III PKI exp 07152007
-
8/14/2019 III PKI exp 07152007
1/20
III's experience in PKI and its application
International Group
Institute for Information Industry
Aug. 2007
-
2/20
Foundation and Functions of PKI
PKI is there to ensure:
- Confidentiality
- Integrity
- Authentication
- Non-repudiation
Foundation of a PKI infrastructure:
- Public trust in the operating unit
- Provision of accountability
- Comprehensive and reliable audit trail, ...
- Ability to manage key pairs: generation, issuance, revocation, ...
- Provision of certificate inquiry services: convenient, fast and timely answers to inquiries about certificate validity, applicability, ...
-
3/20
PKI infrastructure in Taiwan
[Diagram: the Taiwan PKI hierarchy. The Taiwan PKI Digital Certificate Task Force sits above the Taiwan PKI Root and the PCA; under the PCA are the GCA (General Govt. Mgt. Center), the BCA (Biz. Adm. CA), the Citizen CA and other Govt and Private CAs, each with its own subordinate CAs. Alongside stand the Foreign Govt PKI Root, the Foreign Private PKI Root and foreign private PKI CAs operating in Taiwan.]
-
4/20
The ePKI system
- Developed and maintained by CHT
- In use and operating for GCA, BACA, CCA, ...
-
5/20
Complying Standards
- Certificate Policy and Certification Practices Framework: RFC 2527
- Certificate format: ITU-T Recommendation X.509 v3 (1997)
- Certificate revocation: ITU-T Recommendation X.509 v2 CRL (1997)
- Privilege Management Infrastructure: ITU-T X.509 4th Edition Draft v4
- ASN.1 syntax: ITU-T X.680, X.681, X.682 and X.208, X.209
- Certificate Management Protocol: RFC 2510
- Certificate Request Message Format: RFC 2511
-
6/20
Complying Standards
- On-line Certificate Status Protocol: RFC 2560
- Public key encryption algorithm: PKCS #1 RSA, 1024 to 2048 bits
- Data encryption syntax: PKCS #7
- Private key encryption algorithm: Triple DES (CBC mode, with 2 keys or 3 keys)
- Hash function: SHA-1
- Signature algorithm: RSA with SHA-1
- Private key syntax and protection: PKCS #8, PKCS #5
- Private key storage: diskette, IC card, or specially designed hardware (for CA and RA)
- Key management: ANSI X9.17
-
7/20
Key Features
- Highly reliable RA and CA security architecture, meeting ITSEC E3 and FIPS 140-1.
- Flexible design to support all kinds of certificate policies for various business models.
- Unified RA solution to minimize cost and expedite implementation.
- Distributed architecture with expandability and scalability (from enterprise to national infrastructure).
- Interface with SQL and ODBC.
-
8/20
Key Features
- Supports DSA and RSA signature algorithms, with an extension mechanism for other algorithms.
- Key pairs are easily integrated and used in applications for secured browsing and e-mail.
- Integrated into IC cards and related applications.
- Interoperable with other standardized PKI schemes and applications.
- Interface with LDAP directory services.
- Supports both Windows and UNIX systems.
-
9/20
[Diagram: certificate application and revocation flow between the Applicant, the Registration Authority (registration counter and Registration Server), the Certificate Authority (Certification Server), the Certificate Repository and the Cert. user.]
Cert. application: 1 → 2 → 3 → 4 → 5
1. Get cert. software
2. Apply for cert. (application approved at the registration counter)
3. Application data (RA to CA)
4. Request for cert. issuance
5. Publish issued cert. (to the repository)
Cert. revocation: a → b → c → d
a. Apply for revocation (by the cert. concerned)
b. Revocation data
c. Request for cert. revocation
d. Publish revoked cert. (to the repository)
Cert. user, against the repository: Get cert., Get CRL, Inquire cert. status
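The issuance and revocation flow on this slide, modelled as an added example (not code from the III deck or the ePKI system): a toy repository receives published certificates and revocations (steps 5 and d), and a relying party's "Get CRL" / "Inquire cert. status" check treats a CRL past its nextUpdate as giving no positive answer. The serial number, distinguished name and dates are constructed for illustration.

```python
# Added example, not from the III deck: a toy certificate repository for steps
# 5/d (publish issued/revoked cert.) and "Get CRL"/"Inquire cert. status".
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Cert:
    serial: int
    subject_dn: str        # X.500 distinguished name
    not_before: datetime
    not_after: datetime

@dataclass
class CRL:
    this_update: datetime
    next_update: datetime  # after this the CRL is stale
    revoked: dict = field(default_factory=dict)  # serial -> (date, reason)

class Repository:
    """Fed by the CA (publish_*), queried by certificate users (status)."""
    def __init__(self, start, crl_lifetime=timedelta(days=1)):
        self.certs, self.crl_lifetime = {}, crl_lifetime
        self.crl = CRL(start, start + crl_lifetime)
    def publish_issued(self, cert):                    # step 5
        self.certs[cert.serial] = cert
    def publish_revoked(self, serial, when, reason):   # step d: fresh CRL
        self.crl = CRL(when, when + self.crl_lifetime,
                       {**self.crl.revoked, serial: (when, reason)})
    def status(self, serial, at):
        # A listed revocation always wins; an unlisted serial on a stale CRL
        # gets no positive answer (fetch a newer CRL or ask OCSP, RFC 2560).
        cert = self.certs.get(serial)
        if cert is None:
            return "unknown"
        if not cert.not_before <= at <= cert.not_after:
            return "expired"
        entry = self.crl.revoked.get(serial)
        if entry is not None and entry[0] <= at:
            return "revoked"
        return "crl_stale" if at > self.crl.next_update else "good"

def demo():
    # Constructed sample data: one cert through issuance, a stale CRL,
    # revocation and expiry.
    t0, d = datetime(2007, 8, 1), timedelta
    repo = Repository(t0)
    repo.publish_issued(Cert(1001, "CN=Example Corp,O=Business,C=TW", t0, t0 + d(days=365)))
    good, unknown = repo.status(1001, t0 + d(hours=1)), repo.status(9999, t0 + d(hours=1))
    stale = repo.status(1001, t0 + d(days=2))          # CRL is past nextUpdate
    repo.publish_revoked(1001, t0 + d(days=2), "keyCompromise")
    revoked = repo.status(1001, t0 + d(days=2, hours=1))
    return good, unknown, stale, revoked, repo.status(1001, t0 + d(days=400))
```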
-
10/20
Certificate Subject
- Can be a person, organization, server or application program
- Naming: distinguished name per X.500
-
11/20
Hierarchical CA and RA
[Diagram: the eCA at the root; beneath it Subordinate CA1, CA2, ..., CAn; each subordinate CA with its RAs (RA11, RA12, ..., RA1a; RA21, RA22, ..., RA2b; RAn1, RAn2, ..., RAnn); each RA with registration counters (RAC111, RAC112, ..., RAC11n, ..., RACnnn).]
-
12/20
Scope of applications and level of trust
Scope of applications:
- Company's intranet
- Inter-company
- Company to individuals
- Individual to individual
Level of trust:
- Class 1
- Class 2
- Class 3
- Class 4
-
13/20
Reasons for using BA_cert
- Facilitate a trust mechanism for online transactions
- Strengthen enterprise competitiveness through G2B services
- Create business value by integrating G2B and B2B services
- Facilitate other secured business models
-
14/20
Application for a BA_cert.
[Diagram: BA_cert application flow. Parties: Applicant / Corporation, County govt service window, Designated registration unit (RA), the application processing site behind firewalls (Registration Server & repository, Cert. Server, secured operations center) and the card making center. Steps (3) and (4) are uncaptioned in the figure.]
(1) Application form download (from the BA-system)
(2) Fill the form
Hand in the application form with ID at the county govt service window; forms are reviewed and forwarded in batch to the designated registration unit
Cert. issuance:
(5) Print / issue cert. (card making center)
(6) Deliver cert.
(7) Open the cert.
-
15/20
Applications of BA_cert
BA_cert facilitates a trust mechanism for secured online transactions: G2B, B2B, ...
G2B applications:
- Registration of corporations and related items
- Online govt procurement procedure
- G2B document exchange
- Company income tax filing
- Employee insurance registration
- Electronic invoice
B2B applications:
- Electronic invoice
- Electronic payment
-
16/20
Business certificates used in the systems
- DOC: online registration of corporations, http://eicm.moea.gov.tw
- Tendering procedures in govt electronic procurement, http://www.geps.gov.tw
- Government document exchange in securities administration, http://eweb.tse.com.tw
- Labor insurance registration and inquiry with the Labor insurance agency, http://www.blia.gov.tw
- Customs declaration procedures, http://asp.dgoc.gov.tw
-
17/20
Govt online service with fund transfer (ft) to treasury
[Diagram: payment flow for a government online service. The Corporation (applicant) authenticates to the govt agency service site (labelled CHT) with its BA_Cert, account and password; the validated fund transfer data goes through the payment gateway to the participating bank, which produces the paying-in slip and pays the fund in to the designated agent bank and the treasury (BOT, CBC, OCB). The cashier, check-up unit and accounting exchange checking result files, daily check sheets, fund withdraw notices and paid-in notices, checking the amounts; the applicant receives a receipt e-mailed with the approved permit.]
-
18/20
Applications of other certificates
- Government document exchange with G_cert by officials
- Citizen income tax filing with C_cert
- Medical payment application with H_cert by doctors
- Vehicle administration/services with C_cert
- Online trading of stocks with X_cert
-
19/20
Why III in PKI management
- III has extensive experience in implementing Taiwan's e-Gov PKI system
- III plays the leading role in Taiwan's PKI policy for government
- III has good global connections in the international PKI community
- III develops many PKI-enabling systems for the Taiwan government
-
20/20
Thank you very much