Controller of Certification Authorities of Mauritius

Similar documents
Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

Trustis FPS PKI Glossary of Terms

esign Online Digital Signature Service

Guidelines Related To Electronic Communication And Use Of Secure Central Information Management Unit Office of the Prime Minister

Business Issues in the implementation of Digital signatures

Class 3 Registration Authority Charter

SSLPost Electronic Document Signing

Public Key Infrastructure. A Brief Overview by Tim Sigmon

HKUST CA. Certification Practice Statement

User Guide Supplement. S/MIME Support Package for BlackBerry Smartphones BlackBerry Pearl 8100 Series

Neutralus Certification Practices Statement

Content Teaching Academy at James Madison University

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?

CERTIFICATION PRACTICE STATEMENT UPDATE

Danske Bank Group Certificate Policy

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

Lecture VII : Public Key Infrastructure (PKI)

Installing your Digital Certificate & Using on MS Out Look 2007.

Transnet Registration Authority Charter

Expert Reference Series of White Papers. Fundamentals of the PKI Infrastructure

documents Supplier handbook - Introduction to Digital Signature - Rome, January 2012

Public Key Encryption and Digital Signature: How do they work?

Digital certificates. Name Vivek kumar EM No Subject E-Business technologies Prof. Dr. Eduard heindl

Pre requisites for Digital Signature

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Savitribai Phule Pune University

Eskom Registration Authority Charter

Overview. SSL Cryptography Overview CHAPTER 1

CHAPTER 4 DEPLOYMENT OF ESGC-PKC IN NON-COMMERCIAL E-COMMERCE APPLICATIONS

Digital Signatures on iqmis User Access Request Form

RESEARCH ON DIGITAL SIGNATURE Aanchal Chanana, Akash Sharma, Amit Yadav

Advanced Authentication

Understanding Digital Certificates and Secure Sockets Layer (SSL)

Public Key Infrastructure (PKI)

Public-Key Infrastructure

ING Public Key Infrastructure Technical Certificate Policy

TELSTRA RSS CA Subscriber Agreement (SA)

UNCITRAL United Nations Commission on International Trade Law Introduction to the law of electronic signatures

Understanding Digital Signature And Public Key Infrastructure

Information on secure communication. ALDI SOUTH group

Information Security

ELECTRONIC SIGNATURES FACTSHEET

A simple tscheme guide to securing electronic transactions

Ericsson Group Certificate Value Statement

Public Key Infrastructure for a Higher Education Environment

SEZ SEZ Online Manual Digital Signature Certficate [DSC] V Version 1.2

6. Is it mandatory to have the digital certificate issued from NICCA? Is it mandatory for the sender and receiver to have a NIC id?...

Simple Guide to Digital Signatures

Electronic and Digital Signatures

Public Key Applications & Usage A Brief Insight

Exploring ADSS Server Signing Services

Concept of Electronic Approvals

How To Understand And Understand The Security Of A Key Infrastructure

StartCom Certification Authority

An Act to provide for the facilitation of the use of electronic transactions and signatures and for related matters.

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

User Guide. Digital Signature

CERTIFICATION POLICY OF KIR for TRUSTED NON-QUALIFIED CERTIFICATES

CS 392/681 - Computer Security

Den Gode Webservice - Security Analysis

Secure Data Exchange Solution

Research Article. Research of network payment system based on multi-factor authentication

Key & Data Storage on Mobile Devices

Understanding Digital Certificates & Secure Sockets Layer A Fundamental Requirement for Internet Transactions

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Digital identity: Toward more convenient, more secure online authentication

Land Registry. Version /09/2009. Certificate Policy

TERMS OF USE FOR PUBLIC LAW CORPORATION PERSONAL CERTIFICATES FOR QUALIFIED DIGITAL SIGNATURE

Key Management and Distribution

IT Networks & Security CERT Luncheon Series: Cryptography

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

How To Create A Digital Signature Certificate

1. Lifecycle of a certificate

CERTIMETIERSARTISANAT and ELECTRONIC SIGNATURE SERVICE SUBSCRIPTION CONTRACT SPECIFIC TERMS AND CONDITIONS

Encryption, Data Integrity, Digital Certificates, and SSL. Developed by. Jerry Scott. SSL Primer-1-1

TERMS OF USE TITLE CERTIFICATES FOR ELECTRONIC SIGNATURE

Federal Law No. (1) of 2006 On Electronic Commerce and Transactions

Understanding Digital Certificates & Secure Sockets Layer (SSL): A Fundamental Requirement for Internet Transactions

SBClient SSL. Ehab AbuShmais

How to use Certificate in Microsoft Outlook

ELECTRONIC SIGNATURES AND ASSOCIATED LEGISLATION

Certification Practice Statement

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Securing your Microsoft Internet Information Services (MS IIS) Web Server with a thawte Digital Certificate thawte thawte thawte thawte thawte 10.

