1. РУП «Национальный центр электронных услуг»
Опыт применения и тенденции развития технологий электронной цифровой подписи и инфраструктуры открытых ключей в Республике Беларусь Комисаренко Владимир

2. Certificate Authority Registration Authority
PKI Structure
A public-key infrastructure(PKI) is a system for the creation, storage, and distribution of digital certificates which is used in digital signature to verify that a particular public key belongs to a certain entity.
Server-side software
Server
Cert
share key info.
certificate
PKI Server
Signature
Digital
reposit
reposit
Directory Server
Certificate Authority
Client-side software
그리고, 이것은 PKI 시스템의 간단한 구성도 입니다.
PKI 시스템은 전자서명에 사용되는 전자인증서를 생성/저장/배포 및 폐기하는 시스템입니다.
인증기관 CA (certificate authority) 는 (전자)인증서를 생성/저장/배포 및 폐기 합니다. PKI 구조에서 가장 중요한 역할을 맡고 있습니다.
등록기관 RA (Registration Authority)는 사용자의 인증서 신청을 받고 CA에 등록하는 역할을 합니다.
PKI 서버와 사용자 PC에서는 이 인증서를 이용하는 application 프로그램이 필요하며,
모든 PKI 시스템의 기록은 디렉토리 서버에 저장이 됩니다.
이러한 PKI 시스템과 사용되는 인증서가 법적인 효력을 가지기 위하여서는 관련 법과 정부의 승인이 필요로 합니다.
reposit
Requests Service
Share Cert. information
Client
Cert
Registration Authority
Provides
service
PKI Client
(PC/Phone/PDA)

3. Interaction between NPKI and GPKI
CTL Model in Korea
National PKI
Government PKI
KISA Directory
(Root CA)
GCC Directory
(Root CA)
Issues a CTL
Issues a CTL
KISA(Root CA)
GCC(Root CA)
CTL
(List : KISA)
(Singer : GCC)
CTL
(List : GCC)
(Singer : KISA)
Accredited CA
Sub CA
PKI 시스템은 다음과 같이 구별이 가능합니다.
National PKI 와 Government PKI 입니다.
NPKI 는 일반 국민들을 위한 PKI 시스템 이며,
GPKI 는 오직 공무원들을 위한 PKI 시스템 입니다. 또한 이 두 시스템간의 상호 연동도 가능하도록 구성이 되어야 합니다.
Subscriber B
Subscriber
Obtains a CTL
Obtains a CTL
CTL : Certificate Trust List

4. Enable tax affairs of Fairness, Clearness
Best Practice : National tax service
Tax service
Electronic tax
payment $
The year-end tax
adjustment service
Online tax civil
petition service
Cash receipt service
Enable tax affairs of Fairness, Clearness

5. Are Available On ONLINE
Best Practice : Online civil petition service
Online Printing
Online Verification
Online Claim
About to 150 Services
Are Available On ONLINE
No more need to WAIT!

6. Best Practice : Education Service
All Education affairs are managed on Internet
National Education
Information System (NEIS)
School Education affairs
Management System (SEMS)
Student Parents Service
Education Information
Service (EDUNET)
NEIS HELP System (HELPSYS)
Education civil service

7. Best Practice : Internet Banking
19 Banks and Post Office provide internet banking service based on accredited certificate
Internet banking users must use the accredited certificate for secure online transaction ('02. 9)

8. Internet Shopping : Credit Card
Best Practice : Internet Shopping
Internet Shopping : Credit Card
Credit card should be used with accredited certificate to enhance the security of electronic payment process
Regarding the transaction of over 300,000 won in Internet shopping, purchasers are required to use accredited certificate ('05. 11)

9. Best Practice : Mobile Banking
Mobile banking service with certificate ('07~)
Transferring a certificate from PC to mobile phone
Generating electronic signature in mobile phone
디바이스 인증..
Certificate Management S/W in Mobile Phone

10. Number of Digital Certificates
5 Accredited CAs issued accredited certificates to subscriber around 28 million in total.
Major PKI Applications
Internet Banking, Online Stock, Internet Shopping, Procurement, e-Government Services
As the environment of PKI is developing, more people want to have Digital Certificate to use it for NPKI system.
5 accredited CAs have issued certificate to subscribers around 28 million in total.
Internet Banking, Online Stock, Internet Shopping, Procurement and e-Government Services are the major PKI applications which have most issued certificate.
Numbers of annual issuance of certificates ( , published by KISA)

