Upload
rohit-bedi
View
249
Download
0
Embed Size (px)
Citation preview
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
1/50
Secu r ity is su es in ESecu r it y is su es in E --P r o c u r e m e n tP r o c u r e m e n t( P u b lic Ke y I n fr a s t r u ct u r e )( P u b lic Ke y I n fr a s t r u ct u r e )
2 8 th Se p t em b e r 2 0 0 9 , Tu n is
Sen io r Co n su lt an t , M r . Yo u n g jo o Ko
(keyguard@signga te . com)
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
2/50
1
1. Ne cess ity o f Na t ion a l P KI
2 . Se cu r it y in e -P r o cu r e m e n t s ys t e m
C o n t e n t s
3 . St e p o f N P KI E s ta b lis h m e n t
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
3/50
2
1. Ne cess ity o f Na t ion a l P KI
2 . Se cu r it y in e -P r o cu r e m e n t s ys t e m
C o n t e n t s
3 . St e p o f N P KI E s ta b lis h m e n t
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
4/503
www . sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
5/50
4
Need fo r D igit a l Sign a tu r e
In d u s t r ia l S o cie t y
o n l i n eOf f lin e ( face-to -face)
In fo r m a t i o n a l S o cie t y
Risk o f d ece ivin gide n t it y o f s e n de r
Authen t i ca t ion Digit a l S ign a tu r e
R isk o f ch a n gin g in fo r m a t ion
o n t r a n s m is s io n
I n t e g r i t y Digit a l S ign a tu r e
Risk o f den yin g a fac tin fo r m a t io n t r a n s m it
N o n - r e p u d i a t i o n Digit a l S ign a tu r e
R isk o f e xpos in g in fo r m a t iono n t r a n s m is s io n Conf ident ia l i ty Enc r yp t ion
So l u t i o n sP r o b l e m s
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
6/50
5
Public Key System
Ke Kd
Each user have public key (KUa) and private key (KRa).
Public key open and private key keep secretly save.
Use digital signature.
R SA, Elgamal, ECC
sender receiver
P u b lic-Key Algo r ith m
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
7/50
6
Sender Receiver
Hash
AlgorithmHash Code Sign
Digital
Signature
Client Certificate
Hash Code
Hash Code
Compare
Private Key
Verify
Public Key
Hash
Algorithm
Cert i f icate
Verif icat ion
Digit a l Sign a tu r e Sign in g Digit a l Sign a tu r e ve r ifica t io nS e n d i n g
Au th en t ica t ion , In t egr it y, Non -Rep u d ia t ion
EncryptedPrivate Key
AESDecryption
Password
Message
Authenti
cation
Integr
ity
Non-R
epudia
tion
P u b lic-Key Algo r ith m
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
8/50
7
Mechanisms of Encryption and Decryption
M : plaintext C : cipher text E : Encryption Algorithm
D : Decryption Algorithm, Ke : Encryption Key, Kd : Decryption Key
Symmetric Algorithm Ke = Kd
Use the same key between sender and receiver
difficulty of key distribution
DES, Skipjack, IDEA, FEAL, LOKI, GOST, SEED, AE S
Sym m et r ic Algo r it h m
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
9/50
8
Sym m et r ic Algo r it h m
Sender Receiver
Message Encrypt ion Message Decrypt ionSending
Confidentiality
Receiver
Certificate
MessageCipher Text
SessionKey
Public Key Private Key
MessageCipher Text
Encrypted
Session Key
SessionKey
Encrypted
Session Key
Confi
denti
ality
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
10/50
9
Sym m etr ic vs . Pu b lic-Key Cr yp tos ys te m
In d e x Sym m et r ic Cr yp to sys t e m P u b lic-Ke y Cr yp to sys t e mKey Type
Encryption Key
Decryption Key
Encryption AlgorithmTransfer of Private Key
Number of Key
Encryption Key = Decryption Key Encryption Key Decryption Key
Secret Public
Secret Secret
DES/AES/SEED RSA Need Need Not
n(n-1)/2 2n
Encryption Speed
Key Distribution
High Low
Difficult Easy
U s e s a m e K e y
E n c r y p t i o n
Algor i thm
E n c r y p t i o n
Algor i thmE n c r y p t e d
M essage
E n c r y p t e d
M essage
Decryp t ion
Algor i thm
Decryp t ion
Algor i thm
Decryp ted
M essage
Decryp ted
M essage
Secre t Key
Key gener a t ion
Algor i thm
Key gener a t ion
Algor i thm
Pla in
tex t
P la in
text
E n c r y p t e d
M essage
E n c r y p t e d
M essage
Use D i ff e ren t
k e y
Public
Key
PrivateKey
PublicRepository
Ch e c k t h e t r u t h o f
t h e P u b l i c k e y
E n c r y p t i o n
Algor i thm
E n c r y p t i o n
Algor i thmE n c r y p t e d
M essage
E n c r y p t e d
M essagePla in
text
P la in
text
Decryp t ion
Algor i thm
Decryp t ion
Algor i thm
D e c r y p t e d
M essage
Decryp ted
M essage
E n c r y p t e d
M essage
E n c r y p t e d
M essage
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
11/50
10
P K I (P u b lic Ke y I n fr a s t r u ct u r e ) ?
