A National Public Key Directory

Similar documents
Verifying emrtd Security Controls

Experiences of w S itz w e itz rland

The epassport: What s Next?

VALIDATING E-PASSPORTS AT THE BORDER: THE ROLE OF THE PKD R RAJESHKUMAR CHIEF EXECUTIVE AUCTORIZIUM PTE LTD

Copyright

This paper focuses on the issue of increased biometric content. We have also published a paper on inspection systems.

AeroMACS Public Key Infrastructure (PKI) Users Overview

EU Passport Specification

September OID: Public Document

Future Expansion for emrtd PKI Mark Joynes, Entrust

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

Introduction to Electronic Identity Documents

Certification Authority

Whitepaper: GlobalTester Prove IS

A Trust Infrastructure for epassports

How To Secure Electronic Passports. Marc Witteman & Harko Robroch Riscure 02/07/07 - Session Code: IAM-201

LDS2 Concept and Overview: Exploring Possibilities in Travel Border Clearance

Conformity and Interoperability Key Prerequisites for Security of eid documents. Holger Funke, 27 th April 2017, ID4Africa Windhoek

2 Electronic Passports and Identity Cards

The New Seventh Edition of Doc Barry J. Kefauver Nairobi, Kenya November 2015

E-Passport Validation: A practical experience

Apple Inc. Certification Authority Certification Practice Statement

QuoVadis Trustlink Schweiz AG Teufenerstrasse 11, 9000 St. Gallen

Apple Inc. Certification Authority Certification Practice Statement

Technical Trust Policy

Certification Practice Statement of the Federal Reserve Banks Services Public Key Infrastructure

Roadmap for Implementation of New Specifications for MRTDs

Apple Inc. Certification Authority Certification Practice Statement. Apple Application Integration Sub-CA Apple Application Integration 2 Sub-CA

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

Introduction of the Seventh Edition of Doc 9303

Managing Certificates

PCI DSS Compliance. White Paper Parallels Remote Application Server

PKI-An Operational Perspective. NANOG 38 ARIN XVIII October 10, 2006

An Overview of Secure and Authenticated Remote Access to Central Sites

Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates

Microsoft Exam Windows Server 2008 Active Directory, Configuring Version: 41.0 [ Total Questions: 631 ]

Volvo Group Certificate Practice Statement

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.10 Effective Date: June 10, 2013

TECHNICAL ADVISORY GROUP ON MACHINE READABLE TRAVEL DOCUMENTS (TAG/MRTD)

The EAC for MRTD. 26 January 2010

ICBWG Guide on Procurement of MRTD-related Systems Introduction to the What and the Why of the Guide

ING Corporate PKI G3 Internal Certificate Policy

Security Mechanism of Electronic Passports. Petr ŠTURC Coesys Research and Development

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

CSE 565 Computer Security Fall 2018

XenApp 5 Security Standards and Deployment Scenarios

FPKIPA CPWG Antecedent, In-Person Task Group

PAA PKI Mutual Recognition Framework. Copyright PAA, All Rights Reserved 1

Prototype PKD Interface Specification

Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010

ING Public Key Infrastructure Technical Certificate Policy

Security of Biometric Passports ECE 646 Fall Team Members : Aniruddha Harish Divya Chinthalapuri Premdeep Varada

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations

Symantec Managed PKI Overview. v8.15

SFT User Manual C:D. Secure File Transfer with Connect:Direct. Document date: 15 November 2016 Classification: Open Version: 4.0

TELIA MOBILE ID CERTIFICATE

KeyOne. Certification Authority

Authenticating SMTP Sessions Using Client Certificates

Biometric Passport from a Security Perspective

SSL/TSL EV Certificates

This is an HTML working draft that led to an article publication. A reference to this work should always be done using the following citation:

BlackVault Hardware Security Platform SECURE TRUSTED INTUITIVE. Cryptographic Appliances with Integrated Level 3+ Hardware Security Module

Version Date Description / Status Responsible V0.1 20/12/2004 TOC KVA V0.2 10/01/2005 First Draft JBL V1.0 25/01/2005 Final version WCL

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

Thirteenth Symposium on the ICAO Traveller Identification Programme

EXPOSURE DRAFT. Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.

