Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Similar documents
CERTIFICATE POLICY CIGNA PKI Certificates

Public Key Infrastructure

PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

SSL/TSL EV Certificates

CertDigital Certification Services Policy

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

Digital signatures: How it s done in PDF

Apple Inc. Certification Authority Certification Practice Statement

Apple Inc. Certification Authority Certification Practice Statement

TELIA MOBILE ID CERTIFICATE

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

SONERA MOBILE ID CERTIFICATE

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

Certification Policy of CERTUM s Certification Services Version 4.0 Effective date: 11 August 2017 Status: archive

Transforming the Document Signing Process

GlobalSign Certification Practice Statement

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

KeyOne. Certification Authority

TeliaSonera Gateway Certificate Policy and Certification Practice Statement

The Mobile Finnish Identity Certificate

Digitalisation and electronic signatures

AeroMACS Public Key Infrastructure (PKI) Users Overview

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Digi-CPS. Certificate Practice Statement v3.6. Certificate Practice Statement from Digi-Sign Limited.

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

eidas Regulation eid and assurance levels Outcome of eias study

GlobalSign Certification Practice Statement

CORPME TRUST SERVICE PROVIDER

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Certification Practice Statement

Getting to Grips with Public Key Infrastructure (PKI)

ING Public Key Infrastructure Technical Certificate Policy

Electronic and digital signatures in Adobe Sign for government.

An Overview of Secure and Authenticated Remote Access to Central Sites

Adobe Sign and 21 CFR Part 11

SSL Certificates Certificate Policy (CP)

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

Electronic Signature Policy

The SafeNet Security System Version 3 Overview

PKI is Alive and Well: The Symantec Managed PKI Service

Dissecting NIST Digital Identity Guidelines

Certification Practice Statement of CERTUM s Certification Services Version 3.6 Date: 13 of September, 2013 Status: valid

Digital Certificates Demystified

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Certification Authority

Axway Validation Authority Suite

U.S. E-Authentication Interoperability Lab Engineer

KeyA3 Certificate Manager

MUTUAL RECOGNITION MECHANISMS. Tahseen Ahmad Khan

DECISION OF THE EUROPEAN CENTRAL BANK

ODYSSEY. cryptic by intent. Odyssey Certrix FAQs. Odyssey Technologies Ltd

EXBO e-signing Automated for scanned invoices

HARDWARE SECURITY MODULES (HSMs)

SAML-Based SSO Solution

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Afilias DNSSEC Practice Statement (DPS) Version

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

PKCS #15: Conformance Profile Specification

CERTIFICATION PRACTICE STATEMENT OF KIR for TRUSTED NON-QUALIFIED CERTIFICATES

About & Beyond PKI. Blockchain and PKI. André Clerc Dipl. Inf.-Ing. FH, CISSP, CAS PM TEMET AG, Zürich. February 9, 2017

Public Key Infrastructures

SSH Communications Tectia SSH

Oracle Utilities Opower Solution Extension Partner SSO

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Authentication Technology for a Smart eid Infrastructure.

Trusted Identities. Foundational to Cloud Services LILA KEE CHIEF PRODUCT OFFICER GLOBALSIGN

Belgian Certificate Policy & Practice Statement for eid PKI infrastructure Foreigner CA

United States Department of Defense External Certification Authority X.509 Certificate Policy

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

Design and Implementation of a RFC3161-Enhanced Time-Stamping Service

Access to RTE s Information System by software certificates under Microsoft Windows 7

SignCloud. Remote Digital Signature System

Volvo Group Certificate Practice Statement

Symantec Managed PKI Overview. v8.15

Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014

PKI Configuration Examples

The Information Technology (Certifying Authority) Regulations, 2001

EDTA, itext and INBATEK Conference. Bangkok, July 27, 2017

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

Validation Policy r tra is g e R ANF AC MALTA, LTD

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Enabling a World-Class National ICT Sector

ASIA PKI Forum Overcome PKI Deployment Obstacles. Terry Leahy, CISSP Vice President, Wells Fargo Sept 15th, 2003

Electronic Seal Administrator Guide Published:December 27, 2017

Adding value to your MS customers

PKI Credentialing Handbook

SAP Single Sign-On 2.0 Overview Presentation

Identity & security CLOUDCARD+ When security meets convenience

thawte Certification Practice Statement Version 3.4

راهنماي استفاده از توکن امنيتي کيا 3 در نرمافزارهاي مبتني بر PKI توکن امنيتي سخت افزاري

