Prof.Dr.Victor PATRICIU, ROMANIA ITU- E-Commerce Centers for the CEE, CIS & Baltic States Regional Seminar on E-Commerce May, 14-17, 2002, Bucharest, ROMANIA Trust & Security in E-Commerce Professor Dr. VICTOR-VALERIU PATRICIU Bucharest, ROMANIA


Trust & Security in E-Commerce

Professor Dr. VICTOR-VALERIU PATRICIU, Bucharest, ROMANIA

Contents

• Trust Infrastructure for E-Commerce

• PKI Technology for Trusting E-commerce
  - New Cryptography Basics
  - PKI basic principles & Architectures
  - Digital certificates & Certificate Authorities
  - CRLs
  - Applications

• PKI & CSP Legislation & Regulation
  - Certification Policies & Practices
  - PKI & CSP Assessment & Accreditation
  - Legislation, Regulation & Guidelines
  - EU Electronic Signature Directive

• Romanian legislation on electronic signature
  - Romanian Law on Electronic Signature
  - Government’s Decree for Electronic Signature Application

A Trust Infrastructure for E-Commerce

• Electronic commerce promises vast revenues;

• It looks attractive in theory, but the truth is that:
  - only a small percentage use e-commerce services, and an even smaller percentage use them regularly;

• Diverse sectors – IT, telecommunications, financial institutions, retailers and governments – are driving towards a future where we conduct transactions electronically: every day, anytime and anywhere;

A Trust Infrastructure for E-Commerce

• But all of this comes to nought until one crucial obstacle is overcome – the question of security;

• Fraudsters & hackers will actively target all e-commerce services, service providers and the infrastructure;

• Security weaknesses become a major concern when conducting online transactions over the Internet, because these involve:
  - sensitive financial details for online payment;
  - trade secrets and other confidential information;
  - privacy of e-commerce actions: paying bills, trading stocks and shares, filing income tax returns, conducting legal transactions and voting in government elections;

A Trust Infrastructure for E-Commerce

• Trust Services are an emerging enabler for e-commerce.

• They deliver trust & confidence at various stages of business interaction, including:
  - establishing and maintaining trust,
  - negotiations,
  - contract formation,
  - fulfilment,
  - dispute resolution.

• There are significant technical, legal and business problems.

• Trust Service Providers must:
  - be accountable for the service they provide;
  - be around for the long term (disputes can occur years after the transaction);
  - have a trust infrastructure;
  - offer services that make life simpler for e-commerce participants.

A Trust Infrastructure for E-Commerce

• It is not yet very clear what the range of trust services will be.

• They can certainly be expected to include services to support trust establishment, negotiation, agreement and fulfilment:
  - Identity services
  - Authorisation service
  - Anonymity services
  - Trust rating and recommendation services
  - Assured message delivery
  - Auditable receipt generation
  - Storage (archival)
  - Notarisation
  - Delivery (storage & notarization)
  - Timestamping services
  - E-signature

A Trust Infrastructure for E-Commerce

Example of Trust Services required for:

• Negotiating a contract
• Contract signing

A Trust Infrastructure for E-Commerce

Table: Trust Services (rows) required in each Business phase (columns: Contact Exchange, Find Partners, Credibility Check, Negotiating, Contract Signing). The column position of each "yes" is not preserved in this copy.

Authentication: yes
Authorization: yes
Assured Messag.: yes, yes, yes
Secure Storage: yes, yes
Timestamping: yes, yes, yes
E-Signature: yes, yes, yes
Certification/Rating: yes, yes

PKI Technology for Trusting E-Commerce

• Public Key Infrastructure (PKI) technology has emerged as the most reliable framework for ensuring Security and Trust over the Internet.

• It is based on the principle of Asymmetric Cryptography.

• In the PKI model:
  - A Key is a long string of data used to encrypt or decrypt a given piece of information.
  - Every user has a unique key pair – the Public Key and the corresponding Private Key.
  - The private key is kept confidential, whereas the public key is made available to the public.
  - Messages encrypted with a Public Key can only be decrypted with the corresponding Private Key, and vice-versa.
  - The Public Key is predominantly used for encryption and the private key for Digital Signatures.

PKI Technology for Trusting E-Commerce
- Public Key Cryptography -

• Public key cryptography: for every person a key pair:
  - Public key (for encryption or signature verification)
  - Private key (for decryption or signature creation)

PKI Technology for Trusting E-Commerce
- Digital Signatures -

PKI Technology for Trusting E-Commerce
- Pillars of Trust -

• PKI is the only security and trust framework that fulfils the four vital requirements of e-commerce, known as the Four Pillars of Trust:
  - Authentication: the means of identification employed. For e-Commerce transactions, the absence of face-to-face interaction creates the need for a foolproof method of identification. PKI offers the most secure means of authentication available today through Digital Certificates.
  - Confidentiality: Secure transmission of data over open networks and preventing data access by unauthorized entities is of paramount importance. PKI ensures confidentiality through the use of time-tested Encryption Algorithms.
  - Integrity: Data transferred through open networks should not be altered or modified during transit. Integrity of data is ensured through Data Hashing.
  - Non-Repudiation: It is necessary to ensure that the sender does not disown data sent. There should be a trustworthy means to guarantee the ownership of the electronic document. PKI ensures non-repudiation through the use of Digital Signatures.

PKI Technology for Trusting E-Commerce
- Certification Authorities -

Key Distribution

PKI Technology for Trusting E-Commerce
- ITU X.509 v3 Digital Certificate -

PKI Technology for Trusting E-Commerce
- PKI Architecture -

• PKI: a set of components (hardware & software) that work together for using public-key technology

• CA: a trusted authority which provides a statement (the Digital Certificate) that the enclosed public key belongs to the person whose name is attached

• CA: a central administration that issues certificates:
  - organization to its employees
  - company to its employees
  - university to its students
  - public CA (like VeriSign)

PKI Technology for Trusting E-Commerce
- CA Hierarchies -

[Figure: CA hierarchy, with nodes labelled Root CA and CA]

PKI Technology for Trusting E-Commerce
- Certificate Revocation Lists (CRLs) -

• A certificate must be revoked when:
  - the private key pair is compromised;
  - the private key pair is lost;
  - a person leaves the company.

• All users can then know to no longer trust the certificate;

• Relying parties are expected to check the CRL before using a certificate;

• Use a sufficiently scalable and powerful CR server. If a CRL is being used by applications for certificate validation, provisions must be in place for adequate availability of the CRL service (or applications should incorporate some backup procedures in case the CRL service is unavailable).

• OCSP (Online Certificate Status Protocol): asks the issuing CA whether a certificate is still valid (response: YES/NO).
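The relying-party check and the backup procedure for an unavailable CRL service, as an added example that is not part of the original slides. The `CRL` record, the `fetch` callable and all sample values are constructed for illustration, and the CRL is assumed to have been signature-checked against the issuing CA already.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # relying party must not accept the certificate


@dataclass
class CRL:
    """Simplified CRL record (hypothetical structure, not a real X.509 parser)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict          # serial number -> reason for revocation


class RevocationChecker:
    def __init__(self, fetch):
        self.fetch = fetch   # callable(issuer) -> CRL; raises OSError on outage
        self.cache = {}      # last CRL seen per issuer: the backup procedure

    def check(self, issuer, serial, now):
        try:
            crl = self.fetch(issuer)
            self.cache[issuer] = crl
            source = "live"
        except OSError:
            crl = self.cache.get(issuer)
            source = "cached"
        if crl is None:
            return Status.UNKNOWN, "CRL service unavailable and no cached CRL"
        if crl.issuer != issuer:
            return Status.UNKNOWN, "CRL was issued by a different CA"
        if serial in crl.revoked:
            # Being listed is enough to reject, even if this copy is past next_update.
            return Status.REVOKED, f"{crl.revoked[serial]} ({source} CRL)"
        if now >= crl.next_update:
            # Fail closed: an expired list cannot prove the certificate is still good.
            return Status.UNKNOWN, f"{source} CRL expired, newer revocations may exist"
        return Status.GOOD, f"not listed in {source} CRL"


# --- constructed sample data ---
ISSUER = "CN=Example CA"
T0 = datetime(2002, 5, 14, 9, 0, tzinfo=timezone.utc)
SAMPLE_CRL = CRL(
    issuer=ISSUER,
    this_update=T0,
    next_update=T0 + timedelta(days=1),
    revoked={
        0x1001: "private key compromised",
        0x1002: "private key lost",
        0x1003: "person left the company",
    },
)


class FlakyServer:
    """Stand-in for a CRL distribution point that can be switched off."""
    def __init__(self, crl):
        self.crl = crl
        self.up = True

    def __call__(self, issuer):
        if not self.up:
            raise OSError("CRL distribution point unreachable")
        return self.crl


def demo():
    server = FlakyServer(SAMPLE_CRL)
    checker = RevocationChecker(server)
    hour = timedelta(hours=1)
    results = [checker.check(ISSUER, 0x2000, T0 + hour)]           # live, not listed
    server.up = False                                              # outage begins
    results.append(checker.check(ISSUER, 0x1001, T0 + 2 * hour))   # cached, listed
    results.append(checker.check(ISSUER, 0x2000, T0 + 2 * hour))   # cached, still fresh
    results.append(checker.check(ISSUER, 0x2000, T0 + 48 * hour))  # cached, expired
    return [status for status, _ in results]


if __name__ == "__main__":
    print(demo())
```

During the outage the cached list still answers until its `next_update`; after that the checker returns `UNKNOWN` rather than `GOOD`.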

Standards that rely on a PKI

• S/MIME: PKI for digitally signing and encrypting messages and attachments

• SSL/TLS: secure access to Web Servers

• SET: secure electronic bankcard payments

• IPSec: in VPN for encryption & authentication

PKI Applications in Securing E-commerce

• Securing e-Business applications
  - Online Auction Markets / Exchange Sites
  - Online Procurement Solutions & Web Catalogues
  - Corporate Purchasing
  - Online Contracting
  - Security solutions for traditional EDI
  - Online delivery of intellectual products

• Secure e-Governance
  - Security solutions for government documentation
  - Online tax filing and payment solutions
  - Online payment of public utility charges and government levies
  - Online application and receipt of government approvals

PKI Applications in Securing E-commerce

• Security solutions for e-Banking
  - Electronic Funds Transfer / Payments
  - Trade Finance / Letter of Credit
  - Bill Presentment and Payment
  - Statement Delivery

• Securing Electronic Office Applications
  - Transformation to paperless office systems through digital signatures
  - Encryption
  - Archiving facilities for document storage
  - Secure E-mail Communication

PKI Applications in Securing E-commerce

• Security solutions for healthcare
  - Secure delivery of online medical advice
  - Storage and authenticated access to health Records
  - Privacy solutions for medical transcriptions

• Security solutions for education
  - Security & authentication solutions for distance education and online examinations
  - Security solutions for electronic certificates and credentials
  - Online university application solutions
  - Solutions for student identity along with smart cards

Legislation & Regulation

Legal and regulatory problems to be solved:

• Certification Policies & Practices for: Public CAs (Certificate Service Providers, CSP) and Organizational CAs

• PKI & CSP Assessment & Accreditation, with widely accepted criteria from national/international bodies

• Legislation, Regulations & Guidelines for PKI & electronic signatures

Certification Policies & Practices

CPs and CPSs are tools to help establish trust in interactions between Certification Authorities (CAs) and permit cross-certification, i.e., trusting other CAs' certificates.

CPs help answer questions such as:
• what can the certificate be used for?
• which algorithms have been used?

CPSs help answer questions such as:
• how are users enrolled by the CA?
• how is the CA managed?

RFC 2527: framework for CP & CPS structure.

Certification Policies & Practices

GENERAL PROVISIONS
  - OBLIGATIONS
      CA obligations
      RA obligations
      Subscriber obligations
  - REQUIREMENTS FOR ISSUING TO NON-US GOVERNMENT SUBSCRIBERS
  - INTERPRETATION AND ENFORCEMENT
  - PUBLICATION AND REPOSITORY
  - CONFIDENTIALITY
  - INTELLECTUAL PROPERTY RIGHTS

Certification Policies & Practices

IDENTIFICATION AND AUTHENTICATION
  - INITIAL REGISTRATION
  - CERTIFICATE RENEWAL, UPDATE, AND ROUTINE REKEY
  - REPLACING KEY AFTER REVOCATION
  - REVOCATION REQUEST

OPERATIONAL REQUIREMENTS
  - CERTIFICATE APPLICATION
  - CERTIFICATE ISSUANCE
  - CERTIFICATE ACCEPTANCE
  - CERTIFICATE SUSPENSION AND REVOCATION
  - SECURITY AUDIT PROCEDURES
  - CA KEY CHANGE
  - COMPROMISE AND DISASTER RECOVERY

Certification Policies & Practices

PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS

TECHNICAL SECURITY CONTROLS
  - KEY PAIR GENERATION AND INSTALLATION
  - PRIVATE KEY PROTECTION
  - COMPUTER SECURITY CONTROLS
  - LIFE CYCLE TECHNICAL CONTROLS
  - NETWORK SECURITY CONTROLS
  - CRYPTOGRAPHIC MODULE ENGINEERING CONTROLS

CERTIFICATE AND CRL PROFILES
  - CERTIFICATE
  - CRL PROFILE

PKI & CSP Assessment and Accreditation

• Role of PKI assessment:
  - Necessary for licence & accreditation
  - Necessary for PKI interoperation and trust
  - Enhances PKI support for non-repudiation
  - Required for insurance purposes
  - Necessary for risk management

• Assessment targets:
  - PKI environment
  - Systems & subsystems
  - Discrete components
  - Cryptomodules

• Main subjects for PKI assessment:
  - CA policies, practices and management controls
  - Key & device management controls
  - Certificate life-cycle controls

PKI & CSP Assessment and Accreditation

• PKI assessment types:
  - Self-assessment
  - Internal audits
  - External audits

• PKI assessment requirements:
  - Provision of certain documents
  - Certification of technical systems
  - Review of specified policies and practices

• PKI assessment models:
  - Information security evaluation criteria (Common Criteria, ITSEC, TCSEC, BS 7799 Code of Practice for Information Security Management)
  - Australian Gatekeeper program (GPKA)
  - UK tScheme, a self-regulation scheme
  - ABA PAG: PKI Assessment Guidelines
  - American Institute of Certified Public Accountants: Web Trust

Legislation

• General E-Commerce Legislation and Regulation
  - EFTA, Electronic Funds Transfer Act (USA), 1978
  - UN Model Law on E-Commerce, 1996 (UNCITRAL)
  - UCITA, Uniform Computer Transaction Act, 1999 (NCCUSL-USA)
  - UNICID, Uniform Rules for Interchange of Trade Data by Teletransmission (ICC, International Chamber of Commerce)
  - OECD Guidelines, E-Terms (ICC)

• Electronic Signature Legislation and Regulation
  - UETA, Uniform Electronic Transaction Act (NCCUSL-USA), 1999
  - Federal E-Sign Act, 2000 (USA)
  - EU Electronic Signature Directive, 1999
  - UN Draft Model Law on Electronic Signature, 2000 (UNCITRAL)
  - Digital Signature Guidelines (ABA, USA), 1996

Legislation

DIRECTIVE 1999/93/EC of the EUROPEAN PARLIAMENT AND COUNCIL of 13 December 1999 on a Community Framework for Electronic Signatures

Directive highlights

• Legal recognition of electronic signatures
• Technology neutral
• Free flow of Products and Services
• Excludes prior authorisation or licensing scheme for Certification Service Providers
• Mandates supervision scheme for CSPs
• Calls for monitoring of Voluntary Accreditation Scheme

Definitions

• Electronic signature
• Certification Service Provider (CSP)
• Advanced electronic signature
• Signature creation/verification data
• Signature creation/verification device
• Qualified certificate
• Qualified Signature

Scope of Directive

The two main objectives of the directive:

• Free internal market for electronic signatures and certification services (Broad scope):
  - All kinds of electronic signatures
  - All kinds of certification services
  - All kinds of signature products

• Legal equivalence of electronic signatures with hand-written signatures (Limited scope):
  - Only under certain conditions
  - Only for specific purposes
  - with many exceptions

Internal Market

1. Authorisation (obligatory): forbidden

2. Accreditation (voluntary): allowed

3. Supervision
  - CSP issuing qualified certificates to the public
  - Obligation for Member States to control via supervision
  - E.g. self-declaration scheme with subsequent control by governmental body or private institution

Legal Recognition

• General principle: Legal effect for all electronic signatures;

• Second principle: Certain electronic signatures get the same legal effect as a hand-written signature;

Signature classes shown: Electronic signatures, Advanced electronic signatures, Qualified signatures.

Qualified signature: advanced electronic signature + qualified certificate + secure signature creation device.

The Annexes

• Requirements
  - Annex I: Qualified certificate
  - Annex II: Certification Service Providers issuing qualified certificates
  - Annex III: Secure Signature Creation Device

• Recommendations
  - Annex IV: Signature Verification

International aspects

Foreign certificates = Qualified certificates

if

• Foreign CA fulfils same requirements + accreditation by Member State

or

• A European CA guarantees for the foreign CA

or

• Recognition by treaty with EU

EESSI: European Electronic Signature Standardization Initiative

• Industry Initiative led by ICT Standards Board (CEN, ETSI, ...)

• Based on a mandate from European Commission

• Support the requirements of the EU Directive

• Interoperability standards for electronic signature

• Standards for CSPs

• Standards for signature creation and verification products

• Signature format: simple, co-signature, contra-signature, XML signature format

• A better understanding of the signature policies

• Defining protocols for: Time Stamping, Access to a repository with certificates and revocation, etc.

Technical Framework for Qualified Electronic Signatures

• Although “technology neutral”, the Directive implicitly defines a technical framework

• A proposed first set of components that can be used:
  - Asymmetric cryptography: RSA, DSA, ECDSA
  - Certificate based verification using ITU X.509
  - Public Key Infrastructure with CAs and Directories
  - Smart-cards/hardware tokens for private key protection

Reasons for this selection:
  - Generally accepted, existing standards
  - Urgent need for standardized use of these technologies!

EESSI Standards overview

[Figure: EESSI standards overview. Labels: Certificate Service Provider; User/signer; Relying party/verifier; Requirements for CSPs; Trustworthy system; Qualified certificate; Time Stamp; Signature creation process and environment; Creation device; Signature validation process and environment; Signature format and syntax; CEN E-SIGN; ETSI ESI]

ROMANIA
Law on Electronic Signatures

• Adopted by Romanian Parliament in July 2001;

• Establishes:
  - Legal regime of electronic documents,
  - The conditions for providing certificate services for digital signatures

Law on Electronic Signatures
- Definitions -

• Electronic signature

• Extended (Advanced) Electronic Signature:
  - it is uniquely linked to the signatory;
  - it is capable of identifying the signatory;
  - it is created using means that the signatory can maintain under his sole control;
  - it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable

• Signature-creation/verification data;
• Secure-signature-creation/verification device;
• Certificate/Qualified certificate;
• Certification-service-provider (CSP)
• Voluntary accreditation

Law on Electronic Signatures
- Legal specifications for electronic documents -

• Electronic document with:
  - Extended electronic signature,
  - Based on a qualified certificate
  - Generated using a secure-signature-creation device

is assimilated with a document with hand-written signature;

Law on Electronic Signatures
CSP - Certificate Services Providers

  - demonstrate reliability for providing certification services;
  - ensure a secure directory and a revocation service;
  - ensure the precise date/time when a certificate is issued / revoked;
  - verify, by appropriate means, identity & attributes of the person to which a qualified certificate is issued;
  - employ personnel with knowledge, experience, and qualifications;
  - use trustworthy systems and products;
  - maintain sufficient financial resources for liability for damages, by obtaining appropriate insurance;
  - record all relevant information concerning a qualified certificate for an appropriate period of time;
  - not store or copy signature-creation data of the person to whom the CSP provided key management services;

Law on Electronic Signatures
CSP - Certificate Services Providers

• A National Body is created (The Romanian Authority for Reglementation and Supervision) which:
  - Conducts the CSPs accreditation process
  - Conducts homologation process of the SSCD (Secure-Signature-Creation Device)
  - Makes a periodical supervision of CSPs
  - Publishes on Internet The Romanian CSP Register with specifications for accredited CSPs

Decree for the application of Electronic Signatures Law

• Adopted in December 2001

• Contains methodological and technical regulations for the use of electronic signatures

• Contents:
  - Definitions
  - Practical specifications for the activity of Romanian Authority for Reglementation and Supervision
  - Practical specifications for the activity of CSPs
  - CSP accreditation procedure
  - Procedures for using electronic signatures
  - Technical specifications for: Private keys, Algorithms, Certificate revocation conditions

Decree for the application of Electronic Signatures Law

The ANNEXES contain:
  - The STRUCTURE of The Romanian CSP Register
  - The STRUCTURE of Qualified Certificate
  - The STRUCTURE of the CSP Notification for beginning activity
  - The STANDARD EXTENSIONS of a Certificate
  - The STRUCTURE of Certificates Register at CSP
  - The Liability Letter
  - Client Information necessary for obtaining a Certificate

Decree Technical Details

• The generation of the private key of the Romanian Authority for Reglementation and Supervision (ARS) must be made on an isolated and reliable dedicated system

• ARS uses only the SHA hash-code function and RSA for digital signature; it is prohibited to use the CRT method;

• For extended electronic signatures:
  - 1024 bits for RSA;
  - 1024 bits for DSA;
  - 160 bits for DSA based on elliptic curves;
  - RIPEMD-160 or SHA-1 hash functions;

• The formats for Certificate & CRL Register at CSPs:
  - CCITT (ITU-T) X.500 / ISO IS9594
  - RFC 2587 Internet X.509 PKI LDAPv3 Schema
  - RFC 2587 Internet X.509 PKI Certificate and CRL Profile
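The ARS signing rules above (SHA hash, RSA, no CRT) worked through as an added example that is not part of the original slides. It reads "CRT method" as Chinese Remainder Theorem exponentiation, uses a constructed toy key built from two well-known Mersenne primes (not a secure key), and assumes PKCS #1 v1.5 style encoding because the slides name no padding scheme.

```python
import hashlib

# Constructed toy key from two well-known Mersenne primes. Illustrative only:
# a real key uses random primes generated on the isolated system the decree requires.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                               # 1128-bit modulus
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)

MIN_RSA_BITS = 1024                     # "1024 bits for RSA" from the slide
K = (N.bit_length() + 7) // 8           # modulus length in bytes

# ASN.1 DigestInfo prefix for SHA-1, as used by PKCS #1 v1.5 signatures.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def encode(message: bytes) -> bytes:
    """Hash the message with SHA-1 and pad it to the modulus length."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    padding = b"\xff" * (K - len(t) - 3)
    return b"\x00\x01" + padding + b"\x00" + t


def check_key() -> None:
    if N.bit_length() < MIN_RSA_BITS:
        raise ValueError("modulus shorter than the decree's 1024-bit minimum")


def sign_plain(message: bytes) -> int:
    """Signature as one exponentiation modulo N (no CRT)."""
    check_key()
    m = int.from_bytes(encode(message), "big")
    return pow(m, D, N)


def sign_crt(message: bytes) -> int:
    """The CRT variant the slide says is prohibited for ARS, shown for comparison.

    It works modulo P and Q separately and recombines the halves.
    """
    check_key()
    m = int.from_bytes(encode(message), "big")
    s_p = pow(m, D % (P - 1), P)
    s_q = pow(m, D % (Q - 1), Q)
    h = (pow(Q, -1, P) * (s_p - s_q)) % P
    return s_q + h * Q


def verify(message: bytes, signature: int) -> bool:
    """Public-key check: recover the encoded hash and compare it."""
    if not 0 <= signature < N:
        return False
    recovered = pow(signature, E, N).to_bytes(K, "big")
    return recovered == encode(message)


if __name__ == "__main__":
    doc = b"constructed sample document"
    sig = sign_plain(doc)
    print("verifies:", verify(doc, sig))
    print("tampered verifies:", verify(doc + b"!", sig))
    print("CRT gives same signature:", sign_crt(doc) == sig)
```

Both signers return the same value, so a verifier cannot tell which method produced a signature; the no-CRT rule has to be enforced inside the signing module itself.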

Other Necessary Romanian Regulations

• The methodology for the homologation of secure signature creation devices

• The Regulations for the activity of Romanian Authority for Reglementation and Supervision

• The methodology for supervision of CSPs

• The methodology for accreditation of CSPs, based on:
  - Certification Policy
  - Certification Practices Framework
  - Information Security Policy
  - Internet Security Policy
  - Emergency Response Plan
  - Business Continuity Plan

• The methodology for the audit of information security.

Conclusions

• PKI technology ensures trust & security in e-commerce;

• Five key ingredients that trust service providers must offer:
  - Accountability: At a minimum this must mean assurance that their processes will stand up to scrutiny in disputes.
  - Survivability/Longevity: Each service must produce technology and businesses that will be available to resolve disputes decades after.
  - Confidentiality: With customers giving their sensitive data to trust services, providers must ensure confidentiality even within their own organisation.
  - Integrity: Linked with accountability and longevity, but worth distinguishing. Because digital data is so easily created and forged, providers must be able to demonstrate the integrity of their information or the information they keep.
  - Simplicity: To be successful, trust services must make life simpler for e-traders, and they must take account of existing infrastructure.

• PKI technology is still in progress and needs to solve a lot of legal, technological and business problems