Presentation is loading. Please wait.

Presentation is loading. Please wait.

E-Gov and Security Keren Cummins Digital Signature Trust Co. Richard Guida Chair, Federal PKI Steering Committee.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "E-Gov and Security Keren Cummins Digital Signature Trust Co. Richard Guida Chair, Federal PKI Steering Committee."— Presentation transcript:

1 E-Gov and Security Keren Cummins Digital Signature Trust Co. Richard Guida Chair, Federal PKI Steering Committee

2 E-Transaction Landscape Intra-agency –personnel matters, agency management Interagency –payments, account reconciliation, litigation Agency to trading partner –procurement, regulation Agency to the public

3 Challenges All Applications Face Authentication of Users Non-repudiation for transactions Message integrity Confidentiality (privacy) Liability Interoperability Scalability

4 Potential Internet Security Solutions Pin Numbers Biometrics Digital Signatures or PKI (Public Key Infrastructure) PKI Viewed by Many as Only Total Solution

5 A Digital Signature is NOT: A Digitized Handwritten Signature… The Typed Name of an Individual A Secret Code or a Pin Number

6 A Digital Signature IS: A Transformation of a Message Using Public Key Cryptography Virtually Impossible to Forge Provides a High Level of Security

7 Basic Principle of Cryptography All information goes into a computer as a number One can perform mathematical operations on the information For Example: Add, subtract, multiply, divide or exponentiate it.

8 Two Flavors of Cryptography Symmetric Cryptography –Uses Single Number or Key Asymmetric or Public Key Cryptography –Uses Two Different Numbers or Key Pair –Key Pair Consists of Two Large Numbers: One Called a Private Key One Called a Public Key

9 What Does Cryptography Really Look Like Private Key: –6448072E 0AD8FD61 F78E45FC 0B9419F9 0E1DD1EF Public Key: –47F126B5 74A10BB1 EB107322 C2379439 7F7DD52D 6CB89D3F 04A4E434 0A09EE52 6284271E E092C592 C3CC4144 5861CBF5 E8696BFF 85432ED1 B919A328 48B1D9F0 Hash or Message Digest: –53007ADB 04851436 F3F3ACBB F07CA19D 1AC248EA DSA Signature: –571691CC 0426C2B5 A545D896 C620CB8D 76B7820C

10 What’s a Hash? Brief series of characters associated with a document Message digest, or “fingerprint” generated by a mathematical algorithm Same document will always generate the same hash A document that has been altered can never generate the original hash

11 Message Hashing Algorithm Message Digest 1 Signature Algorithm Message Digital Signature Private Key Creating a Digital Signature

12 An Example: A Signed Message - This will confirm my intention to purchase the Empire State Building. The purchase price shall be $178 million. Closing shall be on or before April 15, 1997. Please forward seller’s account number so that I may arrange wire transfer of funds upon closing. Signed, Donald Trump BEGIN SIGNATURE - iQCVAwUBMARe7gvyLNSbw6ZVAQF6ygP/fDnuvdAbGIDWaSM XUIRMuNHYzdZOOcqkDh/Tc2+DubuEa6GU03AgZY8K9t5r9lua3 4E68pCxegUz009b10cjNt6+o+704Z3j1yy9ijYM8BWNaSp9L2W4n UuWBdlWyel/2PjjRVNZEtqtSRQuPEpJ2IHtx9tGevH10 END SIGNATURE -

13 Verifying a Digital Signature Message Digital Signature Hashing Algorithm Verification Algorithm Message Digest 1 Message Digest 2 Identical Y/N? Public Key

14 What’s Missing Need to Link Individual Identities to Proposed Security Factor How Do I Know This is Your Password, Fingerprint, or Public Key Enter “Trusted Third Parties” or TTPs

15 Role of Trusted Third Parties (TTPs) Link Security Factor to Individual Identity (PKI Uses Digital Certificates) Stand Behind Linkage Demonstrate Sufficient Institutional Stature as to Promote Trust in Linkage Issue a Digital Certificate Binding Signer’s Identity to Signer’s Public Key

16 Process Flow Certification Authority Repository Subscriber Relying Party 1 2 3 4 5 6 Annually: 1. Subscriber Applies to CA for Digital Certificate 2. CA verifies identity of subscriber and issues Digital Certificate 3. CA publishes Certificate to Repository Per Transaction: 4. Subscriber digitally signs and sends electronic message to relying party 5. Relying party goes to the Repository to check validity of the Subscriber’s Certificate. 6. Repository returns copy of certificate and results of status check 7

