VYTAUTO DIDŽIOJO UNIVERSITETAS INFORMATIKOS FAKULTETAS TAIKOMOSIOS INFORMATIKOS KATEDRA
Eglė VALUŠYTĖ
SKAITMENINIO PARAŠO DIEGIMO IR NAUDOJIMO ORGANIZACIJOJE TYRIMAS (anglų kalba)
Magistro baigiamasis darbas
Verslo informatikos studijų programa, valstybinis kodas 62109P109
Informatikos studijų kryptis
Vadovas doc.dr. Kęstutis Šidlauskas ______(Moksl. laipsnis, vardas, pavardė) (Parašas) (Data)
Vadovas universitete Ispanijoje Universidad del País Vasco/ Euskal Herriko Unibertsitatea - D. Julián Gutiérrez Serrano
(Moksl. laipsnis, vardas, pavardė)
Apginta doc.dr. Kęstutis Šidlauskas ______(Fakulteto dekanas) (Parašas) (Data)
Kaunas, 2008
0
SANTRAUKA
Magistro darbo autorė: Eglė Valušytė
Magistro darbo pavadinimas: Skaitmeninio parašo diegimo ir naudojimo organizacijoje tyrimas
Vadovas: doc. dr. Kęstutis Šidlauskas
Vadovas universitete Ispanijoje: D. Julián Gutiérrez Serrano
Darbas pristatytas: Vytauto Didžiojo Universitetas, Informatikos fakultetas, Kaunas, 2008, birželis
Puslapių skaičius: 106
Lentelių skaičius: 11
Paveikslų skaičius: 8
Priedų skaičius: 4
Visam šiuolaikiniam pasauliui persikeliant į elektronines erdves, paslaugoms įgaunant skaitmeninę formą, vis dažniau susimąstoma ir apie visas priemones tam pasiekti, iš kurių viena – e.parašas. E.parašas kai kuriais atžvilgiais netgi lenktų rašalinį savo prototipą ne tik moksle ir IT versle, bet ir vartotojų galvose, jei ne tradiciniai, organizaciniai barjerai, naujovių ir nežinomybės baimė, bei daugelis kitų veiksnių, kuriuos naudinga ištirti.
Labiausiai paplitusi e.parašo realizacija PKI (Public key infrastructure) – viešojo rakto infrastruktūra – gali atlikti žymiai daugiau nei vieną funkciją, visos PKI taikymo sričių įvairovės darbe nepavyktų atskleisti dėl vietos ir laiko stokos. Dar vadinama asimetriniu šifravimu, PKI gali ne tik suteikti galimybę pasirašyti dokumentą, bet įmanomas ir atvirkštinis procesas, t.y., užšifravimui naudojant viešąjį, o iššifravimui – privatųjį raktą, saugiai komunikuoti internete ar kitame tinkle.
Darbas siekia parodyti PKI esmę ir pagrindinius principus, atskleisti galimybes ir priemones organizacijoms ir vartotojams, išanaliztuoi empirinę informaciją organizacijoje, įvertinti dabartinę PKI situaciją Lietuvoje, paliečiant Europą, atskleisti galimo skaitmeninio parašo vartotojo elgsenos ypatumus.
1
ABSTRACT
Author of master thesis: Eglė Valušytė
Full title of master thesis: Digital Signature Implementation And Usage Inside An Organization Research
Master thesis tutor at home university: assoc. prof. dr. Kęstutis Šidlauskas
Master thesis tutor at host university: D. Julián Gutiérrez Serrano
Presented: Vytautas Magnus University, Faculty of Informatics, Kaunas, Lithuania, 2008, June
While all the modern world is moving to the electronic space and the services are assuming a digital form, one also gives thought to the means to approach to this more and more often, and one of many of the means is digital signature. Electronic signature would even overtake its inky prototype not only in science or IT business, but also in the heads of the consumers, if there were not any traditional, organizational barriers, any fear of innovations and uncertainty amongst many other factors that are useful to explore.
The most popular implementation of digital signature - PKI (Public key infrastructure) – can fill a lot more than one function; the variety of all of the PKI application areas is very wide. Also known as assymetric cryptography, PKI can provide an opportunity not only to sign a document, but also a reverse process is possible, that is to communicate safely in the Internet or other net using public key for encoding and private key for decoding.
The paper strives to point out the essence and the main principles of PKI, to disclose its possibilities and means for the organizations and the users, to analyse the empirical information in an organization, to measure the current PKI situation in Lithuania also touching Europe, to reveal the mindset and behaviour peculiarities of a potential user of the digital signature.
2
TABLE OF CONTENTS
SANTRAUKA ...... 1 ABSTRACT ...... 2 TABLE OF CONTENTS ...... 3 LIST OF TABLES ...... 4 LIST OF FIGURES ...... 5 ABBREVIATIONS ...... 6 1. INTRODUCTION...... 7 1.1 Analysis of Antecedents (History) ...... 7 1.2 Analysis of Factibility ...... 9 2.D. O. P., ...... 12 DOCUMENT OF THE OBJECTIVES OF THE PROJECT ...... 12 2.1 ...... 12 General Vision of the Project ...... 12 2.2 Model of the Project: ...... 13 2.3 Definition of the Tasks ...... 15 2.4 Criteria for Completion ...... 16 2.5 Risk Factors ...... 17 3. MANAGEMENT OF THE PROJECT ...... 18 3.1 ...... 18 Project Stages ...... 18 3.2 Time Estimation ...... 19 3.3 The Calendar of the Project ...... 20 4. ANALYSIS OF PKI INFRASTRUCTURE, USER MEANS AND USAGE IN ORGANIZATION ...... 21 4.1 Digital Signature Infrastructure ...... 21 4.2 Analysis of PKI User Means ...... 46 4.3 Organizational Aspects of PKI Implementation ...... 61 4.4 Evaluation Of Digital Signature User Behaviour And Market ...... 75 5. PROJECT PART: SUGGESTED SOLUTIONS FOR PKI IMPLEMENTATION IN AN ORGANIZATION ...... 81 5.1 Digital signature and PKI ...... 81 5.2 PKI applications in VMU ...... 86 5.3 Digital signature user means for VMU ...... 88 5.4 Organizational aspects for PKI implementation in VMU ...... 92 5.5 The user of PKI in VMU ...... 97 6. CONCLUSIONS ...... 98 LITERATURE ...... 103 ANNEXES...... 106
3
LIST OF TABLES
Table 1.1 “Operational factibility of the paper”
Table 1.2 “Technical factibility of the paper”
Table 1.3 ”Researching factibility of the paper”
Table 3.1 “Time estimation of the project”
Table 3.2 “The calendar of the project”
Table 4.1 ”The network readiness ranks given by the World Economic Forum to the Baltic states and “Spain”
Table 4.2 “PKI Application in China’s e-government”
Table 4.3 “PKI application possibilities in universities”
Table 4.4 “Comparation of the user means”
Table 4.5 “Criteria for SWOT analysis”
Table 5.1 ”Documents signed in VMU”
4
LIST OF FIGURES
Figure 4.1: PKI functioning in digital communications Figure 4.2: Usage of keys in asymmetric cryptography Figure 4.3: PKI applications and technologiesFigure 4.4: Digital signatures functions in organizations Figure 4.4: Digital signatures functions in organizations Figure 4.5: Illustrative diagram of SWOT analysis results usage Figure 5.1. Man-in-the-middle attack problem (session take-over) and independent wPKI channel
Figure 5.2: An organization before using PKI in securing its processes Figure 5.3: An organization after using PKI in securing its processes
5
ABBREVIATIONS
PKI - Public key infrastructure
WPKI – wireless PKI
E3P (Elektroninio parašo proveržio programa) – An e-Signature Breakthrough Program in Lithuania
SoDra - Social insurance institution of Lithuania
VMI (Valstybinė mokesčių inspekcija) - State Tax Inspection of Lithuania
VMU - Vytautas Magnus University
D. O. P. - Document of the objectives of the project
IVPK (Informacinės visuomenės plėtros komitetas) – Information society development commitee of Lithuania
E-document – electronic document
VPN - Virtual private network
E-government – electronic government
SSL - Secure Sockets Layer
DMS – Document Management System
DEM - Document Exchange Module
PC – personal computer
6
1. INTRODUCTION
Several years already digital signature is being implemented in Lithuania in the form of PKI1. The process is evolving, but has a very slow pace. All the conditions that have an effect to the diffusion of the digital signature are being observed – technical, law, state, organizational, financial, comfortable usability and others.
Lithuanian digital signature infrastructure is developed fully in the technical and financial point of views. This means that the PKI system should not cause any problems to any user to try and to use the digital signature. However, the interest in it is still very little and this kind of situation tends to attract attention to other important influential aspects, especially organizational ones, those of users and tools.
The project dedicated to business informatics master studies researches examines and discusses issues considering digital signature and technologies, standards, initiatives of various subjects, applications, user means, security requirements, legal and organizational aspects, user behaviour.
1.1 Analysis of Antecedents (History)
Practically they work intensely for digital signature infrastructure in Lithuania, but science does not write about these problems or write only a little, except technical aspects. The last important event that happened in the sphere of digital signature was the establishment of Baltic WPKI forum and the meetings taking place in it, questions discussed in the field of mobile signature. Lithuania also has a special institution taking care of the Lithuanian digital signature; projects taking place, for example E3P (Elektroninio paraso proverzio programa – An e-Signature Breakthrough Program), certification authority and others. Interested and cooperating subjects popularize the digital signature by organizing seminars for all potential users (associations „Langas į ateitį“ and „Infobalt“); installing digital signature into their own systems (SoDra - social insurance institution; VMI - State Tax Inspection; major banks); organizing forums, where responsible institutions regularly discuss
1 If not pointed in another way, during the whole paper ¨digital signature¨ refers to this solution (PKI) conceptions.
7 and solve the arising questions and problems (Baltic WPKI forum, special governmental institution looking after PKI, E3P project) and the like.
