digital signatures 2

Upload: nilesh2050

Post on 09-Apr-2018

  • 8/8/2019 Digital Signatures 2

    1/49

    Trusted Electronic Transactions

    2/49

    TOPICS COVERED

    Why conduct transactions electronically?

    Three Characteristics that ensure trust in electronic transactions

    How we achieve trust in paper-based transactions

    Problems with common electronic transactions

    3/49

    TOPICS COVERED

    Achieving trust in electronic transactions with Digital Signature technology and an effective archiving scheme

    What are digital signatures? An introduction to Public Key Infrastructure

    An introduction to archiving digitally signed transactions using XML.

    4/49

    TOPICS COVERED

    Applying Public Key Infrastructure to address security risks when granting public access to community-right-to-know data

    Relevant Legislation regarding Digital Signatures and electronic government transactions

    5/49

    ELECTRONIC TRANSACTIONS

    Streamline Reporting Process

    Reduce burden on regulated community

    Efficient Record Retention

    Timely and Accurate Data Retrieval and Access

    Emergency Response (24/7 access)

    Community-Right-to-Know

    6/49

    CAN ELECTRONIC DATA BE TRUSTED?

    Accuracy and Authenticity

    Decisions regarding Environmental Health and Impact

    Security

    Protection from unauthorized access

    Tamper-resistant

    Accidental human errors

    Intentional - Fraud

    Credibility in Judicial Proceedings

    Effective Enforcement Plaintiff/Defendant Subpoena

    7/49

    Evidence must be unambiguous to be

    admissible in court

    Once admitted into Court, evidence must be

    persuasive to a jury

    JUDICIAL CREDIBILITY is the Highest

    Standard for Trusted Data **

    ** National Governors Association (NGA) State Guide to Environmental Reporting

    8/49

    WHAT DETERMINES A LEGALLY BINDING REPORT?

    1. AUTHENTICATION: the ability to prove the sender's identity

    2. REPORT INTEGRITY: the ability to prove that there has been no change during transmission, storage, or retrieval

    3. NON-REPUDIATION: the ability to prove that the originator of a report intended to be bound by the information contained in the report

    9/49

    NON-REPUDIATION

    AUTHENTICATION

    REPORT INTEGRITY

    10/49

    TRUST IN PAPER-BASED REPORTS

    11/49

    ELECTRONIC REPORTING

    12/49

    FROM PAPER TO ELECTRONIC:

    Repudiation Risks in Basic Electronic Transactions

    I did not send that report !

    That report is not the one I sent !

    I did not mean that !

    13/49

    I did not send that report !

    Identity of user is unknown

    Possible Solutions:

    Telephone call follow-up

    Terms and Conditions Agreement (TCA) /

    Mailed Certification Agreement

    Mail a Diskette Containing Electronic

    Data

    14/49

    That report is not the one I sent !

    Electronic reports contain no evidence of tampering in transmission, storage or retrieval

    Sources of possible loss of data integrity

    Human Error

    Data Corruption

    Fraud

    15/49

    Ensuring Authenticity and Report Integrity

    in Electronic Transactions

    Digital Signatures

    Public Key Infrastructure

    16/49

    Public Key Infrastructure (PKI)

    PKI is a combination of software, encryption technologies and facilities that can facilitate trusted electronic transactions.

    PKI Components

    Key Pairs

    Certificate Authority

    Public Key Cryptography

    17/49

    Key Pairs

    A key is a unique digital identifier

    Keys are produced using a random number generator

    A key pair consists of two mathematically related keys

    The private key is secret and under the sole control of the individual

    The public key is open and published

    19/49

    Certificate Authority

    A trusted authority

    Responsible for creating the key pair, distributing the private key, publishing the public key and revoking the keys as necessary

    The Passport Office of the Digital World

    20/49

    Digital Certificates

    A unique electronic signifier issued by a Certificate Authority that functions like a passport to verify a user's identity.

    The certificate authority binds the unique key to the following

    Name of the Certificate Authority

    Certificate Expiration Date

    Certificate Identity Number

    Certificate Storage

    software tokens

    browser certificate stores

    hardware tokens (Smart Cards, USB Tokens)
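
How a relying party uses the fields a certificate authority binds to a key, as an added Go example that is not part of the original presentation: a certificate is accepted only if it is unexpired and chains to a CA on the relying party's approved list. The CA names, subject name, serial numbers and the helpers `issue`, `accepted` and `caDemo` are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue binds a name, serial and expiry to a new key; parent == nil makes a self-signed CA.
func issue(name string, serial int64, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// accepted reports whether cert is unexpired and chains to a CA on the approved list.
func accepted(cert *x509.Certificate, approved *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: approved, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// caDemo checks three constructed certificates against a one-entry approved list.
func caDemo() (fromApproved, fromUnlisted, expired bool) {
	day := time.Now().Add(24 * time.Hour)
	caA, keyA := issue("Approved CA (constructed)", 1, day, nil, nil)
	caB, keyB := issue("Unlisted CA (constructed)", 1, day, nil, nil)
	approved := x509.NewCertPool()
	approved.AddCert(caA)
	c1, _ := issue("Facility Operator", 1001, day, caA, keyA)
	c2, _ := issue("Facility Operator", 1002, day, caB, keyB)
	c3, _ := issue("Facility Operator", 1003, time.Now().Add(-time.Minute), caA, keyA)
	return accepted(c1, approved), accepted(c2, approved), accepted(c3, approved)
}

func main() { fmt.Println(caDemo()) }
```

Only the first certificate is accepted: the second carries the same subject name but was issued by a CA that is not on the list, and the third is past its expiration date.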

    22/49

    Public Key Cryptography

    Complementary algorithms are used to encrypt and decrypt documents

    [Figure labels: Encryption key, Unreadable Format, Decryption key]

    23/49

    Public Key Infrastructure in Action

                           Public Key    Private Key

    Secure Transmission    Encrypting    Decrypting

    Signatures             Decrypting    Encrypting

    24/49

    Digital Signatures

    An individual digitally signs a document using the private key component of his certificate.

    [Figure labels: Report, Private key, Encryption Algorithm, Digitally Signed]

    25/49

    Authentication and Verification

    The individual's public key, published by the CA, decrypts and verifies the digital signature.

    [Figure labels: Digitally Signed, Public Key, Decryption Algorithm]

    26/49

    Authentication and Verification

    Any changes made to the report will invalidate the signature

    Provides evidence of report integrity

    Provides proof of report originator's identity - Authentication

    28/49

    Security in Transmission

    Secure Socket Layer (SSL)

    https

    Submission is encrypted by the sender with recipient's public key

    After receipt, submission is decrypted with recipient's private key

    29/49

    ACHIEVING TRUST IN ELECTRONIC REPORTS

    30/49

    What Should Be Signed ?

    Balance between capturing the entire content of the transaction vs. ease of data integration

    Data that is machine readable but which separates user entry content from context: database, comma delimited, spreadsheet, etc.

    Data that records content and context but which are not easily integrated into databases: Word, PDF, image, HTML, etc.

    31/49

    Ensuring Non-repudiation in Electronic

    Transactions

    Capturing Complete Transactions in

    Archive

    Signing the content and context of a

    transaction

    Storing the signed transaction in a data

    warehouse without manual intervention

    32/49

    eXtensible Markup Language

    XML can be used to store both the questions on the form (context) and the data entered by the user (content).

    The entire form can be stored as one object

    Default Values

    Lookup values (i.e. chemical classifications)

    Questions

    Physical Characteristics

    XML

    33/49

    XML Schema

    From the W3C: http://www.w3.org/1999/05/06-xmlschema-1/

    define and describe a class of XML documents by using these constructs to constrain and document the meaning, usage and relationships of their constituent parts: datatypes, elements and their content, attributes and their values, entities and their contents and notations. Schema constructs may also provide for the specification of implicit information such as default values.

    Schemas are intended to document their own meaning, usage, and function through a common documentation vocabulary.

    Business Plan Schema

    34/49

    INCORPORATING XML AND PKI

    XML Transaction Instance conforming to Schema

    Public Key Cryptography via Web Browser plugin

    35/49

    Granting Public Access to paper reports

    Public comes into agency office

    Public provides driver's license or other identification

    Agency can monitor who is accessing data

    36/49

    Providing Trusted Electronic

    Access to Data

    Identity of user is unknown

    Access cannot be monitored

    Relying on the Certificate Authority

    37/49

    Applying PKI to Public Access

    In order to obtain access to Community Right to Know Data, individuals first obtain digital certificates.

    [Figure labels: Public, Digital Certificate]

    38/49

    After contributing a certificate to gain access, the individual's certificate can be cross-referenced with other security databases to monitor suspect individuals.

    [Figure labels: Public, Digital Certificates, Agency]

    39/49

    RELEVANT LEGISLATION

    TITLE 27, Part 2, Article 5

    CA Title 2, Division 7, Ch.10 Digital Signatures

    40/49

    TITLE 27 CUPA Legislation

    41/49

    California Digital Signature Regulations

    Definitions

    Digital Signatures Must Be Created By An Acceptable Technology - Criteria For Determining Acceptability

    List of Acceptable Technologies

    Provisions For Adding New Technologies to the List of Acceptable Technologies

    Issues to Be Addressed By Public Entities When Using Digital Signatures

    California Code of Regulations Title 2. Administration DIVISION 7. CHAP 10. DIGITAL SIGNATURES

    http://www.ss.ca.gov/digsig/regulations.htm

    42/49

    California Digital Signature Regulations

    The technology known as Public Key Cryptography is an acceptable technology for use by public entities in California, provided that the digital signature is created consistent with the provisions in Section 22003(a)1-5.

    "Acceptable Certification Authorities" means a certification authority that meets the requirements of either Section 22003(a)6(C) or Section 22003(a)6(D).

    "Approved List of Certification Authorities" means the list of Certification Authorities approved by the Secretary of State to issue certificates for digital signature transactions involving public entities in California.

    44/49

    Summary: Electronic Report Transactions are subject to fraud and easily repudiated:

    Unsigned Web forms can be sent by anyone. They can be tampered with in transmission and the sender can't be legally verified

    Unsigned data in a database can be altered and does not provide adequate evidence in a court of law

    Data on diskette can be altered without visible evidence

    45/49

    Summary, cont.

    Digitally signed reports can also be repudiated, if the signed data is stored independently of the form question data.
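
The repudiation gap described in this summary, together with the earlier point that any change to a signed report invalidates the signature, as an added Go example that is not part of the original presentation. An Ed25519 key stands in for the signer's certificate key; the XML field names, the sample values and the `record` type are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed sample: XML holding a form question (context) with its answer (content).
const fullXML = `<report><field><question>Maximum quantity stored (gallons)</question>` +
	`<answer>500</answer></field></report>`

// record is an archived submission: the exact bytes signed, plus the signature.
type record struct{ data, sig []byte }

func sign(priv ed25519.PrivateKey, data string) record {
	return record{[]byte(data), ed25519.Sign(priv, []byte(data))}
}

func verify(pub ed25519.PublicKey, r record) bool {
	return ed25519.Verify(pub, r.data, r.sig)
}

// archiveDemo returns: whether the untouched XML verifies; whether the XML verifies
// after its question is reworded; whether a content-only record verifies after its
// separately stored question is reworded; and how that record is then displayed.
func archiveDemo() (intact, xmlAltered, contentOnly bool, shown string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)

	r := sign(priv, fullXML)
	intact = verify(pub, r)
	r.data = []byte(strings.Replace(fullXML, "gallons", "pounds", 1))
	xmlAltered = verify(pub, r) // the question is inside the signed bytes

	// Content-only archive: the answer is signed, the question sits in a form table.
	question := "Maximum quantity stored (gallons)"
	c := sign(priv, "500")
	question = strings.Replace(question, "gallons", "pounds", 1) // outside the signed bytes
	contentOnly = verify(pub, c)
	shown = question + ": " + string(c.data)
	return
}

func main() {
	fmt.Println(archiveDemo())
}
```

The content-only record still verifies after the question has changed from gallons to pounds, so the signature says nothing about what the signer was answering; the signed XML fails verification for the same change.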

    46/49

    Conclusion: Ensuring Trusted Electronic

    Transactions

    1. PKI supports trusted electronic report transactions:

    Authentication - authenticates the sender of a report

    Report Integrity - invalidates a report if it has been tampered with.

    Non-repudiation - sender and document are authenticated - the sender cannot deny having sent the report

    47/49

    Conclusion, cont.

    2. PKI supports trusted access to Public Data:

    Agencies require individuals to contribute

    digital certificates in order to gain access.

    Agencies can track who gains access at

    what time

    The names of individuals who seek access can be cross-referenced with additional security databases to protect public safety

    48/49

    Conclusion, cont.

    3. Complete Archiving ensures that a legal record of a transaction can be trusted:

    Non-repudiation - Storing a copy of the entire data (including questions on the form) with the digital signature.

    49/49

    Resources:

    eCompliance, Inc. http://www.ecompliance.net

    White paper / Electronic Transactions

    Copy of presentation

    Environmental Protection Agency Central Data Exchange

    http://www.epa.gov/cdx/cde.html

    National Governors Association State Guide to Electronic Reporting of Environmental Data

    http://www.nga.org/center/divisions/1,1188,C_ISSUE_BRIEF%5ED_1139,00.html