e-signature & pkinfrastructure · e-signature & pkinfrastructure ... alg 8-9 dec. 2009. ksa...
TRANSCRIPT
KSA 15-16 Dec 2009
EGYPT-MCIT ITIDA
Egypt’s
E-Signature & PKInfrastructure
Seminar on Electronic Signature Algeria 8-9 Dec. 2009
By: Hisham Mohamed Abdel Wahab
Head of the E-Signature CA Licensing
ITIDA- MCIT – EGYPT
Email: [email protected]
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Agenda
Egypt’s PKI Model
Operational requirements for CSPs in Egypt
Applying ISO 27001 as Main CSP requirements
CSPs Auditing Procedures
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Background : ITIDA
Established in 2004 by law 15, financially supported by IT co’s.
E-Signature regulator, promoter, and root CA.
IPR protector for software and databases (Copy Right Office).
Empowers IT companies.
Recognizes best practices in E-Content development.
Launches E-business initiatives, especially for SMEs
Supports R&D.
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Background : E-Signature mile stones
E-Signature Law issued 2004.
Executive directives of the law issued in 2005.
4 CSP (e-signature certificate service providers) are licensed by ITIDA in
2006
Therefore the Root CA & Gov CA tendered in 2006
Root CA started work in Sep 2009
1st CSP got the official permission to work from ITIDA in Oct.
2009
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Background: Getting the experience
Germany
Ireland
Singapore
South Korea
Malaysia
Hong Kong
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt…….(1/2)
ITIDALicensing Root CA
CSP CSP CSP CSPGOV.
CA
Gov. employeesPublic Use
For Internal use onlyFor public & interaction gov
applicationsALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Regulating E-Signature
Request for digital certificates
Digital Certificates
Information Technology Industry Development Agency
(E-Signature regulator)
Client OrganizationsCertificate AuthoritiesCSP
PKI Model in Egypt…….(2/2)
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt: Licensing
section....(1/2)
Managing the application process for CSPs in Egypt.
Implement the criteria for licensing CSPs.
Auditing the licensed CSPs.
Tracking the Technology to guarantee having the most secure e-signature technology.
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt: Licensing Section
.....(2/2)
Licensing AuditingCustomer
servicesAwareness
ALG 8-9 Dec. 2009
Licensing
Requirements
KSA 15-16 Dec 2009
PKI Model in Egypt : Root
CA....(1/2)
Operates a Root-CA according to the highest security standards.
Offers a continuous 24hx7d operation
Personalizes the CA-and other service-chip cards for other CSPs,
Operates an electronic directory service that includes the certificates of all licensed CSPs.
Achieves the interoperability among CSPs and other countries.
Handling the CRLs and E-Signature data of clients in case of licensed CSPs failure
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : Root CA....(2/2)
How works?
Root CA
Root CA
Certificate Info
Root Signature
Sub CA
Root Signature
Subordinate CA
Certificate Info
Root CA's Private Key
Root CA's Private Key
Subordinate CA's Private Key
SubCA's Signature
Subscriber
Certificate Info
Subscriber's
Signature
Text
DocumentSubscriber's Private Key
Self Signed
ALG 8-9 Dec. 2009
KSA 15-16 Dec 200912
PKI Model in Egypt : Licensed Public CSPs (4)
Must be under the Root CA.
Provide Gov. and public certificate services, including SSCD.
Working as RAs (Registration Authorities).
Must full fill with ITIDA requirements.
Use the most recognized world wide standards for PKI (2048/4096 Keys-RSA…etc).
ALG 8-9 Dec. 2009
KSA 15-16 Dec 200913
PKI Model in Egypt : Licensed Gov CA (1 CA)
Issue certificates to Gov. employees only for internal gov use only & SSCD.
Provide Gov. certificate services.
Under ITIDA Root CA.
Working as RAs (Registration Authorities) for Gov. employees.
Must full fill ITIDA requirements.
Use Specific type of encryption standards.
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : Strategic
Decisions.......(1/5)
The E-Signature Definition in Egyptian market.