IETF PKIX RFC
RSA PKCS 1~15
Digital Signature, Hash, EncryptionAlgorithm
Electronic Signature Act
Electronic Transaction Basic Act
Personnel Information Protection Act
System
(CA, RA, DS,
OCSP, TS,Firewall, IDS,
SMS, NMS etc)
Certification Center
CPS (Certification Practice Statement)
Killer
Applications
Operation
Accredited CA
LawPKI Standards
CA SystemsElectronic Signature
Certification Technology
Applications
System
Policy
PKI
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
12/50
11
Co m p o n e n t o f P KI
Client
Cer t
Se rve r
Cer t
certificate
Dir ect o r y
S e r v e r
repository PKI Se r ve r
Server-side softw are
Client-side softw are
P e r s o n n e l, p o licy, p r o ce d u r e s , co m p o n e n t s a n d fa c ilit ie s t o b in d u s e r
n a m e s t o e le ct r o n ic k e ys s o t h a t a p p lica t io n s ca n p r o vid e t h e d e s ir e dsecu r ity s e r vices .
Cert i f ica te
Au tho r i t y
Reg is t r a t ion
Au tho r i t y( P C / P h o n e / P D A )
PKI Clien t
Digital
S
ignature
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
13/50
12
P KI Cen te r Sys t em Co n figu r a t io n
I n t e r n e t
TS
Ad m in P C
DB
DS
OCSP
Use r
F i rewa l l
R A
TSA
KRS/
Etc .
Ad m in : Ad m in i s tr a t o r P r o gr a m
U s e r : U se r S / W
CA: Cer t i fica te Au th or i ty Ser ver
RA: Reg is t r a t ion Au th or i ty Se rve r
DS: D ir ec to r y Se rve r
OCSP: On l in e Cer t i fica te
S ta t u s P r o t o c o l S e r v e r
VA: Val ida t ion Au th or i ty Ser ver
H S M : H a r d w a r e S e cu r it y M o d u le
(Acce le ra to r )
T S: Ti m e S t a m p M o d u l e
GPS: Tim e Accu r acy Ma in ta in e r
TSA: T im e S tam p Au th or i ty
Se rve r
DVCS: Data Val ida t ion
Cer t i fica t ion Ser ver
KRS: Key Roam ing Se rve r
Etc .: O the r Se rv ice Se r ve r
All n e t w o r k s a n d s e r v er s a r e
d o u b l e c o n n e c te d ( F a u l t To le r a n t )
L4 Switch
n e t H S MGPS Receiver
CA
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
14/50
13
I dent if icat ion and Signat ure
For Aut hent icat ion
NameSSN
AddressIssued DateFinger Print
: Young joo Ko: XX0921-152XXXX
: SG, Seoul, Kr: 2002/6/1:
National ID Card
Reusable
Real World
NameSerial No
AddressValidity
Public Key
: Young joo Ko: 883XXX8377
: SG, Seoul, Kr: 2008/6/1~2009/5/31
:
Accredited Certificate
CAsSignature
I mpossible to reuse
Digital signat ure usingasymm etr ic encrypt ion /
decrypt ion met hod
EncryptedPrivate Key
+
Digital Signature
Cyberspace (Internet)
Signature orSignature-seal
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
15/50
14
"Certificate" means information in electronic form verifying and certifying thecorrespondence of a public key to a private key owned by a natural or juridicalperson.
Certificate version
Certificate serial numberSignature algorithm id for CA
Issuer X.500 name
Validity period
Subject X.500 nameSubject public key info
Issuer unique identifier
Subject unique identifier
Type Criticality ValueType Criticality Value
Type Criticality Value
CA Sign a t u r e
V1
V2
V3
version 3 (2)
12345678
RSA with SHA-1
cn=SignGATE CA,ou=Accredited CA,ou=KICA, c=K
start=01/01/08, expiry=12/31/09
RSA with SHA-1
(not used)
(not used)
Extensions
cn=Ko,ou=Accredited CA,o=KICA,c=KR
Digita l Ce r t i fica te s
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
16/50
15
Types of Cert if icat es
Cert if icate Wit hout Accredit ation (or Private Cert if icate)
A certificate is issued by a certification organization that is not accreditedby the government. It is used for a limited number of e-transactions
Accredited Cert if icat e
The accredited certificate is issued by a CA, which in turn is designated bythe government pursuant to the laws after thorough screening, to be usedfor various e-transactions.
Category Accredit ed Cert if icateCert if icate Wit hout
Accreditation
Level of technology
and security
Passage of thorough screening
pursuant to the law
Impossible to verify
Legal effect Valid as provided by the laws Valid only by agreement
Compensation Easy to get compensated Hard to get compensated
Scope of applicableservices
Wide Narrow
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
C o n t e n t s
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
17/50
16
1. Ne cess ity o f Na t ion a l P KI
2 . Se cu r it y in e -P r o cu r e m e n t s ys t e m
C o n t e n t s
3 . St e p o f N P KI E s ta b lis h m e n t
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
18/50
17
I s s u e s o f e -P r o cu r e m e n t
I s su e s o f e -p r o cu r e m e n t .
