Securing e government public key infrastructure
This presentation is the property of its rightful owner.
Sponsored Links
1 / 49

Securing e Government Public Key Infrastructure PowerPoint PPT Presentation


  • 79 Views
  • Uploaded on
  • Presentation posted in: General

Securing e Government Public Key Infrastructure. Prof Dr Mohamed Kouta Chairman Of MIS Department Arab Academy For Science And Technology. Outline. Security Requirements. Symmetric Key Cryptosystem. Asymmetric (Public) Key Cryptosystem. Over View of Digital Signature.

Download Presentation

Securing e Government Public Key Infrastructure

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Securing e government public key infrastructure

Securing e GovernmentPublic Key Infrastructure

Prof Dr Mohamed Kouta

Chairman Of MIS Department

Arab Academy For Science And Technology


Outline

Outline

  • Security Requirements.

  • Symmetric Key Cryptosystem.

  • Asymmetric (Public) Key Cryptosystem.

  • Over View of Digital Signature.

  • Secure Socket Layer Protocol.

  • Digital Certificate.

  • Certificate Authority.

  • PKI Components.

  • PKI Implementation.

  • Using biometrics and Smart Token.

  • PKI Assessment.


Security requirements

Security Requirements

  • Privacy.

  • Authenticity.

  • Non repudiation

  • Integrity.


Securing e government public key infrastructure

Symmetric Key Cryptosystem

Poly alphabetic Cipher

Consider a key length = 4

Key = BAND

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Plain Text M= E BUS INES S

B AND BAND B

Cipher Text E(M)= G CIW KOSW U


Securing e government public key infrastructure

Secret

Key

Secure Channel

Secret

Key

Secret

Key

M

M

Encryption

Es

Decryption

Ds

C

Sender

Receiver

Intruder

Overview

Symmetric-key Cryptosystems


Securing e government public key infrastructure

Secret

Key

Secure Channel

Secret

Key

Secret

Key

M

M

Encryption

Es

Decryption

Ds

C

Sender

Receiver

Intruder

Overview

Symmetric-key Cryptosystems


Securing e government public key infrastructure

Public

Key

Private

Key

M

M

Encryption

EK

Decryption

DK

C

Receiver

Sender

Intruder

Overview

Asymmetric-key Cryptosystems


Securing e government public key infrastructure

Overview of Digital Signature

Signer’s Private Key

Encrypted

Digest

Digest

Signed

Document

Hash

Algorithm

Remember, a digital signature involves services provided by Certificate Authority (CA)


Securing e government public key infrastructure

?

Verifying the Digital Signaturefor Authentication and Integrity

Digest

Hash Algorithm

Digest

Signer’s

Public Key

And so does the process of verifying the validity of a digital signature


Securing e government public key infrastructure

Sender’s Computer

Message

Message Digest

Digital Signature

+

Message

+

Encrypt

+

Symmetric Key

Encrypted Message

Receiver’s

Certificate

Sender’s

Certificate

Encrypt

Digital

Envelope

Receiver’s

Key-Exchange Key

Sender’s Private Signature Key

10

© Prentice Hall, 2000


Securing e government public key infrastructure

Receiver’s Private Key-Exchange Key

Decrypt

Message Digest

Message Digest

Digital Signature

Message

+

Decrypt

Symmetric Key

+

compare

Encrypted Message

Decrypt

Sender’s

Certificate

Sender’s Public Signature Key

Digital

Envelope

Receiver’s Computer

11

© Prentice Hall, 2000


Securing e government public key infrastructure

Digital Certificate

  • X509 Standard

    Each certificate contains the

    public-key of a user and is signed

    with the private-key of a trusted

    certificate authority


Certificate authority

CertificateAuthority

  • In an uncontrolled system, anyone could publish a new public-key and assume a new identity.

  • Any Participant can send his public-key to any other one broadcast the key


Certificate authority1

CertificateAuthority

  • This would be like allowing anyone to issue his or her own passport or driving licenses

  • This is clearly unacceptable for any application that, like electronic commerce, requires authentication and non-repudiation.

  • In order to assure a proper information exchange mechanism, an important entity should be involved in the process which is the Certificate Authority (CA).


