A simple tscheme guide to securing electronic transactions




Electronic Transactions

An electronic transaction is best thought of as a type of electronic message that changes the relationship between the sender and receiver in some important way. For example, wishing someone happy birthday is a message, but booking the theatre tickets is a transaction.

Electronic transactions offer speed of execution regardless of distance. They also offer accuracy and precision. The key benefit is a considerable potential for saving time and cost, which is in everyone's interests.

Electronic Security

When we send a message across the Internet, it passes through the hands of unknown strangers. The possibilities for interference are endless. Usually we rely on the sheer volume of messages to hide ours from special attention. This may be good enough for casual messages, but it certainly is not for things of value, in other words for electronic transactions. What we need for our transactions is security:

- Integrity: the content should arrive exactly as sent. If there has been any change the receiver should be alerted.
- Authenticity: the sender and the receiver should be who they claim to be. It should not be possible for someone to impersonate someone else.
- Non-repudiation: we must avoid any later doubt that the sender sent or the receiver received a given message as part of a business transaction.
- Confidentiality (or privacy): if required, only the sender and receiver can read the message. To everyone else the content should be meaningless.

Business operators also have a wide range of responsibilities covering legal, financial and operational aspects of their companies. These include the protection of personal data and the maintenance of accurate transaction records for audit purposes.

Fortunately, there is a way of meeting all of these business requirements through cryptography, the art and science of making electronic transactions secure.

Security and Cryptography

Cryptography deals with ways of ensuring that alterations to messages cannot go undetected, and of providing assurance regarding the identity of a message's originator. It can also deal with ways of scrambling electronic messages so that they become unintelligible to everyone except the intended recipients. However, we do not have to become expert cryptographers to sign and secure electronic transactions.

Identity and PIN Security

An alternative approach in common use employs a name (or other obvious identity) and a unique PIN (Personal Identification Number) which is secret and typically comprises four numeric digits. Sometimes a password replaces the PIN and typically comprises eight or so letters and numbers. However, a truly secure password (one that is not easy to guess or to discover by repeated trial) has to be long and difficult to memorise. PINs and passwords are never long enough to be truly secure.

Since each separate type of transaction is likely to depend on its own particular choice of name and PIN or password, this multiplies the problem of keeping track of all the secret values. The temptation is to record all the combinations on paper, further risking compromise. Hence what appears to be a simple solution quickly turns into a potential nightmare and a security risk.

The solution is to use one single unique identity (your real one) and one complex PIN, derived through cryptography, to create your own digital signature. You can then use this for every transaction. Some websites, for example the UK government gateway, already encourage this approach and it's set to spread. The whole point of digital signatures is to make the handling of identity both secure and convenient.

Digital Signatures

We sign things to show that we agree with them. This has to apply to things which we agree electronically just as much as it does for things on paper. For an electronic transaction, we can use a digital signature. For any form of signature to provide a reliable confirmation of an individual's agreement, it has to satisfy some very important tests:

- It must be uniquely and exclusively connected to the signer. We don't want impersonation.
- It must attach correctly to what is being signed. We don't want fraudulent re-use of old signatures on new documents.
- It must guard against later alteration of what has been signed. We don't want deception.

When correctly used, a digital signature meets all of these tests. In fact, a digital signature can actually provide greater confidence than an ink signature. Not only does it provide integrity, it also applies to every detail of the whole document signed, rather than simply to the last page. To do this, it employs special cryptographic techniques.

The signer holds a digital key which he alone uses, known as his private key. He doesn't allow anyone else to see it or copy it. When he wants to sign an electronic message or document, he uses this private key and his computer system to create the signed message or document. Popular software usually turns this task into simply pointing and clicking at the right moment and inputting a secret pass phrase.

The signer also has a second digital key - his public key - which is uniquely linked to his private key, but this time he makes this public key known to everyone that needs to be able to recognise and validate his signature. Other popular software, using the public key, can then check that something apparently signed by our friend really has been signed by him.

But someone might attempt to fool us into believing that his public key belongs to someone else, and use this to impersonate that someone else. In other words, how do we know that the public key which we've used genuinely belongs to the right person?
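The three tests listed above, and the open question about whose public key we are holding, shown as an added example that is not part of the tscheme guide. It uses textbook RSA over fixed, publicly known primes purely for illustration; the names `make_keypair`, `sign`, `verify` and the two parties are assumptions made for this sketch, and real software uses a vetted library with randomly generated keys and padded signatures.

```python
import hashlib

# Illustration only: textbook RSA built from fixed, publicly known primes.
# Real signing uses random keys and a padded scheme from a vetted library.
E = 65537

def make_keypair(p, q):
    """Return (public, private): public is (n, e), private is (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message, n):
    """Hash the whole message so every byte is covered by the signature."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private):
    n, d = private
    return pow(digest(message, n), d, n)

def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == digest(message, n)

# Constructed key pairs for two hypothetical parties (demo primes, not secure).
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**127 - 1, 2**1279 - 1)

def run_checks():
    order = b"Book 2 theatre tickets, row F, pay 80 GBP"  # constructed sample
    sig = sign(order, ALICE_PRIV)
    results = {
        # A genuine signature validates with the signer's public key.
        "genuine": verify(order, sig, ALICE_PUB),
        # Test 1: tied to the signer; another party's key does not validate it.
        "other_key": verify(order, sig, MALLORY_PUB),
        # Test 2: an old signature cannot be re-used on a new document.
        "reused": verify(b"Book 200 theatre tickets", sig, ALICE_PUB),
        # Test 3: a small alteration to the signed content is detected.
        "altered": verify(order.replace(b"80", b"90"), sig, ALICE_PUB),
    }
    # The open question: a signature made with a different private key verifies
    # perfectly under its own public key. Verification alone cannot say whose
    # key that is; binding a key to a name needs a trusted third party.
    other_sig = sign(order, MALLORY_PRIV)
    results["substituted_key"] = verify(order, other_sig, MALLORY_PUB)
    return results

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:16} {ok}")
```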

Public Key Infrastructures

In the electronic world, one highly effective way of checking credentials (actually someone's public key) is known as a public key infrastructure or PKI. Remember that the adjective "public" refers to the keys and not to the infrastructure.

The crucial point is that, for us to rely on an electronic signature, we have to be certain that the public key associated with the signature genuinely belongs to the person who claims to have done the signing. We can check this using a PKI. For a simple analogy, think no further than referring to a bank for a reference.

This is simply achieved by putting the public key into a tiny electronic document called a digital certificate. The certificate is then signed by the PKI operator or other trustworthy organisation, whose signature can in turn be verified from their own certificate, and so on in a hierarchy of trust.

Although any organisation can operate a PKI for its internal use, it is usual for expert third parties to operate the PKIs which allow organisations and individuals to transact with each other across the Internet. These PKI operators are sometimes known as trusted third parties, although the title "electronic trust service providers" is becoming more popular. But whatever we call them, we have to trust them. Our transactions depend on it.

Electronic Trust Services

Senders and receivers of electronic transactions need to establish trust in each other. Cryptography allows them to do this simply and cost-effectively, by using third parties whom they each trust. Electronic trust services can provide any of a number of useful functions, including the creation, distribution and management of digital certificates on which digital signatures depend to secure electronic transactions.

Electronic trust service providers clearly have to be beyond suspicion regarding the duty of care inherent in their services. tscheme provides significant assurance that this is the case, by indicating through its mark of approval that appropriate service practices apply and are being maintained.

tscheme and Approvals

Technology is never the whole solution. Electronic signatures supported by PKIs ultimately depend on the way humans behave. Those who rely on a service expect and deserve high standards. While it is never possible to eradicate with complete certainty every possible flaw, it is always possible for an electronic trust service provider to adopt current best practice. For the non-expert, there has to be a way of identifying whether a service does indeed follow current best practice criteria. tscheme answers this need.

tscheme describes in public documents what expert practitioners consider to be current best practice for electronic trust services. It recognises independent experts who assess individual services against its published best practice criteria. It then grants approval to those services which meet the criteria, provided that their suppliers agree to continue to operate to the same high standards. Only approved services may display the tscheme approval mark.

This means that tscheme reduces the cost of evaluation (hardly an easy task for the non-expert) in the choice of a service, by ensuring transparency at all stages. The tscheme web site contains details of all the services currently enjoying approval. For each service approved, there is a Grant of Approval naming the service and its provider, providing a short description of the service, listing the best practice criteria which it meets, and setting out commencement and expiry dates. Anyone wishing to validate any claimed approval can do this by visiting the tscheme website.

What To Do

Electronic transactions offer considerable benefits to almost any organisation keen to reduce cost and optimise its service or operations. All organisations should therefore strive to identify the key areas in which electronic transactions could be used. The steps are:

- Assess the risk inherent in the transaction.
- Optimise the process through electronic transactions.
- Identify where digital signatures are required in the process.
- Reduce evaluation time and cost by relying on the tscheme approval process to check for best practice operation.
- Select an appropriate trust service provider by reference to the tscheme approved services directory at www.tscheme.org/directory

Users of electronic trust services should therefore look for the tscheme approval mark, whether they are seeking a provider for a trust service or simply wishing to gain confidence in a service on which they are about to rely.

Those who operate Internet-based businesses should make tscheme approval a procurement condition for their out-sourced provision of all electronic trust services. This is the best way to ensure that what is provided operates as it should and does not introduce hidden risk.

Electronic trust service providers should obtain tscheme approval for their services. While providing a valuable credential in the market place, the rigour of an independent check against best practice criteria helps ensure that everything is in place and operating as it should.

Those with an interest in the rapid growth of electronic transactions, whether public or private sector, whether as supplier or user, should become supporting members of tscheme. tscheme's authority depends on having a wide membership, representing a broad range of interests. Ultimately everyone has an interest in encouraging the growth of electronic transactions, based on a secure and trustworthy foundation.

The complete tscheme Guide to Securing Electronic Transactions (30 pages), together with details of how to join, contribute to or seek approval from tscheme, can be found at www.tscheme.org/library