1 / 49

Securing e Government Public Key Infrastructure

Securing e Government Public Key Infrastructure. Prof Dr Mohamed Kouta Chairman Of MIS Department Arab Academy For Science And Technology. Outline. Security Requirements. Symmetric Key Cryptosystem. Asymmetric (Public) Key Cryptosystem. Over View of Digital Signature.

niveditha
Download Presentation

Securing e Government Public Key Infrastructure

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Securing e GovernmentPublic Key Infrastructure Prof Dr Mohamed Kouta Chairman Of MIS Department Arab Academy For Science And Technology

  2. Outline • Security Requirements. • Symmetric Key Cryptosystem. • Asymmetric (Public) Key Cryptosystem. • Over View of Digital Signature. • Secure Socket Layer Protocol. • Digital Certificate. • Certificate Authority. • PKI Components. • PKI Implementation. • Using biometrics and Smart Token. • PKI Assessment.

  3. Security Requirements • Privacy. • Authenticity. • Non repudiation • Integrity.

  4. Symmetric Key Cryptosystem Poly alphabetic Cipher Consider a key length = 4 Key = BAND 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Plain Text M= E BUS INES S B AND BAND B Cipher Text E(M)= G CIW KOSW U

  5. Secret Key Secure Channel Secret Key Secret Key M M Encryption Es Decryption Ds C Sender Receiver Intruder Overview Symmetric-key Cryptosystems

  6. Secret Key Secure Channel Secret Key Secret Key M M Encryption Es Decryption Ds C Sender Receiver Intruder Overview Symmetric-key Cryptosystems

  7. Public Key Private Key M M Encryption EK Decryption DK C Receiver Sender Intruder Overview Asymmetric-key Cryptosystems

  8. Overview of Digital Signature Signer’s Private Key Encrypted Digest Digest Signed Document Hash Algorithm Remember, a digital signature involves services provided by Certificate Authority (CA)

  9. ? Verifying the Digital Signaturefor Authentication and Integrity Digest Hash Algorithm Digest Signer’s Public Key And so does the process of verifying the validity of a digital signature

  10. Sender’s Computer Message   Message Digest Digital Signature + Message  + Encrypt + Symmetric Key Encrypted Message  Receiver’s Certificate Sender’s Certificate Encrypt Digital Envelope Receiver’s Key-Exchange Key Sender’s Private Signature Key 10 © Prentice Hall, 2000

  11. Receiver’s Private Key-Exchange Key Decrypt  Message Digest Message Digest Digital Signature  Message  + Decrypt Symmetric Key +  compare Encrypted Message  Decrypt Sender’s Certificate Sender’s Public Signature Key Digital Envelope Receiver’s Computer 11 © Prentice Hall, 2000

  12. Digital Certificate • X509 Standard Each certificate contains the public-key of a user and is signed with the private-key of a trusted certificate authority

  13. CertificateAuthority • In an uncontrolled system, anyone could publish a new public-key and assume a new identity. • Any Participant can send his public-key to any other one broadcast the key

  14. CertificateAuthority • This would be like allowing anyone to issue his or her own passport or driving licenses • This is clearly unacceptable for any application that, like electronic commerce, requires authentication and non-repudiation. • In order to assure a proper information exchange mechanism, an important entity should be involved in the process which is the Certificate Authority (CA).

  15. CertificateAuthority • Cont. Distribution of Public Keys • Public key Certificate

  16. CertificateAuthority • Requirements of setting up the CA • Compatibility with existing Internet based Certificate Authorities • It should be possible to use the certificates in applications such as Netscape navigators, secure email, and custom built business-to-business e-commerce applications. • Certificates must be consistent with accepted standards; such the widely recognized X.509 certificate formats.

  17. Certificate Authority • Effective Distribution mechanisms • Directory server support:- • includes client certificates, and certificate validity status. • Certificates accompanying signatures:- • The certificate, being signed by the ECA, enables the receiving party to check the validity of both the certificate, and the accompanying signature. • Support for certificate revocation:-

  18. Certificate Authority • Revocation of Certificates • The user’s private key is compromised • The user is no longer certified by this CA • The CA’s certificate is compromised

  19. Certificate management cycle Request certificate for key linked with LIR ID Program Certificate Authority Certificate Revocation request Certificate is included in the Certificate Revocation List (CRL) Request a certificate Send browser form Send public key Certificate User CA never sees the private key Certificate Some time later the user wants to revoke the certificate…

  20. PKI Component • Certificate Authority (CA). Issues Digital Certificates • Authorization Authority (AA). Response for Digital Certificate (DC) request • Registration Authority (RA). Contains a database for DC and Certificate Revocation List CRL. • Directory Services. Handles DC exchange. • Applications.

  21. PKI Implementation • Issuing the Certificate Practice Statement (CPS). A statement of Practices that CA employs in issuing DC. • Building the PKI as according CPS. • Training for users and administration Staff. • Connections to secured systems that could circumvented the PKI must be ended. • Integration with the different applications.

