ENISA perspective on Electronic Trust Services

Transcription

1 ENISA perspective on Electronic Trust Services Udo Helmbrecht ENISA, Executive Director SECURE Conference, Warsaw, 23 October

2 ENISA activities Recommendations Mobilising Communities Policy Implementation Hands on 2

3 Evolution of threat landscape Threat landscape timeline Phishing 1. Drive-by-exploits 2. Worms /Trojans 3. Code Injection 4. Exploit Kits 5. Botnets Future trend: Threats going... Mobile, Cloud, Wireless Targeted attacks (e.g. Stuxnet) Stable Spying Computer virus 1995 Time

4 Threat landscape trends 4

5 Regulation on electronic identification and trust services Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market Mutual recognition of electronic identification and trust services among Member States (electronic signatures, electronic seals, time stamping, certified electronic delivery or website authentication) Article 19 of the Regulation addresses security requirements including notification of breaches 5

6 Example of a breach under Art.19 Who: Diginotar, a Certification Authority What: A security breach, allowed attackers to generate fake PKI certificates Why: Shortcomings in the security policy allowed intruders to take control of the issuing authority Where: In the Netherlands and on cyberspace When: Summer 2011 How: The intruders leveraged on fake certificates to wiretap online communications of ca. half a million Iranian citizens Fallout: Following the breach many egovernment websites went offline or they were declared unsafe to visit. Diginotar went bankrupt. 6

7 Overview of provisions on breach notification in EU law Victims Art 4 Art 32 Art 13a, Art 4 Art 19, Art 14 Network or service provider Art 19, Art 30, Art 14 Art 13a, Art 4, Art 19, Art 31, Art 14 Competent national authority Art 13a, Art 4, Art 13a of the Framework directive Art 4 of the e-privacy directive Art 30, 31, 32 of the proposed Data protection regulation. Art 19 of the Regulation on eids and Trust Service Providers Art 14 of the proposed NIS directive Art 13a, Art 4, Art 19, Art 30, Art 14 Art 13a, Art 19, Art 14 Art 13a, Art 19, Art 14 Art 13a, Art 19, Art 14 Public National authorities abroad, EC and ENISA ( network of competent authorities ) 7

8 Functional models for Article 19 Article 13a (Framework Directive) Analogous articles in terms of wording Obligation to implement technical and organisational security measures Obligation to notify competent supervisory bodies National supervisory bodies must inform about security breaches ENISA and supervisory NRAs in other EU Member States The NRA: may inform the public sends an annual summary of breaches to ENISA and to the European Commission Article 4 (e-privacy Directive) Similar types of breaches While the Article 13a serves as model as regards procedures, Article 4 is instrumental as regards content issues Similar content to be reported 8

9 Security requirements for Trust Service Providers Security framework of trust service providers with ca. 60 TSPs interviewed Risk assessment of assets of trust service providers Mitigating the impact of security incidents in trust service providers by using procedures that take into account the need to notify incidents 9

10 Practices of Trust Service Providers Relatively rarely performed Business Risk Assessment (72%), Security Policy at 96% External audit in 89%, only internal 9% Algorithms/key sizes that are most in use include the following: CAs: RSA 4096 (67%), 2048 (52%) Subjects: RSA 2048 (96%), 1024 (33%) Hash CAs: SHA1 (65%), SHA256 (63%) Hash subjects: SHA1 (67%), SHA256 (59%)

11 Estimated impact Impact of incidents [0-10] 10,0 9,0 8,0 8,7 7,0 7,6 6,0 6,7 6,6 5,0 5,7 5,4 4,0 4,7 4,5 4,3 3,0 2,0 1,0 0,0 Compromise of the Certificate Authority Compromise of the Cryptographic Algorithms Compromise of a Registration Authority Compromise of the Revocation Services Personal Data Breach Impersonation Accidental Loss of Availability of the Certification Services Repudiation Claim by Certificate Subject Compromise of a Subject s Key Pair 11

12 EStimated probability Probability of occurrence of attack vectors [0-5] 4,5 4,0 3,5 3,0 2,5 2,0 4,0 3,8 3,5 3,4 3,1 2,9 2,7 2,4 1,5 1,0 0,5 0,9 0,0 12

13 Recommendations for TSPs Trust service providers in the EU and a national regulatory framework Standardisation in the area of trust services Supervision and audit of trust service providers Certification of electronic signature products Cryptographic algorithms in certification services Incident handling procedures

14 Recommended crypto measures References to minimum security requirements for personal data protection, using state-of-the-art techniques How cryptography may contribute to personal data protection Case study on the lifecycle of personal data Classification of attacks leading to data breaches & the technical countermeasures Collaboration with ETSI ESI ETSI TS Algo paper

15 Auditing framework for trust services Overview of the dedicated means of auditing for TSP Subjects discussed Obligations, warranties and liability of TSPs Standards applicable to TSPs and CABs Audit methodologies TSPs documentation (policies, procedures) Implementation Available soon! 15

16 Contact us, work with us Information Security & Data Protection Unit For more information see ENISA s website: Follow ENISA s twitter Follow ENISA: European Union Agency for Network and Information Security