cupa pres a_2
Trusted Electronic Transactions
TOPICS COVERED
Why conduct transactions electronically?
Three characteristics that ensure trust in electronic transactions
How we achieve trust in paper-based transactions
Problems with common electronic transactions
TOPICS COVERED
Achieving trust in electronic transactions with Digital Signature technology and an effective archiving scheme
• What are digital signatures? An introduction to Public Key Infrastructure
• An introduction to archiving digitally signed transactions using XML
TOPICS COVERED
Applying Public Key Infrastructure to address security risks when granting public access to community-right-to-know data
Relevant legislation regarding Digital Signatures and electronic government transactions
ELECTRONIC TRANSACTIONS
Streamline Reporting Process
• Reduce burden on regulated community
Efficient Record Retention
Timely and Accurate Data Retrieval and Access
• Emergency Response (24/7 access)
• Community-Right-to-Know
CAN ELECTRONIC DATA BE TRUSTED?
Accuracy and Authenticity
• Decisions regarding Environmental Health and Impact
Security
• Protection from unauthorized access
• Tamper-resistant
  – Accidental: human errors
  – Intentional: fraud
Credibility in Judicial Proceedings
• Effective Enforcement
• Plaintiff/Defendant Subpoena
Evidence must be unambiguous to be admissible in court
Once admitted into Court, evidence must be persuasive to a jury
JUDICIAL CREDIBILITY is the Highest Standard for Trusted Data **
** National Governor’s Association (NGA) State Guide to Environmental Reporting
WHAT DETERMINES A LEGALLY BINDING REPORT?
1. AUTHENTICATION: the ability to prove the sender’s identity
2. REPORT INTEGRITY: the ability to prove that there has been no change during transmission, storage, or retrieval
3. NON-REPUDIATION: the ability to prove that the originator of a report intended to be bound by the information contained in the report
NON-REPUDIATION
AUTHENTICATION
REPORT INTEGRITY
TRUST IN PAPER-BASED REPORTS
ELECTRONIC REPORTING
FROM PAPER TO ELECTRONIC: Repudiation Risks in Basic Electronic Transactions
“I did not send that report!”
“That report is not the one I sent!”
“I did not mean that!”
“I did not send that report!”
Identity of user is unknown
Possible Solutions:
Telephone call follow-up
Terms and Conditions Agreement (TCA) / Mailed Certification Agreement
Mail a Diskette Containing Electronic Data
“That report is not the one I sent!”
Electronic reports contain no evidence of tampering in transmission, storage or retrieval
Sources of possible loss of data integrity
• Human Error
• Data Corruption
• Fraud
Ensuring Authenticity and Report Integrity in Electronic Transactions
Digital Signatures
• Public Key Infrastructure
Public Key Infrastructure (PKI)
PKI is a combination of software, encryption technologies and facilities that can facilitate trusted electronic transactions.
PKI Components
• Key Pairs
• Certificate Authority
• Public Key Cryptography
Key Pairs
• A “key” is a unique digital identifier
  – Keys are produced using a random number generator
• A “key pair” consists of two mathematically related keys
  – The private key is secret and under the sole control of the individual
  – The public key is open and published
Certificate Authority
• A trusted authority
• Responsible for creating the key pair, distributing the private key, publishing the public key and revoking the keys as necessary
• The “Passport Office” of the Digital World
Digital Certificates
• A unique electronic signifier issued by a Certificate Authority that functions like a passport to verify a user’s identity.
• The certificate authority binds the unique key to the following:
  – Name of the Certificate Authority
  – Certificate Expiration Date
  – Certificate Identity Number
• Certificate Storage
  – software tokens
  – browser certificate stores
  – hardware tokens (Smart Cards, USB Tokens)
Public Key Cryptography
Complementary algorithms are used to encrypt and decrypt documents
Diagram labels: Encryption key, Unreadable Format, Decryption key
Public Key Infrastructure in Action
• Secure Transmission: encrypting with the public key, decrypting with the private key
• Signatures: encrypting with the private key, decrypting with the public key
Digital Signatures
An individual digitally signs a document using the private key component of his certificate.
Diagram labels: Report, Private key, Encryption Algorithm, Digitally Signed
Authentication and Verification
The individual’s public key, published by the CA, decrypts and verifies the digital signature.
Diagram labels: Digitally Signed, Public Key, Decryption Algorithm
Authentication and Verification
• Any changes made to the report will invalidate the signature
• Provides evidence of report integrity
• Provides proof of report originator’s identity - Authentication
Security in Transmission
• Secure Sockets Layer (SSL)
• https
• Submission is encrypted by the sender with recipient’s public key
• After receipt, submission is decrypted with recipient’s private key
ACHIEVING TRUST IN ELECTRONIC REPORTS
What Should Be Signed?
Balance between capturing the entire content of the transaction vs. ease of data integration
Data that is machine readable but separates user-entered content from context: database, comma-delimited, spreadsheet, etc.
Data that records content and context but is not easily integrated into databases: Word, PDF, image, HTML, etc.
Ensuring Non-repudiation in Electronic Transactions
Capturing Complete Transactions in Archive
• Signing the content and context of a transaction
• Storing the signed transaction in a data warehouse without manual intervention
eXtensible Markup Language
XML can be used to store both the questions on the form (context) and the data entered by the user (content).
The entire form can be stored as one object
Diagram labels (XML): Default Values; Lookup values (i.e. chemical classifications); Questions; Physical Characteristics
XML Schema
From the W3C: http://www.w3.org/1999/05/06-xmlschema-1/
…define and describe a class of XML documents by using these constructs to constrain and document the meaning, usage and relationships of their constituent parts: datatypes, elements and their content, attributes and their values, entities and their contents and notations. Schema constructs may also provide for the specification of implicit information such as default values. Schemas are intended to document their own meaning, usage, and function through a common documentation vocabulary.
Business Plan Schema
INCORPORATING XML AND PKI
• XML Transaction Instance conforming to Schema
• Public Key Cryptography via Web Browser plugin
Granting Public Access to paper reports
Public comes into agency office
Public provides driver’s license or other identification
Agency can monitor who is accessing data
Providing Trusted Electronic Access to Data
Identity of user is unknown
Access cannot be monitored
Relying on the Certificate Authority
Applying PKI to Public Access
In order to obtain access to Community Right to Know data, individuals first obtain digital certificates.
Diagram labels: Public, Digital Certificate
After contributing a certificate to gain access, the individual’s certificate can be cross-referenced with other security databases to monitor suspect individuals.
Diagram labels: Public, Digital Certificates, Agency
RELEVANT LEGISLATION
TITLE 27, Part 2, Article 5
CA Title 2, Division 7, Ch.10 Digital Signatures
TITLE 27 – CUPA Legislation
California Digital Signature Regulations
• Definitions
• Digital Signatures Must Be Created By An Acceptable Technology: Criteria For Determining Acceptability
• List of Acceptable Technologies
• Provisions For Adding New Technologies to the List of Acceptable Technologies
• Issues to Be Addressed By Public Entities When Using Digital Signatures
California Code of Regulations Title 2. Administration DIVISION 7. CHAP 10. DIGITAL SIGNATURES
http://www.ss.ca.gov/digsig/regulations.htm
California Digital Signature Regulations
The technology known as Public Key Cryptography is an acceptable technology for use by public entities in California, provided that the digital signature is created consistent with the provisions in Section 22003(a)1-5.
"Acceptable Certification Authorities" means a certification authority that meets the requirements of either Section 22003(a)6(C) or Section 22003(a)6(D).
"Approved List of Certification Authorities" means the list of Certification Authorities approved by the Secretary of State to issue certificates for digital signature transactions involving public entities in California.
Summary: Electronic report transactions are subject to fraud and easily repudiated:
Unsigned Web forms can be sent by anyone. They can be tampered with in transmission, and the sender can’t be legally verified.
Unsigned data in a database can be altered and does not provide adequate evidence in a court of law.
Data on diskette can be altered without visible evidence.
Summary, cont.
Digitally signed reports can also be repudiated, if the signed data is stored independently of the form question data.
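The point of the signature slides and of this summary, as an added example that is not part of the original presentation: a signature over the whole XML form (questions and answers) fails verification when either is changed, while a signature over the answers alone still verifies after a question is reworded. The element names, the sample question and the toy textbook-RSA key built from two Mersenne primes are assumptions for illustration; a real deployment uses CA-issued keys and a vetted signature library.

```python
import hashlib
import xml.etree.ElementTree as ET

# Toy key pair (assumption, teaching stand-in only): textbook RSA over two
# known Mersenne primes, no padding. Not a secure signature scheme.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key (published)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key (held by the signer)

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes) -> int:
    """'Encrypt' the SHA-256 digest with the private key."""
    return pow(digest(data), D, N)

def verify(data: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the public key and compare digests."""
    return pow(signature, E, N) == digest(data)

def build_form(question: str, answer: str) -> bytes:
    """One form field stored as XML: question (context) plus answer (content).
    Element names are hypothetical. Real XML signing canonicalizes first;
    here the archived bytes are signed exactly as stored."""
    report = ET.Element("report", form="constructed-sample")
    field = ET.SubElement(report, "field", id="q1")
    ET.SubElement(field, "question").text = question
    ET.SubElement(field, "answer").text = answer
    return ET.tostring(report, encoding="utf-8")

def content_only(form_xml: bytes) -> bytes:
    """What a content-only scheme signs: field ids and answers, no questions."""
    root = ET.fromstring(form_xml)
    pairs = (f"{f.get('id')}={f.findtext('answer')}" for f in root.iter("field"))
    return ";".join(pairs).encode()

def demo() -> dict:
    # Constructed sample data, not taken from any real report.
    original = build_form("Maximum daily amount stored (gallons)?", "500")
    reworded = build_form("Average daily amount stored (gallons)?", "500")
    altered = build_form("Maximum daily amount stored (gallons)?", "50")
    sig_full = sign(original)                    # content and context signed
    sig_content = sign(content_only(original))   # answers signed alone
    return {
        "full_original": verify(original, sig_full),
        "full_answer_changed": verify(altered, sig_full),
        "full_question_changed": verify(reworded, sig_full),
        "content_only_question_changed": verify(content_only(reworded), sig_content),
    }
```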
Conclusion: Ensuring Trusted Electronic Transactions
1. PKI supports trusted electronic report transactions:
• Authentication: authenticates the sender of a report
• Report Integrity: invalidates a report if it has been tampered with
• Non-repudiation: sender and document are authenticated; the sender cannot deny having sent the report
Conclusion, cont.
2. PKI supports trusted access to Public Data:
Agencies require individuals to contribute digital certificates in order to gain access.
Agencies can track who gains access at what time
The names of individuals who seek access can be cross-referenced with additional security databases to protect public safety
Conclusion, cont.
3. Complete Archiving ensures that a legal record of a transaction can be trusted:
• Non-repudiation: storing a copy of the entire data (including questions on the form) with the digital signature.
Resources:
• eCompliance, Inc. http://www.ecompliance.net
  – White paper/ Electronic Transactions
  – Copy of presentation
• Environmental Protection Agency
  – Central Data Exchange http://www.epa.gov/cdx/cde.html
• National Governor’s Association
  – State Guide to Electronic Reporting of Environmental Data http://www.nga.org/center/divisions/1,1188,C_ISSUE_BRIEF%5ED_1139,00.html