Besides, there were several treatises to at least touch the issues of digital signature in the scientific papers. For example, there were several master thesis done in Vytautas Magnus University that was written or at least included part of the material about digital signature.
The question still remains very relevant, because the digital signature adaptation problem has not been solved yet and the reasons have not been identified or it is very difficult to identify them. For this reason research is needed. Also the action takes place only practically, but as far as is known there are no attempts to research and write about these problems scientifically. Only technical materials exist.
The paper is dedicated to carry out experimental and research studies about the PKI applications and usability in an organization. This requires to accomplish these main tasks:
to analyse the PKI and its technical, usage, legal aspects to try PKI between the employers of the organization Vytautas Magnus University to observe, examine and write up the events, as well as theoretical information, to draw inferences from the observations and theoretical studies about the mentioned problems, reasons and possible solutions.
In order to accomplish the tasks, particular needs and conditions have to be met. To prove it is possible, from here we will discuss the actuality of the project in three dimensions – operations, technical and research.
8
1.2 Analysis of Factibility
The analysis of factibility should show the viability of the project and its closeness to the reality in the operational point of view, that is in the usage point of view: in the organization and its system of rules, between the employers, in the system of documentation, data processing and access.
1.2.1 Operational factibility
This factibility shows the probability of the research of PKI usability in the organization and the true access to the resources needed for the author and the users. The key questions to determine, if the project meets the operational factibility requirements, are these that follow (Table 1.1):
Table 1.1 “Operational factibility of the paper”
Questions Answers
Is the organizational users participation in Preliminary, yes experimenting and analysing the PKI garanteed?
Do the users have a real opportunity to try PKI? Yes
Does an access to an organization documents Yes users exist?
Do any law, organizational or similar barriers Preliminary, no for PKI in the organization (Vytautas Magnus (has to be analysed) University) exist?
The source: created by the author.
9
1.2.2 Technical factibility
This section provides a review of technical conditions and risks in the project. The table with questions about existing technical aspects follows here (Table 1.2):
Table 1.2 “Technical factibility of the paper”
Questions Answers
Does a technical specialists’ support for Yes experimenting and analysing the PKI exist?
Do all the needed means for experimenting and Yes analysing the PKI exist?
Is the conformance between the existing Preliminary, yes organizational system, conditions and the (has to be analysed) available user means guaranteed?
Do any technical barriers for Preliminary, no PKI in the organization (Vytautas Magnus (has to be analysed) University) exist?
The source: created by the author.
10
1.2.3 Researching factibility
The factibility of the research shows (Table 1.3) if it is possible to carry out the research and if all the requirements for that are met: Table 1.3 ”Researching factibility of the paper”
Questions Answers
Do sufficient written resource, information, Not much (If talking about the materials materials exist? concerning the problem of the project. But there is plenty of information about digital signature, marketing theories about user behaviour, internet resources about various events, etc.)
Is the project of enough relevance? Yes (it is a current problem)
Do any barriers for carrying out the research Preliminary, no about the PKI in the organization (Vytautas (has to be analysed) Magnus University) exist?
Is the professional and operational information Preliminary, yes and support garanteed?
The source: created by the author.
As can be seen from the tables above, there are conditions totally guaranteed and there are some obstructions and deficiencies that has to be solved. For example, while talking about the operations we saw that studies are needed in order to find out if any law, organizational, technical, of research or similar barriers for PKI in the organization (Vytautas Magnus University) exist. Preliminary, we knew there would not be any problems, but the experiments an research have to show exactly.
One of the reasons for choosing the subject for the master thesis was the lack of such information gathered in one comprehensive source. Therefore, there are not many materials to directly make reference to. However, that means that the project is new with its subject and has no concurrent or competitive treatises.
11
2.D. O. P., DOCUMENT OF THE OBJECTIVES OF THE PROJECT
Document of the objectives of the project shows the general picture of the work, what aims and risks the project has, what main parts and items consists of, what has to cover and accomplish, what discusses and what results drives at.
2.1 General Vision of the Project
As was already mentioned before, this master thesis intends to carry out experimental and theoretical research studies about the PKI usage in an organization. First of all, the paper presents the digital signature and relative issues considering the PKI system and current events. Second, the experiments in using PKI (signing a document, checking the signature) in the organization and observations are being described, together with existing user means solutions and their features. Third, appears the discussion about the laws and normative acts involved in the PKI, as well as internal organizational order and procedures. Later on follows studies of digital signature adaptation in the market and users behaviour reasons. Finally, the work done has to be assessed according to many criteria including the primary objectives, research and practical relevance.
The goal of the paper is to reveal digital signature potential and ways of establishment in an organization in accordance with exploration of user means, internal organizational order, user behaviour.
The tasks for achieving the goal of the thesis are discussed in a further section just after the presentation of the structure of the whole paper (the model of the project).
12
2.2 Model of the Project:
The project has the following structure and strives to cover the following issues:
1. Preface (according to the 1st master research paper of the author)
1.1 Digital signature and certificate, PKI and technological solutions definitions, descriptions and short reviews; 1.2 Standards; the legal base; governmental, business and society initiatives; 1.3 Existent and possible applications of digital signature in Lithuania, Baltic states, Europe (Spain), in the world;
2. Analysis of digital signature user means (information published in literature, internet; personal experience using mobile signature infrastructure):
2.1 Review and comparison of existing digital signature users means (DigiDoc, Justa and other analogous digital signature software, Web client solutions, smart card-ware, mobile solutions);
2.2 Analysis of means compatibility (was planned, provided that if available);
2.3 Security requirements for the system and user means;
2.4 User means convenience evaluation;
2.5 Technical solutions conformance to the legal requirements;
3. Organizational aspects of PKI implementation:
3.1 Analysis of internal organizational order and procedures that are effectual in an organization (for example VDU, Vytautas Magnus University) and that regulate the creation, managing and archiving of documentation;
13
3.2 Ways and methods offered for changing and improving the situation of these orders and procedures; experience of other organizations in the subject of digital signature implementation (if material is available);
4. Construeing digital signature user behavior (according to the 2nd research paper):
4.1 The problem of digital signature awareness and availability;
4.2 Analysis of digital signature opportunities in the markets of Lithuania and Baltic states (and maybe Spain);
4.3 Analysis of experience and behaviour of a user who uses digital signature inside an organization;
5. Thesis conclusions:
5.1 Conclusions;
5.2 The prognosis of the evolution of the digital signature topic and problems;
5.3 The definition of problematic areas that were not studied or studied incompletely;
5.4 Further research recommendations.
The mentioned model requires to accomplish the tasks that are described below.
14
2.3 Definition of the Tasks
Tasks to accomplish during the project in order to reach the goal are these:
to introduce, define and plan the project; to review the 1st research paper and extract the essence about the whole PKI system; to search, examine and resume the available materials about applications, laws and user means; to carry oyt experiments with PKI between the emploees of the organization Vytautas Magnus University; to examine and write down the results of observations, aimed at user means and organizational procedures; to study theoretical materials, compare with empirical information, to assess, and to draw conclusions answering to the mentioned problems, giving reasons and possible solutions; to review the 2nd research paper and resume about PKI user baheviour; to evaluate the work done and methods used; to conclude according to the results of the project.
In order to know how to evaluate the tasks and the whole work done, we have to determine the criteria that will serve like arguments for evaluation.
15
2.4 Criteria for Completion
The project has its milestones that have to be fulfilled in order to finalize correctly and have final results. The first bigger part of the paper has to give particular written forms of the observations in the experiments in using PKI (signing a document, checking the signature), exploration of user means solutions and their security, convenience, conformance to requirements.
After the first part, the project enters another phase of analysis of the PKI laws and normative acts, internal organizational order and procedures that has to produce ways and methods for changing and improving the mentioned analysed items.
Further on, the results of the successive part should reveal digital signature potential in an organization, consistent paterns and reasons, that are subsistent in the market, to the adaptation, users reactions.
In the end the work done has to be reviewed and assessed according to many criteria including the primary objectives, research and practical relevance.
16
2.5 Risk Factors
During the project there can appear some obstructions, problems or other risks which can disorganize the proceeding of the work. The main risks are those itemized here:
Technical risks – the main risks are loosing the ability to use digital signature (loosing the card with certificate or PIN codes; loosing internet connection, etc.) and also a very important and dangerous risk is loosing the written part of the thesis (personal computer system, hard disk crash or loosing the disposal of other medium where the paper is kept, etc.).
Organizational and operational risks – working together with other people brings many risks that are very difficult to foresee (for example, the consultants or the comexperimenters can have their risks that can be counted for every person apart - unexpected events, problems, or simply unwillingness).
Personal risks – these are problems with health (diseases, allergy); living in foreign country (money, residence, adaptation to a different system, etc.) and others.
In order to neutralize these risk factors a methodology is used where an exhaustive observation and amendment of very stage is prioritized. Periodical renovations and reviews according to the current stage of the project is one of the main methhods to advance to the problems that can appear during the realization of the project.
17
3. MANAGEMENT OF THE PROJECT
This chaper is going to resume the data of the management and implementation of the project and its parts separately and alltogether.
The initial planification of the project is presented here. Although the aproximate estimations of time for the determined tasks are given, the plan is tentative because it is forwarded before the acomplishing the project and therefore neither of the intended cases purport to be fixed a definition of the positions and times for completing the tasks, just because of forwarding, and also the technical, organizational, human factors and other risks.
3.1 Project Stages
In succession, the project stages are presented. First, the main parts of the work that has to be done are given:
Planification of the project Resume of the already obtained materials Experiments with the PKI different user means (clients), emploees of an organization Recording of the observations Analysis of practical information Analysis of theoretical information Merging, evaluation
Later on, following are the main steps in course:
1. examine and resume digital signature definitions, standarts, initiatives, applications, etc. 2. carry out experiments with digital signature simple user means (clients); in the
18
organization Vytautas Magnus University between the employees; 3. compare digital signature simple user means and analyze their compatibility, security, convienience, etc. 4. study the legal situation (documents); analyze organizational procedures concerning confirming an identity; generate ideas for improving; 5. examine digital signature in the market and its user behavior; 6. evaluate the research methods used in the paper, data gained, work done and not done, results achieved; 7. conclude and forecast.
