Banca Intesa / Mathematical Institute SANU
In this Tutorial, main cryptographic aspects of modern TCP/IP computer networks: digital signature technology based on asymmetrical cryptographic algorithms, data confidentiality by applying symmetrical cryptographic systems, and PKI system – Public Key Infrastructure, are addressed. This Tutorial is thus devoted to the emerging topic in domain of modern e-business systems – a computer network security based on Public Key Infrastructure (PKI) systems. First, we consider possible vulnerabilities of the TCP/IP computer networks and possible techniques to eliminate them. We signify that only a general and multi-layered security infrastructure could cope with possible attacks to the computer network systems. We evaluate security mechanisms on application, transport and network layers of ISO/OSI reference model and give examples of the today most popular security protocols applied in each of the mentioned layers (e.g. S/MIME, SSL and IPSec). Namely, we recommend a secure computer network systems that consists of combined security mechanisms on three different ISO/OSI reference model layers: application layer security (end-to-end security) based on strong user authentication, digital signature, confidentiality protection, digital certificates and hardware tokens (e.g. smart cards), transport layer security based on establishment of a cryptographic tunnel (symmetric cryptography) between network nodes and strong node authentication procedure and network IP layer security providing bulk security mechanisms on network level between network nodes – protection from the external network attacks. These layers are projected in a way that a vulnerability of the one layer could not compromise the other layers and then the whole system is not vulnerable. User strong authentication procedures based on digital certificates and PKI systems are especially emphasized.
We also evaluate and signify differences between software-only, hardware-only and combined software and hardware security systems. Therefore, ubiquitous smart cards and hardware security modules are considered. Hardware security modules (HSM) represent very important security aspect of the modern computer networks. Main purposes of the HSM are twofold: increasing the overall system security and accelerating cryptographic functions (asymmetric and symmetric algorithms, key generation, etc.). HSMs are intended mainly for use in server applications and, optionally for client sides too in case of specialized information systems (government, military, police). For large individual usage, smart cards are more suitable as hardware security modules.
However, for large usages, the best approach is in the combination of SW and smart card solutions for best performance. Namely, smart card increases security and SW increases the total processing speed. In this sense, the most suitable large-scale solution consists of: SW for bulk symmetric data encryption/decryption and smart card for digital envelop retrieval and digital signature generation.
We give the brief description of the main components of the PKI systems, emphasizing Certification Authority and its role in establishing a cryptographic unique identity of the valid system users based on ITU-T X.509v3 digital certificates. Public-key cryptography uses a combination of public and private keys, digital signature, digital certificates, and trusted third party Certification Authorities (CA), to meet the major requirements of e-business security. Before applying the security mechanisms you need the answers for the following questions: Who is your CA? Where do you store your private key? How do you know that the private key of the person or server you want to talk to is secure? Where do you find certificates? A public-key infrastructure (PKI) provides the answers to the above questions. In the sense of ITU-T X.509 standard, the PKI system is defined as the set of hardware, software, roles and procedures needed to create, manage, store, distribute and revoke certificates based on public-key cryptography. PKI system provides a reliable organizational, logical and technical security environment for realization of the four main security functions of the e-business systems: authenticity, data integrity protection, non-repudiation and data confidentiality protection. PKI system consists of the following components: Certification Authority (CA) – responsible for issuing and revoking certificates, Registration Authorities (RAs) – responsible for acquiring certificate requests and checking the identity of the certificate holders, Systems for certificate distribution – responsible for delivering the certificates to their holders, Certificate holders (subjects) – people, machines or software agents that have been issued with certificates, CP, CPS, user agreements and other basic CA documents, systems for publication of issued certificates and Certificate Revocation Lists (CRLs), as well as of PKI applications (secure WEB transactions, secure E-mail, secure FTP, VPN, secure Internet payment, secure document management system – secure digital archives, etc.).
Besides, we give a brief overview of legal aspects of using digital signature emphasizing the EU Directive on electronic signatures and corresponding Electronic Signature Laws on national levels in Europe. Also, we consider possible usage of qualified signatures which have the same legal effect as handwritten signatures, different accreditation and supervision schemes for CAs, some aspects about using Secure Signature Creation Devices (SSCD), necessary conditions for CAs issuing qualified certificates, etc.
At the end of Tutorial, we give a brief overview of main characteristics of the EMV migration, i.e. moving from magstripe to chip payment cards. Also, we give overview about 3D Secure system, as well as Chip Authentication Program (CAP). In fact, we will consider possible combination of Authentication and Secure payment on the Multiapplication DDA payment cards which have at least three different applications on them: Payment, CAP and PKI. A Banca Intesa ad Beograd case study is also given.
2. Information System Security – Key Questions of Security
3. Potential attacks on computer networks of Intranet/Internet type
4. Possible ways of protecting from the considered attacks
5. Cryptography and algorithm types
6. Symmetrical cryptographic systems
7. Asymmetrical cryptographic systems
8. Hash functions
9. Digital signature and digital envelope technology
10. Multilayer architecture of the secure modern computer networks
11. Application layer security
12. Transport layer security
13. Network layer security
14. Software and hardware security solutions
15. Smart cards
16. Hardware Security Modules (HSM)
17. PKI systems
18. Qualified electronic signatures and qualified certificates
19. Secure Signature Creation Devices and conforming criteria
20. Criteria for certification authorities issuing qualified certificates
21. EMV migration aspects
22. 3D Secure systems
23. CAP and DPA
24. Combining authentication and Secure payment
Brief biography of Milan Marković
Milan Marković was born in Smederevska Palanka, Serbia, on Feb. 14th, 1963. He finished primary (8 years) and secondary (4 years) schools in Mladenovac, Serbia. He received B.S.E.E., M.S.E.E., and Ph.D. degrees in electrical engineering from Faculty of Electrical Engineering, University of Belgrade, Serbia, in 1989, 1992, and 2001, respectively. He is a leading researcher of the Mathematical Institute SANU, Belgrade and is currently a lecturer on Faculty of Electrical Engineering, as well as on privately owned University Apeiron in Banja Luka for “Secure Computer Networks”, “Cyber Law”, and “PKI systems” courses. He also performs different courses on different faculties and universities in the same domain of computer security and PKI. He has also performed tutorials from these topics on different international conferences. His research interests are mainly in public key infrastructure, combined SW/HW security solutions, smart cards, cryptographic algorithms, Identity Management, Information Security Management Systems, combining authentication and smart payments, EMV, payment systems, contactless and mobile payment system, etc. He has published more than 280 scientific papers in books, international and domestic journals, as well as in proceedings of international and domestic conferences. He has been included in very sophisticated security projects, such as PKI systems for: National Bank of Serbia, some commercial banks, Ministries of Internal and Foreign Affaires, as well as PKI systems for current Serbian smart card ID project. He was a member of working groups for preparing electronic signature and electronic document laws in Serbia, as well as for corresponding sublegislative acts. He was a leading consultant of Ministry of Telecommunication and Information Society for accreditation of qualified Certification Authorities in Serbia. He is currently in position of ICT Security Officer in Security Department of Banca Intesa ad Belgrade, a leading commercial bank in Serbia.
ICT Security Officer, Security Department
Bulevar Milutina Milankovića 1c
Tel.: +381 11 3770 187
Fax: +381 11 3770 188
Mobile: +381 64 8111 636
Mathematical Institute SANU
Kneza Mihaila 36, P. F. 367