The Hong Kong Public Key Infrastructure 2010

Presentation at the Health Informatics Workshop at the Hong Kong Medical Association, 21 June 2010.

Transcript of "The Hong Kong Public Key Infrastructure 2010"

  1. The Hong Kong Public Key Infrastructure 2010 - Presentation to Hong Kong Medical Association, June 2010. S.C. Leung, CISSP CISA CBCP
  2. About the Speaker
     • S.C. Leung
     • Professional affiliations
       • Secretary of Internet Society Hong Kong
       • Founding Chairperson of Professional Information Security Association
       • Professional designations: CISSP, CISA and CBCP
     • Work
       • Information Senior Consultant
     • Contact
       • [email_address]
       • www.facebook.com/scleung.hk
  3. Why Public Key Infrastructure?
     • Internet is not a trusted medium
       • Confidentiality
         • Data travels over different paths, so it can be intercepted and sniffed
       • Integrity
         • Content of data can be modified during transit
         • Identity of sender or author of data can be spoofed (e.g. phishing, identity theft)
     • Public Key Infrastructure (PKI) tries to provide a solution
  4. Before PKI
     • Traditional symmetric (private only) key encryption
       • Encryption and decryption by the same (symmetric) private key, which is a secret
       • Share private keys before transaction → not scalable
  5. Basics of PKI
     • Asymmetric Public Key Encryption
       • Public / Private Key Pair
         • Public key is made available to everyone
         • Private key is secured by owner
       • Sender encrypts data using recipient's public key
       • Recipient decrypts data using own private key
  6. Chain of Trust and CA Management
     • Root Certificate Authority and Chain of Trust
       • Trust is given to a small number of Root CA Certificates
       • Inherit trust from the Root CA Certificates to Intermediate CA Certificate, etc. → Chain of Trust
       • CAs have an obligation to verify server/client authenticity (manual procedure) before issuing the digital certificates
       • Root CA has to maintain a physically and logically secure repository for the digital certificate
  7. Certificate Policy Statement
     • Certificate Policy Statement
  8. Chain of Trust
     • Untrusted root certificate
     [Diagram labels: Root CA cert, Server Cert; Root CA cert, Intermediate CA cert, Server Cert]
     Example: a public certificate of an online banking web site
  9. Root Certificates Stores
     • Ultimate trust goes to Root Certificates in the Certificate Store
     • Microsoft Windows has HongKong Post root certificates installed (2004 onwards)
       • IE, some Windows-based browsers (such as Safari, Chrome) and email clients use this certificate store
     • Linux has its own crypto store
     • MacOS keychain
  10. Root Certificate Store
     • Firefox has its own certificate store with the HongKong Post root cert. loaded by default
     • Opera does not have the HongKong Post root cert. by default
  11. Browser settings for SSL digital certificate
     • In IE browser, choose Internet Options | Advanced
     [Screenshot label: CRL]
  12. Use of PKI
  13. Use of PKI: User Authentication
     • Computer Login
     • Critical System login
     • Remote Access / VPN Authentication
       • No removable media policy
     Image sources: www.pisa.org.hk, www.apple.com
  14. Use of PKI: Two-Factor Authentication
     • Using Client Certificates for online transaction, or access to critical systems
       • Client certificate in addition to PIN
       • Client certificate can be held in Smart ID Card, iKey USB token, etc.
  15. Use of PKI: Traffic Encryption and Authentication
     • Web site using Server Certificate (SSL) only
       • Server authentication (yellow padlock in IE)
       • Traffic (data in transit) encryption
     • Email Messaging System
       • Encrypt Email Message Transport
       • Authenticate email sender
     • Server to Server connection
       • Critical private systems
  16. Use of PKI
     • File / Folder Encryption
       • Useful for removable disk storage encryption
     • Files / Record Signing
       • Examination report, patient report signing
       • Validate if signed file (e.g. security patch or virus definition update file) is original and untampered
     Image source: www.pisa.org.hk
  17. Management of Certificates
  18. Scope of Use of Certificate
     • Trust CA
       • Encipherment (Encryption)
       • Digital Signature
       • Trust the CA to identify a web site
       • Trust the CA to identify an email user
       • Trust the CA to identify a software developer
  19. Validity of Certificate
     • Valid Date
     • Expired Certificate
  20. Revocation of Certificate
     • Certificate Revocation List
     • Revoked certificate
  21. Legal Framework for PKI
  22. Legal Foundation of Hong Kong PKI
     • Electronic Transactions Ordinance (Cap. 553)
       • Enacted in 2000
         • Modelled on the UN Commission on International Trade (UNCITRAL) Model Law on Electronic Commerce
         • Major Content
           • Provides a legal framework for the conduct of electronic transactions
           • Establishes e-records and digital signatures to enjoy the same legal status as their paper counterparts (i.e. non-repudiation)
             • Digital signature used for G2G and G2B
           • Establishes a voluntary recognition scheme for Certificate Authorities and empowers the Government Chief Information Office ("GCIO") to grant recognition to CAs and digital certificates
  23. ETO 2004 update
     • Facilitate e-transactions not involving a government body
       • B2B transactions under contract: any form of electronic signature, provided it is reliable and appropriate
         • Common Law approach: a matter to be determined by parties to the contract → technology neutral
         • Electronic signature
           • Any letters, characters, numbers or other symbols in digital form attached to or logically associated with an electronic record, and executed or adopted for the purpose of authenticating or approving the electronic record.
             • Digital signature is one form of electronic signature.
             • PIN is another.
             • *But biometrics was not included
  24. Recognized CAs in Hong Kong
     • Code of Practice for Recognized CAs
       • Publish Certification Practice Statement (CPS)
       • Issue and revoke certificates
       • Publish certificates issued and the certificate revocation list (CRL)
       • Annual Assessment Report (on trustworthiness) by independent party. Operation Report by officer of CA.
     [Diagram labels: GCIO, Digi-Sign, ID-Cert, Electronic Transactions Ordinance, Voluntary Recognition Scheme]
  25. CAs
     • Hongkong Post was appointed the HKSAR CA in 1999
       • Operation outsourced to E-Mice Apr-2007 to Mar 2012
         • Types of e-Certs
       • Issues recognized "e-Cert" for personal and organizational uses
     • Digi-Sign Certification Service Limited
       • Previously under Tradelink
       • Issues recognized "ID-Certs" for personal and organizational use
       • Acts as gateway between Govt and Trade Community
  26. e-Cert Applications: Online Banking, Online Betting, E-Government, Online Shopping, Online Securities Trading
  27. Government Online Services (through GovHK) using digital signatures
  28. Cross-border Recognition
     • Certificates recognized by ETO of Hong Kong may not be recognized by other jurisdictions, and vice versa
     • Mutual Recognition of Electronic Signature Certificates Issued by Hong Kong and Guangdong
         • promote investment facilitation
         • enhance the security of e-transactions
       • 2008 Working Group
       • 2010-Apr Pilot Project started. Recognized CAs in both places and their partners can submit applications
     [Diagram labels: CA, CA, reverse cross-cert., forward cross-cert., local, remote]
  29. Useful References
  30. Useful Further References
     • The Electronic Transactions Ordinance, HKSARG, 2004
       • http://www.ogcio.gov.hk/eng/eto/eeto.htm
     • Use of Public Key Technology, Johnson & Johnson, 2004
       • http://www.dartmouth.edu/~deploypki/summit04/presentations/JNJ_case_study.ppt
     • "Japan Medical and Healthcare Network" in Asia PKI Application Casebook Nov 2005, BAWG, Asia PKI Forum
       • http://www.japanpkiforum.jp/shiryou/APKI-F/PKI_App_CaseBook_1st.pdf
     • Case Study: Denmark's Achievement with Healthcare Information Exchange
       • http://www-03.ibm.com/industries/ca/en/healthcare/files/gartner-case_study-denmarks_achievementswHIE.pdf
  31. Point of Contact
     Name: SC Leung
     Email: sc@itvoice,hk
     FB: scleung.hk
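
The chain of trust from slides 6, 8 and 9 (Root CA cert → Intermediate CA cert → Server Cert, and the "untrusted root certificate" case), as an added example that is not part of the presentation. It uses the openssl command line; the CA names, the host name www.example.test and the function names mk_pki and check_chain are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names (Example root CA, www.example.test) are constructed.

# mk_pki DIR: create root CA -> intermediate CA -> server cert, plus an unrelated root.
mk_pki() {
  d=$1
  # Minimal config so nothing depends on a system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$d/o.cnf"
  for ca in root other; do   # two self-signed roots; only "root" signs anything
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/o.cnf" \
      -extensions v3_ca -subj "/CN=Example $ca CA" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
  done
  # Intermediate CA: signed by the root, marked CA:TRUE so it may issue certificates.
  openssl req -newkey rsa:2048 -nodes -config "$d/o.cnf" \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/o.cnf" -extensions v3_ca -days 30 \
    -out "$d/int.pem" 2>/dev/null || return 1
  # Server certificate: signed by the intermediate, not by the root directly.
  openssl req -newkey rsa:2048 -nodes -config "$d/o.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 30 -out "$d/srv.pem" 2>/dev/null || return 1
}

# check_chain STORE_ROOT [INTERMEDIATE]: validate srv.pem. -CAfile stands in for
# the root certificate store; -untrusted supplies the intermediate the server sends.
check_chain() {
  store=$1; shift
  if [ $# -gt 0 ]; then set -- -untrusted "$1"; fi
  if openssl verify -CAfile "$store" "$@" "$PKI/srv.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

PKI=$(mktemp -d) && trap 'rm -rf "$PKI"' EXIT
mk_pki "$PKI" || { echo "openssl failed" >&2; exit 1; }
echo "root in store, full chain:  $(check_chain "$PKI/root.pem" "$PKI/int.pem")"  # trusted
echo "different root in store:    $(check_chain "$PKI/other.pem" "$PKI/int.pem")" # untrusted
echo "intermediate not presented: $(check_chain "$PKI/root.pem")"                 # untrusted
```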