1 / 27

Information security

Information security. An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008. What ?. Understanding the information security Electronic signature and encryption Trusted third party (CSP). Information security.

caban
Télécharger la présentation

Information security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008

  2. What ? • Understanding the information security • Electronic signature and encryption • Trusted third party (CSP)

  3. Information security • General technical definition information security is a state of affairs where information, information processing and communication is protected against the confidentiality, integrity and availability of information and information processing. In the context of information networks this also covers reliable identification and authentication.

  4. Information security • Legal definition the obligation to take adequate measures for the purpose of safeguarding the state of affairs corresponding the required level of security, and notably the protection of rights related to informational assets

  5. Information security • Trust • The basic elements of information security • Confidentiality • Integrity • Availability

  6. Information security provisions in current law • OECD Recommendations • E-commerce and E-signature • Privacy regulations • Telecommunications • Electronic administration • Public access to information laws • Penal law concerning the computer crime and misuse • Critical infrastructure protection

  7. Electronic signature Time frame: Jan 19,2000, July 19 2001, march 15, 2006 Underline principles. • Technical neutral • Non-discrimination • Party-autonomy/contractual freedom • No-harmonization of national civil law

  8. Electronic signature Definition: Electronic signature : data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication (Directive 99/93/EC) Advanced electronic signature: any electronic signature which meets the following requirements: uniquely linked, capable of identifying, maintain sole control, change detectable

  9. advance E-sign SKE Advanced signature Digital signature Qualified signature biometrics Electronic signature • Form conditions: QC (annex I) CSP (annex II) secure signature creation device (annext III)

  10. Electronic signature Legal effects of the e-signature article 5 of the Directive: • Art5 (2) non-discrimination : electronic form, not certified, not certified by accredited CSP (certified service provider); not created by secure signature device • Art5 (1) qualified advanced e-signature: the validity in transaction as handwritten signature and evidence effect at court

  11. Electronic signature • Cryptography basis: The conversion of data into a secret code for transmission over a public network. • Encrypt: convent plain text into cipher text • Decrypt: convert cipher text into plain text • Symmetric key encryption (secret key) • Asymmetric key encryption (public key)

  12. Electronic signature

  13. Electronic signature • Public key encryption (PKE) in detail problem of PKE: • More computational intensive • Large amounts of encrypted data vulnerable of hacking • Solution = hashing of the data message

  14. Electronic signature • Digital signature 1

  15. Electronic signature • Digital signature 2

  16. Electronic signature • Problem With digital signature • Trustworthy linkage between public key and real world identity of accountable person • Secure distribution of public keys over open networks • Integrity? • Solution= Public key infrastructure (PKI)

  17. Electronic signature PKI Process Flow • Step 1. Subscriber applies to Certification Authority for Digital Certificate • Step 2. CA verifies identity of Subscriber and issues Digital Certificate. • Step 3. CA publishes Certificate to Repository. • Step 4. Subscriber digitally signs electronic message with Private Key to ensure Sender Authenticity, Message Integrity and Non-Repudiation and sends to Relying Party. • Step 5. Relying Party receives message, verifies Digital Signature with Subscriber's Public Key, and goes to Repository to check status and validity of Subscriber's Certificate. • Step6.Repository returns results of status check on Subscriber's Certificate to Relying Party. p

  18. Electronic signature

  19. Electronic signature • agenda • The legality issues • The technical answers • The liability issues -UNCITRAL e-sign ML, EU e-sign Directive

  20. UNICITRAL e-sign ML • E-sign ML-liabilityconcept CA Reasonable allocation of responsibilities in accordance with domains under the specific control of PKI participants Relying party signatory

  21. UNICTRAL e-sign ML • Approach • Soft law: • Technology neutrality • comprehensive • Responsibility of the signatory (art8) • Responsibility of the relying party(art11) • Responsibility of the CSP(art9,10)

  22. EU e-sign Directive • Approach • Hard law • Technology neutrality • Liability rules CA’s liability

  23. EU e-sign Directive • Minimum liability for CA (art6) • accuracy • completeness • the signatory identified in the qualified certificate held the private key corresponding to the public key identified in the certificate • the private key and the public key can be used in a complementary manner if the CSP guarantees them both • Principle of negligence • Reversed burden of proof Excuse and limitation • Proves he has not act negligently • Exceed intended use • Exceed intended value of transaction

  24. Electronic signature • Market access: no prior authorization (art 3.1 ) voluntary accreditation (art 3.2)

  25. EU e-sign Directive • Other provisions • data protection issues (art8) • International aspects (art7) • Committee (art9. 10) • Notification (art 11) • Review (art 12)

  26. Encryption • Export control measures • Wassennar agreement • EU dual use regulation of Dec.1994 • Domestic control measures • Key escrow and key recovery systems • Privacy considerations

  27. Additional links: http://www.verisign.com http://www.ulapland.fi/home/oiffi/julkaisut/ISLCommentary_pdf.pdf Thank you for your attention!

More Related