3.2 Time Estimation
The initial estimation and real time expenses of every stage of the project are presented here in the table 3.1:
Table 3.1 “Time estimation of the project”
Stage Estimated (hours) Real (hours)
Planification of the project 50 70
Resume of the already obtained materials 90 40
Experiments with the PKI different user means 140 30 (clients), emploees of organization
Recording of the observations 50 19
Analysis of practical information 140 110
Analysis of theoretical information 140 105
Merging, evaluation 90 90
Total 700 464
The source: created by the author.
Comparatives between estimated and real efforts can be discernible. The graph ¨Experiments with the PKI different user means (clients), emploees of organization¨ has a big
19 difference between hours planned and dedicated, because of lack of employees of VMU participating in the project. The risk was described in the risks section.
3.3 The Calendar of the Project
The initial estimation and real time expenses of the project in each month are presented here in the table 3.2:
Table 3.2 “The calendar of the project”
Month Estimated (hours) Real (hours)
February 100 70
March 190 60
April 200 85
May 200 250
Total 700 464
The source: created by the author.
The real data is gathered on the base of annotations made during writing the thesis by approximately summing up. As was foreseen in the beginning of the project about risks, two personal risks became true taking away some of the time necessary for the project to acomplish.
20
4. ANALYSIS OF PKI INFRASTRUCTURE, USER MEANS AND USAGE IN ORGANIZATION
This chapter will explore PKI elements, technologies, standarts, legal base and organizational aspects, will describe and compare existing user means.
4.1 Digital Signature Infrastructure
The digital signature and its settings are presented in this chapter using the materials of the author’s 1st master research paper, beginning with the description of the digital signature, certificates and technological solutions, continuing with the standards and legal structure of the PKI system, and ending with different initiative and applications of PKI.
4.1.1 PKI and technologies
Here the digital signature and technologies functioning in its settings are being described.
4.1.1.1 Digital signature and PKI
According to the lithuanian Digital signature law, digital signature is data inserted into, attached or logically linked together with other data for confirmation of the authenticity of the latter and (or) identification of the signing person [1].
Data security is very important issue for communication in a net and it can be achieved by using cryptography. Cryptography is a science about encoding, including digital signature. Digital signature cryptography can be of two sorts: symmetric and asymmetric.
Symmetric cryptography uses one and the same key for both encoding and decoding. For this reason it is comfortable for two secret communication partners, but is not suitable for
21 open, public and mass use.
Asymmetric cryptography uses two different keys – private and public. PKI (Public Key Infrastructure) is based on asymmetric cryptography. Private key is secret and used by its owner: to encrypt data confirming it (to sign digitally) or to decrypt a message that is dedicated only for him/her (for confidential communication). One’s public key is available for everybody and is used: to decrypt data (to check the signature encrypted by the correspondent private key) or to encrypt data for the private key owner (to encode a message that could be read only by the private key owner).
In order to function fully digital signature needs an infrastructure. PKI is a security system of electronic communication that uses asymmetric cryptography. Public Key Infrastructure consists of CAs (Certification Authorities), RAs (Registration Authorities), other support subjects, services, directories, protocols, client programs, servers, other technologies, and performs a complex of functions for cryptography system users: certificate management, administration of archives and keys, integration of rules, standarts and procedures. This system functions in order to capacitate two subjects to take part in a net communication securely and to confirm the validity of it by creating the private and public keys at the same moment using the same algorithm. PKI is called „an architecture of security“ because it lets check the identity of users of electronic services by linking the users with the keys and thus creating trust in connection. The most potential of application supposedly is public services and e-commerce because of strong need of electronic identity confirmation and security.
Asymmetric cryptography services providers generate two interdependent keys for usage of digital signature – if data is encoded with one key, it is possible to decode it only with the other key of the same pair (i.e., from the same certificate). The process of this method (Figure 4.1) takes much more time than of the symmetric cryptography, but it has a very valuable function - knowing only one of the keys it is impossible to reproduce the other
22 one. Only the owner has the password or PIN-code access to the private key which can be kept in a smartcard, personal computer, smartdisk.
Figure 4.1: PKI functioning in digital communications The source: “Archival Implications of Digital Signatures and PKI Technical Standards Panel”, ECURE conference 2002 [4].
The signature is obtained by first creating a fixed length message digest (hash) and then encrypting this hash with the owners private key. The receiver checks the signed data with appropriate software using the public key of the signer and first, creating another hash of the data received, second, decrypting the received hash and third – comparing the received and created hashes. The congruence guarantees that the signature is real. The certifiers (CAs) give the possibility to validate the certificate and the identity of the person.
In addition, there is a clear difference between electronic and digital signatures, though these terms are often used interchangeably. Digital signatures (sometimes referred to as Advanced or Secure Electronic Signatures) are a result of a cryptographic operation. The technology behind digital signatures is an industry standard known as Public Key Infrastructure (PKI), which guarantees data integrity and non-repudiation of transactions. The digital signature cannot be copied, tampered or altered. On the other hand, Electronic signatures are electronic images that are physically or logically attached to the signed data.
23
Adding a sentence “I, John Doe, sign this document” is good enough to be considered as an electronic signature; however, it is clear that electronic signatures are easy to forge, unlike Digital Signatures[5].
4.1.1.2 Certificates
Certificate is a testimony in the electronic form, confirming that the both private and public keys in the certificate belong to the person that is indicated in the certificate. The functions of certificates management, generation, providing information about them is performed by the providers of certification services - Certification Authorities (CAs).
A signature is kept valid (except other limitations indicated in the certificate) only if the person created it in the period of validity of the certificate. In order to prove it, Time Stamp Tokens can be put to the signatures. All the expired certificates are stored in Certificate Revocation List (CRL) for checking if signatures were made in the period of validity of the correspondent certificates.
To resume, in order to function fully, the PKI needs these following components:
Law, A medium to keep the certificate with the private key (ID card, USB memory, etc.), PKI services, Digital signature system.
This means, that in an organization, that uses network, frequent personal identification actions or post services, should be met these issues considering PKI maintennance and implementation:
There should be guaranteed all the conditions in an organization to be in keeping with the requirements of the law for the digital signature creation, checking, user rights and duties. It is necessary to select the most propriate means of using digital signature and
24
to purchase them considering the future use and specifics of the usage (a medium to keep the certificate with the private key, user software, etc.) The services that use a modern way with PKI and that are provided in the market should be adopted into the activity scheme of an organization. It is important to renew and improve the processes and methods of the activity of an organization, to be in time with the world changing to the more advanced (electronic) forms, to take interest in new available tools (especially that are used by the clients, partners, rival firms), to use the digital services provided by the state and business.
Any company or organization that sends financial or any other important information over the Internet should use a Public Key Infrastructure not only for its own security, but for the security of the clients of the services provided by that organization [1].
4.1.1.3 Technological solutions
The base of cryptography is made of these main elements: Protocols; Keys; Algorithms.
Symmetric cryptography uses substitution technologies, inversion, DES (Data Encryption Standard).
Asymmetric cryptography (PKI) is based on the theory of numbers. In line with hybridic cryptography, the RSA cryptographic algorithm is used to distribute the temporary DES key between the sender and the receiver. Also, other methods can be used instead of the RSA, for example ECC – because of the same security level and lesser key length.
For a fast guarrantee of integrity process, message digest is used (a.k.a. hash function), which can be MD2, MD4, MD5, SHA. The most trusted of them for this kind of process are MD5 and SHA. Message digest applied alone all by itself can not guarrantee integrity of a message, because anybody else by having caught the message can change it and
25 recalculate the digest – MAC (Message Authentication Code), when the message digest is found together with the secret key (a large random number). HMAC algorithm can be used – even more safer way to generate MAC.
Another usable method for guarranteeing the integrity process – digital signature, that is the combination of the message digest and public key encryption, e.g., digital signature with RSA/MD5 or DSS with ElGamal algorithm and SHA message digest. The second one has nonessential shortcomings and for this reason the first variant RSA/MD5 is more popular.
Autentification commends to PKI, the public key infrastructure, with which help a person can encode data sent or check and confirm digital signature. In order to solve the key exchange problem (existing in the symmetric case) digital certification and certificates are used, which are provided by local CA (certification authority). The owner has his own private key and for everybody else who wants to encode information or to check digital signature, the public key is available. For certificates the X.509 standard can be used, and also the certification chain/the confirmation path – in order to avoid the uncertainty and distrust of the users.
4.1.2 Standards and legal base of PKI
This chapter reviews the most important in existing standards and the legal base of PKI, functioning in Lithuania and other countries.
4.1.2.1 Standards
Types of issue the PKI Standards deal with, that is, areas of operation of a PKI covered by standards are those:
The format of the public key certificates (the most fundamental issue for a PKI).
Standards for certificate management (a range of different types of interaction between Certification Authorities (CAs) and their clients,
26
including issues such as initial registration, certificate requests, and revocation requests).
Accessing Certificates (Once certificates have been created, there is a need for certificate users to be able to retrieve them from where they are stored).
Standards covering revocation and certificate status (Once certified, there may be a need to withdraw a public key from use prior to the expiry date— this is known as revocation. As a result there is a need for a certificate user to be able to determine the status of a certificate, i.e. whether it has been revoked).
Standards covering time-stamping Services (supporting long-term use of signed documents, and in particular to enable a digitally signed document to have validity after the expiry or revocation of the public key).
Recently there were standards developments in the area of a variety of other Trusted Third Party (TTP) services relevant to PKIs.
Policy and Certification Practice Statements (an understanding of what a certificate means for any effective use of public key certificates) [7].
