controller of certifying authorities pki technology - role of cca assistant controller (technology)...

Controller ofCertifying Authorities

PKI Technology -Role of CCA

Assistant Controller (Technology)Controller of Certifying Authorities

Ministry of Communications & Information Technology

Controller of Certifying Authorities

Role of CCA for secure e-Commerce and e-Governance

Authentication of entities in cyberspacePrevention of deliberate or accidental Disclosure and/or Amendment/Deletion of dataPunishment for cyber crimes Licencing of CAs and establishment of PKI


Security Issues :-

Confidentiality Integrity Authenticity Non-Repudiability


Threats to Authenticity

Masquerading

Counter MeasuresStrong

Digital Signature - Cryptographically generated credentials.


Encryption:Transformation of data to Prevent information being read by unauthorised parties.Sender and Receiver have to know the rules which have been used to encrypt the data.Based on Algorithms which are mathematical functions for combining the data with a string of digits called the Key. The result is the encrypted text.Eg: Adding a fixed number of characters, say 5, to each character in the message that is being encrypted.

The word SECURITY then becomes the encrypted text XJHZWNYD


Document Document

to be sentto be sent

Document Document

to be sentto be sentEncodedEncoded

DocumentDocumentEncodedEncoded



DocumentDocumentReceivedReceived

DocumentDocument

ReceivedReceived

DocumentDocument

Symmetric

key

Symmetric

Key

Encryption TechnologiesSymmetric Key Cryptography

•Identical keys are used for encryption and decryption.

• Requires both parties to a digital conversation to know the key


‘n’ Partners means handling n secret keysAuthenticity cannot be proved.

Encryption TechnologiesSymmetric Key Cryptography (contd.)


Public key cryptographyEach party is assigned a pair of keys –

private – known only by the ownerpublic - known by everyone

Information encrypted with the private key can only be decrypted by the corresponding public key & vice versaFulfils requirements of confidentiality, integrity, authenticity and non-repudiabilityNo need to communicate private keys


Digital Signatures

Pair of keys for every entity

One Public key – known to everyone

One Private key – known only to the possessor


Digital Signatures

To digitally sign an electronic document the signer uses his/her Private key.

To verify a digital signature the verifier uses the signer’s Public key.


Digital Signature

•The message is encrypted with the sender’s private key

• Recipient decrypts using the sender’s public key

Private

SKA

DocumentDocumentDocumentDocument

Digital Digital SignatureSignatureDigital Digital

SignatureSignature

DocumentDocumentDocumentDocument

Public

CONFIRMEDCONFIRMEDDigital Digital

SignatureSignature

CONFIRMEDCONFIRMEDDigital Digital

SignatureSignature

DocumentDocumentDocumentDocument DocumentDocumentDocumentDocument

Digital Digital SignatureSignatureDigital Digital

SignatureSignature

PKA


Message Integrity

one-way hash functions use no keyoriginal data cannot be generated from hash outputNo two messages will generate the same hash.

SIGN the HASH NOT the entire Message


Maintaining Message Integrity

message Hash

Hashgeneration

function

CheckHash

message messageHash

HashHashHash

generationfunction

NoRejectMessage

YesAcceptMessage

SENDER RECEIVER


Public Key Cryptography

Encryption Technologies

Sender A(PKA,SKA)

Receiver B(PKB,SKB)

DocumentDocumentDocumentDocument DocumentDocumentDocumentDocumentEncryptedEncrypted

