Transcript Web Programming

Public Key Infrastructure[PKI]
in
Thailand
by
Rear Admiral Prasart Sribhadung
Rear Admiral Prasart Sribhadung
•
•
•
•
•
•
•
•
•
Dean, Graduate School of Internet and
E-Commerce, Assumption University
President, Association of Thai Internet
Indusdry (ATII)
Advisor, Past Vice President Computer
Association of Thailand Under the
Patronage of H.M. the King (CAT)
Advisor Thai Internet Service Provider
Club (TISPC)
Member, Internet Policy Sub
Committee, NITC, Ministry of Science
Member, Computer Terminology
Committee, The Royal Institute
Member, National Copyright
Committee, Ministry of Commerce
Chairman, Computer Software
Copyright Promotion Subcommittee,
Ministry of Commerce
Member, Cyber Inspector, Ministry of
Information and Communication
Technology
Rear Admiral Prasart Sribhadung
•
•
•
•
•
•
Former Managing Director
A-Net Co. Ltd.
Business Online Co. Ltd.
Former Vice Chairman
ANEW Corporation
Former Director
Naval Data Processing Center
Former Lecturer
Naval Academy (Operations Research
and Computer Programming)
Former Lecturer
Naval Staff College
(Operations Research)
Former Lecturer
NIDA and UTCC
(Operations Research)
Public Key Infrastructure (PKI)
• The concept of public key infrastructure (PKI) enables you to bring
strong authentication and privacy to the online world.
• By using public key cryptographic techniques and encryption
algorithms, you can provide a means to identify users and ensure
that no one but the intended recipients of data can have access to
the data or any other network resources.
Public Key Infrastructure (PKI)
• PKI is a solution that includes technological, procedural, and
personnel elements.
• The key technological elements of a PKI solution are the private
key, public key, and certificate authority (which creates and
oversees the digital certificate).
• The procedural elements are the security policies that govern the
use of the technological elements.
• The personnel elements are the cultural requirements of the user
community that uses the solution.
Public Key Infrastructure (PKI)
• The purpose of a PKI solution is to give a user a means of
identifying himself in the electronic world.
• This is done through the use of asymmetric cryptographic
techniques and the creation of digital certificates.
• A user utilizes a complex mathematic algorithm to create a public
key and private key pair.
• The public key is distributed to anyone with whom he wants to
establish secure communications.
• The private key is kept safely in the sole possession of the owner
and is never disclose to anyone else.
Public Key Infrastructure (PKI)
• After a user have created a key pair, he needs to have his identity
validated by a trusted third party which is known as the certificate
authority (CA) . He submits his public key to the CA and authorizes
it to investigate him to prove his identity.
• After the CA has affirmed that the user is who he claims to be, it
then adds its digital signature to the public key and adds information
about the user to create an X.509 digital certificate
• PKI is the infrastructure required so
that the utilization of Digital Signatures
will be possible
PKI in Thailand
• PKI-related initiatives/projects in Thailand started in 1999 within the
Government Information Technology Services (GITS) which
operated as part of NECTEC to leverage the pool of manpower,
expertise and other common infrastructures.
• Thai Digital ID Co.Ltd. The first CA in Thailand was established in
2000 and had its first key pair called “Root Key” generated on 4th
September 2000. CA service was available in April 2001.
• June 2001, ACERTs Co.Ltd was established as the second CA in
Thailand with collaboration with Netrust Pte. Ltd. of Singapore and
started its CA operation in Dec 2001.
PKI in Thailand
• GITS started test running CA service for government agencies in
2002.
• On 19th August 2003, TOT Corporation Public Company establish a
CA in collaboration with UniCERT of Baltimore USA.
IT Laws in Thailand
• The Ministry of Science, Technology and Environment proposed six
new laws to develop IT infrastructure for Thailand and was approved
by the cabinet in December 1988, they are:
•
•
•
•
•
•
1. Electronic Transactions Law
2. Electronic Signature Law
3. Universal Access Law
4. Computer Crime Law
5. Data Protection Law
6. Electronic Funds Transfer Law.
• The first two were combined into one and was proclaimed
“Electronic Transaction Act B.E.2544” on 2nd December 2001.
Digital (Electronic) Signature
•
Electronic Transaction Act B.E.2544 Chapter 2, Section 26, stated that an
electronic signature is considered to be a reliable electronic signature if it
meets the following requirements:
(1) The signature creation date are, within the context in which they are used, linked
to the signatory and to no other person;
(2) The signature creation date were, at the time of signing, under the control of the
signatory and of no other person;
(3) Any alteration to the electronic signature, made after the time of signing, is
detectable; and
(4) Where a purpose of legal requirement for a signature is to provide assurance as
to the completeness and integrity of the information and any alteration made to
that information after the time of signing is detectable.
