Result
23
Time Stamping Protocol (TSP)

Guarantee timely fairness and transparency through timestamp service provided by accredited CA
Need for the proof of existence of certain data Need for the proof of existence of certain data Time-sensitive service Time-sensitive service Bidding end date and time Bidding end date and time Bidding documents submission date and time Bidding documents submission date and time KONEPS
E-Bidding System Timestamp Service
Proposal
Company
Certification Authority
TSA
Check Closing
Organization
Bidding Administrator
www.sgco.kr
24
Time Stamping Protocol (TSP)

TSA (Time Stamping Authority)
- The TSA's role is to time-stamp a datum to establish evidence indicating that a datum existed before a particular time. - can used to verify that a digital signature was applied to a message before the corresponding certificate was revoked - can also be used to indicate the time of submission when a deadline is critical, or to indicate the time of transaction for entries in a log.
Time Stamp Authority
WinSync GPS satellite
TS Client
Request Timestamping Token Timestamping Token
DB
HSM
Audit/ Management Admin

25
TSA Daemon
E-Procurement System www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Online Certificate Owner Verification

Subscriber Identification Base on Virtual ID
- Virtual ID is a the certificate user's unique identifier. - Virtual ID is a form of a hash value.
< Private Key include Random Number >
Information for Identification
< Certificate for Digital Signing > Verification Method
VID = H(H(IDN,R)
IDN : Resident Registration Number or Business Registration Number VID : Virtual ID H : Hash Algorithm
26
www.sgco.kr
Online Certificate Status Protocol (OCSP)

Online Certificate Status Protocol (OCSP)
- OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. - OCSP can confirm a current status of the certificate immediately.
CRL Publish
CA
CRL HTTP(S) CRL CRL
CRL CRL
DS
CRL
CRL File CRL Publisher
OCSP
Certificate Verification < Authority Access Information Field > Certificate Certificate Verification
USER
< OCSP Structure >
Server
27
What is PKI Crypto Toolkit(1/2)

Problems of Electronics transaction
Risk of exposing information on transmission
Problem of Electronics transaction Confidentiality Confidentiality Integrity Integrity Non-Repudiation Non-Repudiation Authentication Authentication
Risk of changing information on transmission Risk of Denying a fact information transmit Risk of deceiving identity of sender
Cryptographic Library (Toolkit)

HTML java script Client Application Visual Power Basic Builder C/C++ COM Crypto API Server Application
Application Development
Developer just call APIs to apply Developer just call APIs to apply PKI Functions to their Applications PKI Functions to their Applications
Servlet
PHP
CGI
JSP
Standard JCE / JCA Interface
Java Java App. App.
PHP PHP App. App.
ASP ASP App. App.
Other Other App. App.
Dynamic Link Library Cipher Module Certificate Module Signature Module
Java Shared Object/Archive Class Library Cipher Module Certificate Module Signature Module
Cryptographic Library ( Toolkit ) PKI Core Module

28
Client Toolkit
Server Toolkit
Toolkit provides easy ways for application developers to use cryptographic services
What is PKI Crypto Toolkit(2/2)

INTERNET
USER
TCP/IP HTTP

E-Procurement Server
Client
Certificate
Certificate
Server
Client Crypto Toolkit (Active-X)
Digital Signature
Server Crypto Toolkit (JAVA)
Authentication
Certificate
Integrity Confidentiality
HTML HTML
Certificate
Internet Browser
Non-Repudiation
WEB Server
Client Crypto Toolkit (Active-X)
Data Encryption
Server Crypto Toolkit (JAVA)
www.sgco.kr
29
Functions of PKI Crypto Toolkit