General standards recognized globally defines more technical, technological specifications of PKI. Lithuanian governmental institution for supervising the digital signature provides the list of standards in these three categories:
1. ETSI (The European Telecommunications Standard Institute) – requirements for service providers, the framework of certificates and time stamp tokens, the formats, XML advanced electronic signatures (XAdES)
2. CEN (Comité Européen de Normalisation) – safety requirements for trusted digital signatures certificates management systems (signing operations, key generation)
27
3. ISO (International Organization for Standardization) - Information technologies, security methods, IT security evaluation criteria.
4.1.2.2 Legal base
Lithuania
Lithuania has one main law that regulates the PKI in this country – Law on electronic signature (Lithuanian Electronic Signature Act). In summary, the Lithuanian Electronic Signature Act provides the first steps for the creation of a legal basis for electronic commerce. The law regulates the creation, checking and validity of the digital signature, rights and responsibility of users of digital signatures, certification services and requirements to the providers of such services, the rights and functions of the electronic signature supervision institution. A safe digital signature now has the same legal effect as a signature in written documents and must be considered as evidence in court proceedings.
Liability of Certification Authorities, stated in the Lithuanian Electronic Signature Act: A certification-service-provider who issues qualified-certificates shall be liable for: 1) accuracy of issued certificate’s data; 2) that the person indicated in the issued certificate is the holder of the signature-creation-data, corresponding to the signature-verification-data indicated in the certificate; 3) correlation between signature-creation-data and signature- verification-data, when he creates both these data, upon the request of the person; 4) suspension or revocation of the validity of the certificate on time. A certification-service- provider, who issues qualified-certificates or guarantees the qualified-certificates issued by other certification-service-providers, shall compensate signature users for inflicted damages, according to the procedure established by laws.
Provisions Relating to Presumptions: A secure-electronic-signature, created by a secure-signature-creation-device and based on a qualified-certificate which is valid, shall have the same legal force that a hand-written signature in written documents has and shall be admissible as evidence in court. A signature may not be deemed invalid based on any of the grounds listed below, that it is: 1) in electronic form; 2) not based upon a qualified-certificate: 3) not based upon a qualified-certificate issued by an accredited certification-service- provider; 4) not created by a secure signature-creation device.
28
Summary of the Lithuanian Electronic Signature Act:
The Electronic Signature Act provides the first steps for the creation of a legal basis for electronic commerce. The law regulates the creation, checking and validity of the digital signature, rights and responsibility of users of digital signatures, certification services and requirements to the providers of such services. A safe digital signature now has the same legal effect as a signature in written documents and must be considered as evidence in court proceedings.
This Act is in compliance with EU Directive 99/93/EC, as well as with the requirements of the Council on a Community Framework for Electronic Signatures.
Another non-lithuanian (international) act that regulates PKI is “Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures”. The purpose of this Directive is to facilitate the use of electronic signatures and to contribute to their legal recognition. It establishes a legal framework for electronic signatures and certain certification-services in order to ensure the proper functioning of the internal market.
Spain
Spain has the Spain Electronic Signature Law for regulating the usage of the digital signature in the country. It covers issue of Electronic Signature and is applied to the use of Digital Signatures.
The definition of Digital Signature: The set of data, in electronic form, attached to other electronic data or functionally associated to them, used to formally identify the author or authors of the surrounding document. Advanced Digital Signature is a digital signature which allows identification of the signer and has been created by means under his or her exclusive control, so that it is univocally bound to him and to the referring data, so that any later modifications can be detected.
Provisions Relating to Presumptions: The advanced digital signature, whenever it is
29 based on an accepted certificate and has been produced by a secure signing device, will have, with respect to the digitally signed data, the same value as handwritten signature has on paper documents, and will be admissible as proof in trial.
Summary of the Spain Electronic Signature Law:
The Spanish Electronic Signature Law regulates the use of digital signatures, recognizes them as legally binding acts, and clarifies how the certification services will be provided to the users. It also states that a digital signature will be admissible as evidence in court if it is based on an accepted certificate and was produced by a secure signing device. It is developing PKI-based initiatives for the use of digital signatures in communications between citizens and public administration.
On March 20th, 2004, a new Electronic Signature Act (Law 59/2003 on Electronic Signature, dated December 19th) entered into force in Spain. It covers issue of Electronic Signature and relates to electronic signatures and electronic transactions and is said to have launched a second round for the digital signature in Spain.
The new act replaced the legal regime set forth by Royal Decree 14/1999 (the Spain Electronic Signature Law). Both legal texts are based on the principles set out by the EC Directive No. 1999/93, which aimed at creating a harmonized legal environment that may encourage the use of this kind of technology. The new Act shares with the Royal Decree the same ambitious goal: to generalize the use of electronic-authenticating systems so users may rely on their online transactions and activities with the same degree of security that applies in the “offline world”; but it takes a different, more flexible, approach [8].
In summary of the New Electronic Signature Act of Spain we can say that the purpose of the New Electronic Signature Act is to promote secure and efficient utilization of electronic communication by specifying requirements for electronic signatures. This new legislation promotes generalized use of electronic signatures within the private sector.
This Act contains a number of requirements and provisions regarding certification authorities that issue so-called recognized certificates for electronic signatures. It also
30 regulates the issuance of Electronic Identity Cards, equivalent to the present National Identity Documents (DNI).
This Act contains a few supplementary provisions to the existing legislation on protection of personal data. According to the Act, a certification authority may only collect personal data in connection with its activities directly from the person in question or with the explicit consent of that person, and only insofar as the data are needed for the purposes of issuing and maintaining a certificate. A certification authority must not pass on or process data for any other purpose than required for issuing or maintaining a certificate without the explicit consent of the person in question. This ensures that data collected by a certification authority without the consent of its customers cannot be used for marketing purposes [9].
Estonia
In Estonia, the Digital Signatures Act was enacted and is effective till December 15, 2000. It covers Digital signatures and is generally applicable to all communications.
The definition of Electronic Signature in the estonian law: A digital signature is a data unit, created using a system of technical and organisational means, which a signatory uses to indicate his or her connection to a document. A digital signature is created by a signatory using a signature creating device (hereinafter private key) to which a signature verification device (hereinafter public key) uniquely corresponds.
Provisions Relating to Presumptions: A digital signature has the same legal consequences as a hand-written signature if these consequences are not restricted by law and if the compliance of the signature with the requirements of subsection 2 (3) of this Act is proved.
Summary of the Estonian New Electronic Signature Act:
The Digital Signature Act establishes the legal validity of digital signatures and the procedure for exercising supervision over the provision of certification services and time- stamping services. This Law also specifically provides Legal consequences and the Use of digital signatures [10].
31
4.1.3 Initiatives and applications of PKI
Here are described governmental, business and society initiatives in Lithuania, together with existent and possible applications of digital signature.
4.1.3.1 Governmental, business and society initiatives
The World Economic Forum has released The Global Information Technology Report 2007-2008 with The Networked Readiness Index 2007–2008 rankings (Annex 1) of all the countries in the world, where Europen countries Denmark, Sweden and Switzerland take the first three places, and the countries Lithuania, Latvia, Estonia and Spain appear in these positions (Table 4.1):
Table 4.1 ”The network readiness ranks given by the World Economic Forum to the Baltic states and “Spain”
2007-2008 Country/Economy Score rank 20 Estonia 31 Spain 33 Lithuania 44 Latvia
The source: created by author by refering to The Global Information Technology Report 2007-2008 of the World Economic Forum
Considering the places between the first 50 countries in the world, whereas in the report total 127 countries were evaluated, the places achieved shown in the table 4.1 are relatively good. That means that the countries that are mentioned here in the paper have developed their networking technologies effectively, because the report measured many factors. Consequently we can make a little deduction here that we can associate this with the status of PKI in every country too, because in order to develop PKI, first we have to have a strong technological base. There is no doubt, that a country having great network readiness
32 and growing rates has to take care of its network security too. Besides, the practice shows that Estonia is on a higher technological “wave” than Lithuania and Latvia, e.g. the CA of Estonia can even provide digital certificates to other two Baltic states, especially Lithuania.
Lithuania
While returning back to the opportunities for the organizations and digital signature users in general provided by the PKI, here we have described some government initiatives for making some public services electronically available. These include the project of e- government in general, and attempts of other state institutions to contribute to the public e- services.
The Gates of the e-government, the portal of electronic public services (Elektroninės Valdžios Vartai, Elektroninių viešųjų paslaugų portalas) were released and began functioning, where the users signed in the system can access and use some public services that are already provided electronically by some state institutions, for example the state tax inspection, social insurance fund, municipalities of cities and towns [11].
The state tax inspection (VMI, Valstybinė mokesčių inspekcija) some time ago installed system of income declaration in an electronic way – since 2004 accepts electronic income and property declaration of residents. By now the users of internet banking services of many commercial banks in Lithuania can sign a contract in the internet and to lend declarations in the electronic way.
The state social insurance fund board next to the Social security and work ministry („Sodra“, Socialinės apsaugos ir darbo ministerija) use the current PKI that they have for encoded data exchange between Fund board and banks (the sheets for paying pensions), also between the Fund board and pension accummulation companies (to administer the pension accummulation contracts register and to transfer fees to pension funds). Now the new electronic system for servicing the was launched by social insurance fund board and the employers can use the services with connecting to it through the internet.
Information society development committee (Informacinės visuomenės plėtros komitetas, IVPK) is implementing an investment project of electronic documents excange -
33
„Digital signature implantation in national institutions“, which objective is to change short time archiving (up to 5 years) documents that travel between national institutions to digital ones, confirmed with secure digital signature. For this reason electronic documents excange between national institutions module (DMM, dokumentų mainų modulis) is being developed. The main obstructions in the project are: the ministries do not have inner order determining the procedures of e- documents exchange, including document preperator activity regulation, the load of the ministry epmployees grows because in this stage of the project the paper documents and their digital versions are duplicated.
The e-Signature Program E3P (Elektroninio parašo proveržio programa) is a joint initiative where the main members are Lithuanian Government, banks and communications companies. The project is dedicated to achieve massive usage (at least 300 000 active users) of secure electronic signature technology, based on Public Key Infrastructure (PKI) in Lithuania in 3 years.
