Professional Documents
Culture Documents
PKI
January 2014
Agenda
Objectives
PKI Features
eTrust Components
Government eServices
2
Agenda
PKI Implementations
Mobile PKI
Signature Verification
Accreditation Service
3
Objectives
PKI aims to increase the number of e-services of Government and Private entities to
empower the e-Government Transformation as PKI provides:
Trust, confidence and easiness to use online services for citizens and residents
January 2014 4
About PKI
PKI enables the online service providers to identify and authenticate their clients
electronically and enables electronic signature for online transactions with non-
repudiation service
January 2014 5
About PKI
PKI enables the online service providers to identify and authenticate their clients
electronically and enables electronic signature for online transactions with non-
repudiation service
January 2014 6
PKI Features
January 2014 7
eTrust Pyramid Components
Secure
eServices &
Applications
Public Key
Infrastructure
Trust Legal
Services Framework
January 2014 8
eTrust Pyramid Components
Public Key Policies, Procedures, People, Hardware and Software required for to generate,
Infrastructure share and manage digital certificates.
Secure eServices & E-Services require strong means of authentication, digital signing and data
Applications protection in accordance with the country laws and regulations.
January 2014 9
Government eServices
January 2014 10
PKI Hierarchy
Level 2: Offline
Government Commercial
CA CA
Level 3: Online
Email Encry.Signing Auth Auth Signing SSL IPSec/VPN eMail Encry Siging Auth
SSL IPSec/VPN
Encry. Auth Signing Signing Auth.
July 2013 11
PKI Implementations
Authentication
Electronic Signing
Time Stamping
OCSP Responder
January 2014 12
Oman National PKI
Electronic Identity Gateway
13
IDP Integration
Electronic Identity Gateway is a web based application hosted in Oman National PKI
Center.
Organizations are welcome to integrate their online services to get use of it.
Advantages to users
˃ Single Sign On -- No need to remember dozen of usernames and passwords. A single
authentication will provide access to multiple service providers integrated
˃ No need to install any client software in user’s computer. End-users can access online
services in a secure and convenient way.
January 2014 14
IDP Integration
January 2014 15
IDP Integration – Authentication Service
Open SP website
Login request
Redirect the
request to IDP
Signed SAML SSO request
session.put(samlCredential)
Extracting attributes
SP website page
January 2014 16
IDP Integration – Digital Signature Service
Web
SP
End user Smart card SConnect Browser IDP
Format data
to sign
Redirect the
Signed DSS request to IDP Check request is
request to IDP
from a trusted
party and if user
is logged in
January 2014 17
Oman National PKI
Mobile PKI
18
Mobile PKI
˃ ITA Mobile PKI is a solution for mobile authentication and signing by a PIN code using a
mobile phone
October 2013 19
Mobile PKI Architecture
Service
Provider
(Bank)
Mobile PKI
solution
January 2014 20
Mobile PKI Integration
Customer
Database
Service Provider e.g. Bank
ITA Signature
ITA Messaging Server
Server
Transaction User
Card Database Database
Mobile Activation Client (ITA-VMAC) Database ITA Registration
• RSA cryptography for digital signatures
Server
• User controlled PIN management
January 2014 21
Mobile PKI Transaction Flow
1. Signing or authentication process has been started
from Service Provider application.
Service
1 Provider 11 2. Signature request has been sent to ITA-SS.
(Bank)
3. ITA-SS will enquery subscriber certificate details
from ITA-RS.
4. ITA-RS will return subscriber certificate details to
2 10 ITA-SS.
5. ITA-SS will check that returned certificate is valid
4 and will send signature request to ITAMS.
ITA Signature ITA Registration
Server Server 6. ITA-MS will reroute message to mobile phone.
3
7. User will see signature request and confirm
transaction by entering signing or authentication
5 9
pin.
8. User data is sent back to ITA-MS.
7 9. ITAMS will reroute data to ITA-SS.
8
ITA Messaging 10. ITA-SS will validate signature, check certificate
Server
6 revocation status from CA and send result to
Service Provider.
11. User can see certificate details from Service
Provider interface.
January 2014 22
Signature Verification
Online signature verification
Provides web service interface
Sub-CA accreditation
An Entity can be accredited as a Sub-CA and build its own technical solution
Entity must request license according to the licensing processes
Entity should meet all the policies and the accreditation agreements approved by ITA
ITA will conduct auditing activities periodically and according to the auditing report, PMC
might renew or suspend the accreditation
January 2014 24
Thank You