
Creating Trust in Electronic Environment - IT Act 2000




  1. Controller of Certifying Authorities Creating Trust in Electronic Environment- IT Act 2000 Deputy Controller (Technology) Controller of Certifying Authorities Ministry of Communications & Information Technology

  2. E-Commerce Promotion
     • Creating Trust in Electronic Environment - Establishing Digital Signature Framework

  3. Agenda
     • Trust in the Paper world
     • Trust issues in the Electronic World
     • Concept of Digital Signatures
     • Role of CAs
     • PKI
     • IT Act
     • Role of CCA

  4. Electronic Commerce
     • EC transactions over the Internet include
       • Formation of Contracts
       • Delivery of Information and Services
       • Delivery of Content
     • Future of Electronic Commerce depends on “the trust that the transacting parties place in the security of the transmission and content of their communications”

  5. Electronic Juridical Statements
     • Juridical statements which are set up telematically
     • Computers are the only means by which contracting parties set up their agreements
     • Examples include
       • EFT
       • Teleshopping
       • Electronic consultation of data banks
       • Tele-reservation
       • Contracts, deeds, agreements
       • Dealing with Public Administrations

  6. The Paper World - Documents
     • A paper document consists of four components
       • the carrier (the sheet of paper)
       • text and pictures (the physical representation of information)
       • information about the originator
       • measures to verify the authenticity (written signature)
     • All the four components are physically connected
     • So, paper is the document
     • There is only one original
       • can be reproduced in innumerable copies

  7. The Paper World - Signature
     • Supposed to be unique, difficult to reproduce, not changeable and not reusable
     • Its main functions
       • identification
       • declaration
       • proof
     • The signature is used to identify a person and to associate the person with the content of that document
       • always related to a physical person

  8. The Paper World - Signature (contd)
     • In all legal systems
       • Absence of a prescription of an exclusive modality of signing, e.g. full name, initials, nickname, real or any symbol
       • Token of will and responsibility
       • Contractors have the right to rule their own contractual relations, defining also the way each one can sign the agreements
     • From a legal point of view, nothing against the introduction of new types or technologies of signature
     • Digital Signature is a new technology

  9. Electronic World
     • Electronic document produced by a computer. Stored in digital form, and cannot be perceived without using a computer
     • It can be deleted, modified and rewritten without leaving a mark
     • Integrity of an electronic document is “genetically” impossible to verify
     • A copy is indistinguishable from the original
     • It can’t be sealed in the traditional way, where the author affixes his signature
     • The functions of identification, declaration and proof of electronic documents are carried out using a digital signature based on cryptography

  10. Electronic World
     • Digital signatures created and verified using cryptography
     • Public key System based on Asymmetric keys
       • An algorithm generates two different and related keys
         • Public key
         • Private key
       • Private key used to digitally sign
       • Public key used to verify

  11. Public Key Infrastructure
     • Allow parties to have free access to the signer’s public key
     • This assures that the public key corresponds to the signer’s private key
     • Trust between parties as if they know one another
     • Parties with no trading partner agreements, operating on open networks, need to have the highest level of trust in one another

  12. Role of the Government
     • Government has to provide the definition of
       • the structure of PKI
       • the number of levels of authority and their juridical form (public or private certification)
       • which authorities are allowed to issue key pairs
       • the extent to which the use of cryptography should be authorised for confidentiality purposes
       • whether the Central Authority should have access to the encrypted information; when and how
       • the key length, its security standard and its time validity

  13. Certifying Authorities
     • A CA is an Authority which should:
       • reliably identify persons applying for key certificates (signatures)
       • reliably verify their legal capacity
       • confirm the attribution of a public signature key to an identified physical person by means of a signature key certificate
       • always maintain online access to the signature key certificates with the agreement of the signature key owner
       • take measures so that the confidentiality of a private signature key is guaranteed

  14. Certificate based Key Management
     • Operated by trusted third party - CA
     • Provides Trading Partners Certificates
     • Notarises the relationship between a public key and its owner
     [Diagram; only its labels survive: CA, User A, User B, CA A, CA B]

  15. Information Technology Act
     • IT Act 2000: Basic legal framework for E-Commerce - promotes trust in electronic environment
     • IT Act creates a conducive environment for promoting E-Commerce in the country
     • Acceptance of electronic documents as evidence in a court of law
     • Acceptance of electronic signatures at par with handwritten signatures

  16. Information Technology Act (contd)
     • Acceptance of electronic documents by the government
     • Defines digital signatures based on asymmetric public key cryptography
     • Provides for the creation of Certifying Authorities to issue public key certificates – digital certificates for electronic authentication of users in electronic commerce

  17. Information Technology Act (contd)
     • Provides for a Controller under the IT Act to license the Certifying Authorities and to ensure that none of the provisions of the Act are violated
     • Provides for dealing with offences in cyber space in the form of hackers and other criminals trying to gain access into databases and other business sites
     • Provides for the establishment of a Cyber Appellate Tribunal to try cases under this Act for speedy adjudication of cases arising out of this Act
     • Provides for appropriate changes in the Bankers Act and the Indian Evidence Act

  18. The Controller of Certifying Authorities (CCA)
     • Appointed by the Central Government under section 17 of the IT Act
     • Came into existence on November 1, 2000
     • Aims at promoting the growth of E-Commerce and E-Governance through the wide use of digital signatures

  19. CCA has to regulate the functioning of CAs in the country by:
     • Licensing Certifying Authorities (CAs) under section 21 of the IT Act and exercising supervision over their activities
     • Certifying the public keys of the CAs, i.e. their Digital Signature Certificates, more commonly known as Public Key Certificates (PKCs)
     • Laying down the standards to be maintained by the CAs
     • Addressing the issues related to the licensing process

  20. The licensing process
     • Examining the application and accompanying documents as provided in sections 21 to 24 of the IT Act, and all the Rules and Regulations thereunder
     • Approving the Certification Practice Statement (CPS)
     • Auditing the physical and technical infrastructure of the applicants through a panel of auditors maintained by the CCA

  21. Audit Process
     • Adequacy of security policies and implementation thereof
     • Existence of adequate physical security
     • Evaluation of functionalities in technology as it supports CA operations
     • CA’s services administration processes and procedures
     • Compliance with the relevant CPS as approved and provided by the Controller
     • Adequacy of contracts/agreements for all outsourced CA operations
     • Adherence to the Information Technology Act 2000, the rules and regulations thereunder, and guidelines issued by the Controller from time to time

  22. PKI Standards
     • Public Key Cryptography
       • RSA - Asymmetric Cryptosystem
       • Diffie-Hellman - Asymmetric Cryptosystem
       • Elliptic Curve Discrete Logarithm Cryptosystem
     • Digital Signature Standards
       • RSA, DSA and EC Signature Algorithms
       • SHA-1, SHA-2 - Hashing Algorithms
     • Directory Services (LDAP ver 3)
       • X.500 for publication of Public Key Certificates and Certificate Revocation Lists
     • X.509 version 3 Public Key Certificates
     • X.509 version 2 Certificate Revocation Lists
     • PKCS family of standards for Public Key Cryptography from RSA
       • PKCS#1 – PKCS#13
     • Federal Information Processing Standards (FIPS)
       • FIPS 140-1 level 3 and above for Security Requirements of Cryptographic Modules

  23. Key Size mandated by the CCA
     • CA
       • 2048-bit RSA key
     • User
       • 1024-bit RSA key

  24. Licensed Certifying Authorities
     • Provides services to its subscribers and relying parties as per its certification practice statement (CPS), which is approved by the CCA as part of the licensing procedure
       • Identification and authentication
       • Certificate issuance
       • Certificate suspension and revocation
       • Certificate renewal
       • Notification of certificate-related information
       • Display of all these on its website
       • Time-stamping

  25. End entities, subscribers and relying parties
     • The End entities of RCAI (the Root Certifying Authority of India, operated by the CCA) are the Licensed CAs in India
     • Subscribers and relying parties using the certificates issued by a CA need to be assured that the CA is licensed by the CCA
     • They should be able to verify the licence through an indicator in the PKCs issued by a CA

  26. PKI Hierarchy
     [Diagram; only its labels survive: CCA, Directory of Certificates / CRLs; CA, CA, CA, Directory of Certificates / CRLs; Subscriber, Subscriber, Subscriber; Relying Party]
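The trust chain of slides 10, 11, 14 and 26 worked through in code: an added example in Go (not from the presentation) that uses only the standard library. `issue` generates a key pair and certifies it under a parent certificate (no parent means the self-signed CCA root), `SignDocument` is the subscriber's step, and `VerifySignedDocument` is what a relying party that trusts only the CCA root must do before accepting a digitally signed document. The common names, serial numbers, validity window and the use of 2048-bit RSA at every level (the slide mandates 1024 bits for users) are constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates an RSA key pair for cn and binds the public key to cn in a
// certificate signed by signer; parent == nil yields the self-signed CCA root.
func issue(cn string, serial int64, usage x509.KeyUsage, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // assumption: 2048 bits at every level
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: usage}
	if parent == nil { // the root certifies its own key: nobody sits above the CCA
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err) // constructed demo: a failure here is a programming error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignDocument is the subscriber's step (slide 10): hash the document with
// SHA-256 and sign the digest with the private key.
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// VerifySignedDocument is the relying party's step: trust only the CCA root, require
// the subscriber certificate to chain to it through a licensed CA, then check the signature.
func VerifySignedDocument(root, ca, sub *x509.Certificate, doc, sig []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sub.Verify(opts); err != nil {
		return err // not issued under the CCA hierarchy, or outside its validity period
	}
	return sub.CheckSignature(x509.SHA256WithRSA, doc, sig) // certified public key, SHA-256, PKCS#1 v1.5
}
```

Calling `issue` three times, for the root with no parent, for a licensed CA under the root and for a subscriber under that CA, reproduces the hierarchy of slide 26; a subscriber certificate issued by a CA that does not chain to the CCA root fails in `Verify` before the document signature is even examined.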

  27. Trust in Electronic Environment in India
     • CCA: Root of trust, National Repository
     • Licensed CAs
     • Digital signatures for signing documents
     • Certificates, CRLs for access by relying parties
     • PKI operational
     • Other provisions of the IT Act – Cybercrimes not to go unpunished