LAWS OF BRUNEI CHAPTER 196 ELECTRONIC TRANSACTIONS ACT

to hide away details from prying eyes. Pretty Good Privacy (PGP) utilizes many

Web Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn

Certification Practice Statement

Strong Security in Multiple Server Environments

Electronic And Digital Signatures

Introduction to Network Security Key Management and Distribution

Transcription:

Contents Pg. Introduction 2 Public key Infrastructure Basics 2 What is Public Key Infrastructure (PKI)? 2 What are Digital Signatures? 3 Salient features of the Electronic Transactions Act 2000 (as amended) in Mauritius 3 Salient features of PKI Regulations 4 Financial Standing 4 Operational Criteria 5 Government Certification Authorities 5 Foreign Certification Authorities 5 Summary of the Legal Framework 6 Operational Aspects 6 Management of Certificates 6 Digital Certificates 7 Obtaining a Certificate 8 Certificate Storage 8 PKI Provides Four Security Assurances 9 Confidentiality 9 Digital Signature Generation 10 Verifying a Digital Signature 10 Authenticity, Integrity & Non - repudiation with Certificates 11 PKI based Application 12 Signed and Encrypted Email - S/MIME 12 Securing Online Application with Digital Certificates 12 Typical Scenario 12 mbanking Authentication 13 mbanking: transaction Validation 14 Conclusion 14 Date of Publication: June 2012 1

Mauritian Public key Infrastructure Introduction With the coming into operation of the first Certification Authority (CA) in Mauritius in May 2012, the Mauritian Public Key Infrastructure (PKI) is now operational. This CA will start its operation by issuing digital certificates to Mauritian end-users who will in turn use these certificates to secure their online transactions in a comprehensive manner. The purpose of this guide is to fllag out to the public in general the basic information they need to be availed of in order to understand the PKI concepts so as to be able to make full use of this dedicated security infrastructure which is the PKI. Public Key Infrastructure Basics What is Public Key Infrastructure (PKI)? PKI stands for Public Key Infrastructure, an architecture put in place to prove the identities of people, websites, computer programmes and other applications on the Internet as well to secure online transactions. In simple terminology, PKI can best be described and understood if we make a comparison between the non-electronic and electronic world. In the non-electronic environment Signature of someone represents and validates the person s identity In electronic environment, the reality is that : There is No paper and No pen; Further, the Parties may not even meet each other The solution to address the electronic environment reality is : The use of digital signatures The use of the legislation gives legal sanctity to digital signatures, as: It gives legal sanctity to records, files or documents that are retained in electronic form. Puts in place legal standards for the use of electronic transactions, both in the public as well as in the private sector. 2

What are Digital Signatures? Digital signatures Are not scanned paper-based signatures Mathematically generated through the use of asymmetric cryptosystem Stronger than paper based signatures Tamperproof Also guarantees integrity of the electronic document Digital signatures work on the basis that there is a third party whom both parties trust, who can verify that the electronic signature belongs to the sender, and the digital signature applied by the sender to an electronic message is the same electronic signature which the recipient extracts from the received message. This trusted third party is the certification authority, who is entrusted with the responsibility of verifying the message sender s identity. Salient features of the Electronic Transactions Act (ETA) 2000 (as amended) in Mauritius The ETA clarifies the rights and obligations of transacting parties by setting out provisions dealing with issues related to the formation of electronic contracts. It also gives legal recognition on the use of electronic records and signatures and their secure counterparts. The main features of the ETA are as follows: facilitate electronic communications by means of reliable electronic records; facilitate e-commerce and the promotion of the development of the legal and business infrastructure necessary to implement secure electronic commerce; 3

