Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman


Agenda
- Objectives
- PKI Features
- eTrust Components
- Government eServices
- Oman National PKI Hierarchy

Agenda (continued)
- PKI Implementations
- Electronic Identity Gateway
- Mobile PKI
- Signature Verification
- Accreditation Service

Objectives
Public key infrastructure is a system of policies, procedures, people, hardware, software and services that support the use of public key cryptography to obtain secure communication.
PKI aims to increase the number of e-services offered by Government and Private entities and so empower the e-government transformation, as PKI provides:
- Protection of electronic transactions against identity fraud
- Data integrity, data confidentiality, strong authentication, and non-repudiation
- Trust, confidence and ease of use of online services for citizens and residents

About PKI
- PKI enables online service providers to identify and authenticate their clients electronically, and enables electronic signatures for online transactions with a non-repudiation service.
- PKI is a security architecture that provides an increased level of confidence for exchanging information over the Internet through the use of public and private cryptographic key pairs.
- PKI leverages data protection, as it is compliant with e-transaction laws.


PKI Features
- Enables strong authentication for the participants requesting electronic services from E-Government agencies.
- Mature and proven technology adopted by financial institutions, governments and service providers offering highly valuable services.
- Digital signing of electronic forms using private keys, protecting the integrity of the data.
- Leverages data protection acts and compliance with a wide range of government electronic laws and regulations all around the world.
- Avoids unauthorized disclosure of personal data by using public keys for encryption.
- Provides a reliable mechanism to support non-repudiation services through the use of digital signature services.

eTrust Pyramid Components (pyramid diagram, top to bottom)
- Secure eServices & Applications
- Public Key Infrastructure
- Trust Services
- Legal Framework

eTrust Pyramid Components
- Legal Framework: Oman E-transaction Law/69-2008.
- Public Key Infrastructure: policies, procedures, people, hardware and software required to generate, share and manage digital certificates.
- Trust Services: signature validation services, time stamping, online revocation services, publication of digital certificates and revocation lists.
- Secure eServices & Applications: e-services require strong means of authentication, digital signing and data protection in accordance with the country's laws and regulations.

Government eServices

As Is
- Manual means of identification and signature services
- Limited availability of human resources and time constraints
- Electronic transactions are not fully compliant with Oman E-Law/69-2008
- Limited capabilities for verifying and approving e-transactions
- Lack of segregation between personal and corporate liabilities
- Lack of strong mechanisms to protect highly valuable transactions or personal information

Roll out Oman PKI
- People & Organization
- Policies & Standards
- Processes & Procedures
- Tools & Technologies
- Metrics & Measurement

To Be
- Electronic means of meeting authentication and signature requirements
- No human intervention and time constraints
- E-transactions are fully compliant with Oman E-Law/69-2008
- Segregation between personal and corporate liabilities using Oman eID, Mobile PKI, or secure tokens
- Strong mechanism to protect digital identities
- Means to protect data and avoid its disclosure to unauthorized parties
- Secure single sign-on for e-government services

PKI Hierarchy (diagram, July 2013)
- Level 1: Offline - Root CA
- Level 2: Offline - Government CA, Commercial CA
- Level 3: Online - Corporate CA, eID CA, Devices CA, Individual CA, Mobile PKI CA
- Certificate uses shown under the Level 3 CAs: email encryption, signing, authentication, SSL, IPSec/VPN

PKI Implementations
- Authentication
- Electronic Signing
- Email Signing and Email Encryption
- Server SSL Authentication
- Client SSL Authentication
- IPSec VPN Security
- Time Stamping
- OCSP Responder

Oman National PKI: Electronic Identity Gateway

IDP Integration
Electronic Identity Gateway is a web-based application hosted in the Oman National PKI Center. Organizations are welcome to integrate their online services to make use of it.

Advantages to users
- Single Sign On: no need to remember dozens of usernames and passwords. A single authentication provides access to multiple integrated service providers.
- No need to install any client software on the user's computer.
- End users can access online services in a secure and convenient way.

Advantages to service providers
- Strong user authentication by a trusted identity provider authority, ITA
- Transactions performed with a non-repudiation service (using electronic signature with time stamping)

IDP Integration (diagram)
Diagram labels: Service Provider (SP); SSO, SLO, DSS through the browser; Identity Gateway; Database; Web server; Logout; Access to eService; Communicate with smart card.

IDP Integration: Authentication Service (sequence diagram)
Participants: End user, Smart card, SConnect, Web Browser, SP, Identity Gateway

Messages, in the order shown:
- Open SP website
- Login request
- Redirect the request to IDP
- Signed SAML SSO request
- Authentication with password/smartcard/USB token
- Redirect the request to SP
- Signed SAML response
- Check SAML response
- session.put(samlcredential)
- SP website page
- Extracting attributes
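The "Check SAML response" step on the SP side, sketched as an added example that is not part of the original slides or of ITA's software. The entity IDs, URLs, request ID and the civilNumber attribute are constructed, and verification of the XML signature against the IDP certificate is assumed to have been done already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(value):
    # Assumes whole-second UTC instants, e.g. 2013-10-20T09:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, request_id, idp, sp, acs_url, now):
    """Return (errors, attributes). Assumes the XML signature has already been
    verified against the IDP certificate; that step is not shown here."""
    root, errors = ET.fromstring(xml_text), []
    if root.get("InResponseTo") != request_id:
        errors.append("not a reply to our pending request")
    if root.get("Destination") != acs_url:
        errors.append("sent to a different endpoint")
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        errors.append("IDP did not report success")
    a = root.find("a:Assertion", NS)
    if a is None:
        return errors + ["no assertion"], {}
    if a.findtext("a:Issuer", "", NS) != idp:
        errors.append("unexpected issuer")
    cond = a.find("a:Conditions", NS)
    window = {} if cond is None else cond.attrib
    nb, noa = window.get("NotBefore"), window.get("NotOnOrAfter")
    if not (nb and noa and _ts(nb) <= now < _ts(noa)):  # policy here: both bounds required
        errors.append("outside validity window")
    if sp not in [e.text for e in a.iterfind(".//a:Audience", NS)]:
        errors.append("assertion issued for another audience")
    attrs = {e.get("Name"): e.findtext("a:AttributeValue", "", NS)
             for e in a.iterfind(".//a:Attribute", NS)}
    return errors, ({} if errors else attrs)  # attributes released only if all checks pass

# Constructed sample response (hypothetical names and URLs, signature omitted)
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req42"
  Destination="https://sp.example/acs">
 <p:Status><p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></p:Status>
 <a:Assertion><a:Issuer>https://idp.example</a:Issuer>
  <a:Conditions NotBefore="2013-10-20T09:00:00Z" NotOnOrAfter="2013-10-20T09:05:00Z">
   <a:AudienceRestriction><a:Audience>https://sp.example</a:Audience></a:AudienceRestriction>
  </a:Conditions><a:AttributeStatement><a:Attribute Name="civilNumber">
   <a:AttributeValue>00000000</a:AttributeValue></a:Attribute></a:AttributeStatement>
 </a:Assertion></p:Response>"""
```

The signature must be verified first and these checks run on the same signed element, and untrusted XML should go through a hardened parser in production.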

IDP Integration: Digital Signature Service (sequence diagram)
Participants: End user, Smart card, SConnect, Web Browser, SP, IDP

Messages, in the order shown:
- Submit secure web form to SP
- Redirect the request to IDP
- Signed DSS request to IDP
- Format data to sign
- Check request is from a trusted party and if user is logged in
- Digital signature with smartcard/USB token
- Redirect the request to SP
- Signed DSS response with signature to SP
- Check DSS response
- Log signature result
- Response page
- Verifying certificate used to sign belongs to the currently logged in user

Oman National PKI: Mobile PKI

Mobile PKI (October 2013)
- ITA Mobile PKI is a solution for mobile authentication and signing by a PIN code using a mobile phone
- Combines superior security and end user convenience
- Enables strong authentication and legally binding signatures

Mobile PKI Architecture
Diagram labels: Service Provider (Bank); Request (SSL); Signature request, encrypted; Signature response, encrypted; Validation status, Signature (SSL).

Mobile PKI solution: public key, private key solution
- Private key stored in SIM card
- Private key never leaves SIM card
- Private key is known by nobody
- On-board key generator

User PIN
- Personal and created by the user
- Used for authentication and signing
- PIN never leaves SIM card

Validation
- Signature validation
- Certificate validation
- Revocation checking (OCSP)

Mobile PKI Integration
Diagram labels: End User; Service Providers; Service Provider (e.g. Bank); Customer Database; ITA VSS SDK Integration Library; ETSI 102 204; Operator; Trust Center; ITA Messaging Server; Card Database; Transaction Database; ITA Signature Server; User Database; ITA Registration Server.

- Services that require strong authentication can be integrated with the ITA Signature Server using the ITA VSS SDK library
- Mobile Activation Client (ITA-VMAC)
- RSA cryptography for digital signatures
- User controlled PIN management

Mobile PKI Transaction Flow
Components in the diagram: Service Provider (Bank), ITA Signature Server (ITA-SS), ITA Registration Server (ITA-RS), ITA Messaging Server (ITA-MS).

1. The signing or authentication process is started from the Service Provider application.
2. A signature request is sent to ITA-SS.
3. ITA-SS queries ITA-RS for the subscriber's certificate details.
4. ITA-RS returns the subscriber's certificate details to ITA-SS.
5. ITA-SS checks that the returned certificate is valid and sends the signature request to ITA-MS.
6. ITA-MS reroutes the message to the mobile phone.
7. The user sees the signature request and confirms the transaction by entering the signing or authentication PIN.
8. The user data is sent back to ITA-MS.
9. ITA-MS reroutes the data to ITA-SS.
10. ITA-SS validates the signature, checks the certificate revocation status with the CA and sends the result to the Service Provider.
11. The user can see the certificate details in the Service Provider interface.

Signature Verification

Online signature verification
- Provides a web service interface
- If successfully verified (signature is trusted): returns proof of verification (PDF document); no archiving of the proof document
- Else (verification failure): returns an error code
- Certify Center uses OCSP and Time Stamping services

Supports:
- CMS: Cryptographic Message Syntax, IETF RFC 5652; derived from PKCS#7 (RSA); detached or encapsulated
- PDF: Standard ISO 32000-1; ETSI PAdES (PDF Advanced Electronic Signature); embedded signature

RA and Sub-CA Accreditation

External Registration Authority (RA)
- An entity can be accredited as an External RA to manage its own subscribers
- More convenient for conducting subscriber identification
- Registration and Validation Teams will be trained by ITA
- The entity must be aligned with National PKI policies and the accreditation agreement
- ITA will conduct auditing activities periodically and, according to the auditing report, PMC might renew or suspend the accreditation

Sub-CA accreditation
- An entity can be accredited as a Sub-CA and build its own technical solution
- The entity must request a license according to the licensing processes
- The entity should meet all the policies and the accreditation agreements approved by ITA
- ITA will conduct auditing activities periodically and, according to the auditing report, PMC might renew or suspend the accreditation

Oman National PKI 20.10.13 Thank You