egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

Transcription

1 egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

2 e-government Survey 2014 United Nations Page 2 EGDI: E-Government Development Index

3 National ID & Digital Signature Estonian Prime Minister Andrus Ansip signs an e-services agreement. (Estonian government) Estonia and Finland become first in the world to digitally sign international agreement December Japanese Prime Minister becomes Estonian e-resident Announced April Japan is the first large country who is going to implement a digital personal identification card, following Estonia s example Announced October Page 3

4 Information needs of Gov Services (and almost every business) Information Availability Make Information available for designated users Receive Information Allow Citizens and business to provide information (Fill forms), request and apply for services and perform transactions Processing and Decisions Data Integrity Allow employees and decision makers to process the requests and transactions, and record their decisions proofs to hold citizens, employees and decision makers accountable for the information they provide and the transactions they perform Protect the integrity of information from tampering both in motion and at rest Authorized Access Allow information access to authorized citizens and employees and deny access to anyone else Unified Identity Allow Citizens to use a unified way to prove their identities for various government organizations Data Exchange Exchange data between organizations Page 4

5 Ministry 2 Ministry 1 Manual paper based services Information Availability Authorized Access Document Verification Decisions Process requests Request a Service Provide Information Data Exchange Unified Identity Page 5

6 Ministry 2 Ministry 1 Business Transformation Information Availability Authorized Access Validation Decisions Process requests Request a Service Provide Information Data Exchange Page 6

7 Is it likely to be under Cyber Attack? 100% 317M 1.36M New Malware created in a year According to Symantec Business networks generate malicious traffic According to Cisco Records stolen every day 31% from Government According to Gemalto Page 7

8 How to respond to information security threats? Many techniques, protocols, mechanisms and products beyond the presentation scope Public key Infrastructure (PKI) utilization is a common factor in most if not all information security solutions - SSL/TLS certificates, SSH, IPSEC, S/MIME - epassport - Code signing - PAdES for PDF digital signature - XAdES for XML digital signature Page 8

9 PKI Overview What s PKI? PKI Definition - An approach for protecting data - A set of hardware, software, technical mechanisms, people, policies and procedures that collectively provide a framework for addressing the fundamentals of security PKI Role - The cornerstone in information security - Establishes the trust in electronic data and communication PKI basic capabilities - Protecting data confidentiality (encryption) without the need to have a shared secret - Assurance of data authenticity i.e. data source and data integrity Page 9

10 PKI Fundamentals Key Pair Correlated Randomly Generated Public Key and Private Key - Private Key: - Confidential value not known to anyone - Protected by machine/device and can be only used by its owner - In case of compromise, must be reported immediately to revoke the trust - Public Key: - Not a secret - Shared and published Digital Certificate - Contains the Public Key but not the Private Key - Proof of the certificate holder by a trusted issuing authority - Contains identification attributes of the certificate holder and the issuing authority - Has an expiration date and can be revoked even before its expiration PKI Cryptographic operations - Certificate holder (Private Key): Digital Signature, Decryption - Others (Public key): Verify Digital Signature, Encrypt Page 10

11 Public Key and Private Key a d a6 ad ab 44 f9 3f 43 e1 41 b3 c8 96 ba 8f c 1f c4 8b db 8a 19 0f a9 5e 40 3c fa ea 2c b9 8a 2e 22 fd fa fb e 19 cd 9c 98 bd c1 5e f 60 e4 04 f1 55 f4 75 3e 0a 73 1b b2 1e 7b 43 fe 5b 1b b1 8b 30 6f 6b ac 6c 8f a0 c5 0e 55 2f ac c7 ae ba bb b9 b8 80 3c 6d ed 9c ed a9 e9 aa 9d 3a b ba a 7b 81 0b 9f 2d f1 86 9e d1 dd fa c b b9 2d d7 b6 0c 4a bd a 40 6f e6 75 1e 22 fc e e ea a2 09 e7 a3 5b e5 4c 9b f9 6a c f eb 88 fd e3 d9 04 c1 92 4e ec c2 dc 79 4a 5f bc 6b 76 f2 5f e1 4f 09 1d 38 4e a ce c8 7e e0 4f c0 98 c8 72 1b 5d 06 ee 8b 18 bc d5 1f b1 8e ff c6 62 5c 4f 3e d8 19 ce 9e 8a 0e 00 c ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## Page 11

12 How does the certificate look like Page 12

13 PKI Trust Hierarchy Overview Page 13

14 Kuwait PKI Trust Hierarchy Kuwait National Root CA Government Root CA Private Root CA Oil Sector Root CA MOF CA PAI CA Diyar United CA ABC Co CA KOC CA KNPC CA Page 14

15 Why should we trust the root anyway? Page 15

16 PKI Benefits Signature Document Signing Logical Access & VPN SSO Encryption File Encryption Secure Web Identity Revocation Page 16

17 Sample Applications Page 17

18 Ministry 2 Ministry 1 PKI & Government eservices Information Availability Authorized Access Validation Decisions Process requests Request a Service Fill Information Page 18

19 Why PKI is essential for Smart Governments? Security is a chain. It s as strong as the weakest link Smart Government is Citizen Centric Information is the most valuable asset PKI is used to protect the systems that serves the citizens and manages the Information Assets It s logical to protect as well user identities and information assets PKI is InfoSec Cornerstone User centric egov Information is the most valuable asset Use PKI to protect user identity and information Page 19

20 Common questions about PKI If there is a certificate, Should we trust the identity? - The certificate is only trusted if its issuer is trusted - Certificate revocation status must be checked To build a trusted PKI, we need secure PKI HW and SW. Anything else? - A trusted PKI requires as well trustworthy and knowledgeable people, policies, procedures, physical and logical security controls We have a trusted PKI system, Are we secure? - A trusted PKI system provides trusted certificates. It s the well designed and correctly implemented utilization of the certificates to address a specific security threat that adds protection against this specific threat PKI based security is unbreakable. Isn t it? - It s always a race between attackers and defense systems. It s crucial to keep up to date to remain ahead of attackers. - Sometimes, vulnerabilities arise from mistakes in implementing systems that use PKI certificates. It s crucial to remain alert and apply patches and fixes as soon as they are available Does PKI = Smart Card? - A smart card with cryptographic capabilities is one of the secure options to host PKI keys. There are other options If someone gets access to my certificate, can he/she use it to digitally sign documents under my name? - The certificate doesn t contain the Private Key. The signing process requires the possession of the Private Key. The certificate itself is not a secret and it s shared with others to be able to verify the digital signature you create using your Private Key Page 20

21 Page 21 Thank you