Operating a CSP in Switzerland or Playing in the champions league of IT Security

Transcription

1 Operating a CSP in Switzerland or Playing in the champions league of IT Security

2 Agenda SwissSign Technology Products and Processes Legal Aspects and Standards Business Model Future Developments 2

3 SwissSign Founded in 2001 Proprietary CA Software Based on Open Source Since 07/2005 a subsidiary of Swiss Post Since 10/2006 ZertES certified 21 Employees 3

4 SwissSign Products Certificate Services Personal and SSL certificates PostZertifikat ZertES, ElDI-V and authentication certificates IncaMail Confidential message transport SwissSigner Digital signature on PDF/A documents SwissStick Driverless hardware plattform for applications Swiss Post Box Electronic delivery of physical mail 4

5 A Quick Introduction to X.509 Characteristics of a certificate CA hierarchies 5

6 Purpose of a Certificate Secure container for a public key Issued by a trusted third party Issued to a subscriber Valid for a limited time Usable for a limited purpose Information Fields 6

7 Structure of a PKI Root CA Issuing CA Certificates Root CA: - Self signed - Offline Issuing CA: - Online - Issues Certificates 7

8 Technical Issues Loss or theft of private keys Inadequate alogorithms/key sizes Incorrect verification (rfc 5280) Path validation Revocation status verification 8

9 Openssl RNG vulnerability Code optimizier removes unused code No entropy for pseudo random numbers PRNG generated primes can be fully calculated CSPs have informed customer s about bad keys Result: Customers are slow to change their keys and certificates. Affected keys are still being used today 9

10 Processes of a CSP Roles in a PKI Certificate Issuance Process Revocation Process Dissemination of Information 10

11 Roles in a PKI Relying Party Relying Party - Communicates with subscriber - Has no contract with RA or CA Requester / Subscriber Requester / Subscriber - Requests the certificate - Supplies the information Registration Registration Authority - May authorize the request - Obtains necessary authorization - Verifies the authorization Authority - Receives the certificate - Archives the documentation - Approves the request Certification Authority Certification Authority - Holds the CA private keys - Issues the certificate 11

12 Issuance of a Certificate 1. Requester Requests certificate Supplies information Provides authorization 2. RA Verifies information Verifies authorization Approves request 3. CA Issues certificate 4. RA Distributes certificate 5. Subscriber Installs certificate 12

13 Security Considerations Substantiate the data in the certificate Identity of the individual Authorized use of organization names Autorized use of domain names Process quality manages the risks 13

14 Revocation Declare a certificate invalid and prevent any future use of the private key. Security Considerations Denial of service attacks Timely processing 14

15 Dissemination of information LDAP = Certificates and CRL CRL = Certificate Revocation List OCSP = Online Certificate Status Protocol CP/CPS Security considerations: Availability requirements 15

16 Products of a CSP End User Products Managed PKI Solutions 16

17 Subscriber Certificates Customer CSP Subscriber Registration Authority Certification Authority 17

18 Security Considerations Correctness of suplied information Validity of authorization Quality of the registration process manages the risk and liability 18

19 Managed PKI: RA solutions Customer CSP Subscriber Registration Authority Certification Authority 19

20 Managed PKI: CA solutions Customer CSP Subscriber Registration Authority Certification Authority 20

21 Security Considerations Managed PKI requires managing liabilities Policies enforce contractual agreeements Rights and obligations are contractually agreed 21

22 Certifications and Audits Arguments for Certification Browser Trust Requirements for Certification 22

23 Certificates that require certification Qualified certificates Digital signature ElDI-V certificates Archiving VAT compliant bills EV SSL certificates are required for green address bar 23

24 Browser Trust CSP must be certified (WebTrust) Root CA must be of public value 3 Steps into the Browser 1. Application 2. Approval 3. Deployment 24

25 Legal Aspects in Switzerland ZertES (Signaturgesetz/ digital signature law) ElDI-V (Mehrwertsteuer/VAT) VwVG (Bundesgesetz über das Verwaltungsverfahren) GeBüV (Geschäftsbücherverordnung) 25

26 International laws and standards International Laws EU: Directive 1999/93/EC A Community Framework for Electronic Signatrures APEC TEL estg (Asia Pacific Economic Comunity) National Laws EU: 19 countries ROW: 17 countries International Standards ETSI , , , CWA ISO ITIL (ISO 20000) IETF rfc 5280, 3161, 3647, 2797 RSA PKCS#

27 Audits Initial Audit Preliminary Audit Main Audit Annual Re-audit Full audit every 3 years SAS Schweizerische Akkreditierungsstelle Certification Certification Bodies Certification Bodies Bodies (currently KPMG) CSP CSP CSP Certification Service Certification Providers Service Certification Providers Service Providers 27

28 The Commercial Side of the CSP People don t buy certificates people buy business solutions CSPs have high fixed costs - you can t do a little PKI. 28

29 SwissSign Approach High Value Businessprocesses Part of Partner Solutions Usability of products Swiss Technology and Cryptography Certified Based on the Values of the Swiss Post Globally available 29

30 Current and Future Challenges for CSP Standardization of certificates (CABforum) SuisseID Health Insurance Card (VK) Strength of cryptographic algorithms 30

31 SuisseID (standardization still ongoing) Part of the 3rd economic stimulus package Subsidize Certificate price Marketing measures Deploy certificate based solutions Combination of qualified signature certificate authentication certificate 31

32 E-Health Market Health Insurance Card (KVG art. 42a) CVC certificates (ech standard) Emergency Data stored on chip (VVK) Option for X.509 certificates Health Professional Card (VVK) X.509 certificate 10 Roles (VVK) CVC certificate 32

33 Algorithmic strenght (BNA) < 2007 < 2010 < 2014 RSA SHA

34 Impacts on the CSP EV SSL certificates must be 2048 RSA starting 2010 SHA-1 hash algorithm is no longer good enough for qualified certificates Microsoft manages CSPs to discontinue the usage of 1024 bit root certificates 34

35 Summary SwissSign Technology Products and Processes Legal Aspects and Standards Business Model Future Challenges 35

36