OffOff--Lin e P r o cu r e m e n tLin e P r o cu r e m e n t OnOn --Lin e P r o c u r e m e n tLin e P r o cu r e m e n tI s s u e sI s s u e s
Difficu l t to ver ify
u s e r in o n -lin e
Br e a ch in fo r m a t io n
E a s y t o m a k e fo r ge r y
R e p u d i a t et r a n s a c t i o n s
The Agen cy
A Sub sc r ibe r
The Agen cy
A Sub sc r ibe r
H a n d y w o r k p r o ce s s
m a k in g m is t a k es
(Nega t ive)
N e e d s m u c h t im e fo r
d o cu m e n t m a n a ge m e n t
Co m p le x a n d t im e
c o n s u m p t i o n
Difficu lt a n d
ineff ic ient ly
P r ep a r e m a n yd o c u m e n t
Le ss m is t a ke s
N o m o r e p a p e r
d o c u m e n t s
Ea s i ly g ive p r oc u r e m e n t
i n f o r m a t i o n
Ca n b e u s e d a n yw h e r e ,
a n y t i m e ( 2 4 h ) .
Ea s i ly p r e se n t
d o c u m e n t to a ge n cie s
Eas i ly jo in t h e b idd ing
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
S i f Bid d i
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
19/50
18
Secu r ity o f e -Bid d in g
IntegrityIntegrity
AuthenticationAuthenticationCompanyCompany
AuthenticationAuthenticationAccuracy dead lineAccuracy dead line
by time stampingby time stampingNonNon--repudiationrepudiation
KONEPS
e-Bidding ServerWit h securit y add-on
for Web Applicat ion Server
e-Bidding ServerWit h securit y add-on
for Web Applicat ion Server
Verify forgery andVerify forgery and
modification bidmodification bid
documentdocument
Company identityCompany identity
BanBan a bid of illegala bid of illegal
companycompany
Prevention of troubles forPrevention of troubles for
the bidding deadlinethe bidding deadline
Fairness for a time andFairness for a time andgrantgrant legal forcelegal force
NonNon--repudiation forrepudiation for
sending a tendersending a tender
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
O ll Bid d i P d b P KI
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
20/50
19
Over a ll e -Bid d in g P r oces se s s ecu r ed by P KI
Bid InvitationBid Invitation
SG as a tr usted t hir dpart y issues a
encryptioncert ifi cate for eachbiddingannouncement
Private key of t hesecurity certificate
must be st ored onlyin t he biddingadminist rators PC
Privat e key isdivided into t w oparts to be reservedby SG and KONEPSseparately againstthe loss of t heprivat e key and notto be retrievedarbitrarily
Bidding price andother information
are submi t t edafter digit allysigned andenveloped usingthe encrypt ioncertificate
Financier makesmult iplepredetermined
pr ices in his PC The predet ermined
pr ices aresubmit t ed aft erdigitally signedand envelopedusing theencryption
certificate
Biddingadministratoropens theenveloped biddingpr ice andpredeterminedpri ces using theprivate key of t hesecurit y cert ificateand administ rate
t he bidding
TenderTenderMaking mult iplePredetermined
price
Making mult iplePredetermined
priceBid EvaluationBid Evaluation
Every bidding price and evaluation relevant information must be stored
in DB, digitally signed and enveloped until bid evaluation date
Every bidding relevant process must be logged
Each original document must be reserved for later verification
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
C t ifi t I P f Bid d
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
21/50
20
User visits a respective RA with certificateapplication form and his ID card
RA conducts user identification
RA manager registers information on userapplication form to CA
As results on registration, reference number,authentication code and user manual aredelivered to user
User goes to RAs homepage to install
Management S/W and create a key pairUser enters the number and code and selects astorage medium and enter his certificatepassword in order to issue his certificate
CA issues the certificate after confirmingusers request
CA publishes the certificate issued toDirectory server (Optional)
CA delivers the certificate to user
User saves the certificate to a storage mediumhe selected
DescriptionNo.
1
2
3
4
5
6
7
8
9
10
On-lineNote
Off-line
(Certificate AuthorityCA)
User Directory Server (DS)
Registration Authority(RA)
Issue Online Certificate
Identification2
Install CertificateManagement S/WCreate Key pair
5
RegistrationRequest
1
Reference number/Authentication code/User Manual Distribution
4
Certificate Issuance Request (CMP)6
Certificate Download9
User Registration3
Save Certificate10 Issue Certificate7
PublishCertificate
8
Certificate Issuance Process for the company
Cer t ifica t e I s su a n ce P r o ces s fo r Bid d e r
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
T f t A th t i t i t l
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
22/50
21
Two -fa cto r Au th en t ica t ion to log-on
Independently of the user type(bidder, bid administrator) two-factor authentication is the expected minimal level ofauthentication for log-on to the e-procurement system
Best uesr authentication method in log-on to the system relieson s o m e t h in g yo u k n o w (e.g dedicated PIN code or
certificate password), supplemented by an additionals o m e t h in g yo u h a ve authentication factor in order toimplement two-factor authentication
Also to log-on to the system user should be able to generate
proper digital signature for the random value which is send bye-procurement system to prevent replay attack.