The e-Signature Program E3P in its publicly declared plan presents means applied in 2007-2009 in order to achieve the main E3P goals and they include the means for complementing the infrastructure with RA´s (mobile operators), applications in the spheres of authentication (internet banking and Omnitel self-service portal), documents signing for physical person and enterprises, instructions, E3P members migration from paper documents to e-documents.
An organization should be insterested in these plans of implementing documents signing for physical person and enterprises:
- Omnitel contracts with clients and partners will be signed, the second half of 2008 - SODRA declaration delivering, the first half of 2008, - VMI declaration delivering, 2009 - E3P work with a\the association of municipalities in terms of e-documents acceptance/service (instructions), 2008
Also, these plans for organizing instructions are usefull for an organization:
34
- association’s "Langas į Ateitį" course "E-signature", 2008 (in the pack: E3P members, municipalities, tickets, C2B, C2G, B2B) - SODRA seminars/ instructions for enterprises - e-signature inclusion into the European Computer Driving License (ECDL) courses - E3P presentations and participation on the educational events of other organizations (e.g. Esaugumas.lt)
4.1.3.2 Possible PKI applications
PKI functionality and all the means created can be applied in many spheres: E-government; Universities; Business; VPN (Virtual private networks), etc.
Here we are going to describe and present possible PKI applications in more details.
4.1.3.3 E-government
Some PKI application examples in the e-government sphere according to the experience of China are presented in the table 4.2 below:
Table 4.2 “PKI Application in China’s e-government”
PKI Application Description Details Customs In China, the commerce China’s Goals to be realized in the electronic information security customs area with the help of PKI are authentication system is based these: on PKI (built by Ministry of Realize interconnection and Commerce of the People’s information shared in foreign trade Republic of China). This system area.
35
is mainly used in foreign Carry out all kinds of foreign commerce, foreign trade and trade’s bill to be transferred by correlative areas. computer network. Realize international e-business.
China’s customs utilizes PKI technology to provide Smart card/PK for import and export enterprises as an identity card when customs declaration. Taxation system Now the value-added tax in China’s scheduled goals in the taxation China is audited with computer area to be realized with the help of PKI: system in 50 cities. Value-added tax forge-prevent system has Build an uniform tax issued 6 hundred thousand information integration platform certificates; Forge-prevent tax control authentication system Support administration, and Value-added tax’s computer operation, decision-support of taxation cross audit system are used in and dealing with external information 3,835 districts and counties; etc. Invoice assist checkup system runs too. Finance Internet banking Applications PKI is applied to these internet need PKI: securities of China state finance:
Commercial Bank of Internet securities applications that China’s applications include include stock trading and Bank- B2C, B2B. securities Link service. China Financial The swapper involving Certification Authority(CFCA) stockholder,stock exchange and includes 14 nationwide bank. commercial banks,10 local The certificate issued by CFCA can commercial banks,and 16 realize transfer in security in real securities companies. time.
36
The transaction amount has exceeded 3 thousand billion There are more than 20 sections which by CFCA. use the certificates issued by CFCA to deal with business and transmit important files and information. Social Insurance The government of China has a goal to build center-province- city network based on the E- Government platform where an interconnection, information shared, security, nationwide social insurance information service network would be present. High-tech park HSP (Haidian Science Park) is HSP is open and interactive, meaning HSP (Haidian China's first large-scale high- that visitors and clients can make direct Science Park) tech park. The Haidian “Digital and immediate online contact with the Park” is a pioneering project government in a two-way online designed to transform the communication. The park HSP is All- traditional work mode of the In-One-Site, where different government into a more governmental departments share the advanced and efficient style that same web page to process their work, utilizes the advantages of new and All-In-One-Sheet, which enables technologies, especially the data and information exchange among Internet. businesses and government departments to be done on a single standardized An important job that can be form. done with this system is the online identity authentication for Significance of the HSP is great, one’s business. In other words, because it is a breakthrough in the “one- one can apply for and obtain an stop” governmental working concept. It ID for one’s business, even can introduces a brand-new “all-in-one- present it when necessary. This site”, “all-in-one-sheet” mode geared to
37
ID is issued by the Beijing the “internet era”. Digital Certificate Authority to ensure its authenticity. The source: ceated by author.
Later on here we resume PKI applications in a government sphere of a country, particularly, in China in that:
80 CAs have been built in China. million certificates have been issued. PKI is applied to Customs,Taxation,Finance,Social Insurance,Science Park etc.
The government of China pay more attention to the standardization on PKI - 42 national standards involving PKI fields were worked out and within those 42, 36 national standards adopted ISO standards [12].
4.1.3.4 Universities
Universities can benefit from the availability of a PKI and its use in these ways (Table 4.3): Table 4.3 “PKI application possibilities in universities”
PKI application Features of PKI use Controlled access to More sophisticated access controls copyrighted materials for PKI credentials address many current issues that students occur with expanded use of electronic material (e.g. enabling and enforcing license agreements applicable to students enrolled in particular courses) minimizes the cost of the license by providing access to only the limited number of specific students who need it (for licensees) provides more secure control over access, and no
38
need to enroll each individual user of the service (for licensors) new standards for this sort of interchange may provide more opportunities to share locally developed materials between higher educational institutions - electronically deliver materials from servers of one institution to individuals or groups at some other institution (from the developers to participators in a specific activity) help meet the legal tests for fair use of materials when the institution has made digital reproductions of protected materials to make access more convenient for students greater reliability of the accountability for the use of the materials Publishing Web sites that have access controls that limit access to information "still public and private parts in development" and other working information to research collaborators (while web sites have become an essential mechanism to disseminate results of any research project and more projects involve researchers distributed at multiple locations and institutions) exchange electronic information on a confidential basis for researchers Replacing IP address access PKI resolves the problem that cause Internet controls at Information Protocol address (IP) controls (the standard method Vendor sites used by many Academic Library information vendors to provide access control based on a site license of their materials) - difficulties for academics who may be travelling or using some other ISP to obtain internet dialup service from home or field locations standard credentials acceptable to the vendors could
39
make these transactions more secure, even to the point of encrypting the data during transfers, while providing location independence to the end users Electronically signed PKI provides a standard and secure way to determine submission of student that submissions in web-enabled or web-based assignments with timestamp courses, originated from a specific student, have not been electronically tampered with and were submitted by the assigned deadline this feature and also being able to take tests remotely is an increasingly attractive prospect, as more courses become web-enabled or web-based. Protect sensitive data used by widely applicable because it is an important aspect researchers while enhancing of work in a number of fields its availability simplifies transfer using the network and protects the data stored on network accessible servers from unauthorized access PKI enables such a neccesary secure networked data repository - delivering data sets only to authorized individuals using secure methods. requested data could be transmitted to authorized researchers transparently encrypted in a way that guarantees the data is secure in transit over the network, such that only authorized individuals are able to decrypt it Expand use of Campus enable Enhanced information in campus directories Directory while protecting can a number of useful services for individuals both individual privacy on and off campus. for example constructing and maintaining a mailing list for a group of individuals located at many different campuses would be greatly simplified if interoperable directories were available (on-campus users could locate the individual best able to resolve a problem by searching job description information.
40
Determining what privileges should be provided to a particular individual is often a difficult question that directory information could help answer) however there is an equally strong need to closely control to whom directory information is provided and for what reason. It is necessary to protect individual privacy and to resist harassing or criminal acts. in some cases individuals may need complete privacy protection and yet still need to be able to make use of campus electronic services. Secure wireless networking The rapid adoption of wireless networking creates an additional security problem for the campus network. Without appropriate access controls, individuals on campus could join the campus network through a wireless access point, potentially gaining campus privileges.
Applications for Federal In efforts to improve the efficiency of providing services Student Loans and Services and to enable easy access to personal information, various agencies of the Federal Government are actively developing and deploying systems that depend on PKI. Providing a campus PKI interoperable with the Federal PKI would be a great benefit to members of the institution who will need to use these systems. In particular the number of different electronic credentials an individual needs to obtain and manage is an important consideration Student and Faculty electronic Similarly local efforts to improve the efficiency of delivery interaction with administrative and simplified methods of accomplishing business systems transactions are an important application of a campus PKI. Students might use these systems, for example, to enroll in classes, apply for housing and manage debit accounts. Replacement of paper forms with electronic documents and multiple signatures that cannot be repudiated has
41
applications in numerous campus activities including payroll actions, benefits selection, and grant submission. Use of these systems requires the individual be able to trust the computation, obtain appropriate confirmation, and protect their workstation from attack. The source: ceated by author.
4.1.3.5 Organization
There are many reasons why someone or an organization should consider using a PKI. First, if anyone is transferring sensitive company information they should utilize the benefits of a PKI to ensure that their data is safely and securely transmitted. A PKI provides more thorough protection then simply adding an encryption or digital signature to a message. Since the PKI is composed of many elements, companies, services, people, and products, it provides greater protection then other methods of encryption. Therefore, any company or organization that is seeking complete and thorough protection should use a PKI scheme.
Everyone who is on the Internet and conducting business transactions online can benefit from the use of a PKI. There are many companies that assist in obtaining a private and public key, as well as digital certificate. Certain companies may not only act as a Certificate Authority, but they also renew the certificate as well. Different companies provide services for different rates. Some Certificate Authorities even allow to apply for digital certificates free of charge. When choosing the elements of PKI, it has to be done carefully, with the companies that best meet the needs [13].
4.1.3.6 Business
Any company or organization that sends financial information over the Internet should use a PKI. This includes the small E-Commerce business to large financial intuitions. Small businesses that deal with trade and retail services online will benefit from a PKI scheme that ensures the privacy of their customer’s data. In financial transactions it is vital to let their customer’s know that their banking or credit card information is secure and kept private.
42
Large financial institutions need to implement a PKI to make certain that critical banking data is kept safe and secure. Encryption is an important tool when transferring banking information and must be used to ensure that these documents and data never enter into the hands of unscrupulous or fraudulent individuals or companies.
