Information security - PowerPoint PPT Presentation


Presentation Transcript

Information security

An introduction to Technology and law with focus on e-signature, encryption and third party service

Yue Liu

Feb. 2008

What ?
  • Understanding the information security
  • Electronic signature and encryption
  • Trusted third party (CSP)
Information security
  • General technical definition

Information security is a state of affairs in which information, information processing and communication are protected against threats to the confidentiality, integrity and availability of information and information processing. In the context of information networks this also covers reliable identification and authentication.

Information security
  • Legal definition

The obligation to take adequate measures for the purpose of safeguarding the state of affairs corresponding to the required level of security, and notably the protection of rights related to informational assets.

Information security
  • Trust
  • The basic elements of information security
    • Confidentiality
    • Integrity
    • Availability
Information security provisions in current law
  • OECD Recommendations
  • E-commerce and E-signature
  • Privacy regulations
  • Telecommunications
  • Electronic administration
  • Public access to information laws
  • Penal law concerning the computer crime and misuse
  • Critical infrastructure protection
Electronic signature

Time frame: Jan 19, 2000; July 19, 2001; March 15, 2006

Underlying principles:

  • Technology neutral
  • Non-discrimination
  • Party-autonomy/contractual freedom
  • No-harmonization of national civil law
Electronic signature

Definition:

Electronic signature: data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication

(Directive 99/93/EC)

Advanced electronic signature: any electronic signature which meets the following requirements: uniquely linked, capable of identifying, maintain sole control, change detectable

Electronic signature

[Diagram of signature types: e-sign, SKE, advanced signature, digital signature, qualified signature, biometrics]

  • Form conditions:

Qualified certificate (QC, Annex I); certification service provider (CSP, Annex II); secure signature creation device (Annex III)

Electronic signature

Legal effects of the e-signature, Article 5 of the Directive:

  • Art. 5(2) non-discrimination: legal effect is not denied solely because the signature is in electronic form, is not certified, is not certified by an accredited CSP (certification service provider), or was not created by a secure signature creation device
  • Art. 5(1) qualified advanced e-signature: valid in transactions in the same way as a handwritten signature, and admissible as evidence in court
Electronic signature
  • Cryptography basis:

The conversion of data into a secret code for transmission over a public network.

    • Encrypt: convert plaintext into ciphertext
    • Decrypt: convert ciphertext into plaintext
    • Symmetric key encryption (secret key)
    • Asymmetric key encryption (public key)
Electronic signature
  • Public key encryption (PKE) in detail

Problems of PKE:

    • More computationally intensive
    • Large amounts of encrypted data are vulnerable to attack
    • Solution = hashing of the data message (the public-key operation is applied to the fixed-size hash rather than to the whole message)
Electronic signature
  • Digital signature 1
Electronic signature
  • Digital signature 2
Electronic signature
  • Problems with digital signatures
    • Trustworthy linkage between public key and real world identity of accountable person
    • Secure distribution of public keys over open networks
    • Integrity?
    • Solution= Public key infrastructure (PKI)
Electronic signature

PKI Process Flow

  • Step 1. Subscriber applies to Certification Authority (CA) for Digital Certificate.
  • Step 2. CA verifies identity of Subscriber and issues Digital Certificate.
  • Step 3. CA publishes Certificate to Repository.
  • Step 4. Subscriber digitally signs electronic message with Private Key to ensure Sender Authenticity, Message Integrity and Non-Repudiation and sends to Relying Party.
  • Step 5. Relying Party receives message, verifies Digital Signature with Subscriber's Public Key, and goes to Repository to check status and validity of Subscriber's Certificate.
  • Step 6. Repository returns results of status check on Subscriber's Certificate to Relying Party.
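The six-step flow above, together with the earlier "solution = hashing" point, as an added Go example that is not from the presentation: ECDSA P-256 with hash-then-sign, a hypothetical Certificate type, a plain map standing in for the repository, and the CA's identity check (step 2) assumed to have already happened.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Hypothetical certificate: the CA's signature over "subject -> key", plus status.
type Certificate struct{ PubKey *ecdsa.PublicKey; CASig []byte; Revoked bool }
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// "Solution = hashing": public-key operations run on a 32-byte SHA-256 digest.
func digest(data []byte) []byte {
	d := sha256.Sum256(data)
	return d[:]
}
// hashThenSign is step 4: the subscriber signs the digest with the private key.
func hashThenSign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(msg))
}
// certBytes is the binding the CA signs: subject name plus encoded public key.
func certBytes(subject string, pub *ecdsa.PublicKey) []byte {
	return append([]byte(subject+"|"), elliptic.MarshalCompressed(pub.Curve, pub.X, pub.Y)...)
}

// issueCert is steps 1-3: the CA (identity check assumed done) signs and publishes.
func issueCert(ca *ecdsa.PrivateKey, subject string, pub *ecdsa.PublicKey, repo map[string]*Certificate) error {
	sig, err := hashThenSign(ca, certBytes(subject, pub))
	if err != nil {
		return err
	}
	repo[subject] = &Certificate{PubKey: pub, CASig: sig}
	return nil
}

// relyingPartyVerify is steps 5-6: status, CA signature on the certificate, then the message.
func relyingPartyVerify(caPub *ecdsa.PublicKey, repo map[string]*Certificate, subject string, msg, sig []byte) error {
	switch cert := repo[subject]; {
	case cert == nil || cert.Revoked:
		return errors.New("certificate missing or revoked")
	case !ecdsa.VerifyASN1(caPub, digest(certBytes(subject, cert.PubKey)), cert.CASig):
		return errors.New("certificate not signed by trusted CA")
	case !ecdsa.VerifyASN1(cert.PubKey, digest(msg), sig):
		return errors.New("message signature invalid")
	}
	return nil
}
```

Note the order of checks in the relying party: the certificate's status and the CA's signature on it are verified before the subscriber's key is trusted for the message, which is exactly the trustworthy-linkage problem the slides raise.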


Electronic signature
  • Agenda
    • The legality issues
    • The technical answers
    • The liability issues

- UNCITRAL e-sign ML, EU e-sign Directive

UNCITRAL e-sign ML
  • E-sign ML liability concept

[Diagram: reasonable allocation of responsibilities in accordance with domains under the specific control of the PKI participants: CA, relying party, signatory]

UNCITRAL e-sign ML
  • Approach
    • Soft law
    • Technology neutrality
    • Comprehensive
  • Responsibility of the signatory (art 8)
  • Responsibility of the relying party (art 11)
  • Responsibility of the CSP (art 9, 10)
EU e-sign Directive
  • Approach
    • Hard law
    • Technology neutrality
    • Liability rules

CA’s liability

EU e-sign Directive
  • Minimum liability for CA (art 6)
    • accuracy
    • completeness
    • the signatory identified in the qualified certificate held the private key corresponding to the public key identified in the certificate
    • the private key and the public key can be used in a complementary manner if the CSP guarantees them both
  • Principle of negligence
  • Reversed burden of proof

Excuses and limitations:

    • The CA proves it has not acted negligently
    • Use exceeding the intended use of the certificate
    • Transaction exceeding the intended transaction value
Electronic signature
  • Market access:

no prior authorization (art 3.1)

voluntary accreditation (art 3.2)

EU e-sign Directive
  • Other provisions
    • Data protection issues (art 8)
    • International aspects (art 7)
    • Committee (art 9, 10)
    • Notification (art 11)
    • Review (art 12)
Encryption
  • Export control measures
    • Wassenaar Arrangement
    • EU dual use regulation of Dec.1994
  • Domestic control measures
  • Key escrow and key recovery systems
  • Privacy considerations
Additional links:

http://www.verisign.com

http://www.ulapland.fi/home/oiffi/julkaisut/ISLCommentary_pdf.pdf

Thank you for your attention!
