Application of Public Key Infrastructure in E-Business




A. Kazerooni, M. Adlband, O. Mahdiyar
Department of Electrical Engineering, Kazerun Branch, Islamic Azad University, IRAN
A.kazerooni@kau.ac.ir

Abstract: Public Key Infrastructures (PKIs) are the basis of secure internal communication for an organization. Using PKIs for inter-organizational communication offers many advantages, but the required level of cooperation between PKIs is very difficult to achieve. E-business needs PKIs that work across domains which have different Certification Authorities (CAs), so problems arise from the differing security policies and cryptographic methods used in the PKI of each firm. This paper introduces the public key infrastructure and its implementation requirements for firms, and then investigates the issues of PKI cooperation.

Key-Words: E-Business, PKI, Public Key Infrastructure

1 Introduction

Security is a central concern in electronic commerce and electronic business conducted over the Internet. In 1999, an audit found that, from the CEO's point of view, trust and privacy are the main barriers to e-commerce. E-commerce is broader than simple shopping on the Internet, so e-commerce security is necessary not only for online retail but for every electronic transaction, whether B2C or B2B. PKI technology, built on digital certificates, has been available for more than 20 years. PKI covers the requirements of privacy, data integrity, identification, and access control. VeriSign is the best-known company in the field of PKI management services; its name is commonly seen in the pop-up messages shown while browsing web pages. A simple definition of PKI is the following: a software infrastructure built on public key technology which applies digital certificates and cryptographic algorithms in order to secure data transfer over a public network such as the Internet [3].
A digital certificate is an official document which binds a key to an identity. It carries the following data: the key, the identity, the type of key usage, and the validity period of the document [7].

1.1 Main Components of PKI

A PKI usually has one or more Trusted Third Parties (TTPs), called Certification Authorities (CAs). A CA issues public key certificates (see Figure 1). In general, a PKI consists of a set of CAs, the certificates they issue, the policies for certificate distribution, and the other parties and interface protocols which support the management, issuance and distribution of public key certificates (see Figure 1). There are four main components in a PKI:
- Certification Authority (CA).
- Registration Authority (RA), which checks the content of a certificate and makes sure that it belongs to its owner.
- Repository, for distributing certificates and certificate revocation lists with maximum efficiency and accessibility.
- Archive, for the safe and long-term storage of information [1,7].

2 Smart Cards

In a PKI, unlike other methods of electronic signature, the codes are unique to their owner and to each operation. Digital signatures work as if every smart card contained a printing and stamping machine: they put a distinctive mark on each message or file produced by the card holder. Such digital signatures remain valid indefinitely; that is, the mark can always be evaluated to verify its source easily. To process a digital signature, the receiving software needs a copy of the sender's certificate and a specially identified master code. The master code is used as the root certificate for the evaluation of all certificates in a PKI project. Different master codes define different PKIs. Application software can ship with all the required master codes; alternatively, the required codes can be installed later.
ISBN: 978-1-61804-039-8

Figure 1: Application and certification process [7].

Digital certificates can be revoked electronically at any time. Revocation may be applied when the holder has lost his or her smart card. Alternatively, the certificate of a business can be revoked automatically to cancel its membership or when it is disqualified [2].

3 Fundamentals of PKI Implementation

The steps required to implement an organization's PKI are:
- Step One: Gathering information
- Step Two: Decision
- Step Three: Selection of PKI vendors
- Step Four: Preparing the infrastructure
- Step Five: Implementation of the PKI

3. PKI Interoperability Issues in E-Commerce

The most basic PKI architecture is the single-CA type, in which one CA issues and provides certificate information to all end users of the PKI. Using and managing a PKI in such a "controlled environment" appears relatively simple; it resembles a single organization with several affiliated departments. However, B2B e-commerce requires a more complex PKI architecture with several CAs, since it involves trades conducted with digital tools between partners that usually each have their own CA. Apart from security services, other related factors should also be considered, such as real-time services and the delivery time of products. To meet consumer needs, effective supply chain management is crucial for an e-commerce organization. The general requirements of an organization doing e-commerce are as follows:
- The company should be able to communicate with its suppliers and customers safely and quickly, in order to operate at maximum efficiency and to provide timely services to consumers.
- E-commerce companies should be able to cooperate with other companies to share and exchange information.
To meet these needs, e-commerce organizations should be able to establish secure communication links. For instance, to manage the value chain in real time, a staff member of company A may need to communicate with the financial unit of company B and also with the supply unit of company C. It is quite natural to try to reuse the PKIs already deployed for the internal security of each organization, and there would be enormous potential benefits if such facilities were available. However, the standards required for interoperability of different PKIs are very difficult to attain. A PKI is normally based on a set of rules and a shared understanding of the meaning and use of public key certificates. The rule set may be explicit, such as a certificate policy, and/or implicit, such as a certification practice statement. Rule sets and their interpretations inevitably differ, so difficulties arise in PKI cooperation; that is, the interpretation of a certificate as a component of a PKI is quite confusing. As a result, interoperability has become a serious issue affecting the growth of PKI in e-commerce. There have been efforts to simplify PKI cooperation (PKI Forum, 2001), but the following problems remain:
- Different implementations of X.509.
- Different policies for issued certificates.
- Different requirements for certificate issuance.
- Different liability protection.
- Different properties of PKI applications.
- Different standards for storing and retrieving certificates.
- Different levels of PKI knowledge among organization staff.

4 PKI Interoperability Models

Several models are available for defining communication between CAs, and the choice of model affects interoperability. Three models are usually discussed: the Hierarchical Model, the Peer-to-Peer Model (or Mesh Model) and the Bridge Model. In these models, pairs of CAs have direct relationships. The relationship between two CAs involves the secure exchange of public keys and the construction of a pair of specific public key certificates called cross-certificates. That is, if CAs A and B are linked, then A signs a public key certificate for B, and vice versa. If a client of A (an entity in the PKI domain containing A) wants to evaluate a public key certificate signed by B, it first evaluates the cross-certificate. This validates the public key of B, so the client is then able to verify B's signature on the public key certificate. The cross-certificate concept can be extended to a certificate chain, which evaluates a series of cross-certificates connecting pairs of CAs.

4.1 Hierarchical Model

Many current PKI implementations use a hierarchical scheme of public key certificates, in which a public key is certified by an authority. That authority may itself hold a certificate issued by a higher authority, and the chain of authorities may continue up to the top authority. This is the approach that usually defines the infrastructure of certificate management, or public key infrastructure [3]. In the hierarchical model, all CAs are arranged in a clear and strict hierarchy with a Root CA at the top. Every CA below the root has a superior CA. Therefore, an end user can simply determine a unique chain of certificates and is thus able to evaluate any public key. Although this model is simple and attractive, it is not a model for all real-world situations. A CA hierarchy must correspond to a hierarchy of trust relationships; otherwise, the implementation is not possible (see Figure 4). Trading entities, which are the CA operators of B2B e-business, usually do not belong to a natural hierarchical authority. Thus, the hierarchical model is not simply applicable.
In addition, even if a hierarchy of CAs can be implemented effectively, it places a large load of trust on one point, the Root CA. Note that such a concentration of trust may be inevitable, and it also occurs in the Bridge model [1]. In practice, PKI hierarchies are readily implemented within well-defined administrative domains. The complex operational relationships between the Registration Authority (RA) and the Certification Authority (CA) on one side, and CA-to-CA relationships on the other, raise several challenges in CA communication. Notable problems are Certification Practice Statements (CPSs) and the effective and timely management of certificate revocation lists [3].

Figure 4: Hierarchical Model for CA communication in PKI [4].

4.2 Peer-to-Peer Model (Mesh Model)

The Peer-to-Peer model provides a cross-certificate for each pair of CAs. This closely matches business reality. It probably works well for a small community of organizations (a few CAs) in which each pair of CAs can have one relationship. In this case, an end user only needs to evaluate one cross-certificate (see Figure 5).

Figure 5: Mesh Model for CA Communication in PKI [1].

Unfortunately, this model cannot be used for the many CAs of the complex multinational world of e-business. It is arguable that a relationship is not needed for every pair of CAs, but two problems remain with this model: i) it places an unacceptably large potential load on the end user; ii) through a non-public chain, the effective transfer of trust (as needed for PKI interoperability) is probably low.

4.3 Bridge Model

The Bridge model is roughly a compromise between the two models above. In this model, there are one or more CAs which communicate with the other CAs. A chain of certificates consisting of pairs of cross-certificates is then enough to enable an end user to evaluate another user's public key certificate. This model needs far fewer cross-certificates than the basic peer-to-peer model, and the end user can still build a short, well-defined certificate chain (see Figure 6).

Figure 6: Bridge Model for CA Communication in PKI [1].

The only problem is to determine the proper authority to provide and operate the Bridge CA. Such an organization should have a trustworthy, well-defined relationship with the other CAs. A possible candidate for operating a Bridge CA is a federal government, as with the US Federal Bridge, and there are several positive results from the federal bridge CA. However, such a solution cannot be used for international interoperability.

5 The Goal of PKI Interoperability Issues

The following issues affect PKI interoperability:
- PKI profile standards
- Development and application of the Bridge Model
- Education of personnel in PKI technology
- Rules of industry forums and merchants
- New models for establishing liability transfer
- Certificate translation services
- Government support
- Relationships between Bridge CAs

PKI current situation

After a period of disillusionment, public key infrastructure recovered slowly and steadily around the year 2000. The renewed interest in PKI comes from a better understanding of its unique properties and of the immediate security requirements of many new types of e-business. In Asia, PKI applications are progressing rapidly, driven by many new and important vertical PKI deployments. Certain jurisdictions in the region, including Australia, Hong Kong SAR and Singapore, have been PKI pioneers since the 1990s. Public key infrastructure has had some success across the world in the past 10 years.
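The cross-certificate chain of section 4 and the bridge topology of section 4.3 can be exercised directly with the Go standard library's crypto/x509 package. The following program is an added worked example, not part of the paper or of any project it cites: it creates two independent root CAs (the "master codes" of domains A and B), a bridge CA, the two cross-certificates a relying party in domain A needs (A vouches for the bridge, the bridge vouches for B), and an end-user certificate issued by B, then has a relying party that trusts only A's root build the path. CA names, serial numbers, validity periods and the user name are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is a certificate holder (CA or end user): its private key and certificate.
type Entity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}
const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // a CA may sign certificates and CRLs

// template builds a certificate template; serial numbers and validity periods are constructed values.
func template(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  ku&x509.KeyUsageCertSign != 0, // CA iff it may sign certificates
		BasicConstraintsValid: true,
		KeyUsage:              ku,
	}
}

// certify issues a certificate for key's public key, self-signed (a root CA, the paper's "master code") when issuer is nil.
func certify(cn string, serial int64, ku x509.KeyUsage, key *ecdsa.PrivateKey, issuer *Entity) (*x509.Certificate, error) {
	t := template(cn, serial, ku)
	if issuer == nil { // self-signed: the entity is its own issuer
		issuer = &Entity{Key: key, Cert: t}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer.Cert, &key.PublicKey, issuer.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewEntity generates a key pair and has issuer certify it (a root CA when issuer is nil).
func NewEntity(cn string, serial int64, ku x509.KeyUsage, issuer *Entity) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := certify(cn, serial, ku, key, issuer)
	return &Entity{Key: key, Cert: cert}, err
}

// CrossCertify has issuer sign a CA certificate for subject's existing key: one direction of a cross-certificate pair.
func CrossCertify(issuer, subject *Entity, serial int64) (*x509.Certificate, error) {
	return certify(subject.Cert.Subject.CommonName, serial, caUsage, subject.Key, issuer)
}

// ChainLength is the relying party's check: trusting only root and holding cross, build a path to leaf and return its length.
func ChainLength(root *x509.Certificate, cross []*x509.Certificate, leaf *x509.Certificate) (int, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range cross {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil // certificates from the leaf through the root
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure: key or certificate generation only fails in a broken environment
	}
	return v
}

// BridgeScenario joins two PKIs (CA-A, CA-B) through a bridge CA and reports what relying parties see for a user of CA-B.
func BridgeScenario() (local, bridged int, withoutBridge error) {
	caA := must(NewEntity("CA-A", 1, caUsage, nil))
	caB := must(NewEntity("CA-B", 2, caUsage, nil))
	bridge := must(NewEntity("Bridge-CA", 3, caUsage, nil))
	aToBridge := must(CrossCertify(caA, bridge, 10)) // A vouches for the bridge ...
	bridgeToB := must(CrossCertify(bridge, caB, 11)) // ... and the bridge vouches for B
	user := must(NewEntity("user-in-domain-B", 100, x509.KeyUsageDigitalSignature, caB))
	local = must(ChainLength(caB.Cert, nil, user.Cert))                                       // inside B: user -> CA-B
	bridged = must(ChainLength(caA.Cert, []*x509.Certificate{aToBridge, bridgeToB}, user.Cert)) // from A, via the bridge
	_, withoutBridge = ChainLength(caA.Cert, nil, user.Cert)                                   // from A, no cross-certificates
	return local, bridged, withoutBridge
}

func main() {
	fmt.Println(BridgeScenario()) // the two chain lengths and the verification error
}
```

Inside domain B the user's certificate chains directly to B's root (two certificates, the hierarchical case). From domain A the relying party builds the four-certificate path user, CA-B (as certified by the bridge), Bridge-CA (as certified by A), CA-A; with the same trust anchor but no cross-certificates the verification fails, which is exactly the interoperability gap the paper describes. The reverse pair of cross-certificates (B for the bridge, the bridge for A) would serve relying parties in domain B, so a bridge with n member CAs needs 2n cross-certificates rather than the n(n-1) of a full mesh.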
Although some jurisdictions, such as Australia and America, were quite disappointed, others, such as China and Korea, considered PKI infrastructure necessary for e-business. In Asia, PKI is in an optimal position, but its implementation is difficult and expensive. In particular, regulators are bewildered about their proper duty. PKI licensing programs in places like Singapore, Hong Kong and Australia are not in large demand. All countries should carefully examine the new PKI experience. In particular, they should also make sure they have flexible governmental sites which refer to quality standards for authentication and identification.

6 Current Important PKI Designs

The new way of thinking about PKI is based on prior transactions and relationships between all the parties of structured e-business. Contemporary PKIs almost always consist of closed communities in which all users have a prior business relationship. These are the PKIs that are now making progress. They are vertical in nature, with well-defined areas and strict controls on cooperation. The partners often have predefined relationships, such as governmental certificates, and there are regular legal responsibilities; therefore, PKI implementation is easy. The Asia PKI Forum (APKIF) is a PKI coalition of national associations from China, Hong Kong, Japan, Korea, Singapore, Chinese Taipei and Vietnam. Observers from Thailand and Kazakhstan and the international organizations OASIS (Organization for the Advancement of Structured Information Standards) and ETSI (the European Telecommunications Standards Institute) also attend its activities. Malaysia and India are targeted as member countries. APKIF also links to regional forums in Mexico, South America, Africa and the Middle East. APKIF works in four working groups: Applications and Business, Interoperability and Exchange, Legal Infrastructure, and Global Cooperation.

Their duty is to analyze legal responsibilities in cross-border e-commerce and online disputes. The Pan-Asian e-Commerce Alliance (an Asian business coalition) supervises nine CAs with 260,000 commercial CA digital certificates used in the online documentation of trades between Hong Kong, China, Chinese Taipei, Korea and others [1]. In Korea, six of the largest banks exchange 10 million certificates [2]. In Australia, there is great interest in the issuance of digital "communications certificates" for "known customers", that is, people who are already known to the certificate issuer. This is the new model at the core of the current reforms of the PKI accreditation program in Commonwealth countries [2].

7 Conclusions

E-commerce security is a prerequisite. Good security standards are a prerequisite for trust among economic actors operating in the electronic environment. In fact, security is considered one of the major challenges in both developing and developed countries. In the world of distributed services, the absence of time limits and the network itself create massive numbers of opportunities for vulnerabilities. E-commerce is entering a new generation of digital certificates. Electronic signatures bring a major change in relationships and interactions; with digital certificates, documents are identifiable and traceable. The development of electronic commerce in areas such as transactions between firms is increasing the security demand for digital certificates. More than 80 percent of global e-commerce is based on the B2B model (interaction between firms). By reducing bureaucracy in these interactions, digital certificates help the development of this model and, as a result, macroeconomic prosperity. Using digital certificates, the PKI technology platform regulates Internet transactions and virtual identity authentication. Using PKI for the secure B2B e-commerce arena has many advantages, and many organizations have implemented a PKI to support their internal security functions.
PKI is a business and, like most new information technologies, has its own difficulties. However, the exclusive value of PKI in specific types of online transactions has been widely acknowledged, and today we have a more advanced understanding of PKI. According to Australian IT Security: "the overwhelming experience is that PKI is used for the automation of routine transactions, which draws on existing relationships and creates the most value." Thus, the use of PKI in vertical marketplaces and specific applications is spreading quickly [2]. It therefore remains a goal for the future to deliver an effective public key infrastructure whose data transfer is safe at any time and anywhere and which needs no setup or pre-planned relationship. Serious interoperability problems limit the application of PKI across organizational boundaries. Removing such barriers to cooperation and promoting PKI is critical for the future of B2B e-commerce. In this study, we examined some issues of PKI implementation and cooperation in interactions between firms and provided solutions to deal with them.

8 References

[1] Pita Jarupunphol and Chris J. Mitchell, Information Security Group, Royal Holloway, University of London, "PKI Implementation Issues in B2B E-Commerce", EICAR Conference Best Paper Proceedings, 2003.
[2] Stephen Wilson, Managing Director, Lockstep Consulting Pty Limited, Australia, "The Importance of PKI Today", China Communications, December 2005.
[3] Eric C. Turner, School of Business and Public Management, The George Washington University, "Public Key Infrastructure: Is this Digital ID System Having an Identity Crisis of Its Own?", Decision Line, September/October 2000.
[4] Nura Information Technology Center, Public Key Infrastructure, 87/12/15. In Persian. http://www.utm.ir/articles/faarticles/pki.html
[5] http://www.valsanam.blogfa.com/post-38.aspx
[6] Rahbar Anformatik Services, Application of Electronic Certificate in Applied Systems (Digital Signature). In Persian.
[7] Esfahan University of Technology,  Introduction of Public Key Infrastructure (PKI) and X.509 Standard. In Persian.
[8] Trade Ministry, E-Commerce Development Office, ICT Performance Report and E-commerce, 1384. In Persian. http://prd.moc.gov.ir/to/reports/ministry%20of%20Commerce%20ICT%20Performance%20Report.doc
[9] Fannavaran-e Ettela'at, Interview with the prime manager of e-commerce development, 6th of Aban 1386. In Persian.