3.Security Issues in E-Procurement(PKI) (1)


  • 7/31/2019 3.Security Issues in E-Procurement(PKI) (1)

    1/50

Security Issues in E-Procurement (Public Key Infrastructure)

28th September 2009, Tunis

Senior Consultant, Mr. Youngjoo Ko

(keyguard@signgate.com)

2/50

Contents

1. Necessity of National PKI
2. Security in the e-Procurement system
3. Steps of NPKI Establishment

3/50

Section 1. Necessity of National PKI

4/50

    www . sg co . k r Copyright 1999-2009@SG Inc. All rights reserved

5/50

Need for Digital Signature

Industrial society: off-line (face-to-face) transactions. Informational society: on-line transactions, which bring four new risks.

Problem                                              Security service   Solution
Risk of deceiving the identity of the sender         Authentication     Digital signature
Risk of changing information in transmission         Integrity          Digital signature
Risk of denying the fact that information was sent   Non-repudiation    Digital signature
Risk of exposing information in transmission         Confidentiality    Encryption

6/50

Public-Key Algorithm

Public key system: each user has a public key (KUa) and a private key (KRa). The public key is published; the private key is kept secret. The sender encrypts with the encryption key Ke and the receiver decrypts with the decryption key Kd; the private key is also used to create digital signatures.

Algorithms: RSA, ElGamal, ECC.

7/50

Public-Key Algorithm: Digital Signature Signing and Verification

Signing (sender): the message is run through a hash algorithm to obtain a hash code; the hash code is signed with the sender's private key, producing the digital signature. The private key is stored encrypted and is decrypted with AES under the user's password before it can sign.

Sending: message + digital signature + client certificate.

Verification (receiver): verify the client certificate; run the received message through the same hash algorithm; verify the signature with the public key from the certificate and compare the hash code it covers with the hash code just computed.

Services provided: authentication, integrity, non-repudiation.

8/50

Symmetric Algorithm

Mechanisms of encryption and decryption. M: plaintext, C: cipher text, E: encryption algorithm, D: decryption algorithm, Ke: encryption key, Kd: decryption key.

Symmetric algorithm: Ke = Kd. Sender and receiver use the same key, so the difficulty is key distribution.

Algorithms: DES, Skipjack, IDEA, FEAL, LOKI, GOST, SEED, AES.

9/50

Symmetric Algorithm: Message Encryption with a Session Key

Sender: generates a session key, encrypts the message with it (cipher text), and encrypts the session key with the receiver's public key taken from the receiver's certificate (encrypted session key).

Sending: cipher text + encrypted session key.

Receiver: recovers the session key with his private key, then decrypts the cipher text with the session key to obtain the message.

Service provided: confidentiality.

10/50

Symmetric vs. Public-Key Cryptosystem

Index                       Symmetric cryptosystem            Public-key cryptosystem
Key type                    Encryption key = decryption key   Encryption key != decryption key
Encryption key              Secret                            Public
Decryption key              Secret                            Secret
Encryption algorithm        DES / AES / SEED                  RSA
Transfer of private key     Needed                            Not needed
Number of keys (n users)    n(n-1)/2                          2n
Encryption speed            High                              Low
Key distribution            Difficult                         Easy

Symmetric: the key generation algorithm produces one secret key, and the same key is used by the encryption algorithm (plain text -> encrypted message) and by the decryption algorithm (encrypted message -> decrypted message).

Public key: the key generation algorithm produces a different key for each direction, a public key and a private key. The public key is placed in a public repository; the sender must check the authenticity of the public key before encrypting with it, and only the private key decrypts.

11/50

PKI (Public Key Infrastructure)?

PKI = policy + system + applications.

- Law: Electronic Signature Act, Electronic Transaction Basic Act, Personal Information Protection Act
- PKI standards: IETF PKIX RFCs, RSA PKCS #1 to #15
- Electronic signature / certification technology: digital signature, hash and encryption algorithms
- CA systems: CA, RA, DS, OCSP, TS, firewall, IDS, SMS, NMS, etc.
- Certification center operation: accredited CA, CPS (Certification Practice Statement)
- Killer applications

12/50

Components of PKI

Personnel, policy, procedures, components and facilities to bind user names to electronic keys so that applications can provide the desired security services.

- PKI server (Certificate Authority and Registration Authority): server-side software; issues server and client certificates
- Directory server: the certificate repository
- PKI client (PC / phone / PDA): client-side software that creates digital signatures with the client certificate

13/50

PKI Center System Configuration

Users reach the center over the Internet; behind the firewall an L4 switch fronts the CA, RA, DS, OCSP, TS/TSA, KRS and other service servers, together with a network HSM, a GPS receiver, the DB and the admin PC. All networks and servers are doubly connected (fault tolerant).

Admin: administrator program
User: user S/W
CA: Certificate Authority server
RA: Registration Authority server
DS: Directory Server
OCSP: Online Certificate Status Protocol server
VA: Validation Authority server
HSM: Hardware Security Module (accelerator)
TS: time stamp module
GPS: time accuracy maintainer
TSA: Time Stamp Authority server
DVCS: Data Validation Certification Server
KRS: Key Roaming Server
Etc.: other service servers

14/50

Identification and Signature

Real world, for authentication: the National ID card (name: Youngjoo Ko; SSN: XX0921-152XXXX; address: SG, Seoul, KR; issued date: 2002/6/1; fingerprint). The signature or signature-seal is reusable.

Cyberspace (Internet), for authentication: the accredited certificate (name: Youngjoo Ko; serial no.: 883XXX8377; address: SG, Seoul, KR; validity: 2008/6/1 to 2009/5/31; public key; CA's signature). The digital signature, made with the encrypted private key using an asymmetric encryption/decryption method, is impossible to reuse.

15/50

Digital Certificates

"Certificate" means information in electronic form verifying and certifying the correspondence of a public key to a private key owned by a natural or juridical person.

X.509 certificate fields, with the example values from the slide:

Field                             Since   Example value
Certificate version               v1      version 3 (2)
Certificate serial number         v1      12345678
Signature algorithm id for CA     v1      RSA with SHA-1
Issuer X.500 name                 v1      cn=SignGATE CA, ou=Accredited CA, ou=KICA, c=K
Validity period                   v1      start=01/01/08, expiry=12/31/09
Subject X.500 name                v1      cn=Ko, ou=Accredited CA, o=KICA, c=KR
Subject public key info           v1      RSA public key
Issuer unique identifier          v2      (not used)
Subject unique identifier        v2      (not used)
Extensions (type, criticality, value)  v3
CA signature

SHA-1 is shown because the deck dates from 2009; signatures over SHA-1 are no longer acceptable and current accredited certificates are signed with SHA-256.

16/50

Types of Certificates

Certificate without accreditation (private certificate): issued by a certification organization that is not accredited by the government; used for a limited number of e-transactions.

Accredited certificate: issued by a CA that the government has designated pursuant to the law after thorough screening; used for various e-transactions.

Category                          Accredited certificate                          Certificate without accreditation
Level of technology and security  Passed thorough screening pursuant to the law   Impossible to verify
Legal effect                      Valid as provided by the laws                   Valid only by agreement
Compensation                      Easy to get compensated                         Hard to get compensated
Scope of applicable services      Wide                                            Narrow

17/50

Section 2. Security in the e-Procurement system

18/50

Issues of e-Procurement

Off-line procurement (the agency and a subscriber, face to face):
- Manual work process, prone to mistakes (negative)
- Needs much time for document management
- Complex and time consuming
- Difficult and inefficient
- Many documents to prepare

On-line procurement (the agency and a subscriber, over the network):
- Fewer mistakes
- No more paper documents
- Procurement information is easy to distribute
- Can be used anywhere, any time (24h)
- Documents are easily presented to agencies
- Easy to join the bidding

Issues of on-line procurement:
- Difficult to verify the user on-line
- Breach of information
- Easy to forge
- Repudiation of transactions

19/50

Security of e-Bidding

KONEPS e-Bidding server with a security add-on for the web application server:
- Integrity: verify forgery and modification of bid documents
- Company authentication: establish the company's identity; ban bids from illegal companies
- Accurate deadline by time stamping: prevent disputes over the bidding deadline; fairness of time, with legal force
- Non-repudiation: non-repudiation for sending a tender

20/50

Overall e-Bidding Processes Secured by PKI

Bid invitation: SG, as a trusted third party, issues an encryption certificate for each bidding announcement. The private key of this security certificate must be stored only on the bidding administrator's PC. The private key is divided into two parts, reserved by SG and KONEPS separately, against loss of the private key and so that it cannot be retrieved arbitrarily.

Tender: the bidding price and other information are submitted after being digitally signed and enveloped using the encryption certificate.

Making multiple predetermined prices: the financier makes multiple predetermined prices on his PC; they are submitted after being digitally signed and enveloped using the encryption certificate.

Bid evaluation: the bidding administrator opens the enveloped bidding prices and predetermined prices using the private key of the security certificate and administers the bidding.

Every bidding price and all evaluation-relevant information must be stored in the DB, digitally signed and enveloped, until the bid evaluation date. Every bidding-relevant process must be logged. Each original document must be retained for later verification.

21/50

Certificate Issuance Process for the Bidder (company)

No.  Description                                                                                                      Note
1    User visits the respective RA with the certificate application form and his ID card                             Off-line
2    RA conducts user identification                                                                                  Off-line
3    RA manager registers the information on the user's application form with the CA (user registration)
4    As a result of the registration, a reference number, an authentication code and a user manual are delivered to the user
5    User goes to the RA's homepage, installs the certificate management S/W and creates a key pair                    On-line
6    User enters the reference number and authentication code, selects a storage medium and enters his certificate password to request issuance of his certificate (certificate issuance request, CMP)   On-line
7    CA issues the certificate after confirming the user's request                                                     On-line
8    CA publishes the issued certificate to the directory server (optional)                                            On-line
9    CA delivers the certificate to the user (certificate download)                                                    On-line
10   User saves the certificate to the storage medium he selected                                                      On-line

Parties: user, Registration Authority (RA), Certificate Authority (CA), Directory Server (DS).
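The following Go program is an added example, not code from the deck or from SG's CA software. It walks steps 3 to 7 of the issuance process above and produces a certificate with the fields listed on slide 15: the RA registers the face-to-face verified identity together with a reference number and authentication code (both constructed here), the user's software generates its own key pair and sends a certificate request (a plain function call stands in for CMP), and the CA issues only after the reference number and code match and the request's self-signature proves possession of the private key. The issuer name is taken from slide 15 (c=KR assumed); the OCSP responder URL, the one-year validity and the use of Go's default SHA256-RSA signature are assumptions of the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// registration is what the RA manager registers with the CA after face-to-face identification
// (step 3); the reference number and authentication code handed to the user (step 4) tie his
// later on-line request back to this record.
type registration struct {
	subject      pkix.Name
	authCodeHash [32]byte
	used         bool
}

// CA is the accredited CA: signing key, self-signed certificate and pending registrations.
type CA struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
	regs map[string]*registration
}

// sign creates and parses a certificate. Go signs RSA keys with SHA256-RSA; the slide's
// "RSA with SHA-1" is no longer acceptable.
func sign(tmpl, parent *x509.Certificate, pub any, priv *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA builds the CA with the issuer name from slide 15 (c=KR assumed).
func NewCA() (*CA, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "SignGATE CA", OrganizationalUnit: []string{"Accredited CA", "KICA"}, Country: []string{"KR"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &CA{Key: key, Cert: cert, regs: map[string]*registration{}}, nil
}

// Register records the identity the RA verified off-line (steps 1 to 4).
func (ca *CA) Register(ref, commonName, authCode string) {
	ca.regs[ref] = &registration{pkix.Name{CommonName: commonName, Organization: []string{"KICA"}, Country: []string{"KR"}}, sha256.Sum256([]byte(authCode)), false}
}

// Issue is step 7. csrDER is the request sent in step 6 for the key pair generated in step 5;
// its subject is self-asserted, so the CA certifies the registered subject, never the CSR's.
func (ca *CA) Issue(ref, authCode string, csrDER []byte) (*x509.Certificate, error) {
	reg, ok := ca.regs[ref]
	if !ok || reg.used {
		return nil, errors.New("unknown or already used reference number")
	}
	if h := sha256.Sum256([]byte(authCode)); subtle.ConstantTimeCompare(h[:], reg.authCodeHash[:]) != 1 {
		return nil, errors.New("authentication code mismatch")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, errors.New("proof of possession failed: " + err.Error())
	}
	reg.used = true // one issuance per reference number and authentication code
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // a real CA uses a random serial with 64+ bits of entropy
		Subject:      reg.subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0), // one-year validity, as on slide 14
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
		OCSPServer:   []string{"http://ocsp.example.test/"}, // AIA extension; hypothetical URL
	}, ca.Cert, csr.PublicKey, ca.Key)
}

// Verify is the relying party's check (e.g. the e-bidding server): chain to the trusted root
// and confirm the certificate is inside its validity period at time t.
func Verify(cert, root *x509.Certificate, t time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Two details matter in practice: the subject written into the certificate comes from the RA registration, so whatever the user typed into his request cannot change who he is certified as; and a reference number and authentication code are consumed by the first issuance, so an intercepted code cannot be used again. Revocation checking is a separate step (slide 28) and is not covered here.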

22/50

Two-factor Authentication to Log On

Independently of the user type (bidder, bid administrator), two-factor authentication is the expected minimal level of authentication for logging on to the e-procurement system.

The best user authentication method for log-on relies on something you know (e.g. a dedicated PIN code or certificate password), supplemented by an additional something you have factor (smart cards, USB tokens) in order to implement two-factor authentication.

Also, to log on, the user should be able to generate a proper digital signature over a random value sent by the e-procurement system, to prevent replay attacks.
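The challenge-response log-on described above, as an added Go example that is not part of the deck or of the KONEPS system. The server issues a random value with an expiry, the token (the "something you have") signs it only after the PIN (the "something you know") is presented, and the server deletes the challenge before verifying so that the same signed response cannot be accepted twice. The user id, the domain-separation string and ECDSA P-256 are choices of the example; the slide does not say which key type or message format the real system uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// Server is the e-procurement log-on side: it knows each user's public key (from the user's
// certificate; chain validation is out of scope here) and remembers every challenge it issued.
type Server struct {
	mu         sync.Mutex
	users      map[string]*ecdsa.PublicKey
	challenges map[string]time.Time // hex(challenge) -> expiry
	ttl        time.Duration
}

func NewServer(ttl time.Duration) *Server {
	return &Server{users: map[string]*ecdsa.PublicKey{}, challenges: map[string]time.Time{}, ttl: ttl}
}

func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }

// Challenge is the random value the system sends: 32 bytes from the OS CSPRNG, usable once, valid for ttl.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.mu.Lock()
	s.challenges[hex.EncodeToString(c)] = time.Now().Add(s.ttl)
	s.mu.Unlock()
	return c, nil
}

// loginDigest binds the signature to its purpose and to the user id, so a log-on signature can
// never be replayed as a signature over a bid document or as a log-on for another user.
func loginDigest(user string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte("e-procurement-logon\x00"))
	h.Write(append([]byte(user), 0))
	h.Write(challenge)
	return h.Sum(nil)
}

// Token models the "something you have" (smart card or USB token): the private key never leaves
// it, and it signs only after the PIN ("something you know") has been presented.
type Token struct {
	pin string
	key *ecdsa.PrivateKey
}

func NewToken(pin string) (*Token, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{pin: pin, key: key}, nil
}

func (t *Token) Public() *ecdsa.PublicKey { return &t.key.PublicKey }

// Sign produces the log-on response: an ECDSA signature over loginDigest(user, challenge).
func (t *Token) Sign(pin, user string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(t.pin)) != 1 {
		return nil, errors.New("wrong PIN")
	}
	return ecdsa.SignASN1(rand.Reader, t.key, loginDigest(user, challenge))
}

// Login verifies the response. The challenge is deleted before the signature is checked, so the
// same signed challenge presented twice (a replay) fails, as does a challenge older than ttl.
func (s *Server) Login(user string, challenge, sig []byte) error {
	k := hex.EncodeToString(challenge)
	s.mu.Lock()
	expiry, ok := s.challenges[k]
	delete(s.challenges, k)
	s.mu.Unlock()
	if !ok {
		return errors.New("unknown or already used challenge (replay?)")
	}
	if time.Now().After(expiry) {
		return errors.New("challenge expired")
	}
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ecdsa.VerifyASN1(pub, loginDigest(user, challenge), sig) {
		return errors.New("signature does not verify under the user's certificate key")
	}
	return nil
}
```

The table of outstanding challenges is what turns the random value into replay protection; if the server only checked the signature, any captured response would log the attacker in for as long as the certificate stayed valid. On a real token the PIN check and the signing happen inside the card, and a short ttl keeps the table small.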

23/50

Key Management System

SG (Korea Information Certificate Authority): encryption certificate server and key manager system (half private key store).
KONEPS: e-bidding system, key manager system (half private key store) and the bid administrator's PC.

Flow: a bidding announcement is inserted into the e-bidding system; SG issues an encryption certificate (public key and private key) for that announcement; the bidding announcement and the encryption certificate are signed with the bid administrator's signing certificate; the private key is divided and one half is stored in each key manager system.

The administrator's encryption certificate is issued per bidding announcement and stored on the bidding administrator's PC. The private key of the encryption certificate is divided and reserved by SG and KONEPS separately, against loss of the private key and so that it cannot be retrieved arbitrarily.
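The slide says the encryption private key is divided into two parts held by SG and KONEPS. The Go program below is an added example, not code from the deck or from SG's key manager, of the simplest construction with that property: the PKCS#1 encoding of the key is XORed with a random share of the same length (a one-time pad), so one share alone is uniformly random and reveals nothing about the key, while both shares together rebuild it exactly. How the real key manager encodes or shares the key is not stated on the slide.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"errors"
)

// SplitKey divides the bid encryption private key into two shares, one for SG and one for
// KONEPS. shareSG is random; shareKONEPS is the key XORed with it. Neither party can open bids
// on its own, because a single share carries no information about the key (2-of-2 secret sharing).
func SplitKey(key *rsa.PrivateKey) (shareSG, shareKONEPS []byte, err error) {
	der := x509.MarshalPKCS1PrivateKey(key)
	shareSG = make([]byte, len(der))
	if _, err = rand.Read(shareSG); err != nil {
		return nil, nil, err
	}
	shareKONEPS = make([]byte, len(der))
	for i := range der {
		shareKONEPS[i] = der[i] ^ shareSG[i]
	}
	return shareSG, shareKONEPS, nil
}

// JoinKey rebuilds the private key from both shares. It is meant to run in memory on the
// evaluation date only; the rebuilt key is discarded afterwards.
func JoinKey(shareSG, shareKONEPS []byte) (*rsa.PrivateKey, error) {
	if len(shareSG) != len(shareKONEPS) {
		return nil, errors.New("share length mismatch")
	}
	der := make([]byte, len(shareSG))
	for i := range der {
		der[i] = shareSG[i] ^ shareKONEPS[i]
	}
	key, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, errors.New("shares do not combine to a valid key")
	}
	return key, key.Validate()
}
```

Two caveats a practitioner would raise. First, this split gives the "cannot be retrieved arbitrarily" property but not protection against loss: if either share is lost, the key is gone, so "against the loss of the private key" needs either backups of each share or a threshold scheme such as Shamir's secret sharing, which can tolerate a missing share. Second, the key exists in full on the administrator's PC at evaluation time, so that PC, not the split, is what protects the bids once they are opened.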

24/50

Process of Securing Bidding Documents in the e-Bidding System

Bidding documents are submitted after being digitally signed and enveloped. The KONEPS e-Procurement system checks the integrity of the bidding documents and stores the enveloped documents in the DB. On bid evaluation the documents are opened and their integrity is verified using the digital signature.

Bidder: makes the proposal; signs and envelopes the proposal (using the bid executor's encryption certificate); signs and envelopes the send message (using the server's encryption certificate); tenders.

KONEPS: decrypts the send message and verifies its signature (using the server's private key); stores the signed and encrypted proposal data.

Bid executor (on award): decrypts the proposal with the bid's encryption private key and verifies the bidder's signature on the proposal; the award result is returned to the bidder.
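The submit, store and open flow above, together with the signing of slide 7 and the session-key envelope of slide 9, as one added Go example; it is not code from the deck or from the KONEPS toolkit. The bidder signs the proposal with his private key, then envelopes signature and proposal under a fresh AES-256-GCM session key that is itself RSA-OAEP encrypted to the bid's encryption certificate; at evaluation the administrator unwraps the session key, decrypts and verifies the bidder's signature. The announcement number is bound into both layers so a stored envelope cannot be replayed into another bid. The algorithms, the bid id and the message layout are choices of the example; the slide names none of them.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope is what KONEPS stores in the DB until the evaluation date. The bidder's signature
// and the proposal are both inside the AES-GCM ciphertext; only the 32-byte session key is
// RSA-encrypted (slide 9), under the bid's encryption certificate.
type Envelope struct {
	WrappedKey []byte // session key, RSA-OAEP under the bid encryption public key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over signature || proposal, with bidID as associated data
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SignAndEnvelope is the bidder side: sign the proposal with the bidder's private key, then
// envelope signature and proposal together so that neither is readable before opening.
// bidID (the announcement number) is bound into both layers, so an envelope cannot move to another bid.
func SignAndEnvelope(bidID string, proposal []byte, bidder *rsa.PrivateKey, bidEncPub *rsa.PublicKey) (*Envelope, error) {
	digest := sha256.Sum256(proposal)
	sig, err := rsa.SignPSS(rand.Reader, bidder, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, bidEncPub, sessionKey, []byte(bidID))
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, append(sig, proposal...), []byte(bidID))
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenAndVerify is the bid administrator side on the evaluation date: unwrap the session key
// with the bid encryption private key, decrypt, then verify the bidder's signature with the
// public key from the bidder's certificate. Any change to the stored envelope fails here.
func OpenAndVerify(bidID string, env *Envelope, bidEncPriv *rsa.PrivateKey, bidderPub *rsa.PublicKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, bidEncPriv, env.WrappedKey, []byte(bidID))
	if err != nil {
		return nil, errors.New("cannot unwrap session key (wrong key or wrong bid)")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(bidID))
	if err != nil {
		return nil, errors.New("envelope tampered or bound to another bid")
	}
	sigLen := bidderPub.Size() // an RSA-PSS signature is exactly the modulus size
	if len(plain) < sigLen {
		return nil, errors.New("envelope too short")
	}
	sig, proposal := plain[:sigLen], plain[sigLen:]
	digest := sha256.Sum256(proposal)
	if err := rsa.VerifyPSS(bidderPub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("bidder signature invalid")
	}
	return proposal, nil
}
```

Signing before enveloping is what gives the slide's "integrity verified using the digital signature" at evaluation time: the stored record proves both that the price is unchanged and who submitted it, and nobody holding only the DB can read the price before the private key is rebuilt. The bidder's public key must come from his verified certificate, not from the submission itself.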

25/50

Time Stamping Protocol (TSP)

Guarantee timely fairness and transparency through the time stamp service provided by the accredited CA.

- Need for proof of existence of certain data
- Time-sensitive services: the bidding end date and time; the bidding document submission date and time

Flow: a company submits its proposal to the KONEPS e-bidding system; the system obtains a time stamp from the certification authority's TSA (timestamp service); the bidding administrator checks closing against the stamped times.

26/50

Time Stamping Protocol (TSP)

TSA (Time Stamping Authority)
- The TSA's role is to time-stamp a datum to establish evidence indicating that the datum existed before a particular time.
- Can be used to verify that a digital signature was applied to a message before the corresponding certificate was revoked.
- Can also be used to indicate the time of submission when a deadline is critical, or to indicate the time of a transaction for entries in a log.

Architecture: the e-procurement system's TS client requests a time stamping token; the TSA daemon signs it with a key held in an HSM, using time kept in sync with GPS satellites (WinSync), and records it in its DB; an admin interface provides audit and management.
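A time-stamp token and both uses named above (deadline enforcement and proof that a signature predates a revocation), as an added Go example that is not part of the deck or of SG's TSA. The token is simplified: the signed content is an ASN.1 structure holding the document's SHA-256 imprint, a serial and the TSA's GeneralizedTime, and the signature is plain ECDSA rather than the CMS SignedData wrapper of RFC 3161. The TSA never receives the document, only its hash, and its clock is injected so the example can place a token on either side of a deadline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/asn1"
	"errors"
	"time"
)

// TSTInfo is the signed content of a simplified time-stamp token: the hash of the data (the TSA
// never sees the data itself) and the time read from the TSA's trusted clock. A real RFC 3161
// token also carries a policy OID, accuracy and nonce, and is wrapped in CMS SignedData.
type TSTInfo struct {
	MessageImprint []byte
	Serial         int64
	GenTime        time.Time `asn1:"generalized"`
}

// Token is DER(TSTInfo) plus the TSA's ECDSA signature over SHA-256 of that DER.
type Token struct {
	Info      []byte
	Signature []byte
}

// TSA holds the signing key (an HSM in the slide) and a clock source (GPS-disciplined in the
// slide; injectable here so callers can control the time).
type TSA struct {
	key    *ecdsa.PrivateKey
	Clock  func() time.Time
	serial int64
}

func NewTSA(clock func() time.Time) (*TSA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSA{key: key, Clock: clock}, nil
}

func (t *TSA) Public() *ecdsa.PublicKey { return &t.key.PublicKey }

// Imprint is what the TS client sends: the SHA-256 digest of the document.
func Imprint(document []byte) []byte {
	d := sha256.Sum256(document)
	return d[:]
}

// Stamp issues a token for a message imprint at the current TSA time.
func (t *TSA) Stamp(imprint []byte) (*Token, error) {
	if len(imprint) != sha256.Size {
		return nil, errors.New("imprint must be a SHA-256 digest")
	}
	t.serial++
	info, err := asn1.Marshal(TSTInfo{MessageImprint: imprint, Serial: t.serial, GenTime: t.Clock().UTC().Truncate(time.Second)})
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(info)
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, d[:])
	if err != nil {
		return nil, err
	}
	return &Token{Info: info, Signature: sig}, nil
}

// Verify checks that the token was signed by the TSA and covers this document, and returns the
// time it proves: the document existed no later than GenTime.
func Verify(tok *Token, document []byte, tsaPub *ecdsa.PublicKey) (time.Time, error) {
	d := sha256.Sum256(tok.Info)
	if !ecdsa.VerifyASN1(tsaPub, d[:], tok.Signature) {
		return time.Time{}, errors.New("TSA signature invalid")
	}
	var info TSTInfo
	rest, err := asn1.Unmarshal(tok.Info, &info)
	if err != nil || len(rest) != 0 {
		return time.Time{}, errors.New("malformed token")
	}
	if !bytes.Equal(info.MessageImprint, Imprint(document)) {
		return time.Time{}, errors.New("token does not cover this document")
	}
	return info.GenTime, nil
}

// ProvenBefore answers both questions on the slide with one rule: is the proven time strictly
// before the cutoff? The cutoff is the bidding deadline when the document is a tender, and the
// certificate revocation time when the document is a digital signature.
func ProvenBefore(tok *Token, document []byte, tsaPub *ecdsa.PublicKey, cutoff time.Time) (bool, error) {
	at, err := Verify(tok, document, tsaPub)
	if err != nil {
		return false, err
	}
	return at.Before(cutoff), nil
}
```

The point of the design is that the bidder's own PC clock never enters the decision: the only time that counts is the one the TSA signed, and the TSA signed the hash of exactly the bytes that were submitted. In a deployment the TSA's certificate is validated like any other, and the token's serial and time are logged so that disputes can be replayed against the TSA's records.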

27/50

Online Certificate Owner Verification

Subscriber identification based on the Virtual ID
- The Virtual ID is the certificate user's unique identifier.
- The Virtual ID is in the form of a hash value.

Information for identification: the private key (file) includes a random number R; the certificate for digital signing carries the VID.

Verification method: VID = H(H(IDN, R))
IDN: Resident Registration Number or Business Registration Number
VID: Virtual ID
H: hash algorithm
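The VID computation and the relying party's owner check, as an added Go example that is not part of the deck or of SG's toolkit. The slide does not name H or say how IDN and R are combined, so SHA-256 and a length-prefixed concatenation are assumptions of the example; the IDN used in the usage note is constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
)

// h2 is the two-input hash H(a, b) = SHA-256(len(a) || a || b). The length prefix makes the
// pair unambiguous: without it, different (IDN, R) splits of the same byte string would collide.
func h2(a, b []byte) []byte {
	h := sha256.New()
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(a)))
	h.Write(n[:])
	h.Write(a)
	h.Write(b)
	return h.Sum(nil)
}

// NewR draws the random number that goes into the subscriber's private-key file. It is what
// stops anyone holding the certificate from recovering the IDN by brute force: a 13-digit
// registration number has far too little entropy to be protected by hashing alone.
func NewR() ([]byte, error) {
	r := make([]byte, 32)
	_, err := rand.Read(r)
	return r, err
}

// ComputeVID is VID = H(H(IDN, R)), computed by the CA at issuance and written into the
// certificate; the certificate therefore reveals neither IDN nor H(IDN, R).
func ComputeVID(idn string, r []byte) []byte {
	inner := h2([]byte(idn), r)
	outer := sha256.Sum256(inner)
	return outer[:]
}

// VerifyOwner is the relying party's check: the subscriber presents IDN and R from his
// private-key file, the server recomputes the VID and compares it, in constant time, with
// the VID in the certificate he signed with.
func VerifyOwner(certVID []byte, idn string, r []byte) bool {
	return subtle.ConstantTimeCompare(ComputeVID(idn, r), certVID) == 1
}
```

With `r, _ := NewR()` and `vid := ComputeVID("123456-1234567", r)`, `VerifyOwner(vid, "123456-1234567", r)` is true and any other IDN or R is rejected. The security of the scheme rests entirely on R staying inside the private-key file: a certificate alone lets nobody enumerate registration numbers, but a leaked R reduces the VID to a hash of a 13-digit number.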

28/50

Online Certificate Status Protocol (OCSP)

- OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate.
- OCSP can confirm the current status of a certificate immediately.

Authority Information Access field: the certificate extension that tells a relying party where the OCSP responder is.

OCSP structure: the CA publishes CRLs (CRL publisher, CRL file) to the directory server (DS); the OCSP server loads the CRLs; users and servers perform certificate verification over HTTP(S) against the OCSP server instead of each downloading the CRLs themselves.

29/50

What is the PKI Crypto Toolkit (1/2)

Developers just call APIs to apply PKI functions to their applications. The toolkit provides easy ways for application developers to use cryptographic services.

Problems of electronic transactions and the service that answers each:
- Risk of deceiving the identity of the sender: authentication
- Risk of denying the fact that information was sent: non-repudiation
- Risk of changing information in transmission: integrity
- Risk of exposing information in transmission: confidentiality

Architecture: PHP, ASP, Java and other applications call the PKI core module, a cryptographic library (toolkit) made of a cipher module, a certificate module and a signature module.
- Client toolkit: a dynamic link library exposed through COM, JavaScript, Visual Basic, PowerBuilder and C/C++ to HTML client applications; Crypto API.
- Server toolkit: a shared object / archive and a Java class library with a standard JCE/JCA interface, used by PHP, CGI, JSP and servlet server applications.

30/50

What is the PKI Crypto Toolkit (2/2)

Client: the user's Internet browser renders HTML and runs the client crypto toolkit (ActiveX) with the user's certificate.

Server: the e-procurement web server serves HTML and runs the server crypto toolkit (Java) with the server's certificate.

Between them, over TCP/IP (Internet) and HTTP, the two toolkits apply digital signatures and data encryption to provide authentication, integrity, confidentiality and non-repudiation.

31/50

Functions of the PKI Crypto Toolkit

Classifications on the slide: Basic, Certification, User Interface, Web Security.

Section                                Main function
Certificate information confirmation   Confirm detailed information in a certificate
Electronic signature creation          Create and process electronic signatures
Cipher message creation                Create and process cipher messages
Certificate verification               Verify certificate validity
Algorithms module                      Electronic signature and encryption algorithms
Directory module                       Obtain a certificate; directory access
Private key module                     Encryption processing for a certificate's private key
Identification module                  Confirm identification information in a certificate
Storage medium module                  Read and write a certificate on a smart card or hard disk
Certificate selection                  Manage certificates in each storage medium
Certificate view                       View the selected certificate
Certification process function         Web-based user certification
Encryption function                    Web document (HTML) encryption
Supporting languages                   Support script-based web servers with JSP, PHP and ASP

32/50

Section 3. Steps of NPKI Establishment

33/50

E-Government Framework

e-Government for National Development
- Economic development (G2B): e-Customs, e-Support for Foreign Firms, e-Intellectual Property, e-Procurement
- Public service (G2C) and public administration reform (G2G): e-Agriculture, e-Land Registry, e-National ID
- Shared services: National ID DB, Land Resources DB
- Infrastructure: Public Key Infrastructure, Public Access Point, Government Information Network, Database
- Management: organization, budget, HRD, standards, security, IT management, privacy

34/50

Framework of National PKI

NPKI (National Public Key Infrastructure) implementation steps:
- Preparation: PKI scheme, requirements for the PKI system, operation requirements, PKI standards, education, promotion, pilot project
- Law & regulations: PKI decree recommendation, accreditation generals, organization of a PKI TFT (task force team)
- Implementation planning: facilities and equipment, CPS framework, long-term security plan
- PKI center: RA construction
- Education & promotion
- PKI applications

  • 7/31/2019 3.Security Issues in E-Procurement(PKI) (1)

    35/50

    34

    p y

    G o v e r n m e n t

    Accredi ted

    CA

    Application Service organizations or companies

    USER

    Roo t CA

    P K I M o d e l

    Accredi t ed

    Cert i f ica te

    Accr ed i t ed E le c tr on ic Signa t u r e

    To e s t a b lish s a f e a n d r e lia b l eI n f o r m a t io n s o cie t y

    EstablishmentLaw

    (ElectronicSignature),

    PKI Standards

    Building PKICenter

    Developing PKIenabled

    Applications

    License

    Law , Po l icy,

    S t a n d a r d s

    Cert i f ica t ion

    Service

    E - p r o c u r e m e n t ,

    I n t e r n e t B a n k i n g ,

    E -co m m e r c e , e tc

    www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved

Related law and policy in Korea

- Electronic Trade Basic Law (Ministry of Knowledge & Economy): established in 1999, revised in 2002, 2005 and 2007; legal effectiveness for digital documents
- Digital Signature Law (Ministry of Public Administration and Security, MOPAS): established in 1999, revised in 2001 and 2005; legal force clarification for a digital signature; basis of the NPKI
- Digital Government Law (MOPAS): established in 2001; regulations for official documents in government; basis of the GPKI

PKI system organization in Korea

- MOPAS (Ministry of Public Administration and Security): law & policy arrangement; national authentication plan management; licensed CA management
- KISA (Korea Information Security Agency), Root CA, operating the Digital Signature Authentication Management Center: national authentication & system operation; field test for licensed CA accreditation; issues a certificate for a licensed CA
- Accredited (licensed) CAs: authentication management; provide CA service; certificate issuance; certificate termination / renewal
  1st: SG, 2nd: KOSCOM, 3rd: KFTC, 4th: CROSSCERT, 5th: KTNET

Number of accredited certificates in Korea

Number of annual issuance of certificates (2008, published by KISA; scale: number)

  Year    Certificates
  2000        26,845
  2001     1,501,535
  2002     4,934,143
  2003     7,824,368
  2004     9,479,919
  2005    11,000,073
  2006    14,374,988
  2007    17,155,333

Certificate types (type / entity / usage field)
- General / personal / all e-transactions
- General / corporate / all e-transactions
- Specific / personal and corporate / G2C, bank, insurance; G4C, credit card

Project scope: the establishment of National PKI and the pilot project of digital signature

Public Key Infrastructure
- Digital signature and encryption based technologies: electronic signature certification technologies (certificate and CRL profile, certificate management protocol, hash, encryption, digital signature algorithm)
- PKI standards (international and domestic): IETF RFC PKIX standard; RSA PKCS standard (1)
- Law and regulations: Electronic Signature Act, decrees and ordinances
- CPS (Certificate Practice Statements): operation guidelines for a PKI Center; CPS identification guidelines
- Government CA or Accredited CA; interoperability

Project components: Root CA; system construction; equipment support; dispatch of experts; trainees invitation

1) IETF: Internet Engineering Task Force; RFC: Request For Comments; PKCS: Public Key Cryptography Standard

Implementation steps (National PKI)

Phase 1. Preparations
- Designing of PKI scheme
- Launching of PKI TFT
- Finding ways to finance

Phase 2. Law & regulation setup
- Revision of IRR (E.S)
- Administrative orders
- Executive orders

Phase 3. PKI Center construction
- PKI systems
- Facilities / equipment
- Operation guideline

Phase 4. Education & promotion
- Education & training
- Development of promotional policies

Phase 5. PKI application development
- Pilot project
- RA constructions
- Planning of long-term national PKI services

Proposed PKI scheme

- Root CA unit: operation on Root CA; issuing certificates to the accredited CAs; cross certification with foreign certification authorities
- Accreditation unit: accreditation of accredited CAs
- Auditing unit: annual auditing of accredited CAs
- Accredited CAs (ACA): operation on ACA; general purpose certificates and special purpose certificates; RA management
- RAs (Agency 1, Agency 2, ..., Agency N): register subscribers
- Subscribers

Project overview: the establishment of National PKI and the pilot project of digital signature

- Construction of facilities: Root CA; Government CA or Accredited CA
- Provision of equipment: Root CA and Government CA systems; network system, system management system; physical equipment
- Dispatch of Korean experts: experts for a master plan regarding law and policy; experts for system and equipment installation; experts for PKI systems establishment; experts for PKI-enabled application development
- Technical trainings for your personnel in Korea: training for operators; training for managers; training for developers

Proposed schedule

Timeline: months M through M+11, followed by a 2-year maintenance period.

- Dispatch of Korean experts: PKI consulting; local research
- Development of PKI system: PKI system development; PKI system establishment; PKI pilot project; maintenance (2 years)
- Provision of equipment: order equipment; inspection in Korea; shipping equipment; equipment installation
- Technical training in Korea: training for managers; training for operators; training for administrators

Activity durations marked on the chart: 2 weeks, 2 weeks, 2 weeks, 8 weeks, 12 weeks, 8 weeks, 3 weeks, 2 weeks.

PKI consulting

The project scope is the establishment of a roadmap and guideline for PKI, including an objective model derived from analyzing the subjects of citizens, business and government.

- Policy: design the operational model of the certification service; plan for the designation and management of accredited CAs
- Law: the guideline related to the law of electronic signature
- Standards: provide the guideline for a national technology standard for certification technology
- CA systems: provide a plan for the best-fit PKI system for the country; provide the guideline for S/W and H/W for certification services; provide the operating know-how of the CA system
- Electronic signature certification technology (global technology provision): provide an overview of the overall PKI technology
- PKI operation: provide the certification practice statement; provide the guideline to build and operate the certification management system; provide the guideline of a security plan for developing PKI
- Applications: provide the guideline on how to use PKI in applications; provide examples of successful applications using PKI

PKI equipment installation (PKI Center layout)

Racks
- Root CA rack: KGS (key generation system), Root CA
- Accredited CA rack #1 and #2: KGS, CA, DB, RA; DS (master), DS (replica)
- Monitoring rack: NMS, SMS, backup, DNS, WEB

Facilities
- Access management, fingerprint recognition, CCTV
- UPS, air conditioners (A/C)
- Fire extinguisher, shock sensor, noise sensor

PKI System Establishment (1/2)

- Certification policies: CPS guideline; guideline for operating the Certification Center; successful cases of applications using PKI
- Certification center construction: providing the most suitable certification system for the country; providing the best hardware and software for certification services
- CA system installation: delivering how to operate the certification system; providing the guideline on certification system construction and operation
- Test and audit: unit/integration test for the PKI software; takeover after a thorough audit of the PKI software
- Operator training: concept training for general PKI-related skills; training for PKI system operation and maintenance; training for emergency measures when obstacles occur
- Pilot operation: pilot operation of services issuing certificates; checking system operation by an operator and compensating for weak points

PKI System Configuration (2/2)

Root CA
- Key Generation System: generates the e-signature generation key of the Root CA; records audits
- Certificate Issuance/Management System (Root CA), with HSM: issues/reissues/renews/suspends/revokes Root CA certificates; manages certificate policies and audits
- Homepage (WEB): publishes ARLs; publishes the CPS

Government CA
- Key Generation System: generates the e-signature generation key of the Government CA; records audits
- Certificate Issuance/Management System (CA), with HSM: issues/reissues/renews/suspends/revokes CA certificates; manages certificate policies and audits; manages user certificates
- Directory System: publishes certificates; publishes certificate revocation lists / suspension lists; provides search support via LDAP
- Registration Management System (RA): registers/modifies/deletes/views user information; revokes/suspends/recovers certificates
- Homepage (WEB): publishes the CPS

Flows
- Subscriber -> RA Administrator: subscriber registration
- Service servers -> RA: server certificate registration
- RA -> Certificate Authority (CMP): certificate issue; server certificate issue
- CA -> Directory System (LDAP): certificate/CRL publication; CRL server
- Root CA -> CA: ARL distribution
- CA Administrator: certificate, CRL and certificate policy management
- Subscribers and service servers use PKI toolkits for e-signature/encryption
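The Root CA / CA / subscriber hierarchy and the two revocation lists on this slide, as an added example that is not part of the presentation or of SG's systems. It is built with Go's standard crypto/x509 package; the names Sample Root CA, Sample Government CA and sample-subscriber, the serial numbers and the 12-hour list validity are constructed values. It goes slightly beyond the slide by showing what the relying party's PKI toolkit has to do with the published lists: build the chain to the Root CA, check the CA certificate against the ARL and the subscriber certificate against the CRL, and reject a list that is unsigned, signed by the wrong authority or past its nextUpdate.

```go
// Added example, not from the presentation: a miniature of the two-tier hierarchy above
// using only Go's standard library. The Root CA issues the CA certificate and signs an ARL;
// the CA issues a subscriber certificate and signs a CRL; the relying party checks both.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is the constructed sample PKI: ARL is signed by the Root CA, CRL by the CA.
type Hierarchy struct {
	Root, CA, Subscriber *x509.Certificate
	rootKey, caKey       *ecdsa.PrivateKey
	ARL, CRL             *x509.RevocationList
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func newKey() *ecdsa.PrivateKey   { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue builds and signs a certificate; a nil parent means self-signed; CA certificates also get keyCertSign/cRLSign.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: ku,
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// publish signs a revocation list naming the given serials (none gives an empty list).
func publish(issuer *x509.Certificate, key *ecdsa.PrivateKey, serials ...*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(time.Now().UnixNano()),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(12 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
}

// BuildHierarchy creates Root CA -> Government CA -> subscriber with empty ARL and CRL.
func BuildHierarchy() *Hierarchy {
	h := &Hierarchy{rootKey: newKey(), caKey: newKey()}
	h.Root = issue("Sample Root CA", 1, true, nil, &h.rootKey.PublicKey, h.rootKey)
	h.CA = issue("Sample Government CA", 2, true, h.Root, &h.caKey.PublicKey, h.rootKey)
	h.Subscriber = issue("sample-subscriber", 1001, false, h.CA, &newKey().PublicKey, h.caKey)
	h.ARL, h.CRL = publish(h.Root, h.rootKey), publish(h.CA, h.caKey)
	return h
}

// RevokeSubscriber re-publishes the CRL; RevokeCA re-publishes the ARL.
func (h *Hierarchy) RevokeSubscriber() { h.CRL = publish(h.CA, h.caKey, h.Subscriber.SerialNumber) }
func (h *Hierarchy) RevokeCA()         { h.ARL = publish(h.Root, h.rootKey, h.CA.SerialNumber) }

// check returns nil when c is absent from rl; rl must be signed by issuer and not past nextUpdate.
func check(rl *x509.RevocationList, issuer, c *x509.Certificate) error {
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("list not signed by %q: %w", issuer.Subject.CommonName, err)
	}
	if time.Now().After(rl.NextUpdate) {
		return fmt.Errorf("list from %q is stale", issuer.Subject.CommonName)
	}
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("%q was revoked by %q", c.Subject.CommonName, issuer.Subject.CommonName)
		}
	}
	return nil
}

// Verify is the relying party's check: chain to the Root CA, then the CA certificate
// against the Root CA's ARL and the subscriber certificate against the CA's CRL.
func Verify(h *Hierarchy, leaf *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.CA)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return fmt.Errorf("chain building failed: %w", err)
	}
	if err := check(h.ARL, h.Root, chains[0][1]); err != nil { // chains[0] is [subscriber, CA, Root CA]
		return err
	}
	return check(h.CRL, h.CA, chains[0][0])
}

func main() {
	h := BuildHierarchy()
	fmt.Println("fresh subscriber:", Verify(h, h.Subscriber))
	h.RevokeSubscriber()
	fmt.Println("after CRL entry:", Verify(h, h.Subscriber))
}
```

The two lists are deliberately checked against different issuers: an ARL signed by anyone but the Root CA, or a CRL signed by anyone but the CA that issued the subscriber certificate, is rejected before its contents are consulted, and a list whose nextUpdate has passed is treated as unavailable rather than as "nothing revoked".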


PKI-enabled application development

e-Government applications built on the Public Key Infrastructure (PKI Center):
- Petition service: identify oneself online by certificates
- E-supply (G2B): online bidding with certificate
- 4 major insurances data exchange (labor, medical care, pension, industrial disaster): Internet access with certificate
- National financing information system: based on Internet banking, etc.
- Taxation (National Tax Agency): access with certificates
- Regional administration (service for counties): access with certificates
- Personnel management inside government: all employees inside government
- Electronic document system: interoperable with other systems
- Digital signature & seal: distribute certificates; develop and enhance systems adopting certificates
- Enhance computerization: sharing national resource information
- Education administration system: teachers can access with certificates

Effectiveness of expectations

Background: law, policies, standards & technology; PKI-enabled applications; accredited CA -> National PKI establishment

Win (User)
- Reduce time and cost.
- Convenience of applications like online civil service, Internet banking, etc.

Win (Company)
- Convert offline business to online.
- Provide more secure and safe services.
- Increase the trust in the company.

Win (Government)
- Increase confidence and trust.
- Ensure interoperability of the PKI infrastructure with other governments.
- Establishment of a national security plan.

PKI is making up the safe and trustful environment using electronic signature.

Thank you!

Young-joo Ko, Senior Consultant / Global Business Task Force
E. [email protected]  T. +82-2-360-3215