Presentation is loading. Please wait.

Presentation is loading. Please wait.

COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation.

Similar presentations


Presentation on theme: "COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation."— Presentation transcript:

1 COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation

2 Assessment for PKI Assessment: Prescribed procedure for determining whether a system or one of its components satisfies defined criteria for trustworthiness and quality.

3 Assessment for PKI Assessment: Creates favorable legal presumptions. Legal status. Stronger presumptions for non-repudiation. Necessary for licensing and accreditation. Potential formal requirement for PKI interoperation. This is the motivating example. Creates public relations bonus and generates acceptance. Helps in risk assessment and management. Might be required for insurance purposes.

4 Assessment for PKI Assessment is used by: Service subscribers. Relying parties. Policy management authorities. Certification and registration authorities. Licensing and regulatory authorities.

5 Assessment for PKI Formal qualification of Assessors Some laws require assessors to be Certified Public Accountants. Others specify required years of work in the security profession. Material qualifications of Assessors Independence. Quality assurance for assessment work. Educational and training qualifications.

6 Assessment for PKI Assessment targets: (System-level) The overall PKI environment. Systems and Subsystems. Discrete Components. PKI cryptomodules. (Entity) Primary certification authority controls. Key and device management console. Certificate life-cycle controls.

7 Assessment for PKI Attributes of successful assessment criteria Appropriateness. Develop threat model first. Objectivity. Clarity. Ubiquity. general acceptance. Extensibility. Criteria can be updated for future developments.)

8 Assessment for PKI Self-assessment. Internal audit. External audit.

9 System Assessment Criteria Formal criteria have evolved: U.S. Trusted Computer System Evaluation Criteria (TCSEC) 1985. Orange Book. Focused on confidentiality to protect national security secrets. European Information Technology Security Evaluation Criteria (ITSEC) 1991.

10 System Assessment Criteria Common CriteriaITSECTCSEC EAL1: Functionality testedE0D: Minimal protection. EAL2: Structurally testedE1C1: Discretionary security protection EAL3: Methodically tested and checked.E2C2: Controlled access protection EAL4: Methodically designed, tested and reviewed. E3B1: Labeled security protection. EAL5: Semiformal designed and tested.E4B2: Structured protection. EAL6: Semiformal verified design and testing. E5B3: Security domains. EAL7: Formally verified design and testing. E6A1: Verified design

11 Assessment & Accreditation Schemes Australia, Gatekeeper: Australian government effort to enhance secure service delivery, streamline secure intragovernmental transactions, establish a “rational voluntary mechanism for the implementation of PKI by government agencies.” Gatekeeper is also used to provide interoperationality among PKI providers. Mandatory for vendors of PKI services for government. Gatekeeper has two levels of authentication: Entry-level Full accreditation

12 System Assessment Criteria Canada: Government of Canada PKI Allows links via cross-certification. Expert teams establish tables of concordance between requester’s Certificate Policy (CP) and GoC PKI.

13 System Assessment Criteria US: Light Touch State legislation influenced by Utah and Washington. Reciprocity agreements (e.g. Minnesota, Utah, Washington)

14 System Assessment Criteria HIPAA Requires security controls to ensure the integrity and confidentiality of Internet communications.


Download ppt "COEN 351: E-Commerce Security Public Key Infrastructure Assessment and Accreditation."

Similar presentations


Ads by Google