1. Lifecycle of a certificate



Similar documents
Public Key Infrastructure (PKI)

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

TELE 301 Network Management. Lecture 18: Network Security

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

Controller of Certification Authorities of Mauritius

The Estonian ID Card and Digital Signature Concept

An Introduction to Cryptography and Digital Signatures

Extended SSL Certificates

Key Management and Distribution

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

Key Management and Distribution

7 Key Management and PKIs

Public Key Infrastructure

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

X-Road. egovernment interoperability framework

Part III-a. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Chapter 8 Security. IC322 Fall Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

CSC/ECE 574 Computer and Network Security. What Is PKI. Certification Authorities (CA)

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

TELSTRA RSS CA Subscriber Agreement (SA)

VeriSign Code Signing Digital Certificates for Adobe AIR Technology

Securing your Online Data Transfer with SSL

Content Teaching Academy at James Madison University

NIST ITL July 2012 CA Compromise

Class 3 Registration Authority Charter


Using Microsoft Windows Encrypted File System (EFS)

HKUST CA. Certification Practice Statement

Asymmetric cryptosystems fundamental problem: authentication of public keys

Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008

WHITE PAPER Usher Mobile Identity Platform

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

GEOSURE PROTECTION PLAN

SwissSign Certificate Policy and Certification Practice Statement for Gold Certificates

Secure Data Exchange Solution

Neutralus Certification Practices Statement

Certification Practice Statement

SSL Protect your users, start with yourself

Internet Programming. Security

What is an SSL Certificate?

How To Make A Trustless Certificate Authority Secure

What Are Certificates?

INTRODUCTION TO CRYPTOGRAPHY

Djigzo encryption. Djigzo white paper

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Module 7 Security CS655! 7-1!

An Introduction to Entrust PKI. Last updated: September 14, 2004

Identity Theft PROTECT YOUR INFORMATION AND YOUR IDENTITY HIGHLIGHTS

Information Security

Clearswift Information Governance

Digital Signatures on iqmis User Access Request Form

CSE543 - Introduction to Computer and Network Security. Module: Public Key Infrastructure

Public Key Infrastructure in idrac

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

Introduction to Cryptography

TR-GRID CERTIFICATION AUTHORITY

HMRC Secure Electronic Transfer (SET)

Public Key Encryption and Digital Signature: How do they work?

Workflow Guide. Establish Site-to-Site VPN Connection using Digital Certificates. For Customers with Sophos Firewall Document Date: November 2015

Digital Certificate for Corporate Internet Banking - User Guide

Overview Keys. Overview

Digital certificates. Name Vivek kumar EM No Subject E-Business technologies Prof. Dr. Eduard heindl

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Why Password- Enabled PKI

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

White Paper PalmSecure truedentity

Digital Certificates Demystified

Ericsson Group Certificate Value Statement

Egyptian Best Practices Securing E-Services

Sending s without the risk! Secure Communications with Rohde & Schwarz

What Are They, and What Are They Doing in My Browser?

The Concept of Trust in Network Security

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

Websense Content Gateway HTTPS Configuration

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

Land Registry. Version /09/2009. Certificate Policy

White Paper. The risks of authenticating with digital certificates exposed

eauthentication in Estonia and beyond Tarvi Martens SK

Embedding digital signature technology to other systems - Estonian practice. Urmo Keskel SK, DigiDoc Product Manager

Fraunhofer Corporate PKI. Certification Practice Statement

Transnet Registration Authority Charter

Estonian National CA Policy

CS 392/681 - Computer Security

Transcription:

1 1. Lifecycle of a certificate 1. Client generates Signing Request (CSR) in his secure computer or server where application will be used. Now client has two s a CSR (usually with CSR extension but it can be also with PEM ) and a (usually with KEY, but it can also be with PEM extension). To be precise, Key is used to sign CSR. Generate CSR CSR 2. CSR is being sent to Registry i.e. CA, for example Sertifitseerimiskeskus AS (www.sk.ee) and Key will be stored securely in client s computer. It should never be revealed or shared with anyone even not with Bank. Generate CSR CSR Stored securely in client server CSR is being delivered to CA 3. SK will issue certificate which will be instantly available in their LDAP and OCSP services. When SK is issuing certificate they will always provide it as a, too.

2 Generate CSR CSR Stored securely in client server CSR is being delivered to CA Public key is sent to client CA will issue OCSP service LDAP service 4. Every certificate has it s fixed lifetime B4B certificates for example 3 years this is useful for security purposes, since it can be cracked with computing power with brutal force with that time (3 years) in case the key length is not so long (currently we have 2048 bits). 5. Once certificate is issued and valid, everyone can download public certificate from LDAP service and check certificate data name, owner, expiration, etc. It is useful to check certificate status whether it is stolen or not. Everyone can also check this certificate against OCSP service to see if the certificate is valid or not. While certificate is used for signing purposes, OCSP service is used to add a timestamp to the signature that confirms the validity of a signature (that it was valid in specific time) that will add legal power to it every given signature is also stored in Sertifitseerimiskeskus AS log s that means, the security is very high.