Securing e government public key infrastructure

CertificateAuthority

  • Cont. Distribution of Public Keys

    • Public key Certificate


Certificate authority2

CertificateAuthority

  • Requirements of setting up the CA

  • Compatibility with existing Internet based Certificate Authorities

    • It should be possible to use the certificates in applications such as Netscape navigators, secure email, and custom built business-to-business e-commerce applications.

    • Certificates must be consistent with accepted standards; such the widely recognized X.509 certificate formats.


Certificate authority3

Certificate Authority

  • Effective Distribution mechanisms

    • Directory server support:-

      • includes client certificates, and certificate validity status.

    • Certificates accompanying signatures:-

      • The certificate, being signed by the ECA, enables the receiving party to check the validity of both the certificate, and the accompanying signature.

    • Support for certificate revocation:-


Securing e government public key infrastructure

Certificate Authority

  • Revocation of Certificates

    • The user’s private key is compromised

    • The user is no longer certified by this CA

    • The CA’s certificate is compromised


Securing e government public key infrastructure

Certificate management cycle

Request certificate

for key linked with LIR ID

Program

Certificate

Authority

Certificate

Revocation request

Certificate is included

in the Certificate Revocation List (CRL)

Request a certificate

Send browser form

Send public key

Certificate

User

CA never sees the private key

Certificate

Some time later the user wants to revoke the certificate…


Pki component

PKI Component

  • Certificate Authority (CA).

    Issues Digital Certificates

  • Authorization Authority (AA).

    Response for Digital Certificate (DC) request

  • Registration Authority (RA).

    Contains a database for DC and Certificate Revocation List

    CRL.

  • Directory Services.

    Handles DC exchange.

  • Applications.


Pki implementation

PKI Implementation

  • Issuing the Certificate Practice Statement (CPS).

    A statement of Practices that CA employs in issuing DC.

  • Building the PKI as according CPS.

  • Training for users and administration Staff.

  • Connections to secured systems that could circumvented the PKI must be ended.

  • Integration with the different applications.


Using biometrics and smart token in electronic signature

Using Biometrics and Smart Token in Electronic signature


How a citizen can apply for a smart token

How a citizen can apply for a Smart Token

  • Step 1

    The citizen (Applicant A) provides his National Security Number Card (NSN) to one of the Service Provider (SP).

  • Step 2

    SP sends the NSN information to the CA.

  • Step 3

    CA checks for Applicant already has a DC or revoked with RA.

  • Step 4

    If A is applying first time, CA asks for authorization from AA.

  • Step 5

    AA responses for CA.

  • Step 6

    CA asks A to generate his keys pair.

  • Step 7

    The Two pairs are generated inside the applicant smart Token.

  • Step 8

    The public Key is sent to the CA.

  • Step 9

    The CA generates and sends the DC back to the applicant Token.

  • Step 10

    The token is trained for the applicant finger print.


Pre session stage

Sender side

CA

2 check validity

1 S wants to communicate with R

3 SDC

3 RDC

Receiver (R)

Sender (S)

Pre Session Stage


Securing e government public key infrastructure

Sender PC

Sender side

Sender Token

1- Selecting the message M to be sent from the sender PC

(SPC).

2- According to the Hashing Algorithm (HA) stored in the

SPC , M will be hashed and the message digest (MD)

will be generated.

3- The message digest MD is transferred from the SPC to

the sender Smart Token (SST).

6- Using a random number generator (RNG), a session

key (SK) will be generated inside the SPC.

7- Encrypting M+SDS+SDC using symmetric key

encryption algorithm SKEA and Sk as encryption key

and call it the encrypted signed message (ESM).

8- Extracting the receiver public key (RPUK) from the

RDC available in the SCL.

9- Encrypt the SK with RPUK using PKUK to create Digital

Envelop (DE) send ESM+DE.

MD

4- Using public key cryptographic

algorithm (PKCA) ,the MD is

encrypted with the sender

private key (SPRK) to get the

sender digital signature (SDS).

5- The SDS+ a copy from the

sender digital certificate (SDC)

are sent back to the SPC.

