Difficulty of Government PKI Implementation (Japan's case)

The 2nd US-Japan Experts Workshop
on Critical Information Infrastructure
Protection (CIIP)
June 26, 2005
Difficulty of Government PKI
Implementation (Japan’s case)
Hiromitsu Takagi
Research Center for Information Security,
National Institute of Advanced Industrial Science and
Technology (AIST)
http://staff.aist.go.jp/takagi.hiromitsu/
takagi.hiromitsu@aist.go.jp
References
• R. Clarke, The Fundamental Inadequacies of
Conventional Public Key Infrastructure, Proc. Conf.
ECIS'2001, June 2001
• C. Ellison and B. Schneier, Ten Risks of PKI: What
You're Not Being Told About Public Key Infrastructure,
Computer Security Journal, Vol.16, No.1, 2000
• S. Berinato, Only Mostly Dead: RIP PKI. Why a
security platform never took off, Alarmed on Guard
for Security and Privacy, CIO.com, 2002,
http://www2.cio.com/research/security/edit/a05232002.html
• ......
Japanese GPKI
• “政府認証基盤”
– GPKI: Government Public Key Infrastructure
• “地方公共団体における組織認証基盤”
– LGPKI: Local Government Public Key Infrastructure
• “公的個人認証”
– Public Individual Authentication Platform
• Individual authentication services provided by local
governments
http://www.meti.go.jp/english/information/data/IT-policy/e-government-timetable2.htm
Certification Authorities of Agencies
• Cabinet Office CA
• National Police Agency (NPA) CA
• Japan Defense Agency (JDA) CA
• Ministry of Internal Affairs and Communications (MIC) CA
• Ministry of Justice (MOJ) CA
• Ministry of Foreign Affairs of Japan (MOFA) CA
• Ministry of Finance Japan (MOF) CA
• Ministry of Education, Culture, Sports, Science and Technology (MEXT) CA
• Ministry of Health, Labour and Welfare CA
• Ministry of Agriculture, Forestry and Fisheries of Japan (MAFF) CA
• Ministry of Economy, Trade and Industry (METI) CA
• Ministry of Land, Infrastructure and Transport (MLIT) CA
• Ministry of the Environment CA
• Supreme Court of Japan CA
• LGPKI CA
Applications of GPKI
• “電子申請届出システム”
– e-Application to government office
• Implemented as a Web Application
• Implemented with Signed Java Applets
• Secure transactions via TLS/SSL
Bridged PKI
[Figure: Bridged PKI. Labels: Bridge CA; JDA CA, MIC CA, Cabinet Office CA, MEXT CA, NPA CA, MOJ CA, MAFF CA, MOFA CA, MOCA, MLIT CA, METI CA, Supreme Court CA, LGPKI CA; other countries]
MIC CA, Mar 2002
[Figure: Web browser and www.shinsei.soumu.go.jp. Legend: https with trusted cert; http. Labels: install, MIC root cert., fingerprint, sign, SHA-1, SSL server cert.]
Mar. 31, 2002, Nikkei Shinbun
April 2, 2002, Nikkei Shinbun
MIC “Fixed” the Problem
• Root certificate file and fingerprint number were moved to an https: page
• However, its SSL connection is authenticated by a server certificate signed by this root certificate
MIC CA, April 2002
[Figure: Web Browser and www.shinsei.soumu.go.jp. Legend: https with trusted cert; https with untrusted cert. Labels: Start, install, MIC root cert., fingerprint, server cert.]
MIC CA, May 2002
[Figure: diagram with boxes: want secure connection to the server via https; need to verify authentication path of the server certificate; need the root certificate of MIC CA; want to get the root certificate securely; download from the server via https]
• Published the fingerprint on multiple Web sites
– e-Gov portal
http://www.e-gov.go.jp/fingerprint/soumu.html
• Published the fingerprint on an official gazette (“官報”)
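The point running through the March, April and May 2002 slides can be written as a check: a published fingerprint vouches for a root certificate only when it arrives over a channel whose authenticity does not depend on that same root. The following is an added example, not part of the original slides; the channel model, the helper names and the certificate bytes are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for certificate DER bytes (not real certificates).
GENUINE_DER = b"constructed genuine root certificate bytes"
FORGED_DER = b"constructed substituted root certificate bytes"

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated hex digest of the DER bytes (SHA-1, as on the slides)."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Drop separators and case so printed and on-screen forms compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())

def is_independent(channel: dict, candidate_root: str) -> bool:
    """A channel can vouch for a root only if it is authenticated by
    something other than the root that is being checked."""
    anchor = channel["authenticated_by"]  # None means unauthenticated (plain http)
    return anchor is not None and anchor != candidate_root

def safe_to_install(der: bytes, candidate_root: str, channels: list) -> tuple:
    """Return (ok, reason); every independent channel must match the file."""
    actual = normalize(fingerprint(der))
    usable = [c for c in channels if is_independent(c, candidate_root)]
    if not usable:
        return False, "no independent channel"
    for c in usable:
        if not hmac.compare_digest(normalize(c["fingerprint"]), actual):
            return False, "mismatch on " + c["name"]
    return True, "matched %d independent channel(s)" % len(usable)

def channel(name, authenticated_by, der):
    """Hypothetical helper: a channel publishing the fingerprint of `der`."""
    return {"name": name, "authenticated_by": authenticated_by,
            "fingerprint": fingerprint(der)}

if __name__ == "__main__":
    root = "MIC root"
    # Same-site publication: whoever swaps the file can swap the fingerprint too.
    print(safe_to_install(FORGED_DER, root, [channel("http page", None, FORGED_DER)]))
    print(safe_to_install(FORGED_DER, root, [channel("https page", root, FORGED_DER)]))
    # Printed gazette (assumed out of band) carries the genuine fingerprint.
    gazette = channel("official gazette", "print", GENUINE_DER)
    print(safe_to_install(FORGED_DER, root, [gazette]))
    print(safe_to_install(GENUINE_DER, root, [gazette]))
```

A matching fingerprint from the http page or from the https page signed by the candidate root is rejected here even though the digests agree, because neither channel is independent of the certificate being installed.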
Fingerprint on multiple Web sites
[Figure: Web Browser with www.shinsei.soumu.go.jp, www.soumu.go.jp and www.e-gov.go.jp. Labels: install, MIC root cert., fingerprint, server cert.]
Official gazette No.3360
“Public notice of the fingerprints of the self-signed certificate of the MIC Certification Authority system, which forms part of the Government Public Key Infrastructure, and of the certificate issued by the MIC Operation Support Certification Authority system for secure communication with computers used by MIC”
Solution A
Solution B
[Figures: two diagrams, Solution A and Solution B. Labels across both: Web Browser, preinstalled root certs, www.e-gov.go.jp, www.shinsei.soumu.go.jp, install, MIC root cert., fingerprint, Server cert., verify manually]
Saitama Prefecture’s Case (Jan 2005)
• Your data will be sent with encryption. A security alert may pop up, but there is no problem.
Kawasaki City’s Case
• The mayor said “a security alert will pop up because the data you send will be protected by an encryption technology (SSL), so you can push the Yes button and proceed.”