ENISA overview of TSP services security in Europe

European Union Agency for Network and Information Security www.enisa.europa.eu TSP services, standards and risk analysis Trusted e-ID infrastructures and services in EU Prof. Manel Medina (ENISA), Alex Elices (Athos Consulting) Brussels, September, 24th 2013

Upload: manel-medina

Post on 21-Jun-2015

DESCRIPTION

Analysis of the results of the survey launched by ENISA to the security professionals of the Trust Service Providers in Europe. Security of services like Time-Stamping, Long time preservation of e-Signatures, e-Validation, e-Document storage, etc. are analysed. Recommendations to improve their security are given.

TRANSCRIPT

Page 1: ENISA overview of TSP services security in Europe

European Union Agency for Network and Information Security www.enisa.europa.eu

TSP services, standards and risk analysis

Trusted e-ID infrastructures and services in EU

Prof. Manel Medina (ENISA), Alex Elices (Athos Consulting)

Brussels, September, 24th 2013

Page 2: ENISA overview of TSP services security in Europe

Contents

• Context
• Survey
• Services
• Standards
• Risk Analysis
• Recommendations summary
• Pending issues

Page 3: ENISA overview of TSP services security in Europe

Context

• Proposal for a new Regulation on eID and Trust Services for electronic transactions.

• Current Directive 1999/93/EC on a Community framework for e-signatures.

• Provisions regarding the security requirements applicable to TSPs.

• ENISA works in 2013 on a series of studies:
  – The security aspects of trust service providers issuing electronic certificates.
  – Security and interoperability aspects specific to the new trust services foreseen in the proposed Regulation.

Page 4: ENISA overview of TSP services security in Europe

Survey

• Participants: EU TSPs
• Scope: services they offer, security practices, standards used, interoperability issues and type of risks related to their operation.
• The study is focused on the services whose provisions will be regulated in the new Regulation:
  – Electronic Time Stamps (TS)
  – Electronically signed documents storage or management (eDoc)
  – Electronic delivery services (eDeliv)
  – Validation of electronic signatures (eVal)
  – Long time preservation of electronic signatures (LTP)

Page 5: ENISA overview of TSP services security in Europe

Survey

• The universe of the survey is 51 TSPs corresponding to 20 EU Member States.

• Invitations were made mainly through national regulators of certification service providers and the trust services lists they produce.

Page 6: ENISA overview of TSP services security in Europe

Services: Type of service provided

• Almost all provide certificates as well as other services.
• They are already used to implement certification schemas.
• 67% of TSPs offer services to both Public and private sector.

REC1: CSP Certification schemas could be extended to other TSP services to have harmonised criteria of QoS and SLA guidelines.

Page 7: ENISA overview of TSP services security in Europe

Services: Scope of certificates

REC2: Cross-border interoperability has to be promoted.

Page 8: ENISA overview of TSP services security in Europe

Services: Authentication mechanisms

REC3. The strength of the authentication mechanism should be proportional to the criticality of the accessed services.

Page 9: ENISA overview of TSP services security in Europe

Services: Platforms used

REC4. Promote the implementation of clients to be executed in the customer computer with web-service access to TSP (https unsafe)

Page 10: ENISA overview of TSP services security in Europe

Services: Documents storage in the TSP’s servers

The difference can be explained by the nature of the services.

REC5. Because this practice affects which security mechanisms are adequate, different profiles of the service provision should be defined for each case.

Page 11: ENISA overview of TSP services security in Europe

Standards: Security Management standards

BCM: Low use of the ISO standard, although 80% have BCP documents.

REC6. BCM standards should be promoted to address the ‘unavailability of the services’ type of risk.

Page 12: ENISA overview of TSP services security in Europe

Standards: Audits

Page 13: ENISA overview of TSP services security in Europe

Standards: e-Signature standards

REC7. Achieve full interoperability, reaching 100% acceptance of standards.

Page 14: ENISA overview of TSP services security in Europe

Standards: Time Stamping services

This is the service most offered in the survey (93%).

REC8. Although a self-generated main time source is rarely used, it should be taken into consideration in the specification of the quality of a Time Stamping service.

Page 15: ENISA overview of TSP services security in Europe

Standards: Validation services

Page 16: ENISA overview of TSP services security in Europe

Standards: Long Time Preservation services

Adding CRLs/certificates is preferred over adding only references.

REC9. The dispersion of standards used implies that best practices must be defined.

Page 17: ENISA overview of TSP services security in Europe

Risk Analysis

• Probability, Impact and Risk Values have been normalised to 100% for uniformity.

• 100% means the worst, but in most cases has been reported as 3/5, i.e. medium probability or impact.

• The aim is to identify areas where actions need to be taken, because they are the weakest in the scenario.

• Deviation of responses indicates:
  – Confidence of the result.
  – Need to harmonise views.
  – Need of guidelines implementation.

Page 18: ENISA overview of TSP services security in Europe

Risk Analysis

[Chart: Global Results. Series: Impact value, Prob. value, Risk value, Deviation; value axis 0 to 120. Risk / service pairs along the category axis:]

• Relay on not-updated certificate revocation information / eVal.
• The evolution of cryptography / LTP
• Unavailability of service / eVal.
• Unavailability of service / eDoc.
• Web site / web service impersonation / eDoc.
• Lose or alteration of evidences in chain of trust / eDoc.
• End user impersonation / eDoc.
• Compromise of the main time source / TS
• Sender or Receiver impersonation / eDel.
• Unavailability of the main time source / TS
• Relay on not-updated certificate revocation information / LTP
• Lose of accuracy of the main time source / TS
• Lose or alteration of evidences in chain of trust / LTP
• Web site / web service impersonation / eDel.
• Lose or compromise of service’s signature creation data / eDoc.
• Lose or alteration of digital evidences / eDel.
• Lose or compromise of service’s signature creation data / LTP
• Lose or alteration of digital evidences / LTP
• Lose or compromise of service’s signature creation data / TS
• Lose or alteration of evidences in chain of trust / TS
• Relay on not-updated certificate revocation information / eDel.
• Lose or alteration of digital evidences / eDoc.
• Unavailability of service / eDel.
• Relay on not-updated certificate revocation information / eDoc.
• Lose or compromise of service’s signature creation data / eDel.

Page 19: ENISA overview of TSP services security in Europe

Risk Analysis

• Loss or compromise of service’s signature creation data: high impact, but low probability and risk.
  – Adequate measures to prevent it are taken.

[Chart: Probability and Impact axes, each 0 to 120, with the point labelled "Lose or compromise of service's signature creation data".]

Page 20: ENISA overview of TSP services security in Europe

Risk Analysis

• Reliance on not-updated certificate revocation information in eValidation: high risk and probability
  – Measures are taken: services through CRLs and OCSP, but they still don’t rely on the quality of the information.
  – REC10. Quality of the certificate revocation service should be guaranteed, to allow eVal. services to trust them more.
  – In LTP & eDeliv. the probability of this risk is much lower, because these services are offered to customers close to the service provider, using credentials issued by a close TSP.
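
The "not-updated" risk above, as an added example that is not part of the ENISA slides: a validation service can decline to rely on revocation information that is expired, too old for its policy, or issued before the signature. The `RevocationInfo` fields, the verdict names, the one-day window and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class RevocationInfo:
    source: str            # "CRL" or "OCSP"
    this_update: datetime  # when the issuer produced this status
    next_update: datetime  # when the issuer promises a newer one

def freshness(info, signing_time, validation_time, max_age):
    """Classify revocation information before a validator relies on it."""
    if validation_time > info.next_update:
        return "expired"             # a newer CRL or response should exist
    if validation_time - info.this_update > max_age:
        return "too_old"             # inside nextUpdate, but stale for this policy
    if info.this_update < signing_time:
        return "predates_signature"  # says nothing about the period since signing
    return "fresh"

# Constructed sample data (not taken from the survey).
NOW = datetime(2013, 9, 24, 12, 0, tzinfo=timezone.utc)
SIGNED = NOW - timedelta(hours=2)
POLICY_MAX_AGE = timedelta(days=1)   # assumed freshness window
SAMPLES = {
    "cached CRL past nextUpdate": RevocationInfo(
        "CRL", NOW - timedelta(days=10), NOW - timedelta(days=3)),
    "weekly CRL, three days old": RevocationInfo(
        "CRL", NOW - timedelta(days=3), NOW + timedelta(days=4)),
    "OCSP cached before signing": RevocationInfo(
        "OCSP", NOW - timedelta(hours=3), NOW + timedelta(hours=1)),
    "OCSP issued after signing": RevocationInfo(
        "OCSP", NOW - timedelta(minutes=30), NOW + timedelta(minutes=30)),
}

def classify_all():
    """Run the policy over every constructed sample."""
    return {name: freshness(info, SIGNED, NOW, POLICY_MAX_AGE)
            for name, info in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name}: {verdict}")
```

The weekly CRL is the case the slide points at: it is still inside its own validity interval, yet three days of revocations are missing from it.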

Page 21: ENISA overview of TSP services security in Europe

Risk Analysis

• Web site / web service impersonation for eDocuments: high probability / high impact:
  – REC12: User training and awareness about the risk.
  – Use of strong credentials in client and server.
  – Promoting the implementation of clients to be executed in the customer computer with web-service access to TSP.

• Unavailability of the service also has high risk, due to high probability:
  – Cloud hosting service providers.

Page 22: ENISA overview of TSP services security in Europe

Risk Analysis

• Evolution of cryptography in Long Time Preservation: high risk and probability
  – It is out of control: Difficult to anticipate the evolution of algorithms.
  – REC11: The use of 2 algorithms will help, because breaking two algorithms at the same time is less probable.

• Electronic Time Stamp
  – Compromise of the main time source & Unavailability of the main time source have large dispersion of values.
  – REC8. Promote the use of internationally trusted time sources and define best practices to standardize the QoS through SLAs.

Page 23: ENISA overview of TSP services security in Europe

Recommendations summary

• REC2. Cross-border interoperability of credentials has to be promoted.

• REC3. The strength of the authentication mechanism should be proportional to the criticality of the accessed services, both in client and server.

• REC1. CSP Certification schemas could be extended to other TSP services to have harmonised criteria of QoS and SLA guidelines.

• REC8. Promote the use of internationally trusted main time sources and define best practices to standardize the QoS through SLAs. Although a self-generated main time source is rarely used, it should be taken into consideration in the specification of the quality of a Time Stamping service.

• REC12. Focus on user training and awareness to prevent ‘Web site / web service impersonation’ for eDocuments.

Page 24: ENISA overview of TSP services security in Europe

Pending issues

• In relation with the platform used, promote the implementation of clients to be executed in the customer computer with web-service access to TSP (https unsafe).

• Because storing eDocs affects which security mechanisms are adequate, different profiles of the service provision should be defined for each case.

• BCM standards should be promoted to address ‘unavailability of the services’ type of risk / Use Cloud hosting service providers to prevent unavailability.

Page 25: ENISA overview of TSP services security in Europe

Pending issues

• Achieve full interoperability, reaching 100% acceptance of eSignature standards.

• The dispersion of standards used in LTP services implies that best practices about standards adopted must be defined.

• Quality of the certificate revocation service should be guaranteed, to allow e-Validation services to trust them more.

• The use of two PKI/Hash algorithms will help to prevent cryptanalysis, because breaking two algorithms at the same time is less probable.
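
The reasoning behind REC11 and the bullet above, as an added example that is not part of the ENISA slides: a preservation record sealed with two digest algorithms still detects a substituted document after one of the algorithms has been broken. It covers hash algorithms only; `weak8` (SHA-1 cut down to 8 bits) is a constructed stand-in for a broken algorithm, and the function names and sample documents are assumptions.

```python
import hashlib
from itertools import count

# Digest functions by name. "weak8" keeps only 8 bits of SHA-1 and stands in
# for an algorithm that cryptanalysis has broken since the record was sealed.
DIGESTS = {
    "weak8": lambda data: hashlib.sha1(data).hexdigest()[:2],
    "sha256": lambda data: hashlib.sha256(data).hexdigest(),
}

def seal(document, algorithms):
    """Record one digest per algorithm when the document enters preservation."""
    return {name: DIGESTS[name](document) for name in algorithms}

def verify(document, record):
    """The document is accepted only if every recorded digest still matches."""
    return all(DIGESTS[name](document) == digest
               for name, digest in record.items())

def forge(record, algorithm, prefix):
    """Search for a different document that matches one recorded digest.

    Feasible here only because "weak8" has 256 possible values; this is the
    capability a broken algorithm would hand to whoever alters the archive.
    """
    for n in count():
        candidate = prefix + str(n).encode()
        if DIGESTS[algorithm](candidate) == record[algorithm]:
            return candidate

# Constructed sample documents.
ORIGINAL = b"Contract 2013-001: pay 100 EUR"
single = seal(ORIGINAL, ["weak8"])            # one algorithm only
dual = seal(ORIGINAL, ["weak8", "sha256"])    # REC11: two algorithms
FORGED = forge(single, "weak8", b"Contract 2013-001: pay 900 EUR #")

if __name__ == "__main__":
    print("single-algorithm record accepts forgery:", verify(FORGED, single))
    print("dual-algorithm record accepts forgery:  ", verify(FORGED, dual))
    print("dual-algorithm record accepts original: ", verify(ORIGINAL, dual))
```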

Page 26: ENISA overview of TSP services security in Europe

www.enisa.europa.eu

European Union Agency for Network and Information Security

Thank you