Trusted Electronic Transactions
Cupa pres a_2

  • XML Representation of the data appears in the esigner window. The user clicks on Sign and Submit to finish the submittal process.

    1. Trusted Electronic Transactions
    2. TOPICS COVERED
        • Why conduct transactions electronically?
        • Three characteristics that ensure trust in electronic transactions
        • How we achieve trust in paper-based transactions
        • Problems with common electronic transactions
    3. TOPICS COVERED
        • Achieving trust in electronic transactions with Digital Signature technology and an effective archiving scheme
            • What are digital signatures? An introduction to Public Key Infrastructure
            • An introduction to archiving digitally signed transactions using XML
    4. TOPICS COVERED
        • Applying Public Key Infrastructure to address security risks when granting public access to community-right-to-know data
        • Relevant legislation regarding digital signatures and electronic government transactions
    5. ELECTRONIC TRANSACTIONS
        • Streamline Reporting Process
            • Reduce burden on regulated community
        • Efficient Record Retention
        • Timely and Accurate Data Retrieval and Access
            • Emergency Response (24/7 access)
            • Community-Right-to-Know
    6. CAN ELECTRONIC DATA BE TRUSTED?
        • Accuracy and Authenticity
            • Decisions regarding Environmental Health and Impact
        • Security
            • Protection from unauthorized access
            • Tamper-resistant
                • Accidental – human errors
                • Intentional – fraud
        • Credibility in Judicial Proceedings
            • Effective Enforcement
            • Plaintiff/Defendant Subpoena
    7. JUDICIAL CREDIBILITY is the Highest Standard for Trusted Data **
        • Evidence must be unambiguous to be admissible in court
        • Once admitted into court, evidence must be persuasive to a jury
        ** National Governor’s Association (NGA) State Guide to Environmental Reporting
    8. WHAT DETERMINES A LEGALLY BINDING REPORT?
        • 1. AUTHENTICATION: the ability to prove the sender’s identity
        • 2. REPORT INTEGRITY: the ability to prove that there has been no change during transmission, storage, or retrieval
        • 3. NON-REPUDIATION: the ability to prove that the originator of a report intended to be bound by the information contained in the report
    9. NON-REPUDIATION, AUTHENTICATION, REPORT INTEGRITY
    10. TRUST IN PAPER-BASED REPORTS
    11. ELECTRONIC REPORTING
    12. FROM PAPER TO ELECTRONIC: Repudiation Risks in Basic Electronic Transactions
        • “I did not send that report!”
        • “That report is not the one I sent!”
        • “I did not mean that!”
    13. “I did not send that report!”
        • Identity of user is unknown
        • Possible Solutions:
            • Telephone call follow-up
            • Terms and Conditions Agreement (TCA) / Mailed Certification Agreement
            • Mail a Diskette Containing Electronic Data
    14. “That report is not the one I sent!”
        • Electronic reports contain no evidence of tampering in transmission, storage or retrieval
        • Sources of possible loss of data integrity
            • Human Error
            • Data Corruption
            • Fraud
    15. Ensuring Authenticity and Report Integrity in Electronic Transactions
        • Digital Signatures
            • Public Key Infrastructure
    16. Public Key Infrastructure (PKI)
        • PKI is a combination of software, encryption technologies and facilities that can facilitate trusted electronic transactions.
        • PKI Components
            • Key Pairs
            • Certificate Authority
            • Public Key Cryptography
    17. Key Pairs
        • A “key” is a unique digital identifier
            • Keys are produced using a random number generator
        • A “key pair” consists of two mathematically related keys
            • The private key is secret and under the sole control of the individual
            • The public key is open and published
    19. Certificate Authority
        • A trusted authority
        • Responsible for creating the key pair, distributing the private key, publishing the public key and revoking the keys as necessary
        • The “Passport Office” of the Digital World
    20. Digital Certificates
        • A unique electronic signifier issued by a Certificate Authority that functions like a passport to verify a user’s identity.
        • The certificate authority binds the unique key to the following:
            • Name of the Certificate Authority
            • Certificate Expiration Date
            • Certificate Identity Number
        • Certificate Storage
            • software tokens
            • browser certificate stores
            • hardware tokens (Smart Cards, USB Tokens)
    22. Public Key Cryptography
        • Complementary algorithms are used to encrypt and decrypt documents
        • Diagram labels: Encryption key; Unreadable Format (@#@#@$$56455908283923542#$@$#%$%$^&); Decryption key
    23. Public Key Infrastructure in Action
        • Diagram labels: Public Key, Private Key, Secure Transmission, Signatures, Decrypting, Encrypting, Encrypting, Decrypting
    24. Digital Signatures
        • An individual digitally signs a document using the private key component of his certificate.
        • Diagram labels: Report, Private key, Encryption Algorithm, Digitally Signed
    25. Authentication and Verification
        • The individual’s public key, published by the CA, decrypts and verifies the digital signature.
        • Diagram labels: Digitally Signed, Public Key, Decryption Algorithm
    26. Authentication and Verification
        • Any changes made to the report will invalidate the signature
        • Provides evidence of report integrity
        • Provides proof of report originator’s identity (Authentication)
    28. Security in Transmission
        • Secure Socket Layer (SSL)
        • https
        • Submission is encrypted by the sender with recipient’s public key
        • After receipt, submission is decrypted with recipient’s private key
    29. ACHIEVING TRUST IN ELECTRONIC REPORTS
    30. What Should Be Signed?
        • Balance between capturing the entire content of the transaction vs. ease of data integration
            • Data that is machine readable but which separates user entry content from context: database, comma delimited, spreadsheet, etc.
            • Data that records content and context but which is not easily integrated into databases: word, pdf, image, html, etc.
    31. Ensuring Non-repudiation in Electronic Transactions
        • Capturing Complete Transactions in Archive
            • Signing the content and context of a transaction
            • Storing the signed transaction in a data warehouse without manual intervention
    32. XML
        • eXtensible Markup Language
        • XML can be used to store both the questions on the form (context) and the data entered by the user (content).
        • The entire form can be stored as one object
            • Default Values
            • Lookup values (i.e. chemical classifications)
            • Questions
            • Physical Characteristics
    33. XML Schema
        • From the W3C (http://www.w3.org/1999/05/06-xmlschema-1/): “… define and describe a class of XML documents by using these constructs to constrain and document the meaning, usage and relationships of their constituent parts: datatypes, elements and their content, attributes and their values, entities and their contents and notations. Schema constructs may also provide for the specification of implicit information such as default values. Schemas are intended to document their own meaning, usage, and function through a common documentation vocabulary.”
        • Figure: Business Plan Schema
    34. INCORPORATING XML AND PKI
        • XML Transaction Instance conforming to Schema
        • Public Key Cryptography via Web Browser plugin
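
The signing and verification steps on slides 24 to 26, together with the point on slides 30 to 32 that content and context must be signed as one object, shown as an added example that is not part of the original presentation. It assumes Ed25519 from Node's built-in crypto module in place of a certificate key pair, a constructed two-field form, and a fixed serializer in place of XML canonicalization; all function names are illustrative.

```javascript
// Added example. Ed25519 from Node's built-in crypto stands in for the key pair
// bound to a signer's certificate; field names and values are constructed.
const { generateKeyPairSync, sign, verify } = require('crypto');

// Constructed form: each field holds the question (context) and the answer (content).
const form = [
  { id: 'chem', question: 'Chemical name', answer: 'Chlorine' },
  { id: 'qty', question: 'Maximum daily amount (lbs)', answer: '500' },
];

const esc = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/"/g, '&quot;');

// Whole transaction as one XML object. A fixed serializer keeps the bytes
// deterministic; real XML signing would canonicalize the document first.
function toXml(fields) {
  const rows = fields.map((f) =>
    `<field id="${esc(f.id)}"><question>${esc(f.question)}</question>` +
    `<answer>${esc(f.answer)}</answer></field>`);
  return `<report>${rows.join('')}</report>`;
}

// Answers only, the way a database row or comma-delimited export stores them.
function toAnswersOnly(fields) {
  return fields.map((f) => `${f.id}=${f.answer}`).join(';');
}

const signText = (text, privateKey) => sign(null, Buffer.from(text, 'utf8'), privateKey);
const verifyText = (text, sig, publicKey) => verify(null, Buffer.from(text, 'utf8'), publicKey, sig);

// Return a copy of the form with one property of one field changed.
const withChange = (id, key, value) =>
  form.map((f) => (f.id === id ? { ...f, [key]: value } : f));

function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  const other = generateKeyPairSync('ed25519').publicKey;
  const sigFull = signText(toXml(form), privateKey);
  const sigAnswers = signText(toAnswersOnly(form), privateKey);

  const editedAnswer = withChange('qty', 'answer', '50');
  // The stored form definition changes after signing: pounds become tons.
  const editedQuestion = withChange('qty', 'question', 'Maximum daily amount (tons)');

  return {
    originalVerifies: verifyText(toXml(form), sigFull, publicKey),
    wrongKeyRejected: !verifyText(toXml(form), sigFull, other),
    answerEditDetected: !verifyText(toXml(editedAnswer), sigFull, publicKey),
    questionEditDetected: !verifyText(toXml(editedQuestion), sigFull, publicKey),
    // The answers-only signature still verifies, so it cannot show which
    // question the signer was answering.
    answersOnlyDetectsQuestionEdit:
      !verifyText(toAnswersOnly(editedQuestion), sigAnswers, publicKey),
  };
}

console.log(demo());
```
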
    35. Granting Public Access to paper reports
        • Public comes into agency office
        • Public provides driver’s license or other identification
        • Agency can monitor who is accessing data
    36. Providing Trusted Electronic Access to Data
        • Identity of user is unknown
        • Access cannot be monitored
        • Relying on the Certificate Authority
    37. Applying PKI to Public Access
        • In order to obtain access to Community Right to Know Data, individuals first obtain digital certificates.
        • Diagram labels: Public, Digital Certificate
    38. After contributing a certificate to gain access, the individual’s certificate can be cross-referenced with other security databases to monitor suspect individuals.
        • Diagram labels: Public, Digital Certificates, Agency
    39. RELEVANT LEGISLATION
        • TITLE 27, Part 2, Article 5
        • CA Title 2, Division 7, Ch. 10 Digital Signatures
    40. TITLE 27 – CUPA Legislation
    41. California Digital Signature Regulations
        • Definitions
        • Digital Signatures Must Be Created By An Acceptable Technology: Criteria For Determining Acceptability
        • List of Acceptable Technologies
        • Provisions For Adding New Technologies to the List of Acceptable Technologies
        • Issues to Be Addressed By Public Entities When Using Digital Signatures
        Source: California Code of Regulations, Title 2. Administration, DIVISION 7. CHAP 10. DIGITAL SIGNATURES, http://www.ss.ca.gov/digsig/regulations.htm
    42. California Digital Signature Regulations
        • The technology known as Public Key Cryptography is an acceptable technology for use by public entities in California, provided that the digital signature is created consistent with the provisions in Section 22003(a)1-5.
        • "Acceptable Certification Authorities" means a certification authority that meets the requirements of either Section 22003(a)6(C) or Section 22003(a)6(D).
        • "Approved List of Certification Authorities" means the list of Certification Authorities approved by the Secretary of State to issue certificates for digital signature transactions involving public entities in California.
    44. Summary: Electronic Report Transactions are subject to fraud and easily repudiated:
        • Unsigned Web forms can be sent by anyone. They can be tampered with in transmission and the sender can’t be legally verified
        • Unsigned data in a database can be altered and does not provide adequate evidence in a court of law
        • Data on diskette can be altered without visible evidence
    45. Summary, cont.
        • Digitally signed reports can also be repudiated if the signed data is stored independently of the form question data.
    46. Conclusion: Ensuring Trusted Electronic Transactions
        • 1. PKI supports trusted electronic report transactions:
            • Authentication: authenticates the sender of a report
            • Report Integrity: invalidates a report if it has been tampered with
            • Non-repudiation: sender and document are authenticated; the sender cannot deny having sent the report
    47. Conclusion, cont.
        • 2. PKI supports trusted access to Public Data:
            • Agencies require individuals to contribute digital certificates in order to gain access.
            • Agencies can track who gains access at what time
            • The names of individuals who seek access can be cross-referenced with additional security databases to protect public safety
    48. Conclusion, cont.
        • 3. Complete Archiving ensures that a legal record of a transaction can be trusted:
            • Non-repudiation: storing a copy of the entire data (including questions on the form) with the digital signature.
    49. Resources:
        • eCompliance, Inc. http://www.ecompliance.net
            • White paper / Electronic Transactions
            • Copy of presentation
        • Environmental Protection Agency
            • Central Data Exchange http://www.epa.gov/cdx/cde.html
        • National Governor’s Association
            • State Guide to Electronic Reporting of Environmental Data http://www.nga.org/center/divisions/1,1188,C_ISSUE_BRIEF%5ED_1139,00.html
