Controller of Certifying Authorities: Creating Trust in Electronic Environment (IT Act 2000)
Deputy Controller (Technology), Controller of Certifying Authorities, Ministry of Communications & Information Technology
E-Commerce Promotion
• Creating trust in the electronic environment: establishing a digital signature framework
• Trust in the paper world
• Trust issues in the electronic world
• Concept of digital signatures
• Role of CAs
• PKI
• IT Act
• Role of CCA
Electronic Commerce
• EC transactions over the Internet include
– Formation of contracts
– Delivery of information and services
– Delivery of content
• The future of electronic commerce depends on "the trust that the transacting parties place in the security of the transmission and content of their communications"
Electronic Juridical Statements
• Juridical statements which are set up telematically
• Computers are the only means by which the contracting parties set up their agreements
• Examples include
– EFT
– Teleshopping
– Electronic consultation of data banks
– Tele-reservation
– Contracts, deeds, agreements
– Dealing with public administrations
The Paper World: Documents
• A paper document consists of four components
– the carrier (the sheet of paper)
– text and pictures (the physical representation of the information)
– information about the originator
– measures to verify authenticity (the written signature)
• All four components are physically connected, so the paper is the document
• There is only one original, which can be reproduced in innumerable copies
The Paper World: Signature
• Supposed to be unique, difficult to reproduce, not changeable and not reusable
• Its main functions
– identification
– declaration
– proof
• The signature is used to identify a person and to associate that person with the content of the document; it is always related to a physical person
The Paper World: Signature (contd)
• In all legal systems
– There is no prescription of an exclusive modality of signing, e.g. full name, initials, nickname, real or any symbol
– The signature is a token of will and responsibility
– Contracting parties have the right to rule their own contractual relations, including the way each one signs the agreement
• From a legal point of view there is nothing against the introduction of new types or technologies of signature
– Digital signature is a new technology
Electronic World
• An electronic document is produced by a computer, stored in digital form, and cannot be perceived without using a computer
– It can be deleted, modified and rewritten without leaving a mark
– Integrity of an electronic document is "genetically" impossible to verify by inspection alone
– A copy is indistinguishable from the original
– It cannot be sealed in the traditional way, where the author affixes a handwritten signature
• The functions of identification, declaration and proof for electronic documents are therefore carried out using a digital signature based on cryptography
Electronic World
• Digital signatures are created and verified using cryptography
• A public key system is based on asymmetric keys
– An algorithm generates two different but mathematically related keys
• Public key
• Private key
– The private key is used to digitally sign; it is kept secret by the signer
– The public key is used to verify the signature and can be distributed freely
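As an added example (not from the original slides), the following Go program shows the two-key mechanism this slide describes: the subscriber signs a SHA-256 digest of the document with the private key, and the relying party checks it with the public key. The sample contract text, the names and the choice of RSASSA-PSS from Go's standard library are assumptions made for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds a subscriber's asymmetric key pair. The private half is the
// signing key and must stay with the subscriber; only Public() is published.
type Signer struct {
	priv *rsa.PrivateKey
}

// NewSigner generates an RSA key pair of the requested size.
func NewSigner(bits int) (*Signer, error) {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: k}, nil
}

// Public returns the verification key that a CA would later bind to the
// subscriber's identity in a certificate.
func (s *Signer) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign produces the digital signature: SHA-256 digest of the document, then
// RSASSA-PSS over the digest with the private key.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, h[:], nil)
}

// Verify is what the relying party runs: recompute the digest of the document
// it received and check the signature with the public key. Any change to the
// document, or a signature made under a different private key, yields false.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	alice, err := NewSigner(2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample document for the demo.
	contract := []byte("Party A agrees to deliver 100 units to Party B by 2001-03-31.")
	sig, err := alice.Sign(contract)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine document verifies:", Verify(alice.Public(), contract, sig))

	// Electronic documents can be altered without leaving a mark; the
	// signature is what exposes the alteration (100 units become 900).
	altered := append([]byte(nil), contract...)
	copy(altered, []byte("Party A agrees to deliver 900"))
	fmt.Println("altered document verifies:", Verify(alice.Public(), altered, sig))

	// A signature cannot be transferred to someone else's key.
	mallory, _ := NewSigner(2048)
	fmt.Println("verifies under another key:", Verify(mallory.Public(), contract, sig))
}
```

Verify answers only "was this document signed with the private key matching this public key". It cannot say who owns that public key, which is exactly the gap the certificate and CA slides that follow are there to close.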
Public Key Infrastructure
• Allows parties open access to the signer's public key
• Provides assurance that a given public key really belongs to the named signer, i.e. that it corresponds to that signer's private key, so that parties can trust one another as if they were acquainted
• Parties with no trading partner agreements, operating on open networks, need the highest level of trust in one another
Role of the Government
• Government has to provide the definition of
– the structure of the PKI
– the number of levels of authority and their juridical form (public or private certification)
– which authorities are allowed to issue key pairs
– the extent to which the use of cryptography should be authorised for confidentiality purposes
– whether the central authority should have access to encrypted information, and when and how
– the key length, its security standard and its period of validity
Certifying Authorities
• A CA is an authority which should:
– reliably identify persons applying for key certificates (signatures)
– reliably verify their legal capacity
– confirm the attribution of a public signature key to an identified physical person by means of a signature key certificate
– always maintain online access to the signature key certificates, with the agreement of the signature key owner
– take measures so that the confidentiality of a private signature key is guaranteed
Certificate based Key Management
[Figure: the CA sits between User A and User B; each user holds a certificate issued by the CA (CA to A, CA to B) binding that user's public key to its owner]
• Operated by a trusted third party, the CA
• Provides trading partners with certificates
• Notarises the relationship between a public key and its owner
Information Technology Act
• IT Act 2000: the basic legal framework for e-commerce; promotes trust in the electronic environment
• The IT Act creates a conducive environment for promoting e-commerce in the country
– Acceptance of electronic documents as evidence in a court of law
– Acceptance of electronic signatures at par with handwritten signatures
Information Technology Act (contd)
– Acceptance of electronic documents by the government
– Defines digital signatures based on asymmetric public key cryptography
– Provides for the creation of Certifying Authorities to issue public key certificates (digital certificates) for electronic authentication of users in electronic commerce
Information Technology Act (contd)
– Provides for a Controller under the IT Act to license the Certifying Authorities and to ensure that none of the provisions of the Act are violated
– Provides for dealing with offences in cyber space, such as hackers and other criminals trying to gain access to databases and other business sites
– Provides for the establishment of a Cyber Appellate Tribunal for speedy adjudication of cases arising out of this Act
– Provides for consequential amendments to the Bankers' Books Evidence Act and the Indian Evidence Act
The Controller of Certifying Authorities (CCA)
• Appointed by the Central Government under section 17 of the IT Act
• Came into existence on November 1, 2000
• Aims at promoting the growth of e-commerce and e-governance through the wide use of digital signatures
The CCA regulates the functioning of CAs in the country by
• Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities
• Certifying the public keys of the CAs, i.e. issuing their Digital Signature Certificates, more commonly known as Public Key Certificates (PKCs)
• Laying down the standards to be maintained by the CAs
• Addressing the issues related to the licensing process
The licensing process
• Examining the application and accompanying documents as provided in sections 21 to 24 of the IT Act, and all the Rules and Regulations thereunder
• Approving the Certification Practice Statement (CPS)
• Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA
Audit Process
• Adequacy of security policies and their implementation
• Existence of adequate physical security
• Evaluation of the functionality of the technology that supports CA operations
• The CA's service administration processes and procedures
• Compliance with the CPS as approved by the Controller
• Adequacy of contracts and agreements for all outsourced CA operations
• Adherence to the Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time
PKI Standards
Public Key Cryptography
· RSA - asymmetric cryptosystem
· Diffie-Hellman - asymmetric cryptosystem
· Elliptic curve discrete logarithm cryptosystem
Digital Signature Standards
· RSA, DSA and EC signature algorithms
· SHA-1, SHA-2 - hashing algorithms (SHA-1 has since been shown to be collision-prone and should not be used for new signatures; SHA-2 is the practical choice)
Directory Services (LDAP version 3)
· X.500 for publication of public key certificates and certificate revocation lists
· X.509 version 3 public key certificates
· X.509 version 2 certificate revocation lists
PKCS family of standards for public key cryptography from RSA
· PKCS#1 to PKCS#13
Federal Information Processing Standards (FIPS)
· FIPS 140-1 level 3 and above for security requirements of cryptographic modules
Key Size mandated by the CCA
• CA: 2048-bit RSA key
• User: 1024-bit RSA key
(The 1024-bit user key reflects the requirement at the time of these slides; NIST SP 800-131A disallowed 1024-bit RSA for signature generation after 2013, and 2048 bits is the minimum a practitioner should expect today.)
Licensed Certifying Authorities
• Provide services to subscribers and relying parties as per the certification practice statement (CPS), which is approved by the CCA as part of the licensing procedure
– Identification and authentication
– Certificate issuance
– Certificate suspension and revocation
– Certificate renewal
– Notification of certificate-related information
– Display of all these on the CA's website
– Time-stamping
End entities, subscribers and relying parties
• The end entities of the RCAI (Root Certifying Authority of India, operated by the CCA) are the licensed CAs in India
• Subscribers and relying parties using the certificates issued by a CA need assurance that the CA is licensed by the CCA
• They should be able to verify the licence through an indicator in the PKCs issued by the CA
PKI Hierarchy
[Figure: the CCA at the top issues certificates to the licensed CAs; each CA issues certificates to its subscribers; the CCA and each CA publish a directory of certificates and CRLs, which relying parties consult]
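As an added example, not part of these slides or of any CCA or RCAI software, the Go program below builds the hierarchy in the figure with the standard library's crypto/x509 package: a self-signed root standing in for the CCA, a licensed CA certified by it, and a subscriber certified by the CA. It then has the CA issue an X.509 v2 CRL and implements the relying party's check from the directory: the subscriber certificate must chain to the root through the CA, the CRL must carry the CA's own signature, and the certificate must not be listed in it. All names, serial numbers, validity periods and the "(demo)" labels are constructed, and the functions newEntity, BuildHierarchy, IssueCRL and Accept are this example's own, not an API of the CCA.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is the chain on the slide: CCA root -> licensed CA -> subscriber.
type Hierarchy struct {
	Root, CA, Subscriber *x509.Certificate
	caKey                *rsa.PrivateKey // the licensed CA also signs its CRL
}

// newEntity generates a 2048-bit RSA key pair for cn and issues its X.509 v3
// certificate under parent; a nil parent yields the self-signed root of trust.
// Names, serials and validity periods are constructed for this demo.
func newEntity(cn string, serial int64, isCA bool, usage x509.KeyUsage,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: usage, Subject: pkix.Name{Country: []string{"IN"}, CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0)}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildHierarchy issues the three certificates; only the CAs get CertSign and CRLSign.
func BuildHierarchy() (*Hierarchy, error) {
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	root, rootKey, err := newEntity("CCA root (demo)", 1, true, caUsage, nil, nil)
	if err != nil {
		return nil, err
	}
	ca, caKey, err := newEntity("Licensed CA (demo)", 2, true, caUsage, root, rootKey)
	if err != nil {
		return nil, err
	}
	sub, _, err := newEntity("Subscriber (demo)", 3, false, x509.KeyUsageDigitalSignature, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{Root: root, CA: ca, Subscriber: sub, caKey: caKey}, nil
}

// IssueCRL has the licensed CA sign an X.509 v2 CRL revoking one serial and
// returns it parsed, as a relying party would fetch it from the directory.
func IssueCRL(h *Hierarchy, revoked *big.Int) (*x509.RevocationList, error) {
	now := time.Now()
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked, RevocationTime: now}},
	}, h.CA, h.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Accept is the relying party's decision: the subscriber certificate must chain
// through the licensed CA to the CCA root, the CRL must carry the CA's own
// signature, and the certificate must not be listed in it.
func Accept(root, ca, leaf *x509.Certificate, rl *x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return err
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the issuing CA: %w", err)
	}
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate %v revoked at %v", leaf.SerialNumber, e.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}
```

Accept is deliberately the single decision point. A relying party that verifies the chain but skips the CRL, or trusts a CRL without checking its signature, keeps accepting certificates the CA has already withdrawn; in production it should also fail closed when no CRL whose NextUpdate is still in the future can be obtained, and it would anchor trust in the real RCAI certificate rather than a root generated on the spot.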
Trust in Electronic Environment in India
• CCA: root of trust, national repository
• Licensed CAs
• Digital signatures for signing documents
• Certificates and CRLs available for access by relying parties
• PKI operational
• Other provisions of the IT Act: cybercrimes not to go unpunished