Smartcards USB Tokens
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
K M t S t
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
23/50
22
Ke y M a n a ge m e n t Sys t e m
Encrypt Cert ifi cate I ssue
Public Key Private Key
Encrypt Cert ifi cate Server
Key Manager System
Signatu re for Bidding
announcement E-Bidd ing System
SG(Korea Information Certificate Authority)
KONEPS
Bidding announcement +Encrypt Certificate
I nsert Biddingannouncement
Half Private Key Store
Encrypt Certificate Issue
Bid AdministratorsSign Certificate
Divide Private Key
Key Manager System
Half Private Key Store
Bid Administrators PC
Administrators encryption certificate is issued on bidding announcement and stored in the biddingadministrators PCPrivate key of the encryption certificate is divided and reserved by SG and KONEPS separatelyagainst the loss of the private key and not to be retrieved arbitrarily
Administrators encryption certificate is issued on bidding announcement and stored in the biddingadministrators PCPrivate key of the encryption certificate is divided and reserved by SG and KONEPS separatelyagainst the loss of the private key and not to be retrieved arbitrarily
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
P r o ce s s o f Se cu r in g Bid d in g D o cu m e n t s in e -
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
24/50
23
g g
Bid d in g Sys tem
Bidding documents are submitted after digitally signed and envelopedKONEPS e-Procurement system checks integrity of the bidding documents and stores the envelopeddocuments in DBOn bidding evaluation the documents are opened and integrity of the documents are verified usingdigital signature
Bidding documents are submitted after digitally signed and envelopedKONEPS e-Procurement system checks integrity of the bidding documents and stores the envelopeddocuments in DBOn bidding evaluation the documents are opened and integrity of the documents are verified usingdigital signature
BidderKONEPS
Signed and Envelope forProposal
(Use Bid executersencrypt certificate)
MakeProposal
Signed and Envelope forSend Message (use Servers
encrypt Certificate)
Bids EncryptPrivate Key
Award Result
Decrypt and Verify
Signature for Send Message(Use Servers Private Key)
Signed and EncryptedProposal data store
Te
nder
Award Decrypt and Verify
Signature for Propsal(Use Bids Private Key)
Bid Executer
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Tim e Sta m p in g P r o to co l (TSP )
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
25/50
24
Tim e Sta m p in g P r o to co l (TSP )
Gu a r a n t e e t im e ly fa ir n e s s a n d t r a n s p a r e n cy t h r o u g h
t im es t am p se r vice p r o vid ed b y accr ed it ed CA
Need for the proof of existence of certain dataTime-sensitive serviceBidding end date and timeBidding documents submission date and time
Need for the proof of existence of certain dataTime-sensitive serviceBidding end date and time
Bidding documents submission date and time
Cert if icat ion Aut horit y
TSA
KONEPS
TimestampServiceCompany
Organization
Proposal
BiddingAdministrator
E-Bidding System
Check Closing
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Tim e Sta m p in g P r o to co l (TSP )
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
26/50
25
Tim e Sta m p in g P r o to co l (TSP )
TSA (Time Stamping Authority)
- The TSA's role is to time-stamp a datum to establishevidence indicating that a datum existed before a particulartime.
- can used to verify that a digital signature was applied to amessage before the corresponding certificate was revoked
- can also be used to indicate the time of submission when adeadline is critical, or to indicate the time of transaction for
entries in a log.
E-ProcurementSystem
RequestTimestamping
Token
TimestampingToken Admin
Audit/Management
TSA Daemon
HSM
Time Stamp Authority
DB
GPS satellite
WinSync
TS Client
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
On lin e Cer t ifica te Own er Ver ifica t ion
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
27/50
26
On lin e Cer t ifica te Own er Ver ifica t ion
Subscriber Identification Base on Virtual ID- Virtual ID is a the certificate user's unique identifier.- Virtual ID is a form of a hash value.
< P r i va t e Ke y in c lu d e R a n d o m N u m b e r >
< Cer t i fi ca t e for Digi t a l S ign ing >
VID = H(H(IDN,R)
R
I D N : R e s id e n t R e gis t r a t i o n N u m b e r o r
B u s in e s s R e gis t r a t i o n N u m b e r
VID : Vir tu a l ID
H : H a sh Algo r it hm
Information forIdentification
Verification Method
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
On lin e Cer t ifica te S ta tu s P r o to co l (OCSP )
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
28/50
27
On lin e Cer t ifica te S ta tu s P r o to co l (OCSP )
Online Certificate Status Protocol (OCSP)- OCSP is an Internet protocol used for obtaining the
revocation status of an X.509 digital certificate.
- OCSP can confirm a current status of the certificate
immediately.
