Date posted: 14-Nov-2014
www.enisa.europa.eu
ENISA
E-Identification & trust services for electronic transactions Security
Prof. Manel Medina, Andreas Sfakianakis
Content
• eID and Trust service providers regulation in Europe
• Trust Services in the new EU Regulation
• Preliminary results of ENISA's survey on TSP security and interoperability requirements
• Standards implemented by the TSPs in EU
eID and Trust service providers regulation in Europe
Digital Identity
eIDAS: the EU approach
Regulation on eID and TS
• Building trust in the online environment is key to economic development
• No comprehensive EU cross-border and cross-sector framework for secure electronic transactions that encompasses electronic trust services
• Enhance existing legislation
Scope
• Mutual recognition and acceptance of electronic identification
• Electronic trust services:
 – Electronic signatures
 – Electronic seals
 – Website authentication
 – Electronic time stamp
 – Electronic delivery service
 – Electronic documents
 – Long time preservation
Mutual recognition and acceptance of electronic identification
• How does it work? 'Notified' eID(s)
• EU Member States' obligations:
 – 'Notify' the 'national' electronic identification scheme(s) used at home for access to its public services
 – Must recognise 'notified' eIDs of other MSs
 – Free for private use and abroad; unambiguous liability
• Common principles:
 – Technology neutral
 – Mutual recognition of qualified
 – Data protection & data minimisation
 – Secondary legislation to ensure flexibility: technical, best practices
More on the Regulation on eID and TS
• What is not covered?
 – A national eID or an EU eID
• Why will it make a difference?
 – One single legislation across the EU: no need for national regulation
 – Supervision
 – Trusted lists vs. notified ID
 – Easy eSignature: "Soft ID"?
 – Clear market needs in terms of trust services
• https://ripe66.ripe.net/presentations/291-eIDAS_May2013.ppt
ENISA's Survey on Trust Services in the EU
ENISA’s work on Trust Services in the EU
• Risk assessment, security requirements and incident management for trust service providers issuing electronic certificates. (ENISA Work Programme 2013)
• Explore security mechanisms used by EU TSPs and identify their interoperability issues. (ENISA Work Programme 2013)
ENISA’s survey on Trust Services in the EU
• Launched anonymous survey intended for TSPs
• Survey is still online!! https://www.enisa.europa.eu/trust-services-in-eu
• The final results of the survey will be presented at a workshop for trust service providers: https://www.enisa.europa.eu/activities/identity-and-trust/trust-services/eid-workshop
General Security Audit (I): Kind of Audits
General Security Audit (II): Periodicity
[Chart: Periodicity of audits; categories: <=12 months, >12 months; y-axis 0–100%]
15% indicated less than 12 months
General Security Audit (III): Applied Standards
[Chart: Which general security management standards do you follow? Categories: ETSI TS 102 042, ETSI TS 101 456, WebTrust, etc.; y-axis 0–100%]
General Security Audit (&IV): Audit Supporting Documents
[Chart: categories: Certification Practice Statement, Information Security Policy, Job descriptions for Trusted Roles, Inventory of Assets, Business Risk Assessment, Business Continuity Plan, Incident Response Plan, CA Termination Plan; y-axis 0–100%]
94% of participants issue certificates
94% of the TSPs provide (or intend to provide) e-certificates, 78% other trust services and 22% only electronic certificates.
Other TSs Provided (mostly by CSPs)
[Chart: What kind of services do the TSPs provide? y-axis 0–100%]
Supported standards (I): e-signature
Supported standards (II): Time Stamping
[Chart: What TimeStamping format standards are supported? Categories: RFC 3161 Time Stamp Protocol, DSS XML TimeStamping Profile; y-axis 0–100%]
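The survey asks which time-stamping formats TSPs support; RFC 3161 is the binary (DER/CMS) Time Stamp Protocol. The block below is an added example, not code from the ENISA deck or from any TSP: it builds an RFC 3161 TimeStampReq with only the Python standard library (the DER encoding is written out by hand because the wire format is the point), then parses it back so a client can confirm the hash algorithm, message imprint, nonce and certReq flag before trusting a response. The sample document bytes and nonce are constructed; a real client sends the request to a TSA over HTTP with Content-Type application/timestamp-query (RFC 3161 section 3.4).

```python
# Added example: minimal RFC 3161 TimeStampReq encoder/decoder, standard library only.
# Not code from the ENISA deck or any TSP; sample data and nonce are constructed.
import hashlib
import os

SHA256_OID = "2.16.840.1.101.3.4.2.1"  # id-sha256

# --- DER primitives (the subset a TimeStampReq needs) ------------------------
def _der_len(n):
    """Short form below 128; long form 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_integer(value):
    """Non-negative INTEGER; pad with 0x00 so the top bit is not read as a sign."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return _tlv(0x02, b"\x00" + body if body[0] & 0x80 else body)

def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return _tlv(0x06, bytes(body))

def der_sequence(*parts):
    return _tlv(0x30, b"".join(parts))

# --- TimeStampReq, RFC 3161 section 2.4.1 ------------------------------------
def build_timestamp_request(data, nonce=None, cert_req=False):
    """SEQUENCE { version INTEGER, messageImprint SEQUENCE { AlgorithmIdentifier,
    OCTET STRING }, reqPolicy OID OPTIONAL, nonce INTEGER OPTIONAL,
    certReq BOOLEAN DEFAULT FALSE }.  Only the digest leaves the client."""
    imprint = der_sequence(
        der_sequence(der_oid(SHA256_OID), b"\x05\x00"),  # NULL parameters
        _tlv(0x04, hashlib.sha256(data).digest()),
    )
    parts = [der_integer(1), imprint]
    if nonce is not None:  # the TSA must echo it: ties the response to this request
        parts.append(der_integer(nonce))
    if cert_req:  # DER omits a value equal to the DEFAULT, so FALSE is never encoded
        parts.append(_tlv(0x01, b"\xff"))
    return der_sequence(*parts)

# --- Decoder: what a client checks before sending, or a TSA on receipt -------
def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0  # fine for arcs 0/1/2 with x < 40
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_timestamp_request(req):
    tag, body, end = _read_tlv(req, 0)
    if tag != 0x30 or end != len(req):
        raise ValueError("not a single DER SEQUENCE")
    _, version, pos = _read_tlv(body, 0)
    _, imprint, pos = _read_tlv(body, pos)
    _, alg_id, p = _read_tlv(imprint, 0)
    _, oid, _ = _read_tlv(alg_id, 0)
    _, hashed, _ = _read_tlv(imprint, p)
    out = {"version": int.from_bytes(version, "big"), "hash_oid": _decode_oid(oid),
           "hashed_message": bytes(hashed), "policy": None, "nonce": None, "cert_req": False}
    while pos < len(body):  # optional trailing fields are told apart by their tags
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x06:
            out["policy"] = _decode_oid(val)
        elif tag == 0x02:
            out["nonce"] = int.from_bytes(val, "big")
        elif tag == 0x01:
            out["cert_req"] = val == b"\xff"
    return out

if __name__ == "__main__":
    nonce = int.from_bytes(os.urandom(8), "big")  # constructed; fresh per request
    req = build_timestamp_request(b"constructed document bytes", nonce=nonce, cert_req=True)
    print(req.hex())
    print(parse_timestamp_request(req))
```

The nonce is the client's only defence against a replayed TimeStampResp: the TSA signs it back inside the TSTInfo, and a client that checks it (and the echoed message imprint) cannot be handed an old token for a different document. Setting certReq asks the TSA to include its signing certificate, which is what a verifier needs years later when the token is the only evidence left.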
Supported standards (III): Certificate Validation
[Chart: What certificate validation standards are supported? Categories: OCSP, CRL, SCVP; y-axis 0–100%]
Supported standards (&IV): Long Time Preservation
[Chart: What standards are used to provide long-time preservation of e-Signatures? y-axis 0–100%]
Risk / Impact perception (I): Time Stamping
[Chart: Security Risks for TimeStamping Services; x-axis Probability (40–100), y-axis Impact (0–100)]
Risks plotted:
• Compromise of the TSA's signature creation data (private key)
• Loss of evidence in the chain of trust in the preservation of tokens
• Compromise of the main time source
• Loss of accuracy of the main time source
• Unavailability of the main time source
Risk / Impact perception (II):Electronic Documents
Risk / Impact perception (III):Electronic Delivery
Risk / Impact perception (IV): Certificate Validation
[Chart: Security Risks for Validation Services; x-axis Probability (65–100), y-axis Impact (0–100)]
Risks plotted:
• Unavailability of the service
• Web site / web service impersonation
Risk / Impact perception (&V):Long Time Preservation
For further information and feedback
• [email protected]
• [email protected]
• https://www.enisa.europa.eu/activities/identity-and-trust/trust-services/trust-services-in-eu
• https://www.enisa.europa.eu/activities/identity-and-trust/trust-services/eid-workshop