Businesses can simplify some of the deployment and management issues that are encountered with secured data communications by employing a PKI for management of encryption keys and identity. As businesses move more security-sensitive communications to the public Internet, an effective mechanism must be implemented to protect sensitive information from the growing criminal threat presented on the Internet. When it comes to running a successful online business, ensuring the respect for customer’s privacy is key. One of the most important ways to ensure the protection of customer’s data is by implementing a PKI Scheme for the business.
There are three primary security vulnerabilities of communications over a publicly accessible network:
Identity theft: intruder gains illegitimate access by posing as an individual who actually can access secured resources. Eavesdropping: intruder "sniffs" the data transmission between two parties Man-in-the-Middle: intruder interrupts a dialogue and modifies the data
PKI reduces the likelihood that the secured communications channel is safe from an intruder posing as a trusted entity in the communications, or by knowledge of encryption keys falling into the wrong hands.
Benefits of PKI deployment in business can be those that follow here:
Simplified management of the security infrastructure through automation Increased security through difficulty of compromising certificate-based security Improved management integration for all secured services Tighter control of secure access to business resources
43
As was already mentioned, the public and private keys of PKI can be used in dual way (Figure 4.2):
Figure 4.2. Usage of keys in asymmetric cryptography [15]. The source: Cisco.
Benefits of employing PKI for identity and key management increase with the number of encryption peers, that means, the bigger is the organization, the better.
4.1.3.7 Usage examples
We will describe the benefits of PKI for a business and how it can be used in more details here:
Authentication – it’s important for business to work in a safe and secure network. With a PKI the identity of those using the system of the organization can be easily determined.
Along with the benefits provided by authentication, a PKI also offers companies the ability to use encryption. It is vital to ensuring that all sensitive data is transmitted in
44
privacy and not only protects customer’s data. When the firm’s customers make a transaction at its site, their information is encryptedand they are safe to make online transactions.
PKI Scheme also enables users to apply digital signatures to their messages. This allows businesses reassurance that those who send messages are who they claim to be. This is also very powerful when someone is sending time sensitive materials.
PKIs offer businesses an ability to store their digital certificates in directories. Thus individuals can easily look up the owner or subscriber of a digital certificate to ensure the user’s identity. In addition, businesses may also use a SSL to allow secure encryption over the Internet. This is vitally important for customers to perform business transactions online that include sharing credit card numbers, social security numbers, or banking information.
A Certificate Authority assigns digital certificates to users or subscribers. Using a PKI Scheme ensures that those with digital certificates will have the safety and security needed to provide a secure environment for their users. By registering organization’s information with a Certificate Authority, organization’s customers can trust that organization to be who it says to be and not fear making financial or other personal transactions at its site. When one is part of a PKI, one also knows that his certificate and keys are stored in a secure directory and that his privacy needs are being met.
Finally, companies will find that using certificates not only makes business transactions quicker and more efficient, but it also helps a business create secure relationships with other businesses and customers for the first time. There is no need to take time to research user’s credentials as the PKI Scheme will contain that information in the form of the digital certificate [4.].
To resume, PKIs of one type or another, and from any of several vendors, have many uses, including providing public keys and bindings to user identities which are used for: Encryption and/or sender authentication of e-mail messages (e.g., using OpenPGP or
45
S/MIME).
Encryption and/or authentication of documents (e.g., the XML Signature or XML Encryption standards if documents are encoded as XML).
Authentication of users to applications (e.g., smart card logon, client authentication with SSL).
Bootstrapping secure communication protocols, such as Internet key exchange (IKE) and SSL. In both of these, initial set-up of a secure channel (a "security association") uses asymmetric key (a.k.a. public key) methods, whereas actual communication uses faster secret key (a.k.a. symmetric key) methods.
4.2 Analysis of PKI User Means
This is a review and comparison of some digital signature users means - analogous digital signature software. Client-side solutions have to meet many requirements, because they are in use with all the PKI system and its parts.
4.2.1 Existing created user means available
Hereinafter we describe some possible digital signature user solutions for the organization.
4.2.1.1 DigiDoc clients
DigiDoc is a set of software applications based on OpenXAdES spec/library. Applications include: DigiDoc client DigiDoc portal DigiDoc webservice (SOAP)
46
The client is tested with Estonian, Finnish and Belgium ID-cards and multilingual version available. Technology is integrated in all major document handling systems and Internet banks in Estonia. DigiDoc is a whole environment for providing digitally signed documents and contains: WWW-portal Client programs Programming library Document format
DigiDoc is distributed as a free system. Its architecture is given in the picture below:
DigiDoc Portal is claimed to be a simple WWW-application, because it has: Document downloading/uploading Signing and validity confirmation Verification Sending document to another portal user Sorting/Deleting/Archives
Verification Portal allows to check .ddoc file without ID-card and DigiDoc Client
47 provides the same functionality as the portal. Signing and obtaining validity confirmation Verification of signed document Does not require uploading document to some server Provides for digital signatures without using DigiDoc portal DigiDoc Client
DigiDoc library has these technical properties: • Signing through PKCS#11 and CSP • Handling of validity confirmation • Handling of XML document • Verification • Win32/Unix, C code • DLL & COM under Windows • Java implementation • Distributed under LGPL terms
The document format of DigiDoc is based on XML-DSIG standard and contains subset of ETSI TS 101 903 (XAdES) extensions: Place, time and of signature Role of signature holder Validity confirmation and certificate of OCSP responder
• Multiple original documents can be signed at once • Original document can be embedded or detached • Original document can be XML or any binary format • Multiple signatures are supported • Just one validity confirmation per signature
48
DigiDoc Client is written in Visual Basic. Most of the PKI-specific functionality is carried out by the DigiDoc C-library [18].
4.2.1.2 JUSTA GE (Government Edition)
SSC software JUSTA GE is dedicated to:
1. users who want to sign documents of various formats. JUSTA GE is a freely distributed program, with the help of which the user in his/her computer will be able to sign all the types of documents. JUSTA GE is dedicated to companies that have some kind of document signing order, e.g. the list of the signing persons, the juridic power of their signatures and so on.
2. the creators and exploitors of the information systemas. With the help of JUSTA WEB software the programmers will be able to put the functions of document signing, encrypting and signature checking without much of exertion. This eases the install of digital signature to the existing or newly-created applications [19].
Justa GE (government edition) – software intended in general for state attendants to create a safe digital signature and to check it. The software was purchased by the IVPK by competition, while implementing the project of electronic signature development in Lithuania.
49
Justa GE functions that are available for the users: Signing a file of whatever format Signing one file with several signatures Signing several files in the same breath Comfortable signing and checking through the same menu Ability to check the status of the validity of the certificate Comfortable and informative signature user interface Adjusted to the Windows and Linux operational systemas Stationery expenditure saving Time saving
The software is not an commercial product and all the proprietary rights belong to the IVPK.
4.2.1.3 CDS, Certified Document Services
Certified Document Services (CDS) is the first digital signing solution that allows authors to create Adobe® PDF files that automatically certify to the recipient that the author's identity has been verified by a trusted organization, an Adobe CDS provider, and that the document has not been altered in any way.
Target audience - organizations that communicate critical information to broad audiences, such as financial services organizations and government agencies, are struggling to deal with increasing trends — from phishing to document forgery — that can erode customer confidence and cause liability issues. Now with CDS, individuals and organizations can send certified Adobe PDF documents and forms with added assurance of identity validation and information integrity.
Examples of the potential organizations-users of the solution include:
Financial services and research organizations that publish valuable analyst reports Government organizations that publish policies, legislation, forms, and other critical
50
documents Manufacturing organizations that publish manuals, operating documents, and other critical documents Public companies that publish financial documents
What's new about CDS is that it is the first broad implementation of public key infrastructure (PKI)–based document validation technology, and now anyone using Adobe Reader (6.0 or later) software can easily take advantage of it. While digital signatures have been available for a while, a service that automatically certifies documents from a trusted authority is new. With non-CDS signatures, a user must explicitly "trust" the author of a document. With CDS signatures, trust is built into Adobe Reader and Acrobat® software — no additional software download or configuration is required by the recipient of a certified document to validate its authenticity.
CDS signatures help ensure best practices and the highest level of document integrity because the user's digital credentials must be stored on a cryptographic hardware device, and they must be issued by a WebTrust certified authority using strict verification guidelines.
Key success story of Pennsylvania State University
Penn State is using a CDS solution developed by Adobe's partners and VeriSign, an Adobe CDS provider, to certify their electronic transcripts. One issue of critical concern to Penn State officials was the proliferation of fake diplomas and falsified transcripts — annual sales of which total more than $100 million worldwide. The falsified transcripts have become so advanced that they include watermarks, metallic strips, and other identifiers typically associated with helping to prevent fraud. With the prevalence of fraudulent transcripts on the rise, Penn State needed a reliable way to validate that transcripts came from the school's secure system and were not tampered with by anyone. Otherwise, Penn State could not provide electronic transcript services.
The group decided that CDS with Adobe LiveCycle® Digital Signatures software and digital IDs from VeriSign/GeoTrust provided the requisite capabilities. When recipients open a certified PDF transcript in either Reader or Acrobat, a validation message is displayed.
51
If the certification was applied with a CDS digital ID from VeriSign/GeoTrust, the message provides assurance that the transcript came from Penn State and that its contents have not been changed. This offers peace of mind for the alumnus, school administrators, and the recipient. If a transcript was altered, an error or warning message appears as soon as the file is opened.
Penn State expects a quick return on investment. Staff once dedicated to printing and mailing transcripts can now focus on other student services such as handling student payments and issues with class schedules. At the same time, the university's printing and mailing costs can be decreased by tens of thousands of dollars annually. And alumni benefit from near-instant delivery of transcripts to intended recipients, without having to pay extra delivery charges for overnight shipping.
Desktop-based document certification
Documents can be certified in client- and server-based workflows. In a client environment, a CDS provider issues a digital credential to an individual or an organizational role, which is stored on a USB token or smart card. The individual then uses Acrobat or Reader to sign the document.
