Creating Trust in Electronic Environment - IT Act 2000

advertisement
Controller of
Certifying Authorities
Creating Trust in Electronic
Environment
- IT Act 2000
Deputy Controller (Technology)
Controller of Certifying Authorities
Ministry of Communications & Information Technology
E-Commerce Promotion
•
Creating Trust in Electronic Environment
- Establishing Digital Signature
Framework
•
•
•
•
•
•
•
Trust in the Paper world
Trust issues in the Electronic World
Concept of Digital Signatures
Role of CAs
PKI
IT Act
Role of CCA
Electronic Commerce
• EC transactions over the Internet include
– Formation of Contracts
– Delivery of Information and Services
– Delivery of Content
• Future of Electronic Commerce depends on
“the trust that the transacting parties place in the security
of the transmission and content of their
communications”
Electronic Juridical Statements
• Juridical statements which are set up telematically
• Computers are the only means by which contracting
parties set up their agreements
• Examples include
–
–
–
–
–
–
EFT
Teleshopping
Electronic consultation of data banks
Tele-reservation
Contracts, deed, agreements
Dealing with Public Administrations
The Paper World
Documents
• A paper document consists of four components
–
–
–
–
the carrier ( the sheet of paper)
text and pictures ( the physical representation of information)
information about the originator
measures to verify the authenticity (written signature)
• All the four components are physically connected
– So, paper is the document
• There is only one original
– can be reproduced in innumerable copies
The Paper World
Signature
• Supposed to be unique, difficult to be reproduced,
not changeable and not reusable
• Its main functions
– identification
– declaration
– proof
• The signature is used to identify a person and to
associate the person with the content of that
document
– always related to a physical person
The Paper World
Signature (contd)
• In all legal systems
– Absence of a prescription of an exclusive modality of signing
e.g. Full name, initials, nickname, real or any symbol.
– Token of will and responsibilty
– Contractors have the right to rule their own contractural
relations, defining also the way each one can sign the
agreements.
• From a legal point of view, nothing against the
introduction of new types or technologies of
signature
– Digital Signature is a new technology
Electronic World
• Electronic document produced by a computer. Stored
in digital form, and cannot be perceived without
using a computer
– It can be deleted, modified and rewritten without leaving a
mark
– Integrity of an electronic document is “genetically”
impossible to verify
– A copy is indistinguishable from the original
– It can’t be sealed in the traditional way, where the author
affixes his signature
• The functions of identification, declaration, proof of
electronic documents carried out using a digital
signature based on cryptography.
Electronic World
• Digital signatures created and verified using
cryptography
• Public key System based on Asymmetric keys
– An algorithm generates two different and related
keys
• Public key
• Private Key
– Private key used to digitally sign.
– Public key used to verify.
Public Key Infrastructure
• Allow parties to have free access to the
signer’s public key
• This assures that the public key corresponds
to the signer’s private key
– Trust between parties as if they know one another
• Parties with no trading partner agreements,
operating on open networks, need to have
highest level of trust in one another
Role of the Government
• Government has to provide the definition of
– the structure of PKI
– the number of levels of authority and their
juridical form (public or private certification)
– which authorities are allowed to issue key pairs
– the extent to which the use of cryptography
should be authorised for confidentiality purposes
– whether the Central Authority should have access
to the encrypted information; when and how
– the key length, its security standard and its time
validity
Certifying Authorities
• A CA is an Authority which should :
– reliably identify persons applying for key certificates
(signatures)
– reliably verify their legal capacity
– confirm the attribution of a public signature key to an
identified physical person by means of a signature key
certificate
– always maintain online access to the signature key
certificates with the agreement of the signature key owner
– take measures so that the confidentiality of a private
signature key is guaranteed
Certificate based Key
Management
CA
CA
User A
A
B
User B
CA
A
• Operated by trusted-third
party - CA
• Provides Trading Partners
Certificates
• Notarises the relationship
between a public key and
CA B
its owner
Information Technology Act
• IT Act 2000 : Basic legal framework for ECommerce - promotes trust in electronic
environment
• IT Act creates a conducive environment for
promoting E-Commerce in the country.
– Acceptance of electronic documents as
evidence in a court of law.
– Acceptance of electronic signatures at par with
handwritten signatures.