11. ИСТОРИЯ (законодательство, стандартизация)
1999
Стандарты на функцию хэширования, электронную цифровую подпись
2000
Закон «Об электронном документе»
2009
Закон «Об электронном документе и электронной цифровой подписи»
Стандарт на синтаксис обмена персональной информацией
2011
Новая функция хэширования, ЭЦП на эллиптических кривых
2012
Формат сертификатов и списка отозванных сертификатов, синтаксис запроса

12. Стандарт разработан белорусскими криптографами
СТБ «Информационная технология. Защита информации. Процедура хэширования»
Стандарт разработан белорусскими криптографами

13. СТБ 1176. 2-1999 «Информационная технология. Защита информации
СТБ «Информационная технология. Защита информации. Процедуры выработки и проверки электронной цифровой подписи»
Стандарт разработан белорусскими криптографами с использованием схемы Шнора (Schnorr C. P. Efficient Signature Generation by Smart Cards, J. Cryptology, 4(3): 161–174, 1991)
Безопасность основана на практической неразрешимости задачи дискретного логарифмирования в конечных полях. Позволяет быстро вырабатывать и проверять подпись. Значение подписи – короткое (посравнению с другими алгоритмами).
Включает алгоритм генерации простых чисел как параметров

15. the main steps of the algorithm signature verification

16. LAW OF THE REPUBLIC OF BELARUS The Electronic Document
January 10, 2000
Electronic document is equivalent to document on paper and have the same legal him force

17. UNCITRAL United Nations Commission on International Trade Law Model Law on Electronic Signatures
with
Guide to Enactment
UNITED NATIONS

18. NOW
2013

19. Means of digital signature - software, software and hardware, or technical means by which implements one or more of the following functions: generation of digital signature, digital signature verification, development of the private key and the public key.
Means of electronic digital signatures must be certified in the national system of certification

20. Certificate Authority Certificate Authority Certificate Authority
PKI Belarus Banking
Belarus Bank
Certificate Authority
BelSwiss Bank
Certificate Authority
Belinvest Bank
Certificate Authority

21. PKI Belarus State Mailgov Certificate Authority Custom
Tax
Certificate Authority
Social Protection Found
Certificate Authority

22. LAW OF THE REPUBLIC OF BELARUS
The electronic document and electronic digital signature
December 28, 2009

23. PKI Belarus Root CA Banking Certificate Authority Other
State
Certificate Authority
Belarus Bank
Registration Authority
BelSwiss Bank
Registration Authority

24. ARTICLE 17. THE STRUCTURE OF AN ELECTRONIC DOCUMENT
Electronic document consists of two integral parts - general and special.
The general part of the electronic document consists of information that forms the content of the document.
The special part of the electronic document consists of one or more digital signatures, and may also contain additional data needed to verify digital signatures (digital signatures) and identification of an electronic document, which establishes the technical regulations

25. ARTICLE 19. ORIGINAL ELECTRONIC DOCUMENT
Original electronic document exists only in electronic form. All identical copies of electronic documents are originals and have the same legal effect.

26. ARTICLE 22. LEGAL VALIDITY OF ELECTRONIC DOCUMENTS
Original electronic document equivalent to a paper document, signed by his own hand, and with it has the same legal effect.
Electronic document, signed after the revocation public key, is not legally binding.
Original electronic document and its copy, corresponding to the requirements specified in Article 20 of this Act, have the same legal force.
If, in accordance with the legislation requires that the document be made ​​in writing, the electronic document and its copy are considered relevant to this requirement.

27. ARTICLE 29. THE STATE SYSTEM OF PUBLIC KEY MANAGEMENT
State public-key management system is designed to provide opportunities for all interested organizations and individuals information about the public key and their owners in the Republic of Belarus, is a system of interconnected and accredited in its service providers.
The main functions of the State public-key management system are:
registration owners of private keys;
publication, distribution and storage of public key certificates and certificate revocation lists of public keys;
creation and maintenance of databases of current and revocation of public keys;
introduction of public key certificates to the database of existing public key certificates;
accessibility  database of current and revoked  public key certificates;
a review of public key certificates;
reliable confirmation accessories public key specific organization or individual.