DIGITALSIGN - CERTIFICADORA DIGITAL, SA.

Independent Accountants Report. Utrecht, 28 January To the Management of GBO.Overheid:

MCSE Server Infrastructure. This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams

CERTIFICATE POLICY CIGNA PKI Certificates

SONERA MOBILE ID CERTIFICATE

BT Managed Secure Messaging. Non-Repudiation Policy

Google Cloud Platform: Customer Responsibility Matrix. December 2018

CertAgent. Certificate Authority Guide

Enterprise Certificate Console. Simplified Control for Digital Certificates from the Cloud

An Overview of Electronic Passport Security Features

PostSignum CA Certification Policy applicable to qualified certificates for electronic signature

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

dataedge CA Certificate Issuance Policy

Canada Education Savings Program

Security Target Lite SK e-pass V1.0

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

egov & PKI By: Alaa Eldin Mahmoud Aly YOUR LOGO

THE BUSINESS VALUE OF EXTENDED VALIDATION

Federated Access. Identity & Privacy Protection

Configuring SSL CHAPTER

Overview of cryptovision's eid Product Offering. Presentation & Demo

Certification Policy of CERTUM s Certification Services Version 4.0 Effective date: 11 August 2017 Status: archive

Digi-CPS. Certificate Practice Statement v3.6. Certificate Practice Statement from Digi-Sign Limited.

Towards a more secure and scalable verifying PKI of emrtd

ACCP-V6.2Q&As. Aruba Certified Clearpass Professional v6.2. Pass Aruba ACCP-V6.2 Exam with 100% Guarantee

Cryptography and Network Security

CoSign Hardware version 7.0 Firmware version 5.2

The Future of Smart Cards: Bigger, Faster and More Secure

Technical Guideline TR eid-server. Part 2: Security Framework for eid-server operations

THE WALT DISNEY COMPANY PUBLIC KEY INFRASTRUCTURE CERTIFICATE POLICY. November 2015 Version 4.0. Copyright , The Walt Disney Company

What is a Digital Certificate? Basic Problem. Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Transcription:

A National Public Key Directory Version 1.0 definite Date 21 July 2015 Author Jeen de Swart Judicial Information services Ministry of Security and Justice, Netherlands

ABSTRACT This white paper is about a possible setup of a National Public Key Directory (NPKD) containing Certificates for all kind of e-documents (like e-mrtd, e-residence Permit, e-driver License, et cetera). The responsibility for such a NPKD is a National Government. As national trustworthy source these certificates can be provided to the national borders for checking e-documents like Automatic or Assisted Border Control (ABC) gates. Beside the national borders these certificates could also be provided for (Military) Police Control, Immigration Services or Commercial Purposes. This document describes a possible infrastructure with some components without any vendor named or commercial influences. The benefit of a NPKD is the fact that a responsible government is in charge of providing necessary certificates as a trustworthy source to national- and commercial bodies with the purpose of checking the genuinity of the e-document chips content. It s up to the national government to decide to which bodies these certificates or part of the certificates - are provided. A NPKD is part of a total (private) infrastructure which serves different domains (for different inspection bodies or organizations) each disclosed by a National Single Point of Contact (NSPOC). Not only the NPKD but also the Verification PKI necessary for the private sensitive information on the e- document chip can be disclosed through a NSPOC and even the possibility of necessary registers or databases. Terminals (devices with an e-document reader) can be managed by a Terminal Control Center (TCC). These TCC s are connected to the domain s NSPOC and have a specific interface specification to provide all the necessary functionality to the terminals like providing the certificates from the NPKD. To be a trustworthy provider of certificates through a National Public Key Directory a government must have an organization of trustworthy employees with enough skills, awareness and knowledge. Procedures must be in place before adapting certificates into the NPKD. To be trustworthy, Risk Management must be an overall adaption. Invited and encouraged by the ICAO PKD Border Engagement Subgroup (as mentioned in the ICAO PKD paper B-Pub/56) the delegation of the Netherlands was delighted to create this white paper. The Netherlands will present this paper with examples on the ICAO PKD meeting of October 2015 in Montreal. 2

