Controller of Certifying Authorities Creating Trust in Electronic Environment - IT Act 2000 Deputy Controller (Technology) Controller of Certifying Authorities Ministry of Communications & Information Technology E-Commerce Promotion • Creating Trust in Electronic Environment - Establishing Digital Signature Framework • • • • • • • Trust in the Paper world Trust issues in the Electronic World Concept of Digital Signatures Role of CAs PKI IT Act Role of CCA Electronic Commerce • EC transactions over the Internet include – Formation of Contracts – Delivery of Information and Services – Delivery of Content • Future of Electronic Commerce depends on “the trust that the transacting parties place in the security of the transmission and content of their communications” Electronic Juridical Statements • Juridical statements which are set up telematically • Computers are the only means by which contracting parties set up their agreements • Examples include – – – – – – EFT Teleshopping Electronic consultation of data banks Tele-reservation Contracts, deed, agreements Dealing with Public Administrations The Paper World Documents • A paper document consists of four components – – – – the carrier ( the sheet of paper) text and pictures ( the physical representation of information) information about the originator measures to verify the authenticity (written signature) • All the four components are physically connected – So, paper is the document • There is only one original – can be reproduced in innumerable copies The Paper World Signature • Supposed to be unique, difficult to be reproduced, not changeable and not reusable • Its main functions – identification – declaration – proof • The signature is used to identify a person and to associate the person with the content of that document – always related to a physical person The Paper World Signature (contd) • In all legal systems – Absence of a prescription of an exclusive modality of signing e.g. Full name, initials, nickname, real or any symbol. – Token of will and responsibilty – Contractors have the right to rule their own contractural relations, defining also the way each one can sign the agreements. • From a legal point of view, nothing against the introduction of new types or technologies of signature – Digital Signature is a new technology Electronic World • Electronic document produced by a computer. Stored in digital form, and cannot be perceived without using a computer – It can be deleted, modified and rewritten without leaving a mark – Integrity of an electronic document is “genetically” impossible to verify – A copy is indistinguishable from the original – It can’t be sealed in the traditional way, where the author affixes his signature • The functions of identification, declaration, proof of electronic documents carried out using a digital signature based on cryptography. Electronic World • Digital signatures created and verified using cryptography • Public key System based on Asymmetric keys – An algorithm generates two different and related keys • Public key • Private Key – Private key used to digitally sign. – Public key used to verify. Public Key Infrastructure • Allow parties to have free access to the signer’s public key • This assures that the public key corresponds to the signer’s private key – Trust between parties as if they know one another • Parties with no trading partner agreements, operating on open networks, need to have highest level of trust in one another Role of the Government • Government has to provide the definition of – the structure of PKI – the number of levels of authority and their juridical form (public or private certification) – which authorities are allowed to issue key pairs – the extent to which the use of cryptography should be authorised for confidentiality purposes – whether the Central Authority should have access to the encrypted information; when and how – the key length, its security standard and its time validity Certifying Authorities • A CA is an Authority which should : – reliably identify persons applying for key certificates (signatures) – reliably verify their legal capacity – confirm the attribution of a public signature key to an identified physical person by means of a signature key certificate – always maintain online access to the signature key certificates with the agreement of the signature key owner – take measures so that the confidentiality of a private signature key is guaranteed Certificate based Key Management CA CA User A A B User B CA A • Operated by trusted-third party - CA • Provides Trading Partners Certificates • Notarises the relationship between a public key and CA B its owner Information Technology Act • IT Act 2000 : Basic legal framework for ECommerce - promotes trust in electronic environment • IT Act creates a conducive environment for promoting E-Commerce in the country. – Acceptance of electronic documents as evidence in a court of law. – Acceptance of electronic signatures at par with handwritten signatures. Information Technology Act...contd – Acceptance of electronic documents by the government. – Defines digital signatures based on asymmetric public key cryptography – Provides for the creation of Certifying Authorities to issue public key certificates – digital certificates for electronic authentication of users in electronic commerce. Information Technology Act...contd – Provides for Controller under the IT Act to license the Certifying Authorities and to ensure that none of the provisions of the Act are violated. – Provides for dealing with offences in the cyber space in the form of hackers and other criminals trying to gain access into databases and other business sites. – Provides for the establishment of Cyber Appellate Tribunal to try cases under this Act for speedy adjudication of cases arising out of this Act. – Provides for appropriate changes in the Bankers Act and the Indian Evidence Act. The Controller of Certifying Authorities (CCA) • Appointed by the Central Government under section 17 of the IT Act. • Came into existence on November 1, 2000. • Aims at promoting the growth of E-Commerce and E-Governance through the wide use of digital signatures. CCA has to regulate the functioning of CAs in the country by• Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities. • Certifying the public keys of the CAs, i.e. their Digital Signature Certificates more commonly known as Public Key Certificates (PKCs). • Laying down the standards to be maintained by the CAs, • Addressing the issues related to the licensing process The licensing process • Examining the application and accompanying documents as provided in sections 21 to 24 of the IT Act, and all the Rules and Regulations there- under; • Approving the Certification Practice Statement(CPS); • Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA. Audit Process • Adequacy of security policies and implementation thereof; • Existence of adequate physical security; • Evaluation of functionalities in technology as it supports CA operations; • CA’s services administration processes and procedures; • Compliance to relevant CPS as approved and provided by the Controller; • Adequacy to contracts/agreements for all outsourced CA operations; • Adherence to Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time-to-time. PKI Standards Public Key Cryptography RSA - Asymmetric Cryptosystem Diffie-Hellman - Asymmetric Cryptosystem Elliptic Curve Discrete Logarithm Cryptosystem Digital Signature Standards RSA, DSA and EC Signature Algorithms SHA-1, SHA-2 - Hashing Algorithms Directory Services (LDAP ver 3) X.500 for publication of Public Key Certificates and Certificate Revocation Lists X.509 version 3 Public Key Certificates X.509 version 2 Certificate Revocation Lists PKCS family of standards for Public Key Cryptography from RSA PKCS#1 – PKCS#13 Federal Information Processing Standards (FIPS) FIPS 140-1 level 3 and above for Security Requirement of Cryptographic Modules Key Size mandated by the CCA • CA – 2048-bit RSA-key • User – 1024-bit RSA-key Licensed Certifying Authorities • Provides services to its subscribers and relying parties as per its certification practice statement (CPS) which is approved by the CCA as part of the licensing procedure. – – – – – – – Identification and authentication Certificate issuance Certificate suspension and revocation Certificate renewal Notification of certificate-related information Display of all these on its website Time-stamping End entities, subscribers and relying parties • The End entities of RCAI are the Licensed CAs in India. • Subscribers and relying parties using the certificates issued by a CA need to be assured that the CA is licensed by the CCA. • They should be able to verify the licence through an indicator in the PKCs issued by a CA. PKI Hierarchy CCA Directory of Certificates CRLs Subscriber CA CA Subscriber CA Relying Party Directory of Certificates CRLs Subscriber Trust in Electronic Environment in India • • • • • • CCA : Root of trust, National Repository Licensed CAs Digital signatures for signing documents Certificates, CRLs for access by relying parties PKI operational Other provisions of the IT Act – Cybercrimes not to go unpunished