28. PRESIDENTIAL DECREE OF NOVEMBER 8, 2011 № 515
"ON SOME ISSUES OF THE INFORMATION SOCIETY IN THE REPUBLIC OF BELARUS“
To establish that Operatively Analytical Center under the President shall regulate in the area:
operation of the State public keys management systems of verify digital signatures, the Republic of Belarus;
cryptographic protection of information that does not contain information classified as state secrets

29. PRESIDENTIAL DECREE OF NOVEMBER 8, 2011 № 515
"ON SOME ISSUES OF THE INFORMATION SOCIETY IN THE REPUBLIC OF BELARUS“
To establish that the National Center Electronics Services has operated a root certification authorities and other State system of management of public keys

30. Information technology and security.
STB P
Information technology and security.
Digital signature and key transport algorithms based on elliptic curves

31. Standard of the Republic of Belarus
International standard
The object 1.
GOST  «Information processing system. Cryptographic Security. Cryptographic transformation algorithm»
national
encryption 2.
STB  «Information technology. Data security. Procedure and check procedures of electronic digital signature»
digital signature 3.
STB  « Information technology. Data security. Hashing function»
hashing function 4.
STB   «Information technology and security. Security requirements for software cryptographic modules»
software cryptographic modules 5.
STB P   «Information technology and security. Digital signature algorithms based on elliptic curves» 6.
STB  «Information technology and security. Cryptographic algorithms of pseudorandom number generation»
number generation 7.
STB   «Information technology and security. Public key card format»
public key card

32. Standard of the Republic of Belarus
International standard
The object 1.
STB   «Information technology and security. Certification request syntax»
PKCS #10: Certification request syntax standard. Version 1.7. RSA Laboratories, 2000
certification request 2.
STB   «Information technology. Personal information exchange syntax»
PKCS #12 v1.0:1999 Personal information exchange syntax
personal information exchange 3.
STB    «Information technology and security. Public key infrastructure certificate and certificate revocation list profile»
RFC 5280:2008 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
certificate and certificate revocation list 4.
STB – 2009 «Information technology. Cryptographic Token Interface»
PKCS #11 v2.20:2004 Cryptographic Token Interface Standard
cryptographic token interface 5.
STB   «Information technology and security. Cryptographic message syntax»
PKCS #7: Cryptographic Message Syntax Standard
cryptographic message syntax 6.
STB   «Information technology and security. Online certificate status protocol (OCSP)»
X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP
online certificate status protocol

33. MEANS
1.Cryptographic software
cryptographic software must meet the requirements specified in the standards
2.Hardware secure module
The goals of an HSM are:
onboard secure generation
onboard secure storage
use of cryptographic and sensitive data material
offloading application servers for complete cryptography operations.
HSMs provide both logical and physical protection of these materials from non-authorized use and potential adversaries.

34. TRUSTED THIRD PARTY
Achievement of adequate levels of business confidence in the operation of IT systems is underpinned by the provision of practical and appropriate legal and technical controls. Business must have confidence that IT systems will offer positive advantages and that such systems can be relied upon to sustain business obligations and create business opportunities.
An exchange of information between two entities implies an element of trust, e.g. with the recipient assuming that the identity of the sender is in fact the sender, and in turn, the sender assuming that the identity of the recipient is in fact the recipient for whom the information is intended. This "implied element of trust" may not be enough and may require the use of a Trusted Third Party (TTP) to facilitate the trusted exchange of information.

35. SERVICES PROVIDED BY TTPS:
key management,
certificate management,
identification and authentication support,
privilege attribute service, non-repudiation,
time stamping services,
electronic public notary services

37. (electronic public notary services)
Trusted third party
(electronic public notary services)
Russia
TTPs Russia
Belarus
TTPs Belarus
Kazakhstan
TTPs Kazakhstan

38. RFC 3029 Internet X.509 Public Key Infrastructure
Data Validation and Certification Server Protocols
4 types of validation and certification services:
- Certification of Possession of Data (cpd),
- Certification of Claim of Possession of Data (ccpd),
- Validation of Digitally Signed Document (vsd),
- Validation of Public Key Certificates (vpkc).

39. RFC 3161 Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP)
The TSA is a TTP that creates time-stamp tokens in order to indicate that a datum existed at a particular point in time.

40. COMMISSION DECISION
of 25 February 2011
establishing minimum requirements for the cross-border processing of documents signed electronically by competent authorities under Directive 2006/123/EC of the European Parliament and of the Council on services in the internal market
(notified under document C(2011) 1081) (Text with EEA relevance) (2011/130/EU)
Specifications for an XML, CMS or PDF advanced electronic signature to be technically supported by the receiving Member State

41. for Information Technology Security Evaluation
Common Criteria
for Information Technology Security Evaluation
Part 1: Introduction and general model
Part 2: Security functional requirements
Part 3: Security assurance requirements

43. РУП «Национальный центр электронных услуг»
Опыт применения и тенденции развития технологий электронной цифровой подписи и инфраструктуры открытых ключей в Республике Беларусь Комисаренко Владимир,