Egypt s E-Signature & PKInfrastructure

EGYPT-MCIT ITIDA Egypt s E-Signature & PKInfrastructure Seminar on Electronic Signature Algeria 8-9 Dec. 2009 By: Hisham Mohamed Abdel Wahab Head of the E-Signature CA Licensing ITIDA- MCIT EGYPT Email: hwahab@mcit.gov.eg

Agenda Egypt s PKI Model Operational requirements for CSPs in Egypt Applying ISO 27001 as Main CSP requirements CSPs Auditing Procedures

Background : ITIDA Established in 2004 by law 15, financially supported by IT co s. E-Signature regulator, promoter, and root CA. IPR protector for software and databases (Copy Right Office). Empowers IT companies. Recognizes best practices in E-Content development. Launches E-business initiatives, especially for SMEs Supports R&D.

Background : E-Signature mile stones E-Signature Law issued 2004. Executive directives of the law issued in 2005. 4 CSP (e-signature certificate service providers) are licensed by ITIDA in 2006 Therefore the Root CA & Gov CA tendered in 2006 Root CA started work in Sep 2009 1 st CSP got the official permission to work from ITIDA in Oct. 2009

Background: Getting the experience Germany Ireland Singapore South Korea Malaysia Hong Kong

PKI Model in Egypt.(1/2) ITIDA Licensing Root CA CSP CSP CSP CSP GOV. CA Public Use Gov. employees For public & interaction gov applications For Internal use only

PKI Model in Egypt.(2/2) Regulating E-Signature Information Technology Industry Development Agency (E-Signature regulator) Request for digital certificates Certificate Authorities CSP Digital Certificates Client Organizations

PKI Model in Egypt: Licensing section...(1/2) Managing the application process for CSPs in Egypt. Implement the criteria for licensing CSPs. Auditing the licensed CSPs. Tracking the Technology to guarantee having the most secure e-signature technology.

PKI Model in Egypt: Licensing Section...(2/2) Licensing Requirements Licensing Auditing Awareness Customer services

PKI Model in Egypt : Root CA...(1/2) Operates a Root-CA according to the highest security standards. Offers a continuous 24hx7d operation Personalizes the CA-and other service-chip cards for other CSPs, Operates an electronic directory service that includes the certificates of all licensed CSPs. Achieves the interoperability among CSPs and other countries. Handling the CRLs and E-Signature data of clients in case of licensed CSPs failure

PKI Model in Egypt : Root CA...(2/2) How works? Self Signed Root CA Root CA Certificate Info Root CA's Private Key Root Signature Sub CA Subordinate CA Certificate Info Root CA's Private Key Root Signature Subscriber Certificate Info Subordinate CA's Private Key SubCA's Signature Text Document Subscriber's Private Key Subscriber's Signature

PKI Model in Egypt : Licensed Public CSPs (4) Must be under the Root CA. Provide Gov. and public certificate services, including SSCD. Working as RAs (Registration Authorities). Must full fill with ITIDA requirements. Use the most recognized world wide standards for PKI (2048/4096 Keys- RSA etc). 12

PKI Model in Egypt : Licensed Gov CA (1 CA) Issue certificates to Gov. employees only for internal gov use only & SSCD. Provide Gov. certificate services. Under ITIDA Root CA. Working as RAs (Registration Authorities) for Gov. employees. Must full fill ITIDA requirements. Use Specific type of encryption standards. 13

PKI Model in Egypt : Strategic Decisions...(1/5) The E-Signature Definition in Egyptian market. 1- Only one type of e-signature is considered in front of court 2- Another types, transactions and e-documents are considered just e-document or e- writing 3- Using third level smart card / token as SSCD is must. 4- Physical identification is must. Why?? Avoid conflict, because if one type of e-signature is compromised then the market will think that strong types are compromised too! Strengthen the working environment

PKI Model in Egypt : Strategic Decisions...(1/5) IS E-Signature Digital Certificate Signer Private Key Signer Public Key ALG Syria 8-9 1-2 Dec. July 2009 2008 +Pin Code +Secure pin entry

PKI Model in Egypt : Strategic Decisions...(1/5) E-Signature specification Smart Cards are able to store private e-signature keys for a card holder without delivering the key to the outside world. Therefore the calculation of the signature algorithm as well as its storage is performed in a highly secure environment inside a smart card. Thus, it is required to have smart cards (Reader / Readerless / contactless) which use the most advanced security standard available in the market. -Secure PIN code entry -Complete separation between E-Signature application and any other applications. Security evaluation ITSEC E4 Or NIST FIPS PUB 140-1 Level 2 or higher X.509v3 certificates ISO 7816 Cryptographic algorithms must include RSA, SHA-1 Microsoft PC/SC Recommended : PKCS #11 (interface) Recommended: CAPI Microsoft Cryptographic Recommended : PKCS #15 (syntax standard) ALG Syria KSA 8-9 1-2 15-16 Dec. July Dec 2009 2008

PKI Model in Egypt : Strategic Decisions...(2/5) Gov CA will use its own encryption technique and provide only services for use in internal gov transactions 1- Executive directive mentioned that gov CA could use it own encryption. 2- The services provided by gov CA for use only in internal gov transaction 3- If end user needs e-signature service to be used between gov and private then he must get it from Public CSP 4- Physical identification is must. Why?? To secure the sensitive transactions. To encourage the private investment according to the national strategy.

