III’s experience in PKI and its application

International Group Institute for Information Industry Aug. 2007

Foundation and Functions of PKI
• PKI is to Ensure
− − − − Confidentiality Integrity Authentication Non-repudiation

• Foundation of a PKI infrastructure
− Public trust in the operation unit − Provision of the accountability
− Comprehensive and reliable audit trail, ..

− Ability for key pairs management
− Generation, issuance, revocation, …

− Provision of services regarding certificate inquiry
− Convenient, fast, timely to the inquiry for certificate’s validity, applicability, …

PKI infrastructure in Taiwan
Taiwan PKI
Digital Certificate Task Force

Fo reign PKI

General Gov’t Mgt. Center

BCA

Foreign Gov’t PKI Root

Foreign Private PKI Root

Gov’t CA

Biz. Adm. CA

Citizen CA

Other CA

Private CA

GCA

GCA

PCA

CA

CA

CA

CA

PCA
Foreign Private PKI CA in Taiwan

The ePKI system • CHT Developed and maintained • Used and operating for GCA, BACA, CCA,

Complying Standards
• • • • • • • Certificate Policy and Certification Practices Framework : RFC 2527 Certificate format: ITU-T Recommendation X.509 V3(1997) Certificate revocation: ITU-T Recommendation X.509 V2(1997) Privilege Management Infrastructure: ITU-T X.509 4th Edition Draft V4 ASN.1syntax: ITU-T X.680, X.681, X.682 and X.208, X.209 Certificate Management Protocol: RFC 2510 Certificate Request Message Format: RFC 2511

Complying Standards
• • • • • • • • •

On-line Certificate Status Protocol: RFC 2560 Public keys encryption algorithm: PKCS #1 RSA 1024~2048 bits Data encryption algorithm: PKCS #7 Private keys encryption algorithm: Triple DES (CBC Mode, with 2 Keys or 3 Keys) Hash function: SHA-1 Signature algorithm: RSA with SHA-1 Private key syntax and protection: PKCS #8 及 PKCS #5 Private Key storage: diskette, IC card, or special designed hardware (for CA and RA) Key management: X.9.17

Key Features
• Highly reliable RA and CA security architecture, meeting ITSEC E3 and FIPS 140-1. • Flexible design to support all kinds of certificate policies for various business models. • Unified RA solution to minimize cost and expedite implementation. • Distributed architecture with expandability and scalability (from enterprise to national infrastructure). • Interface with SQL and ODBC.

Key Features
• Support DSA and RSA signature algorithms, with extension mechanism for other algorithms. • Key pairs are easily integrated and used in applications of secured browsing and emails. • Integrated into IC card and related applications. • Interoperable with other standardized PKI schemes and applications. • Interface with LDAP directory services. • Support both windows and UNIX systems.

Certificate Authority

Certification Server

Cert. application: 1? 2? 3? 4? 5 Cert. revocation: a? b? c? d

5. Publish issued cert. d. Publish revoked cert.

Certificate Repository

4. Request for cert. issuance c. Request for cert. revocation

Registration Authority
Get cert. Get CRL Inquire cert. status 1. Get cert. sw

Registration Server

3. Application data b. Revocation data Application approved 2. Apply for cert.

Cert. user

Cert. concerned

Cert. Applicant

Regis. counter

a. Apply for revocation

Certificate Subject
• Can be person, organization, server, application program • Naming: distinguished name in X.500

Hierarchical CA and RA
eCA

Subordinate CA1

Subordinate CA2

Subordinate CAn

RA11

RA12

RA1a

RA21

RA22

RA2b

RAn1

RAn2

RAnn

RAC111

RAC112

RAC11n

RACnnn

Scope of applications and Level of trust • Scope of applications
− − − − − − − − Company’s Intranet Inter-companies Company – individuals Individual - individual Class 1 Class 2 Class 3 Class 4

• Level of trust

Reasons for using BA_cert
• Facilitate trust mechanism for online transactions • Strengthen enterprise competition through G2B services • Create business values by integrating G2B and B2B services • Facilitate other secured business models

Application for a BA_cert.
Secured op center
Internet
F/W App. processing site F/W

Cert. Server

(1) App li cati on for m downlo ad

(7)Open the Cert.

Reg. Server & repository

Cert.. issuance Card making center

Corporation
Applicant (3) Ha nd in ap p. form w/i ID

Service window

app. Form (batch)

RA
BA-system

County gov’t

(2)Fill the form

Desig. Reg. unit (4) Revie w

(5)Print / Issuing cert.

(6) Deliver cert.

Applications of BA_cert
 BA_cert Facilitate trust mechanism for secured online transaction
• G2B, B2B,

 G2B applications
• • • • • • Registration of corporation and related items Online Gov’t procurement procedure G2B document exchange, Company income tax filing, Employee insurance registration, Electronic invoice

 B2B applications
• Electronic invoice • Electronic payment

Business certificates used in the systems
 DOC - Online registration of corporation http://eicm.moea.gov.tw  Tendering procedures in gov’t electronic procurement http://www.geps.gov.tw  Government document exchange in Security administration http://eweb.tse.com.tw  Labor insurance registration and inquiry to Labor insurance agency http://www.blia.gov.tw  Customs declaration procedures http://asp.dgoc.gov.tw

統一編號: 96979933 卡 別:正卡 發卡日期: 2003/08/07 中華電信股份有限公司 MG00000000000001

Gov’t online service with fund transfer (ft) to treasury

ft data validated BA_Cert account Password account password

Checking result file
BOT account Partici patin CBC password OCB

Corporation

Payme nt gateway Fund Authen. CHT Notice Fund v’t agenc y Fund Go Serv. site
withdraw withdraw

g

bank(a Authen. pplic an t)
checking result Paid-in notice

withdraw

Receipt
(e_mailed with approved permit) Checking (amount) Check sheet Paying-in slip Check sheet (daily) Paid-in fund

Che ckup unit
Check sheet

Ca shi er Acc ount ing

De sig. a ge nt ba nk
Paid-in fund

Treasury

Applications of other certificates
• Government document exchange with G_cert by officals • Citizen income tax filing with C_cert • Medical payment application with H_cert by doctors • Vehicle administration/services with C-cert • Online trading of stocks with X_cert • …

Why III in PKI management
• III has a great experience in implement Taiwan eGov PKI system • III plays the leading role in Taiwan PKI police for government • III has good global connection on international PKI community • III develops many PKI enabling system for Taiwan government • …

Thank you very much