Enhancing System Security Using PUBLIC KEY INFRASTRUCTURE SecureMetric Technology Inc. www.securemetric.com
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Enhancing System Security
Using PUBLIC KEY
INFRASTRUCTURE
SecureMetric Technology Inc. www.securemetric.com
What is PKI?
Public Key Infrastructure
Public Key Private Key
What is a Certificate Authority?
SECRET
MARY’S Public Key
IDEAL WORLD
MESSAGE
+ ENCRYPTED MESSAGE
REAL WORLD SECRET
Fake MARY’S Public Key
MESSAGE
+ ENCRYPTED MESSAGE
MARY’S Public Key
MODIFIED ENCRYPTED MESSAGE
+
HOW TO SOLVE PROBLEM?
SECRET
MESSAGE
+ ENCRYPTED MESSAGE
MARY’S Public Key
We are going round in circle!
PROBLEM SOLVED
CPS & CP���
CERTIFICATE AUTHORITY
Why PKI?
4 Trust Requirements
The Philippines: Ready for PKI?
Public Key Infrastructure
Public Key
Core Technology
Public Key Cryptography (Asymmetric Cryptography) Very first Asymmetric Algorithm (RSA) was published in 1977
Public Key Infrastructure
Infrastructure
InformaPon Technology
LegislaPon
Enforcement
Policy
Procedures
LegislaPon
LegislaPon
Disclaimer
• I am not a legal pracPPoner • I’m just a guy with experience in the PKI industry and is passionate enough about PKI to have researched on the Electronic commerce and Digital Signature Acts of a few countries.
Do not take what I say as legal advice!
EO 801 eCommerce Act 2000
Electronic Commerce Act 2000
• “Electronic” Signatures becomes acceptable in court (Sect 8-‐11).
• Sec 5.E “Electronic signature” refers to any disPncPve mark, characterisPc and/or sound in electronic form, represenPng the idenPty of a person and a_ached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intenPon of authenPcaPng or approving an electronic data message or electronic document.
“Electronic Signature”
Sec. 8. Legal Recogni/on of Electronic Signatures. An electronic signature on the electronic document shall be equivalent to the signature of a person on a wri_en document if that signature is proved by showing that a prescribed procedure, not alterable by the parPes interested in the electronic document
Rules on Electronic Evidence issued by the Supreme court in 2001 men/ons specifically Asymmetric or Public Cryptosystem (PKI).
Electronic Commerce Act 2000 SEC. 27. Government Use of Electronic Data Messages, Electronic Documents and Electronic Signatures. All departments, bureaus, offices and agencies of the government, as well as all government-‐owned and-‐controlled corporaPons shall within 2 years, accept electronic documents signed with “Electronic” Signatures.
h?p://i.gov.ph/e-‐government-‐where-‐are-‐we-‐now/
Electronic Commerce Act 2000 SEC. 31. Lawful Access. -‐ Access to an electronic file, or an electronic signature of an electronic data message or electronic document shall only be authorized and enforced in favor of the individual or enPty having a legal right to the possession or the use of the plaintext, electronic signature or file and solely for the authorized purposes. The electronic key for idenPty or integrity shall not be made available to any person or party without the consent of the individual or enPty in lawful possession of that electronic key.
• AdopPon of a naPonal level Public Key Infrastructure.
• IdenPficaPon of Agencies responsible.
• Secng up of framework for AccreditaPon.
• Funding and resources. • DirecPves for the Private sector.
• Fees. • CerPficate Authority hierarchy.
ExecuPve Order 810 (2009)
• Philippine AccreditaPon Office (PAO) is put in-‐charged of AccreditaPon of CerPficate authoriPes (CA) including private sector CAs.
ExecuPve Order 810 (2009)
• InformaPon and CommunicaPon Technology Office (ICTO) under DOST is put in-‐charged of the IT infrastructure and operaPons for the NaPonal CerPficate authority (CA).
ExecuPve Order 810 (2009)
Department of Science and Technology (DOST)
• Advanced Science and Technology InsPtute (ASTI) under DOST is put in-‐charged of Technology and project management of the NaPonal PKI iniPaPve.
ExecuPve Order 810 (2009)
Advanced Science and Technology InsMtute (ASTI)
Roles • CA= CerPficate Authority • RA= RegistraPon Authority
ExecuPve Order 810 (2009)
CA
RA RA RA Policy Procedures
LegislaPon
Philippines NaPonal PKI
Technology
EncrypPon AuthenPcaPon
LegislaPon
Digital Signature
In Conclusion…
Why Should Banks Use PKI?
Miss World 2013
September 28, 2013…
Megan Young
September 29, 2013…
Other variants of malware email…
Simple Email Content…
How do we know who is your real friend in the
anonymous world of Internet?
Wouldn’t it be nice if…
How do you know if this actually belong to a legiMmate organizaMon?
Give your POS Terminal an idenMty!
Introducing…
JCOP RFID Card with PKI Enabled Chip
The Security of ZiaPay
• Each ZiaPay terminal is equipped with a digital cerPficate
• Each transacPon is signed to ensure authenPcity
• Each transacPon is encrypPon to ensure privacy
• ConnecPon between each Ziapay terminal and the servers are secured using SSL
Case Study: ePayment & Customs
Declaration
Forwarding Agent
DAGANG NET
KDRM
Code 20 -‐ Approval obtained from KDRM Code 25 -‐ Pre-‐credit received
(3a) Confirm
ation of Payment
(3) Execute Payment Web (https)
(5) Pre-credit received
(5) Pre-credit received
(1) Customs Declaration (CUSDEC)
(1) Customs Declaration (CUSDEC)
(2) Customs Acknowledgement (Code 20)
(2) Customs Acknowledgement (Code 20) (4a) Auto-Debit Advice
(4b) Auto-Credit Advice
(4a) Debit Advice (4b) Credit Advice
BNM RENTAS
Immediate on-line crediting to KDRM
Related Documents
