ITIDA / EGYPT-MCIT
Egypt's E-Signature & PKI Infrastructure
Seminar on Electronic Signature, Algeria, 8-9 Dec. 2009
By: Hisham Mohamed Abdel Wahab, Head of the E-Signature CA Licensing, ITIDA - MCIT - EGYPT
Email: hwahab@mcit.gov.eg
KSA 15-16 Dec 2009

Agenda
- Egypt's PKI Model
- Operational requirements for CSPs in Egypt
- Applying ISO 27001 as the main CSP requirement
- CSPs Auditing Procedures

Background: ITIDA
- Established in 2004 by Law 15, financially supported by IT companies.
- E-Signature regulator, promoter, and Root CA.
- IPR protector for software and databases (Copyright Office).
- Empowers IT companies.
- Recognizes best practices in e-content development.
- Launches e-business initiatives, especially for SMEs.
- Supports R&D.

Background: E-Signature milestones
- E-Signature Law issued in 2004.
- Executive directives of the law issued in 2005.
- 4 CSPs (e-signature certificate service providers) licensed by ITIDA in 2006.
- The Root CA & Gov CA were then tendered in 2006.
- Root CA started work in Sep 2009.
- 1st CSP got the official permission to work from ITIDA in Oct. 2009.

Background: Getting the experience
Germany, Ireland, Singapore, South Korea, Malaysia, Hong Kong

PKI Model in Egypt (1/2)
[Diagram] ITIDA (Licensing) sits above the Root CA. Under the Root CA: the licensed CSPs (public use, for the public and for interaction with government applications) and the Gov. CA (government employees, for internal use only).

PKI Model in Egypt (2/2)
[Diagram] Regulating e-signature: the Information Technology Industry Development Agency (E-Signature regulator) licenses the Certificate Authorities (CSPs); client organizations request digital certificates from the CSPs, which issue the digital certificates.

PKI Model in Egypt: Licensing section (1/2)
- Managing the application process for CSPs in Egypt.
- Implementing the criteria/requirements for licensing CSPs.
- Auditing the licensed CSPs.
- Tracking the technology to guarantee having the most secure e-signature technology.

PKI Model in Egypt: Licensing Section (2/2)
[Diagram] Licensing section activities: licensing requirements, licensing, auditing, awareness, customer services.

PKI Model in Egypt: Root CA (1/2)
- Operates a Root CA according to the highest security standards.
- Offers continuous 24h x 7d operation.
- Personalizes the CA and other service chip cards for the other CSPs.
- Operates an electronic directory service that includes the certificates of all licensed CSPs.
- Achieves interoperability among CSPs and with other countries.
- Handles the CRLs and e-signature data of clients in case of a licensed CSP's failure.

PKI Model in Egypt: Root CA (2/2)
How it works (chain of trust):
- Self-signed Root CA: Root CA certificate info, signed with the Root CA's private key (Root signature).
- Sub CA: Subordinate CA certificate info, signed with the Root CA's private key (Root signature).
- Subscriber: Subscriber certificate info, signed with the Subordinate CA's private key (Sub CA's signature).
- Text document: signed with the subscriber's private key (subscriber's signature).

PKI Model in Egypt: Licensed Public CSPs (4)
- Must be under the Root CA.
- Provide Gov. and public certificate services, including SSCD.
- Work as RAs (Registration Authorities).
- Must fulfil ITIDA requirements.
- Use the most recognized worldwide standards for PKI (2048/4096-bit RSA keys, etc.).

PKI Model in Egypt: Licensed Gov CA (1 CA)
- Issues certificates to Gov. employees only, for internal gov use only, and SSCD.
- Provides Gov. certificate services.
- Under the ITIDA Root CA.
- Works as RA (Registration Authority) for Gov. employees.
- Must fulfil ITIDA requirements.
- Uses a specific type of encryption standards.

PKI Model in Egypt: Strategic Decisions (1/6)
Why just e-signature is regulated
1- The law regulates certificates used in e-signature only.
2- Providers are allowed to provide SSL certificates, for example, with no obligations.
3- Providers can provide any other security services, but when it comes to e-signature this must be regulated by ITIDA.
Why?
- E-signature is the most critical application when it comes to e-Gov.
- E-signature will replace the current, traditional signature, so it must work under very trustworthy conditions.

PKI Model in Egypt: Strategic Decisions (2/6)
The e-signature definition in the Egyptian market
1- Only one type of e-signature is considered in front of a court.
2- Other types, transactions and e-documents are considered just e-documents or e-writing.
3- Using a third-level smart card/token as SSCD is a must.
4- Physical identification is a must.
Why?
- Avoid conflict: if one type of e-signature is compromised, the market will think that the strong types are compromised too!
- Strengthen the working environment.

PKI Model in Egypt: Strategic Decisions (2/6, cont.)
[Diagram] What is an e-signature? Digital certificate + signer's private key + signer's public key + PIN code + secure PIN entry.
[Slide footer: KSA 15-16 Dec 2009 / Syria 1-2 July 2008]

PKI Model in Egypt: Strategic Decisions (2/6, cont.)
E-signature specification
Smart cards are able to store private e-signature keys for a card holder without delivering the key to the outside world. Therefore the calculation of the signature algorithm, as well as the key's storage, is performed in a highly secure environment inside the smart card. Thus, it is required to have smart cards (reader / readerless / contactless) which use the most advanced security standard available in the market.
- Secure PIN code entry.
- Complete separation between the e-signature application and any other applications.
- Security evaluation: ITSEC E4, or NIST FIPS PUB 140-1 Level 2 or higher.
- Certificates: X.509v3.
- Smart card: ISO 7816.
- Cryptographic algorithms: must include RSA, SHA-1.
- Reader interface: Microsoft PC/SC.
- Recommended: PKCS #11 (interface); CAPI (Microsoft Cryptographic API); PKCS #15 (syntax standard).

PKI Model in Egypt: Strategic Decisions (3/6)
Gov CA will use its own encryption technique and provide services only for use in internal gov transactions
1- The executive directive mentioned that the Gov CA could use its own encryption.
2- The services provided by the Gov CA are for use only in internal gov transactions.
3- If an end user needs an e-signature service to be used between gov and private parties, he must get it from a Public CSP.
4- Physical identification is a must.
Why?
- To secure the sensitive transactions.
- To encourage private investment, according to the national strategy.

PKI Model in Egypt: Strategic Decisions (4/6)
ITIDA will run the Root CA
1- ITIDA will be the only body running a Root CA for PKI in Egypt.
2- The main and backup sites of the Root CA are the responsibility of ITIDA.
3- The Root CA will be audited internally by ITIDA auditors, externally by ISO 27001 auditors, and by other gov entities.
Why?
- Ensure an interoperable environment: "trust" originates from a common Root CA (strict hierarchy model).
- A subordinate CA will have one superior, and only one.
- Strict hierarchies are appropriate for many enterprises, especially where policy controls are to be enforced in a "top-down" fashion.

PKI Model in Egypt: Strategic Decisions (5/6)
Facilitating the financial requirements for licensing
1- The licensee will pay only 0.5 M EGP instead of 1.5 M EGP.
2- 20,000 EGP as auditing expenses will be paid after 2 years of operation.
3- The payments will be annual instead of quarterly.
4- 3% of the revenue will be paid at the end of the 2nd year instead of the 1st year.
Why?
- Based on companies' suggestions and market studies.
- To encourage this new industry.

PKI Model in Egypt: Strategic Decisions (6/6)
Leaving the pricing model to the market forces
1- Licensed companies are free to set the price model according to their business model.
2- ITIDA must approve the price list or any modifications prior to publication.
3- 3- ITIDA is responsible for controlling the pricing competition.
Why?
- Based on most companies' suggestions.
- Complies with the current Egyptian market.

PKI Model in Egypt: E-Signature, when it comes to applying (1/4)
Applying for the service
1- Physical identification (the applicant must show up in person).
2- Delivering the service: token/smart card - CD - installed keys plus certificate.
3- Help desk and customer support (CSP - ITIDA).
4- Providing applications (compatible with ITIDA & CSP requirements).
5- Using the e-signature with applications provided by Gov or CSPs, or compatible applications provided by other vendors.
6- Renewing/updating the service, changing the provider, or terminating the service.

PKI Model in Egypt: E-Signature, when it comes to applying (2/4)
Auditing the service
1- Surveillance and licensing audit by ITIDA.
2- Regular audit by ITIDA.
3- Receiving complaints and providing support in case of disputes.
4- Setting up the compliance conditions (applications & operational).
5- Renewing/extending/terminating the license.

PKI Model in Egypt: E-Signature, when it comes to applying (3/4)
Proposed market applications
1- E-Government (all applications that need the physical presence of the users).
2- E-Tax.
3- E-Money (money orders will be collected electronically).
4- E-Banking applications.
5- Stock market.
6- Mobile applications.
7- E-Commerce/Payment.
8- E-Education.
9- E-Civil applications.
10- E-Archiving (time stamp is a must).
11- E-Contracting.
12- Installed on the National ID.

PKI Model in Egypt: E-Signature, when it comes to applying (4/4)
Types of certificates provided by the CSP
- E-Signature certificates (regulated) for persons and organizations.
- SSL (not regulated).
- Code signing certificates (not regulated).

[Screenshot] Sign Contract Details

[Screenshot] Web applications such as e-Banking & e-Trade

Current Situation for E-Signature Certificate Service Providers

PKI Model in Egypt: Current Status (1/2)
- 4 licensed companies as CSPs (E-Signature Certificate Service Providers).
- 1 company finished its infrastructure and was audited, and started work in the Egyptian market on 1 Oct. 2009 (more than 2000 hours of auditing time, team of 13 experts).
- The Root CA was established in Sep. 2009.
- The Ministry of Finance got the license to provide the e-signature service to gov. employees for internal transactions only.

PKI Model in Egypt: Current Status (2/2)
4 licensed companies + GOV CA
1- ACT: http://www.act-eg.com/
2- MCDR: http://www.mcdr.com.eg/
3- EgyptTrust: http://www.egypttrust.com/
4- SNS: http://www.snsegypt.com/

Agenda (section divider): Licensing requirements for CSPs in Egypt

Licensing Requirements (1)
The detailed requirements are listed in the License Form at: www.e-signature.gov.eg/materials/License-July-2006.doc (Arabic language)
- More than 60 pages.
- More than 250 items to be satisfied before getting the license.
- Categorized into financial, operational, technical and administrative.
- References: Law 15, its directive, the NTRA license, ETSI TS 101 456.
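The Root CA "how it works" chain shown earlier (a self-signed Root CA, a Sub CA certificate signed with the Root CA's private key, a subscriber certificate signed by the Sub CA, and a text document signed with the subscriber's private key), together with the 2048-bit RSA X.509v3 requirement placed on the licensed CSPs, carried through in Go stdlib code. This is an added example, not ITIDA's or any CSP's code: the CA names are constructed, the serial numbers are placeholders, and SHA-256 is used where the 2009 specification listed SHA-1.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Only the Root CA and the Sub CA may sign certificates; a subscriber key signs documents only.
const caUse, eeUse = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature, x509.KeyUsageDigitalSignature

// issue makes a 2048-bit RSA key pair for cn and has signerKey (the superior's key) sign its certificate (constructed serial).
func issue(cn string, use x509.KeyUsage, parent *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: use&x509.KeyUsageCertSign != 0, KeyUsage: use}
	if signerKey == nil {
		parent, signerKey = tmpl, key // self-signed Root CA: its own private key signs its own certificate info
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der) // constructed inputs: no error path exercised
	return cert, key
}

// BuildHierarchy creates Root CA -> Sub CA -> Subscriber, each certificate signed by the private key one level up.
func BuildHierarchy() (*x509.Certificate, *x509.Certificate, *x509.Certificate, *rsa.PrivateKey) {
	root, rootKey := issue("Root CA (constructed)", caUse, nil, nil)
	sub, subKey := issue("Licensed CSP Sub CA (constructed)", caUse, root, rootKey)
	leaf, leafKey := issue("Subscriber (constructed)", eeUse, sub, subKey)
	return root, sub, leaf, leafKey
}

// SignDocument is the subscriber's RSA PKCS#1 v1.5 signature over the document's SHA-256 digest.
func SignDocument(key *rsa.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return sig
}

// VerifySignedDocument is the relying party's check: leaf -> sub -> trusted root first, then the signature itself.
func VerifySignedDocument(doc, sig []byte, leaf, sub, root *x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(sub)
	if _, err := leaf.Verify(opts); err != nil {
		return err // no path to the common root: untrusted
	}
	return leaf.CheckSignature(x509.SHA256WithRSA, doc, sig)
}
```

A subscriber certificate from a second, independent hierarchy fails the chain check even when its own signature over the document is valid, which is exactly the "one superior, and only one" property the strict hierarchy slide relies on.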
Licensing Requirements (2)
License sections: Operational, Financial, Technical, Legal

Licensing Requirements (3)
Financial requirements
- Insurance of $1.5 million.
- Licensing fee: $85,000 for 5 years.
- Insurance per certificate: $200.
- 3% of revenue of licensed services.

Licensing Requirements (4)
Technical requirements
- Complete PKI infrastructure.
- Disaster Recovery site (DR).
- ISO 27001 for information security.
- PKIX (PKI based on X.509).
- Encryption keys with length 1024-2048.
- Using smart cards as the e-signature creation device (SSCD).

Licensing Requirements (5)
www.e-signature.gov.eg/materials/License-July-2006.doc (Arabic language)

Agenda (section divider): Applying ISO 27001 as the main CSP requirement

Why Implement an ISMS?

Main Requirement ISO 27001: Information is an asset (1/2)
"Information is an asset, which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities." Quote: ISO/IEC 17799-2000(E)

Main Requirement ISO 27001: Information is an asset (2/2)
Information may be: stored on computers, transmitted, printed data, written, fax, microfilm, email, spoken.

Main Requirement ISO 27001: will satisfy...
Protection of information for:
- Confidentiality: protecting sensitive information from unauthorised disclosure or intelligible interception.
- Integrity: safeguarding the accuracy and completeness of information and computer software.
- Availability: ensuring that information and vital services are available to users when required.

Main Requirement ISO 27001: Importance for PKI (1/2)
Threats: sabotage, misuse of data, fraud, vandalism, espionage, natural disaster, error.

Main Requirement ISO 27001: Importance for PKI (2/2)
- ISO 27001 provides a complete security management system, through: logical security, application security, physical & environmental security, network security, personnel security.
- Need for dual control through third-party audit.
- ISO 27001 is a complete ISMS; it merges business and technology.
- ISO 27001 needs continual improvement.

Accreditation and Certification for ISO 27001

Accreditation & Certification
Everything you wanted to know about accreditation (in 30 seconds):
- EA (European Accreditation Forum): conformance at a European level (EA 7/02).
- National Accreditation Board: accredited by a state organisation (ISO Guide 66, EA 45012).
- Certification Body: accredited by the National Accreditation Board (European Certification Body).
- Companies (Company, Company 2, Company 3): certified to ISO 27001 by a Certification Body.

The Certification Process (certification to the ISO 27001 ISMS standard)
An Information Security Management System wishes to be certified to national or international standards -> Phase 1: Pre-Audit Study -> Phase 2: On-Site Audit -> Certified Information Security Management System.

Agenda (section divider): CSPs Auditing Process

CSPs Auditing Process
CSPs Auditing Process
Preparation phase:
1- Initiating (planning) the audit
   - Scope, objective, criteria
   - Determine feasibility & select the audit team
   - Write an audit plan
   - Contact the auditee
2- Conducting documentation review
   - Request relevant documents
   - Review prior to arriving on-site
   - Review the previous audit report, if any
3- Preparing for audit activities
   - Finalize the audit plan
   - Prepare work documents
   - Assign the audit team
4- Conducting audit activities
   - Opening meeting
   - Communication during the audit
   - Collecting objective evidence
   - Closing meeting
Post-audit phase:
5- Preparing, approving & distributing the audit report
   - Mention positives & negatives
   - Distribute it to the appropriate persons
6- Conducting audit follow-up

Thank you very much
hwahab@mcit.gov.eg
www.itida.gov.eg

Cyberlaws & ICT-related Laws & Regulations
- A comprehensive IPR Law (Law No. 82/2002)
- A comprehensive Communications Act (Law No. 10/2003)
- An E-Signature Law (Law No. 15/2004)
- Children Protection Law (2008)
Drafts:
- A Data Protection, Privacy, and Cyber Security law
- A Cyber Crime law
- Access to Information Law