©1998-2002 ITU Telecommunication Development Bureau (BDT) – E-Strategy Unit. All Rights Reserved.

Security and Trust for E-Transactions

Alexander NTOKO, Head, E-Strategy Unit
Telecommunication Development Bureau (BDT)
[email protected]
http://www.itu.int/ITU-D/e-strategy

ITU-T Workshop on Multimedia Convergence

ITU HQ, Geneva, Switzerland 12-15 March 2002

International Telecommunication Union (ITU)

There is a Growing Need for Security…

…due to lack of confidence…

“On the Internet, nobody knows you’re a dog…”

Identification is the Challenge

…but in e-transactions, it is important to know if you are dealing with a dog.

But what are the Security Threats?

o Eavesdropping: where intermediaries “listen” in on private conversations

o Manipulation: where intermediaries intercept and change information in a private communication

o Impersonation: where a sender or receiver uses a false identity for communication

What are the Requirements?

Building confidence in e-transactions

o Confidentiality
• Information accessed only by those authorized

o Integrity
• No information added, changed, or taken out

o Authentication
• Parties are who they pretend to be

o Non-repudiation
• Originator cannot deny origin

o Infrastructure of trust
• Automating the checking of identities

How can we Enhance trust?

o Confidentiality: Encryption
o Who am I dealing with?: Authentication
o Message integrity: Message Digest
o Non-repudiation: Digital Signature
o Third party evidence of authenticity: Certificate
o Trusted certificate: Certification Authorities

Symmetric key encryption system

Same key is used to both encrypt and decrypt data

Examples of encryption systems: DES, 3DES, RC2, RC4, RC5

DES: Data Encryption Standard, US Gov 1977, developed at IBM

Symmetric key encryption system

o Advantages
• Fast, secure, widely understood

o Disadvantages
• Requires secret sharing
• Requires large number of keys
• No authentication
• No non-repudiation

Public key encryption system

o Concept introduced in 1976 by Diffie and Hellman

o RSA, the most popular, was invented in 1977 by Rivest, Shamir, and Adleman

o RSA (www.rsa.com) was founded in 1982

o Everyone has a private key and a public key

o Sender uses the receiver’s public key to encrypt message

o Only receiver’s private key can decrypt message

o Discovering private key kept by one person is more difficult than discovering shared secret key

Public key encryption system

Each user has 2 keys: what one key encrypts, only the other key in the pair can decrypt.
Public key can be sent in the open.
Private key is never transmitted or shared.

[Figure labels: Recipient’s Public Key, Recipient’s Private Key]

Public key encryption system

o Example: RSA

o Advantages
• No secret sharing risk
• Provides authentication, non-repudiation
• Infeasible to determine one key from the other

o Disadvantages
• Computationally intense (in software, DES is at least 100 times faster than RSA)
• Requires authentication of public keys

Sender Authentication

Using Public Key Encryption “backwards” provides authentication of the sender

[Figure labels: Sender’s Private Key, Sender’s Public Key]

Message Digest

[Figure: Plaintext → Hash Algorithm → Digest]

- Used to determine if document has changed
- Usually 128-bit or 160-bit “digests”
- Infeasible to produce a document matching a digest
- A one bit change in the document affects about half the bits in the digest

Message Digest

o Common hash algorithms
• MD2 (128-bit digest)
• MD4 (128-bit digest)
• MD5 (128-bit digest)
• SHA-1 (160-bit digest)
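
The Message Digest slides state that a one bit change in the document affects about half the bits in the digest. The following is an added example, not part of the original presentation, that measures this for MD5 and SHA-1 by flipping every bit of a constructed sample document in turn; the function names and the sample text are assumptions made for illustration.

```python
import hashlib

# Constructed sample document (not from the presentation).
ORDER = b"PAY 100.00 USD TO ACCOUNT 12345678 REF ORDER-0001"

def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)

def hamming(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def digest_bits(algorithm: str) -> int:
    """Digest length in bits (128 for MD5, 160 for SHA-1)."""
    return hashlib.new(algorithm).digest_size * 8

def avalanche_fraction(document: bytes, algorithm: str) -> float:
    """Average fraction of digest bits that change, taken over every
    possible single-bit change to the document."""
    base = hashlib.new(algorithm, document).digest()
    nbits = len(document) * 8
    changed = 0
    for i in range(nbits):
        other = hashlib.new(algorithm, flip_bit(document, i)).digest()
        changed += hamming(base, other)
    return changed / (nbits * len(base) * 8)

if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        frac = avalanche_fraction(ORDER, algo)
        print(f"{algo}: {digest_bits(algo)}-bit digest, "
              f"{frac:.1%} of digest bits change per flipped input bit")
```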

Digital Signature

[Figure: Hash Algorithm, Digest, Signer’s Private Key, Encrypted Digest, Signed Document]

Verifying the Digital Signature for Authentication and Integrity

[Figure: Hash Algorithm, Digest; Signer’s Public Key, Digest; the two digests are compared (“??”)]

Integrity: One bit change in the content changes the digest

Digital Signature

Guarantees:

o Integrity of document
• One bit change in document changes the digest

o Authentication of sender
• Signer’s public key decrypts digest sent and decrypted digest matches computed digest

o Non-repudiation
• Only signer’s private key can encrypt digest that is decrypted by his/her public key and matches the computed digest. Non-repudiation prevents reneging on an agreement by denying a transaction.
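
The sign and verify steps from the Digital Signature slides, as an added example that is not part of the original presentation. It uses textbook RSA on the bare SHA-1 digest with no padding scheme, to mirror the slides rather than a deployable signature format, and the key is a constructed toy pair built from two Mersenne primes so that no key generator is needed; all names are assumptions.

```python
import hashlib

# Constructed toy key pair. Mersenne primes are used only because they are
# easy to write down; real keys use random primes and a padded scheme.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                              # public modulus
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def digest_int(document: bytes) -> int:
    """Hash Algorithm -> Digest. SHA-1 is used to match the slides."""
    return int.from_bytes(hashlib.sha1(document).digest(), "big")

def sign(document: bytes) -> int:
    """Signer: transform the digest with the private key.
    The result travels with the document as the 'encrypted digest'."""
    return pow(digest_int(document), D, N)

def verify(document: bytes, signature: int) -> bool:
    """Verifier: recover the digest with the signer's public key and
    compare it with a digest computed over the document as received."""
    return pow(signature, E, N) == digest_int(document)

# Constructed sample document.
CONTRACT = b"Buyer agrees to purchase 100 units at 25.00 USD each."

if __name__ == "__main__":
    sig = sign(CONTRACT)
    tampered = CONTRACT.replace(b"100 units", b"900 units")
    print("original document verifies:", verify(CONTRACT, sig))
    print("tampered document verifies:", verify(tampered, sig))
    print("altered signature verifies:", verify(CONTRACT, sig ^ 1))
```

The tampered document fails because its computed digest no longer matches the digest recovered from the signature, which is the integrity guarantee; the altered signature fails because only the private exponent produces a value that the public key maps back to the document's digest.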

Digital Certificate

Digital Certificate

o A digital certificate or Digital ID is a computer-based record that attests to the binding of a public key to an identified subscriber.

o Certificate issued by Certification Authority (CA).

o Certified digital signature attests to message content and to the identity of the signer.

o Combined with a digital time stamp, messages can be proved to have been sent at certain time.

Digital Envelope

Combines the high speed of DES (symmetric encryption) and the key management convenience of RSA (public key encryption)

[Figure: One time encryption Key, Recipient’s Public Key, “Digital Envelope”]

ITU-T X.509 Certificate

o Standard certificate virtually everyone uses.

o Includes: serial number, name of individual or system (X.500 name - e.g., CN=John Smith, OU=Sales, O=XYZ, C=US), issuer (X.500 name of CA), validity period, public key, cryptographic algorithm used, CA digital signature, etc., plus flexible extensions in Version 3.

o Certificate is signed by the issuer to authenticate the binding between the subject name and the related public key.

ITU-T X.509 Certificate Version 3

o Version 3 standard extensions include subject and issuer attributes, certification policy information, key usage restrictions, e-mail address, DNS name, etc.

o Examples of special extensions: account number, postal address, telephone number, photograph (image data), birthday (to block users younger than a specified age from accessing certain contents of a Web server), preferred language, etc.

Security Technologies – Which One?

Components of PKI

ITU E-Security – Brief Status of Activities

o Expanded from EC-DC to Secure e-transaction based on PKI as a result of partnership with WISeKey.

o 20+ security companies worked for 16 months to develop infrastructure + Applications under ITU EC-DC

o 100+ DCs interested in this project. Since deployment started in Q4 2001, 12 DCs from Africa, Asia and Latin America are scheduled to be operational in Q1 2002.

o First ever deployment of digital certification technology and Apps (based on PKI) in most of the DCs.

o More than US$ 10 million in in-kind contribution from industry partners.

o Launching multilateral framework (World e-Trust) to expand deployment to more developing countries.

But for it to make sense, it must be available to all…

ITU E-Security - Accomplishments

…an enormous opportunity for the sub-Saharan African states. - World Bank.

Without such initiatives, many countries would stay on the exit ramp. - OPTOROUTE Online

EC-DC Does IT - Time Magazine

The conditions for safe e-business transactions ensured by the EC-DC … - UNIDO

… essential in providing the infrastructure for global e-commerce. - International Law Section

EC-DC - Bridging the Digital Divide - International Security Review

“… enabling one of the largest certified communities in the world…” - SmartCard Central

ITU E-Security – Solutions & Services

Operational Certification Authority for DCs

Generic Cost-effective and Scalable Platform

Strong Security - PSE (tokens, smart cards)

Services and Solutions for Various Sectors

PKI-enabled Applications for Various Sectors

Using tokens to secure B2B e-marketplace

Signing and encrypting Email

Securing Access to E-Mail using PSE

World e-Trust MoU – the way forward

Objective: Technology neutral and technology independent framework for contributions towards a beneficial, non-exclusive, cost-effective and global deployment of secure e-transaction infrastructures, applications and services in DCs and LDCs worldwide.

Framework: Self regulatory, self funding consisting of a Depository, a Steering Committee and Working Groups to undertake project activities.

Signatories: ITU Member States, Sector Members, public or private sector willing to contribute to one or more activities to be undertaken within an established Working Group.

Entry in Force: Signature of ITU, at least 5 Contributing entities and at least 10 Member States.

With more than 100 DCs and LDCs interested in E-Services infrastructure, how do we proceed?