E-IDENTITIESE-IDENTITIES
Foo Jong AiChief Executive OfficerNetrust Pte [email protected]
E-IDENTITIES
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
SCOPE
• Brief Introduction of Netrust
• E-Government & E-Identities
• Fundamentals of PKI (Public Key Infrastructure)
• Demonstration of E-Identity Applications
• Questions & Answers
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
ABOUT NETRUST
Office Location
Netrust Customer
First Public Certificate
Authority (CA) in Asia
Only Accredited CA
in Singapore
Accredited by IMDA, Trusted
by Microsoft Certificate Store
Office In Singapore &
Philippines
Sold approx. $100M+
security solutions in the
region
E-IDENTITIESE-IDENTITIES
N E T R U S T P H I L I P P I N E S C O R P O R A T I O N
Who is NETRUST?
We protect and manage
IDENTITY DATA
through
PKI
(Public Key Infrastructure)
&
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
WHY PROTECT IDENTITY AND DATA?
Cybercrime Costs
Cybercrime damage will cost the
world $6 trillion annually by 2021,
up from $3 trillion in 2015. Costs
include destruction of data,
stolen money and other.
Security Spending
The world will spend $1 trillion
cumulatively from 2017-2021 on
cybersecurity products and
services - to combat cybercrime.
Cybersecurity Jobs
There are 1 million cybersecurity
job openings in 2016, with a
projected shortfall of 1.5 million by
2019. Unemployment stays at 0%.
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
CUSTOMER REFERENCES (for CA/ PKI Services)CA for Web applications CA for Enterprise
STARS eLodgment System (SLA) Government VPN
Electronics Payment Instructions (ePI) (SLA) GoMax for Ministries, Statutory Boards
Integrated Land Information System (SLA) Starhub Ideal (Starhub)
Corenet e-Submission System (BCA) Keppel Corporation
LTA Vehicle Registration & Licensing System (LTA) SingTel, SingTel OPTUS
Netrust Authentication Module (NAM) for ePayment SembCorp Logistics
Netrust Authentication Module (NAM) for SingPass Singapore Technologies Companies
SingPass Authentication Module (SAM) for SingPass 2 NTUC Group
E-Medical Records Exchange (EMRX) (MOH) MediaCorp
eNETS (NETS)
CrimsonLogic (B-B Exchange) Projects in the Region
TradeXchange (Crimsonlogic) PKI/ 2FA for Online Banking (Bank in Malaysia)
Electronic Certificate of Origin (CrimsonLogic) National Root CA (ETDA, Thailand)
Pan Asian Alliance (PAA) GFMIS CA (MOF, Thailand)
Secure FTP (DSTA) CAT Telecom CA, Thailand
Archival of Medical Records (Hospital groups) E-Government National Center, Brunei
Archival of Bank Records (local banks) Energy company in Philippines
E-Archival Service (Trusted Hub) Gaming company in Philippines
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
GLOBAL DIGITAL TRANSFORMATION
Digital transformation is the profound and accelerating transformation of
business activities, processes, competencies and models to fully leverage the
changes and opportunities of digital technologies and their impact across
society in a strategic and prioritized way.
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
DIGITAL TRANSFORMATION
• Largest Shopping Malls in the world.
• Hotel/ room rental companies that do not own hotels.
• Taxi companies that don’t own taxis.
2016 B2C: Alibaba US$450 billion, Worldwide – US$1.9 trillion
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
Digital Age = Connectivity
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
GOOD DIGITAL DISRUPTION
Reference:https://www.forrester.com/staticassets/marketing/blogs/ForresterInfographicDigitalBusinessNigelFenwick18.pdf
Organizational benefits from digital
technologies
Percentage Increase in:
Productivity (83%)
Innovation (82%)
Cost Efficiencies (82%)
Agility (81%)
Quality of Work (80%)
Staff Engagement (74%)
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
• E-Government is no longer a question of ‘why’ but ‘when’ and ‘what’.
• Application of ICT to all aspects of a Government’s business to improve efficiency, effectiveness and connectivity.
• E-Government must be Citizen and Business Centric.
• Requires review of existing processes, organisational reforms, and business process re-engineering.
• “E-Government is not an end by itself. Focus on the ‘g’ and not on the ‘e’”.
E-GOVERNMENT
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
Customer-led digital interactions…
• Anytime, anywhere access
• Convenient, low-friction transactions
• Personalized one-to-one interactions
…and trust
•Protected identity
and personal
information
•Secure
transactions
Digital Age User Expectations
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
• An “Electronic Identity” (e-Identity) is a means for people to prove electronically that they are who they say they are and thus gain access to online services.