PKI Model in Egypt : Strategic Decisions...(3/5) ITIDA will run the Root CA 1- ITIDA will be the only body who is running Root CA for PKI in Egypt. 2- The main and backup site of Root CA is responsibility of ITIDA 3- The Root CA will be audited internally by ITIDA auditors, externally by ISO 27001 auditors, and other gov entities Why?? Ensure interoperable environment trust originate from a common Root CA (strict hierarchy model) A subordinate CA will have one superior, and only one Strict hierarchies are appropriate for many enterprises, especially where policy controls are to be enforced in a top-down fashion.

PKI Model in Egypt : Strategic Decisions...(4/5) Facilitating the financial requirements for licensing 1- The Licensee will pay only 0.5 M EGP instead of 1.5 M EGP. 2-20000 EGP as auditing expenses will be paid after 2 years of operation. 3- The payments will be annually instead of quarterly. 4-3% of the revenue will be paid at the end of 2 nd year instead of 1 st year. Why?? Based on companies suggestions and market studies To encourage this new industry

PKI Model in Egypt : Strategic Decisions...(5/5) Leaving the pricing model to the market forces 1- Licensed companies are free to put the price model according to their business model. 2- ITIDA must approve the price list or any modifications prior to publish. 3- ITIDA is responsible for control the pricing competition. Why?? Based on most companies suggestions. Comply with the current Egyptian market.

PKI Model in Egypt : E-Signature, when comes to apply!...(1/4) Applying for the service 1- Physical Identification (applicant must show himself up). 2- Delivering the service : Token/smart card CD - installed keys plus certificate. 3- Help desk and customer support (CSP ITIDA). 4- Providing applications (compatible with ITIDA & CSP requirements). 5- Using the e-signature with applications provided by Gov or CSPs or compatible applications provided by another vendors. 6- Renewing / Update the service, or Change the provider / Terminating the service.

PKI Model in Egypt : E-Signature, When comes to apply!...(2/4) Auditing the service 1- Surveillance and licensing audit by ITIDA. 2-Regular audit by ITIDA. 3- Receiving the complaints and providing support in case of disputes. 4-Setting up the compliance conditions (applications & operational). 5- Renewing / Extending / terminating the license.

PKI Model in Egypt : E-Signature, when comes to apply...(3/4) Proposed Market Applications 1- E-Government (All applications who needs physical existence of the users). 2- E-Tax 3- E-Money (money orders will be collected electronically). 4- E-Banking applications. 5- Stock market. 6- Mobile applications. 7-E-Commerce/Payment. 8- E-education. 9- E-Civil applications. 10- E-Archiving (time stamp is must). 11-E-Contracting. 12-Installed on National ID.

PKI Model in Egypt : E-Signature, when comes to apply...(4/4) Type of certificates Provided by the CSP - E-Signature Certificates (Regulated) for persons and organizations. -SSL. -Code signing certificates.

Current Situation For E-Signature Certificate Service Providers KSA ALG Syria 15-16 8-9 1-2 Dec. July 2009 2008

PKI Model in Egypt : Current Status...(1/2) 4 Licensed companies as CSP (E-Signature Certificates Service Provider). 1 Company finished its infrastructure and is audited, started work in Egyptian market in 1 Oct. 2009 (more than 2000 hours auditing time, team of 13 experts) The Root CA is established in Sep. 2009 The Ministry of finance got the license to provide E-Signature Service to gov. employees for internal transactions only.

PKI Model in Egypt : Current Status...(2/2) 4 Licensed Companies + GOV CA 1-ACT http://www.act-eg.com/ 2-MCDR http://www.mcdr.com.eg/ 3-EgyptTrust http://www.egypttrust.com/ 4-SNS http://www.snsegypt.com/ KSA ALG Syria 15-16 8-9 1-2 Dec. July 2009 2008

Agenda Egypt s PKI Model Licensing requirements for CSPs in Egypt Applying ISO 27001 as Main CSP requirements CSPs Auditing Procedures

Licensing Requirements:...(1) The detailed requirements are listed in License Form at: www.e-signature.gov.eg/materials/license-july-2006.doc (Arabic Language ) - More than 60 Page. - More than 250 item to be satisfied before getting the license - Categorized to financial, operational, technical and administrative. - References: The Law 15, Its Directive, NTRA license, ETSI TS 101 456

Licensing Requirements:...(2) License Sections Operational Financial Technical Legal