facilitate electronic filing of documents with government agencies and statutory corporations and to promote efficient delivery of government services by means of reliable electronic records; minimise the incidence of forged electronic records, the intentional and unintentional alteration of records, and fraud in electronic commerce and other electronic transactions; help to establish uniformity of rules, regulations and standards regarding the authentication and other electronic transactions; and promote public confidence in the integrity and reliability of electronic records and e-commerce, and foster the development of e-commerce through the use of electronic signatures to provide authenticity and integrity to correspondence in any electronic medium. Salient features of PKI regulations The Regulations put in place a licensing scheme for certification authorities (CAs). lay down the administrative framework for licensing by the Controller of CAs against payment of appropriate fees. stipulate the criteria for a CA in Mauritius to be licensed/recognised/approved and the continuing operational requirements after obtaining a licence. Criteria against which CAs will be evaluated: their financial standing; operational policies and procedures; and the trustworthiness of their personnel. Financial Standing The licensing scheme is intended for individuals/companies operating in Mauritius. The applicant must demonstrate through submission of its business plan that it has sufficient funds to operate a CA, and have adequate insurance coverage to cover major areas of liability. 4

Operational Criteria Prior to licensing, the applicant must undergo and pass an initial audit to demonstrate that it has met the requirements stipulated in the Act and the Regulation. In addition, the applicant will also be audited for compliance with its own Certificate Practice Statements (CPS). CPS are documents which stipulate the policies and procedures a CA adopts for the certificates it issues. Audits are also required again before a licence can be renewed. Government CAs Under the Act, a public sector agency may be approved by the Minister to act as a CA with the benefits of a licensed CA. With the exception of certain requirements (e.g. financial criteria), the Regulations will also apply to such government CAs. The Regulations which apply to licensed CAs will apply to Government/Approved CAs. Foreign CAs Criteria for the recognition of foreign CAs have been defined so as to ensure international recognition of certificates issued through the Mauritian PKI. The Regulations which apply to licensed CAs will apply to foreign/recognised CAs. This recognition element sets the basis for regional cooperation among SADC member countries to undertake PKI-based secured e-business practices. 5

Summary of the legal framework Electronic Transactions Act and Regulations The ETA and its corresponding Regulations aim to provide a legal framework that will establish trusted CA services in Mauritius, serving both the domestic and international markets. In the long term, they provide the foundation to establish Mauritius as a trusted hub by providing a wide range of security products and services. With a harmonised legal framework within the countries of the SADC region, a common operational framework for the region can be envisaged for cost-effectiveness purposes which can boost regional e-commerce/e-business activities. Operational Aspects How PKI works? The sender, who may be a user or an organisation, first registers with the CA for an electronic identity. This electronic identity takes the form of a certificate (public key) issued by the certification authority and stored by the CA in its online repository. This public key has a corresponding unique electronic key issued to the sender, which is only known to the sender (private key). Like a secret personal code, the sender uses this private key, which is normally stored on a secure device such as a smart card to digitally sign his identity on the message. Upon receipt of a digitally signed message, the recipient consults the CA repository to ascertain the sender s electronic identity. Management of Certificates In a PKI, the Certificate Authority (CA) issues Digital Certificates to applicants. A Digital Certificate on the Internet is similar to an ID card in the real world. The CA also verifies the identity of applicants, and publishes certificates on an on-line repository where people can look up others certificates. 6

The management of certificates is a core function of a CA and is subject to strict requirements. The Controller must approve the methods used by the licensed CA to verify the identity of a subscriber before granting or renewing a subscription for a certificate. In accordance with the provisions of the Act, a licensed CA must also publish: a notice of a certificate suspension or revocation immediately after receiving an authorised request for a certificate suspension or revocation. Digital Certificates A Digital Certificate is an X.509 defined data structure with a Digital Signature. The data represents who owns the certificate, who signed the certificate, and other relevant information. X.509 Certificate CA Authorised Version # Serial # Signature Algorithm Issuer Name Validity Period Subject Name Subject Public Key Issuer Unique ID Subject Unique ID Extensions When the signature is generated by a Certification Authority (CA), the signature can be viewed as trusted. Since the data is signed, it cannot be altered without detection. Extensions can be used to tailor certificates to meet the needs of end applications. Digital Signature 7