• The identity allows an entity (citizen, business, organisation) to be distinguished from any other.
• Without e-Identities, eGovernment will not go beyond granting access to generic information.
• The use of e-Identities facilitates the deployment of fully transactional systems diminishing the needs of manual/ repetitive work and interactions.
E-IDENTITY
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N14
In our personal life
Identity – The Digital Consumer
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N15
In our work life
Identity – The Digital Employee
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
Challenging for Users:• Too many identities• Too many passwords, rules / changes• Multiple hardware tokens, lost / forgotten cards
So what’s the Problem?
Can there be a National e-Identity?
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
Supplemented by 2nd factor authentication (2FA):
E-IDENTITIES
Password 2FA
User Name and Password:
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
SINGPASS
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
SINGPASS HACKING
2014• It was reported that more than 1,500 users may have their IDs and passwords accessed
without permission.
• The passwords of 293 SingPass accounts compromised. All victims had used their NRIC
number as part of their password.
• Three of the compromised SingPass accounts were used to make six fraudulent work pass
applications in MOM (Ministry of Manpower).
• Other SingPass account details were sold to syndicates in China for fraudulent travel visa
applications.
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
SINGPASS 2FA
OTP Token
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
• User ID & Password authentication is really easy to be attacked through technical (password brute forcing, man-in-the-middle, etc.) and social engineering attacks (phishing, shoulder surfing, etc.)
• OTP is also subject to man-in-the-middle attacks.
• In May 2016, the National Institute of Standards and Technology (NIST) published a guideline recommending the depreciation of SMS authentication as a second factor for strong authentication.
SECURITY CONCERNS
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
AUTHENTICATION STRENGTH
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
• PKI with 2nd Factor – Signing/ Authentication Private Key Repository
PKI-BASED AUTHENTICATION
Password required to unlock the private key
Smart Card
USB Cryptographic Token
Mobile Device
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
BENEFITS OF PKI-BASED E-IDENTITIES
• Known and proven technology.
• One of the strongest authentication means when supplemented by 2nd
factor hardware token/ device.
• Authentication is not dependent on an expensive centralised infrastructure.
• Support for digital signatures.
• Potential for replacing physical signatures and support for paperless end-to-
end plus digital archival.
• Legality of digital signatures backed by appropriate legislation.
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N 25
Demonstration
PKI Authentication &
Signing
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
NSign is a comprehensive
digital signing solution built
based on nSign Core.
nSign Desktop
nSign Mobile
nSign Online
nSign Enterprise
Core
Enrich workflows with Digital Signature
Signing at your Flexibility
Zero Client Token Signing
Integrated Workflow Management
Clie
nt
Web
Wo
rkfl
ow
nSIGN
Crypto-token Mobile
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
nSEAL – TRUST IN PHYSICAL DOCUMENTS
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
WHY DIGITAL SIGNATURE
Authentication IntegrityNon
repudiationDigital
Signature
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
PAPER SIGNATURES vs ELECTRONIC SIGNATURES vs DIGITAL SIGNATURES
ATTRIBUTES PAPER SIGNATURE ELECTRONIC SIGNATURE DIGITAL SIGNATURE
Authenticity May be forged May be scanned and copied Cannot be forged
Integrity
Anyone can change the
document without being
detected
Changing the document will
not invalidate the signature
You can verify whether the
document is the originally
signed document or has
been changed
Non-Repudiation
Handwriting expert needed
and is not foolproof ; could be
challenged in court
Could easily be denied
that his/her signature
was just copied
One cannot deny that they
have signed the document.
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N
DOES THE USE OF DIGITAL SIGNATURE HAVE A LEGAL BASIS IN THE PHILIPPINE CONTEXT?
YES..
According to the Philippine Republic Act 8792 , also known as the E Commerce Act of 2000
Sec. 8. Legal Recognition of Electronic Signatures. - An electronic signature on the
electronic document shall be equivalent to the signature of a person on a written
document if that signature is proved by showing that a prescribed procedure, not
alterable by the parties interested in the electronic document, existed
N E T R U S T P H I L I P P I N E S C O R P O R A T I O NN E T R U S T P H I L I P P I N E S C O R P O R A T I O N 32
Questions?
Foo Jong Ai
Chief Executive Officer
Netrust Pte Ltd