Arab Forum on e-transactions Security and the Public Key Infrastructure (PKI),
Tunisia, 25-27 January 2010



PKI in Saudi Arabia
Design, Services, and Policies

Dr. Fahad Al Hoymany
Senior Advisor
Director of National Center for Digital Certification
MCIT, Saudi Arabia

Jan 26, 2010
Saudi PKI Services and Structure

PKI is a security infrastructure adopted by Saudi Arabia to provide:
  (1) Confidentiality
  (2) Authentication
  (3) Data Integrity
  (4) Non-Repudiation/Digital Signature

The Saudi PKI is based on a hierarchical CA model.

All CAs are housed in and operated by The National Center for Digital Certification (NCDC).

The Saudi PKI consists of two main CSPs:
  1. Government CSP for servicing the government sector.
  2. Commercial CSP for serving the private sector (and others).
 Dr. Fahad AlHoymany, National Center for Digital Certification (NCDC)   2
Saudi PKI Structure

(Hierarchy as drawn on the slide; the National Policy Authority and a Foreign CA are shown at the
top level beside the Root CA. Each CSP has its own RA and PA.)

National Policy Authority          Root CA          Foreign CA
                                      |
              +-----------------------+-----------------------+
              |                                               |
        Government CA                                   Commercial CA
              |                                               |
     +--------+--------+                           +----------+----------+
     |        |        |                           |                     |
 Government  Government  ...                   Commercial            Commercial
    CSP        CSP                                CSP                   CSP
  RA   PA    RA   PA                            RA   PA               RA   PA
                                      |
                                 Subscribers
Saudi PKI Strategy

  1. Centralized certificate issuance and management.
  2. Distributed user registration and management.
  3. National PKI policies drive acceptance.
  4. e-Government is the driver for successful PKI deployment.
  5. Issue separate certificates for authentication, signing, and encryption.
  6. Use smart card, USB token, and roaming methods.
Structure of Certificate Chain

Root CA Certificate -> Government CA Certificate -> User Certificate

  Root CA Certificate:        identity of the Root CA associated with its public key and signed by the Root CA (itself).
  Government CA Certificate:  identity of the Government CA associated with its public key and signed by the Root CA.
  User Certificate:           identity of the user associated with the user's public key and signed by the Government CA.
Example: Customer Logs on to Bank Website

Customer side (Ahmad, using a browser): National ID certificate with ID 123456 and the corresponding
private key (labelled on the slide in Arabic as "the private key").

Bank side: record for Ahmad Ibrahim, National ID 123456, Account No. 7788, Balance = $75000, held in an
account table keyed by ID:

  ID          Acct
  123456      7788
  ---------   ---------
  ---------   ---------

Steps shown on the slide:
  1. Challenge-response between the bank and the customer's browser.
  2. Secret key exchange.
  3. Secure transactions.
Certificate and Key Lifetimes

Certificate lifetimes are as follows:
  - End Users (including Non-Humans and Entities): 3 Years
  - CA (Level 1 CA): 10 Years
  - Root CA: 20 Years

Key lengths are as follows:
  - End Users (including Non-Humans and Entities): 1024 bits
  - CA (Level 1 CA): 2048 bits
  - Root CA: 4096 bits

No certificate renewal is done, except at key update times, unless the CSP's policy demands otherwise.
Backup and Recovery

Signing keys are never backed up.
  - Difficult to enforce non-repudiation if the signing key is backed up.

The creation of a signing key would be done under the control of the user.

Key backup, Archive/History, Escrow, and Recovery will be provided for all CSPs.

Key history will be included on user cryptographic tokens for convenience.
Types of PKI Certificates

  - Email Certificate (e.g. ahmad@org.gov.sa): links an email address to a public key.
    Used for signing, encrypting, and authentication via email address.

  - Name Certificate (e.g. Ahmad Ibrahim Abdullah): links a name to a public key.
    Used for signing, encrypting, and authentication via a person's name.
Types of PKI Certificates

  - Website Certificate (e.g. www.Bank.com.sa): links a website address to a public key.
    Used for signing and authentication via domain name.

  - National ID Certificate (e.g. 123456): links a national ID to a public key.
    Used for signing and authentication via national ID number.
Types of PKI Certificates

  - Mobile Number Certificate (e.g. 0504443245): links a mobile number to a public key.
    Used for signing, encrypting, and authentication via mobile number.

  - Device Certificate (e.g. 192.23.45.11): links an IP address to a public key.
    Used for signing, encrypting, and authentication via IP address (or any other device identifier).
Electronic Transactions Act

The Act aims at the control, organization, and provision of a regulatory framework for electronic
transactions and signatures to achieve the following:

  1. Establish standard rules for using electronic transactions and signatures and facilitating their
     application in the public and private sectors by means of reliable electronic records.
  2. Give credibility and accord trustworthiness to the accuracy and integrity of electronic
     transactions, signatures, and records.
  3. Streamline the introduction of electronic transactions and signatures both at the national and
     international levels.
  4. Prevent misuse and fraudulent practices in electronic transactions and signatures.
Warranties, Liabilities, and Indemnification

Warranties:
  - Root CA and CSPs ensure that they provide services consistent with the CP, CPS and operating rules.
  - No warranties as a result of loss due to war, natural disasters, unauthorized use of certificates,
    negligence, etc.

Liabilities:
  - End-users, RAs, and CSPs are liable for misrepresentation of certificate information.
  - Subscribers are liable for breach of the Subscriber's agreement.
  - Relying Parties are liable for failure to perform according to the Relying Party Agreement.
  - RAs are liable for failure to perform according to the Registration Authorities agreement.
  - NPA will set liability limits and indemnification outreach.
Dispute Resolution

Dispute Resolution Committee arbitrates on all claims or disputes.

NPA will define the role of the Dispute Resolution Committee:
  - Objectives and responsibilities.
  - Reporting structure.
  - Relationships with other NPA committees, CSP Policy Authorities and outside parties.
  - Rules of procedures and practice.
  - Powers and jurisdiction.

Dispute Resolution Policy includes:
  - Types of claims and disputes it applies to, e.g. key/certificate management, time-stamping,
    transactions, etc.
  - Applicability (to whom it applies).
  - Dispute resolution procedure.
  - Any exceptions or exclusions.

Voluntary mediation first, then binding arbitration.
Center Photos

(Six slides of photographs of the center; the images are not reproduced in this text.)
THANK YOU

Further information can be found here:

http://www.pki.gov.sa
http://www.ncdc.gov.sa