jeen de swart · 2017. 10. 25. · c e rtific a tio n a u th o rity csca document signing ca...
TRANSCRIPT
Date 2
Jeen de Swart Senior Information / Security Architect
A National Public Key Directory The Dutch Solution
ICAO TRIP: Making Air Travel more Secure and Efficient
TOWARD BETTER TRAVELLER IDENTIFICATION MANAGEMENT
FOR ENHANCED BORDER CONTROL INTEGRITY
3
ICAO TRIP: Building Trust in Travel Document Security
The Dutch
National
Public Key Directory
NL-NPKD
LDAP
LDAP LDAP
The Dutch
National
Single Point of Contact
NL-NSPOC
WSDL
The Dutch
National
Terminal Control Center
NL-TCC
WSDL
The Dutch
National
Terminal Control Center
NL-TCC
WSDL
Country SigningCertification
Authority
CSCA
Document SigningCA Certificate X509 Cds- issuer CSCA- DSCA Public Key
KPuds
RSA 2048 PKCS#15DocSigner (DS)
EF.SOD
Country SigningCA Certificate X509 Ccsca- self signed- CSCA Public Key
KPucsca
HSM
PKIDocument Signer
DS
HSM
eMRTD, CSCA PKI chain
eMRTD Passive Authentication
So the digital
signature must
be checked ?
The Dutch
National
Public Key Directory
NL-NPKD
LDAP
The Dutch
National
Single Point of Contact
NL-NSPOC
WSDL
The Dutch
National
Single Point of Contact
NL-NSPOC
WSDL
The Dutch
National
Single Point of Contact
NL-NSPOC
WSDL
The Dutch
Document Verifying
Certification Authority
NL-DVCA
HSM
TCCISMC
IS
Terminal A Terminal B Terminal C
HSM
VENDOR TCC/IS TERMINALS
TCC/IS
Terminal A Terminal B Terminal C
HSM
NL-NPKD
webservice
LDAP
gui
NL-NSPOC
webservice
NL-TCC
webservice
NL-IS1
HSM
NL-IS2
HSM
LB1 LB2
NL-ISMC
webservice webservice
webservice
EFSOD
webservice
NL-IS1
HSM
NL-IS2
HSM
LB1 LB2
NL-ISMC
webservice webservice
webservice
EFSOD
webservice
xxx
NL-EFSOD
webservice
ROOT CA
CONNECT-CA
CA for TLS connections between admin-systems and PKI-EAC systems
AdminCA
CA for TLS connections between EAC-PKI systems
TlsCA
CA for TLS connections between ISMC and IS-systems
AdminMCCA
CA for TLS connections between IS-systems and terminal-readers
TerminalTLSCA
ROOT CA
CONNECT-CA
CA for TLS connections between admin-systems and PKI-EAC systems
AdminCA
CA for TLS connections between EAC-PKI systems
TlsCA
NSPOC
NPKD
ISMC
CA for TLS connections between ISMC and IS-systems
AdminMCCA
ISMC
ISxx
ISxxISxx
CA for TLS connections between IS-systems and terminal-readers
TerminalTLSCA
Terminal-xx
Terminal-xx
Terminal-xx
Terminal-xx
InternetJustitieNet
SERVICES
ROOTPROD ACPTMGMT
DMZI
WRKS
NPKD-Extern
CONNECT-CA
MONITORING
PA SecretaryArchitect
AuditorSecurity OfficerNPKD Responsible CONNECTCA Responsible NSPOC Responsible EAC-PKI Responsible
NSPOC Responsible
Government / MinistriesGovernment / Ministries
Policy AuthorityGovernance
SETUP AND COSTS
• Tender • Self made • Combination
In any case you need: • An architecture • Project plan • Knowledge • Organization • Trained personal • … Costs are hard to predict. Timeline at least a year.
WHITE PAPER: A NATIONAL PUBLIC KEY DIRECTORY TRIP Magazine: THE DUTCH VERIFICATION SOLUTION
16
ICAO TRIP: Building Trust in Travel Document Security