Operating a CSP in Switzerland or Playing in the champions league of IT Security
Agenda
- SwissSign
- Technology
- Products and Processes
- Legal Aspects and Standards
- Business Model
- Future Developments

SwissSign
- Founded in 2001
- Proprietary CA software based on open source
- Since 07/2005 a subsidiary of Swiss Post
- Since 10/2006 ZertES certified
- 21 employees

SwissSign Products
- Certificate Services: personal and SSL certificates
- PostZertifikat: ZertES, ElDI-V and authentication certificates
- IncaMail: confidential message transport
- SwissSigner: digital signature on PDF/A documents
- SwissStick: driverless hardware platform for applications
- Swiss Post Box: electronic delivery of physical mail

A Quick Introduction to X.509
- Characteristics of a certificate
- CA hierarchies

Purpose of a Certificate
- Secure container for a public key
- Issued by a trusted third party
- Issued to a subscriber
- Valid for a limited time
- Usable for a limited purpose
- Information fields

Structure of a PKI
[Diagram: Root CA, Issuing CA, Certificates]
Root CA:
- Self signed
- Offline
Issuing CA:
- Online
- Issues certificates

Technical Issues
- Loss or theft of private keys
- Inadequate algorithms/key sizes
- Incorrect verification (RFC 5280)
  - Path validation
  - Revocation status verification

OpenSSL RNG vulnerability
- Code optimizer removes unused code
- No entropy for pseudo random numbers
- PRNG generated primes can be fully calculated
- CSPs have informed customers about bad keys
Result: Customers are slow to change their keys and certificates. Affected keys are still being used today.

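A toy model of the failure described above, added here as an illustration (not code from the original slides or from OpenSSL): when a generator has only a small number of possible states, every key it can produce can be enumerated once and put on a blocklist, which lets a CSP reject affected keys at registration. The seed space of 2^15, the 32-bit primes, Python's random module as the stand-in generator, and all function names are assumptions constructed for this example.

```python
import hashlib
import random

SEED_SPACE = 2 ** 15  # assumption: the broken generator has only 32768 states

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 2,152,302,898,747."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_keygen(rng):
    """Toy RSA modulus from two distinct 32-bit primes drawn from rng."""
    primes = []
    while len(primes) < 2:
        c = rng.getrandbits(32) | (1 << 31) | 1  # odd, top bit set
        if is_prime(c) and c not in primes:
            primes.append(c)
    return primes[0] * primes[1]

def fingerprint(modulus):
    return hashlib.sha256(modulus.to_bytes(8, "big")).hexdigest()

def build_blocklist(seed_space=SEED_SPACE):
    """Fingerprints of every key the entropy-starved generator can emit."""
    return {fingerprint(toy_keygen(random.Random(s))) for s in range(seed_space)}

def check_request(modulus, blocklist):
    """Issuance-time check: refuse a key that is on the weak-key list."""
    return "reject" if fingerprint(modulus) in blocklist else "accept"

if __name__ == "__main__":  # constructed sample: a key from seed 4242 is refused
    print(check_request(toy_keygen(random.Random(4242)), build_blocklist()))
```
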
Processes of a CSP
- Roles in a PKI
- Certificate Issuance Process
- Revocation Process
- Dissemination of Information

Roles in a PKI
Relying Party
- Communicates with subscriber
- Has no contract with RA or CA
Requester / Subscriber
- Requests the certificate
- Supplies the information
Registration Authority
- May authorize the request
- Obtains necessary authorization
- Verifies the authorization
- Receives the certificate
- Archives the documentation
- Approves the request
Certification Authority
- Holds the CA private keys
- Issues the certificate

Issuance of a Certificate
1. Requester
   - Requests certificate
   - Supplies information
   - Provides authorization
2. RA
   - Verifies information
   - Verifies authorization
   - Approves request
3. CA
   - Issues certificate
4. RA
   - Distributes certificate
5. Subscriber
   - Installs certificate

Security Considerations
- Substantiate the data in the certificate
  - Identity of the individual
  - Authorized use of organization names
  - Authorized use of domain names
- Process quality manages the risks

Revocation
Declare a certificate invalid and prevent any future use of the private key.
Security Considerations
- Denial of service attacks
- Timely processing

Dissemination of information
- LDAP = Certificates and CRL
- CRL = Certificate Revocation List
- OCSP = Online Certificate Status Protocol
- CP/CPS
Security considerations:
- Availability requirements

Products of a CSP
- End User Products
- Managed PKI Solutions

Subscriber Certificates
[Diagram: Customer, CSP, Subscriber, Registration Authority, Certification Authority]

Security Considerations
- Correctness of supplied information
- Validity of authorization
- Quality of the registration process manages the risk and liability

Managed PKI: RA solutions
[Diagram: Customer, CSP, Subscriber, Registration Authority, Certification Authority]

Managed PKI: CA solutions
[Diagram: Customer, CSP, Subscriber, Registration Authority, Certification Authority]

Security Considerations
- Managed PKI requires managing liabilities
- Policies enforce contractual agreements
- Rights and obligations are contractually agreed

Certifications and Audits
- Arguments for Certification
- Browser Trust
- Requirements for Certification

Certificates that require certification
- Qualified certificates
  - Digital signature
- ElDI-V certificates
  - Archiving VAT compliant bills
- EV SSL certificates are required for green address bar

Browser Trust
- CSP must be certified (WebTrust)
- Root CA must be of public value
3 Steps into the Browser
1. Application
2. Approval
3. Deployment

Legal Aspects in Switzerland
- ZertES (Signaturgesetz / digital signature law)
- ElDI-V (Mehrwertsteuer / VAT)
- VwVG (Bundesgesetz über das Verwaltungsverfahren / Federal Act on Administrative Procedure)
- GeBüV (Geschäftsbücherverordnung / business records ordinance)

International laws and standards
International Laws
- EU: Directive 1999/93/EC, A Community Framework for Electronic Signatures
- APEC TEL estg (Asia Pacific Economic Community)
National Laws
- EU: 19 countries
- ROW: 17 countries
International Standards
- ETSI 101.456, 101.862, 102.023, 101.861
- CWA 14169
- ISO 27001
- ITIL (ISO 20000)
- IETF RFC 5280, 3161, 3647, 2797
- RSA PKCS#1-15

Audits
- Initial Audit
  - Preliminary Audit
  - Main Audit
- Annual Re-audit
- Full audit every 3 years
[Diagram: SAS (Schweizerische Akkreditierungsstelle / Swiss Accreditation Service), Certification Bodies (currently KPMG), CSP (Certification Service Providers)]

The Commercial Side of the CSP
- People don't buy certificates, people buy business solutions
- CSPs have high fixed costs: you can't do a little PKI.

SwissSign Approach
- High value business processes
- Part of partner solutions
- Usability of products
- Swiss technology and cryptography
- Certified
- Based on the values of the Swiss Post
- Globally available

Current and Future Challenges for CSP
- Standardization of certificates (CABforum)
- SuisseID
- Health Insurance Card (VK)
- Strength of cryptographic algorithms

SuisseID (standardization still ongoing)
- Part of the 3rd economic stimulus package
  - Subsidize certificate price
  - Marketing measures
  - Deploy certificate based solutions
- Combination of
  - qualified signature certificate
  - authentication certificate

E-Health Market
Health Insurance Card (KVG art. 42a)
- CVC certificates (ech-0064 standard)
- Emergency data stored on chip (VVK)
- Option for X.509 certificates
Health Professional Card (VVK)
- X.509 certificate
- 10 Roles (VVK)
- CVC certificate

Algorithmic strength (BNA)

        < 2007   < 2010   < 2014
RSA     1024     1728     1976
SHA     1        1        224

Impacts on the CSP
- EV SSL certificates must be 2048 RSA starting 2010
- SHA-1 hash algorithm is no longer good enough for qualified certificates
- Microsoft is getting CSPs to discontinue the use of 1024-bit root certificates

Summary
- SwissSign
- Technology
- Products and Processes
- Legal Aspects and Standards
- Business Model
- Future Challenges