Server-based document certification
Adobe LiveCycle Digital Signatures ES software allows organizations to quickly certify and validate large volumes of Adobe PDF files, such as bank statements or financial reports. In this case, a CDS provider issues an organization a digital credential, which is stored on a server-based key management system for added protection. The credential is accessed by LiveCycle Digital Signatures ES to apply the digital signature. The PDF file automatically validates when opened in Reader or Acrobat (6.0 or later).
An organization that wants to enroll in CDS has to contact a CDS provider listed below: ChosenSecurity: a solution for verifying the authenticity and integrity of PDF documents and forms. This new solution enables authors of PDF documents and personalized PDF forms to centrally sign them on a server using a hardware security module (HSM). The recipients can then easily check the
52
validity of the signature within free Adobe Reader. With the new Adobe certificate, ChosenSecurity — the proven experts for digital certificates and security solutions — is addressing in particular the needs of financial institutions, insurance companies, and government authorities.
GlobalSign: issues CDS certificates, DocumentSign Digital IDs, to individuals and departments within organizations. Offers solutions for low- and medium- volume signings through fully automated implementation models capable of scaling to extremely high volumes. The flexibility for organizations to scale their document signing solutions between relatively small and large rollouts as their demand for PDF security grows is a key benefit offered by DocumentSign.
KEYNECTIS: provides and preserves proof of electronic documents (processing of electronic signatures, time stamping, validation, and archiving of documents). With more than 20 million certificates issued, KEYNECTIS is currently the leading French trust services operator, and its mission is to help companies and government agencies protect their electronic exchanges (electronic signature, time stamping, e-commerce, and so on).
VeriSign: allows authors to create Adobe PDF documents that clearly certify to the recipient that the author's identity has been verified by a trusted organization and that the document has not been altered. This solution allows organizations to engage in more secure, reliable electronic document exchange [20].
The services are enabled by the Adobe root certificate authority. CDS enables document authors to sign Portable Document Format (PDF) files, using standard digital certificates, which automatically validate when authors are using free Adobe® Reader® software. No additional client software or configuration is required.
53
Difference between approval signatures and certified signatures
Approval signatures are performed when someone signs a document to show consent, approval, or acceptance. A certified document is one that has a certification signature applied by the originator when the document is ready for use. The originator specifies what changes are allowed; choosing one of three levels of modification permitted: - no changes - form fill-in only - form fill-in and commenting Valid approval signatures produce a “green check mark” and certified signatures produce a “blue ribbon”. Both types of digital signatures provide embedded OCSP and RFC 3161 compliant services resulting in valid signatures well past the life of the DocumentSign Digital ID that signed them.
4.2.1.4 Digital signature in DMS “Sodas”
The document management system was created by the company “Informacinės Technologijos” and has these features given below:
• inner Saperion
– more simple usage, clear transparent integration
– small objects can be signed – e.g., tokens, marks in a sanned view
– encryption possibilities
• a solution created by “Informacinės Technologijos”
– safe, qualified sertificates can be used
54
– in a compound object of a document separate components are kept – files, metadata, digital signatures (XadES)
– only during export/import the container of a e-document is used (currently – based on OpenDocument v1.2; in plans – containers of other formats, e.g. eDoc)
• specialized solutions
– signature integrated in the eFormFiller .ffdata (XML) file (used in “Sodros” Elektroninėje draudėjų aptarnavimo sistema)
4.2.1.5 Digital signature in DEM (Document Exchange Module) provided by IVPK
Just to mention as another available solution for using digital signature in an organization (VMU), Document Exchange Module "DMM" (v.2.2) was made to order of IVPK and distributed for free. It is an e-documents exchange software , congruous with IVPK recommendations. The application is dedicated to employees of offices in state institutions.
4.2.1.6 SSC specially designed PKI platform
Lithuanian CC SSC offers specially designed PKI platform, which can be additionally installed into the organization’s possesed technology and thus guaranteeing the protection of data.
By implementing virtual PKI into organization, this also creates full PKI certification services provision system. In this system the security politics, PKI hierarchy, autentification and digital certificates issuing, revocation can be fully controlled.
SSC virtual PKI system lets integrate digital signatures based data security into already existing organization’s IP infrastructure. The organization can issue certificates of
55 various types, including currently believed to be the safest in the world 128 bite SSL encryption server certificates, S/MIME certificates for protecting email messages and IPSec certificates, dedicated to protect data transmitted by Virtual Private Networks (VPN) [14].
According to EU and Lithuanian law digital certification can be provided by everybody, but trusted certificates are issued only by the firm, that has an exceptional right for this. Thus, in general a certificate can be issued not only for a particular person, but also for the whole server.
4.2.1.7 Comparison of the described user means
Here in the section user means are compared breifly according to the features usefull to an organization. The modules of the DMS mentioned in the latter section will not be included here, because they cannot function all alone and thus cannot be used by single employees without integration into a DMS.
56
Table 4.4 “Comparation of the user means”
DigiDoc JUSTA GE CDS Client and internet portal + _ _ Multilingual + _ ? Tested with ID-cards + + + Tested with USB ? + + Tested with WPKI + - ? (not applicable) Free of charge + + _ Sending document to another (portal) + (portal) - _ user Sorting/Deleting/Archives + (only - _ portal?) Possibility to upload the document to a + (portal) - + server Necessity to upload the document to a + (portal) - _ server Verification of signed document + + + (automatically) Handling of XML document + + + Multiple original documents can be + + _ signed at once Original document can be XML or any + + (whatever _ binary format format) Multiple signatures are supported + + - Adjusted to the Windows and Linux _ + _ operational systemas The document reader has all the - - + necessary for signing/verifying software components integrated TOTAL: 14 9 6
57
It should be noted here that different applications can have problems checking documents signed with another application. i.e.a document, signed with DigiDoc cannot be verified by JUSTA GE.
As can be seen in the totals of the table 4.4, the highest scores for ordinary digital signature usage cirteria achieves the solution DigiDoc.
4.2.1.7 WPKI user means
Wireless Public Key Infrastructure (WPKI) is a two factor authentication scheme using mainly the mobile phone and a laptop. Mainly promoted by banks, mobile operators, and mobile network manufactors.
As the use of mobile devices, especially mobile phones, is increasing G. Rugevičiūtė suggests we need other methods than e-commerce. The Rugevičiūtė‘s thesis work „Use of Public Key Infrastructure (PKI) in Modelling Secure M-Business Systems” concentrates on aspects of PKI in mobile business and states that WPKI is the key technology in using electronic services.
In order to use the WPKI service the user need to have the following: 1. A Mobile terminal (Support: User) 2. A SIM card with WPKI functionality (Support: Mobile Operator) 3. Obtain an original identification by a Certificate Authority (Support: Certificate Authority)
Also, a personal computer and signing software is needed. The latter can be chosen from those described earlier in the last section, compatible with WPKI.
The user connects to a service from a PC and uses his mobile phone to authenticate
58 himself. The computer provides the information channel. When using the service the user is prompted to digitally sign some information on his mobile device either with the goal to identify him, or to sign an agreement provided by the service provider.
As R. Šablinskas states in his presentation in eBaltics forum [21], WPKI solution is ideal for the mass-market due to: – Convenience to the user (mobile phone is always at hand) – Simple operation (no need for the users to learn interface) – Secure operation (signature protection with separate sPIN) – Fast operation (as quick as SMS)
4.2.2 Security requirements for the system and user means
When discussing requirements for PKIs, businesses often neglect the requirement for client-side software. Ultimately, however, the value of a PKI is tied to the ability of users to use encryption and digital signatures. For this reason, the PKI must include client-side software that operates consistently and transparently across applications on the desktop (for example, email, Web browsing, e-forms, file/folder encryption, ...). A consistent, easy-to-use PKI implementation within client-side software lowers PKI operating costs.
In addition, client-side software must be technologically enabled to support all of the elements of a PKI discussed earlier in this paper. The following list summarizes the requirements client-side software must meet to ensure that users in a business receive a usable, transparent (and thus, acceptable) PKI.:
public key certificates - to provide third-party trust, all PKI-enabled applications must use certificates in a consistent, trustworthy manner. The client-side software must validate the CA's signature on certificates and ensure that the certificates are within their validity periods.
key backup and recovery - to ensure users are protected against loss of data, the PKI must support a system for backup and recovery of decryption keys. With respect to administrative costs, it is unacceptable for each application to
59
provide its own key backup and recovery. Instead, all PKI-enabled client applications should interact with a single key backup and recovery system. The interactions between the client-side software and the key backup and recovery system must be secure, and the interaction method must be consistent across all PKI-enabled applications.
support for non-repudiation - to provide basic support for non-repudiation, the client-side software must generate the key pairs used for digital signature. In addition, the client-side software must ensure that the signing keys are never backed up and remain under the users' control at all times. This type of support must be consistent across all PKI-enabled applications.
automatic update of key pairs - to enable transparency, client-side applications must automatically initiate updating of users' key pairs. This activity must be done in accordance with the security policies of the organization. It is unacceptable for users to have to know that their key pairs require updating. To meet this requirement across all PKI-enabled applications, the client-side software must update key pairs transparently and consistently.
management of key histories - to enable users to easily access all data encrypted for them (regardless of when it was encrypted), PKI-enabled applications must have access to users' key histories. The client-side software must be able to securely recover users' key histories.
a scalable certificate repository - to minimize the costs of distributing certificates, all PKI-enabled applications must use a common, scalable certificate repository. Transparent support [17.]
4.2.3 User means convenience evaluation
Principal problems using digital signature in an organization are additional work load, which discourage to use the digital signature, non-intuitive and not comfortable for the user digital documents exchange software (IVPK).
60
Currently the software though is created sufficiently comfortable, but the problem is that there are many questions that are not clear, and only by trying and experimenting additional issues appear, things about what nobody warns before and nobody mentions. For example, the conteiners of DigiDoc sometimes are confusing and it is difficult for a new user to understand where the document begins and where ends, how to save them and to archive them; the software needed for checking the document needs additional components, software and certificates, about what information is not disseminated.