Sender Data

SDS +

SDC

ESM + DE


Third process

Sender PC

ESM +

Encrypted Signed message (ESM)

Encrypted session key

By receiver public key (DE)

DE

Sender side

Third Process

Receiver PC


Securing e government public key infrastructure

2- Using PKEA the DE

is Decryptedby the

RPRK to get the

session key SK.

3- Send SK back to the

RE PC

Receiver side

Receiver PC

1-DE is sent to the receiver smart

token (RST).

4- By the SK the message will be Decrypted

using the same SKEA Now we have :

M+ SDS + SDC.

5- The SDC received from CA is compared

with SDC received from the sender to

assure its validity. If its valid the procedure

continue , aborted otherwise.

6- Decrypt the SDS by the sender public key

SPUK contained in the SDC to get MD. Call

it MD1.

8- Using M generate a message digest MD

using the same HA. Call it MD2.

7- Compare the two digests MD1 and MD2. If

MD1 and MD2 are identical then message

accepted otherwise the message is

rejected.

Receiver Token

DE

Received Data

SK

ESM + DE


Token blank contain

Token blank contain

1- RSA Encryption/decryption Algorithm.

2- USB Interface.

3- Biometric sensor.

4- Image processing.

5- Feature extraction & recognition.

6- ROM.

7- RAM


Securing e government public key infrastructure

Biometric Device

USB including power supply

Smart Token

Block

Interface

Bus

Token Block Diagram


Securing e government public key infrastructure

Power supply from USB

RAM

Processing and result storage

ROM

Private Key

Certificate contain Public Key

Finger print of the owner

RSA En /Dec Algorithm

& Key Generation

BUS

USB interface

Feature extraction & recognition

Biometric Interface

Image

processing

Control unit

Interface Bus

Biometric Device

SMART TOKEN BLOCK

USB

BUS


Biometric verification for smart token

Biometric Verification for Smart Token


At77c101b cb02v sensor

AT77C101B-CB02V Sensor


Architecture of the automatic identity authentication system

Architecture of the automatic identity authentication system


Image processing and extraction of fingerprint minutia

Image processing and extraction of fingerprint minutia


Step 1 input image

Step (1) Input Image


Step 2 region of interest

Step (2) Region of Interest


Step 3 orientation field

Step (3) Orientation Field


Step 4 ridge detection

Step (4) Ridge Detection

Ridge ending and ridge bifurcation.


Step 5 extracted ridges

Step (5) Extracted Ridges


Step 6 thinned ridges

Step (6) Thinned Ridges


Step 7 smoothing procedure

Step (7) Smoothing procedure

• The presence of undesired spikes and breaks present in a thinned ridge map may lead to many spurious minutiae being detected.

• Therefore, before the minutiae detection, a smoothing procedure is applied to remove spikes and to join broken ridges.


Step 8 minutiae detection

Step (8) Minutiae detection


Last step minutia extraction

Last Step Minutia Extraction


Minutiae m atching

Minutiae Matching

Alignment of the input ridge and the template ridge


Applying the matching algorithm to an input minutiae set and a template

Applying the matching algorithm to an input minutiae set and a template

(a) input minutiae set

(b) template minutiae set


Applying the matching algorithm to an input minutiae set and a template cont

Applying the matching algorithm to an input minutiae set and a template (Cont.)

(d) matching result where template minutiae and their correspondences are connected by green lines.

(c) alignment result based on the minutiae marked with green circles


Pki assessments

PKI Assessments

  • CPS

  • CA

  • AA

  • RA

  • CRL policies.

  • Certificate Usage with applications.

  • Auditing.

  • Cryptographic devices and data

  • Cryptographic Algorithms

  • Critical Information Flow.

  • Sensitive Software Applications.

  • Key Managements.

  • Network Devices Hosts, Routers, firewalls, switches).


Examples for pki applications

Examples for PKI applications

  • E-mail.

  • E-Gov services (Pension, ..).

  • E-Election (voting).

  • Group decision making.

  • Multi signature.

  • Notarizing.

  • E-payment.

  • Medical care.

    Note: It is up to the application to deploy the smart token.


  • Login