The provision of paragraph one does not limit that there is no other way to prove
the reliability of an electronic signature of the adducing of the evidence of the
non-reliability of an electronic signature.
PKI
• Public Key Infrastructure is the entire set of
hardware, software, and cryptosystems
necessary to implement public key encryption
• PKI systems are based on public-key
cryptosystems and include digital certificates
and certificate authorities (CAs) and can:
–
–
–
–
Issue digital certificates
Issue crypto keys
Provide tools to use crypto to secure information
Provide verification and return of certificates
The Use of Public-Key Cryptosystems
•
•
•
•
•
We can classify the use of Public-Key Cryptosystems into three categories:
1. Key Exchange: The two communicating partners cooperate to exchange a
session key. Several approaches are possible, involving the private key(s) of
one or both parties.
2. Digital Signature/Authentication: The sender “signs” a message by
encrypting with his private key. That is achieved by a cryptographic algorithm
applied to the message or to a small block of data that is a function of the
message.
3. Confidentiality(Secrecy) The sender encrypts the plaintext message with
the receiver’s public key and sends the ciphertext, then the receiver decrypts the
ciphertext with his own private key to retrieve the plaintext message. (This is
only possible for a small plaintext)
Some algorithms covers all three applications, others can manage one or two of
those applications.(see table 6.2, p.170)
Public Key Encryption
•If Alice wishes to send a confidential
message to Bob, she uses Bob’s public
key to encrypt the plaintext message,
then sends the ciphertext to Bob
• When Bob receives the encrypted
message, Bob decrypts the ciphertext
with his private key, revealing the
plaintext message from Alice
Public Key Encryption
Digital Signature
• An interesting thing happens when the asymmetric
process is reversed, that is the private key is used to
encrypt a short message
• The public key can be used to decrypt it, and the fact
that the message was sent by the organization that owns
the private key cannot be refuted
• This is known as nonrepudiation, which is the foundation
of digital signatures
• Digital Signatures are encrypted messages that are
independently verified by a central facility (registry) as
authentic
Hybrid
•
•
•
•
In practice, pure asymmetric key encryption is not widely used
except in the area of certificates
It is more often used in conjunction with symmetric key encryption
creating a hybrid system
Use the Diffie-Hellman Key Exchange method that uses asymmetric
techniques to exchange symmetric keys to enable efficient, secure
communications based on symmetric keys
Diffie-Hellman provided the foundation for subsequent
developments in public key encryption
Digital Signature
Digital (Electronic) Signature
•
Electronic signature means letters, characters, numbers, sounds or
any other symbols created in electronic form and affixed to a data
message in order to establish the association between a person and
a data message for the purpose of identifying the signatory who
involves in such data message and showing that the signatory who
involves in such data message and showing that the signatory
approves the information contained in such data message.
Digital Signature
•
•
•
•
•
•
•
•
•
•
•
PGP signatures look like this:
---- BEGIN PGP SIGNED MESSAGE---Really Good Electronics - Chip Prices
1MB 2 CHIP 80 NS $20.25
1MB 2 CHIP 70 NS $20.75
1MB 8 CHIP 80 NS $18.70
1MB 8 CHIP 70 NS $19.60
1MB FX (Any speed) $16.80
For information, call 800-RAM-GOLD
----BEGIN PGP SIGNATURE---iQCVAgUBLlgEEHD7CbCQPJJ1AQEMXgQAueUPPrpYeb13RZMPD4f8QmW+pQs/ay2P
vrtD+kL0zz3LczxoK3XDdvRj1eRYviXYaJhvSt13cK7+D71no1mFHWv3DS7tBJzpG3hJ
RUr6guRoekcYWXPR7OZhW9VTUHNoIG/OpK23HCatd9f+81TafeUc160k9/CMKj034
kZ1hz8=
=jRLh
----END PGP SIGNATURE----
Signing a Digital Signature
Unsigned
plaintext
document
Digital
signature
applied by
encryption
with MD5/RSA
sender’s
private key
Document
with signature
compressed
Compressed
signed
document
encrypted
with IDEA
session key
The session
key (IDEA )is
encrypted
using RSA
receiver’s
public key
and attached
File converted
to ASCII
armor
format
Message file transferred
Message
received in
ASCII
armor
format
ASCII
armor
removed
Attached
encrypted
session key
decrypted
with receiver
private key
Compressed
encrypted
signed
message
decrypted with
session key
Decompress
file revealing
plaintext
message and
signature
Verify
signature
using sender
public key
RSA/MD5