Classification section
Certificate Information Confirmation Electronic Signature Creation Cipher Message Creation
Main Function
A function to confirm detailed information in a certificate A function to create and process electronic signature A function for cipher message creation and processing A function to verify certificate validity A function for electronic signature and encryption algorithms A function to get a certificate and directory access An Encryption process function for a certificate private key A function to confirm identification information in a certificate A function to read and write a certificate in a smart-card or a hard disk A function to manage certificates in each storage media A view function of the selected certificate An web-based user certification function An Web document (HTML) encryption function A function to support a script-based web server with JSP and PHP A function to support a script-based web server with ASP
30
Basic Certification
Certificate verification Algorithms Module Directory Module Private key Module Identification Module Storage Medium Module
User Interface
Certificate Selection Certificate View Certification Process Function
Web Security
Encryption Function Supporting Language
www.sgco.kr
Contents
31
E-Government Framework
e-Government for National Development
Economic Development (G2B)
e-Customs e-Support for Foreign Firms e-Intellectual Property e-Procurement
Management
Organization Budget HRD Standards Security IT Management Privacy
Public Service(G2C)
e-Agriculture
e-Land Registry e-National ID
Public Admin. Reform(G2G) Database
Shared Services
National ID DB Land Resources DB
Infrastructure
Public Key Infrastructure Public Access Point Government Information Network
32
Framework of National PKI

CPS CPS Framework Framework Implementation Implementation Planning Planning Organization of Organization of PKI TFT PKI TFT
PKI Standards PKI Standards Accreditation Accreditation Generals Generals
Operation Operation Requirements Requirements
long-term long-term Security plan Security plan Promotion Promotion Education Education Pilot Project Pilot Project RA RA Construction Construction
Facilities and Facilities and Equipment Equipment
PKI Scheme PKI Scheme Preparation Preparation
PKI Decree Requirements for PKI Decree Requirements for Recommendation PKI System Recommendation PKI System
Law & Law & Regulations Regulations
PKI Center PKI Center
Education & PKI Education & PKI Promotion Promotion Applications Applications
NPKI (National Public Key Infrastructure) NPKI (National Public Key Infrastructure)
Implementation steps
www.sgco.kr
33
Setup of Infrastructure for Internet Security

Establishment Law (Electronic Signature), PKI Standards
Government
License PKI Model
Law, Policy, Standards
Building PKI Center
Root CA
Accredited CA
Certification Service
Developing PKI enabled Applications
E-procurement, Internet Banking, E-commerce, etc
Application Service organizations or companies

Accredited Electronic Signature
To establish safe and reliable Information society

USER
34
Related law and Policy in Korea
Electronic Trade Basic Law
Ministry of Knowledge & Economy Established in 1999/ revised in 2002, 2005, 2007 Legal effectiveness for digital documents
Digital Signature Law
Ministry of Public Administration and Security (MOPAS) Established in 1999/ revised in 2001, 2005 Legal force clarification for a digital signature NPKI
Digital Government Law
Ministry of Public Administration and Security (MOPAS) Established in 2001 Regulations for official documents in government GPKI
www.sgco.kr
35
PKI System organization in Korea
Government
MOPAS
Root CA
Digital Signature Authentication Management Center

Korea Information Security Agency
MOPAS (Ministry Of Public Administration and Security) Law & Policy arrangement National authentication plan management Licensed CA management KISA (Root CA) National authentication & system operation Field test for licensed CA accreditation Issue a certificate for a licensed CA
Licensed CA
1st 1st
SG
2nd 2nd
KOSCOM
3rd 3rd
KFTC
4th 4th
CROSSCERT
5th 5th
KTNET
Accredited CA Authentication management Provide CA service Certificate issuance Certificate termination / renewal
www.sgco.kr
36
Number of accredited certificates in Korea

