Post on 15-Jan-2016
transcript
e-Government Security and necessary Infrastructures
Dimitrios Lekkas
Dept. of Systems and Products Design Engineering
University of the Aegean
dlek@aegean.gr
University of the
Aegean
Review
Do we really need security in the networks of Public Sector?
What security requirements do we have? What solutions may we propose to cover
the requirements?
University of the
Aegean
The traditional way of communication
University of the
Aegean
The modern way of communication within the public sector
University of the
Aegean
Possible problems (1)
Confidentiality
University of the
Aegean
Possible problems (2)
Integrity
University of the
Aegean
Possible problems (3)
Availability
University of the
Aegean
Possible problems (4)I did not send it!
I have never received it!
Non-repudiation
University of the
Aegean
Possible problems (5)
Secure Timestamping
University of the
Aegean
Possible problems (6)
Authenticity
University of the
Aegean
We identified the following security requirements:
Confidentiality of the exchanged information Integrity of the exchanged information Availability of information and
communication Non-repudiation of (a) origin and (b) receipt Timestamping of electronic documents Authenticity of transacting parties
University of the
Aegean
Satisfy the requirements
Confidentiality: Public key Cryptography Integrity: Digital signatures Authenticity: Digital certificates and signatures Availability: Lower level protocols, such as IPsec Value-added services: Time-stamping, non-
repudiation of origin and receipt, notary, privilege management
University of the
Aegean
Solutions;
Asymmetric and Symmetric cryptography Public Key Infrastructure Smart cards Relevant Legal framework
University of the
Aegean
Cryptography Symmetric (Traditional) cryptography
– Same key for data encryption/decryption
– Prior key agreement of transacting parties
– Problems: protection of key distribution Symmetric (Public Key) cryptography
– Key pair: One private and one public
– Data encrypted with on key can only be decrypted with the other
– A private key is the property of one only physical entity
– A public key is freely distributed
University of the
Aegean
Items of PKI
University of the
Aegean
Certification Services Provision
Basic services– Registration
– Certificate management
– Cryptographic functions
– Directory Services
– Data repository
Support–Administration–Audit and Control–Logging–User support
University of the
Aegean
Value-added Services
A CSP as Time-Stamping Authority A CSP as Key Distribution Center A CSP as Privilege Management Authority A CSP as Notary A CSP as Evidence Provider
University of the
Aegean
CSP Requirements in e-gov
Reliability demonstration Physical security Publishing of certification policies and practices Risk analysis Protection of Personal Data Long-term repositories of signature verification
data Insurance ? ISO 9000 certification ?
University of the
Aegean
Digital Signature Definition
– A Digital Signature is data attached or co-related to an electronic document, that are used to verify its authenticity.
Characteristics– It is uniquely related to the signer– Provides a means to identify the signer– It is created by means under the absolute
control of the signer– It is uniquely related to the document– It assures the integrity of the document
University of the
Aegean
Digital Certificate A Digital Certificate is a Signed Data Structure
that binds a physical entity to a public key that possesses.
The certificate is digitally signed by an Authority (Trusted Third Party) Trusted and Qualified to act as a Certification Services Provider (CSP).
It assures by Technical and Legal means that a public key belongs to a specific entity and consequently that this entity legally possesses the relevant private key.
University of the
Aegean
Smart Cards Special Smart Cards with crypto-processor are
used in PKI Ideal solution for private key storage:
– Key pairs produced within the card
– Digital signature creation is performed within the card
– Private key is never exported from the smart card
– Mobile
– PIN protected
– Reliability and Physical durability
University of the
Aegean
Legal framework Digital signatures are internationally recognised as
equivalent to handwritten signatures and in some cases as stronger
The European Directive EC/93/99 on Digital Signatures is already adopted by the 15 member states
The Directive is adopted in Greece by the Presidential Decree 150/2001
National Telecommunication Authorities (e.g. EETT) publish regulations for the provision of Qualified Certification Services.
University of the
Aegean
Do we need something else;
Information Systems Security does not succeed with the simple raising of physical or electronic barriers.
An integrated Security Policy is needed, that will be the basis for the construction of security procedures.
University of the
Aegean
Summary
Electronic Government is close. Secure e-Government is still at a distance. … but it must (and it can) come closer! The Public Sector must face the ICT
Security as a fundamental issue.