DocumentDocument

EncryptedEncrypted

DocumentDocument

EncryptedEncrypted

DocumentDocument

EncryptedEncrypted

DocumentDocument

PKB

SKB

Confidentiality


Signed Messages

Message+

Signature

Message+

Signature

HashHash

VERIFYSignatureWith Sender’s Public Key

VERIFYSignatureWith Sender’s Public Key

SIGN hashWith Sender’s Private key

SIGN hashWith Sender’s Private key

Message+

signature

Message+

signature

COMPARECOMPARE

HashHashMessageMessage

Sender Receiver

HashHash

Using Hash function on the message

Signed Message

DECRYPTDECRYPTMessage + signaturewith Receiver’s Private Key

DECRYPTDECRYPTMessage + signaturewith Receiver’s Private Key

ENCRYPTENCRYPTMessage +signaturewith Receiver’sPublic Key

ENCRYPTENCRYPTMessage +signaturewith Receiver’sPublic Key

Encrypted MessageSent thru’ Internet

Using Hash Function

Confidential


Authenticity and Confidentiality

A signs message with his own private keyA then encodes the resulting message with B’s Public keyB decodes the message with his own Private keyB applies A’s Public key on the digital signature


Authenticity and Confidentiality

When A uses his own private key, it demonstrates that

he wants to sign the documenthe wants to reveal his identityhe shows his will to conclude that agreement

The encoded message travels on the Net, but nobody can read it : confidentiality


Authenticity and Integrity

B needs to know that A and only A sent the message

B uses A’s public key on the signatureOnly A’s public key can decode the messageA cannot repudiate his signature

Digital signature cannot be reproduced from the messageNo one can alter a ciphered message without changing the result of the decoding operation


Issues in Public key Cryptosystems

How will recipient get senders public key?How will recipient authenticate sender's public key ?How will the sender be prevented from repudiating his/her public key?


Certifying Authority

An organization which issues public key certificates. • Must be widely known and trusted• Must have well defined methods of assuring the

identity of the parties to whom it issues certificates.• Must confirm the attribution of a public key to an

identified physical person by means of a public key certificate.

• Always maintains online access to the public key certificates issued.


Public-Key Certification

UserName

User’sPublic

Key

CA’sName

Validationperiod

Signatureof CA

User 1 certificate

User 2 certificate.

Signed by using

CA’sprivate

key

UserName &

other credentials

User’s Public

key

User Certificate Certificate Database

PublishCertificateRequest


Contents of a Public Key Certificate

Issued by a CA as a data message and always available online

S.No of the CertificateApplicant’s name, Place and Date of Birth, Company NameApplicant’s legal domicile and virtual domicileValidity period of the certificate and the signatureCA’s name, legal domicile and virtual domicileUser’s public keyInformation indicating how the recipient of a digitally signed document can verify the sender’s public keyCA’s digital signature


Certificate Revocation List

• A list of all known Certificates that have been

revoked and declared invalid


Technical Infrastructure Controller of Certifying Authorities

as the “Root” Authority certifies the technologies and practices of all the Certifying Authorities licensed to issue Digital Signature Certificates


Technical Infrastructure..contd

The CCA operates the following :-Root Certifying Authority (RCAI) under section 18(b) of the IT Act, and National Repository of Digital Signature Certificates (NRDC)Web site cca.gov.in


End entities, subscribers and relying parties

The End entities of RCAI are the Licensed CAs in India. Subscribers and relying parties using the certificates issued by a CA need to be assured that the CA is licensed by the CCA. They should be able to verify the licence under which a PKC has been issued by a CA.


Strong Room for RCAI

Reinforced walls for room housing RCAI24-hour surveillance through CCTVAccess controls through proximity cards and biometric readersPhysical security including locksSecurity personnel


National Repository : NRDC

National Repository of Digital CertificatesCertificate Revocation List


Internet

Directory Client

CA

CA

CA

LAN

Cert/CRL

Cert/CRL

Cert/CRL

RCAI

CCA

NRDC

RelyingParty

SubscriberSubscriber Subscriber

CA Public Keys Certified by RCAI CA’s Revoked Keys

CCA : National Repository of Certificates of Public

Keys of CAs and Certificates issued by CAs

Controller ofCertifying Authorities

Thank you

controller of certifying authorities pki technology - role of cca assistant controller (technology)...

Documents