PKI Technology Role of CCA Controller of Certifying

PKI Technology Role of CCA Controller of Certifying Authorities Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications & Information Technology

Role of CCA for secure e-Commerce and e-Governance Authentication of entities in cyberspace Prevention of deliberate or accidental Disclosure and/or Amendment/Deletion of data Punishment for cyber crimes Licencing of CAs and establishment of PKI Controller of Certifying Authoritie

Security Issues : Confidentiality Integrity Authenticity Non-Repudiability Controller of Certifying Authoritie

Threats to Authenticity Masquerading Counter Measures Strong Digital Signature - Cryptographically generated credentials. Controller of Certifying Authoritie

Encryption: Transformation of data to Prevent information being read by unauthorised parties. Sender and Receiver have to know the rules which have been used to encrypt the data. Based on Algorithms which are mathematical functions for combining the data with a string of digits called the Key. The result is the encrypted text. Eg: Adding a fixed number of characters, say 5, to each character in the message that is being encrypted. The word SECURITY then becomes the encrypted text XJHZWNYD Controller of Certifying Authoritie

Encryption Technologies Symmetric Key Cryptography Document Encoded Document to be sent Received Encoded Document Symmetric key Key • Identical keys are used for encryption and decryption. • Requires both parties to a digital conversation to know the key Controller of Certifying Authoritie

Encryption Technologies Symmetric Key Cryptography (contd. ) ‘n’ Partners means handling n secret keys Authenticity cannot be proved. Controller of Certifying Authoritie

Public key cryptography Each party is assigned a pair of keys – private – known only by the owner public - known by everyone Information encrypted with the private key can only be decrypted by the corresponding public key & vice versa Fulfils requirements of confidentiality, integrity, authenticity and non-repudiability No need to communicate private keys Controller of Certifying Authoritie

Digital Signatures Pair of keys for every entity One Public key – known to everyone One Private key – known only to the possessor Controller of Certifying Authoritie

Digital Signatures To digitally sign an electronic document the signer uses his/her Private key. To verify a digital signature the verifier uses the signer’s Public key. Controller of Certifying Authoritie

Digital Signature • The message is encrypted with the sender’s private key • Recipient decrypts using the sender’s public key Public PKA Document Private SKA Digital Signature CONFIRMED Digital Signature Controller of Certifying Authoritie

Message Integrity one-way hash functions use no key original data cannot be generated from hash output No two messages will generate the same hash. SIGN the HASH NOT the entire Message Controller of Certifying Authoritie

Maintaining Message Integrity message Hash message No Hash Reject Message Check Hash generation function Hash SENDER Hash generation function Yes Accept Hash Message RECEIVER Controller of Certifying Authoritie

Public Key Cryptography Encryption Technologies Confidentiality SKB Document Encrypted Document PKB Sender A (PKA, SKA) Receiver B (PKB, SKB) Controller of Certifying Authoritie

Confidential Signed Messages Message Hash Message + signature Hash Encrypted Message Using Hash function ENCRYPTSent thru’ Internet DECRYPT on the message Message + signature with Receiver’s Public Key Message + signature with Receiver’s Private Key + Signature COMPARE Signe Mess d age SIGN hash With Sender’s Private key Sender Hash Receiver VERIFY Signature With Sender’s Public Key Controller of Certifying Authoritie

Authenticity and Confidentiality A signs message with his own private key A then encodes the resulting message with B’s Public key B decodes the message with his own Private key B applies A’s Public key on the digital signature Controller of Certifying Authoritie

Authenticity and Confidentiality When A uses his own private key, it demonstrates that he wants to sign the document he wants to reveal his identity he shows his will to conclude that agreement The encoded message travels on the Net, but nobody can read it : confidentiality Controller of Certifying Authoritie

Authenticity and Integrity B needs to know that A and only A sent the message B uses A’s public key on the signature Only A’s public key can decode the message A cannot repudiate his signature Digital signature cannot be reproduced from the message No one can alter a ciphered message without changing the result of the decoding operation Controller of Certifying Authoritie

Issues in Public key Cryptosystems How will recipient get senders public key? How will recipient authenticate sender's public key ? How will the sender be prevented from repudiating his/her public key? Controller of Certifying Authoritie

Certifying Authority An organization which issues public key certificates. Must be widely known and trusted Must have well defined methods of assuring the identity of the parties to whom it issues certificates. Must confirm the attribution of a public key to an identified physical person by means of a public key certificate. Always maintains online access to the public key certificates issued. Controller of Certifying Authoritie

Public-Key Certification User Certificate User Name & other credentials Certificate Request User’s Public key Certificate Database User Name Signed by using CA’s private key User’s Public Key CA’s Name Publish User 1 certificate User 2 certificate. Validation period Signature of CA Controller of Certifying Authoritie

Contents of a Public Key Certificate Issued by a CA as a data message and always available online S. No of the Certificate Applicant’s name, Place and Date of Birth, Company Name Applicant’s legal domicile and virtual domicile Validity period of the certificate and the signature CA’s name, legal domicile and virtual domicile User’s public key Information indicating how the recipient of a digitally signed document can verify the sender’s public key CA’s digital signature Controller of Certifying Authoritie

Certificate Revocation List • A list of all known Certificates that have been revoked and declared invalid Controller of Certifying Authoritie

Technical Infrastructure Controller of Certifying Authorities as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates Controller of Certifying Authoritie

Technical Infrastructure. . contd The CCA operates the following : Root Certifying Authority (RCAI) under section 18(b) of the IT Act, and National Repository of Digital Signature Certificates (NRDC) Web site cca. gov. in Controller of Certifying Authoritie

End entities, subscribers and relying parties The End entities of RCAI are the Licensed CAs in India. Subscribers and relying parties using the certificates issued by a CA need to be assured that the CA is licensed by the CCA. They should be able to verify the licence under which a PKC has been issued by a CA. Controller of Certifying Authoritie

Strong Room for RCAI Reinforced walls for room housing RCAI 24 -hour surveillance through CCTV Access controls through proximity cards and biometric readers Physical security including locks Security personnel Controller of Certifying Authoritie

National Repository : NRDC National Repository of Digital Certificates Certificate Revocation List Controller of Certifying Authoritie

CCA : National Repository of Certificates of Public Keys of CAs and Certificates issued by CAs CA Cert/CRL CA Internet Cert/CRL CA Directory Client LAN Cert/CRL Subscriber CCA NRDC Subscriber § CA Public Keys Certified by RCAI § CA’s Revoked Keys RCAI Relying Party Controller of Certifying Authoritie

Thank you Controller of Certifying Authorities