1- Only one type of e-signature is considered in front of court
2- Another types, transactions and e-documents are considered just e-document or e-writing
3- Using third level smart card / token as SSCD is must .
4- Physical identification is must.
Why??
Avoid conflict, because if one type of e-signature is compromised then the market will think that strong types are compromised too!
Strengthen the working environment
ALG 8-9 Dec. 2009
Syria 1-2 July 2008
IS E-Signature
Signer Private Key
Signer Public Key
Digital Certificate
PKI Model in Egypt : Strategic
Decisions.......(1/5)
+Pin Code +Secure pin entryALG 8-9 Dec. 2009
Syria 1-2 July 2008
Security evaluation ITSEC E4 Or NIST FIPS PUB
140-1 Level 2 or higher
X.509v3 certificates ISO 7816
Cryptographic algorithms must include RSA, SHA-1
Microsoft PC/SC Recommended: CAPI – Microsoft
Cryptographic
Recommended : PKCS #11 (interface) Recommended : PKCS #15 (syntax
standard)
Smart Cards are able to store private e-signature keys for a card holder without delivering the key
to the outside world. Therefore the calculation of the signature algorithm as well as its storage is performed
in a highly secure environment inside a smart card. Thus, it is required to have smart
cards (Reader / Readerless / contactless) which use the most advanced security standard available in the market.
-Secure PIN code entry
-Complete separation between E-Signature application and any other applications.
PKI Model in Egypt : Strategic
Decisions.......(1/5)
Signature specification-E
KSA 15-16 DecALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : Strategic
Decisions.......(2/5)
Gov CA will use its own encryption technique and provide only services for use in internal gov transactions
1- Executive directive mentioned that gov CA could use it own encryption .
2- The services provided by gov CA for use only in internal gov transaction
3- If end user needs e-signature service to be used between gov and private then he must get it from Public CSP
4- Physical identification is must.
Why??
To secure the sensitive transactions .
To encourage the private investment according to the national strategy.
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : Strategic
Decisions.......(3/5)
ITIDA will run the Root CA
1- ITIDA will be the only body who is running Root CA for PKI in Egypt.
2- The main and backup site of Root CA is responsibility of ITIDA
3- The Root CA will be audited internally by ITIDA auditors , externally by ISO 27001 auditors , and other gov entities
Why??
Ensure interoperable environment
“trust” originate from a common Root CA (strict hierarchy model)
A subordinate CA will have one superior, and only one
Strict hierarchies are appropriate for many enterprises, especially where policy controls are to be enforced in a “top-down” fashion.
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : Strategic
Decisions.......(4/5)
Facilitating the financial requirements for licensing
1- The Licensee will pay only 0.5 M EGP instead of 1.5 M EGP.
2- 20000 EGP as auditing expenses will be paid after 2 years of operation.
3- The payments will be annually instead of quarterly .
4- 3% of the revenue will be paid at the end of 2nd year instead of 1st year.
Why??
Based on companies suggestions and market studies
To encourage this new industry
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : Strategic
Decisions.......(5/5)
Leaving the pricing model to the market forces
1- Licensed companies are free to put the price model according to their business model.
2- ITIDA must approve the price list or any modifications prior to publish.
3- ITIDA is responsible for control the pricing competition.
Why??
Based on most companies suggestions.
Comply with the current Egyptian market.
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : E-Signature,
when comes to apply !.....(1/4)
Applying for the service
1- Physical Identification (applicant must show himself up).
2- Delivering the service : Token/smart card – CD - installed keys plus certificate.
3- Help desk and customer support (CSP – ITIDA).
4- Providing applications (compatible with ITIDA & CSP requirements).
5- Using the e-signature with applications provided by Gov or CSPs or compatible applications provided by another vendors.
6- Renewing / Update the service, or Change the provider / Terminating the service .
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : E-Signature,
When comes to apply!......(2/4)
Auditing the service
1- Surveillance and licensing audit by ITIDA.
2-Regular audit by ITIDA.
3- Receiving the complaints and providing support in case of disputes .
4-Setting up the compliance conditions (applications & operational).
5- Renewing / Extending / terminating the license.