Information Technology Act...contd
– Acceptance of electronic documents by the
government.
– Defines digital signatures based on asymmetric
public key cryptography
– Provides for the creation of Certifying Authorities
to issue public key certificates – digital certificates
for electronic authentication of users in electronic
commerce.
Information Technology Act...contd
– Provides for Controller under the IT Act to license the
Certifying Authorities and to ensure that none of the
provisions of the Act are violated.
– Provides for dealing with offences in the cyber space in
the form of hackers and other criminals trying to gain
access into databases and other business sites.
– Provides for the establishment of Cyber Appellate
Tribunal to try cases under this Act for speedy
adjudication of cases arising out of this Act.
– Provides for appropriate changes in the Bankers Act and
the Indian Evidence Act.
The Controller of Certifying
Authorities (CCA)
• Appointed by the Central Government under
section 17 of the IT Act.
• Came into existence on November 1, 2000.
• Aims at promoting the growth of E-Commerce
and E-Governance through the wide use of
digital signatures.
CCA has to regulate the
functioning of CAs in the country by• Licensing Certifying Authorities (CAs) under section
21 of the IT Act and exercising supervision over their
activities.
• Certifying the public keys of the CAs, i.e. their Digital
Signature Certificates more commonly known as
Public Key Certificates (PKCs).
• Laying down the standards to be maintained by the
CAs,
• Addressing the issues related to the licensing process
The licensing process
• Examining the application and accompanying
documents as provided in sections 21 to 24 of
the IT Act, and all the Rules and Regulations
there- under;
• Approving the Certification Practice
Statement(CPS);
• Auditing the physical and technical
infrastructure of the applicants through a
panel of auditors maintained by the CCA.
Audit Process
• Adequacy of security policies and implementation thereof;
• Existence of adequate physical security;
• Evaluation of functionalities in technology as it supports CA
operations;
• CA’s services administration processes and procedures;
• Compliance to relevant CPS as approved and provided by the
Controller;
• Adequacy to contracts/agreements for all outsourced CA
operations;
• Adherence to Information Technology Act 2000, the rules and
regulations thereunder, and guidelines issued by the Controller
from time-to-time.
PKI Standards
Public Key Cryptography
 RSA - Asymmetric Cryptosystem
 Diffie-Hellman - Asymmetric Cryptosystem
 Elliptic Curve Discrete Logarithm Cryptosystem
Digital Signature Standards
 RSA, DSA and EC Signature Algorithms
 SHA-1, SHA-2 - Hashing Algorithms
Directory Services (LDAP ver 3)
 X.500 for publication of Public Key Certificates and Certificate Revocation Lists
 X.509 version 3 Public Key Certificates
 X.509 version 2 Certificate Revocation Lists
PKCS family of standards for Public Key Cryptography from RSA
 PKCS#1 – PKCS#13
Federal Information Processing Standards (FIPS)
 FIPS 140-1 level 3 and above for Security Requirement of Cryptographic Modules
Key Size mandated by the CCA
• CA
– 2048-bit RSA-key
• User
– 1024-bit RSA-key
Licensed Certifying Authorities
• Provides services to its subscribers and relying parties as
per its certification practice statement (CPS) which is
approved by the CCA as part of the licensing procedure.
–
–
–
–
–
–
–
Identification and authentication
Certificate issuance
Certificate suspension and revocation
Certificate renewal
Notification of certificate-related information
Display of all these on its website
Time-stamping
End entities, subscribers and
relying parties
• The End entities of RCAI are the Licensed CAs
in India.
• Subscribers and relying parties using the
certificates issued by a CA need to be assured
that the CA is licensed by the CCA.
• They should be able to verify the licence
through an indicator in the PKCs issued by a
CA.
PKI Hierarchy
CCA
Directory of
Certificates
CRLs
Subscriber
CA
CA
Subscriber
CA
Relying
Party
Directory of
Certificates
CRLs
Subscriber
Trust in Electronic Environment
in India
•
•
•
•
•
•
CCA : Root of trust, National Repository
Licensed CAs
Digital signatures for signing documents
Certificates, CRLs for access by relying parties
PKI operational
Other provisions of the IT Act – Cybercrimes
not to go unpunished
Download