Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008

What ? Understanding the information security Electronic signature and encryption Trusted third party (CSP)

Information security General technical definition information security is a state of affairs where information, information processing and communication is protected against the confidentiality, integrity and availability of information and information processing. In the context of information networks this also covers reliable identification and authentication. information security is a state of affairs where information, information processing and communication is protected against the confidentiality, integrity and availability of information and information processing. In the context of information networks this also covers reliable identification and authentication.

Information security Legal definition the obligation to take adequate measures for the purpose of safeguarding the state of affairs corresponding the required level of security, and notably the protection of rights related to informational assets

Information security Trust The basic elements of information security –Confidentiality –Integrity –Availability

Information security provisions in current law OECD Recommendations E-commerce and E-signature Privacy regulations Telecommunications Electronic administration Public access to information laws Penal law concerning the computer crime and misuse Critical infrastructure protection

Electronic signature Time frame: Jan 19,2000, July , march 15, 2006 Underline principles. Technical neutral Non-discrimination Party-autonomy/contractual freedom No-harmonization of national civil law

Electronic signature Definition: Electronic signature : data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication (Directive 99/93/EC) Advanced electronic signature: any electronic signature which meets the following requirements: uniquely linked, capable of identifying, maintain sole control, change detectable

Electronic signature Form conditions: QC (annex I) CSP (annex II) secure signature creation device (annext III) advance SKE Qualified signature biometrics Digital signatur e Advanced signature E-sign

Electronic signature Legal effects of the e-signature article 5 of the Directive: Art5 (2) non-discrimination : electronic form, not certified, not certified by accredited CSP (certified service provider); not created by secure signature device Art5 (1) qualified advanced e-signature: the validity in transaction as handwritten signature and evidence effect at court

Electronic signature Cryptography basis: The conversion of data into a secret code for transmission over a public network. The conversion of data into a secret code for transmission over a public network. –Encrypt: convent plain text into cipher text –Decrypt: convert cipher text into plain text –Symmetric key encryption (secret key) –Asymmetric key encryption (public key)

Electronic signature

Public key encryption (PKE) in detail problem of PKE: –More computational intensive –Large amounts of encrypted data vulnerable of hacking –Solution = hashing of the data message

Electronic signature Digital signature 1

Electronic signature Digital signature 2

Electronic signature Problem With digital signature –Trustworthy linkage between public key and real world identity of accountable person –Secure distribution of public keys over open networks –Integrity? –Solution= Public key infrastructure (PKI)

Electronic signature PKI Process Flow Step 1. Subscriber applies to Certification Authority for Digital Certificate Step 2. CA verifies identity of Subscriber and issues Digital Certificate. Step 3. CA publishes Certificate to Repository. Step 4. Subscriber digitally signs electronic message with Private Key to ensure Sender Authenticity, Message Integrity and Non-Repudiation and sends to Relying Party. Step 5. Relying Party receives message, verifies Digital Signature with Subscriber's Public Key, and goes to Repository to check status and validity of Subscriber's Certificate. Step 6.Repository returns results of status check on Subscriber's Certificate to Relying Party. p

Electronic signature

agenda –The legality issues –The technical answers –The liability issues -UNCITRAL e-sign ML, EU e-sign Directive

UNICITRAL e-sign ML E-sign ML-liability concept Reasonable allocation of responsibilities in accordance with domains under the specific control of PKI participants CA signatory Relying party

UNICTRAL e-sign ML Approach –Soft law: –Technology neutrality –comprehensive Responsibility of the signatory (art8) Responsibility of the relying party(art11) Responsibility of the CSP(art9,10)

EU e-sign Directive Approach –Hard law –Technology neutrality –Liability rules CA’s liability

EU e-sign Directive Minimum liability for CA (art6) –accuracy –completeness –the signatory identified in the qualified certificate held the private key corresponding to the public key identified in the certificate –the private key and the public key can be used in a complementary manner if the CSP guarantees them both Principle of negligence Reversed burden of proof Excuse and limitation –Proves he has not act negligently –Exceed intended use –Exceed intended value of transaction

Electronic signature Market access: no prior authorization (art 3.1 ) voluntary accreditation (art 3.2)

EU e-sign Directive Other provisions –data protection issues (art8) –International aspects (art7) –Committee (art9. 10) –Notification (art 11) –Review (art 12)

Encryption Export control measures –Wassennar agreement –EU dual use regulation of Dec.1994 Domestic control measures Key escrow and key recovery systems Privacy considerations

Additional links: Commentary_pdf.pdf Commentary_pdf.pdf Thank you for your attention!