INDEX ABSTRACT... 2 INDEX... 3 THE ARCHITECTURE... 4 THE INFRASTRUCTURE... 6 THE ORGANIZATION... 6 THE SETUP AND COSTS... 7 APPENDIX 1, CONNECTCA... 8 APPENDIX 2, OVERVIEW NPKD... 10 APPENDIX 3, GOVERNANCE RESPONSIBILITIES AND ROLES... 11 APPENDIX 4, TERMS AND ABBREVIATIONS... 12 3

THE ARCHITECTURE A National Public Key Directory (NPKD) is a LDAP Directory containing national and international certificates from the signing hierarchy of e-documents. These certificates are necessary for terminals (devices with e-document readers connected) to check the genuinity of e-documents (called Passive Authentication). A NPKD can contain certificates (CSCA certificates and DS certificates), Certificate Revoke Lists (CRLs), Masterlists and Defectlists. Masterlists and Defectlists can be seen as a signed container of certificates. The responsibility of a NPKD is a National Government. The National Public Key Directory is a trustworthy source for the Inspecting Bodies like Border Control. The process of importing certificates into the NPKD is never automatic. There is a role of a NPKD Manager who is responsible for the import of certificates. Masterlists and Defectlists are available from trustworthy sources (like ICAO PKD) but it is the NPKD Manager (as Governmental Employee) who decides which certificate will be imported. The same responsibility is there for importing certificates from bilateral sources or websites. A Government should have a Policy Authority as a responsible body who has the governance for the process of importing and how the NPKD Manager should handle the certificates. With these procedures the NPKD Manager is able to import certificates. A part of this procedure is to check the NPKD certificates against the ICAO 9303 specifications. It is the NPKD Manager who decides within the NPKD for which Inspection Body the certificates are available. A NPKD is part of a total (private) infrastructure which serves different domains (groups of inspection bodies with a same functionality) each disclosed by a National Single Point of Contact (NSPOC). For example: Border Control NSPOC as inspection bodies are connected to one NSPOC and National Police Force as inspection bodies are connected to another NSPOC both getting different or the same certificates. NSPOC s can be seen as virtual querying users to the NPKD. The communication to and from the NPKD is always secure using special certificates. The NPKD is manageable through a Graphical User Interface (GUI) which can be a web interface with a connection for the NPKD management. This is also a secure connection using special certificates. For the purpose of all secure connections the responsible Government could produce TLS certificates them with an own, so called, CONNECTCA. A possible solution for such a CONNECTCA is given in Appendix 1. This solution is part of the security and input for a Risk Analysis. 4

If in a domain (group of inspection bodies with a same functionality) verification of private information (like fingerprints) in the chip DVRA is necessary for inspection purposes then the NSPOC can also be connected to the Document Verifier Registration Authority (DVRA). From this server the NSPOC necessary certificate chain for the Inspection Systems (IS) will be provided. The connection between the NSPOC and DVRA is a secure connection with TLS certificates from the CONNECTCA, see Appendix 1. The NSPOC delivers a secure web service with SOAP messages which can provide the Signing Certificates (CSCA s and DS ), CRL s, Masterlists and CA Chains (for verification PKI). Within this document we will not describe the complete functionality of the Verification PKI. From this point the white paper describes the example of Border Control with Terminal Control Centers (TCCs) which are connected to the NSPOC. In fact there are mostly two possibilities of terminals NSPOC RF01 - Router/Firewall (devices with e-document readers connected, like PublicNet: w.x.y.z IS_VLAN: 192.168.2.1 ABC gates) for Border Control. The manufacturer of the terminals delivers his own TCC or the manufacturer of the terminals depends on a ISMC IS Man. Console central TCC, see Appendix 2. In both cases there is IS_VLAN: 192.168.2.30 an Interface Specification for the necessary SOAP IS01a Inspectie Systeem IS01b Inspectie Systeem IS_VLAN: 192.168.2.20 IS_VLAN: 192.168.2.21 messages. A dedicated TCC consists at least two Inspection Systems (IS) and a Management IS_VLAN (3) console for the Inspection Systems (ISMC). The IS SW01 - IS Switch IS_VLAN (3) IS_VLAN (3) contains a certificate store of CSCA s and CRL s IS_VLAN: 192.168.2.2 IS_VLAN(3) IS_VLAN (3) (synchronized with the NPKD) and can contain LAN: IS_VLAN (3) LAN: IS_VLAN (3) Hardware Security Modules (HSM) for the verification chain (EAC PKI). The most common LB01 Load Balancer LB02 Load Balancer Shared_LAN: Shared_LAN: practice is that the ABC systems only needs the 192.168.2.10 IS_VLAN (3) 192.168.2.10 Shared_WAN: public-ip Shared_WAN: public-ip WAN:192.168.3.20 WAN:192.168.3.21 Country Signing Certificates (CSCA s) and for secondary inspection the Verification Chain (for RF02 Router/Firewall WAN: TERM_VLAN (4) WAN: TERM_VLAN (4) fingerprint inspection). A TCC is a secure black IS_VLAN: 192.168.2.3 TERM_VLAN: NONE Term-LAN:a.b.c.d box with two Router/Firewalls, one with a secure connection to the NSPOC and the other with secure connections to the terminals (devices with SW02 - IS Switch IS_VLAN: 192.168.2.4 e-document readers connected, like ABC gates). These secure connections are using TLS certificates from the CONNECTCA, see Appendix 1. Which Terminals functionality per terminal is allowed (in SOAP messages) can be managed by the ISMC. In the case of ABC systems there are two possibilities for getting the CSCA s and CRL s. There is a pull mechanism: the ABC gates implemented the interface specifications and asked (pull) for the certificates and CRL s every half an hour, or there is a push mechanism: the ABC gates are Web Service activated, implemented the interface specifications and 5

