Enhancing System Security Using PKI

Enhancing System Security

Using PUBLIC KEY

INFRASTRUCTURE

SecureMetric Technology Inc. www.securemetric.com

What is PKI?

Public Key Infrastructure

Public Key Private Key

What is a Certificate Authority?

SECRET

MARY’S Public Key

IDEAL WORLD

MESSAGE

+ ENCRYPTED MESSAGE

REAL WORLD SECRET

Fake MARY’S Public Key

MESSAGE

+ ENCRYPTED MESSAGE

MARY’S Public Key

MODIFIED ENCRYPTED MESSAGE

+

HOW TO SOLVE PROBLEM?

SECRET

MESSAGE

+ ENCRYPTED MESSAGE

MARY’S Public Key

We are going round in circle!

PROBLEM SOLVED

CPS & CP��

CERTIFICATE AUTHORITY

Why PKI?

4 Trust Requirements

The Philippines: Ready for PKI?

Public Key

Core Technology

Public Key Cryptography (Asymmetric Cryptography) Very first Asymmetric Algorithm (RSA) was published in 1977

Infrastructure

InformaPon Technology

LegislaPon

Enforcement

Policy

Procedures

LegislaPon

LegislaPon

Disclaimer

•  I am not a legal pracPPoner •  I’m just a guy with experience in the PKI industry and is passionate enough about PKI to have researched on the Electronic commerce and Digital Signature Acts of a few countries.

Do not take what I say as legal advice!

EO 801 eCommerce Act 2000

Electronic Commerce Act 2000

•  “Electronic” Signatures becomes acceptable in court (Sect 8-‐11).

•  Sec 5.E “Electronic signature” refers to any disPncPve mark, characterisPc and/or sound in electronic form, represenPng the idenPty of a person and a_ached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intenPon of authenPcaPng or approving an electronic data message or electronic document.

“Electronic Signature”

Sec. 8. Legal Recogni/on of Electronic Signatures. An electronic signature on the electronic document shall be equivalent to the signature of a person on a wri_en document if that signature is proved by showing that a prescribed procedure, not alterable by the parPes interested in the electronic document

Rules on Electronic Evidence issued by the Supreme court in 2001 men/ons specifically Asymmetric or Public Cryptosystem (PKI).

Electronic Commerce Act 2000 SEC. 27. Government Use of Electronic Data Messages, Electronic Documents and Electronic Signatures. All departments, bureaus, offices and agencies of the government, as well as all government-‐owned and-‐controlled corporaPons shall within 2 years, accept electronic documents signed with “Electronic” Signatures.

h?p://i.gov.ph/e-‐government-‐where-‐are-‐we-‐now/

Electronic Commerce Act 2000 SEC. 31. Lawful Access. -‐ Access to an electronic file, or an electronic signature of an electronic data message or electronic document shall only be authorized and enforced in favor of the individual or enPty having a legal right to the possession or the use of the plaintext, electronic signature or file and solely for the authorized purposes. The electronic key for idenPty or integrity shall not be made available to any person or party without the consent of the individual or enPty in lawful possession of that electronic key.

•  AdopPon of a naPonal level Public Key Infrastructure.

•  IdenPficaPon of Agencies responsible.

•  Secng up of framework for AccreditaPon.

•  Funding and resources. •  DirecPves for the Private sector.

•  Fees. •  CerPficate Authority hierarchy.

ExecuPve Order 810 (2009)

•  Philippine AccreditaPon Office (PAO) is put in-‐charged of AccreditaPon of CerPficate authoriPes (CA) including private sector CAs.


•  InformaPon and CommunicaPon Technology Office (ICTO) under DOST is put in-‐charged of the IT infrastructure and operaPons for the NaPonal CerPficate authority (CA).


Department of Science and Technology (DOST)

•  Advanced Science and Technology InsPtute (ASTI) under DOST is put in-‐charged of Technology and project management of the NaPonal PKI iniPaPve.


Advanced Science and Technology InsMtute (ASTI)

Roles •  CA= CerPficate Authority •  RA= RegistraPon Authority


CA

RA RA RA Policy Procedures

LegislaPon

Philippines NaPonal PKI

Technology

EncrypPon AuthenPcaPon

LegislaPon

Digital Signature

In Conclusion…

Why Should Banks Use PKI?

Miss World 2013

September 28, 2013…

Megan Young

September 29, 2013…

Other variants of malware email…

Simple Email Content…

How do we know who is your real friend in the

anonymous world of Internet?

Wouldn’t it be nice if…

How do you know if this actually belong to a legiMmate organizaMon?

Give your POS Terminal an idenMty!

Introducing…

JCOP RFID Card with PKI Enabled Chip

The Security of ZiaPay

•  Each ZiaPay terminal is equipped with a digital cerPficate

•  Each transacPon is signed to ensure authenPcity

•  Each transacPon is encrypPon to ensure privacy

•  ConnecPon between each Ziapay terminal and the servers are secured using SSL

Case Study: ePayment & Customs

Declaration

Forwarding Agent

DAGANG NET

KDRM

Code 20 -‐ Approval obtained from KDRM Code 25 -‐ Pre-‐credit received

(3a) Confirm

ation of Payment

(3) Execute Payment Web (https)

(5) Pre-credit received

(5) Pre-credit received

(1) Customs Declaration (CUSDEC)

(1) Customs Declaration (CUSDEC)

(2) Customs Acknowledgement (Code 20)

(2) Customs Acknowledgement (Code 20) (4a) Auto-Debit Advice

(4b) Auto-Credit Advice

(4a) Debit Advice (4b) Credit Advice

BNM RENTAS

Immediate on-line crediting to KDRM

Enhancing System Security Using PKI

Internet

Transcript of Enhancing System Security Using PKI