HP Instant Support Enterprise Edition (ISEE) Security overview

Liferay Security Features Overview. How Liferay Approaches Security

X.509 Certificate Policy for the New Zealand Government PKI RSA Individual - Software Certificates (Medium Assurance)

ETSI TS V1.1.1 ( )

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Leveraging the LincPass in USDA

Transcription:

Public Key Infrastructure PKI National Digital Certification Center Information Technology Authority Sultanate of Oman

Agenda Objectives PKI Features etrust Components Government eservices Oman National PKI Hierarchy 2

Agenda PKI Implementations Electronic Identity Gateway Mobile PKI Signature Verification Accreditation Service 3

Objectives Public key infrastructure is a system of policies, procedures, people, hardware, software and services that support the use of public key cryptography to obtain secure communication PKI aims to increase the number of e-services of Government and Private entities to empower the e-government Transformation as PKI provides: Electronic transactions protection against identity fraud Data integrity, data confidentiality, strong authentication, and non-repudiation Trust, confidence and easiness to use online services for citizens and residents 4

About PKI PKI enables the online service providers to identify and authenticate their clients electronically and enables electronic signature for online transactions with nonrepudiation service PKI is security architecture provides an increased level of confidence to exchange information over Internet through the use of public and private cryptographic key pairs PKI leverage Data Protection as it is compliant with e-transaction laws. 5

About PKI PKI enables the online service providers to identify and authenticate their clients electronically and enables electronic signature for online transactions with nonrepudiation service PKI is security architecture provides an increased level of confidence to exchange information over Internet through the use of public and private cryptographic key pairs PKI leverage Data Protection as it is compliant with e-transaction laws. 6

PKI Features Strong authentication to electronic services 1 Mature and proven technology adopted for financial, governments, service providers offering highly and valuable services 6 2 Electronic Signature using private keys securing the data integrity Compliances with Electronics Laws and regulations Leverage Data protection Acts and all around the world. 5 3 4 Encryption to avoid unauthorized disclosure of data using public keys Non Repudiation provides a reliable mechanism using PKI digital signature 7

etrust Pyramid Components Secure eservices & Applications Public Key Infrastructure Trust Services Legal Framework 8

etrust Pyramid Components Legal Framework Oman E-transaction Law/69-2008. Public Key Infrastructure Policies, Procedures, People, Hardware and Software required for to generate, share and manage digital certificates. Trust Services Signature Validation Services, Time Stamping, On Line Revocation Services, Publication of digital certificates and revocation list. Secure eservices & Applications E-Services require strong means of authentication, digital signing and data protection in accordance with the country laws and regulations. 9

Government eservices As Is Manual means of identification and Signature services Limited availability of human resources and time constraints Electronic transaction are not fully compliant with Oman E-Law/69-2008 Limited capabilities for verifying and approving e-transactions Lack of segregation between personal and corporate liabilities Lack of strong mechanisms to protect highly valuable transactions or personal information Roll out Oman PKI People & Organization Policies & Standards Processes & procedures Tools & Technologies Metrics & Measurement To be Electronic means of Authentication and Signature requirements No human intervention and time constraints E-transaction are fully compliant with Oman E-Law/69-2008. Segregation between personal and corporate liabilities using Oman eid, Mobile PKI, or Secure Tokens Strong mechanism to protect digital identities Means to protect and avoid disclosure of data to unauthorized parties Secure single-sign-on for e-government services 10

PKI Hierarchy Level 1: Offline Root CA Level 2: Offline Government CA Commercial CA Level 3: Online Corporate CA eid CA Devices CA Corporate CA Email Encry. Signing Auth Auth Signing SSL IPSec/VPN email Encry Siging Auth Devices CA Individual CA Mobile PKI CA SSL IPSec/VPN Encry. Auth Signing Signing Auth. July 2013 11

PKI Implementations Authentication Electronic Signing Email Signing and Email encryption Server SSL Authentication Client SSL Authentication IPSec VPN Security Time Stamping OCSP Responder 12

Oman National PKI Electronic Identity Gateway 13

Electronic Identity Gateway is a web based application hosted in Oman National PKI Center. Organizations are welcome to integrate their online services to get use of it. Advantages to users IDP Integration Single Sign On -- No need to remember dozen of usernames and passwords. A single authentication will provide access to multiple service providers integrated No need to install any client software in user s computer. End-users can access online services in a secure and convenient way. Advantages to service providers Strong user authentication by a trusted identity provider authority; ITA Transactions performed with non-repudiation service (using electronic signature with time stamping) 14