(Scale: number)
18,000,000 16,000,000
specific General
Type
Entity
personal Corporate -
Usage Field
All e-transaction All e-transaction G2C, bank, insurance G2C, bank, insurance G4C, credit card
17,155,333
14,374,988
14,000,000 12,000,000 10,000,000
11,000,073 9,479,919 7,824,368
8,000,000 6,000,000 4,000,000 2,000,000 26,845 0 2000 2001 2002 2003 2004 2005 2006 2007 1,501,535 4,934,143
Number of annual issuance of certificates (2008, published by KISA)
www.sgco.kr
37
Project Scope
The Establishment of National PKI and the Pilot Project of Digital Signature
Equipment Support Dispatch of Experts Trainees Invitation System Construction
Root CA Government CA or Accredited CA Interoperability

CPS Identification Guidelines Digital Signature and Encryption based technologies
Public Key Infrastructure

PKI standards (International and domestic)
IETF4) RFC5) PKIX Standard RSA PKCS6) Standard Electronic Signature Certification Technologies (Certificate and CRL profile, Certificate Management Protocol, Hash, Encryption, Digital Signature algorithm) 1) IETF : Internet Engineering Task Force, 2) RFC : Request For Comments 3) PKCS : Public Key Cryptography Standard www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Law and Regulations

Electronic Signature Act, Decrees and Ordinances CPS (Certificate Practice Statements) Operation guidelines for a PKI Center
38
Implementation Steps
Phase 1. Phase 1.
Preparations Preparations
Designing of PKI scheme Designing of PKI scheme Launching of PKI TFT Launching of PKI TFT Finding ways to finance Finding ways to finance
Phase 2. Phase 2.
Law & Regulation Setup Law & Regulation Setup Revision of IRR (E.S) Revision of IRR (E.S) Administrative Orders Administrative Orders Executive Orders Executive Orders
Phase 3. Phase 3.
PKI Center Construction PKI Center Construction PKI systems PKI systems Facilities Equipment Facilities //Equipment Operation guideline Operation guideline
Phase 5. Phase 5.
PKI Application PKI Application Development Development
Phase 4. Phase 4.
Education & Promotion Education & Promotion Education & Training Education & Training Development of Development of Promotional policies Promotional policies
National PKI National PKI
Pilot project Pilot project RA Constructions RA Constructions
Planning of long-term Planning of long-term national PKI services national PKI services
www.sgco.kr
39
Proposed PKI Scheme

Accreditation
Accreditation Unit Foreign Certification Authority

Operation on Root CA Annual Auditing
Cross Certification
Root CA Unit
Issuing certificates
Auditing Unit
Operation on ACA
Accredited CA
ACA
ACA
(ACA: Accredited CA)
RA
RA Management
Agency 1 Agency 1 Agency 2 Agency 2
RA Management
Agency N Agency N RA RA RA RA RA RA
Subscribers Special Purpose certificates

Subscribers General Purpose certificates

40
Project Overview
The Establishment of National PKI and the Pilot Project of Digital Signature
Category
Construction of facilities Provision of Equipment
Contents
Root CA Government CA or Accredited CA Root CA, Government CA System Network system , System management system Physical equipment Experts Experts Experts Experts for for for for a master Plan regarding law and policy system and equipment installation PKI systems establishment PKI-enabled application development
Dispatch of Korean experts Technical trainings for your personnel in Korea
Training for Operators Training for Managers Training for Developers

41
www.sgco.kr
Proposed Schedule
Category M M+1 M+2 M+3 M+4 Year M+5 M+6
3 Weeks 12 Weeks 8 Weeks
M+7
M+8 M+9 M+10 M+11 2 Years
Dispatch of Korean experts Local
2 Weeks
8 Weeks
Research
PKI Consulting
Equipment Installation
PKI System Establishment
PKI Pilot Project
Maintenance
Development of PKI System
PKI System development
Provision of Equipment Order
Inspection Shipping Equipment Equipment in Korea equipment Installation

