PINS USER ID PASSWORDS BIOMETRIC SSL ABN DSC COOKIES SOLUTIONS PKI. STRATEGY ONLINE trust. online authentication //


trust // a guide for government managers

Commonwealth of Australia 2002

ISBN ISBN ONLINE

This work is copyright. The Commonwealth grants a royalty-free, irrevocable, worldwide, perpetual, non-exclusive licence, including the right to sub-license, to reproduce this work for purposes permitted under the Copyright Act. Otherwise, no part may be reproduced by any process without prior written permission from the National Office for the Information Economy. Requests and inquiries concerning reproduction rights should be addressed to:

Manager, Government Authentication
National Office for the Information Economy
Level 3, Centenary House
19 National Circuit
BARTON ACT
authentication@noie.gov.au
Phone: (02)

foreword //

The Internet is an inherently open system, cheap and easy to access. It is therefore important that appropriate solutions are available so users can be confident that they know who they are transacting with when using the Internet.

In progressing the Commonwealth Government's objective of increasing Australians' involvement with the information economy, it is imperative to encourage confidence in online transactions, and to ensure trust in the Government's web presence and those transacting with it. The Government is also keen to ensure that agencies maximise the potential of the Internet for online service delivery.

The Government Online strategy, which was released in April 2000, placed considerable emphasis on ensuring enablers such as authentication, privacy and security are in place. That strategy also provided a framework for federal agencies to meet the Prime Minister's commitment (made in 1997) to have all appropriate services online by December 2001.

We have made great strides across Commonwealth Government agencies in terms of providing better, higher quality services for the community. The Prime Minister recently announced at the World Congress on Information Technology in Adelaide that the 2001 target had been achieved. In effect we have reached the end of the first stage of online service delivery in Australia. Later this year the Government will be releasing a new policy framework designed to facilitate fully fledged e-government in the Commonwealth sector in Australia.

Trust is an essential element in the provision of these sophisticated government online services. Agencies and their customers alike need to establish a degree of trust or confidence about the identity of parties to online transactions. Where an agency may be providing online access to services and benefits it will need to ensure that these are being delivered to the correct customer.

Authentication policies and technologies are essential in providing a trusted online environment. This guide has been developed by the National Office for the Information Economy to provide agencies with advice and guidance on key issues when considering the implementation of authentication in their e-business strategies. I commend this report to agencies, and encourage them to adopt appropriate authentication policies as the Commonwealth moves towards a more developed and integrated e-government.

THE HON SENATOR RICHARD ALSTON
Minister for Communications, Information Technology and the Arts
July 2002

Online Authentication National Office for the Information Economy i

contents // trust

Foreword i
Contents ii
1 Introduction
  1.1 National Office for the Information Economy
  1.2 Government Online Strategy 2
2 Authentication 3
  Key points to remember
  2.1 What is it and why is it needed?
  2.2 What alternatives are there?
    Passwords, PINs and User IDs
    One-time passwords
    Challenge and response systems
    Cookies
    Biometrics
    Conventional encryption
    Public key cryptography (digital certificates)
    Public Key Infrastructure (PKI)
    Pretty Good Privacy (PGP)
    SSL and TLS
    Australian Business Register (ABR) and Australian Business Number (ABN) 10
3 Identification 11
  Key points to remember
  Identity documents and value
  Levels of identification
  Identity fraud
  Registration fraud
  Validation
  Individual identification
  Business identification 13
4 What level of authentication is required? 15
  Key points to remember
  A business decision
  Comparing authentication options
  Risk management
  Risk assessment
  What benefits should agencies consider regarding authentication?
  What are the benefits?
  What risk factors should agencies consider?
  What is the relationship between the parties?
  What is the value of the transaction?
  What is the risk of intrusion?
  Risk matrix
  Developing a business case
  Non-repudiation
  ANAO Better Practice Guide
  ANAO Performance Audit: Internet Security within Commonwealth Agencies
  Authentication options for online transactions 28
5 Public Key Infrastructure (PKI) 29
  Key points to remember
  Overview
  Employing digital certificates
  Business continuity and implementation considerations
  Recordkeeping implications
  Public Key Technology
  How PKI works
  A typical PKI process flow
  Is a digital signature the same as a digitised signature?
  How can we use digital signatures? 33
  5.2 Gatekeeper
    Background
    Government requirements
  The ABN-DSC
    Background
    Government requirements
    The ABN-DSC and Project Angus
  Business Authentication Framework (BAF) 36
6 Conclusion
  Next steps 37
7 Further information 39
Glossary 41
Annex A Legal and Privacy Issues with PKI 47
  A.1 What laws govern digital signatures? 47
    A.1.1 What laws govern the relationships between entities within Gatekeeper? 47
  A.2 Management by agencies of PKI liability risks 48
    A.2.1 The need for agencies to manage PKI risks 48
    A.2.2 Scope of these recommendations 48
    A.2.3 Recommended liability guidelines for Commonwealth Agencies 49
    A.2.4 Implementing the suggested recommendations among agencies and accredited service providers 51
    A.2.5 Public statements about Gatekeeper 52
  A.3 Privacy issues with PKI 53

1. Introduction // confidence

As Internet usage continues to grow, government agencies will increasingly want to make more services available online. However, providing services via the Web requires consideration of many issues. One of the most important of these is authentication: making sure that clients are who they claim to be. Authentication has always been an issue when providing government services, but online authentication presents a fresh set of challenges.

This guide provides managers in government agencies with an understanding of authentication issues to be considered when delivering government services online. It will provide you with a basic insight into the need for authentication, examine the options available and discuss the selection and implementation of appropriate options. This guide is not intended to be a technical reference, but it will help you assess authentication options as part of agency planning. More detailed information can be found on the websites mentioned throughout this guide. Please contact NOIE on (02) for further information.

1.1 National Office for the Information Economy

The National Office for the Information Economy (NOIE) is Australia's lead Commonwealth agency for information economy issues. It was established in. NOIE is helping Australians create a world-class online economy and society through its work developing, overseeing and coordinating Commonwealth Government policy on electronic commerce, online services and the Internet.

NOIE has direct responsibility for the development and coordination of advice to the government on information economy issues, including:
  the drivers of broadband;
  economic transformation through better Information & Communications Technology (ICT) use economy-wide;
  transforming government information, services and administration through use of ICT;
  the long term strategic environment for the ICT industry;
  accelerating the uptake of e-business and e-procurement by SMEs; and
  implementing our parts of the e-security National Agenda.
In addition, it will be responsible for the promotion domestically of the benefits of the information economy and Australia's position within it.

NOIE aims to promote and facilitate understanding of authentication for use in government to business, government to government and business to business e-commerce communications. It aims to ensure authentication is broadly accepted as a critical element for secure and trustworthy e-commerce communications.

A related document to this guide provides advice and assistance about authentication to small businesses operating in an online environment. Trusting the Internet, produced by the National Electronic Authentication Council (NEAC), is available at:

The NEAC was established in 1999 by the Government to enhance business and consumer confidence in e-commerce by providing a national focal point on authentication matters.

NOIE also supports the operations of the Online Council, which is the peak ministerial forum across Commonwealth, State and Territory governments for consultation and coordination on the information economy. Membership comprises the Commonwealth Minister for Communications, Information Technology and the Arts (Chairman), a senior Minister from each State and Territory and the President of the Australian Local Government Association.

1.2 Government Online Strategy

In 1997 the Prime Minister, the Hon John Howard MP, announced that federal agencies should have all appropriate services online by December 2001. The Government Online Strategy, which was released in April 2000, mapped out a strategic framework for agencies to meet that commitment. The strategy provides the framework for:
  increasing the range of government services available online;
  improving access to online services;
  reducing the complexity of dealing online with government; and
  promoting community and business confidence in dealing online with government.
The Government Online Strategy can be found on the NOIE website at:

In February 2002, the Prime Minister announced at the World Congress on Information Technology in Adelaide that the December 2001 online services target had been met. In effect, Commonwealth agencies are at the end of the first stage of government electronic service delivery: the provision of information. They have almost completed this stage of getting information online and structuring easy access to it through coordinated Web entry points (portals). In this respect Australia is like many other leading e-government countries, which are finding the next stage of information and service delivery is more complex and harder than the first.

In this new era of e-government, citizens are at the core of the process. It will be their demand for particular services that will drive the nature and delivery mechanism of the services provided by agencies. This will entail providing many more sophisticated online services with transactional capability. It will also require associated services to be integrated wherever possible so as to provide online clients with a more complete package of linked services.

The need to promote the confidence of Australians in these services will remain a priority in the new era of e-government, including the need to authenticate users of government services. This guide is intended to promote understanding and provide insights regarding this element of the next phase of e-government. A new overall policy framework is being developed for federal agencies which will map out the direction of the next phase of online service delivery: fully fledged e-government.

2. Authentication //

KEY POINTS TO REMEMBER
  Authenticating individual identities online requires new solutions but is essential to making online transactions reliable.
  Online authentication operates as part of an overall plan for both online activities and general agency security.
  Several different technologies can be used for authentication, and these may operate in conjunction with one another.
  Managers need to consider the costs, risks and benefits of different authentication solutions. More effective solutions are generally more expensive.
  Public key cryptography solutions have typically been adopted by agencies for areas where strong authentication is necessary.

2.1 What is it and why is it needed?

Authentication is the solution to the need for certainty in the identity of the other party to a transaction. Where services are provided via traditional, non-electronic systems, various authentication mechanisms are used. Clients are required to sign forms or letters or other types of correspondence as proof that they supplied the information contained in those documents. Clients may be required to supply an identification number or a case number, and they may be required to provide evidence that they are who they say they are, such as a driver's licence or a birth certificate. In some cases, clients may need to attend the relevant government office in person.

Most of these methods will not work online. Where services are provided online, agencies will need to reassess how they authenticate users. Notably, the use of existing methods of authentication requiring physical presence may reduce or eliminate the convenience of the online service. Failure to properly authenticate a transacting party may lead to situations such as the illegal transfer of funds, unauthorised ordering of goods or the mischievous alteration of data. Authentication therefore underpins confidence in electronic transactions and is a vital component of e-commerce, which depends upon transactions being accepted as valid and binding.

Broadly speaking, authentication relies on one or more of the following:
  something you know, such as a password or PIN number;
  something you have, such as a smart card or hardware token; or
  something you are, such as a fingerprint or iris scan.
These can be implemented in a number of ways, as described in the following section.

It is important to note that authentication is not the same as security. Authentication must operate in conjunction with an organisation's overall security framework.

2.2 What alternatives are there?

An organisation may implement online authentication in a number of ways, including:
  passwords, personal identification numbers (PINs) and user identification (User IDs);
  one-time passwords;
  challenge and response systems;
  cookies;
  biometrics;
  conventional encryption;
  public key cryptography (digital certificates);
  Pretty Good Privacy (PGP);
  Secure Sockets Layer (SSL) and Transport Layer Security (TLS); and
  Australian Business Register (ABR) and Australian Business Number (ABN).
Each method or technology has its own strengths and weaknesses, including cost and ease of implementation and use. They may also be used in combination.

2.2.1 Passwords, PINs and User IDs

The most common method of authentication for computer systems today is password based. In its report, A digital certificate road map, research company Forrester calculates that 98 per cent of companies still use passwords as the primary method of authentication internally. A roughly similar percentage of e-business sites use passwords as the primary method of client authentication. Outside of traditional IT systems, magnetic stripe cards are the most pervasive authentication technology.

For example: When entering a password-protected website, the client would be asked for a User ID and password which has been supplied to them via e-mail. If the password and User ID match, access is granted. These details must be entered correctly each time the site is accessed, ensuring it can only be viewed by authorised users.

Under a password system, a client accessing an agency's electronic application is requested to enter a shared secret such as a password or PIN number along with their User ID. (The secret is shared as it is known both to the user and the system.) The system checks that password against information in a database to ensure its correctness and thereby authenticates the client. Multiple passwords and password encryption may be utilised to strengthen this technique.

User IDs are usually used in combination with passwords. They are generally created from easily remembered or referenced information known to the client and an agency. The User ID is not necessarily kept private and may be made up of several simple pieces of information. For example, John Smith may have the User ID jsmith. User IDs may also contain numbers to help distinguish between clients with similar or identical names, e.g. jsmith572.

Typically, password based authentication requires no third party products or services. It is thus much cheaper to implement than most rival systems. However, it only provides a limited degree of authentication, and relies on users keeping their passwords secret.
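An added example, not code from the guide: a Python verifier for the shared-secret check described above that stores a salted hash rather than the password itself and applies the password-management elements the guide discusses (minimum length, character mix, expiry period, a failed-attempt limit). The policy values, the word list, the User IDs and the passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Policy values are constructed for this example: the guide lists the policy
# elements (length, character mix, expiry, failed attempts) without fixing values.
MIN_LENGTH = 8
EXPIRY_DAYS = 90            # the guide notes expiry periods are "often 90 days"
MAX_FAILED_ATTEMPTS = 5     # failed attempts before the password is cancelled
DICTIONARY = {"password", "welcome", "letmein", "canberra"}  # constructed stand-in for a word list
DUMMY_SALT = b"\0" * 16     # used so unknown User IDs cost the same time as known ones


def check_policy(password):
    """Return the policy rules the candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in DICTIONARY:
        problems.append("dictionary word")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_punct = any(c in string.punctuation for c in password)
    if not (has_lower and has_upper and has_digit and has_punct):
        problems.append("must mix lower case, upper case, digits and punctuation")
    return problems


class PasswordStore:
    """Per User ID, holds a salted PBKDF2 hash of the shared secret (never the secret
    itself), the date it was set, a failed-attempt counter and a cancelled flag."""

    def __init__(self, now=None):
        self.records = {}
        self.now = now or datetime.now   # injectable clock so expiry can be exercised

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

    def register(self, user_id, password):
        """Issue a password; refuse one that breaks policy."""
        problems = check_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.records[user_id] = {
            "salt": salt,
            "hash": self._derive(password, salt),
            "set_on": self.now(),
            "failed": 0,
            "cancelled": False,
        }

    def verify(self, user_id, password):
        """Return 'ok', 'expired', 'cancelled' or 'denied'. An unknown User ID gets the
        same 'denied' reply (and the same hashing work) as a wrong password."""
        rec = self.records.get(user_id)
        if rec is None:
            self._derive(password, DUMMY_SALT)
            return "denied"
        if rec["cancelled"]:
            return "cancelled"
        candidate = self._derive(password, rec["salt"])
        if not hmac.compare_digest(candidate, rec["hash"]):
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_ATTEMPTS:
                rec["cancelled"] = True    # re-issue must go through the agency's issue procedure
                return "cancelled"
            return "denied"
        rec["failed"] = 0
        if self.now() - rec["set_on"] > timedelta(days=EXPIRY_DAYS):
            return "expired"               # correct secret, but it must now be changed
        return "ok"


def run_demo():
    """Constructed walk-through returning the outcome of each step."""
    clock = [datetime(2002, 7, 1)]
    store = PasswordStore(now=lambda: clock[0])
    store.register("jsmith572", "Tr0ub4dor&3")
    results = {
        "good": store.verify("jsmith572", "Tr0ub4dor&3"),
        "unknown": store.verify("nobody", "Tr0ub4dor&3"),
    }
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = store.verify("jsmith572", "guess")
    results["after_failures"] = last
    results["right_secret_after_cancel"] = store.verify("jsmith572", "Tr0ub4dor&3")
    store.register("abloggs", "Tr0ub4dor&3")
    clock[0] = datetime(2002, 10, 30)   # more than 90 days later
    results["expired"] = store.verify("abloggs", "Tr0ub4dor&3")
    return results
```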

Good password management contributes to the reliability of authentication systems. Password policies generally cover the following elements:
  length (specifying a minimum number of characters for the password);
  use of dictionary words, extended characters, numbers, mixed case (a secure policy would ban dictionary words and force a mixture of all other characters);
  expiry periods (passwords must be changed within a set period, often 90 days);
  history (records kept of password access attempts);
  grace logins (can users ever log in without a password, and if so, how often?);
  number of failed attempts (before the password is cancelled permanently);
  issue and re-issue procedures; and
  suspension.

User awareness of the need to protect and maintain passwords is essential to maintaining good password practice. Consider whether the system will be accessed often enough to eliminate the risk that users will forget their passwords and need to have new passwords issued. In some cases, the costs involved in resetting and reissuing forgotten passwords can be substantial.

Agencies may wish to develop their password management practices based on a risk assessment. The Defence Signals Directorate (DSD) has provided an example in ACSI 33 Handbook 3 Risk Management. For more information, visit:

2.2.2 One-time passwords

Because passwords can be lost, forgotten or stolen, they are not suitable for some applications. A one-time password eliminates this risk by using a hardware device that generates a unique password to be entered each time the application is accessed.

For example: When entering a website protected by a one-time password, the client could be asked for a password that is automatically generated by a connected piece of hardware. This password must be associated with a unique User ID. If the appropriate password and User ID match, access is granted.

A token of this type might use a symmetric key (see 2.2.6) to generate the passwords. The agency's IT system knows which password is valid at that time for that user. This process makes it difficult for unauthorised individuals to access or determine the password at any given time. However, all clients would need to be issued with suitable hardware and software systems, which could increase costs significantly. For more information on one-time passwords, visit:

2.2.3 Challenge and response systems

This authentication method can be implemented either manually (using registered information) or automatically (using a hardware device or token). In a manual process a customer might enter a User ID and password to gain initial access to a system. They could then be asked to respond to a random challenge that is based on information in their client record, or on secret phrases lodged with the agency.

For example: When entering a challenge and response website, the client will first be asked for a User ID and password. They would then be asked for unique information, such as the middle name of their second child. If all data matches, access is granted.

An automatic method could be based on asymmetric cryptography (see 2.2.7). For example, clients would be issued with a private key on a hardware device. The associated public key would be securely held by the agency. When logging in, the client would enter their User ID and password. The agency would then automatically send a random number for the user to key into their device. The device employs the private key to process the random number and produces a result which the user enters into the agency's login process. If the agency is able to retrieve the original random number by reversing the process with the corresponding public key, then the client is authentic. For more information on challenge and response systems, visit:

2.2.4 Cookies

A cookie is a small piece of data that is placed on the user's hard drive by some websites. This piece of data acts as a form of authentication to identify the user when the user next enters the same website.

For example: When entering a password-protected website, the client is asked for a User ID and password. When these are verified the website downloads a cookie to the client's hard drive, saving the login details. When the client next enters the website the cookie activates the login details so that the client does not have to enter this information again.

Not only can cookies help websites recognise returning users, they can provide access to specific resources, track online purchases or provide customised web pages. Properly used, cookies can greatly enhance the user's experience of web resources and increase convenience. However, it is possible for cookies to be used to track the activities of users over time and across different websites. Where cookies are linked with personal identification information, they can be used to track the browsing habits of individuals. Stolen cookies can also be used to gain access to resources.

Misuse of cookies raises obvious privacy and security issues, and because of this some users may be reluctant to visit government sites that use cookies. Before making use of cookies agencies should conduct an assessment to identify the relevant risks and benefits. If cookies are used, it should be mentioned in the website privacy statement. Agencies considering the use of cookies can find more information in the NOIE Better Practice Checklist Number 4. Visit:

2.2.5 Biometrics

Biometric technologies use physiological or behavioural characteristics to identify an individual. Examples include iris scans, retina scans, facial scans, finger scans, hand geometry, voice verification and dynamic signature verification. Unique physical characteristics such as voice patterns (where an individual's spoken words are converted into a special electronic representation), fingerprints and the blood vessel patterns on the retina (or rear) of one or both eyes can be converted into digital form and interpreted by a computer.

With biometric technology, the physical characteristic is measured (by a microphone, optical reader or some other device) and converted into digital form. This information is then compared with a copy already stored in the computer and authenticated as belonging to a particular person. If they match, the authentication will be accepted by the software and the transaction allowed to proceed.

For example: Before being allowed to access a secure PC, a client passes their finger through a scanner. This fingerprint is compared to one stored in the system. If they match, access is granted.

Biometric applications can provide very high levels of authentication, especially when the identifier is obtained in the presence of a third party to verify its authenticity. However, as with any shared secret, if the digital form is compromised, impersonation becomes a serious risk. As with passwords or PINs, such information should not be sent over open networks without being encrypted or otherwise protected.

As well, measurement and recording of a physical characteristic can raise privacy concerns. If biometric data is compromised, substituting a different, new biometric identifier may have limitations. For instance, you may be able to employ the fingerprint of a different finger, but people only have one voice.

Agencies need to verify the identity of the individual using conventional methods prior to employing the biometric solution. This may include the presentation of a birth certificate or some other appropriate identification method to satisfy the agency that the individual is who they say they are.

Biometric authentication is best suited for access to individual devices. It is less suited for authentication to software systems over open networks such as the Internet. Applications for biometrics include automatic teller machine access, personal computer network logon, time and attendance, enterprise-level data security, physical access and customer verification. Biometrics is currently used in a number of government applications in the United States. The Commonwealth Scientific & Industrial Research Organisation (CSIRO) is also investigating applications for this technology. For more information on biometric authentication, visit: and Biometrics%20for%20tomorrows%20industry

2.2.6 Conventional encryption

Conventional encryption is a form of cryptography (the encoding and decoding of text). It is sometimes referred to as symmetric cryptography. The system uses a secret key, which is a computer file that includes a mathematical value. This can be used in conjunction with an algorithm to encrypt or decrypt a message. Conventional encryption is used for both encryption and decryption of information, and can be performed very quickly by modern PCs.

However, there are problems associated with secure key distribution. For a sender and recipient to communicate securely using conventional encryption, they must agree upon a key and keep it secret between themselves. If they are in different physical locations, they must trust a courier or some other secure communication medium to prevent the disclosure of the secret key during transmission. This can be expensive in cost and resource terms.

2.2.7 Public key cryptography (digital certificates)

The problems of key distribution associated with conventional encryption are solved by public key cryptography. Public key cryptography uses separate pairs of keys for authentication (or signing) and encryption (or confidentiality). The key pairs are referred to as public keys and private keys. Public key cryptography is often referred to as asymmetric, as the public and private keys are different. Public key cryptography handles authentication and encryption in the following fashion:

Authentication (or signing). When using an authentication key pair, you publish your public key to the world while keeping your private signing key secret. Anyone with a copy of your public key can decrypt something encrypted with your private signing key. This will provide them with a level of assurance of your identity. On its own, the public key cannot be used to sign a document; it can only be used to verify who has signed it.

Encryption (or confidentiality). In the same fashion, to use an encryption key pair you publish your public key to the world while keeping your private confidentiality key secret. Anyone with a copy of your public key can then encrypt information that only you can read. The information encrypted with your public confidentiality key can only be decrypted using your private confidentiality key.

The primary benefit of public key cryptography is that it allows people who have no pre-existing security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve only public keys, and no private key is ever transmitted or shared. Several prominent authentication solutions make use of public key cryptography. These include PKI, PGP and SSL/TLS, each of which is discussed below.

2.2.8 Public Key Infrastructure (PKI)

PKI is a set of procedures and technology that enables users of a network such as the Internet to authenticate identity, and to securely and privately exchange information through the use of public key cryptography. To achieve this, public and private keys and a digital certificate can be obtained through a trusted third party authority, known as a Certification Authority (CA). The CA links the public key to the digital certificate and vouches for the identity of the key holder. Registration Authorities (RAs) collect and manage the appropriate levels of Evidence of Identity (EOI) from applicants for digital certificates. Dependent upon the PKI business model employed, appropriately accredited RAs may also create keys and certificates.

The use of PKI ensures authentication, integrity, non-repudiation and confidentiality for e-commerce applications.
  Authentication provides a level of assurance about the identity of the sender and receiver of information ("Who is sending this message?").
  Confidentiality provides a level of assurance as to the exclusivity of the communication between you and your trading partner ("Has anyone else seen this message?").
  Non-repudiation means that neither party can deny that a transmission was sent or received ("Has this message been sent?").
  Integrity means that you can verify that the transaction was not changed during transmission ("Has this message been altered?").

These features are provided with some or all of the following systems:

A digital signature is a cryptographic technique that applies a mathematical algorithm to a document based on a certificate holder's private key. This creates a unique identifier which cannot be forged and that can be checked by the receiver to verify authenticity and integrity, thus providing non-repudiation and confirming that the document or file has not been altered or interfered with.
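The asymmetric challenge and response flow described under Challenge and response systems above, and the digital signature described just above, as one added example that is not part of the guide. It uses a deliberately tiny textbook RSA key pair (constructed values) so that the reversal of the private-key operation by the public key is visible; the function names, the digest folding and the sample document are assumptions of the example.

```python
import hashlib
import secrets

# Toy RSA key pair from two small primes, constructed only so the arithmetic is
# visible; real keys are thousands of bits long and use standardised padding.
P, Q = 61, 53
N = P * Q                            # 3233: the modulus, part of both keys
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753
PUBLIC_KEY = (N, E)                  # published; held by the agency
PRIVATE_KEY = (N, D)                 # kept secret on the client's hardware device


def private_operation(value, private_key):
    n, d = private_key
    return pow(value, d, n)


def public_operation(value, public_key):
    n, e = public_key
    return pow(value, e, n)


# Challenge and response: the agency sends a random number, the device applies the
# private key, and the agency reverses the result with the public key.
def agency_issue_challenge():
    return secrets.randbelow(N - 2) + 2          # random number in [2, N-1]


def device_respond(challenge, private_key):
    return private_operation(challenge, private_key)


def agency_verify_response(challenge, response, public_key):
    return public_operation(response, public_key) == challenge


# Digital signature: the private key is applied to a digest of the document; the
# receiver recomputes the digest and compares it with the public-key reversal.
def digest(document):
    # Toy: fold a SHA-256 digest into the tiny modulus (assumption for this example).
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N


def sign(document, private_key):
    return private_operation(digest(document), private_key)


def verify_signature(document, signature, public_key):
    return public_operation(signature, public_key) == digest(document)


def run_exchange():
    """Constructed walk-through: a login challenge, then a signed document that is
    accepted unaltered and rejected after alteration."""
    challenge = agency_issue_challenge()
    response = device_respond(challenge, PRIVATE_KEY)
    login_ok = agency_verify_response(challenge, response, PUBLIC_KEY)
    document = b"Pay 100 dollars to account 42"        # constructed sample
    signature = sign(document, PRIVATE_KEY)
    intact = verify_signature(document, signature, PUBLIC_KEY)
    altered = verify_signature(b"Pay 900 dollars to account 42", signature, PUBLIC_KEY)
    return login_ok, intact, altered
```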

17 A digital certificate is an electronic document signed by a CA which identifies a key holder and the business entity (if appropriate) he or she represents. It binds the key holder to a key pair by specifying the public key of that key pair. It should also contain any other information required by the profile for that certificate. A digital signature certificate is a combination of the above two systems. Server (or device) authentication is where only one party is required to authenticate. This means only one party has to have a digital certificate but both parties must be able to execute PKI cryptography. Most web servers and browsers have this functionality built in. This allows secure (encrypted) transmission and storage of data. Server authentication is typically used where many remote parties need to connect securely to a web server and there is no need to fully authenticate the remote parties. The web server is set up with a digital certificate so that it can authenticate itself to remote parties. Client authentication is necessary when transacting parties require authentication of the other party (either businesses or individuals). For example, to authenticate businesses, agencies can use the Australian Business Number Digital Signature Certificates (ABN-DSCs) issued by Gatekeeper-accredited Certification Authorities (CAs) and Registration Authorities (RAs). (Also see 5.3.) Section 5 (Public Key Infrastructure) provides more information on this topic Pretty Good Privacy (PGP) PGP is a security software application that enables you and known transacting parties to exchange information securely with each other. PGP can be utilised for small groups of people who know each other and wish to communicate securely. In these instances it is easy to manually exchange diskettes or s containing each owner s public key rather than publishing public keys to the world. Each member of the group holds a copy of each other s public key. 
Difficulties associated with holding large numbers of public keys mean that PGP is practical only to a certain point. Beyond that point, it is necessary to put systems in place that can provide the necessary security, storage and exchange mechanisms for co-workers, business partners or strangers to communicate if need be. PKI systems (discussed above) provide these kinds of features.

While PGP is a widely used technology, implementations can vary widely. Therefore PGP is not listed on the Defence Signals Directorate (DSD) Evaluated Products List. For further advice on the use of PGP in any application, consult the Information Security Group at DSD.

For more information on PGP, visit:

SSL and TLS

The Secure Sockets Layer (SSL) protocol is a set of rules governing authentication of servers (such as web servers), and encrypted communication between clients and servers. The protocol was developed to secure the transmission of data over the Internet. The authentication process under SSL uses public key encryption and digital signatures to confirm that a server is in fact the server it claims to be. It does not authenticate the user. Once the server has been authenticated, the client and server use symmetric key encryption to encrypt the information they exchange. A different session key is used for each transaction, which impedes a hacker's ability to decrypt messages.

It should be noted that SSL and Transport Layer Security (TLS) only provide confidentiality and integrity for the server. They do not provide non-repudiation and, unless supported by a combination of appropriate private key protection and user willingness and ability to validate digital certificates, they do not provide effective authentication.

SSL is well known because of its use in the Netscape Navigator and Internet Explorer web browsers. In May 1996, development of SSL became the responsibility of an international standards organisation, the Internet Engineering Task Force (IETF), which develops many of the protocol standards for the Internet. TLS, an enhanced version of SSL, was released in early

SSL is a widely used technology and versions of the product may be suitable for use by Commonwealth agencies. However, SSL implementations can vary widely and therefore SSL is not listed on the DSD Evaluated Products List. If further advice is required on the use of SSL in any application, consult the Information Security Group at DSD. Information and guidance on the use of SSL by agencies is available from the DSD website:

Australian Business Register (ABR) and Australian Business Number (ABN)

Agencies wishing to authenticate the existence of a business can look up the ABR to associate a business name with an ABN. The ABR contains all the publicly available information provided by businesses when they register for an ABN. It was established under s.24 of the A New Tax System (Australian Business Number) Act

The ABR is a publicly available register of businesses. Its benefits are:
- it will streamline the way in which business is conducted with other businesses;
- it can quickly and easily find or verify information such as GST (Goods and Services Tax) details for order invoicing;
- it will allow businesses to securely change their own information on the ABR; and
- it will transmit updated business details to agencies that access the ABR.
An ABN is an 11 digit number issued by the Australian Business Registrar, currently the Commissioner of Taxation. If an enterprise already has an Australian Company Number (ACN), its ABN will consist of two digits plus its existing ACN. Unincorporated and new enterprises will be given a new ABN by the Australian Business Registrar.

To be entitled to an ABN a business must be:
- a company registered under the Corporations Act (Cth 2001) in Australia;
- a government department or agency; or
- an entity carrying on an enterprise in Australia.

For more information, visit:
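The structural checks an agency's registration system can apply to a quoted ABN before making the ABR lookup described above, as an added example that is not part of this guide: the 11 digit length, the ATO's published check-digit rule, and whether the number embeds a valid ACN as a company's ABN should. The sample numbers in the comments and tests were chosen because they satisfy the published checksums; they are not taken from the guide.

```python
"""Structural checks on Australian Business Numbers (ABNs) and Australian
Company Numbers (ACNs). An ABN is 11 digits; a company's ABN is two prefix
digits followed by its 9-digit ACN. The check-digit rules are the ATO's and
ASIC's published ones. These checks catch mistyped or malformed numbers only;
confirming that the business actually exists still requires the ABR lookup.
"""
import re
from typing import List, Optional

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
ACN_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 1)


def _digits(value: str, length: int) -> Optional[List[int]]:
    """Remove spaces; return the digits, or None if not exactly `length` ASCII digits."""
    cleaned = re.sub(r"\s+", "", value)
    if len(cleaned) != length or not all(ch in "0123456789" for ch in cleaned):
        return None
    return [int(ch) for ch in cleaned]


def is_valid_abn(abn: str) -> bool:
    """ATO rule: subtract 1 from the first digit, weight each digit, and the
    weighted sum must be divisible by 89."""
    digits = _digits(abn, 11)
    if digits is None:
        return False
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


def is_valid_acn(acn: str) -> bool:
    """ASIC rule: weight the first eight digits; the ninth (check) digit must
    equal (10 - (weighted sum mod 10)) mod 10."""
    digits = _digits(acn, 9)
    if digits is None:
        return False
    total = sum(d * w for d, w in zip(digits[:8], ACN_WEIGHTS))
    return (10 - total % 10) % 10 == digits[8]


def embedded_acn(abn: str) -> Optional[str]:
    """Return the 9-digit tail of a valid ABN if that tail is itself a valid
    ACN, else None. For an incorporated customer the tail should equal the
    ACN they quote. A mismatch is a reason to query the registration, not
    proof of fraud, and a tail can pass the ACN checksum by chance (about
    1 in 10), which is why the ABR lookup remains the authoritative check."""
    if not is_valid_abn(abn):
        return None
    tail = re.sub(r"\s+", "", abn)[2:]
    return tail if is_valid_acn(tail) else None


def check_business_number(abn: str, quoted_acn: Optional[str] = None) -> str:
    """Summarise the structural result for a registration officer."""
    if not is_valid_abn(abn):
        return "ABN fails format or checksum"
    acn = embedded_acn(abn)
    if quoted_acn is not None:
        if acn is None or acn != re.sub(r"\s+", "", quoted_acn):
            return "ABN valid but does not embed the quoted ACN"
        return "ABN valid and embeds the quoted ACN; confirm via ABR lookup"
    return "ABN valid; confirm via ABR lookup"


if __name__ == "__main__":
    # Sample numbers that satisfy the published checksums (not from the guide).
    print(check_business_number("33 007 457 141", "007 457 141"))
    print(check_business_number("51 824 753 556"))
    print(check_business_number("12 345 678 901"))
```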

3. Identification //

KEY POINTS TO REMEMBER
- Establishing identities can be a difficult task, and identity fraud is a common problem both generally and in the online world.
- Agencies are encouraged to adopt a consistent approach when determining what forms of identification and registration will be accepted for particular transactions.
- Consistent and distinct procedures should be adopted for identifying individuals and businesses involved in agency transactions.

It is generally accepted in Australia that in order to do business with an organisation, an entity (individual or business) must first identify itself to that organisation. Most organisations, whether in the government or private sector, have established appropriate identification procedures which a new entity must satisfy to prove it is who it says it is.

3.1 Identity documents and value

To determine identity document types and the value or points associated with these documents, agencies can use the Financial Transaction Reports Act 1988 (FTR Act) Identification Record for a Signatory to an Account (AUSTRAC Form 201). Another example of identity document types and the value or points associated with documents can be found on the Centrelink website.

The FTR Act 1988 identification record can be found at:

Centrelink's ID information can be found at:

An inter-agency Authentication of External Clients working group is moving towards standardising identity documents so that the documents used across agencies will be the same.

3.2 Levels of identification

Agencies usually require a certain level of identification for certain types of transaction. In some instances, no physical identification or associated identity points value is required, based on the type of transaction and the associated risk assessment. In other instances, a particular identity points value might be required. The number of points required for various transactions is generally the result of a risk management decision.
Agencies should discuss their requirements with other agencies to ensure a consistent approach.

The inter-agency Authentication of External Clients working group is working towards a whole-of-government approach to authentication processes for users of government services. It is hoped that a set of identification levels can be determined and applied consistently across the Commonwealth Government. A whole-of-government approach will mean customers experience consistency when conducting transactions across government.

3.3 Identity fraud

In a report entitled The Changing Nature of Fraud in Australia (2000), the Office of Strategic Crime Assessments (OSCA) points out:

Technology has weakened the integrity of many identifiers currently in use: birth certificates can be reproduced using desktop publishing software; counterfeit passports and counterfeit smart cards can be purchased over the Internet. Easier access to these false identifiers facilitates a range of fraudulent behaviour, including tax evasion, immigration malpractice, fraudulent claims against social security and health insurance companies. It also assists in hiding the proceeds of frauds.

To view the report, visit:

Similarly, statistical evidence published in Numbers on the Run (2000), a report produced by the House of Representatives Standing Committee on Economics, Finance and Public Administration, supports these concerns:
- An estimated 25 per cent of reported frauds to the Australian Federal Police involve the assumption of false identities.
- A pilot of a certificate validation service conducted by Westpac and the NSW Registry of Births, Deaths and Marriages found 13 per cent of birth certificates to be false.
- Centrelink detected about $12 million worth of fraud involving false identity in
- A survey by KPMG of over 1,800 of Australia's largest businesses found 11.9 per cent of fraud committed by outsiders involved the use of false documents.
To view the report, visit:

There are significant issues associated with identity fraud. It is important that identity registering staff have the necessary education and skills so that they are aware of the existence of fraud, and that every effort is made to minimise this risk.

3.4 Registration fraud

Registration fraud is where agency staff approve fraudulent identities, either deliberately or through inattention to detail. To mitigate risks in these instances, staff must be appropriately skilled in registration procedures.

To reduce risks associated with both identity and registration fraud, agencies should seriously consider implementing additional background identity verification processes. These include verifying the validity of identity documents with issuing authorities (wherever possible) and checking telephone directories and other publicly available sources.

3.5 Validation

The identification processes employed by agencies are based on identifying documents presented by the entity (individual or business). However, confirmation of the authenticity of the identifying documents is difficult to substantiate with any certainty. As mentioned above, the wide availability and simplicity of desktop publishing technology has increased the ability of a much greater proportion of the community to produce very good reproductions of genuine documents. It is therefore more difficult for an agency to identify forged identification documents.

It is important to try to verify a document's details with the issuing authority as an assurance that the information it contains is accurate. Document validation reduces the need to train customer service staff to visually appraise a document for particular security features and decide on its authenticity. The ability to validate the accuracy of details recorded on identity documents will add significantly to the robustness of the identification process. Although document validation will not prevent all false identity fraud, it will provide a substantial impediment to the registration of false identities using forged or altered documents.

Different processes are generally needed for individuals and businesses. These are discussed below.

3.6 Individual identification

When identifying individuals, different processes are needed for new and existing customers. Notably, when it comes to personal identification, driver's licences are currently the most pervasive items used by agencies.

New customers. Agencies need to ensure that new customers wishing to conduct transactions provide evidence of their identity.
In instances where positive evidence of a customer's identity is required, the agency will need to:
- bind the physical person to the name of the individual on the identity document(s); and
- validate to the greatest extent possible the authenticity of the identity documents (confirming identity document details with the document issuing authority).

Agencies may choose to conduct transactions online (generally low-level transactions) without the requirement for a physical presence. In these cases, agencies will need to decide whether or not they require some other online authentication process, such as passwords and PIN/User IDs, one-time password generators or a challenge and response process.

Existing customers. Existing customers are those who have already been identified either through their physical presence at an agency or through an online process. Agencies need to ensure that the individual is in fact the same individual previously identified.

3.7 Business identification

The Australian Business Number (ABN) is the single business identifier for dealings with the Australian Taxation Office (ATO) and for dealings with other government departments and agencies. The Australian Business Registrar (ABR) records and issues ABNs.

New customers. Agencies wishing to authenticate a business should implement a process to confirm that the business entity exists. The agency may also need to authenticate the existence of the individual acting on behalf of the business. This may require a combination of individual and business identification processes.

An example of a combined process would be to:
- bind a business to a business name and to an Australian Business Number (ABN) (look up the ABR);
- bind the physical person to the name of the individual acting on behalf of the business (individual identification process);
- validate to the greatest extent possible the authenticity of the identity documents (confirm identity document details with the document issuing authority); and
- bind the person acting on behalf of the business to the business (letter of authority from the business).

Agencies may choose to conduct transactions online (generally low-level transactions) without the requirement for a physical presence. In these cases, agencies will need to decide whether or not they require some other online authentication process, such as passwords and PIN/User IDs, one-time password generators or a challenge and response process.

Existing customers. Existing customers are those that have already been identified either through the physical presence at an agency of an individual acting on behalf of a business, or through an online process. Agencies need to ensure that the business and individual are in fact the same business and individual previously identified.

4. What level of authentication is required //

KEY POINTS TO REMEMBER
- Different applications will demand different levels of authentication.
- Agencies should carry out a risk assessment to determine which authentication solution will be used.
- Risk management should be part of the overall business planning process.
- Agencies should consider using the ANAO Better Practice Guide when choosing their authentication solution.

Which authentication solution is required? This is an important question and there is no single right answer. The approach adopted should be determined by the outcome of a risk assessment and subject to the preparation of an associated business case. Agencies should also consider the needs and expectations of their customers.

4.1 A business decision

An effective approach to authentication is to understand that technology is not the sole solution. Authentication is as much about management and cultural issues as it is about technical solutions.

One of the early issues for consideration is that online authentication may be a costly exercise in comparison to a manual authentication process. Agencies will need to consider cost in relation to an identified level of risk associated with failure to properly authenticate a party to an online transaction. The likelihood and consequences of such a failure, set against the cost of implementing authentication, should be fully analysed. The consequences may be measured in a number of ways, including financial, legal/liability and political outcomes.

If managed as a business issue rather than a technical issue, agency authentication needs can be effectively addressed and implemented in a cost-effective manner as the benefits of transacting online are realised.

4.2 Comparing authentication options

In developing a risk assessment for their agency, managers may wish to include a narrative comparing some of the authentication options.
The following information is provided to help managers with the development of their risk assessments.

Non-PKI models of authentication and security have the benefits of lower implementation and maintenance costs, and are particularly attractive to less sensitive, smaller or short duration projects. For example, the password and PIN/User ID model is generally cheap to implement and ideally suited to one-off use, or to use in circumstances where the data or system to be protected has a low security threshold. A weakness of this model is that passwords can often be stolen, accidentally revealed, shared, observed or forgotten. This will require agencies to support and manage clients throughout the period of activity.

Passwords are also susceptible to brute force or dictionary attacks. Passwords using a mixture of case/special characters have been shown to be harder to break. The important aspect to note is to base the number and mix of characters on the level of risk. If password requirements are too onerous, passwords are more likely to be written down or circumvented by users.

Stronger authentication may be required for privileged accounts or in areas of high risk. Stronger authentication includes:
- one-time passwords;
- challenge and response devices;
- conventional encryption; or
- public key cryptography (digital certificates).

Alternative authentication and security models are often based on combinations of measures such as passwords and PIN/User IDs, conventional or public key cryptography tools and server authentication. These models allow choice from the simplest to the most sophisticated measures to be employed. While these measures form a generic set, the combinations used must be determined on a case by case basis to meet the particular requirements of each application.

Challenge and response can prove complicated in operation, and the development of management processes to deal with it may incur significant cost and ongoing resource implications for the agency. Agencies may wish to take this into consideration in their risk assessment.

Cookies. It should be remembered that cookies are linked to the machine on which they are placed. As a result, they cannot be relied upon to authenticate a particular identity and do not have a great deal of acceptance by users.

The use of cryptography can be an important adjunct to authentication. Strong security can be achieved by combining basic authentication measures with cryptography. Agencies are able to deploy conventional encryption, but the downside is management of the cryptographic keys. These keys are typically only used for a relatively short duration and then need to be changed. These problems are expensive to solve using manual key distribution methods. A less expensive solution is the use of server authentication. Server authentication using only a server certificate (a digital certificate that strongly authenticates a server and not an individual), combined with a password and PIN/User ID, may be an acceptable solution.

Public key cryptography (digital certificates). A key factor for agencies to consider when employing digital certificates is to ensure that users are aware of the need to protect the private key securely. Lost or compromised private keys provide unauthorised users with the potential to severely impact an agency's security arrangements. If private keys are lost, the fact should be reported immediately to the agency security officer and the issuing Certification Authority (CA) so that the key can be publicly listed as revoked. One of the ways to reduce the likelihood of private keys being accessed by unauthorised persons is to ensure that the private key is held by the user on a hard token or smart card with access protected by a strong password. Other factors in implementing digital certificates include initial and ongoing cost factors and ease of use.

Tokens, such as smart cards, magnetic stripe cards, physical keys and so forth, can be lost, stolen, duplicated or left at home. Such issues need to be considered when determining whether or not tokens will meet the needs of the agency.

Biometrics. A potential weakness with this technology is that unless the biometric is protected by a password or other suitable method, it can be copied and replayed at a later stage to authenticate an unauthorised individual. Timestamping or tying the biometric in some way to a document through a hashing technique are recommended protective measures. Another issue to consider with respect to biometrics is the determination of false accept or false reject rates. The biometric technology provider should be able to provide this sort of information. Once known, agencies can assess the likelihood and consequence in their risk assessment. Other factors in implementing a biometric system include initial and ongoing cost factors and ease of use.

4.3 Risk management

The level of risk an agency accepts depends on a number of factors, including the correct identification of risks, the level of funding available to manage those risks, and the potential damage that could be caused to life, property and services.

Risk management consists of steps which, when undertaken in sequence, enable a systematic analysis of the risk to which an agency is exposed and result in the selection of an appropriate mix of strategies to manage those risks. The entire process is repetitive and may be re-entered at any point when the inbuilt review mechanisms indicate such a necessity.
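The replay protection recommended for biometrics above (timestamping the sample and tying it by hashing to the document it authorises), as an added example that is not part of this guide. The protocol shape is an assumption of the example: the verifier issues a single-use challenge, the sensor returns an HMAC keyed with a device key issued at enrolment, and the verifier rejects reused challenges, stale timestamps and tags that do not bind to the current challenge and document; templates and samples are constructed byte strings, and the exact-equality match stands in for a real matcher with its own false accept and false reject rates.

```python
"""Binding a biometric sample to a challenge, a timestamp and a document so
that a captured sample cannot simply be replayed. Constructed example; the
protocol shape (challenge + keyed hash) is an assumption, not the guide's.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Set, Tuple

MAX_AGE_SECONDS = 60  # constructed freshness window for the timestamp


def bind_sample(device_key: bytes, sample: bytes, challenge: bytes,
                timestamp: int, document: bytes) -> bytes:
    """Sensor side: tie this fresh sample to this challenge, time and document."""
    msg = (hashlib.sha256(sample).digest() + challenge
           + timestamp.to_bytes(8, "big") + hashlib.sha256(document).digest())
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class BiometricVerifier:
    def __init__(self) -> None:
        self.enrolled: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (template, device key)
        self.outstanding: Set[bytes] = set()  # challenges issued but not yet spent
        self.consumed: Set[bytes] = set()     # challenges already spent

    def enrol(self, user: str, template: bytes) -> bytes:
        """Store the enrolled template and issue the sensor a device key."""
        device_key = secrets.token_bytes(32)
        self.enrolled[user] = (template, device_key)
        return device_key

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, user: str, sample: bytes, challenge: bytes, timestamp: int,
               document: bytes, tag: bytes, now: int) -> str:
        if user not in self.enrolled:
            return "rejected: unknown user"
        if challenge in self.consumed:
            return "rejected: replayed challenge"
        if challenge not in self.outstanding:
            return "rejected: unknown challenge"
        if abs(now - timestamp) > MAX_AGE_SECONDS:
            return "rejected: stale timestamp"
        template, device_key = self.enrolled[user]
        expected = bind_sample(device_key, sample, challenge, timestamp, document)
        if not hmac.compare_digest(expected, tag):
            return "rejected: sample not bound to this challenge and document"
        # The binding is genuine, so the challenge is spent whatever the match says.
        self.outstanding.discard(challenge)
        self.consumed.add(challenge)
        # Real matchers are fuzzy (FAR/FRR); exact comparison stands in for one here.
        if not hmac.compare_digest(template, sample):
            return "rejected: biometric mismatch"
        return "accepted"


def run_scenario() -> List[str]:
    """Constructed walk-through: a genuine submission, then three misuse attempts."""
    verifier = BiometricVerifier()
    template = b"constructed-fingerprint-template-0001"
    device_key = verifier.enrol("alice", template)
    claim = b"constructed benefit claim form"
    now = 1_700_000_000
    results = []

    nonce = verifier.challenge()
    tag = bind_sample(device_key, template, nonce, now, claim)
    results.append(verifier.verify("alice", template, nonce, now, claim, tag, now))
    # A captured copy of that submission, presented again a moment later.
    results.append(verifier.verify("alice", template, nonce, now, claim, tag, now + 5))
    # A fresh challenge, but the captured tag re-used against a different document.
    nonce2 = verifier.challenge()
    results.append(verifier.verify("alice", template, nonce2, now, b"other document", tag, now))
    # A correctly bound submission held back too long before being sent.
    nonce3 = verifier.challenge()
    tag3 = bind_sample(device_key, template, nonce3, now, claim)
    results.append(verifier.verify("alice", template, nonce3, now, claim, tag3, now + 600))
    return results


if __name__ == "__main__":
    for outcome in run_scenario():
        print(outcome)
```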
Risk management in organisations generally has three audiences:
- executives accountable for the management of an organisation;
- personnel who are responsible for initiating, implementing, managing and/or monitoring generic risk management systems within their organisation; and
- personnel who are responsible for initiating, implementing, managing and/or maintaining authentication within their organisation.

Risk assessment

To evaluate the suitability of authentication alternatives for particular applications, the agency needs to perform a risk assessment. The assessment identifies the particular technologies and management controls best suited to minimising the risk and cost to acceptable levels, while maximising the benefits to the parties involved. Often parts of the assessment can be quantified, but some factors, particularly the risk analysis, usually can only be estimated qualitatively. Availability of data affects the extent to which risk can be reliably quantified.

A quantitative approach to risk analysis generally attempts to estimate the monetary cost of risk compared to the cost of risk reduction techniques based on:
- the likelihood that a damaging event will occur;
- the costs of potential losses; and
- the costs of mitigating actions that could be taken.

Reliable data on likelihood and costs may not be available. In this case a qualitative approach can be taken by defining risk in more subjective and general terms such as high, medium and low. In this regard, qualitative analyses depend more on the expertise, experience and good judgment of the managers conducting them than on quantified factors.

Some factors, such as the value of deterring fraud, are difficult to quantify. If a new automated solution is less secure than an old paper-based process, attempts to commit fraud or to repudiate transactions may increase. It usually is not possible to quantify in monetary terms attitudes such as increased customer satisfaction and willingness to cooperate with an agency which may result from electronic processes designed to be user-friendly. However, many costs (design, development and implementation) and benefits (such as reduced transaction costs or saved time) can be quantified, as is the case for other IT projects.

Clearly, then, the assessment should use a combination of quantitative and qualitative methods to judge the practicability of any electronic transaction method and should include a comprehensive risk analysis when warranted by the sensitivity of the data and/or the transaction.

Those alternatives that minimise risk to an acceptable level should be assessed in terms of net benefit to the agency and the customer in order to determine the authentication process most appropriate for the transaction. If the net benefits are negative, the agency may determine that using an authentication process is not practical at this time. All risk analyses are exercises in managerial judgment.

Consider the costs of risk mitigation. The assessment must recognise that not all authentication solutions are totally reliable and secure. Every method of authentication can be compromised with enough skill and resources, or due to poor security procedures, practices or implementation. Setting up a very secure, but expensive, automated system may in fact buy only a marginal benefit of deterrence or risk reduction over other alternatives and may not be worth the extra cost. For example, past experience with fraud risks, and a careful analysis of those risks, show that exposure is often low.
If this is the case, a less expensive solution that substantially deters fraud is warranted rather than an absolutely secure solution.

Conduct a cost-benefit analysis to determine if authentication is practicable. The primary goal of a cost-benefit analysis should be to find a cost-effective package of security mechanisms and management controls that can support automated solutions using electronic communications. In estimating the cost of any solution, agencies should include costs associated with hardware, software, administration and support of the system, both short-term and long-term.

What benefits should agencies consider regarding authentication?

Benefits from moving to electronic transactions and authentication include reduction in transaction costs for the agency and the customer. Transactions are quicker and it is often easier to access information related to the transaction because it is in electronic form. The electronic form often allows more effective data analysis because the information is easier to access. Better data analysis often improves the operation of the new electronic transaction. In addition, if many transactions are electronic and data analysis can be done across transactions, the benefits can spill over into the rest of the agency as operational awareness of the entire organisation is improved.

Moreover, business process reengineering should accompany all attempts to facilitate a transaction through information technology. Often the full benefits will be realised only by restructuring the process to take advantage of the technology. Merely moving an existing paper-based process to an electronic one is unlikely to reap the maximum benefits from the electronic solution. In order to account for all the benefits associated with electronic transactions, agencies should keep common information technology benefits in mind and look at the benefits realised by other agencies.

What are the benefits?

Agencies should identify all the benefits of automating program transactions and making those transactions secure, such as:
- Increased speed of the transaction. The customer and the agency may spend less time completing the transaction. The quicker speed combined with putting the transaction online allows real-time help to the transaction customer, providing a benefit not found in a paper-based transaction.
- Increased customer participation and satisfaction. Often a decrease in customer transaction costs leads to more customers completing the transaction. In addition, customers tend to have a more positive view of the process given its speed and ease of use.
- Improved recordkeeping efficiency and data analysis opportunities. If data is easier to access and store then program evaluation is enhanced and awareness of the effects of the government program in question is expanded.
- Increased employee productivity and improved quality of the final product. Electronic transactions tend to have fewer errors because often the system minimises retyping and automatically detects certain errors. These benefits allow the employees to concentrate more time on other matters.
- Greater information benefits to the public. Moving to electronic transactions and authentication can often make the related information more accessible to the public.
- Improved security. Designed, implemented and managed properly, electronic transactions can have fewer opportunities for fraud and more robust security measures than paper and envelope transactions.
- Extensive security for highly sensitive information. Even though implementing a more secure option is often more expensive initially than implementing less secure alternatives, there could be larger expected benefits if the information being protected is particularly sensitive.

What risk factors should agencies consider?
Properly implemented solutions can offer greater degrees of confidence in authenticating identity than manual authentication processes. These digital tools should be used to control risks in a cost-effective manner. In determining whether a particular authentication solution is sufficiently reliable for a particular purpose, agency risk analyses need at a minimum to consider the relationships between the parties, the value of the transaction and the risk of intrusion. In addition, agencies should consider any other risks relevant to the particular process. Once these factors are considered separately, an agency should consider them together to evaluate the sensitivity to risk of a particular process, relative to the benefit that the process can bring.

What is the relationship between the parties?

Agency transactions can fall into a number of categories, each of which may be vulnerable to differing security risks. The following are examples:
- intra-agency transactions (those which remain within the same agency);
- inter-agency transactions (those between agencies);
- transactions between a Commonwealth agency and State/Territory or local government agencies;
- transactions between an agency and a private organisation such as a contractor, business, university, non-profit organisation or other entity;
- transactions between an agency and a member of the general public; and
- transactions between an agency and a foreign government, foreign private organisation or foreign citizen.

Risks tend to be relatively low in cases where there is an ongoing relationship between the parties. Generally speaking, there will be little risk of a partner later repudiating inter- or intra-governmental transactions of a relatively routine nature, and almost no risk of the governmental trading partner committing fraud. Similarly, transactions between an agency and a publicly traded corporation or other known entity can often bear a relatively low risk of repudiation or fraud, particularly where the agency has an ongoing relationship with the entity. For the same reasons, risks tend to be relatively low within rule making contexts, as all parties can view the submissions of others, so the risk of imposture is minimised.

Other types of transactions, involving an ongoing relationship between an agency and non-governmental entities (both individuals and businesses), can have varying degrees of risk depending on the nature of the relationship between the parties. The same would apply in the case of those government programs in which the ongoing relationship is between entities that are acting on behalf of an agency and such non-governmental entities and persons, e.g. transactions between a lender, agency or other institution participating in a loan or financial aid program and another program participant or a member of the general public, such as a borrower or grant recipient.

On the other hand, the highest risk of fraud or repudiation is for a one-time transaction between a person and an agency that has legal or financial implications. Agencies should also pay attention to transactions with non-agency entities, where the agency has a law enforcement responsibility but does not have an ongoing relationship. Transactions between an agency and a foreign entity may entail unique legal risks due to varying national laws and regulations.
In all cases, the relative value of the transaction must also be considered.

What is the value of the transaction?

Agency risk analysis should attempt to identify the relative value of the type of transaction being automated and factor that against the costs associated with implementing technological and management controls to mitigate risk. Note that the value of the transaction depends on the perspective of the agency and the transaction customer. In general, authentication might be considered least necessary in very low value transactions and might not be used unless specifically required by law or regulation. Where authentication is necessary, the method of authentication should be appropriate to the level of risk.

What is the risk of intrusion?

The probability of a security intrusion on the transaction can depend on the benefit to the potential attackers and their knowledge that the transaction will take place. Indicators of agency transactions in this area are:
- Regular or periodic transactions between parties are at a higher risk than intermittent transactions because of their predictability, making it more likely that an outside party would know of the scheduled transaction and be able to intrude on it;
- The value of the information to outside parties could also determine their motivation to compromise the information. Information that is relatively unimportant to an agency may have high value to an outside party; and
- Certain agencies, because of their perceived image or mission, may be more likely to be attacked independent of the information or transaction. The act of disruption can be an end in itself.

4.3.2 Risk matrix

Having taken into consideration the issues identified above, agencies may wish to develop a risk matrix. The level of risk is determined by the relationship between both the likelihood of the event and the consequence of the impact, against the background of any existing risk reduction measures. Neither consequence nor likelihood should dominate the determination of the level of risk. The greatest risks to an agency are those which have extreme consequences and are almost certain to occur. Conversely, a rare event with negligible consequences may be considered trivial. An event which occurs rarely but which has extreme consequences could be considered a significant risk.

The risk matrix shown below is provided for illustrative purposes only. Agencies should develop their own mapping tables to determine the level of risk by mapping the relationship between likelihoods and consequences in a matrix.

                                      CONSEQUENCE
LIKELIHOOD       EXTREME      VERY HIGH    MEDIUM       LOW          NEGLIGIBLE
Almost certain   severe       severe       high         major        significant
Likely           severe       high         major        significant  moderate
Moderate         high         major        significant  moderate     low
Unlikely         major        significant  moderate     low          trivial
Rare             significant  moderate     low          trivial      trivial

Definitions for the level of consequence
EXTREME: The consequences would threaten the provision of key services, causing major problems for clients and for government.
VERY HIGH: The consequences would threaten the continued effective provision of services and require top level management or ministerial intervention.
MEDIUM: The consequences would not threaten the provision of services, but would mean the agency could be subject to significant review or changed ways of functioning.
LOW: The consequence would threaten the efficiency or effectiveness of some services, but could be dealt with internally.
NEGLIGIBLE: The consequences would be dealt with by routine operations.
Risk definitions and management implications
Severe: Must be managed promptly by senior management with detailed cost-effective continuity management strategies.
High: Continuity management required at senior levels.
Major: Senior management attention is needed.
Significant: Continuity management responsibilities must be specified.
Moderate: Manage by specific monitoring or response procedures.
Low: Manage by routine procedures.
Trivial: Unlikely to need specific application of resources.

Guidelines on risk management can be found in the following documents:
- Australian/New Zealand Standard AS/NZS 4360:1999 Risk Management
- Australian Communications Electronic Security Instruction 33 (ACSI 33) Handbook 3 Risk Management
- Commonwealth Protective Security Manual (PSM) Part B Guidelines on Managing Security Risk

Developing a business case

There are several issues that should be considered when developing a business case for the type or combination of authentication solutions to implement in an agency. The points identified below are intended to provide managers within agencies with a range of issues that may require investigation. They are not necessarily exhaustive and additional issues not covered here may need to be considered and addressed on a case by case basis.

Identify services to be delivered
Specific services to be delivered online and requiring authentication need to be identified. Determine the value of the service and information being processed to the agency. Determine customer accessibility requirements. This will help to identify the type or strength of the authentication required.

Risk assessment
An assessment of the risk to an agency through not implementing appropriate authentication will help to strengthen a business case. The risk assessment should include different authentication options, and identify associated risks with each, for later consideration by management.

Identify internal and external clients
Identify the number of internal and external clients and how well they need to be known to the agency.

Determine interoperability requirements
This is dependent upon the number and type of clients and the possibility that clients will have different types of desktops and different applications on each desktop.
As a result each client's technology implementation may respond differently to an authentication process. This issue should be identified and investigated early in the process because it may have cost and time implications.

Identify registration of client requirements
Prior to the issue or implementation of an authentication solution, agencies may wish to consider whether or not existing processes for authenticating or registering the identity or existence of an agency's clients need to be investigated or refined. Agencies may consider that existing processes for identifying clients will suffice. However, if moving to an online environment, agencies may wish to take the opportunity to implement a more rigorous approach to client registration.

Identify privacy requirements
Agencies will need to ensure that measures implemented to protect personal information comply with privacy regulations. The Office of the Federal Privacy Commissioner has issued a document titled Privacy in Australia which will assist agencies in their decision making process. It can be found at

Identify resource requirements
The level of complexity involved in the application and ongoing management of the chosen authentication solution directly impacts the required number of resources. As a result, identifying resource requirements is an important part of the business case. Management will need to take into consideration the risks associated with each of the authentication options identified in the risk assessment, and availability of resources, to assist them in deciding which is the most appropriate authentication solution for their agency.

Identify recordkeeping requirements
Agencies should consider the need to make and keep records of their business activities to satisfy legislative obligations, accountability requirements and community expectations. These records must be managed in such a way that they retain their integrity and remain accessible for as long as they are required. The integrity and accessibility of records may be affected by the authentication solutions adopted by an agency. The National Archives of Australia can provide further advice at

Non-repudiation

Non-repudiation is emerging as an important objective of authentication. It provides irrefutable evidence that an action took place. It protects one party to a transaction against the denial of the other party that a particular event took place. It also protects all parties from a false claim that a record was tampered with, or not sent or received. While non-repudiation is more of a legal construct than a technical process, agencies can take certain precautions to minimise the risk of a transaction being repudiated. However, agencies should determine the requirement for non-repudiation from their risk assessment. For example, agencies may decide that transactions involving non-verified signatures may not attract non-repudiation status.
Non-repudiation is necessary to:
- protect against abuse and/or misuse of e-transaction information and systems;
- indemnify an agency against loss;
- provide accountability of users; and
- guarantee user authenticity and right of access.

According to International Standards Organisation (ISO) Standard the key elements of a robust non-repudiation regime are as follows:
- Approval: proof of who is responsible for approval of the content of a message;
- Sending: proof of who sent a message;
- Origin: proof of origin derives from information provided in the approval and sending services;
- Transport: proof for the message originator that a delivery authority has given the message to the intended recipient;
- Receipt: proof that the recipient received the message;
- Knowledge: proof that the recipient recognised the content of the received message; and
- Delivery: proof that the recipient received and recognised the content of the message.

To achieve the above, agencies need to consider six fundamental requirements for any system that aims for a high level of trustworthiness and non-repudiation:
- Security policy: there must be an explicit and well-defined security policy enforced by the system;
- Marking: access control labels must be associated with objects;
- Identification: individual users must be identified;
- Accountability: audit information must be selectively kept and protected so that actions affecting security can be traced to the responsible party;
- Assurance: systems must contain hardware and software mechanisms that can be independently evaluated to provide sufficient assurance that the system enforces the security requirements; and
- Continuous protection: the trusted mechanism enforcing these basic requirements must be continuously protected against tampering and unauthorised changes.

In a legal sense, all allegations put forward by a party to litigation may be disputed by the other party. As there has yet to be a judicial decision dealing with an interpretation of the electronic signature requirements in the Electronic Transactions Act, the choice of authentication provider and what they have to offer by way of non-repudiation is a business decision for agencies. For more information on non-repudiation, visit:

4.6 ANAO Better Practice Guide

One approach to determining the level of authentication required for an online application is to consider the four-stage approach to delivering government services online, as outlined in the Australian National Audit Office (ANAO) better practice guide, Internet Delivery Decisions (available from the ANAO website). These stages can be summarised as follows:

Stage 1 permits an agency with a website to provide or publish information about its services to those who access it. Publications are available online and can be downloaded. There is a limited inquiry and search facility. The information is made available in a static display.
There are no limits to public access to the information. A current example is the ANAO's website. Other examples are the Australian Taxation Office's placement of its tax determinations online, the Attorney-General's Department's provision of considerable legal information and the Australian Institute of Health and Welfare's website.

An example of Stage 1 electronic service delivery
The Australian National Audit Office (ANAO) website provides information about the ANAO, links to other audit or government-related sites and the ability to read and download ANAO publications, including ANAO reports to Parliament. The ANAO does not have publicly available databases and does not obtain information from the public or business, except in the course of its audit activity.

Authentication requirements for Stage 1
Agencies may decide that no authentication requirements are needed in this stage.

Stage 2 permits an individual who visits a website to access or interact with the agency's database. The individual can calculate an entitlement, subsidy or debt, or conduct research using part or all of the database. Interactive facilities are limited. There are no limits to public access to information on the website. A current example is the Australian Bureau of Statistics site, which gives access to much of its statistical information. Other agencies with databases of publicly available information have made those databases searchable online. Agencies providing services at Stages 1 and 2 are not committing themselves to functions with significant risks of security, privacy or financial breaches.

An example of Stage 2 electronic service delivery
The Australian Communications Authority (ACA) website offers real-time information on radiocommunications and cabling licences. Users can extract details of who holds radiocommunication licences, technical aspects of those licences and the transmitter site details. Searches can be conducted by licence holder, licence number, frequency, site or postcode. Inquiries about cabling licences can yield details of the name, postal address, contact phone number if available, licence number, licence type and licence endorsements where applicable, of all current holders of ACA cabling licences. Licensed cablers are able to install, connect, remove or maintain all types of cabling connected to, or intended for connection to, a telecommunications network.

Authentication requirements for Stage 2
There are no specific authentication requirements for Stage 2 although agencies may consider that access to some interactive facilities should be limited and therefore require some degree of authentication and security by applying passwords, PIN/User ID, SSL or cookies.

Stage 3 involves exchange of information between the agency and the individual Internet user once the agency has verified his or her identity. Stage 3 requires authentication or verification of the individual's identity, used by the agency to control access to its data and to authenticate data being provided. The interaction can have financial implications. The major difference between Stage 3 and Stages 1 and 2 is that agencies embarking on Stage 3 need to authenticate the identity of the person or business entering the information. This stage covers secure, authenticated financial transactions. In the future, financial transactions on the Internet are likely to be more secure and more agencies may advance to supporting them. An example of Stage 3 is the Australian Taxation Office's project for individual taxpayers' electronic lodgement of tax returns (e-tax), or the Department of Employment and Workplace Relations (DEWR) Jobsearch site discussed below. These examples are major projects in which agencies are fully addressing the risks of security, privacy and financial obligations.

An example of Stage 3 electronic service delivery
DEWR's Jobsearch website allows employment seekers to search a database of employment opportunities by location, occupation, postcode or suburb, and perform more sophisticated searches. The site is considered a Stage 3 because employers can lodge jobs for placement in the database. The employer is able to provide details of employment, which are screened for defamatory, obscene or discriminatory material before entry in the database.

Authentication requirements for Stage 3
Authentication requirements for this stage are aimed at ensuring the user(s) only gain access to, or have the ability to change, the information they are entitled to.
Common methods of identifying and authenticating the user include passwords and PIN/User IDs over SSL and PKI using, for instance, Australian Business Number Digital Signature Certificates (ABN-DSCs). The authentication solution will be determined by assessing the nature of the interaction:
- whether the transaction needs to be digitally signed;
- the sensitivity of the information;
- the risk profile;
- any liability issues; and
- the need to strengthen the chain of evidence for legal requirements.

Stage 4 involves government agencies exchanging information provided by individuals, organisations or businesses with their prior consent. For example, an agency notified of a change of address would recognise it as an event of which other agencies should be notified, and would do so with the prior knowledge of the original data provider. A few agencies have or are proposing interchange of information at this level. A future likely example of Stage 4 will be the Department of Industry, Tourism and Resources' Business Entry Point's Transaction Manager. This web-based tool aims to ease the compliance burden on small business by providing a single entry point for users to discover, complete and manage their online transactions with Federal, State and local government agencies.

An example of Stage 4 electronic service delivery
The Australian Customs Service's CMR development will allow clients to submit documents online for clearance of transporting goods across Australia's borders. Clients will also be able to update personal information and business details via Customs Client Register. It is proposed that client information amendments concerning information associated with an individual or business will be used to update the Australian Business Register (ABR) where appropriate. The ABR contains all the publicly available information provided by businesses when they register for an Australian Business Number (ABN). The ABN is a new single identifier for dealings with all government agencies, including Customs, and will be used to supply the core information for Customs Client Register. Customs will appropriately seek clients' permission for the intended use of this information.
Authentication requirements for Stage 4
Authentication requirements for this stage match those for Stage 3.

4.7 ANAO Performance Audit: Internet Security within Commonwealth Agencies

In 2001, the ANAO completed an audit of Commonwealth agencies' management of Internet security with the principal objective of forming an opinion on the adequacy of those systems. The audit addressed:
- Internet security risk assessments, policies and plans;
- Agencies' Internet security management procedures to determine whether these were consistent with relevant Commonwealth guidelines and requirements, and with examples of industry better practice;
- Internet site management, including virus protection and detection strategies, prevention and detection of unauthorised access and incident response arrangements; and
- Test performances of selected sites.

While not specifically addressing authentication, the ANAO report should be considered as part of an agency's overall online business plan. The report can be found at:

4.8 Authentication options for online transactions

The following table is for illustrative purposes only. It provides example Information and Transaction types, Identification requirements, Authentication and Confidentiality requirements and Non-Repudiation expectations against four stages based upon the ANAO stages discussed at 4.6. As indicated in Section 3, further work is being undertaken to take a whole-of-government approach to authentication to provide greater consistency for the government's customers. This may result in further enhancements to this approach in the future. Agencies should treat their authentication requirements for each transaction on a case by case basis.

STAGE 1: This is the equivalent of a website that publishes information about the agency and its services.
  Information type: Public. This includes information that does not have any security implications and can be made freely available to the public.
  Transaction: Any member of the public can view agency services and publications.
  Identification requirements: Generally speaking, none required, but is dependent upon agency requirements.
  Authentication & confidentiality: Generally speaking, none required, but is dependent upon agency requirements.
  Non-repudiation: Dependent upon agency requirements.

STAGE 2: This stage allows Internet users to browse and interact with the agency's database(s).
  Information type: Agency Official. Agency specific information whose compromise may or may not cause embarrassment to the agency.
  Transaction: Customers may be provided with browse or update of limited personal information privileges based upon their relationship with the agency.
  Identification requirements: Whether identification is required, or achieved online, or requires the physical presence of the customer at an agency shopfront is a decision for agencies to make.
  Authentication & confidentiality: Password and PIN/User ID (and cookies) or challenge and response or one-time password.
STAGE 3: This includes stages 1 & 2 and permits users to enter information on the website, exchange or transact secure information with the agency.
  Information type: In-Confidence. Information whose compromise could cause damage to the Commonwealth, the Government, commercial entities or members of the public.
  Transaction: Customers may be given privileges to declare personal circumstances based upon their relationship with the agency.
  Identification requirements: Agencies may decide that the physical presence of the customer is required to confirm their identity. Evidence of Identity (EOI) documents should be provided by the customer and verified by the agency.
  Authentication & confidentiality: Password and PIN/User ID with SSL or PKI.

STAGE 4: This is the same as stage 3 but in addition the agency, with the user's prior approval, shares that user's information with other government agencies.
  Information type: In-Confidence. Same as above.
  Transaction: Normally associated with the repayment of debts or payment for services.
  Identification requirements: Physical presence of the customer is required to confirm their identity.
  Authentication & confidentiality: Password and PIN/User ID with SSL or PKI; PKI business requirements are 100 points of EOI for an ABN-DSC.

  Information type: Protected or Highly Protected. Information whose compromise could cause serious damage to the Commonwealth, the Government, commercial entities or members of the public.
  Transaction: Passage of Protected or Highly Protected information across the Internet.
  Identification requirements: Physical presence of the customer is required to confirm their identity.
  Authentication & confidentiality: PKI (Digital Certificate) requirements are determined by the agency. PKI required for Protected/Highly Protected.

5. Public Key Infrastructure (PKI)

KEY POINTS TO REMEMBER
- PKI enables secure, authenticated transactions, and is supported by the Commonwealth Gatekeeper strategy.
- Digital certificates, the central component of PKI, require a dedicated management strategy to be used effectively.
- The ABN-DSC provides a convenient central solution for many agencies seeking to use digital certificates.

5.1 Overview

While Public Key Infrastructure (PKI) applications only constitute a small percentage of authentication solutions currently in use, it is expected that PKI will play a greater role in authentication in the future. PKI is also a complex area. The remaining sections of this guide focus on PKI in order to cover the relevant material comprehensively. This should not be interpreted as placing undue emphasis on PKI solutions.

PKI enables users of a basically unsecured public network such as the Internet to securely exchange information through the use of public and private cryptographic key pairs that are obtained and shared through a trusted evaluated infrastructure. The central function of a PKI is the provision of digital certificates that can identify an organisation or an individual. It also provides management, storage, distribution and revocation of those digital certificates. A PKI is often referred to as a PKI hierarchy or trust hierarchy. For example, Gatekeeper, the Commonwealth's strategy for PKI use in government (see 5.2), is a hierarchical PKI.

A PKI consists of several components including:
- Certification Authorities (CAs) are trusted by one or more users to create and assign public-key certificates. Optionally the CA may create the users' keys;
- Registration Authorities (RAs) include functions such as an Evidence of Identity check to process requests for new certificates, requests for renewal of certificates and requests for revocation of certificates. In some business models (e.g. Health eSignature Authority) RAs may also generate keys and certificates;
- Certificate or key holders (also subscribers or end users) are issued keys and certificates and can digitally sign and encrypt electronic documents;
- Relying parties receive, validate and accept digital signatures from key holders/subscribers;
- Repositories store and make available certificates and Certificate Revocation Lists (CRLs). CRLs are maintained by CAs and contain all revoked certificates issued by the CA that have not expired.

5.1.1 Employing digital certificates

The opportunity to use digital certificates has been available for a number of years, but generally they have only been implemented for single-use purposes. In these instances, applications have been developed for each user to ensure that the digital certificates can be used for the intended purpose. One of the primary reasons why digital certificates have been implemented using fit-for-purpose designed applications is that most applications employed by Internet users vary greatly in the manner in which they handle digital certificates. For example: a digital certificate employed from an platform might not operate in another environment. Service providers may offer a remedial patch or plug-in that will enable digital certificates to work with applications employed by an agency. However, the remedial action employed by one service provider may differ from that of another provider. This could mean that a digital certificate issued by one service provider and employed in an platform in one agency might not work with the same platform in an agency that employs a different provider's remedial application.

This difficulty in employing digital certificates on a wide scale is recognised globally. There is growing pressure on application developers to create open standards where digital certificates can be employed and used in the same manner across all Internet applications. In the meantime, central validation or trust centre type facilities, where digital certificates from multiple providers are validated, are warranted. However, this might be a short-term solution if market forces cause application developers to expedite their digital certificate interoperability developments. A rollout of interoperable digital certificates by a major employer of digital certificates might, to a large extent, resolve these difficulties.
In developing a business case for the use of digital certificates, agencies will need to consider the intended deployment, customer base, applications employed by those customers and the solutions offered by service providers.

Business continuity and implementation considerations

In developing a case for PKI, agencies will need to consider some important business continuity issues, particularly where information is encrypted. An agency's ability to continue business might be severely hampered if the information cannot be accessed for some reason. For example:
- Agencies need to consider how they will manage their information when it is in an encrypted form and can only be accessed by decrypting it with the agency's private key, which might be held by a staff member who is on leave, sick, overseas, or just cannot be contacted.
- Agencies also need to consider how they will manage lost or forgotten passwords by personnel needing access to private keys, without which these personnel cannot access the agency's information.

To ensure business continuity, agencies may consider the use of a key recovery service from the agency's Certification Authority, or key escrow by a third party. Agencies may also consider backing up passwords or putting in place an unlocking process for lost or forgotten passwords. Any implementation of a business continuity process to manage such instances will need to ensure that agency personnel are fully aware and that a complete and reliable audit trail is maintained. The Certification Authority's key recovery service will need to be appropriately evaluated and accredited under the Gatekeeper strategy. If considering backing up passwords, agencies may wish to implement a two-person integrity process where two people from different parts of the agency are involved whenever these business continuity processes are employed. Agencies should seek legal and security guidance to ensure that these considerations are appropriate.

Where the information being protected or signed is the property of the Commonwealth, the Commonwealth is at liberty to use such lawful methods of recovery as are deemed appropriate. The responsibility for Commonwealth policy on this issue rests with the Attorney-General's Department. The use of products where particular keys are held in escrow or key recovery outside Australia is not permitted under the Gatekeeper strategy.

Recordkeeping implications

Agencies should consider how records subject to authentication and encryption processes will be managed and stored, taking into account privacy and security requirements. For example, access to encrypted information may be compromised when certificates and keys expire, while software obsolescence and the degradation of storage media may also affect data integrity and accessibility. Agencies should adopt a risk-based approach and consult their records management personnel to develop appropriate management strategies. For example:
- Agencies could store unencrypted information in a suitably secure electronic recordkeeping system to ensure continued accessibility and integrity, rather than keep the information in encrypted form in an insecure system.
- Such information may need to be linked to records that document the authentication and encryption process such as digital certificates, digital signatures, subscriber identity, time and date stamps, revocation checks and message verifications.
The National Archives of Australia is developing recordkeeping guidelines for agencies that use authentication and encryption processes. For further information about this project see the NAA website: Public Key Technology Public Key Technology (PKT) is used within PKI to provide users of the technology with the ability to communicate with confidence in an electronic environment. In order to do this they need to know: who sent the message (authentication); that the message content has not been altered in any way between sending and receiving (integrity); that the sender cannot dispute that they created and sent the message (non-repudiation); and that only the person the message is directed to can open it (confidentiality). Online Authentication National Office for the Information Economy 31

40 5.1.5 How PKI works Source: HIC For Alice and Bob to communicate electronically with each other, they need to digitally sign and protect their messages. To do this they use public and private keys to digitally sign and verify messages, prove who they are and encrypt (or protect) the content of their message A typical PKI process flow While the process may vary somewhat depending on the particular parties involved, the general process flow in a PKI environment is as follows: An applicant applies to a CA or RA (depending on the PKI model) for a digital certificate. Alternatively, a Commonwealth agency may commission a CA to offer digital certificates to its clients; The CA engages a Registration Authority (RA) to undertake verification of the applicant s identity. This will include verification of a business entity represented by the applicant where appropriate (such as for an ABN-DSC digital certificate); The RA advises the CA that identity has been established and that keys and certificates can be issued; The CA issues keys and certificates to the applicant (who now becomes a Subscriber ). This also involves the signing of a Subscriber agreement (i.e. a contract between the CA and the Subscriber) and the issue of the private and public keys, although this may vary according to the CA s business model; The Subscriber can then digitally sign an electronic message with their private key to ensure sender authentication, message integrity and non-repudiation and send the message to a relying party; The Relying Party receives the message, verifies the digital signature with the Subscriber s (sender s) public key and goes to a repository to check the status/validity of the certificate against a Certificate Revocation List (CRL); and The Relying Party then accepts or rejects the certificate depending on the result returned from the CRL and/or their own business judgement. 32 Online Authentication National Office for the Information Economy
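The process flow above, carried through in working code as an added example (it is not from the guide, from HIC or from any Gatekeeper CA): a constructed CA issues a certificate to a subscriber "Alice", Alice signs a message with her private key, and the relying party verifies the signature with the public key in her certificate, checks that the certificate chains to the CA it trusts, and checks the certificate's serial number against a CA-signed CRL. It also exercises the authentication and integrity properties listed under Public Key Technology (confidentiality is not shown). Only Go's standard library is used; the CA name, serial numbers, message text and the key-compromise revocation are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the example short: any failure in the constructed setup aborts the demonstration.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert generates a key pair and a certificate binding its public key to name. With parent == nil
// it is the CA's self-signed trust anchor; otherwise it is what the CA issues once the RA has
// confirmed identity. The private key goes only to its owner. Names and serials are constructed.
func newCert(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // CA: self-signed, permitted to sign certificates and CRLs
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return key, must(x509.ParseCertificate(der))
}

// makeCRL publishes a CA-signed Certificate Revocation List for the given serials.
func makeCRL(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []pkix.RevokedCertificate) []byte {
	tmpl := &x509.RevocationList{
		RevokedCertificates: revoked, Number: big.NewInt(int64(len(revoked))),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))
}

// verify is the relying party's check: certificate chains to the trusted CA, signature verifies under
// its public key (authentication and integrity), serial is not on the CA's current CRL. nil = accept.
func verify(trusted, cert *x509.Certificate, msg, sig, crlDER []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by trusted CA: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(msg)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature invalid: message altered or not signed by the subscriber")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(trusted) // a CRL is only trustworthy if the CA signed it
	}
	if err != nil {
		return fmt.Errorf("CRL unusable: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// runScenario: genuine message accepted; tampered copy rejected; message rejected after revocation.
func runScenario() (accepted, tamperedRejected, revokedRejected bool) {
	caKey, caCert := newCert("Constructed Example CA", 1, nil, nil)
	aliceKey, aliceCert := newCert("Alice (constructed subscriber)", 1001, caCert, caKey)
	// An unrelated earlier revocation (constructed), so the first CRL is not empty.
	revoked := []pkix.RevokedCertificate{{SerialNumber: big.NewInt(999), RevocationTime: time.Now()}}
	crl := makeCRL(caCert, caKey, revoked)
	msg := []byte("constructed message: Alice approves invoice 42")
	h := sha256.Sum256(msg) // the subscriber signs the hash of the message with her private key
	sig := must(ecdsa.SignASN1(rand.Reader, aliceKey, h[:]))
	accepted = verify(caCert, aliceCert, msg, sig, crl) == nil
	tamperedRejected = verify(caCert, aliceCert, []byte("constructed message: Alice approves invoice 4200"), sig, crl) != nil
	// Alice reports her private key compromised: the CA revokes her certificate and republishes the CRL.
	revoked = append(revoked, pkix.RevokedCertificate{SerialNumber: aliceCert.SerialNumber, RevocationTime: time.Now()})
	revokedRejected = verify(caCert, aliceCert, msg, sig, makeCRL(caCert, caKey, revoked)) != nil
	return
}

func main() {
	fmt.Println(runScenario()) // true true true
}
```

The relying party accepts the genuine message, rejects a copy whose content was changed after signing (the integrity check), and rejects the same still-valid signature once Alice's serial appears on the CRL, which is why the guide has the relying party consult the repository rather than trust the signature alone. The unrelated serial on the first CRL shows that the revocation check matches on the serial number, not merely on whether a CRL exists. Everything here runs in one process for illustration; in a real deployment the RA's identity verification, the Subscriber agreement and the secure delivery of the private key to the subscriber happen outside any code.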


More information

DigitalPersona Pro Enterprise

DigitalPersona Pro Enterprise DigitalPersona Pro Enterprise Version 5.3 Frequently Asked Questions 2012 DigitalPersona, Inc. All Rights Reserved. All intellectual property rights in the DigitalPersona software, firmware, hardware and

More information

AINSLIE BULLION COMPANY STORAGE ACCOUNT APPLICATION

AINSLIE BULLION COMPANY STORAGE ACCOUNT APPLICATION AINSLIE BULLION COMPANY STORAGE ACCOUNT APPLICATION Please complete the below, ensuring you have also provided FOR EACH PARTY a certified copy of THEIR drivers license and passport, and copies of any trust

More information

Electronic business conditions of use

Electronic business conditions of use Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

More information

Alternative authentication what does it really provide?

Alternative authentication what does it really provide? Alternative authentication what does it really provide? Steve Pannifer Consult Hyperion Tweed House 12 The Mount Guildford GU2 4HN UK steve.pannifer@chyp.com Abstract In recent years many new technologies

More information

The 4 forces that generate authentication revenue for the channel

The 4 forces that generate authentication revenue for the channel The 4 forces that generate authentication revenue for the channel Web access and the increasing availability of high speed broadband has expanded the potential market and reach for many organisations and

More information

A simple tscheme guide to securing electronic transactions

A simple tscheme guide to securing electronic transactions A simple tscheme guide to securing electronic transactions 1 A simple tscheme guide to securing electronic transactions Electronic Transactions An electronic transaction is best thought of as a type of

More information

How To Accept A Card On The Internet

How To Accept A Card On The Internet Internet Merchant Procedure Guide Procedures for accepting Card transactions across the Internet Internet Merchant Procedure Guide www.barclaycardmerchantservices.co.uk Internet Merchant Procedure Guide

More information

PrivyLink Internet Application Security Environment *

PrivyLink Internet Application Security Environment * WHITE PAPER PrivyLink Internet Application Security Environment * The End-to-end Security Solution for Internet Applications September 2003 The potential business advantages of the Internet are immense.

More information

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10.

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10. Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate A STEP-BY-STEP GUIDE to test, install and use a thawte Digital Certificate on your MS IIS Web

More information

Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) Pretty Good Privacy (PGP) Contents...1 Abstract...2 Introduction...3 The importance of the cryptography...4 The idea about how (PGP) works...5 Legal issues surrounding (PGP)...6 The implementation and

More information

Terms and Conditions for Remote Data Transmission

Terms and Conditions for Remote Data Transmission Terms and Conditions for Remote Data Transmission (Status 31 October 2009) 1. Scope of services (1) The Bank is available to its Customers (account holders) for remote transmission of data by electronic

More information

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate

More information