the hong kong public key infrastruture 2010

The Hong Kong Public Key Infrastruture 2010

- Presentation to Hong Kong Medical Association, June 2010

S.C. LeungCISSP CISA CBCP

The Hong Kong Public Key Infrastructure

About the Speaker

■ S.C. Leung

■ Professional affiliations Secretary of Internet Society Hong Kong

Found Chairperson of Professional Information Security Association

Professional designations: CISSP, CISA and CBCP

■ Work Information Senior Consultant

■ [email protected]

www.facebook.com/scleung.hk


Why Public Key Infrastructure?

■Internet is not a trusted mediumConfidentiality

Data travels in different path so can be intercepted and sniffed

Integrity

Content of data can be modified during transit

Identity of sender or author of data can be spoofed (e.g. phishing, identity theft)

■Public Key Infrastructure (PKI) tries to provide a solution


Before PKI

■Traditional symmetric (private only) key encryptionEncryption and Decryption by the same (symmetric) private key

which is a secret

Share private keys before transaction not scalable


Basics of PKI

■ Asymmetric Public Key EncryptionPublic / Private Key Pair

Public key is made available to everyone

Private key is secured by owner

Sender encrypts data using recipient’s public key

Recipient decrypts data using own private key


Chain of Trust and CA Management

■Root Certificate Authority and Chain of TrustTrust is given to a small number of Root CA Certificates

Inherit Trust from the Root CA Certificates to Intermediate CA Certificate, etc. Chain of Trust

CAs have obligation to verify server/client authenticity (manual procedure) before issuing the digital certificates

Root CA has to maintain a physically and logically secure repository for the digital certificate


Certificate Policy Statement

■Certificate Policy Statement


Chain of Trust

■ Untrusted root certificate

Root CA certServer Cert

Root CA certIntermediate CA certServer Cert

Example: a public certificate of an online banking web site


Root Certificates Stores

Ultimate Trust goes to Root Certificates in the Certificate Store

Microsoft Windows has HongKong Post root certificates installed (2004 onwards) IE, some Window based

browsers (such as Safari, Chrome) and email clients use this certificate store

Linux has its own crypto store

MacOS keychain


Root Certificate Store

■ Firefox has own certificate store with HongKong Post root cert. loaded by default

■ Opera don’t have HongKong Post root cert. by default


Browser settings for SSL digital certificate

■ In IE browser, choose Internet Options | Advanced

CRLCRL

Use of PKI


Use of PKI : User Authentication

■ Computer Login

■ Critical System login

■Remote Access / VPN AuthenticationNo removable media

policy

Image source www.pisa.org.hk

Image source www.apple.com


Use of PKI : Two-Factor Authentication

■Using Client Certificates for online transaction, or access to critical systemsClient certificate in addition to PIN

Client certificate can be held in Smart ID Card, iKey USB token, etc.


Use of PKI : Traffic Encryption and Authentication

■Web site using Server Certificate (SSL) onlyServer authentication (yellow padlock in IE)

Traffic (data in transit) encryption

■Email Messaging SystemEncrypt Email Message Transport

Authenticate email sender

■ Server to Server connectionCritical private systems


Use of PKI

■ File / Folder EncryptionUseful for removable disk storage encryption

■ Files / Record SigningExamination report, patient report signing

Validate if signed file (e.g. security patch or virus definition update file) is original and untampered

Image source www.pisa.org.hk

Management of Certificates


Scope of Use of Certificate

■Trust CAEncipherment (Encryption)

Digital Signature

Trust the CA to identify a web site

Trust the CA to identify an email user

Trust the CA to identify a software developer


Validity of Certificate

■ Valid Date ■ Expired Certificate


Revocation of Certificate

■ Certificate Revocation List ■ Revoked certificate

Legal Framework for PKI


Legal Foundation of Hong Kong PKI

■Electronic Transactions Ordinance (Cap. 553)Enacted in 2000

Modelled under UN Commission on International Trade (UNCITRAL) Model Law on Electronic Commerce

Major ContentProvides a legal framework for the conduct of electronic transactionsEstablish e-records and digital signature to enjoy same legal status as

paper counterpart (i.e. non-repudiation) Digital signature used for G2G and G2B

Establish a voluntary recognition scheme for Certificate Authorities, empower the Government Chief Information Office (“GCIO”) to grant recognition to CAs and digital certificates


ETO 2004 update

■Facilitate e-transactions not involving government bodyB2B transactions under contract: any form of electronic signatures,

provided it is reliable and appropriate

Common Law approach: a matter to be determined by parties to the contract technology neutral

Electronic signatureany letters, characters, numbers or other symbols in digital form attached to

or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record. Digital signature is one form of electronic signature. PIN is another. *But biometrics was not included


GCIOGCIO

Recognized CAs in Hong Kong

Digi-Sign ID-Cert Digi-Sign ID-Cert

Electronic Transactions OrdinanceElectronic Transactions Ordinance

Voluntary Recognition SchemeVoluntary Recognition Scheme

■ Code of Practice for Recognized CAs Publish Certification Practice Statement (CPS) Issue and revoke certificates Publish certificates issued and the certificate revocation list (CRL) Annual Assessment Report (on trustworthiness) by independent

party. Operation Report by officer of CA.


CAs

■Hongkong Post was appointed the HKSAR CA in 1999Operation outsourced to E-Mice Apr-2007 to Mar 2012

Types of e-Certs

Issues recognized “e-Cert” for personal and organizational uses

■Digi-Sign Certification Service LimitedPreviously under Tradelink

Issues recognized “ID-Certs” for personal and organizational use

Act as gateway between Govt and Trade Community


e-Cert Applications

Online Banking

Online Betting

E-Government

Online Shopping

Online Securities Trading


Government Online Services (through GovHK) using digital signatures


Cross-border Recognition

■ Certificates recognized by ETO of Hong Kong may not be recognized by other jurisdiction, and vice versa

■ Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong

promote investment facilitation

enhance the security of e-transactions

2008 Working Group

2010-Apr Pilot Project started. Recognized CAs in both places and their partners can submit applications

CA CA

reverse cross-cert.

forward cross-cert.

local remote

Useful References


Useful Further References

■ The Electronic Transactions Ordinance, HKSARG, 2004 http://www.ogcio.gov.hk/eng/eto/eeto.htm

■ Use of Public Key Technology, Johnson & Johnson, 2004 http://www.dartmouth.edu/~deploypki/summit04/presentations/

JNJ_case_study.ppt

■ “Japan Medical and Healthcare Network” in Asia PKI Application Casebook Nov 2005, BAWG, Asia PKI Forum

http://www.japanpkiforum.jp/shiryou/APKI-F/PKI_App_CaseBook_1st.pdf

■ Case Study: Denmark’s Achievement with Healthcare Information Exchange

http://www-03.ibm.com/industries/ca/en/healthcare/files/gartner-case_study-denmarks_achievementswHIE.pdf

Point of Contact

Name: SC Leung

Email : sc@itvoice,hk

FB : scleung.hk