2 Weeks 2 Weeks
Technical training in Korea
2 Weeks
Training for Managers
Training for operators
Training for Administrator
www.sgco.kr
42
PKI Consulting
Project scope is the establishment of roadmap and guideline for PKI including objective model which can be derived from analyzing the subject of citizen, business, and government.
the guideline related to law of electronic signature. design the operational model of certification service plan for the designation and management of accredited CA Provide the operating know-how of CA System Provide the guideline build and operate the certification management system
Law Policy PKI
Operation CA Systems
Electronic Signature Certification Technology provide plan for the best fit PKI system for country provide the guideline for S/W, H/W for certification services
Standards
provide certification practice statement provide the guideline of security plan for developing PKI provide examples of the successful applications using PKI
provide the guideline for national technology standard for certification technology provide the guideline how to use PKI in applications.
Global Technology provision provide overview of the overall PKI technology

www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved 43
PKI Equipment Installation

PKI Center PKI Center
A/C Root CA Rack Accredited CA Rack #1
A/C
Air conditioner CCTV Fingerprint recognition Fire extinguisher Shock sensor Noise sensor 44
www.sgco.kr
KGS, CA, DB, RA
H H
A/C
KGS, ROOT CA
DS (master) DS (replica)
UP S
Root CA Root CA
Access Management
NMS, SMS, Backup, DNS, WEB
H
U ID
N IC 1 NIC 2
A/C
U ID
N IC 1 NIC 2
Accredited CA Rack #2
Monitoring Rack
U ID
N IC 1 N IC 2
U ID
N IC 1 N IC 2
A/C
PKI System Establishment(1/2)

Delivering how to operate the Certification System Providing the guideline on Certification System construction and operation Pilot operation of services issuing certificates Checking system operation by an operator and compensating for week points Providing the most suitable Certification System for country Providing the best hardware and software for certification services
Certification center Pilot Operation Construction CA system PKI System installation Certification Policies Operator TrainingTest and Audit Unit/Integration Test for PKI software
Takeover after thorough audit for PKI software
CPS Guideline Guideline for operating the Certification Center. Successful cases of the applications using PKI
Concept training for general PKI-related skills Training for PKI system operation and maintenance Training for emergency measures when obstacles occur
www.sgco.kr
45
PKI System Configuration(2/2)

Root CA
Generates an e-signature generation key of Root CA Records audits Issues/Reissues/Renews/Suspends/Revokes Root CA certificates Manages certificate policies and audits Publish ARLs Publishes CPS
Key Generation System
HSM
Certificate Issuance/ Management System(Root CA) Certificate Authority Certificate
ARL Distribution
Homepage (WEB)
Government CA
Generates an e-signature generation key of Government CA Records Audits Issues/Reissues/Renews/Suspends/Revokes CA certificates Manages certificate policies and audits Certificate/ Certificate Issuance/ CRL HSM Management System(CA) Publication Publishes certificates Publishes certificate revocation lists/ suspension lists Provides search support via LDAP
Key Generation System
Directory System Subscriber Server CRL CRL/ Certificate Policy
Registers/Modifies/Deletes/Views user information Revokes/Suspends/Recovers certificates
CMP CA Administrator
LDAP
RA Administrator
Registration Management System (RA)

Certificate Issue
Server Certificate Issue Server Certificate Registration
Manages user certificates Publishes CPS
Subscribers Subscribers
Subscriber Registration
Server Service Servers PKI toolkits
Homepage (WEB)
PKI toolkits
E-Signature/ Encryption
www.sgco.kr
46
PKI-enabled Application Development

Regional Administration - Service for counties - Access with certificates Taxation - National Tax Agency - Access with certificates Petition Service - Identify oneself online by certificates Personal Management inside Government - All employees inside Government Digital Signature & Seal -Distribute certificates -Develop and enhance system adopting certificates E-Supply (G2B) - Online bidding with certificate
e-Government Applications
National Financing Information System - Based on Internet banking, etc
Public Key Infrastructure

