egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO
e-government Survey 2014 United Nations Page 2 EGDI: E-Government Development Index
National ID & Digital Signature Estonian Prime Minister Andrus Ansip signs an e-services agreement. (Estonian government) Estonia and Finland become first in the world to digitally sign international agreement December 10 2013 Japanese Prime Minister becomes Estonian e-resident Announced April 9 2015 Japan is the first large country who is going to implement a digital personal identification card, following Estonia s example Announced October 23 2015 Page 3
Information needs of Gov Services (and almost every business) Information Availability Make Information available for designated users Receive Information Allow Citizens and business to provide information (Fill forms), request and apply for services and perform transactions Processing and Decisions Data Integrity Allow employees and decision makers to process the requests and transactions, and record their decisions proofs to hold citizens, employees and decision makers accountable for the information they provide and the transactions they perform Protect the integrity of information from tampering both in motion and at rest Authorized Access Allow information access to authorized citizens and employees and deny access to anyone else Unified Identity Allow Citizens to use a unified way to prove their identities for various government organizations Data Exchange Exchange data between organizations Page 4
Ministry 2 Ministry 1 Manual paper based services Information Availability Authorized Access Document Verification Decisions Process requests Request a Service Provide Information Data Exchange Unified Identity Page 5
Ministry 2 Ministry 1 Business Transformation Information Availability Authorized Access Validation Decisions Process requests Request a Service Provide Information Data Exchange Page 6
Is it likely to be under Cyber Attack? 100% 317M 1.36M New Malware created in a year According to Symantec Business networks generate malicious traffic According to Cisco Records stolen every day 31% from Government According to Gemalto Page 7
How to respond to information security threats? Many techniques, protocols, mechanisms and products beyond the presentation scope Public key Infrastructure (PKI) utilization is a common factor in most if not all information security solutions - SSL/TLS certificates, SSH, IPSEC, S/MIME - epassport - Code signing - PAdES for PDF digital signature - XAdES for XML digital signature Page 8
PKI Overview What s PKI? PKI Definition - An approach for protecting data - A set of hardware, software, technical mechanisms, people, policies and procedures that collectively provide a framework for addressing the fundamentals of security PKI Role - The cornerstone in information security - Establishes the trust in electronic data and communication PKI basic capabilities - Protecting data confidentiality (encryption) without the need to have a shared secret - Assurance of data authenticity i.e. data source and data integrity Page 9
PKI Fundamentals Key Pair Correlated Randomly Generated Public Key and Private Key - Private Key: - Confidential value not known to anyone - Protected by machine/device and can be only used by its owner - In case of compromise, must be reported immediately to revoke the trust - Public Key: - Not a secret - Shared and published Digital Certificate - Contains the Public Key but not the Private Key - Proof of the certificate holder by a trusted issuing authority - Contains identification attributes of the certificate holder and the issuing authority - Has an expiration date and can be revoked even before its expiration PKI Cryptographic operations - Certificate holder (Private Key): Digital Signature, Decryption - Others (Public key): Verify Digital Signature, Encrypt Page 10
Public Key and Private Key 30 82 01 0a 02 82 01 01 00 84 06 52 99 26 9d a6 ad ab 44 f9 3f 43 e1 41 b3 c8 96 ba 8f 38 88 0c 1f c4 8b db 8a 19 0f a9 5e 40 3c fa ea 2c b9 8a 2e 22 fd 09 34 fa fb 07 51 6e 19 cd 9c 98 bd c1 5e 24 91 2f 60 e4 04 f1 55 f4 75 3e 0a 73 1b b2 1e 7b 43 fe 5b 1b b1 8b 30 6f 6b ac 6c 8f 23 58 a0 c5 0e 55 2f ac c7 ae ba bb b9 b8 80 3c 6d ed 9c ed a9 e9 aa 9d 3a 47 45 1b ba 54 58 1a 7b 81 0b 9f 2d 95 12 52 f1 86 9e d1 dd fa 34 86 81 c0 63 50 26 33 b1 53 66 b9 2d d7 b6 0c 4a bd 28 19 2a 40 6f e6 75 1e 22 fc 18 44 2e 38 99 34 7e ea 80 33 a2 09 e7 a3 5b 35 28 e5 4c 9b f9 6a c3 85 30 1f eb 88 fd e3 d9 04 c1 92 4e 31 65 ec c2 dc 79 4a 5f bc 6b 76 f2 5f e1 4f 09 1d 38 4e 92 32 4a ce c8 7e 73 33 91 e0 4f c0 98 c8 72 1b 5d 06 ee 8b 18 bc d5 1f b1 8e 05 23 ff c6 62 5c 4f 3e d8 19 ce 9e 8a 0e 00 c8 97 02 03 01 00 01 ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## Page 11
How does the certificate look like Page 12
PKI Trust Hierarchy Overview Page 13
Kuwait PKI Trust Hierarchy Kuwait National Root CA Government Root CA Private Root CA Oil Sector Root CA MOF CA PAI CA Diyar United CA ABC Co CA KOC CA KNPC CA Page 14
Why should we trust the root anyway? Page 15
PKI Benefits Email Signature Document Signing Logical Access & VPN SSO Email Encryption File Encryption Secure Web Identity Revocation Page 16
Sample Applications Page 17
Ministry 2 Ministry 1 PKI & Government eservices Information Availability Authorized Access Validation Decisions Process requests Request a Service Fill Information Page 18
Why PKI is essential for Smart Governments? Security is a chain. It s as strong as the weakest link Smart Government is Citizen Centric Information is the most valuable asset PKI is used to protect the systems that serves the citizens and manages the Information Assets It s logical to protect as well user identities and information assets PKI is InfoSec Cornerstone User centric egov Information is the most valuable asset Use PKI to protect user identity and information Page 19
Common questions about PKI If there is a certificate, Should we trust the identity? - The certificate is only trusted if its issuer is trusted - Certificate revocation status must be checked To build a trusted PKI, we need secure PKI HW and SW. Anything else? - A trusted PKI requires as well trustworthy and knowledgeable people, policies, procedures, physical and logical security controls We have a trusted PKI system, Are we secure? - A trusted PKI system provides trusted certificates. It s the well designed and correctly implemented utilization of the certificates to address a specific security threat that adds protection against this specific threat PKI based security is unbreakable. Isn t it? - It s always a race between attackers and defense systems. It s crucial to keep up to date to remain ahead of attackers. - Sometimes, vulnerabilities arise from mistakes in implementing systems that use PKI certificates. It s crucial to remain alert and apply patches and fixes as soon as they are available Does PKI = Smart Card? - A smart card with cryptographic capabilities is one of the secure options to host PKI keys. There are other options If someone gets access to my certificate, can he/she use it to digitally sign documents under my name? - The certificate doesn t contain the Private Key. The signing process requires the possession of the Private Key. The certificate itself is not a secret and it s shared with others to be able to verify the digital signature you create using your Private Key Page 20
Page 21 Thank you