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : E-Signature,
when comes to apply.......(3/4)
Proposed Market Applications
1- E-Government (All applications who needs physical existence of the users).
2- E-Tax
3- E-Money (money orders will be collected electronically).
4- E-Banking applications.
5- Stock market .
6- Mobile applications.
7-E-Commerce/Payment.
8- E-education.
9- E-Civil applications.
10- E-Archiving (time stamp is must).
11-E-Contracting .
12-Installed on National ID.
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : E-Signature,
when comes to apply.......(4/4)
Type of certificates Provided by the CSP
- E-Signature Certificates (Regulated) for persons and organizations.
-SSL .
-Code signing certificates.
ALG 8-9 Dec. 2009
Syria 1-2 July 2008
Signature Certificate Service Providers-For E Current Situation
KSA 15-16 Dec 2009ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PKI Model in Egypt : Current
Status....(1/2)
4 Licensed companies as CSP (E-Signature Certificates Service Provider).
1 Company finished its infrastructure and is audited , started work in Egyptian market in 1 Oct. 2009 (more than 2000 hours auditing time, team of 13 experts)
The Root CA is established in Sep. 2009
The Ministry of finance got the license to provide E-Signature Service to gov. employees for internal transactions only.
ALG 8-9 Dec. 2009
Syria 1-2 July 2008
1-ACT http://www.act-eg.com/
2-MCDR http://www.mcdr.com.eg/
3-EgyptTrust http://www.egypttrust.com/
http://www.snsegypt.com/SNS -4
KSA 15-16 Dec 2009
PKI Model in Egypt : Current
Status....(2/2)
Licensed Companies + GOV CA4
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Agenda
Egypt’s PKI Model
Licensing requirements for CSPs in Egypt
Applying ISO 27001 as Main CSP requirements
CSPs Auditing Procedures
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Licensing Requirements: .....(1)
The detailed requirements are listed in License Form at:
www.e-signature.gov.eg/materials/License-July-2006.doc
(Arabic Language )
- More than 60 Page.
- More than 250 item to be satisfied before getting the license
- Categorized to financial , operational, technical and administrative.
- References: The Law 15, Its Directive, NTRA license, ETSI TS 101 456
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Licensing Requirements: .....(2)
License Sections
LegalOperational TechnicalFinancial
ALG 8-9 Dec. 2009
KSA 15-16 Dec 200931
Insurance of $ 1.5 Million
Licensing fee $ 85,000 for 5 years
Insurance per certificate $ 200
3% of revenue of licensed services
Financial Requirements
Licensing Requirements: .....(3)
ALG 8-9 Dec. 2009
KSA 15-16 Dec 200932
Complete PKI infrastructure.
Disaster Recovery site.
ISO 27001 for Info. Security.
PKIX (PKI Based on X.509).
Encryption Keys with length 1024-2048.
Using Smart Cards as E-Signature creation device (SSCD).
Technical Requirements
Licensing Requirements: .....(4)
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Licensing Requirements: .....(5)
www.e-signature.gov.eg/materials/License-July-2006.doc
(Arabic Language )
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Agenda
Egypt’s PKI Model
Operational requirements for CSPs in Egypt
Applying ISO 27001 as Main CSP requirements
CSPs Auditing Procedures
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
, which, like other assetInformation is an
to an valueimportant business assets, has
organization and consequently needs to be
. Information security protectedsuitably
protects information from a wide range of
business continuity, in order to ensure threats
minimize business damage and maximize return
.”on investments and business opportunities
Quote ISO/IEC 17799-2000(E)
Main Requirement ISO27001:
Information is an asset....(1/2)
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Printed
Written
Fax
Microfilm
Spoken
Transmitted
Stored on Computers
Data
Main Requirement ISO27001:
Information is an asset.....(2/2)
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
PROTECTION OF INFORMATION FOR:
CONFIDENTIALITY
Protecting sensitive information from unauthorised disclosure or intelligible interception
INTEGRITY
Safeguarding the accuracy and completeness of information and computer software
AVAILABILITY
Ensuring that information and vital services are available to users when required
Main Requirement ISO27001:
will satisfy...