besides asking (pull) for the certificates, from the NPKD the certificates can be pushed to the ABC systems. It depends on the manufacturer of the ABC gates which mechanism can be implemented. THE INFRASTRUCTURE The systems described in the Architecture (see Appendix 2) needs to be placed in a secure environment. This can be done by creating several segmented and separated environments by VLAN s (Virtual Local Area Networks). VLAN s are mutually isolated and can only SERVICES be accessed by PUBLIC Private Routers and Firewalls. This solution is a part of the security and DMZI input for a Risk PROD ROOT MGMT ACPT Analysis. Within this architecture there is a WRKS demilitarized zone (DMZ) for the systems connecting to the private or public network (for example the NSPOC), a ROOT environment for example the Root CONNECTCA, a Production environment (PROD) for the NPKD, a Management environment (MGMT) for the Monitoring and Administrating systems and a Preproduction environment (ACPT). Besides these environments there is a Specimen environment (TEST) for creating, testing and developing. The VLAN s as environments can be stretched over a wide geographical area. Where possible the systems, as described in the Architecture (see Appendix 2), are virtualized (virtual machine) using servers with hypervisors. For systems needing a HSM there is a choice of using network attached HSM (nethsm) or within the server installed HSM (PCI-HSM). The benefit of nethsm s is that all the systems can be virtual machines. For storage the virtual machines can use the Storage Area Network (SAN). The final solitary virtual environment for PKI services depends on governmental security procedures regarding networks (firewalls and routers). THE ORGANIZATION Depending on the Governmental Organization there are different roles and responsibilities for the different systems as described in the architecture, see Appendix 2. The overall governance is a Policy Authority giving direction to the Signing and Verification PKI (including the CONNECTCA) and authorization to the TCC for connections of terminals and providing certificates. This white paper doesn t describe in detail all the responsibilities and roles for all the systems but gives a global view 6

