© 1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights...
-
Upload
donna-franklin -
Category
Documents
-
view
215 -
download
0
Transcript of © 1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights...
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 1
Security and Trust for E-Transactions
Alexander NTOKO, Head, E-Strategy UnitTelecommunication Development Bureau (BDT)[email protected] http://www.itu.int/ITU-D/e-strategy
ITU-T Workshop on Multimedia Convergence
ITU HQ, Geneva, Switzerland 12-15 March 2002
International Telecommunication Union (ITU)
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 2
There is a Growing Need for Security…
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 3
…due to lack of confidence…
“On the Internet, nobodyknows you’re a dog…”
Identification isthe Challenge
…but in e-transactions, it is important to Know if you are dealing with a dog.
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 4
But what are the Security Threats?
o Eavesdropping: where intermediaries “listen” in on private conversations
o Manipulation: where intermediaries intercept and change information in a private communication
o Impersonation: where a sender or receiver uses a false identity for communication
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 5
What are the Requirements?Building confidence in e-transactions
o Confidentiality• Information accessed only by those authorized
o Integrity• No information added, changed, or taken out
o Authentication• Parties are who they pretend to be
o Non-repudiation• Originator cannot deny origin
o Infrastructure of trust• Automating the checking of identities
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 6
How can we Enhance trust?
Confidentiality EncryptionWho am I dealing with? AuthenticationMessage integrity Message DigestNon-repudiation Digital SignatureThird party evidence of authenticity CertificateTrusted certificate Certification Authorities
Symmetric key encryption system
Same key is used to both encrypt and decrypt data
Examples of encryption systems: DES, 3DES, RC2, RC4, RC5DES: Data Encryption Standard, US Gov 1977, developed at IBM
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 8
Symmetric key encryption system
o AdvantagesFast, secure, widely understood
o Disadvantages
Requires secret sharing
Requires large number of keys
No authentication
No non-repudiation
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 9
Public key encryption system
o Concept introduced in 1976 by Diffie and Hellman
o RSA, the most popular, was invented in 1977 by Rivest, Shamir, and Adleman
o RSA (www.rsa.com) was founded in 1982
o Everyone has a private key and a public keyo Sender uses the receiver’s public key to encrypt
messageo Only receiver’s private key can decrypt messageo Discovering private key kept by one person is
more difficult than discovering shared secret key
Public key encryption system
Each user has 2 keys: what one key encrypts,only the other key in the pair can decrypt.Public key can be sent in the open.Private key is never transmitted or shared.
Recipient’s Public Key Recipient’s Private Key
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 11
Public key encryption system
o Example: RSAo Advantages
No secret sharing riskProvides authentication, non-repudiationInfeasible to determine one key from the other
o DisadvantagesComputationally intense (in software, DES is at least 100 times faster than RSA)Requires authentication of public keys
Sender Authentication
Using Public Key Encryption “backwards” provides authentication of the sender
Sender’s Public KeySender’s Private Key
Message Digest
Hash Algorithm
Digest
- Used to determine if document has changed- Usually 128-bit or 160-bit “digests”- Infeasible to produce a document matching
a digest- A one bit change in the document affects
about half the bits in the digest
Plaintext
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 14
Message Digest
o Common hash algorithms• MD2 (128-bit digest)• MD4 (128-bit digest)• MD5 (128-bit digest)• SHA-1 (160-bit digest)
Digital Signature
Signer’s Private Key
SignedDocument
EncryptedDigestHash
Algorithm
Digest
Verifying the Digital Signaturefor Authentication and Integrity
Hash Algorithm
Digest
Digest??
Signer’sPublic Key
Integrity: One bit change in the content changes the digest
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 17
Digital Signature
Guarantees:o Integrity of document
One bit change in document changes the digest
o Authentication of senderSigner’s public key decrypts digest sent and decrypted digest matches computed digest
o Non-repudiationOnly signer’s private key can encrypt digest that is decrypted by his/her public key and matches the computed digest. Non-repudiation prevents reneging on an agreement by denying a transaction.
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 18
Digital Certificate
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 19
Digital Certificate
o A digital certificate or Digital ID is a computer-based record that attests to the binding of a public key to an identified subscriber.
o Certificate issued by Certification Authority (CA).o Certified digital signature attests to message
content and to the identity of the signer.o Combined with a digital time stamp, messages can
be proved to have been sent at certain time.
Digital Envelope
Combines the high speed of DES (symmetric encryption) and the key management convenience of RSA (public key encryption)
“DigitalEnvelope”
One timeencryption Key
Recipient’sPublic Key
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 21
ITU-T X.509 Certificate
o Standard certificate virtually everyone uses.o Includes: serial number, name of individual
or system (X.500 name - e.g., CN=John Smith, OU=Sales,
O=XYZ, C=US), issuer (X.500 name of CA), validity period, public key, cryptographic algorithm used, CA digital signature, etc., plus flexible extensions in Version 3.
o Certificate is signed by the issuer to authenticate the binding between the subject name and the related public key.
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 22
ITU-T X.509 Certificate Version 3
o Version 3 standard extensions include subject and issuer attributes, certification policy information, key usage restrictions, e-mail address, DNS name, etc.
o Example of special extensions: account number, postal address, telephone number, photograph (image data), birthday to block users younger than specified age to access certain contents of a Web server, preferred language, etc.
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 23
Security Technologies – Which One?
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 24
Components of PKI
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 25
ITU E-Security – Brief Status of Activities
o Expanded from EC-DC to Secure e-transaction based on PKI as a result of partnership with WISeKey.
o 20+ security companies worked for 16 months to develop infrastructure + Applications under ITU EC-DC
o 100+ DCs interested in this project. Since deployment started in Q4 2001, 12 DCs countries from Africa, Asia Latin America scheduled to be operational in Q1 2002.
o First ever deployment of digital certification technology and Apps (based on PKI) in the most of the DCs.
o More than US$ 10 million in in-kind contribution from industry partners.
o Lauching multilateral framework (World e-Trust) to expand deployment to more developing countries.
But for it to make sense, it must be available to all…
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 26
ITU E-Security - Accomplishments
…an enormous opportunity for the sub-Saharan African states. - World Bank.
Without such initiatives, many countries would stay on the exit ramp. - OPTOROUTE Online
EC-DC Does IT - Time Magazine
The conditions for safe e-business transactions ensured by the EC-DC …- UNIDO … essential in providing the infrastructure for global e-commerce. - International Law Section EC-DC - Bridging the Digital Divide - International Security Review
“… enabling one of the largest certified communities in the world…” - SmartCard Central
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 27
ITU E-Security– Solutions & Services
Operational Certification Authority for DCs
Generic Cost-effective and Scalable Platform
Strong Security - PSE (tokens, smart cards)
Services and Solutions for Various Sectors
PKI-enabled Applications for Various Sectors
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 28
Using tokens to secure B2B e-marketplace
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 29
Signing and encrypting Email
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 30
Securing Access to E-Mail using PSE
©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved. Page - 31
World e-Trust MoU – the way forward
Objective: Technology neutral and technology independent framework for contributions towards a beneficial, non-exclusive, cost-effective and global deployment of secure e-transaction infrastructures, applications and services in DCs and LDCs worldwide.
Framework: Self regulatory, self funding consisting of a Depository, a Steering Committee and Working Groups to undertake project activities.
Signatories: ITU Member States, Sector Members, public or private sector willing to contribute to one or more activities to be undertaken within an established Working Group.
Entry in Force: Signature of ITU, at least 5 Contributing entities and at least 10 Member States.
With more than 100 DCs and LDCs interested in E-Services infrastructure, how do we proceed?