Obtaining a Certificate Priv Pub User requests a certificate to CA CA generates certificate Private key and Certificate are sent to the user Pub Certification Authority DS Cert Certificate Storage Typically, private keys and certificates are stored in PC disk memory ( soft certificates ) or externally on user-centric hardware such as a smart card device or a USB token ( hardware certificates ). Mobile phones with PKI enabled SIM. Factors to be considered for storage choice: the value and content of the data, usability, compliance needs, and convenience of accessing the private key and certificate. The decision about how to store certificates and private keys should reflect a pragmatic balance of these factors. 8

PKI Provides Four Security Assurances Confidentiality (The inability to read it other than by the sender and addressee) Authenticity (Assurance of a message source) Integrity (Assurance that a message is unaltered since sent) Non-repudiation (The originator s inability to deny having sent the message) Confidentiality Enabling confidentiality with PKI Clear - text input An introduction to PKI Cipher - text Py75c %bn&*)9l fde^bdzjf@g5= &nmdfgegms Clear - text Output An introduction to PKI Encryption Decryption Recipient s public key Pub Different keys Priv Recipient s private key 9

Digital Signature Generation Message or file This is the document created Message Digest (Typically 128 blts) Py75c%bn Digital Signature 3KJf* $& SHA, MD5 Generate Hash RSA Asymmetric encryption Verifying a Digital Signature This is the document created Calculate a short message digest from even a long input using a one - way message digest function (hash) Generate Hash Signed Document Message Digest Py75c%bn Priv Signatory s private key 3KJf* $& Signed Document Digital Signature?Compare? Pub Asymmetric encryption Py75c%bn Sender s public key (from certificate) 10

Authenticity, Integrity & Non-repudiation with Certificates Alice Alice Pub DS Cert Priv &erd4%@ft% I Like Flowers Certificate is sent for authentication Decrypt using public key in certificate and compare? Bob Alice Pub DS Cert &erd4%@ft% I Like Flowers Bob verifies the digital signature on the certificate He can trust that the public key really belongs to Alice, but is it Alice standing in front of him? Bob challenges Alice to encrypt for him a random phrase he generated 11

PKI - Based Applications Signed and Encrypted Email - S/MIME S/MIME Secure Multipurpose Internet Mail Extensions Prevent email spoofing Helps preventing forged email Helps preventing spam Protect sensitive messages & documents Secure business processes Signed messages S/MIME-based applications Securing online applications with Digital Certificates Typical scenario Citizen connects to server (thru SSL) Client component is downloaded to the citizen s machine Citizen fills form & clicks submit button Citizen uses her private key to sign the data Signed data is encrypted with server public key & sent Server decrypts signed data and performs verification and validation checks Following Validation done Successful check will result in server generating and sending a receipt Date integrity verification Signer certificate is expired? Signer certificate is trusted? Signer certificate is compromised? 12

mbanking Authentication 1. End user accesses bank website with his mobile phone with PKI based SIM Card 2. Bank system sends authentication request to Operator s WPKI server, based on user credentials (phone number) 3. Users enters his authentication PIN 4. Access to the bank service is allowed Please authenticate yourself to enter Bank X Service. Enter PIN **** You are successfully authenticated ok Back ok Back ok An introduction page is shown to the user The user enters his PIN & the signature is sent The user is given feedback on the result of the signing 13

mbanking: Transaction Validation An introduction page is shown to the user Bank X wants you to validate the following transaction 1. 2. Bank sends validation request to Operator s WPKI service The signature process is WYSIWYS (what you see is what you sign) ok Back Money transfer to account: 122345-765475959 12.345.00 Enter Signing PIN **** Transaction Successfully Validated ok Back ok Back ok The text to be signed by the users is displayed Conclusion The user enters his PIN and the signature is sent The user is given feedback on the result of the signing The purpose of this guide is to give an insight into the PKI. Definitions of terms commonly employed have been defined in simple terms. The salient features of the laws related to the PKI are presented. The operating mechanics including typical examples depicting the illustrative uses of PKI have been presented. Please feel free to visit the website of the CCA of Mauritius on http://www.cca.mu for more detailed information on the PKI framework in Mauritius. A Discussion Forum has also been created on the website inviting any views and suggestions that you may have. 14

NOTES 15

NOTES 16 Controller of of Certification Authorities of of Mauritius

Level 12 - the Celicourt -, Sir Celicourt Antelme Street - Port Louis - Mauritius Tel: (230) 211 5333/4 Fax: (230) 211 9444 Email: icta@intnet.mu Website: http://www.icta.mu Email: info@cca.mu Website: http://www.cca.mu

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information