3 Authority (SK) key is the only identifier of Owner i.e. key is your Digital Identity keep it secure! For signing documents, OCSP confirmation will be necessary to take Owner In Swedbank Gateway we enable clients to authenticate with B4B certificates OCSP service LDAP service Can sign documents Can decrypt documents sent only to him Authenticate Is certificate valid (active)? Check adressee to send encrypted DDOC: Signed CDOC: Encrypted Anyone 6. When certificate is stolen or compromised, the owner can close it. In case of Swedbank B4B certificates, clients should call to bank and bank will close it from Sertifitseerimiskeskus. 7. When certificate expires, new certificate should be ordered process starts from the beginning from making new CSR. The same data can be used in CSR but it will be DIFFERENT certificate. Both parties have to update their info-systems with new certificate then. 2. PKI in a nutshell Why do we need PKI? One of the main challenges in the Internet is how to identify other persons. Identity thefts. Computer viruses, man in the middle attacks and phishing attempts are becoming more and more common and threatening, therefore additional security measures are required, when confidential information is being exchanged. Currently the best solution to this problem is using Infrastructure (PKI). How can I believe you? Hi, I m Bob. Internet PKI will add neutral and trustworthy third party to the picture and the main goal is to help identifying persons. It is quite similar to State ID system where state officer identifies a person

4 and the issues a passport. Thank you. Now I can believe that you are Bob. Well here is my passport you can compare it s data (photo, DNA, fingerprints etc) with me. Passport Issued by state How PKI works? In Internet, there are Authorities (CA) and Registry Authorities (RA) who can issue Electronic ID-s which are called s. CA will issue the certificate and RA will identify it s owner. CA and RA are usually the same institution but they can differ too. What can I do with your certificate? Please read further it is not so simple. Issued by CA The term can mean different things generally a certificate has two parts Public.Key and Key. can be shared with everyone - it can be used for following purposes: Grant authentication permissions (allow access for someone) Check who has Signed a document Encrypt messages that are addressed only to certificate owner can be accessed and downloaded from LDAP services at any time it acts as a white pages for certificates Key should be kept in secret and by no means shared or revealed to anyone (even not to Bank) - it can be used to identify that the certificate owner is really you in following occasions: Authenticate yourself (prove that you are really you, get access somewhere) Sign a document in order to do that, OCSP confirmation of signature s validity at certain time will be also added into document. Decrypt messages sent to you by other people

5 Authority (SK) I can confirm that the owner of this certificate is Bob: - when I issued it, I identified Bob - he hasn t closed it, so I assume it is not stolen I can get Bob s certificate and check if document is signed by Bob. I can send encrypted messages to Bob and grant permissions. Is certificate valid (active)? Who is owner? Check who has signed document OCSP service DDOC: Signed LDAP service OCSP confirmation of signature s validity is stored in document and also to OCSP log s Give Signature By having key (and it s protection PIN code) I can prove to others that I am the owner of my certificate i.e. others can trust me. Encrypt document to adressee CDOC: Encrypted Open encrypted s Grant some permissions to owner of this certificate Any system Authenticate himself (access systems) There are so many different certificates It is very important to determine who is the CA (the issuer) of the and what Policies (i.e. procedures) they do follow in order to issue a certificate. The more formal and strict the policies are, the more one can rely on the owner of the certificate. The main risk here is that actually anyone can become CA and issue certificates it is OK until two persons agree between each other, how to identify each other in Internet. The more reliable the CA is (for example state compared with private company), and the more precise procedures are followed when issuing a certificate, the more trustworthy a certificate is. Since everyone can issue certificates and only some CA s are really trustworthy, certificate CN (Common Name) matters only if it comes from reliable source. For example what makes Estonian ID-Card quite secure electronic ID (E-ID)? Those certificates can be issued only on physical security devices - every ID Card has a chip on it. s are stored in non-reproduceable manner one can be confident that there exists only one certificate like this. The owner of the certificate is being validated physically, before this device with certificate is handed over. Procedures followed here are with quite similar security as when issuing a passport for a private person. It is also backed up with legal force

6 3. In Swedbank Gateway what certificates are used? There are three types of certificates used in SGW: 1. ERP certificate that identifies that messages are sent by client s ERP (e.g. information system) to Bank. Bank uses this certificate to address all encrypted information that is being sent to client (only client can see the content). This certificate is issued by SK under B4B pro, therefore it is sometimes also called as B4B certificate. This certificate is issued from KLASS3 root. Read more about SK s certificate policies - http://www.sk.ee/en/repository/cp/ Since certificates are valid only for certain period, client has to monitor the validity of certificate and get new certificate when it will expire. For mission critical systems where interruptions are not allowed, therefore support of two certificates, can be planned during the switching period. Client should immediately inform Bank in case certificate private key has leaked or been compromised and certificate will be closed. In Lithuania, we also support ERP certificates that are being issued by Lithuanian Registru Centras - http://www.registrucentras.lt/rcsc/index_en.php 2. Transport certificate Transport certificate is being used in order to authenticate communication session from client s information system to SGW channel. In most cases when customer is connected directly to SGW channel (without other middle-man service providers), there is no need for separate certificates and only one certificate is being used i.e. ERP certificate also has the role of a transport certificate. 3. Signing certificate signing certificates are used for signing payments in SGW channel. Signing certificates should always be on a physical device (i.e. they are nonreproduceable) and issued by a CA that bank trusts. Signing certificates should always be issued to a person and not to organization. Signing certificates should always have non-repudiation key-usage. Currently accepted Signing certificates in SGW channel: o Estonian ID cards o Estonian Digi-ID o Estonian Mobile-ID (M-ID) o Lithuanian ID cards o Lithuanian Mobile-ID o Soon to be supported: Finnish E-ID In similar way, all SGW client s have to trust and monitor Bank s certificates: 1. Channel website certificate since SGW uses HTTPS connection with clients, we identify this by our website certificate, which in case of SGW is issued by SK. 2. Bank s public certificate which is used to sign all outgoing messages, so that clients can verify that all information is sent by Bank. All messages that clients are sending to Bank, will be encrypted addressing to Bank s public certificate so that only Bank can open them. Information regarding Bank s currently valid certificate is provided to you with SGW development toolbox. Since Bank s certificate is valid only for certain period, clients should be aware and plan tasks required on their side to update Bank s certificate. Since certificates can be issued from new roots, that may also mean trusting new root level certificates of CA.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information