< Au th or i ty Access In fo rm a t ion F ie ld >
< O CS P S tr u c t u r e >
OCSP
DSCA
CRL Publish
CRL
CRL File
Publisher
HTTP(S)
CRLCRL
USER Serve r
Certificate
CertificateVerification
CertificateVerification
CRL
CRL
CRL
CRL
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
W h a t is P KI Cr yp to Too lk it (1/ 2 )
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
29/50
28
Deve lop e r ju s t ca ll APIs t o ap p ly
P KI F un c tion s t o t h e ir App lic a t ion s
Deve lop e r ju s t ca l l APIs t o ap p ly
P KI F un c tion s t o t h e ir App lic a t ion s
P H PApp.
P H PP H PApp.App .
AS PApp.
ASPASPApp.App .
J a v aApp .
J a v aJ a v aApp .App .
O t h e rApp .
O t h e rO t h e rApp .App.
P KI Cor e M od u le
Cr yp tog r a ph ic Lib r a r y
( Toolki t )CipherM o d u l e
Cert i f ica te
M o d u l e
S i g n a t u r e
M o d u l e
Cipher
M o d u l e
Cert i f ica te
M o d u l e
S i g n a t u r e
M o d u l e
Dyna m ic L ink L ib ra r y
CO M
ja va
sc r ip t
Visual
Bas ic
P o w e r
Bui lde r
C/C++
HT ML Client App l ica t ion
Sha r ed Object / Arch iveJ ava Cla s s Lib ra r y
Crypto API
S t a n d a r d
J CE / J CA
I n t e r f a c e
P H P CGI J SP Servle t
Ser ver App l ica t ion
Clie n t To o lk it Se r ve r To o lk it
z Cryptographic Library (Toolkit) z Application Development
Conf iden t i a l i t yConf iden t i a l i t y
I n t e g r i t yI n t e g r i t y
N o n - R e p u d i a t i o nN o n - R e p u d i a t i o n
Authen t i ca t ionAuthen t i ca t ion
z Problems of Electronics transaction
Toolk i t p r ov ide s ea sy ways fo r ap p l ic a t ion deve lop e r s
to use c ryp togr ap h ic se r vi ce s
Risk o f dece ivin g id en t i t y o f sen d e rRi sk o f dece iv in g id en t i t y o f sen de r
R is k o f D e n y in g a fa c t in fo r m a t io n t r a n s m itR isk o f De n yin g a fa c t in fo r m a t i on t r a n sm it
R is k o f ch a n gin g in fo r m a t io n o n t r a n s m is s io nR is k o f ch a n gin g in fo r m a t io n o n t r a n s m is s io n
R is k o f e xp o s i n g in fo r m a t io n o n t r a n s m is s io nR is k o f e x p o s in g in fo r m a t io n o n t r a n s m is s io n
P r o b le m o f
E lec t ron ic s
t r a n s a c t i o n
W h a t is P KI Cr yp to Too lk it (1/ 2 )
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
W h a t is PKI Cr yp to Too lk it (2 / 2 )
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
30/50
29
USER TCP/IP
INTERNET
E -P r o c u r e m e n t S e r v e r
In t e r n e t Br o w se r W EB Se r ve r
HTML HTML
Clien t Cr ypto
Toolki t
(Active-X)
Serve r Cryp to
Toolki t
(J AVA)
Clie n t Se r ve r
Clien t Cr ypto
Toolki t
(Active-X)
Serve r Cryp to
Toolki t
(J AVA)
HTTP
Digi ta l
S i g n a t u r e
D a t a E n c r yp t i o n
Aut he n t i c a t i on
I n t e g r i t y
Conf iden t i a l i t y
Non- R e pud i a t i on
Certificate
Certificate Certificate
Certificate
W h a t is PKI Cr yp to Too lk it (2 / 2 )
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Fu n ct ion s of P KI Cr yp to Too lk it
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
31/50
30
Fu n ct ion s o f P KI Cr yp to Too lk it
Cla s s ifica t io n sect io n M a in Fu n ct io n
Certificate InformationConfirmation
A function to confirm detailed information in a certificate
Electronic SignatureCreation
A function to create and process electronic signature
Cipher Message Creation A function for cipher message creation and processing
Certificate verification A function to verify certificate validity
Algorithms Module A function for electronic signature and encryption algorithms
Directory Module A function to get a certificate and directory access
Private key Module An Encryption process function for a certificate private key
Identification Module A function to confirm identification information in a certificate
Basic
Cert i f ica t ion
Storage Medium Module A function to read and write a certificate in a smart-card or a hard disk
Certificate Selection A function to manage certificates in each storage mediaUser
I n t e r f a c e Certificate View A view function of the selected certificate
Certification ProcessFunction
An web-based user certification function
Encryption Function An Web document (HTML) encryption function
A function to support a script-based web server with JSP and PHP
W e b
S e c u r i t y
Supporting LanguageA function to support a script-based web server with ASP
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
C o n t e n t s
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
32/50
31
1. Ne cess ity o f Na t ion a l P KI
2 . Se cu r it y in e -P r o cu r e m e n t s ys t e m
3 . St e p o f N P KI E s ta b lis h m e n t
E-Government Framew ork
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
33/50
32
E Government Framew ork
Economic Developm ent (G2B)e-Customse-Support for Foreign Firmse-Intellectual Propertye-Procurement
Public Service(G2C)Publ ic Admin.Reform(G2G)
e-Agriculture e-Land Registrye-National ID
Shared Services National ID DBLand Resources DB
InfrastructurePublic Key I nfrast ructure
Public Access PointGovernment Information Network
Database
Management
Organization
Budget
HRD
Standards
SecurityIT Management
Privacy