as presented in Appendix 3. The roles must be seen as descriptive and can be combined within employees. The total solution is a part of the security and input for a Risk Analysis. Very important is that there is enough knowledge within the Governmental Organization for managing and operating the different systems as described in Appendix 2. Furthermore the role of architect is necessary to keep track of all the changes worldwide and implementing these changes into the organizational architecture. THE SETUP AND COSTS In this white paper the estimate of costs will be given in time, personal and necessary devices and will be restricted to the architecture given in Appendix 2 (without terminals and EAC-PKI). The first step in the development must be an architecture, for example something like Appendix 2. The necessary (and possible future) functionality must be described for every system in this architecture. The setup of this architecture and the description of the systems will take approximately three to six months for one architect. The architecture will be input for own development or a tender. To develop the systems (applications), as described in the architecture, two developers need approximately six to twelve months. If it is a tender then it takes approximately eighteen to twentyfour months. During the setup an auditor and security officer should be involved. The infrastructure is also part of the architecture and must be setup with IT Management. Setting up the physical servers, storage, implement the hypervisor and setting up the virtual machines will take approximately one to two months. Together with IT Management, in the same months the Security Officer and Network Management will deal with the virtual network setup and firewall and router rules. To manage all this setup it should be a project with a project manager and Policy Authority already in place. There will be costs of physical hardware (servers), storage (SAN), Hypervisors, Firewalls and Routers. Extra costs will be HSM devices when necessary for CONNECTCA, Inspection Systems and future EAC-PKI. The virtual machines needs an Operating System (OS) which can be a free or paid OS. Depending if the Governmental Organization wants to tender there will be costs of the functional software releases to build the system (applications) as described in Appendix 2. For own development there will be costs of databases, middleware and application software (Web Services and GUI). With a tender the costs are hard to predict. There will be extra costs for training personal. 7

APPENDIX 1, CONNECTCA The CONNECTCA is the Root Certificate Authority (CA) of the Connect PKI. The Public Keys of the CONNECTCA are contained in self-signed CA certificates. The CONNECTCA issues CA certificates to its Subscribers, the Subordinate CA s (Sub-CA s). A Subordinate CA issues TLS client and server certificates to a group of Managed Systems that share a specific purpose. A Subordinate CA has a self-signed (Root) CA certificate and a CA certificate signed by the CONNECTCA. The following Subordinate CA s can be defined: TLSCA, ADMINCA, TERMINALTLSCA and ADMINMCCA. The ADMINCA is the Subordinate CA for issuing TLS certificates for secure connection for adminsystems (server and GUI), the TLSCA is the Subordinate CA for issuing TLS certificates for the secure connections between the servers. The ADMINMCCA is the Subordinate CA for issuing TLS certificates between the Inspection Systems and the Management of these Inspection Systems. For the secure connection of the Terminals (devices with an e-document reader) there is a TERMINALTLSCA as a Subordinate CA. There is a SPOCCA mentioned in this architecture. This is a special CA for the Verification PKI functionality within Europe. The SPOC functionality is not further described in this white paper. 8

9

APPENDIX 2, OVERVIEW NPKD 10

APPENDIX 3, GOVERNANCE RESPONSIBILITIES AND ROLES 11

APPENDIX 4, TERMS AND ABBREVIATIONS ABBREVIATION ABC CA CRL CSCA DMZ DS DVRA EAC e-mrtd GUI HSM ICAO IS ISMC IT LDAP NPKD NSPOC OS PA PCI PKI RA SAN SOAP TLS VLAN Full Form Automated / Assisted Border Control Certificate Authority Certificate Revocation List Country Signing CA Demilitarized Zone Document Signer Document Verifier Registration Authority Extended Access Control Electronic Machine Readable Travel Document Graphical User Interface Hardware Security Module International Civil Aviation Organization Inspection System IS Management Console Information Technology Lightweight Directory Access Protocol National Public Key Directory National Single Point of Contact Operating System Policy Authority Peripheral Component Interconnect Public Key Infrastructure Registration Authority Storage Area Network Simple Object Access Protocol Transport Layer Security Virtual Local Area Network TERM Certificate application Extended Access Control Public Key Infrastructure (EAC-PKI) Hardware security module (HSM) International Civil Aviation Organization (ICAO) Definition An application for the issuance of a certificate to a subscriber. The certificate application is submitted to the RA by a representative of the subscriber that is responsible for the intended Certificate Holder. A certificate application includes a certificate request and other data required for the validation of the application by the RA. The infrastructure required to control access to fingerprint biometrics on Passports and Travel Documents utilizing Extended Access Control. A hardware module for the safe storage of keys and the safe performance of cryptographic operations. An United Nations organization tasked with fostering the planning and development of international air transport. In this 12

TERM National Public Key Directory (NPKD) Registration Authority (RA) Definition role it sets international standards for MRTD s. The National Public Key Directory (NPKD) is a domestic PKD. The NPKD is responsible for the delivery of certificates and CRLs for Passive Authentication. The Registration Authority is responsible for identification and authentication of certificate applicants, approval or rejection of certificate applications and managing revocation of certificates. 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback