Individual Certificates and PKI - Cyberspace Law and Policy Centre

Individual Digital Certificates
and PKI
Chris Connolly
Peter van Dijk
Galexia Consulting
http://www.galexia.com.au
1. Introduction

• Galexia Consulting
• Federal Privacy Commissioner’s Discussion Paper on Digital Certificates – forthcoming
• Importance of authentication technologies – why PKI?
• Scope of this presentation – focus on ‘trust’ issues
2. Why Public Key Technology?

• Public Key Technology involves the use of digital signatures. These signatures are used for:
– Authentication - confirms who you are (only the holder of the private key can produce the signature)
– Integrity - confirms that what you sent arrived unaltered
– Non-repudiation - you can’t deny it (the signer cannot later disown a signed document)
• Additionally
– Confidentiality - controls what you can see - public key encryption lets two parties encrypt and decrypt information sent between them
2. What is PKI?

• Public Key Infrastructure (PKI) is the combination of software, encryption technologies (PKT), and services that enables organisations to protect the security of their communications and business transactions on the Internet
• PKIs integrate digital certificates, public-key cryptography, and certificate authorities into a shared network security architecture, including:
– issuance of digital certificates to individual users
– end-user enrolment software
– integration with corporate certificate directories
– tools for managing, renewing, and revoking certificates
2. Components of a PKI

[Component diagram; source: http://www.baltimore.com]

A PKI comprises the following components:
• Certificate Authorities (CAs): These are responsible for issuing and revoking certificates.
• Registration Authorities (RAs): These verify the binding between public keys and the identities of their holders. They conduct the initial verification of a potential subscriber’s identity and/or attributes.
• Subscribers/Digital Certificate holders: People, machines or software agents that have been issued with certificates and can use them to sign digital documents.
• Clients: These validate digital signatures and their certification paths from a trusted CA’s public key. A signature that verifies under a certificate whose path does not reach a trusted CA, or which has expired or been revoked, proves nothing about the signer’s identity.
• Relying parties: Rely on the contents of a digital certificate in communicating with subscribers.
• Repositories/Directories: These store and make available certificates and certificate revocation lists (CRLs).
• Security policy: This sets out and defines the organisation’s top-level direction on information security, as well as the processes and principles for the use of cryptography.
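The components above, together with the signature properties from the ‘Why Public Key Technology?’ slide, in working code. This is an added example and not part of the original presentation: a toy CA issues a subscriber certificate and a CRL, the subscriber signs a document, and a client/relying party checks both the signature and the certificate (path to the trusted CA key, validity period, Key Usage, revocation). It uses the third-party Python `cryptography` package; the CA name, the subscriber name, the document text and the fixed clock are assumptions constructed for the example.

```python
"""Added example (not from the slides): a minimal PKI round trip using the third-party
'cryptography' package. It plays the roles on the 'Components of a PKI' slide and shows the
signature properties from 'Why Public Key Technology?'. Names and the clock are constructed."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
KU_BITS = ("digital_signature", "content_commitment", "key_encipherment", "data_encipherment",
           "key_agreement", "key_cert_sign", "crl_sign", "encipher_only", "decipher_only")

def key_usage(*on):
    """KeyUsage extension with only the named bits set (content_commitment = nonRepudiation)."""
    return x509.KeyUsage(**{b: b in on for b in KU_BITS})

def new_cert(subject, issuer, pub, signer_key, now, days, ku):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(ku, critical=True).sign(signer_key, hashes.SHA256()))

def make_ca(cn, now):
    """CA role: a self-signed root whose key may only sign certificates and CRLs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    n = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return key, new_cert(n, n, key.public_key(), key, now, 3650, key_usage("key_cert_sign", "crl_sign"))

def issue(ca_key, ca_cert, cn, pub, now):
    """CA role: bind a subscriber's public key to an identity for one year, for signing only."""
    n = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return new_cert(n, ca_cert.subject, pub, ca_key, now, 365,
                    key_usage("digital_signature", "content_commitment"))

def build_crl(ca_key, ca_cert, revoked_serials, now):
    """Repository role: a CA-signed CRL listing revoked serial numbers."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + dt.timedelta(days=7)))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(now).build())
    return b.sign(ca_key, hashes.SHA256())

def verify_document(cert, doc, sig):
    """Client role, step 1: does the signature match the certificate's public key?"""
    try:
        cert.public_key().verify(sig, doc, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def validate_certificate(cert, ca_cert, crl, now):
    """Client/relying-party role, step 2: path to the trusted CA key, validity, Key Usage, CRL."""
    ca_pub = ca_cert.public_key()
    try:  # the CA signed the to-be-signed bytes with PKCS#1 v1.5 (CertificateBuilder default)
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "bad issuer signature"
    # *_utc properties exist from cryptography 42; older versions return naive UTC datetimes
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=UTC)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=UTC)
    if not nb <= now <= na:
        return "outside validity period"
    if not cert.extensions.get_extension_for_class(x509.KeyUsage).value.digital_signature:
        return "key usage forbids signing"
    if not crl.is_signature_valid(ca_pub):  # a forged CRL could silently hide a revocation
        return "bad CRL signature"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"

def demo():
    now = dt.datetime(2025, 1, 1, tzinfo=UTC)        # constructed fixed clock
    ca_key, ca_cert = make_ca("Galexia Demo CA", now)
    _, impostor = make_ca("Galexia Demo CA", now)    # same name, different key
    alice_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    alice = issue(ca_key, ca_cert, "alice@example.com", alice_key.public_key(), now)
    doc = b"I authorise payment of $100 to Bob."
    sig = alice_key.sign(doc, PSS, hashes.SHA256())  # subscriber role: sign the document
    clean_crl = build_crl(ca_key, ca_cert, [], now)
    revoking_crl = build_crl(ca_key, ca_cert, [alice.serial_number], now)
    t = now + dt.timedelta(days=30)
    return {
        "signature_ok": verify_document(alice, doc, sig),
        "tampered_ok": verify_document(alice, doc.replace(b"100", b"900"), sig),
        "cert_status": validate_certificate(alice, ca_cert, clean_crl, t),
        "expired_status": validate_certificate(alice, ca_cert, clean_crl, now + dt.timedelta(days=400)),
        "revoked_status": validate_certificate(alice, ca_cert, revoking_crl, t),
        "impostor_status": validate_certificate(alice, impostor, clean_crl, t),
    }
```

Running `demo()` returns `signature_ok` True and `tampered_ok` False (integrity), `cert_status` "ok", and "outside validity period", "revoked" and "bad issuer signature" for the expired, revoked and wrong-CA cases. Two points a relying party gets wrong in practice are visible here: the CRL’s own signature is checked before it is believed, and the validity check runs against an explicit clock rather than whatever the local machine thinks the time is. In a real deployment the trusted CA certificate comes from a configured trust store and the CRL from the repository, not from the same process that issued them.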
2. What is a Digital Certificate?

• A digital form of identification
– Similar to a passport or driver’s licence
– Binds the subject’s public key (a mathematical value) to one or more attributes relating to their identity, under the issuing CA’s signature
• A certificate is valid for a period of time (often one, three or ten years)
• Certificates can do different things, governed by the Key Usage attribute. For example:
– Encrypt a document
– Sign a document – for non-repudiation
– Secure a WWW server
– Provide authentication - enable the holder to access a corporate network
2. Example Certificate (1)
• Certificate Summary [screenshot not reproduced]

2. Example Certificate (2)
• Certificate attribute details: Key Usage [screenshot not reproduced]

2. Example Certificate (3)
• Certificate attribute details: Subject [screenshot not reproduced]
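The Key Usage attribute that the certificate viewer displays above is, on the wire, an ASN.1 BIT STRING inside the extension (RFC 5280 section 4.2.1.3): bit 0 is digitalSignature, bit 1 nonRepudiation, bit 2 keyEncipherment and so on, which is what decides whether a certificate may sign, encrypt or issue other certificates. The following is an added example, not code from the presentation, that decodes that bit string with the Python standard library only and enforces the DER rules an encoder must follow; the sample byte strings are constructed for the example.

```python
"""Added example (not from the slides): decode a certificate's Key Usage extension
from its DER bytes, using only the standard library. RFC 5280 section 4.2.1.3 defines
the value as an ASN.1 BIT STRING; the sample encodings below are constructed."""

KEY_USAGE_BITS = (  # bit index in the BIT STRING -> name, per RFC 5280
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
)


def read_der_length(buf, i):
    """Decode a DER length starting at buf[i]; return (length, index of content)."""
    first = buf[i]
    if first < 0x80:                              # short form: one byte
        return first, i + 1
    n = first & 0x7F                              # long form: next n bytes hold the length
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big")
    if length < 0x80:                             # DER: lengths must use the shortest form
        raise ValueError("non-minimal DER length")
    return length, i + 1 + n


def decode_key_usage(der):
    """Return the names of the Key Usage bits that are set, enforcing DER BIT STRING rules.

    Layout: 0x03 | length | unused-bit count | content bytes, bit 0 = MSB of first byte."""
    if not der or der[0] != 0x03:
        raise ValueError("expected BIT STRING tag 0x03")
    length, start = read_der_length(der, 1)
    if length < 1 or start + length != len(der):
        raise ValueError("length does not match content")
    unused, body = der[start], der[start + 1:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bit count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")  # DER rule: one meaning, one encoding
    names = []
    for bit in range(len(body) * 8 - unused):
        if body[bit // 8] & (0x80 >> (bit % 8)):
            names.append(KEY_USAGE_BITS[bit] if bit < len(KEY_USAGE_BITS) else f"bit{bit}")
    return names


# Constructed sample values, as found inside the extension's OCTET STRING in a certificate.
SAMPLES = {
    "tls_server": bytes.fromhex("030205a0"),    # digitalSignature + keyEncipherment
    "signing":    bytes.fromhex("030206c0"),    # digitalSignature + nonRepudiation
    "ca":         bytes.fromhex("03020106"),    # keyCertSign + cRLSign
    "agreement":  bytes.fromhex("0303070880"),  # keyAgreement + decipherOnly (bit 8, 2nd byte)
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        print(f"{label}: {', '.join(decode_key_usage(der))}")
```

The strictness is deliberate: a parser that tolerates non-zero padding bits or non-minimal lengths lets two different byte strings carry the same Key Usage, which is exactly the ambiguity that makes signature and fingerprint comparisons unreliable. Later editions of RFC 5280 rename bit 1 contentCommitment; the slides and most certificate viewers still call it nonRepudiation.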
3. PKI Models

• There are a number of factors that differentiate PKI applications:
– The level of identification (ranging from anonymous to fully identified);
– The use of attributes;
– The potential for multi-purpose/multi-use certificates; and
– The use of online services, tokens and mobile devices.
3. Case Studies

• Case study 1 – Australian State government agency applications
• Case study 2 – Multi agency application
• Case study 3 – Health smart card
• Case study 4 – Patent application
• Case study 5 – Banking application

3. Case Studies - Commonwealth

• Australian Federal Agency applications
– Centrelink
– Australian Electoral Commission
– Health Insurance Commission
– Customs
– Electronic Tenders
– Jobsearch
• Case study 6 – The Australian Business Number – Digital Signature Certificate (ABN-DSC)
4. Overview of privacy implications

1. Collection, use, and disclosure of personal information
– By Certification Authorities and Registration Authorities
– By Relying Parties
2. Storage and destruction
3. Certificate Revocation Lists (CRLs)
4. Logging of CRL lookups
5. Revocation of a certificate
6. Cooperation with law enforcement agencies
7. Access and correction rights
8. Security
9. Identification requirements
10. Unique identifiers
11. Potential for additional use of data (“function creep”)
12. Risk management practices
13. Limits on user choice
5. Conclusion

• Tools to build ‘trust’ in digital certificates
• Future trends/issues in PKI
• Ongoing discussion and consultation