e-Government for National Developmente-Government for National Development
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Framew ork of Nat ional PKI
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
34/50
33
NPKI (Nat ional Public Key I nfr ast ructure)NPKI (Nat ional Public Key I nf rast ruct ure)
PreparationPreparation
PKI SchemePKI SchemePKI SchemeRequirements for
PKI SystemRequirements forRequirements for
PKI SystemPKI System
OperationRequirements
OperationOperationRequirementsRequirementsPKI StandardsPKI Standards
PKI Standards
EducationEducationEducation
PromotionPromotionPromotion Pilot ProjectPilot ProjectPilot Project
Law &Regulations
Law &Regulations
PKI DecreeRecommendation
PKI DecreePKI DecreeRecommendationRecommendation
AccreditationGeneralsAccreditationAccreditationGeneralsGeneralsOrganization of
PKI TFTOrganization ofOrganization ofPKI TFTPKI TFT
ImplementationPlanning
ImplementationImplementationPlanningPlanning
Facilities andEquipment
Facilities andFacilities andEquipmentEquipment
CPSFramework
CPSCPSFrameworkFramework
long-termSecurity planlonglong--termterm
Security planSecurity plan
RAConstruction
RARAConstructionConstruction
PKI Cent erPKI Cent erEducat ion &Promotion
Educat ion &Promotion
PKIApplications
PKIApplications
I mplementat ion stepsI mplementat ion st eps
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Se t u p o f I n fr a s t r u ct u r e fo r I n t e r n e t Se cu r it y
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
35/50
34
p y
G o v e r n m e n t
Accredi ted
CA
Application Service organizations or companies
USER
Roo t CA
P K I M o d e l
Accredi t ed
Cert i f ica te
Accr ed i t ed E le c tr on ic Signa t u r e
To e s t a b lish s a f e a n d r e lia b l eI n f o r m a t io n s o cie t y
EstablishmentLaw
(ElectronicSignature),
PKI Standards
Building PKICenter
Developing PKIenabled
Applications
License
Law , Po l icy,
S t a n d a r d s
Cert i f ica t ion
Service
E - p r o c u r e m e n t ,
I n t e r n e t B a n k i n g ,
E -co m m e r c e , e tc
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
R ela t ed la w a n d P o licy in Ko r ea
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
36/50
35
y
Minist ry of Know ledge & Economy
Established in 1999/ revised in 2002, 2005, 2007
Legal effectiveness for digital documents
Minist ry of Publi c Administ rat ion and Secur it y ( MOPAS)
Established in 1999/ revised in 2001, 2005 Legal force clarification for a digital signature NPKI
Minist ry of Public Administ rat ion and Secur it y ( MOPAS) Established in 2001
Regulations for official documents in government GPKI
ElectronicTrade
Basic Law
Digital
SignatureLaw
Digital
GovernmentLaw
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
P K I Sys t e m o r ga n iza t io n in Ko r e a
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
37/50
36
y g
Law & Policy arrangement
National authentication plan management Licensed CA management
MOPAS
Digital Signatu reAuthentication
Management Center
Licensed CA
Root CA
Government
SGSG KOSCOM KFTC
1st1st1st 2nd2nd 3rd3rd 4th4th Authentication management Provide CA service
Certificate issuance
Certificate termination / renewal
National authentication &
system operation Field test for licensed CA accreditation
Issue a certificate for a licensed CA
MOPAS (Min ist ry Of Publ icAdmin ist rat ion and Securit y)
KI SA (Root CA)
Accredi t ed CA
Korea Information Security Agency
5th5th
CROSSCERT KTNET
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
N u m b e r o f a c cr e d it e d ce r t ifica t e s in Ko r e a
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
38/50
37
(Scale: number)
26,845
1,501,535
4,934,143
7,824,368
9,479,919
11,000,073
14,374,988
17,155,333
0
2,000,000
4,000,000
6,000,000
8,000,000
10,000,000
12,000,000
14,000,000
16,000,000
18,000,000
200 0 2001 2002 2003 200 4 2005 2006 2007
Number of annual issuance of certificates (2008, published by KISA)
Type Entity Usage Field
personal All e-transaction
Corporate All e-transaction
- G2C, bank, insurance
- G2C, bank, insurance
- G4C, credit card
specific
General
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Proj ect Scope
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
39/50
38
IETF4) RFC5) PKIX StandardRSA PKCS6) Standard
Electronic Signature CertificationTechnologies
(Certificate and CRL profile, CertificateManagement Protocol, Hash, Encryption,Digital Signature algorithm)
Electronic Signature Act, Decrees andOrdinances
CPS (Certificate Practice Statements)Operation guidelines for a PKI Center
Governm ent CA or Accredi ted CA
Interoperabi l i ty
CPS Identification Guidelines
PKI standards (International and domestic) Law and Regulations
Digital Signature and Encryption based technologies
Public Key Infrastructure
1) IETF : Internet Engineering Task Force,2) RFC : Request For Comments3) PKCS : Public Key Cryptography Standard
The Establishment of Nat ional PKI and
t he Pilot Proj ect of Digit al Signature
EquipmentSupport
Dispatch ofExperts
TraineesInvitation
SystemConstruction
Root CA
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Im p le m e n t a t io n St ep s
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
40/50
39
Ph ase 1.
