Slide 1 EC-DC © 2000 - ITU Telecommunication Development Bureau (BDT). All Rights Reserved. AFRINET2000 The Africa Internet Summit & Exhibition Abuja,

Slide 1: E-Business Core Technologies and Secure Payment Solutions
EC-DC, AFRINET2000, The Africa Internet Summit & Exhibition, Abuja, Nigeria, September 2000
Alexander NTOKO, Project Manager, ITU Electronic Commerce, ITU Telecommunication Development Bureau (BDT)
Web:

Slide 2: Technology Requirements
- Authentication
- Encryption
- Data Integrity
- Non-Repudiation
- Access Control
- Secure Online Payments

Slide 3: Symmetric key encryption system
The same key is used to both encrypt and decrypt data.
Examples of encryption systems: DES, 3DES, RC2, RC4, RC5.
DES: Data Encryption Standard, US Government standard 1977, developed at IBM.

Slide 4: Public key encryption system
Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt.
The public key can be sent in the open. The private key is never transmitted or shared.
(Figure: the message is encrypted with the Recipient's Public Key and decrypted with the Recipient's Private Key.)

Slide 5: Sender Authentication
Using public key encryption "backwards" provides authentication of the sender.
(Figure: the message is encrypted with the Sender's Private Key and decrypted with the Sender's Public Key.)

Slide 6: Message Digest
(Figure: Document -> Hash Algorithm -> Digest)
- Used to determine if a document has changed
- Usually 128-bit or 160-bit "digests"
- Infeasible to produce a document matching a digest
- A one-bit change in the document affects about half the bits in the digest

Slide 7: Message Digest: Common hash algorithms
- MD2 (128-bit digest)
- MD4 (128-bit digest)
- MD5 (128-bit digest)
- SHA-1 (160-bit digest)
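The "about half the bits change" property on slide 6 can be measured directly. The Python below is an added example and not part of the presentation: it flips every single bit of a constructed document in turn, recomputes the digest with Python's standard hashlib, and reports the digest length and the average number of digest bits that changed. It covers MD5 and SHA-1 from slide 7 and adds SHA-256, which is what a practitioner would deploy today; MD2 and MD4 are not provided by hashlib and are not demonstrated. The document text and the function names are constructed for this example.

```python
import hashlib

# Constructed sample document (not from the slides).
DOCUMENT = b"Transfer 1000 USD to account 12345678"


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit toggled (bit 0 is the MSB of byte 0)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(buf)


def digest_bits(algorithm: str, data: bytes) -> int:
    """Digest as an integer so that individual bits can be compared."""
    return int.from_bytes(hashlib.new(algorithm, data).digest(), "big")


def digest_length_bits(algorithm: str) -> int:
    """Output size of the algorithm in bits (128 for MD5, 160 for SHA-1, ...)."""
    return hashlib.new(algorithm).digest_size * 8


def changed_bits(algorithm: str, data: bytes, bit_index: int) -> int:
    """Number of digest bits that differ after flipping one input bit (avalanche effect)."""
    before = digest_bits(algorithm, data)
    after = digest_bits(algorithm, flip_bit(data, bit_index))
    return bin(before ^ after).count("1")


def avalanche_report(data: bytes, algorithms=("md5", "sha1", "sha256")) -> dict:
    """For each algorithm: (digest length in bits, average bits changed per single-bit flip).

    Every bit of data is flipped once, so the average is over len(data) * 8 trials.
    """
    trials = len(data) * 8
    report = {}
    for alg in algorithms:
        total = sum(changed_bits(alg, data, i) for i in range(trials))
        report[alg] = (digest_length_bits(alg), total / trials)
    return report


if __name__ == "__main__":
    for alg, (length, avg) in avalanche_report(DOCUMENT).items():
        # Expect roughly length / 2 bits to change per flipped input bit.
        print(f"{alg:7s} {length:3d}-bit digest, {avg:6.1f} bits change on average")
```

The averages sit close to half the digest length for every algorithm, which is the integrity argument of slides 6 and 9 in numbers: a single flipped bit in the document produces a digest that shares no useful structure with the original. The property says nothing about collision resistance, which is why MD5 and SHA-1 are no longer acceptable for signatures even though they still exhibit the same avalanche behaviour.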

Slide 8: Digital Signature
(Figure: the document is passed through the Hash Algorithm to produce a Digest; the Digest is encrypted with the Signer's Private Key to give the Encrypted Digest; the document together with the Encrypted Digest forms the Signed Document.)

Slide 9: Verifying the Digital Signature for Authentication and Integrity
(Figure: the received document is passed through the Hash Algorithm again to produce a Digest; the Encrypted Digest is decrypted with the Signer's Public Key; the two digests are compared.)
Integrity: a one-bit change in the content changes the digest.

Slide 10: ITU X.509 Certificate
The standard certificate virtually everyone uses. It includes: serial number; name of the individual or system (X.500 name, e.g. CN=John Smith, OU=Sales, O=XYZ, C=US); issuer (X.500 name of the CA); validity period; public key; cryptographic algorithm used; CA digital signature; etc., plus flexible extensions in Version 3.
The certificate is signed by the issuer to authenticate the binding between the subject name and the related public key.

Slide 11: ITU X.509 Version 3
Version 3 standard extensions include subject and issuer attributes, certification policy information, key usage restrictions, address, DNS name, etc.
Examples of special extensions: account number, postal address, telephone number, photograph (image data), birthday (to block users younger than a specified age from accessing certain contents of a Web server), preferred language, etc.

Slide 12: Certification Authority Issues
- Issuing certificates is easy; managing them effectively and securely is difficult: CAs must maintain a Certificate Revocation List (CRL), must not store private keys (risk of "identity theft"), ...
- Trust depends on the integrity and security of the CA's practices and procedures
- Users will have many certificates (e.g., one for the Intranet, one for the Extranet, one at home)
- Interoperability: need for standards
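Slides 4, 5, 8, 9, 10 and 12 describe one pipeline: a key pair, a digest signed with the private key and checked with the public key, a certificate in which a CA signs the binding between a subject name and a public key, and a revocation list the CA must maintain. The Python below is an added example that walks that pipeline end to end; it is not code from the presentation, from ITU or from WISeKey. It uses textbook RSA (no padding) over keys built from Mersenne primes so that it runs offline and deterministically, which makes the keys trivially factorable and useless outside a classroom, and it stands in a JSON dictionary for the ASN.1/DER encoding of a real X.509 certificate. The function names, the example CA's distinguished name, the serial number 1001 and the validity dates are constructed; the subject name is the X.500 example from slide 10.

```python
import hashlib
import json

# --- Toy RSA (textbook, no padding) -------------------------------------
# Keys are built from Mersenne primes so the example is deterministic and
# runs offline. Such keys are trivially factorable and textbook RSA has no
# padding: this models the slides, it is not a usable key generator.
E = 65537


def make_toy_keypair(p, q):
    """Return ((n, e), (n, d)) for the primes p and q (constructed for this example)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # modular inverse, Python >= 3.8
    return (n, E), (n, d)


CA_PUBLIC, CA_PRIVATE = make_toy_keypair((1 << 521) - 1, (1 << 127) - 1)
# In a real deployment the subject generates this pair itself and the CA only
# ever sees the public half (slide 12: the CA must not store private keys).
USER_PUBLIC, USER_PRIVATE = make_toy_keypair((1 << 607) - 1, (1 << 107) - 1)


def digest(document: bytes) -> int:
    """Slides 6 and 8: what gets signed is a fixed-size digest of the document."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_key) -> int:
    """Slide 8: 'encrypt' the digest with the signer's private key."""
    n, d = private_key
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, public_key) -> bool:
    """Slide 9: recover the digest with the signer's public key and compare with a fresh one."""
    n, e = public_key
    return pow(signature, e, n) == digest(document)


def encrypt_for(message: bytes, public_key) -> int:
    """Slide 4: anyone may encrypt with the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Slide 4: only the matching private key recovers the plaintext (leading zero bytes are dropped)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# --- A minimal certificate and its validation (slides 10 and 12) ---------
def tbs_bytes(tbs: dict) -> bytes:
    """Canonical encoding so that issuer and verifier hash exactly the same bytes."""
    return json.dumps(tbs, sort_keys=True, separators=(",", ":")).encode()


def make_certificate(serial, subject_dn, subject_public, issuer_dn,
                     not_before, not_after, ca_private):
    """Bind a subject name to a public key under the CA's signature (the slide 10 fields)."""
    tbs = {
        "serial": serial,
        "subject": subject_dn,
        "issuer": issuer_dn,
        "not_before": not_before,       # ISO dates: string order equals date order
        "not_after": not_after,
        "public_key": list(subject_public),
        "algorithm": "toy-RSA-SHA256",  # label for this example only
    }
    return {"tbs": tbs, "signature": sign(tbs_bytes(tbs), ca_private)}


def validate_certificate(cert, ca_public, crl, today):
    """Return (accepted, reason); crl is the set of serial numbers the CA has revoked."""
    tbs = cert["tbs"]
    if not verify(tbs_bytes(tbs), cert["signature"], ca_public):
        return False, "bad signature"   # altered, or not issued by this CA
    if today < tbs["not_before"]:
        return False, "not yet valid"
    if today > tbs["not_after"]:
        return False, "expired"
    if tbs["serial"] in crl:
        return False, "revoked"
    return True, "ok"


ISSUER_DN = "CN=Example CA, O=XYZ, C=US"              # constructed
SUBJECT_DN = "CN=John Smith, OU=Sales, O=XYZ, C=US"  # the X.500 name shown on slide 10
CERT = make_certificate(1001, SUBJECT_DN, USER_PUBLIC, ISSUER_DN,
                        "2000-09-01", "2001-09-01", CA_PRIVATE)

if __name__ == "__main__":
    order = b"Pay 100 to merchant 42"                # constructed sample document
    sig = sign(order, USER_PRIVATE)
    print("valid signature:", verify(order, sig, USER_PUBLIC))
    print("after altering the amount:", verify(order.replace(b"100", b"900"), sig, USER_PUBLIC))
    print("certificate today:", validate_certificate(CERT, CA_PUBLIC, set(), "2000-09-15"))
    print("after revocation:", validate_certificate(CERT, CA_PUBLIC, {1001}, "2000-09-15"))
```

The order of checks in validate_certificate is deliberate: the CA signature is verified first because nothing in an unverified certificate, including its serial number and validity dates, can be trusted, and only then are the validity window and the CRL consulted. A real X.509 validator additionally builds a chain up to a trusted root, enforces the key-usage and policy extensions of slide 11, and obtains revocation status from a CRL or an OCSP responder rather than from an in-memory set.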

Slide 13: Is Encryption Safe?
Keys with 128 bits will probably remain unbreakable by brute force for the foreseeable future. If 1 billion keys were tried per chip and one billion chips were used, it will take years. Longer than the age of the universe to break!
For keys longer than 128 bits, we will encounter a limit where the energy consumed by the computation (using the minimum energy of a quantum-mechanical operation as the energy of one step) will exceed the energy of the mass of the sun, or even of the universe.

Slide 14: PAYMENTS
"Everything ... must be assessed in money; for this enables men always to exchange their services, and so makes society possible." Aristotle (B.C.)

Slide 15: PAYMENT SOLUTIONS
- Card-based payment systems and requirements (for B2C and B2B)
- Using PKI for multi-purpose and multi-platform payments

Slide 16: Card-Based Payment Scheme
A payment scheme typically with a spending limit associated with a special-purpose account. Payments are normally in the form of an instalment-based repayment with a pre-set interest rate on the unpaid balance.

Slide 17: Why Card-Based Payments in E-Business?
- In use since the early 1960s
- More than 1000 million cards in use
- Accepted in more than 220 countries by more than 15 million merchants
- Almost $2000 billion in sales per year
- Currency-transparent and universal
- Preferred payment method in C-to-B EC

Slide 18: Entities in Card-based Systems
- Issuing Bank (Issuer): issues credit, debit and purchasing cards to cardholders and guarantees payments for authorized transactions.
- Acquiring Bank (Acquirer): establishes a contract with the merchant and processes payment authorizations and payments.
- Payment Gateway: system operated by an acquiring bank to process merchant and cardholder payments.
- Payment Service Provider: provides payment services to businesses and consumers.
- Card Holder: uses a card issued by an issuing bank to pay for goods and services.
- Merchant: establishes a contract with an acquiring bank to accept card payments from cardholders.

Slide 19: PKI-Based Payment Solutions
- Attribute certificates linked to identity certificates
- Authorisation key to access various services
- Validation (OCSP) services and digital receipts
- USB certificate tokens for end-user authentication
- Multipurpose e-payment (micro and high value)

Slide 20: PKI
Based on the WISeKey PKI and common root and certification process.
- Users will be issued an ITU-T X.509 digital certificate stored on a USB port device (a USB Key).
- Users are identified by certificate and by "attributes" stored in an ITU-T X.500 directory.
- Attribute certificates assigned by financial institutions allow access to various types of payments based on attributes.

Slide 21: Registration Authority
Integrated into the WISeKey PKI. Registration at local level (WTC and CCI):
- issue certificates at a local level
- supply the user with an end-user access kit (USB Key device and software)

Slide 22: Certificate Attributes
Attributes give access to different levels of service:
- Financial Area
- Insurance Area
- Industry Area
Attributes are assigned by Trusted Third Parties:
- Financial Institutions (Banks)
- Inspection Organisations
- Insurance Companies
- Auditing Organisations
- Trade Organisations
- Intellectual Property

Slide 23: WISeCert
WISeCert has been created for organizations serving communities that want to implement a PKI, and provides all components of the PKI system required in one package. The only components the organization has to provide are the computers and a secure environment. Even these can be sourced and provided by WISeCert, thus providing a complete "turn-key" solution.
WISeCert Applications: Secure Server Certificates enable companies to unleash the investment potential of their online channels by providing Web identity and strong security to customers, employees and partners communicating online.