(PKI Center)
Enhance computerization - Sharing national resource information 4 Major Insurances data exchange - Labor, Medical care, Pension, Industrial disaster - Internet access with certificate
Electric document system - Interoperable with other systems Education Administration System -Teachers can assess with cert.
www.sgco.kr
47
Effectiveness of Expectations
PKI is making up the safe and trustful environment using electronic signature.
National PKI Establishment

Win (User) Win (Government) Win (Company)
USER
Reduce the time and cost. Convenience of application like
Government
Increase the confidence and trust. Ensure interoperability of PKI
Corporation
Convert offline business to
Online Civil Service, Internet Banking etc.
infrastructure with other Government. Establishment of National Security Plan.
online. Provide more secure and safe of service. Increase the trust of company.
Background
Law, Policies
Standards & Technology
Accredited CA
PKI enabled Applications

48
www.sgco.kr
Thank you!
Young-joo Ko Senior Consultant/Global Business Task Force E. keyguard@signgate.com T. +82-2-360-3215
49

3.security Issues in E-Procurement (PKI)

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

3.security Issues in E-Procurement (PKI)

Uploaded by

Copyright:

Available Formats

Security issues in E-Procurement (Public Key Infrastructure)

28th September 2009, Tunis

1. Necessity of National PKI 2. Security in e-Procurement system 3. Step of NPKI Establishment

1. Necessity of National PKI 2. Security in e-Procurement system 3. Step of NPKI Establishment

Copyright 1999-2009@SG Inc. All rights reserved

Need for Digital Signature

Copyright 1999-2009@SG Inc. All rights reserved

ty gri e Int Compare

Encrypted Private Key

Public Key Private Key

Verification Client Certificate

Copyright 1999-2009@SG Inc. All rights reserved

Message Cipher Text Session Key

Encrypted Session Key

Encrypted Session Key

Symmetric vs. Public-Key Cryptosystem

Plain Plain text text

Encryption Encryption Algorithm Algorithm

Encrypted Encrypted Message Message

Encryption Encryption Algorithm Algorithm Public Key

Encrypted Encrypted Message Message

Key generation Key generation Algorithm Algorithm

Encrypted Encrypted Message Message

Encrypted Encrypted Message Message

Copyright 1999-2009@SG Inc. All rights reserved

PKI (Public Key Infrastructure)?

CPS (Certification Practice Statement)

Copyright 1999-2009@SG Inc. All rights reserved

certificate repository PKI Server

PKI Client (PC/Phone/PDA)

PKI Center System Configuration

All networks and servers are double connected (Fault Tolerant)

Copyright 1999-2009@SG Inc. All rights reserved

Identification and Signature

For Authentication Signature or Signature-seal

version 3 (2) 12345678

Certificate Without Accreditation (or Private Certificate)

Scope of applicable Wide services

1. Necessity of National PKI 2. Security in e-Procurement system 3. Step of NPKI Establishment

Difficult to verify user in on-line Breach information Easy to make forgery

Less mistakes No more paper documents Easily give procurement information

Accuracy dead line by time stamping

Copyright 1999-2009@SG Inc. All rights reserved

Overall e-Bidding Processes secured by PKI

Making multiple Predetermined price

Copyright 1999-2009@SG Inc. All rights reserved

Certificate Issuance Process for Bidder

2 Identification Registration Authority(RA)

5 Issue Online Certificate 6 7

6 Certificate Issuance Request (CMP)

Copyright 1999-2009@SG Inc. All rights reserved

Two-factor Authentication to log-on

Key Management System

SG(Korea Information Certificate Authority)

Signature for Bidding announcement

Copyright 1999-2009@SG Inc. All rights reserved

Process of Securing Bidding Documents in eBidding System

Signed and Encrypted Proposal data store

Copyright 1999-2009@SG Inc. All rights reserved

Time Stamping Protocol (TSP)

Copyright 1999-2009@SG Inc. All rights reserved

Time Stamping Protocol (TSP)

Request Timestamping Token Timestamping Token