17 Likely Candidates for “TTP” Role Government Agencies Financial Institutions Employers (In their own COI )

18 Legal Framework Government Paperwork Elimination Act (GPEA) –supports the use of electronic signatures for transactions with the Federal government –Enacted October 1998 –Covers user authentication and persistent electronic signatures

19 GPEA Background With some qualifications, GPEA requires agencies by October 2003 to: –Accept forms (>50K copies/year) electronically –Accept electronic signatures on forms and documents Encourages electronic filing and electronic recordkeeping, particularly by employers

20 GPEA Background (continued) Gives electronic signatures full legal effect Technology neutral - agencies select based on specifics of applications (e.g., risk) –But recognizes that technology neutrality does NOT mean all technologies are created equally Focus: transactions with Federal agencies Draft OMB Guidance 3/99; final 5/00

21 Electronic Signatures Under GPEA Guidance OMB GPEA guidance recognizes several ways to effect “electronic signature” –PINs/passwords –Digitized signatures –Biometrics –Digital signatures Each approach has advantages and disadvantages, some more acute than others

22 PINs/Passwords Advantages: –Simple –Used ubiquitously, no “learning curve” Disadvantages: –Shared secret means other party can compromise –Hard to achieve non-repudiation –Does not scale well - PINs/passwords proliferate –Can be very susceptible to remote attack –Parties must know each other beforehand

23 Digitized Signatures Advantages: –Closest in appearance to “wet signature” Disadvantages: –Form of shared secret –No open standards, templates are usually proprietary –Can be vulnerable to replay attack –No cryptographic binding of identity to document –Hard to achieve non-repudiation –Requires additional hardware (stylus/pad)

24 Biometrics Advantages: –Fingerprints, iris images impossible to “forget” Disadvantages: –Form of shared secret –No open standards, templates are usually proprietary –Can be vulnerable to replay attack –No cryptographic binding of identity to document –Requires additional hardware (camera, pad) –Can be hard to revoke old identity and issue new one

25 Digital Signatures Advantages: –No shared shared secrets between remote parties –Cryptographic binding between identity and document –Scales well, interoperates reasonably well Disadvantages: –Requires infrastructure (PKI) –Is more complex than PINs/passwords –Can require additional hardware (if smartcards are used)

26 Summary Digital signatures represent strongest single solution –Also most scalable and interoperable - cutting across agency stovepipes Best solution may be combination: –Digital signature to bind digitized signature –Digital signature with biometric identifier to unlock private signing key PINs/passwords may be sufficient for some applications, if interoperability unimportant

27 Privacy/ Disclosure: Basic Principles Electronic authentication should only be required where needed Tailor authentication needs to the transaction and the participants Avoid collecting information that is more detailed than required Inform participants that information will be managed pursuant to the Privacy Act, Computer Security Act, and other laws.

28 Legal Effect and Validity Electronic records submitted or maintained in accordance with procedures developed under this title, or electronic signatures or other forms of electronic authentication used in accordance with such procedures, shall not be denied legal effect, validity, or enforceability because such records are in electronic form. -GPEA, section 1707

29 Additional Legal Considerations “Intent” at time of signing critical –Need for banners or other indicia Need to capture entire document with signature - not just HTML “tags” Need to retain ability to validate signature at later date (either directly or through “digital notary” Electronic records management big issue - with or without electronic signatures

Download ppt "E-Gov and Security Keren Cummins Digital Signature Trust Co. Richard Guida Chair, Federal PKI Steering Committee."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Digital Signatures in State of Tennessee Pam Roberts Finance & Administration Office for Information Resources Planning, Research & Development.

Digital Signatures in State of Tennessee Pam Roberts Finance & Administration Office for Information Resources Planning, Research & Development.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
PROJECT ON DIGITAL SIGNATURE Submitted by: Submitted to: NAME: Roll no: Reg.no. :

PROJECT ON DIGITAL SIGNATURE Submitted by: Submitted to: NAME: Roll no: Reg.no. :
Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.

Information Security & Cryptographic Principles. Infosec and Cryptography Subjects / Topics : 1. Introduction to computer cryptography 1. Introduction.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC513-01 Instructor:Professor Anvari Student ID:106845 Name:Xin Wen Date:11/25/00.

6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Electronic Government: Law, Policy, and Practice Jonathan P. Womer Information Policy and Technology Office of Management and Budget

Electronic Government: Law, Policy, and Practice Jonathan P. Womer Information Policy and Technology Office of Management and Budget
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.

E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.

November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Cryptographic Technologies

Cryptographic Technologies
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.

Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Information Security of Embedded Systems 3.2.2010: Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Similar presentations

Ads by Google