Enhancing System Security Using PUBLIC KEY INFRASTRUCTURE SecureMetric Technology Inc. www.securemetric.com
Enhancing System Security
Using PUBLIC KEY
INFRASTRUCTURE
SecureMetric Technology Inc. www.securemetric.com
REAL WORLD SECRET
Fake MARY’S Public Key
MESSAGE
+ ENCRYPTED MESSAGE
MARY’S Public Key
MODIFIED ENCRYPTED MESSAGE
+
Public Key
Core Technology
Public Key Cryptography (Asymmetric Cryptography) Very first Asymmetric Algorithm (RSA) was published in 1977
Disclaimer
• I am not a legal pracPPoner • I’m just a guy with experience in the PKI industry and is passionate enough about PKI to have researched on the Electronic commerce and Digital Signature Acts of a few countries.
Do not take what I say as legal advice!
Electronic Commerce Act 2000
• “Electronic” Signatures becomes acceptable in court (Sect 8-‐11).
• Sec 5.E “Electronic signature” refers to any disPncPve mark, characterisPc and/or sound in electronic form, represenPng the idenPty of a person and a_ached to or logically associated with the electronic data message or electronic document or any methodology or procedures employed or adopted by a person and executed or adopted by such person with the intenPon of authenPcaPng or approving an electronic data message or electronic document.
“Electronic Signature”
Sec. 8. Legal Recogni/on of Electronic Signatures. An electronic signature on the electronic document shall be equivalent to the signature of a person on a wri_en document if that signature is proved by showing that a prescribed procedure, not alterable by the parPes interested in the electronic document
Rules on Electronic Evidence issued by the Supreme court in 2001 men/ons specifically Asymmetric or Public Cryptosystem (PKI).
Electronic Commerce Act 2000 SEC. 27. Government Use of Electronic Data Messages, Electronic Documents and Electronic Signatures. All departments, bureaus, offices and agencies of the government, as well as all government-‐owned and-‐controlled corporaPons shall within 2 years, accept electronic documents signed with “Electronic” Signatures.
h?p://i.gov.ph/e-‐government-‐where-‐are-‐we-‐now/
Electronic Commerce Act 2000 SEC. 31. Lawful Access. -‐ Access to an electronic file, or an electronic signature of an electronic data message or electronic document shall only be authorized and enforced in favor of the individual or enPty having a legal right to the possession or the use of the plaintext, electronic signature or file and solely for the authorized purposes. The electronic key for idenPty or integrity shall not be made available to any person or party without the consent of the individual or enPty in lawful possession of that electronic key.
• AdopPon of a naPonal level Public Key Infrastructure.
• IdenPficaPon of Agencies responsible.
• Secng up of framework for AccreditaPon.
• Funding and resources. • DirecPves for the Private sector.
• Fees. • CerPficate Authority hierarchy.
ExecuPve Order 810 (2009)
• Philippine AccreditaPon Office (PAO) is put in-‐charged of AccreditaPon of CerPficate authoriPes (CA) including private sector CAs.
ExecuPve Order 810 (2009)
• InformaPon and CommunicaPon Technology Office (ICTO) under DOST is put in-‐charged of the IT infrastructure and operaPons for the NaPonal CerPficate authority (CA).
ExecuPve Order 810 (2009)
Department of Science and Technology (DOST)
• Advanced Science and Technology InsPtute (ASTI) under DOST is put in-‐charged of Technology and project management of the NaPonal PKI iniPaPve.
ExecuPve Order 810 (2009)
Advanced Science and Technology InsMtute (ASTI)
Roles • CA= CerPficate Authority • RA= RegistraPon Authority
ExecuPve Order 810 (2009)
CA
RA RA RA Policy Procedures
LegislaPon
Philippines NaPonal PKI
Technology
EncrypPon AuthenPcaPon
LegislaPon
Digital Signature
In Conclusion…
The Security of ZiaPay
• Each ZiaPay terminal is equipped with a digital cerPficate
• Each transacPon is signed to ensure authenPcity
• Each transacPon is encrypPon to ensure privacy
• ConnecPon between each Ziapay terminal and the servers are secured using SSL
Forwarding Agent
DAGANG NET
KDRM
Code 20 -‐ Approval obtained from KDRM Code 25 -‐ Pre-‐credit received
(3a) Confirm
ation of Payment
(3) Execute Payment Web (https)
(5) Pre-credit received
(5) Pre-credit received
(1) Customs Declaration (CUSDEC)
(1) Customs Declaration (CUSDEC)
(2) Customs Acknowledgement (Code 20)
(2) Customs Acknowledgement (Code 20) (4a) Auto-Debit Advice
(4b) Auto-Credit Advice
(4a) Debit Advice (4b) Credit Advice
BNM RENTAS
Immediate on-line crediting to KDRM