P r e p a r a t i o n s
Designing of PKI scheme
Launching of PKI TFT
Finding ways to finance
Ph ase 1.
P r e p a r a t i o n s
Designing of PKI scheme
Launching of PKI TFT
Finding ways to finance
National PKINational PKINational PKI
P h a s e 2 .
Law & Regu la t i on Se tup
Revision of IRR (E.S)
Administrative Orders
Executive Orders
P h a s e 2 .
Law & Regula t i on Se tup
Revision of IRR (E.S)
Administrative Orders
Executive Orders
P h a s e 3 .
P KI Ce n t e r C ons t r u c tion
PKI systems
Facilities / Equipment
Operation guideline
P h a s e 3 .
P KI Ce n t e r C ons t r u c tion
PKI systems
Facilities / Equipment
Operation guideline
P h a s e 5.
PKI App l ica t ion
D e v e l o p m e n t
Pilot project
RA Constructions
Planning of long-term
national PKI services
P h a s e 5 .
PKI App l ica t ion
D e v e l o p m e n t
Pilot project
RA Constructions
Planning of long-term
national PKI services
P h a s e 4 .
E d u c a t io n & P r o m o t io n
Education & Training
Development of
Promotional policies
P h a s e 4 .
E d u c a t io n & P r o m o t io n
Education & Training
Development of
Promotional policies
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Proposed PKI Scheme
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
41/50
40
RA Management
Subscr ibers Subscr ibers
RA Management
RA
Accreditation
Annual Auditing
General Purpose certificatesSpecial Purpose certificates
Operation on ACA
Accredit at ion Unit
Root CA Unit Audit ing Unit
Accredi t ed CA
Issuing certificates
Agency 1Agency 1
Agency 2Agency 2
Agency NAgency N
Operation on Root CA
ACA ACA
RARA
RARA
RARA
(ACA: Accredited CA)
Cross Certification
Foreign
Certification
Authority
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Project Overview
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
42/50
41
Category Contents
Const ruct ion of facil it iesRoot CA
Government CA or Accredited CA
Provision of Equipment
Root CA, Government CA System
Network system , System management system
Physical equipment
Dispatch of Korean
experts
Experts for a master Plan regarding law and policy
Experts for system and equipment installation
Experts for PKI systems establishmentExperts for PKI-enabled application development
Technical t rainings foryour personnel in Korea
Training for Operators
Training for Managers
Training for Developers
The Establishment of Nat ional PKI andthe Pilot Proj ect of Digit al Signature
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
Proposed Schedule
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
43/50
42
Year
M M+1 M+2 M+3 M+4 M+5 M+6 M+7 M+8 M+9 M+10 M+11 2 YearsCategory
Dispatch of
Korean
experts
Development
of PKI
System
Provision of
Equipment
Technical
training in
Korea
PKIConsulting
LocalResearch
Equipment
Installation PKI SystemEstablishment PKI Pilot
Project
PKI Systemdevelopment
OrderEquipment
Inspectionin Korea
Shippingequipment
EquipmentInstallation
Training forManagers
Training foroperators
2 Weeks 2 Weeks
2 Weeks 8 Weeks12 Weeks
8 Weeks
3 Weeks
Maintenance
Training forAdministrator
2 Weeks
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
PKI Consult ing
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
44/50
43
Policy
Law
Standards
CA Syst emsElectronic Signature
Certification Technology
PKI
Operation
the guideline related to law of electronic signature. design the operational model of certification service
plan for the designation and management of accredited CA
provide plan for the best fit
PKI system for country provide the guideline for
S/W, H/W for certification services
provide the guideline for national technology standardfor certification technology
provide the guideline how to use PKI in applications.
provide certification
practice statement provide the guideline of
security plan for developing PKI provide examples of the
successful applications using PKI
Global Technology provision
provide overview of the overall PKI technology
Project scope is the establishment of roadmap and guideline for PKI including
objective model which can be derived from analyzing the subject of citizen,business, and government.