ALG 8-9 Dec. 2009
MISUSE OF DATA
SABOTAGEتخريب
FRAUDخداع
VANDALISMتدمير
ESPIONAGEتجسس
NATURAL
DISASTER
ERRORخطأ
Main Requirement ISO27001:
Importance for PKI .....(1/2)
ALG 8-9 Dec. 2009
ISO27001 is providing complete security management system. Through:-
Logical security
Application security
Physical & environmental security
Network Security
Personal Security.
Need for dual control through third party audit.
ISO2001 is complete ISMS, merges between business and technology .
ISO27001 needs continual improvements.
Main Requirement ISO27001:
Importance for PKI .....(2/2)
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Accreditation & Certification
•Everything you wanted to know about accreditation….(in 30 seconds)
Company Company 2 Company 3
European
Certification Body
Certified by a
Certification Body
National
Accreditation
Board
Accredited by a State
Organisation
EA – European
Accreditation
Forum
Wishes to be certified
to national or
international
standards
Conformance at a
European Level
ISO 27001
EA 7/02
ISO Guide 66
EA 45012
National
Accreditation
Board
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
The Certification Process
ISMS Standard27001 Certification to ISO ®
Ph
ase
1 :
Pre
-Au
dit
Stu
dy
Information
Security
Management
System
Ph
ase
2 :
On
Sit
e A
ud
it
Cer
tifi
ed I
nfo
rma
tion
Sec
uri
ty
Ma
na
gem
ent
Sy
stem
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Agenda
Egypt’s PKI Model
Operational requirements for CSPs in Egypt
Applying ISO 27001 as Main CSP requirements
CSPs Auditing Process
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
CSPs Auditing Process
Initiating (planning ) the audit
Conducting Documentation
review
Preparing for Audit activities
Conducting audit activities
Preparing , approving &
distributing the audit report
Conducting audit follow up
Preparation
phase
Post Audit
Phase
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
CSPs Auditing Process
Initiating (planning ) the audit
Conducting Documentation
review
Preparing for Audit activities
Conducting audit activities
Preparing , approving &
distributing the audit report
Conducting audit follow up
Scope , Objective , Criteria
Determine feasibility & select audit team
Write an audit plan
Contact the auditee
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
CSPs Auditing Process
Initiating (planning ) the audit
Conducting Documentation
review
Preparing for Audit activities
Conducting audit activities
Preparing , approving &
distributing the audit report
Conducting audit follow up
Request relevant documents
Review prior to arriving on-site
Review the previous audit report if any
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
CSPs Auditing Process
Initiating (planning ) the audit
Conducting Documentation
review
Preparing for Audit activities
Conducting audit activities
Preparing , approving &
distributing the audit report
Conducting audit follow up
Finalize audit plan
Prepare work documents
Assign audit team
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009ALG 8-9 Dec. 2009
CSPs Auditing Process
Initiating (planning ) the audit
Conducting Documentation
review
Preparing for Audit activities
Conducting audit activities
Preparing , approving &
distributing the audit report
Conducting audit follow up
Opening Meeting
Communication during the audit
Collecting objective evidences
Closing meeting
KSA 15-16 Dec 2009
CSPs Auditing Process
Initiating (planning ) the audit
Conducting Documentation
review
Preparing for Audit activities
Conducting audit activities
Preparing , approving &
distributing the audit report
Conducting audit follow upDistribute it to the appropriate persons
Mention positive & negatives
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
CSPs Auditing Process
Initiating (planning ) the audit
Conducting Documentation
review
Preparing for Audit activities
Conducting audit activities
Preparing , approving &
distributing the audit report
Conducting audit follow up
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
Thank you
very much
www.itida.gov.eg
ALG 8-9 Dec. 2009
KSA 15-16 Dec 2009
55
Cyberlaws & ICT-related Laws & Regulations
A comprehensive IPR Law (Law No. 82/2002)
A comprehensive Communications Act (Law No. 10/2003)
An E-Signature law ( Law No. 15/2004)
Children Protection Law (2008)
Drafts: A Data Protection, Privacy, and Cyber Security law
A Cyber Crime law
Access to Information Law
ALG 8-9 Dec. 2009