IDP Integration Service Provider (SP) SSO,SLO,DSS Through the browser Identity Gateway Database Web server Logout Access to eservice Communicate with smart card 15

IDP Integration Authentication Service End user Smart card SConnect Web Browser SP Identity Gateway Open SP website Login request Redirect the request to IDP Signed SAML SSO request Authentication with password/smartcard/usb token Redirect the request to SP Signed SAML response Check SAML response session.put(samlcredential) SP website page Extracting attributes 16

IDP Integration Digital Signature Service Web SP End user Smart card SConnect Browser IDP Submit secure web form to SP Redirect the request to IDP Signed DSS request to IDP Format data to sign Check request is from a trusted party and if user is logged in Digital Signature with smartcard/usb Token Redirect the request to SP Signed DSS response with signature to SP Check DSS response Log signature result Response page verifying certificate used to sign belongs to the currently logged in user 17

Oman National PKI Mobile PKI 18

Mobile PKI ITA Mobile PKI is a solution for mobile authentication and signing by a PIN code using a mobile phone Combines superior security and end user convenience Enables strong authentication and legally binding signatures October 2013 19

Mobile PKI Architecture Service Provider (Bank) Signature request, encrypted Request (SSL) Validation status, Signature (SSL) Mobile PKI solution Public key, private key solution - Private key stored in SIM card - Private key never leaves SIM card - Private key is known by nobody - On-board key generator User PIN - Personal and created by user itself - Used for authentication and signing - PIN never leaves SIM card Signature response, encrypted Validation - Signature validation - Certificate validation - Revocation checking (OCSP) 20

Mobile PKI Integration End User Service Providers Service Provider e.g. Bank Customer Database ITA VSS SDK Integration Library ETSI 102 204 Operator Trust Center Services require strong authentication can be integrated to ITA Signature Server using the ITA VSS SDK library Mobile Activation Client (ITA-VMAC) RSA cryptography for digital signatures User controlled PIN management ITA Messaging Server Card Database Transaction Database ITA Signature Server User Database ITA Registration Server 21

Mobile PKI Transaction Flow 1 Service Provider (Bank) 11 1. Signing or authentication process has been started from Service Provider application. 2. Signature request has been sent to ITA-SS. 3. ITA-SS will enquery subscriber certificate details from ITA-RS. 2 10 4. ITA-RS will return subscriber certificate details to ITA-SS. ITA Signature Server 5 9 4 3 ITA Registration Server 5. ITA-SS will check that returned certificate is valid and will send signature request to ITAMS. 6. ITA-MS will reroute message to mobile phone. 7. User will see signature request and confirm transaction by entering signing or authentication pin. 8. User data is sent back to ITA-MS. ITA Messaging Server 8 6 7 9. ITAMS will reroute data to ITA-SS. 10. ITA-SS will validate signature, check certificate revocation status from CA and send result to Service Provider. 11. User can see certificate details from Service Provider interface. 22

Online signature verification Provides web service interface If successfully verified (signature is trusted) Returns proof of verification (PDF document) No archiving of proof document Else (verification failure) Returns error code. Certify Center uses OCSP and Time Stamping services Supports: CMS Cryptographic Message Syntax, IETF RFC 5652 Derived of PKCS#7 (RSA) Detached or encapsulated PDF Standard ISO 32000-1 ETSI PADES (PDF Advanced Electronic Signature) Embedded signature Signature Verification 23

RA and Sub-CA Accreditation External Registration Authority (RA): An Entity can be accredited as an External RA to manage its own subscribers More convenient for conducting subscribers identifications Registration and Validation Teams will be trained by ITA Entity must be aligned with National PKI policies and accreditation agreement ITA will conduct auditing activities periodically and according to the auditing report, PMC might renew or suspend the accreditation Sub-CA accreditation An Entity can be accredited as a Sub-CA and build its own technical solution Entity must request license according to the licensing processes Entity should meet all the policies and the accreditation agreements approved by ITA ITA will conduct auditing activities periodically and according to the auditing report, PMC might renew or suspend the accreditation 24

Oman National PKI 20.10.13 Thank You

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback