What is Digital Signature?

advertisement
Role of Certificate Authority in
the Informational Society
23 February 2015
Digital landscape in Malaysia
18 Mil
67.1%
3G
Subscribers
Broadband
Penetration
143.6%
Cellular
Phone
Penetration
Growing trust in the electronic transactions:
Internet and Mobile Banking
2005
2013
IB (Subscribers)
2.6 million
15.6 million
IB (Volume)
21.6 million
270 million
IB (Value)
RM259 billion
RM3,457 billion
MB (Subscribers)
128,000
3.8 million
MB (Volume)
400,000
140.4 million
MB (Value)
RM4.5 million
RM9.2 billion
Source: BNM
Source: MCMC Q42013
2
How safe is the online connectivity today?
3
Digital Signature Act is one of the Cyber laws
Computer Crimes
Telemedicine
Act 1997
Copyright
(Amendment) Act
1997
Personal Data
Protection Act
2010
Act 1997
Cyber Laws
Electronic
Government
Activities 2007
Communication
and Multimedia
Act 1998
Electronic
Commerce Act 2006
Digital
DigitalSignature
Signature ActAct
1997
1997
4
Concept of e-signature and digital
signature
Electronic Commerce Act 2006 and
Electronic Government Activities Act
2007
Electronic Signature means any letter,
character, number, sound or any other
symbol or any combination thereof
created in an electronic form adopted by
a person as a signature
Reliable electronic signature is defined as:
(a) The means of creating the electronic
signature is linked to and under the
control of that person only;
(b) Any alteration made to the electronic
signature after the time of signing is
detectable; and
(c) Any alteration made to that document
after the time of signing is detectable
Note:
e-Government Activities Act 2007, Section
13(3) – application of digital signature as
an electronic signature in any Government
activities.
Electronic
Signature
Digital
Signature
Digital Signature Act 1997
Digital Signature means a transformation of a
message using an asymmetric crypto system
such that a person having the initial message
and the signer’s public key can accurately
determine –
(a) Whether the transformation was created
using the private key that corresponds to
the signer’s public key; and
(b) Whether the message has been altered
since the transformation was made
5
Legal Effect of Digital Signature Act
Section 62(2) of DSA
• A document signed with a digital signature is legally binding
as a document signed with a handwritten signature, an
affixed thumb-print or any other mark.
Section 64 of DSA
• A digitally signed message is valid, enforceable and effective
as if it had been written on paper.
Section 65 of DSA
• A digitally signed message is valid, enforceable and effective
as the original message.
“Subscription of digital certificates from CA’s not licensed under
the DSA 1997 will not “enjoy” the “privileges” under the DSA
1997”.
6
Online Identity
Real World..
Virtual World…
No ID
Nama
Alamat
Expiry Date
: 31X00X0007
: Atkinson
: Cyberjaya
: 2011 - 2020
Just as you prove your identity through offline
using handwritten signature, you use a digital
For authentication
signature to prove your identity online.
Encryption using
Private key
Signature
Digital Signature
8
Authentication
Authentication is a basic cryptographic task
• Due to its importance, there is an abundance of different
solutions and different models
– Human memory (passwords) – Logon
– Authentication to applications
– Hardware devices
– Authentication to websites
– Online servers
– Authentication for
– Biometrics
authorization
Authentication
Why?
• To securely exchange data and communicate via
Internet.
How?
• Something the user knows ( User names and
passwords)
• Something the user possess (ATM Cards, tokens)
• Something the User is (Bio Metrics, MyKad)
10
Authentication Hierarchy
Digital
Signature
The most matured authentication method and the
trusted thus far as an identity, encryption,
authentication methodology. This technology has
been simplified in terms of the usage and has been
accepted by consumer.
Biometric
The technology that not fully matured and the
cumbersome for the consumer. Thus is method id
not widely used by retail consumer.
One Time Password
(OTP)
This method is used together with Username and
Password. It is a common practice by Malaysian
banks for Internet Banking transactions
Username & Password
It is a commonly used authentication method.
However due to it weaknesses in this method of
authenticating the users One Time Password (OTP)
is used together for better confidence for online
transactions.
11
Digital Signature Act 1997 is one of the cyber laws enacted by the
Government to promote the development of ICT in Malaysia
Key functions of MCMC :
 Licensing and regulating the CAs
 Ensure compliance
 Nurture applications based on the
Public Key Infrastructure
Key functions of the CA:
 Issuance of digital certificate to a
subscriber (digital identity)
 Management of digital certificate
(suspension, revocation etc.)
 Ensure use of a trustworthy system (annual
audit requirement)
Underlying Technology:
 Public Key Cryptography
Main Applications:
 e-Government
 e-Banking
 e-Corporate
12
Public Key Infrastructure development
in Malaysia
No. of Certificates
7.18
6.20
Types of Certificates issued
5.17
3.65
No. of Digital Cer ficates (Million)
4.25
What’s next??
Individual
2.48
Digital Trust and Confidence
Corporate
Government
10,000,000
8.7
2009 2010 2011 2012 2013 2014
10.0
7.5
Usage of Key Bits 1024
6.2
5.0
3.7
-
-
0.17 0.42
1997 1998
1999 2000
2005 2006
2007
Digital Signature Act 1997
Controller of Certification Authorities
was established
Digital Signature Regulations 1998
1.28
2.0
2008
2009
2.5
2010
4.3
Migration of Key Bits to
2048
2011
2012
2013
2014
2015
2016
2017
National Broadband Initiative
Digital Signature Act 1997 Amendments
Commission a regulatory body
National Cryptography Policy
New Certification Authority Audit
Guideline
13
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure (PKI) refers to the technical
mechanisms, procedures and policies that collectively
provide a framework for fundamentals of security authentication, confidentiality, integrity, non-repudiation and
access control.
Functions of PKI
• Generate public/private key pairs
• Identify and authenticate key subscribers
• Bind public keys to subscriber by digital certificate
• Issue, maintain, administer, revoke, suspend, reinstate,
and renew digital certificates
• Create and manage a public key repository
14
What is CA?
• CA (cyber world) Department (real world)
National
Registration
• CA issues digital certificates – digital identity
What is Digital Certificate?
• A digital certificate is a digital file that certifies the
identity of an individual or institution, or even a
router seeking access to computer - based
information.
• It is issued by a Certification Authority (CA), and
serves the same purpose as a MyKad, driver’s
license or a passport.
15
What information contained in a
Digital Certificate?
• Name of holder
• Public key of holder
• Name of trusted third party (certificate authority)
• Digital Signature Of Certificate Authority
• Data on which hash and public-key algorithms
have been used
• Other business or personal information
16
What is Digital Signature?
• Asymmetric cryptography used to simulate the
security of a signature in digital, rather than
written, form.
• Digital signature schemes give two algorithms
which one which involves the user’s private key
for signing and user's public key for verifying
signatures.
• The output of the signature process is called the
"digital signature.“
17
Control of private key
• Every subscriber shall exercise shall exercise reasonable care to
retain control of the private key corresponding to the public key
listed in his Digital Signature Certificate and take all steps to prevent
its disclosure to non authorised person to affix the digital signature
of the subscriber.
• If the private key corresponding to the public key listed in the Digital
Signature Certificate has been compromised, then, the subscriber
shall communicate the same without and delay to the Certifying
Authority.
Explanation:
Subscriber shall be liable to till he has informed the Certifying Authority
that the private key has been compromised.
18
Signing and Verification
19
Why Need for Digital Signature
Industrial Society
Informational Society
Offline (face to face)
Online
Problem
Solution
Risk of deceiving identity of sender
Authentication
Digital Signature
Risk of changing information on transmission
Integrity
Digital Signature
Risk of denying a fact information transmit
Non Repudiation
Digital Signature
Risk of exposing information on transmission
Confidentiality
Encryption
20
Current MCMC’s Key Initiatives
Fostering higher standard PKI is essential to support various Digital Malaysia’s initiatives
Revised Audit
Guideline
Fit and Proper
MCMC
“Raising the
Bar Initiatives”
(2012-2015)
Business
Continuity Plan
Revised
Registration of
Qualified
Auditor
Guideline
Key Objectives
PKI leader in ASEAN
CA Escalation
Policy
MCMC becomes the PKI centre of excellence
The CA be recognized as an important eco-system
in the digital economy
Malaysia PKI
Standards
Review
Licensing
Conditions and
Criteria
Capacity
Building
Review the Act
Malaysia
PKI Forum
Way Forward on National CA Strategy
Plan
National
CA
Government
e-ID
Digital Trust
& Confidence
Mobile
e-ID
22
THANK YOU
Download