Licensing Requirements:...(3) Financial Requirements Insurance of $ 1.5 Million Licensing fee $ 85,000 for 5 years Insurance per certificate $ 200 3% of revenue of licensed services 31

Licensing Requirements:...(4) Technical Requirements Complete PKI infrastructure. Disaster Recovery site. ISO 27001 for Info. Security. PKIX (PKI Based on X.509). Encryption Keys with length 1024-2048. Using Smart Cards as E-Signature creation device (SSCD). 32

Licensing Requirements:...(5) www.e-signature.gov.eg/materials/license-july-2006.doc (Arabic Language )

Agenda Egypt s PKI Model Operational requirements for CSPs in Egypt Applying ISO 27001 as Main CSP requirements CSPs Auditing Procedures

Why Implement an ISMS System? KSA Syria 15-16 1-2 Dec July 2009 2008

Main Requirement ISO27001: Information is an asset...(1/2) Information is an asset, which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities. Quote ISO/IEC 17799-2000(E)

Main Requirement ISO27001: Information is an asset...(2/2) Stored on Computers Transmitted Printed Data Written Fax Microfilm Email Spoken

Main Requirement ISO27001: will satisfy... PROTECTION OF INFORMATION FOR: CONFIDENTIALITY Protecting sensitive information from unauthorised disclosure or intelligible interception INTEGRITY Safeguarding the accuracy and completeness of information and computer software AVAILABILITY Ensuring that information and vital services are available to users when required

Main Requirement ISO27001: Importance for PKI...(1/2) تخريبSABOTAGE MISUSE OF DATA خداع FRAUD VANDALISMتدمير تجسس ESPIONAGE خطأ ERROR NATURAL DISASTER ALG 8-9 Dec. 2009

Main Requirement ISO27001: Importance for PKI...(2/2) ISO27001 is providing complete security management system. Through:- Logical security Application security Physical & environmental security Network Security Personal Security. Need for dual control through third party audit. ISO2001 is complete ISMS, merges between business and technology. ISO27001 needs continual improvements. ALG 8-9 Dec. 2009

Accreditation and Certification for ISO 27001

Accreditation & Certification Everything you wanted to know EA about European accreditation.(in 30 seconds) Conformance at a European Level Accreditation Forum EA 7/02 Accredited by a State Organisation National Accreditation Board National Accreditation Board ISO Guide 66 EA 45012 Certified by a Certification Body European Certification Body ISO 27001 Company Company 2 Company 3 Wishes to be certified to national or international standards

Phase 1 : Pre-Audit Study Phase 2 : On Site Audit Certified Information Security Management System The Certification Process Information Security Management System Certification to ISO 27001 ISMS Standard ALG KSA 8-9 15-16 Dec. Dec 2009 2009

Agenda Egypt s PKI Model Operational requirements for CSPs in Egypt Applying ISO 27001 as Main CSP requirements CSPs Auditing Process

CSPs Auditing Process

CSPs Auditing Process Initiating (planning ) the audit Preparation phase Conducting Documentation review Preparing for Audit activities Conducting audit activities Preparing, approving & distributing the audit report Post Audit Phase Conducting audit follow up

CSPs Auditing Process Initiating (planning ) the audit Conducting Documentation review Preparing for Audit activities Conducting audit activities Scope, Objective, Criteria Determine feasibility & select audit team Write an audit plan Preparing, approving & distributing the audit report Contact the auditee Conducting audit follow up

CSPs Auditing Process Initiating (planning ) the audit Conducting Documentation review Preparing for Audit activities Conducting audit activities Request relevant documents Preparing, approving & distributing the audit report Conducting audit follow up Review prior to arriving on-site Review the previous audit report if any

CSPs Auditing Process Initiating (planning ) the audit Conducting Documentation review Preparing for Audit activities Conducting audit activities Finalize audit plan Preparing, approving & distributing the audit report Prepare work documents Assign audit team Conducting audit follow up

CSPs Auditing Process Initiating (planning ) the audit Conducting Documentation review Preparing for Audit activities Conducting audit activities Opening Meeting Preparing, approving & distributing the audit report Communication during the audit Conducting audit follow up Collecting objective evidences Closing meeting

CSPs Auditing Process Initiating (planning ) the audit Conducting Documentation review Preparing for Audit activities Conducting audit activities Preparing, approving & distributing the audit report Distribute it to the appropriate persons Conducting audit follow up Mention positive & negatives

CSPs Auditing Process Initiating (planning ) the audit Conducting Documentation review Preparing for Audit activities Conducting audit activities Preparing, approving & distributing the audit report Conducting audit follow up

Thank you very much hwahab@mcit.gov.eg www.itida.gov.eg

54

Cyberlaws & ICT-related Laws & Regulations A comprehensive IPR Law (Law No. 82/2002) A comprehensive Communications Act (Law No. 10/2003) An E-Signature law ( Law No. 15/2004) Children Protection Law (2008) Drafts: A Data Protection, Privacy, and Cyber Security law A Cyber Crime law Access to Information Law 55