  22. Using Biometrics and Smart Token in Electronic signature

  23. How a citizen can apply for a Smart Token • Step 1 The citizen (Applicant A) provides his National Security Number Card (NSN) to one of the Service Provider (SP). • Step 2 SP sends the NSN information to the CA. • Step 3 CA checks for Applicant already has a DC or revoked with RA. • Step 4 If A is applying first time, CA asks for authorization from AA. • Step 5 AA responses for CA. • Step 6 CA asks A to generate his keys pair. • Step 7 The Two pairs are generated inside the applicant smart Token. • Step 8 The public Key is sent to the CA. • Step 9 The CA generates and sends the DC back to the applicant Token. • Step 10 The token is trained for the applicant finger print.

  24. Sender side CA 2 check validity 1 S wants to communicate with R 3 SDC 3 RDC Receiver (R) Sender (S) Pre Session Stage

  25. Sender PC Sender side Sender Token 1- Selecting the message M to be sent from the sender PC (SPC). 2- According to the Hashing Algorithm (HA) stored in the SPC , M will be hashed and the message digest (MD) will be generated. 3- The message digest MD is transferred from the SPC to the sender Smart Token (SST). 6- Using a random number generator (RNG), a session key (SK) will be generated inside the SPC. 7- Encrypting M+SDS+SDC using symmetric key encryption algorithm SKEA and Sk as encryption key and call it the encrypted signed message (ESM). 8- Extracting the receiver public key (RPUK) from the RDC available in the SCL. 9- Encrypt the SK with RPUK using PKUK to create Digital Envelop (DE) send ESM+DE. MD 4- Using public key cryptographic algorithm (PKCA) ,the MD is encrypted with the sender private key (SPRK) to get the sender digital signature (SDS). 5- The SDS+ a copy from the sender digital certificate (SDC) are sent back to the SPC. Sender Data SDS + SDC ESM + DE

  26. Sender PC ESM + Encrypted Signed message (ESM) Encrypted session key By receiver public key (DE) DE Sender side Third Process Receiver PC

  27. 2- Using PKEA the DE is Decryptedby the RPRK to get the session key SK. 3- Send SK back to the RE PC Receiver side Receiver PC 1-DE is sent to the receiver smart token (RST). 4- By the SK the message will be Decrypted using the same SKEA Now we have : M+ SDS + SDC. 5- The SDC received from CA is compared with SDC received from the sender to assure its validity. If its valid the procedure continue , aborted otherwise. 6- Decrypt the SDS by the sender public key SPUK contained in the SDC to get MD. Call it MD1. 8- Using M generate a message digest MD using the same HA. Call it MD2. 7- Compare the two digests MD1 and MD2. If MD1 and MD2 are identical then message accepted otherwise the message is rejected. Receiver Token DE Received Data SK ESM + DE

  28. Token blank contain 1- RSA Encryption/decryption Algorithm. 2- USB Interface. 3- Biometric sensor. 4- Image processing. 5- Feature extraction & recognition. 6- ROM. 7- RAM

  29. Biometric Device USB including power supply Smart Token Block Interface Bus Token Block Diagram

  30. Power supply from USB RAM Processing and result storage ROM Private Key Certificate contain Public Key Finger print of the owner RSA En /Dec Algorithm & Key Generation BUS USB interface Feature extraction & recognition Biometric Interface Image processing Control unit Interface Bus Biometric Device SMART TOKEN BLOCK USB BUS

  31. Biometric Verification for Smart Token

  32. AT77C101B-CB02V Sensor

  33. Architecture of the automatic identity authentication system

  34. Image processing and extraction of fingerprint minutia

  35. Step (1) Input Image

  36. Step (2) Region of Interest

  37. Step (3) Orientation Field

  38. Step (4) Ridge Detection Ridge ending and ridge bifurcation.

  39. Step (5) Extracted Ridges

  40. Step (6) Thinned Ridges

  41. Step (7) Smoothing procedure • The presence of undesired spikes and breaks present in a thinned ridge map may lead to many spurious minutiae being detected. • Therefore, before the minutiae detection, a smoothing procedure is applied to remove spikes and to join broken ridges.

  42. Step (8) Minutiae detection

  43. Last Step Minutia Extraction

  44. Minutiae Matching Alignment of the input ridge and the template ridge

  45. Applying the matching algorithm to an input minutiae set and a template (a) input minutiae set (b) template minutiae set

  46. Applying the matching algorithm to an input minutiae set and a template (Cont.) (d) matching result where template minutiae and their correspondences are connected by green lines. (c) alignment result based on the minutiae marked with green circles

  47. PKI Assessments • CPS • CA • AA • RA • CRL policies. • Certificate Usage with applications. • Auditing. • Cryptographic devices and data • Cryptographic Algorithms • Critical Information Flow. • Sensitive Software Applications. • Key Managements. • Network Devices Hosts, Routers, firewalls, switches).

  48. Examples for PKI applications • E-mail. • E-Gov services (Pension, ..). • E-Election (voting). • Group decision making. • Multi signature. • Notarizing. • E-payment. • Medical care. Note: It is up to the application to deploy the smart token.

More Related