
13th Subregional Telecommunication Meeting for Cambodia, Lao P.D.R, Myanmar and Vietnam
Yangon, 4-6 October 2006

Addressing Challenges to the Information Society

Building Trust and Security

Alexander NTOKO
Chief, E-Strategies
ITU Telecommunication Development Bureau (BDT)

As Developing Countries work on their policies, strategies, legislation and infrastructure deployment, security and trust must be part of the initial design stages …

Agenda

1. Threats
2. Framework
3. Strategies
4. ICTs @Work
5. CA Challenges

A Transaction-based E-government Infrastructure

But how do we get governments, businesses and citizens to conduct critical government transactions online?

As many countries embark on the e-government bandwagon, governments, citizens and businesses are asking many questions – Can we trust these systems?

• Receiving online submissions to renew national identity cards:
  G: Am I dealing with the owner of the identity card?
  C: How do I know this is really a government site?

• Submitting confidential bids for government procurements:
  G: Is the bid from a registered company?
  B: Can my competitors see my bid?

• Transmitting sensitive government documents online:
  G: Can an unauthorized person view the document?
  G: How can access control be ensured?

• Issuing birth certificates and land certificates via the Internet:
  G: Can a citizen modify his or her date of birth?
  G: What if she changes the size of her land or uses this to make another land certificate?

• Conducting online elections via the Internet – e-voting:
  C: Can someone know whom I voted for?
  G: How do we guarantee that a citizen votes only once?
  G: Is this vote from a registered voter?

Some Challenges to Users

Overview of the challenges

• Unsolicited Communications
• Online Fraud
• Unauthorized Access to Information
• Destruction of Critical Information
• Identity Theft
• Invasion of Privacy

AGENDA

• MALWARE
• PHISHING
• SPAM
• TRENDS

MALWARE

Viruses

What is a virus?

o Virus (n.) Code written with the express intention of replicating itself. A virus attempts to spread from computer to computer by attaching itself to a host program. It may damage hardware, software, or information.
o Just as human viruses range in severity from Ebola to the 24-hour flu, computer viruses range from the mildly annoying to the downright destructive. The good news is that a true virus does not spread without human action to move it along, such as sharing a file or sending an e-mail.

Viruses

Are Viruses new? The Brain Virus.

o The first computer virus for Microsoft DOS was apparently written in 1986 and contains unencrypted text with the name, address, and telephone number of Brain Computer Services, a store in Lahore, Pakistan. This virus infected the boot sector of 5¼ inch floppy diskettes with a 360 kilobyte capacity. Robert Slade, an expert on computer viruses, believes the Brain virus was written as a form of advertising for the store in Pakistan.

A variant of the Brain virus was discovered at the University of Delaware in the USA during Oct 1987, where the virus destroyed the ability to read the draft of at least one graduate student's thesis.

Worms

What is a worm?

o Worm (n.) A subclass of virus. A worm generally spreads without user action and distributes complete copies (possibly modified) of itself across networks. A worm can consume memory or network bandwidth, thus causing a computer to stop responding.
o Because worms don't need to travel via a "host" program or file, they can also tunnel into your system and allow somebody else to take control of your computer remotely. Recent examples of worms included the Sasser worm and the Blaster worm.

Trojans

What is a Trojan?

o Remember the Trojan horse appeared to be a gift, but turned out to contain Greek soldiers who overtook the city of Troy.
o Trojan (n): A computer program that appears to be useful software, but instead compromises your security and causes a lot of damage.
o A recent Trojan came in the form of an e-mail message that included attachments claiming to be Microsoft security updates, but turned out to be viruses that attempted to disable antivirus and firewall software.

How do worms and other viruses spread?

By Executing the Code.

o Virtually all viruses and many worms cannot spread unless you open or run an infected program.
o Many of the most dangerous viruses were primarily spread through e-mail attachments—the files that are sent along with an e-mail message.
o The virus is launched when you open the file attachment (usually by double-clicking the attachment icon).

PHISHING

Phishing

What is Phishing?

o Phishing (also called brand spoofing or carding) is a technique for acquiring your personal information and subsequently committing fraud in your name, including stealing your identity.
o About 10 years old, but attacks are increasingly sophisticated.
o It's a form of cyber-crime growing faster than the ability of the police or courts to deal with it.
o "Phishing" originated from the word "fishing". As in real fishing, scammers use bait to lure victims into divulging information that is used for fraudulent purposes.

Phishing

How is phishing perpetrated?

o Authentic-looking - In a typical phishing attempt, you will receive an authentic-looking email message that appears to come from a legitimate business.
o Mostly via Email - The majority of phishing currently is conducted by email, but it is also possible for you to be phished by mail, telephone or even in person.
o But spreading to other applications - Instant Messaging - The latest and most rapidly growing threat is through the use of Instant Messaging (IM), which can also be used for identity theft as well as spreading viruses and spyware.

Phishing

Who perpetrates it?

o Phishers are scam artists. They send out millions of emails, realizing that even if only a few recipients give them enough identifying information, they can profit from the resulting fraud.

Who is affected by phishing?

o Popular targets are users of online banking services and auction sites. Any Internet user whose email has been made available on any public forum. But it does not end there...

SPAM

What is SPAM?

o Unsolicited e-mail.
o Unsolicited e-mail, often of a commercial nature, sent indiscriminately to multiple mailing lists, individuals, or newsgroups; junk e-mail.
o To indiscriminately send unsolicited, unwanted, irrelevant, or inappropriate messages, especially commercial advertising in mass quantities. Noun: electronic "junk mail".

Some methods used by Spammers

The battle against spam is ongoing, with spammers finding increasingly sophisticated ways to send unsolicited messages to recipients worldwide. Some of the common spammer tactics include:

• Dictionary attacks
• Email and DNS Spoofing
• Social Engineering and Urban legends/Hoaxes
• Message Board and Chat Room Mining
• Open Proxies and Mail Relaying
• Chain Letters
• Always-On Broadband connections

SPAM – Constantly Evolving

Spam is not only growing, but is evolving to become a broader threat to Internet security.

TRENDS

General TRENDS
Exploiting Current Fears and Events

Spammers exploit bird flu fears through offers for online purchases of Tamiflu, the only known medicine that deals with the human version of the avian flu.

Victims of Katrina also experienced an increase in identity theft.

General TRENDS
Increasing and becoming more malicious

o Number of Attacks - Reports show increasing number of new viruses and variants. A global pandemic.
o Nature of Attacks - This indicates a trend toward more malicious use of such software by criminals.
o Use of Spyware for ID Theft - Growing % of Spyware now reported to be aimed at stealing identity.
o Adapting to Security Strategies - Worms that exploit security strategies based on "impenetrable firewall" and e-mail filtering to protect an otherwise insecure internal network.

General TRENDS
As it expands to other platforms, it’s more difficult to detect

o Expansion to Mobile - New type of phishing could hit mobile phone users. Mophophishing is where hackers send out fake banking applications to unsuspecting mobile phone users. The users then type their account details into the application, thinking they are accessing their accounts when they are actually sending their personal details back to the hacker.
o Difficulties in Spotting Attacks - Spotting a phishing email is relatively straightforward: the user need only examine the source code of an HTML email and inspect the domain name and path of any link to verify its authenticity.

• Not specific to a Particular OS
• Not limited to any Platform
• Affects services across all Sectors
• Knows No Geographical or Time barriers
• More and more Sophisticated
• Everyone is Concerned and Affected
• They are all Related

e-security threats… Spam, Phishing etc

o The battle against spam is ongoing, with spammers finding increasingly sophisticated ways to send unsolicited messages to recipients worldwide. Some of the common spammer tactics include:

1. Dictionary attacks
2. Email and DNS Spoofing
3. Social Engineering
4. Message Board and Chat Room Mining
5. Open Proxies and Mail Relaying
6. Chain Letters
7. Random Strings of Text and characters

e-security threats… Spam, Phishing etc

o Reliance on filters using databases of known spammers, string processing of email headers, reverse look-ups and similar solutions will not scale, as spammers will continue to look for and find back-door solutions through the refinement of their tactics.

o Spam does not only cause loss of revenue and time for email recipients and companies but also reduces trust and confidence in email transactions.

o One element common to spam is that spammers try to hide their identities using some of the tactics already enumerated above. The issue of establishing the identities of parties to email transactions should be a key component of any strategy aimed at combating spam and enforcing anti-spam and cyber crime legislation.


e-security threats… Spam, Phishing etc

"One of the core problems with spam is we don't know, Yahoo doesn't know, the user doesn't know ... if it really came from the party who it says it came from," Brad Garlinghouse, vice president for communication products at Yahoo, said. "What we're proposing here is to re-engineer the way the Internet works with regard to the authentication of e-mail."

Knowing whom you are dealing with…
Having firm integrity in something or somebody

• An entity A can be said to trust another entity B when A makes the assumption that B will behave exactly as A expects.

In addition to privacy, security and policies, knowing whom you are dealing with is vital for building trust.

What TRUST is NOT

o Not transitive (cannot be passed from person to person)
o Not distributive (cannot be shared)
o Not associative (cannot be linked to another trust or added together)
o Not symmetric (I trust you does not equal you trust me)
o Not self-declared (trust me – why?)

Technology Framework for Trust and Security
Five (5) Key Requirements – The big 5!

This list is NOT exhaustive but constitutes vital elements for trust.

o Data Confidentiality
  • Information accessed only by those authorized.
o Data Integrity
  • No information added, changed, or taken out.
o Strong Authentication
  • Parties are who they pretend to be.
o Non-repudiation
  • Originator cannot deny origin or transaction.
o Infrastructure of trust
  • Automating the verification of digital credentials.

How can we enhance security and trust?

Confidentiality → Encryption
Who am I dealing with? → Authentication
Message integrity → Message Digest
Non-repudiation → Digital Signature
Third party evidence of authenticity → Certificate
Trusted certificate → Certification Authorities

Technology Framework for Trust and Security
Symmetric Encryption - Data Confidentiality

Technology Framework for Trust and Security
Public Key Encryption System – Data Confidentiality

Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt.
Public key can be sent in the open.
Private key is never transmitted or shared.

Technology Framework for Trust and Security
Digital Envelope – Data Confidentiality

Combines the high speed of symmetric encryption (e.g., AES Rijndael) and the key management convenience of public key encryption. Includes PSE (Smartcards, Mega-brid, USB tokens), biometrics, Hardware Security Modules etc.

Technology Framework for Trust and Security
Message Digest – Data Integrity

• Used to determine if document has changed.
• Currently based on FIPS 180-2 approved algorithms (SHA-1, SHA-256, SHA-384 and SHA-512).
• Produces 160, 256, 384 or 512 bit “digests”.
• Infeasible to produce a document matching a digest.
• A one bit change in the document affects about half the bits in the digest.

160, 256, 384 or 512 bit representation (thumb print) of document

Technology Framework for Trust and Security
Digital Signature – Non-Repudiation

Combines Hash Algorithms (FIPS-180), Key Exchange, Public Key Encryption to provide Data integrity, Non-repudiation and Certificate-based Authentication. Digital credentials are established using ITU-T X.509 Digital Certificate Standard based on FIPS 186-x standards.

Verifying the Digital Signature for Authentication and Integrity

Digital Signature

Guarantees:

o Integrity of document
  One bit change in document changes the digest.

o Authentication of sender
  Signer’s public key decrypts digest sent and decrypted digest matches computed digest.

o Non-repudiation
  Only signer’s private key can encrypt digest that is decrypted by his/her public key and matches the computed digest. Non-repudiation prevents reneging on an agreement by denying a transaction.
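
The properties listed on the Message Digest and Digital Signature slides, as an added example that is not part of the original presentation: it counts how many SHA-256 digest bits change after a one-bit edit, then signs a document's digest with a private key and verifies it with the matching public key. It assumes unpadded textbook RSA with constructed demonstration keys built from Mersenne primes, chosen only to keep the example self-contained; this is not a secure key or scheme, and deployed systems use a vetted library with a padded signature scheme.

```python
import hashlib
from typing import NamedTuple


class KeyPair(NamedTuple):
    n: int  # modulus (public)
    e: int  # public exponent
    d: int  # private exponent (never transmitted or shared)


def make_key(p: int, q: int, e: int = 65537) -> KeyPair:
    """Build an RSA key pair from two primes (demonstration only)."""
    return KeyPair(n=p * q, e=e, d=pow(e, -1, (p - 1) * (q - 1)))


# Constructed demonstration keys: Mersenne primes are easy to write down but
# make the modulus trivially factorable. Never use keys like these in practice.
SIGNER = make_key(2**521 - 1, 2**607 - 1)
IMPOSTOR = make_key(2**521 - 1, 2**1279 - 1)

# Constructed sample documents, echoing the land-certificate question earlier.
DOCUMENT = b"Land certificate: parcel 17, area 250 m2"
TAMPERED = b"Land certificate: parcel 17, area 950 m2"


def digest_int(document: bytes) -> int:
    """SHA-256 digest of the document as an integer (the 'thumb print')."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def flip_bit(document: bytes, index: int) -> bytes:
    """Return a copy of the document with exactly one bit inverted."""
    changed = bytearray(document)
    changed[index // 8] ^= 1 << (index % 8)
    return bytes(changed)


def changed_digest_bits(a: bytes, b: bytes) -> int:
    """Number of the 256 digest bits that differ between two documents."""
    return bin(digest_int(a) ^ digest_int(b)).count("1")


def sign(document: bytes, key: KeyPair) -> int:
    """Signer side: transform the digest with the private exponent."""
    return pow(digest_int(document), key.d, key.n)


def verify(document: bytes, signature: int, n: int, e: int) -> bool:
    """Verifier side: needs only the public values (n, e).

    Recover the signed digest with the public key and compare it with a
    digest computed freshly from the document that was received.
    """
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_int(document)


if __name__ == "__main__":
    one_bit_off = flip_bit(DOCUMENT, 0)
    print("digest bits changed by a one-bit edit:",
          changed_digest_bits(DOCUMENT, one_bit_off), "of 256")

    signature = sign(DOCUMENT, SIGNER)
    print("original verifies:      ",
          verify(DOCUMENT, signature, SIGNER.n, SIGNER.e))
    print("tampered copy verifies: ",
          verify(TAMPERED, signature, SIGNER.n, SIGNER.e))
    print("impostor's signature ok:",
          verify(DOCUMENT, sign(DOCUMENT, IMPOSTOR), SIGNER.n, SIGNER.e))
```
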

Technology Framework for Trust and Security
Digital Certificates - Establishing Digital Credentials

ITU-T X.509 creates the framework for establishing digital identities – A key component for establishing security and trust for ICT applications in public networks (such as the Internet)

Industry Solutions for Online Trust and Security

Public Key Infrastructure (PKI) and Industry Solutions for Security & Trust

o It’s not about waging a technology war (PKI vs Non-PKI) but combining technologies and policies for total solutions.
o Combines various industry solutions and standards – PKCS, PSE (Smart Cards, tokens, Megabrid), OCSP Transponders, HSMs, CA, RA and Content Validation Software.
o Enables security and trust to be built on comprehensive and interoperable solutions with appropriate policies ensuring national sovereignty and enforceable legislation.
o Most highly rated e-government countries have PKI as an important component of their e-government strategy.

ICTs@Work

ICTs@Work: e-government

o Using ICTs to increase efficiency and enhance business processes.
o Addressed rather complex needs in business flow-processes (e.g., license issuing, work-flow automation and information processing).
o Implemented using local expertise and the strong commitment of CRA management and technical team.

E-government Project in Bosnia & Herzegovina. Other operational projects have been implemented in countries in Latin America, Asia and Europe.

Cybersecurity - Solutions implemented in projects:
Certificate-based authentication using ITU-T X.509 V.3

ITU-T X.509 creates the framework for establishing digital identities – A key component for establishing security and trust for ICT applications in public networks (such as the Internet)

Cybersecurity - Solutions implemented in projects:
Automating identity verification and management

o PKI including Certificate Authority, Registration Authorities and related policies and procedures (CPS and CP) for identity verification and management taking into account national policies and national sovereignty issues.

[Diagram: PKI hierarchy showing Root CA-1 and CA-2, Certification Authorities (A) and (B), Registration Authorities (RA) receiving certificate requests, and certificate status: Valid or Revoked (CRL).]

ICTs@Work: e-Trust

• Global Asymmetrical Trust Model and technology strategy based on Public Key Infrastructure (PKI), Privilege Management Infrastructure and related PMI and PKI-enabled applications.

Cybersecurity - Sample Project – Georgia
Securing communication within government networks

Challenge: Government of Georgia embarks on a project to convert paper documents (including restricted ones) into digital format to facilitate dissemination of government information to citizens. Senior officials plan to electronically sign official correspondences. How can access to these documents be controlled? How is the integrity of these official electronic correspondences ensured?

Solution: Implementation of public key infrastructure providing strong certificate-based authentication including fingerprint biometrics, data integrity using FIPS-approved digest algorithms, e-signature and data confidentiality based on both public key and symmetric encryption. Solutions built on existing infrastructure to ensure seamless integration. Funding and implementation by ITU.

Cybersecurity - Sample Project – Paraguay
Securing the transmission of sensitive documents

Challenge: Clients of CONATEL needed secure IT solutions to transmit confidential data (reports) to CONATEL. To address these requirements, the solutions should ensure the integrity of data, preserve the confidential nature of the documents, and ensure that both sender and receiver are certain of each other's identities.

Solution: After a careful assessment of the security and trust requirements and discussions with the management and IT professionals of CONATEL, ITU/BDT assisted in the design and development of a public key infrastructure providing solutions for identity management, non-repudiation, data integrity and strong encryption. Technology components including digital signature, biometric authentication and cryptographic token interfaces were built on the existing infrastructure for a seamless integration. Funded and implemented by ITU/BDT, this project has increased the efficiency of CONATEL's business processes and provides security and trust solutions for communicating with its clients (operators and service providers).

Cybersecurity - Sample Project – Bulgaria
Building Security and Confidence in Government Services

Challenge: Securing communication between government officials and providing security for IP-based interconnection of three (3) government agencies. Main cyber security challenges included providing solutions for authentication, data integrity, data confidentiality and non-repudiation.

Solution: Now in its third phase. Phase I provided solutions for certificate-based authentication of government officials, confidentiality in the transmission of sensitive documents and non-repudiation through e-signatures. In Phase II, three government agencies were interconnected using PKI-enabled Virtual Private Networks as a cost-efficient way to use the Internet for sensitive e-government services. Project funding and coordination of the design and implementation were provided by ITU/BDT. Phases I and II are operational and Phase III is expected to be operational in Q2 2005.

Cybersecurity - Sample Project – Turkey
Building security and trust for the Health Sector

Challenge: 81 provinces, 90,000 doctors, 1200 hospitals and 70+ million inhabitants to be connected through an ICTs health platform as part of the national health transformation project. In addition to several other technological, policy, regulatory and institutional challenges, there are security and trust issues to be addressed, e.g., transmission of sensitive medical records, authenticating doctors, patients, healthcare professionals and institutions, ensuring patient-doctor confidentiality, integrity, privacy and ownership of EPRs and protecting critical infrastructure and data.

Solution (First Phase): Secure health information system enabling citizens, medical institutions, health insurance and health care professionals participating in Phase I to use information technologies to store, access and disseminate sensitive health data nationwide. Funding is provided by Government of Turkey. Launched at WSIS I, ITU is providing expertise for the coordination and implementation.

ICTs@Work: e-government

Increasing government transparency, enabling transaction-based e-government services, secure document transmission between government agencies, online payment based on e-currency for government services, PKI-based e-signatures and digital certification. Implemented by ITU and funded by European Community and ITU.

ICTs@Work: e-business

o Assisting countries in the design, development and implementation of e-business solutions.
o Operational projects in Africa, Asia, Europe, Latin America and Arab Region.

ICTs@Work: e-payment

o Assisting in the design, development and implementation of infrastructure for credit card-based e-payments solutions for e-commerce and e-government transactions.
o Projects implemented in countries such as Brazil, Morocco (US$2,5 million), South Africa and Venezuela.

ICTs@Work: e-health

o Providing a forum for exchanging best practices in the implementation of e-health projects.
o Developing guidelines and elaborating strategies at global level in fostering e-health services.
o Working with industry partners, international organizations (WHO, ESA) and governments to assist developing countries in e-health projects.

ITU Experts Meeting on E-health – June 2004, Tokai University, Japan

ICTs@Work: e-medicine

o Using ICTs to bring access to medical services such as remote diagnostics and tele-radiology.
o Interconnecting ambulatory services in two remote areas in Venezuela and enabling access to medical specialists located in the capital city (Caracas).

ITU's e-health activities include the implementation of telemedicine projects in several countries including Mozambique, Malta, Nicaragua, Georgia, Myanmar, Senegal, Bhutan, Uganda and Ukraine. There are ongoing and planned projects for several countries such as Cameroon, Ethiopia, Kenya, Haiti, Rwanda, Venezuela, Sudan, Turkey, Mauritania, Bulgaria, Zimbabwe, Guinea, Lebanon, Tajikistan, Uzbekistan and Latvia.

ICTs@Work: e-education

o Enabling youths to access a wide range of information via the Internet.
o Enhancing knowledge-building and ensuring active participation of youths in the information society.

Internet@Schools Project in Toumboucktu, Mali providing Internet access to more than 700 students in a very remote area 1000 km from the capital city (Bamako). Ongoing project in Senegal launched in June 2005.

Page 11: 13 Subregional Telecommunication Meeting for Cambodia, Lao ...€¦ · 13th Subregional Telecommunication Meeting for Cambodia, Lao P.D.R, Myanmar and Vietnam Yangon, 4-6 October

����� ��

������������� � �������������� � ���� ����� �������� �� ���� !� "����#$�! � ��

o Using ICTs applications and infrastructure to enhance agricultural activities in Madaniyatvillage in rural Kyrgyzstan.

o Providing solutions to access information on better farming methods and up-to-date information on the price of produce and business partners.

ICTs@Work: e-agriculture

o As a supporting organization for the industry-led Global e-Sustainability Initiative (GeSI), undertaking activities with UNEP aimed at addressing the environmental effects of telecom and ICTs.

o Working with Member States to develop strategies on the use of telecommunications and ICTs for the protection of the environment.

ICTs@Work: e-environment

Global e-Sustainability Initiative Supply Chain Working Group Benchmarking Report


o Enabling African business women and youths in Cameroon to use ICTs for e-employment.

o Improving social conditions by increasing income through the provisioning of ICT-enabled remunerated remote translation and document processing services.

ICTs@Work: e-employment

o ITU e-employment and e-business project for the association of business entrepreneurs in Africa (ASAFE).


o Establishing shared access to rural and remote communities in Pacific Island States.

o In June 2005 launched a project to implement 20 Multi-Purpose Community Centers in Solomon Islands and Western Samoa.

o Providing Internet Access (Email and Web) + e-commerce, e-agriculture and e-government solutions to rural population.

ICTs@Work: Connecting Island Communities

With Prime Minister of Western Samoa at Launch of Project – June 2005

Map of Guadalcanal Province, Solomon Islands showing locations for MCTs

o Assisting Member States in establishing harmonized e-legislation for 4 Latin American States (ASETA).

o Providing assistance to individual states (Burkina Faso, Cape Verde, Mauritania, Mongolia and Tanzania) to elaborate national legislation on ICTs.

Legislative Framework for ICTs

o Bringing together Member States to address regional policies and strategies for ICTs (e-applications, Internet and e-Security) (e.g., IP Symposia for Africa, Americas, Asia Pacific, and Europe and Arab Region leading to Kigali and Moscow and Dubai Declarations).

National and Regional Policies

ITU E-government and IP Symposium for 22 Arab States in Dubai (UAE) – 22-25 November 2004


Certificate Authority Challenges


Cross Certification

o A CA issues a certificate to another CA. This is applied to Strict Hierarchy (Root CAs)

o Establishment of Trust Relationship between CAs (Chain of Trust).

o Could result in Trust Cascades (A>B and B>C should not imply A>C).

o Trust relationship could be Mutual (Horizontal Trust relationship) or Unilateral (Vertical Trust relationship – Root CAs).


Bridge Certificate Authority

o A CA acts as a bridge between CAs in different PKI domains.

o Each CA establishes a Trust Relationship with the Bridge CA.

o The absence of direct relationships between CAs avoids overheads related to the establishment of direct trust relationships between co-operating CAs.


Cross Recognition

o No trust relationship on cross certification between CAs.

o Requires a mutually trusted and recognized third party.

o CA-CA Interoperability is achieved through the licensing or auditing by a mutually agreed authority.


Accreditation Certificate

o A combination of cross-certification and cross recognition.

o Involves the creation of an accreditation CA.

o Public Key of each CA is signed by accreditation CA.

o Used in Australia in the Gatekeeper Accreditation CA.

o Requires high level government structure and control to create hierarchy (e.g., government-wide PKI).


Certificate Policy – Plays an important role in the implementation of some of these initiatives

o Certificate Policy (CP) – A Named set of rules that indicate the applicability of a certificate to a particular community and/or class of applications of common security requirements.


Policy Mappings Extension

Allows a certification authority to indicate that certain policies in its own domain can be considered equivalent to certain other policies in the subject certification authority's domain.

ITU-T X.509: CA-CA Policy Interoperability

ITU-T X.509: Preventing Trust Cascades

Policy Constraints extension

o Ability for a certification authority to require that explicit certificate policy indications be present in all subsequent certificates in a certification path.

o Ability for a certification authority to disable policy mapping by subsequent certification authorities in a certification path.
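How the Policy Mappings and Policy Constraints extensions interact along a cross-certified path (A>B, B>C) can be shown with a small model. This is an added example, not part of the original presentation: a simplified sketch of X.509 policy processing in which the dictionary keys (`policies`, `mappings`, `require_explicit`, `inhibit_mapping`) and the policy names are assumptions, and signature checks, anyPolicy and self-issued certificates are left out.

```python
# Simplified model of X.509 certificate-policy processing; not a full path validator.
# Policy names ("A-high", "B-high", "C-basic") are constructed sample values.

def validate_policies(path):
    """path: certificates ordered from the one issued by the trust anchor down
    to the end entity. Returns the anchor-domain policies the path is valid
    for; raises ValueError if an explicit policy is required and none is left."""
    n = len(path)
    explicit_policy = n + 1   # 0 = a surviving policy is mandatory
    policy_mapping = n + 1    # 0 = policy mappings are no longer honoured
    valid = None              # current-domain policy -> anchor-domain policies
    for i, cert in enumerate(path, start=1):
        asserted = cert.get("policies", set())
        if valid is None:     # first certificate sets the anchor's domain
            valid = {p: {p} for p in asserted}
        else:                 # a policy must be asserted at every step
            valid = {p: src for p, src in valid.items() if p in asserted}
        if explicit_policy == 0 and not valid:
            raise ValueError(f"certificate {i}: no valid policy left")
        if i == n:
            break
        for issuer_pol, subject_pol in cert.get("mappings", {}).items():
            src = valid.pop(issuer_pol, None)
            if src and policy_mapping > 0:        # mapping honoured
                valid.setdefault(subject_pol, set()).update(src)
            # otherwise the mapping is inhibited and the policy is dropped
        explicit_policy = max(explicit_policy - 1, 0)
        policy_mapping = max(policy_mapping - 1, 0)
        if "require_explicit" in cert:            # Policy Constraints
            explicit_policy = min(explicit_policy, cert["require_explicit"])
        if "inhibit_mapping" in cert:
            policy_mapping = min(policy_mapping, cert["inhibit_mapping"])
    return set().union(*valid.values()) if valid else set()

def sample_path(constraints=None, end_domain="C"):
    """Constructed path: A cross-certifies B, B cross-certifies C."""
    a_to_b = {"policies": {"A-high"}, "mappings": {"A-high": "B-high"}}
    a_to_b.update(constraints or {})
    if end_domain == "B":
        return [a_to_b, {"policies": {"B-high"}}]
    b_to_c = {"policies": {"B-high"}, "mappings": {"B-high": "C-basic"}}
    return [a_to_b, b_to_c, {"policies": {"C-basic"}}]

if __name__ == "__main__":
    print(validate_policies(sample_path()))                        # cascade
    print(validate_policies(sample_path({"inhibit_mapping": 0})))  # nothing survives
```

With no constraints, a certificate issued under C's basic policy is accepted as A's high-assurance policy; with both constraints set to 0 in A's cross-certificate, the same path is rejected while a path ending in B's domain still validates.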


Building Online Trust For E-Government Digital Signature – Issues and Challenges

o Acceptance of Digital Signatures Across Multi-Jurisdictional PKI Domains (at the National, Regional and Global Levels).

o Adopting Policies for Generic Identity Certificates (PKI) and the relationship with Attribute Certificates (Privilege Management Infrastructures).

o Elaborating Harmonized and Technology Neutral E-Legislative Framework and Enforcement Mechanisms.

Strategy for E-Signatures and CAs

Online Trust and Security for e-Government Needs to be part of a comprehensive policy framework dealing with other e-services

What could be the Role of Governments in fostering e-government deployment and use?

o National/Regional Policies for the Management of Public IP Resources to ensure fair and equitable allocation of:

• Internet Protocol Addresses

• Domain Names (under ccTLDs)

o Creating an Enabling Environment for E-Applications (e.g.,):

• Accreditation of Certification Authorities

• Control and Enforcement Mechanisms (Spam, Spim, P/Vhishing and Data privacy legislations).

• Harmonized Regional Framework E-Legislation

o Active Role in Implementing e-government.

ITU Development Activities in E-government

Activities undertaken within the past three years.

o Projects using trust technologies (encryption, digital certificates, biometrics, smart cards/USB tokens) implemented in Bulgaria, Burkina Faso, Cambodia, Cameroon, Ecuador, Georgia, Paraguay, Peru, Senegal, Turkey, Vietnam and Zambia.

o Ongoing Projects in Barbados, Bhutan, Kyrgyz Republic, Jamaica and Rwanda.

o Workshops/Seminars on technology policies in Africa, Asia, Arab Region, Latin America and World.

o Assistance to ASETA, Burkina Faso, Cape Verde and Mongolia to elaborate legislation for e-signatures.

o Policy analysis, guidelines and best practices.

o Multi-lateral and self-regulatory framework launched - World e-Trust Memorandum of Understanding.

ITU WTDC E-Strategies Programme

An Overview of Related Projects and Activities

For ICT applications to deliver services aimed at reducing the social divide, enhancing basic services in health, educational, commercial and government sectors, citizens, governments and businesses must all have TRUST in the technologies and the solutions.

Thank You for your attention

For further information:

Web: http://www.itu.int/ITU-D/e-strategy

Email: [email protected]

CONCLUSION