
KSA 15-16 Dec 2009

EGYPT-MCIT ITIDA

Egypt’s

E-Signature & PKInfrastructure

Seminar on Electronic Signature Algeria 8-9 Dec. 2009

By: Hisham Mohamed Abdel Wahab

Head of the E-Signature CA Licensing

ITIDA- MCIT – EGYPT

Email: [email protected]

ALG 8-9 Dec. 2009


Agenda

Egypt’s PKI Model

Operational requirements for CSPs in Egypt

Applying ISO 27001 as Main CSP requirements

CSPs Auditing Procedures


Background : ITIDA

Established in 2004 by Law 15; financially supported by IT companies.

E-Signature regulator, promoter, and root CA.

IPR protector for software and databases (Copy Right Office).

Empowers IT companies.

Recognizes best practices in E-Content development.

Launches E-business initiatives, especially for SMEs

Supports R&D.


Background : E-Signature milestones

E-Signature Law issued in 2004.

Executive directives of the law issued in 2005.

4 CSPs (e-signature certificate service providers) were licensed by ITIDA in 2006.

Therefore, the Root CA & Gov CA were tendered in 2006.

Root CA started work in Sep 2009.

1st CSP got the official permission to work from ITIDA in Oct. 2009.


Background: Getting the experience

Germany

Ireland

Singapore

South Korea

Malaysia

Hong Kong


PKI Model in Egypt…….(1/2)

ITIDA (Licensing) operates the Root CA.

Under the Root CA: CSP, CSP, CSP, CSP (public use: for the public & interaction with gov applications).

Under the Root CA: Gov. CA (Gov. employees: for internal use only).

PKI Model in Egypt…….(2/2)

Regulating E-Signature

Information Technology Industry Development Agency (E-Signature regulator) regulates the Certificate Authorities (CSPs).

Client organizations send requests for digital certificates to the CSPs; the CSPs issue the digital certificates.


PKI Model in Egypt: Licensing section....(1/2)

Managing the application process for CSPs in Egypt.

Implementing the criteria for licensing CSPs.

Auditing the licensed CSPs.

Tracking the technology to guarantee having the most secure e-signature technology.


PKI Model in Egypt: Licensing Section.....(2/2)

Licensing Section functions: Licensing (Licensing Requirements), Auditing, Customer services, Awareness


PKI Model in Egypt : Root CA....(1/2)

Operates a Root-CA according to the highest security standards.

Offers continuous 24h x 7d operation.

Personalizes the CA and other service chip cards for other CSPs.

Operates an electronic directory service that includes the certificates of all licensed CSPs.

Achieves interoperability among CSPs and with other countries.

Handles the CRLs and e-signature data of clients in case of a licensed CSP's failure.


PKI Model in Egypt : Root CA....(2/2)

How it works: a chain of signatures

Root CA: certificate info + Root signature. Self-signed with the Root CA's private key.

Subordinate CA: certificate info + Root signature. Signed with the Root CA's private key.

Subscriber: certificate info + SubCA's signature. Signed with the Subordinate CA's private key.

Document: text + Subscriber's signature. Signed with the Subscriber's private key.
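The chain on this slide, as an added example using Go's standard crypto/x509 (this is not code from the presentation, ITIDA or any licensed CSP): the root signs itself, the root's key signs the subordinate CA, the sub CA's key signs the subscriber, and a relying party that trusts only the root accepts that subscriber while rejecting one issued under a different root. The CA names, serials and validity periods are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a minimal X.509v3 body; CNs, serials and validity are constructed for this example, not ITIDA's real values.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	usage := x509.KeyUsageDigitalSignature // a subscriber key signs documents only
	if isCA {
		usage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign // a CA key signs certs and CRLs
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: usage,
	}
}

// issue signs tmpl (public key pub) with signerKey; parent == tmpl with the subject's own key gives the self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signerKey *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert
}

// BuildHierarchy mirrors the slide: Root CA (self-signed with the root's own key) ->
// Subordinate CA (signed with the root's key) -> Subscriber (signed with the sub CA's key).
func BuildHierarchy() (root, sub, leaf *x509.Certificate) {
	newKey := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()
	rootT := template("Example Root CA", 1, true)
	root = issue(rootT, rootT, &rootKey.PublicKey, rootKey)
	sub = issue(template("Example Sub CA", 2, true), root, &subKey.PublicKey, rootKey)
	leaf = issue(template("Example Subscriber", 3, false), sub, &leafKey.PublicKey, subKey)
	return root, sub, leaf
}

// ChainsTo reports whether leaf validates up to anchor through sub. A relying party that
// trusts only the national root must reject a subscriber issued under any other root.
func ChainsTo(anchor, sub, leaf *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(anchor)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}
```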


PKI Model in Egypt : Licensed Public CSPs (4)

Must be under the Root CA.

Provide Gov. and public certificate services, including SSCD.

Working as RAs (Registration Authorities).

Must fulfil ITIDA requirements.

Use the most recognized worldwide standards for PKI (2048/4096-bit RSA keys, etc.).


PKI Model in Egypt : Licensed Gov CA (1 CA)

Issues certificates to Gov. employees, for internal gov use only, with SSCD.

Provide Gov. certificate services.

Under ITIDA Root CA.

Working as RAs (Registration Authorities) for Gov. employees.

Must fulfil ITIDA requirements.

Uses a specific type of encryption standards.


PKI Model in Egypt : Strategic Decisions.......(1/5)

The E-Signature definition in the Egyptian market.

1- Only one type of e-signature is considered in front of a court.

2- Other types of transactions and e-documents are considered just e-documents or e-writing.

3- Using a third-level smart card / token as SSCD is a must.

4- Physical identification is a must.

Why??

To avoid conflict, because if one type of e-signature is compromised then the market will think that the strong types are compromised too!

To strengthen the working environment.


PKI Model in Egypt : Strategic Decisions.......(1/5)

An E-Signature is:

Signer Private Key (+ PIN code + secure PIN entry)

Signer Public Key

Digital Certificate

E-Signature specification

Security evaluation: ITSEC E4 or NIST FIPS PUB 140-1 Level 2 or higher

X.509v3 certificates; ISO 7816

Cryptographic algorithms must include RSA, SHA-1

Microsoft PC/SC; Recommended: CAPI (Microsoft Cryptographic API)

Recommended: PKCS #11 (interface); Recommended: PKCS #15 (syntax standard)

Smart cards are able to store private e-signature keys for a card holder without delivering the key to the outside world. Therefore the calculation of the signature algorithm as well as its storage is performed in a highly secure environment inside a smart card. Thus, it is required to have smart cards (Reader / Readerless / contactless) which use the most advanced security standard available in the market.

- Secure PIN code entry

- Complete separation between the E-Signature application and any other applications.


PKI Model in Egypt : Strategic Decisions.......(2/5)

The Gov CA will use its own encryption technique and provide services only for use in internal gov transactions.

1- The executive directive mentioned that the gov CA could use its own encryption.

2- The services provided by the gov CA are for use only in internal gov transactions.

3- If an end user needs an e-signature service to be used between gov and private parties, then he must get it from a public CSP.

4- Physical identification is a must.

Why??

To secure the sensitive transactions.

To encourage private investment according to the national strategy.


PKI Model in Egypt : Strategic Decisions.......(3/5)

ITIDA will run the Root CA

1- ITIDA will be the only body running the Root CA for PKI in Egypt.

2- The main and backup sites of the Root CA are the responsibility of ITIDA.

3- The Root CA will be audited internally by ITIDA auditors, externally by ISO 27001 auditors, and by other gov entities.

Why??

To ensure an interoperable environment.

“Trust” originates from a common Root CA (strict hierarchy model).

A subordinate CA will have one superior, and only one.

Strict hierarchies are appropriate for many enterprises, especially where policy controls are to be enforced in a “top-down” fashion.


PKI Model in Egypt : Strategic Decisions.......(4/5)

Facilitating the financial requirements for licensing

1- The licensee will pay only 0.5 M EGP instead of 1.5 M EGP.

2- 20,000 EGP as auditing expenses will be paid after 2 years of operation.

3- The payments will be annual instead of quarterly.

4- 3% of the revenue will be paid at the end of the 2nd year instead of the 1st year.

Why??

Based on companies' suggestions and market studies.

To encourage this new industry.


PKI Model in Egypt : Strategic Decisions.......(5/5)

Leaving the pricing model to the market forces

1- Licensed companies are free to set the price model according to their business model.

2- ITIDA must approve the price list or any modifications prior to publication.

3- ITIDA is responsible for controlling the pricing competition.

Why??

Based on most companies' suggestions.

To comply with the current Egyptian market.


PKI Model in Egypt : E-Signature, when it comes to applying!.....(1/4)

Applying for the service

1- Physical identification (the applicant must show up in person).

2- Delivering the service: token/smart card – CD – installed keys plus certificate.

3- Help desk and customer support (CSP – ITIDA).

4- Providing applications (compatible with ITIDA & CSP requirements).

5- Using the e-signature with applications provided by Gov or CSPs, or compatible applications provided by other vendors.

6- Renewing / updating the service, changing the provider, or terminating the service.


PKI Model in Egypt : E-Signature, when it comes to applying!......(2/4)

Auditing the service

1- Surveillance and licensing audit by ITIDA.

2- Regular audit by ITIDA.

3- Receiving complaints and providing support in case of disputes.

4- Setting up the compliance conditions (applications & operational).

5- Renewing / extending / terminating the license.


PKI Model in Egypt : E-Signature, when it comes to applying.......(3/4)

Proposed Market Applications

1- E-Government (all applications that need the physical presence of the users).

2- E-Tax.

3- E-Money (money orders will be collected electronically).

4- E-Banking applications.

5- Stock market.

6- Mobile applications.

7- E-Commerce/Payment.

8- E-Education.

9- E-Civil applications.

10- E-Archiving (a time stamp is a must).

11- E-Contracting.

12- Installed on the National ID.


PKI Model in Egypt : E-Signature, when it comes to applying.......(4/4)

Types of certificates provided by the CSP

- E-Signature certificates (regulated) for persons and organizations.

- SSL.

- Code signing certificates.


E-Signature Certificate Service Providers: Current Situation


PKI Model in Egypt : Current Status....(1/2)

4 licensed companies as CSPs (E-Signature Certificate Service Providers).

1 company finished its infrastructure, was audited, and started work in the Egyptian market on 1 Oct. 2009 (more than 2000 hours of auditing time, a team of 13 experts).

The Root CA was established in Sep. 2009.

The Ministry of Finance got the license to provide E-Signature services to gov. employees for internal transactions only.


PKI Model in Egypt : Current Status....(2/2)

4 Licensed Companies + GOV CA

1- ACT http://www.act-eg.com/

2- MCDR http://www.mcdr.com.eg/

3- EgyptTrust http://www.egypttrust.com/

4- SNS http://www.snsegypt.com/


Agenda

Egypt’s PKI Model

Licensing requirements for CSPs in Egypt

Applying ISO 27001 as Main CSP requirements

CSPs Auditing Procedures


Licensing Requirements: .....(1)

The detailed requirements are listed in the License Form at:

www.e-signature.gov.eg/materials/License-July-2006.doc

(Arabic language)

- More than 60 pages.

- More than 250 items to be satisfied before getting the license.

- Categorized into financial, operational, technical and administrative.

- References: Law 15, its directive, the NTRA license, ETSI TS 101 456.


Licensing Requirements: .....(2)

License Sections: Legal, Operational, Technical, Financial


Licensing Requirements: .....(3)

Financial Requirements

Insurance of $ 1.5 Million

Licensing fee $ 85,000 for 5 years

Insurance per certificate $ 200

3% of revenue of licensed services


Licensing Requirements: .....(4)

Technical Requirements

Complete PKI infrastructure.

Disaster Recovery site.

ISO 27001 for Info. Security.

PKIX (PKI based on X.509).

Encryption keys with length 1024-2048.

Using Smart Cards as E-Signature creation device (SSCD).


Agenda

Egypt’s PKI Model

Operational requirements for CSPs in Egypt

Applying ISO 27001 as Main CSP requirements

CSPs Auditing Procedures


Why Implement an ISMS System ?


Main Requirement ISO27001: Information is an asset....(1/2)

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities.”

Quote: ISO/IEC 17799:2000(E)


Main Requirement ISO27001: Information is an asset.....(2/2)

Data, in all its forms: Printed, Written, Fax, Microfilm, Email, Spoken, Transmitted, Stored on computers.


Main Requirement ISO27001: will satisfy...

PROTECTION OF INFORMATION FOR:

CONFIDENTIALITY: Protecting sensitive information from unauthorised disclosure or intelligible interception

INTEGRITY: Safeguarding the accuracy and completeness of information and computer software

AVAILABILITY: Ensuring that information and vital services are available to users when required


Main Requirement ISO27001: Importance for PKI .....(1/2)

Threats:

Misuse of data

Sabotage

Fraud

Vandalism

Espionage

Natural disaster

Error


Main Requirement ISO27001: Importance for PKI .....(2/2)

ISO 27001 provides a complete security management system, through:

Logical security

Application security

Physical & environmental security

Network security

Personnel security.

Need for dual control through third-party audit.

ISO 27001 is a complete ISMS; it merges business and technology.

ISO 27001 needs continual improvement.


Accreditation and Certification

for ISO 27001


Accreditation & Certification

Everything you wanted to know about accreditation (in 30 seconds):

Company 1, Company 2, Company 3: wish to be certified to national or international standards.

Certification Body: certifies the companies; it is itself accredited by a state organisation.

National Accreditation Board: the state organisation that accredits certification bodies.

EA – European Accreditation Forum: conformance at a European level (European Certification Body).

Standards referenced at the different levels: ISO 27001, EA 7/02, ISO Guide 66, EA 45012.


The Certification Process

Certification to the ISO 27001 ISMS Standard

Phase 1: Pre-Audit Study, of the Information Security Management System

Phase 2: On-Site Audit, leading to a Certified Information Security Management System


Agenda

Egypt’s PKI Model

Operational requirements for CSPs in Egypt

Applying ISO 27001 as Main CSP requirements

CSPs Auditing Process


CSPs Auditing Process


CSPs Auditing Process

Initiating (planning) the audit

Conducting documentation review

Preparing for audit activities

Conducting audit activities

Preparing, approving & distributing the audit report

Conducting audit follow-up

Phases: Preparation phase; Post Audit phase.


CSPs Auditing Process: Initiating (planning) the audit

Scope, objective, criteria

Determine feasibility & select the audit team

Write an audit plan

Contact the auditee


CSPs Auditing Process: Conducting documentation review

Request relevant documents

Review prior to arriving on-site

Review the previous audit report, if any


CSPs Auditing Process: Preparing for audit activities

Finalize the audit plan

Prepare work documents

Assign the audit team


CSPs Auditing Process: Conducting audit activities

Opening meeting

Communication during the audit

Collecting objective evidence

Closing meeting


CSPs Auditing Process: Preparing, approving & distributing the audit report

Distribute it to the appropriate persons

Mention positives & negatives


CSPs Auditing Process: Conducting audit follow-up


Thank you very much

[email protected]

www.itida.gov.eg


Cyberlaws & ICT-related Laws & Regulations

A comprehensive IPR Law (Law No. 82/2002)

A comprehensive Communications Act (Law No. 10/2003)

An E-Signature law ( Law No. 15/2004)

Children Protection Law (2008)

Drafts: a Data Protection, Privacy, and Cyber Security law; a Cyber Crime law; an Access to Information law