Provide the operating know-how of CA System Provide the guideline build and operate the
certification management system
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
PKI Equipment I nstallat ion
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
45/50
44
H
H
H
KGS, CA,DB, RA
NMS, SMS,Backup, DNS,
WEB
DS (m aster)DS ( repli ca)
U
SP
AccessManagement
KGS,ROOT CA
A/ C
A/C
A/C
A/C
Air conditioner
CCTV
Fingerprint recognition
Fire extinguisher
Shock sensor
Noise sensor
H
A/ C
AccessManagement
Root CA Rack Accredited CA Rack #1
01
U ID
NI C1
N I C2
01
U ID
NI C1
N I C2
Root CARoot CA
Accredited CA Rack #2 Monitoring Rack
01
U ID
N IC1
N IC2
01
U ID
N IC1
N IC2H
PKI CenterPKI Center
www .sg co . k r Copyright 1999-2009@SG Inc. All rights reserved
P K I Sys t e m E s ta b lis h m e n t (1/ 2 )
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
46/50
45
Cert i f ica t ion
Policies
P i lo t Ope r a t ion
Op e r a t o r Tr a in in g
CA sys te m
ins ta l la t ion
Te s t a n d Au d i t
PKI Sys tem
Cer t i fica t ion cen te r
C ons t r uc t i on
Pilot operation of services issuing certificates Checking system operation by an operatorand compensating for week points
Providing the most suitable CertificationSystem for country
Providing the best hardware andsoftware for certification services
Concept training for general PKI-related skills Training for PKI system operation and maintenance Training for emergency measures when obstacles occur
CPS Guideline Guideline for operating the CertificationCenter.
Successful cases of the applicationsusing PKI
Unit/Integration Test for PKI software Takeover after thorough audit for
PKI software
Delivering how to operate the Certification System
Providing the guideline on Certification Systemconstruction and operation
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
P KI Sys t em Co n figu r a t io n (2 / 2 )
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
47/50
46
Generates an e-signature generation keyof Root CA
Records audits
Government CA
Key Generation SystemKey Generation System
Publish ARLs Publishes CPS
Homepage(WEB)
Homepage(WEB)
HSM Certificate Issuance/Management System(Root CA)
Certificate Issuance/Management System(Root CA)
Root CA
Generates an e-signature generation keyof Government CA
Records Audits
Key Generation SystemKey Generation System
Issues/Reissues/Renews/Suspends/Revokes CAcertificates Manages certificate policies and audits
Publishes certificates Publishes certificate revocation lists/
suspension lists Provides search support via LDAP
Directory SystemDirectory SystemHSMCertificate Issuance/
Management System(CA)
Certificate Issuance/Management System(CA)
Homepage(WEB)
Homepage(WEB)
Manages user certificates Publishes CPS
Registration ManagementSystem (RA)
Registration ManagementSystem (RA)
Registers/Modifies/Deletes/Viewsuser information Revokes/Suspends/Recovers certificates
Service Servers
PKI toolkits
SubscriberServerCRL
Server
Subscribers
PKItoolkits
Subscribers
Server Certificate Registration
Subscriber
Registration
RA Administrator
Certificate Authority
Certificate
CRL/Certificate Policy
Server Certificate IssueCertificate Issue
LDAP
CA Administrator
CMP
Certificate/CRL
Publication
ARLDistribution
Issues/Reissues/Renews/Suspends/Revokes RootCA certificates Manages certificate policies and audits
E-Signature/Encryption
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
P KI-en a b led Ap p lica t io n Deve lo p m en t
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
48/50
47
e -Gove r n m e n t App lica t i ons
Pet it ion S erv ice
- Identify oneself online bycertificates
E-S u p p ly (G2B )
- Online bidding with certificate
4 M a j or I n s u r a n c e s d a t a
e x c h a n g e
- Labor, Medical care, Pension,Industrial disaster- Internet access with certificate
N a t ion a l Fi n a n cin g
In fo r m a t ion S y s t em
- Based on Internetbanking, etc
T a x a t i o n
- National Tax Agency- Access with certificates
R eg io n a l A d m in is t r a t ion- Service for counties- Access with certificates
Pe r so n a l M a n a g em e n t i n s id e Go v e r n m e n t
- All employees insideGovernment
Elect r ic d ocu m en t sy s t em- Interoperable with other systems
Dig it a l S ig n a t u r e & S ea l
-Distribute certificates-Develop and enhance systemadopting certificates
En h a n ce
co m p u t e r iz a t i on
- Sharing national resource
information
P u b lic Ke y I n fr a s t r u ctu r e( P KI Ce n t e r )
Ed u ca t ion A d m in is t r a t io n S y s t em
-Teachers can assess with cert.
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
Effec t iven es s o f Exp ecta t ion s
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
49/50
48
Law , Po l ic iesSt a n d a r d s &
Techno logy
P KI e n a b l e d
Appl ica t ions
Accr ed i ted CA
Reduce the time and cost.
Convenience of application likeOnline Civil Service, InternetBanking etc.
Convert offline business toonline.
Provide more secure and safe ofservice.
Increase the trust of company.
Increase the confidence and trust. Ensure interoperability of PKI
infrastructure with otherGovernment.
Establishment of NationalSecurity Plan.
USER Corporation
BackgroundBackground
Government
N a t io n a l P KI E s ta b lis h m e n tW in ( Us e r ) W in ( Go ve r n m e n t ) W in ( Co m p a n y)
P K I is m a k in g u p t h e s a fe a n d t r u s t fu l e n vir o n m e n t u s in g e le ct r o n ic
s i g n a t u r e .
www.sgco.kr Copyright 1999-2009@SG Inc. All rights reserved
7/31/2019 3.Security Issues in E-Procurement(PKI) (1)
50/50
49
Th a n k yo u !
You n g-joo KoSenior Consultant/Global Business Task Force
E. [email protected] T. +82-2-360-3215