The experience of other countries says that often the first step is the adjustment of Government’s service idea and function, and only then - the development of Information Technology. The reform of the form of industry organization follows as the last step.
4.3 Organizational Aspects of PKI Implementation
4.3.1 VMU internal organizational order and procedures of documentation
Here we are analysing internal organizational order and procedures that are effectual in an organization (for example VDU, Vytautas Magnus University) and that regulate the creation, managing and archiving of documentation.
The procedures and order inside the Vytautas Magnus University is regulated by the official document called ¨reguliaminas¨. This regulating document describes how the emploees should work, the generations of the documents, the duties and subordination of documents and where they have to flow. In general, the system is fairly complicated and the administrators of the decanats or other offices of the university have to wait for the superior to come back to the working place in order to get a signature (while the persons like that spend a lot of time outside the office), to travel between remoted buildings with signed papers in order to deliver them or to send them in other ways (a car, post, etc.), that costs money and time.
The documentation of the university is very diverse. There are faculties, centres, various offices, student organizations, account department, property office, hostels. Documentation in these departments and between them flows very diversly too.
61
In the faculty of informatics all the documents prepared ar signed by dean, they can be confirmed by referent or vice-dean, sometimes they are signed by quartermaster, and later they go to the centre of VMU. The destination depends on the purpose of the document. It can go to staff office, finance office, office of academic affairs, office of students affairs, property office, and so on.
Almost all the students affairs documentation, including all the students applications with their signatures, flows to the office of academic affairs or the Department of Extramural Studies. There the answers to the appplications – prescripts are prepared and are signed by the VMU rector or the prorector of studies.
Every faculty has its own board. Sometimes the dean alone cannot decide some affairs and in this kind of situations the meeting of the Faculty board is called, where the problem arised is discussed and voted. The protocol is written and signed by the chairperson of the board and the referent. Later on the document goes to rectorate or the office of academic affairs. Nobody else signs the document.
Before begining his studies a student has to sign a bilateral agreement, which is also signed by the prorector of the studies. Students are advanced to higher course or expunged for regress with the offering of dean with his signature. The prescript is issued by the prorector of the studies.
The students registration and the sheets of lecturers are signed by themselves respectively students and lecturers.
VMU also has relations outside the organization and keeps in touch with institutions regularly or ocasionally. Of course, sending so, the duplicating of documents in paper and electronic forms still will be present for some period of time.
62
4.3.2 Changing and improving the organizational orders and procedures of documentation
This chapter offers some ways and methods that could be reasonable for an organization for changing and improving the situation of these orders and procedures of documentation, implementing the PKI usage in the organization.
The solution really should be digital signature, especially for Vytautas Magnus University (VMU), because some better methods to work are necessary to the system that becomes old and heavy. The documentation processes also should be considered. The flows should be turned from paper to electronic ones.
The use of single-factor authentication, such as user name and password, has been inadequate for guarding against account fraud and identity theft, in sensitive online services. The introduction of additional authentication provides an added level of security. Acoording to Entrust, a security software and services company, the common encryption issues, facing organizations, are these:
IBE, PKI or a hybrid Securing the mobile workforce Sharing encrypted data outside the organization End-to-end versus gateway encryption Audits and logs The capability of the laptop full-disk encryption alone to provide enough Encryption part of everyday activity The capability of the access control to secure information
There are a broad range of encryption solutions available today and they are often difficult to categorize and compare. Each solution uses one of four standard encryption methodologies. Each methodology offers a different approach to the types of data that can be protected, how to manage the user experience and the place that an encryption solution will occupy in your overall infrastructure.
63
Some methodologies have been developed to be simple point solutions that manage one small aspect of encryption. Others are more robust and offer a more comprehensive set of encryption tools. The following llists presents the features of every kind of solution: Methodology & Uses Overview Strengths Weaknesses
PKI can be used for a range of encryption types in the VMU’s processes including:
• File & folder • E-mail • Full-disk • Mobile e-mail • Mobile data - PKI issues and manages keys and certificates - Provides end-to-end security for data - Robust, comprehensive management - Provides security services beyond encryption including digital signatures and authentication - Standards-based and scaleable - Costly
Identity Based Encryption (IBE) can be used as typically is used for:
• E-mail • Mobile e-mail • IBE is a public-key cryptosystem that can use any string as a valid public key - For example, e-mail addresses and dates can be public keys. - Simple point solution - Easy to understand - There are no public keys because text strings such as the e-mail
64
address are considered the public key - Not based on industry standards - Provides encryption only and no other services such as digital signatures - Closed system using proprietary technology - Client software required for all users including external recipients of data - Decryption keys stored insecurely - Can’t work with other methodologies such as “Encrypting the Pipe”
“Encrypting the Pipe” using Transport Layer Security (TLS) is typically used for:
• E-mail • Mobile e-mail - Encrypts the pipe that transports messages from the sender’s e- mail gateway to recipient’s e-mail gateway - Does not encrypt messages, but provides protection during transit - Simple point solution - Native to Exchange - Easy to use and invisible to the user - Focuses on the most vulnerable part of message delivery - Individual messages are not encrypted - Cannot secure data or messages within an organization - Assumes outside organizations also use gateway encryption - Cannot work with other methodologies such as IBE
Hybrid or PKI PLUS is used for a range of encryption types including:
• File & folder • E-mail • Full-disk • Mobile e-mail • Mobile data
65
- Uses a robust PKI platform combined with simplified management and streamlined operations - Provides end-to-end security for all types of data - Flexibility allows choice for e-mail including gateway- to- gateway encryption - Easy to set up and manage, masks complexity - Robust user and key management - Flexible for all types of e-mail delivery including Web-based - Flexibility can be seen as complex
Talking in general, Digital signatures help organizations sustain signer authenticity, accountability, data integrity and non-repudiation of documents and transactions, as can be seen in the Figure 4.4.
Figure 4.3: Digital signatures functions in organizations The source: Practical PKI, Robert E. Booker, Control Data Systems [22]
Digital certificates’ work in a web site
When a certificate is installed in a web server, it allows users to check the server's authenticity (server authentication), ensures that the server is operated by an organization
66 with the right to use the name associated with the server's digital certificate. This safeguard's users from trusting unauthorized sites.
A secure web server can control access and check the identity of a client by referring to the client certificate (client authentication), this eliminates the use of password dialogs that restrict access to particular users.
The phenomenon that allows the identities of both the server and client to be authenticated through exchange and verification of their digital certificate is called mutual server-client authentication. The technology to ensure mutual server-client authentication is Secure Sockets Layer (SSL) encryption scheme.
4.3.3 The system of choosing encryption methodologies
4.3.3.1 Checklist
Before choosing one of these encryption methodologies, these issues have to be determined: • How important is flexibility to the organization? • Do data and messages need to be encrypted at rest as well as in transit? • Does the organization want to distribute and manage client-side software to every user inside and outside the organization? • Could the requirements of the organization expand to include digital signatures? • Does the organization require the use of standards-based, non-proprietary software components?
More and more organizations are arming employees with the tools to work from anywhere, any time. Employees are accessing the corporate network from hotels, coffee shops and their homes.
67
As more mobile workers work from anywhere, at any time, the corporate security architecture starts to lose the power to protect and prevent incidents. Therefore a need for encryption solutions that are able to extend to all of the devices your users access sensitive data from is raising. E-mail encryption needs to work with BlackBerry and other smart phones. Encryption solutions should be persistent so that encrypted data stays encrypted while in transit or at rest on a mobile device, and decrypted only when needed by the user.
Encryption solutions use several message formats when they are sending encrypted messages. They use different approaches to allow recipients to receive, decrypt and respond to encrypted message, each with their own strengths and weaknesses.
Practical PKI programs are much more than technology decisions. Such programs reuse existing information about individuals, their roles, and their affiliations. Practical PKI programs are built in conjunction with existing human resources systems, as well as a variety of customer and partner systems. Practical PKI programs also use existing organizational policies and practices for registration and revocation. In addition, practical PKI programs focus on deployment for business and application needs, rather than technological elegance.
Successful achievement of these objectives, however, requires careful consideration of four important questions regarding application fit, community, management and administration, and build-or-buy decisions.
68
4.3.3.2 Application Fit
The first practical PKI question would be what applications the organization requires that rely on a PKI.
Figure 4.4: PKI applications and technologies
In the past 4 years, the PKI application scope has evolved from an interesting technology that facilitates data encryption and digital signatures. Today’s PKI application scope supports more compelling organization needs, such as secure e-mail, Web authorization and encryption, virtual private networks (VPNs), and non-repudiation of transactions. Some solutions today are positioned to support the Web and e-mail world, while other solutions are more focused on application authorization and the utopia of single sign- on.
69
Today’s PKI technology also yields several benefits for transaction-oriented applications, including:
privacy through data encryption, transaction assurance through digital signatures, authorization through the use of digital certificates as credentials, and personalization of service. Table 1 relates these benefits to the various PKI applications, and identify the most pressing considerations that contribute to the complexity of the solutions.
Today, organizations can deploy a PKI that issues certificates to support all of these application environments. However, organizations frequently do not require all of these capabilities in their first wave of PKI deployment. The technology continues to evolve rapidly, and architectural planning for requirements that will surface in 2 years remains difficult and still impacts the delivery of today’s solutions.
Practical PKI programs may require deployment of a limited infrastructure to support the most critical and compelling programs. A practical approach is to start small, with limited scope, and grow the solution as new requirements and capabilities emerge.
4.3.3.3 Community
Another relevant practical PKI question is what community one must be able to identify and support through the use of digital certificates. In addition to a variety of technical factors, the complexity associated with PKI deployment encompasses such considerations as:
management and administration of the community of subscribers to the service, support of required desktop software components and revision levels, implementation of sound policies and practices to protect the organization’s interests,
70
integration with the application environments. Each of these considerations increases dramatically as the community size and complexity increases. It is therefore practical to focus initial deployments on specific communities, rather than all of the communities that are candidates for support by the service.
The scope of the community supported by a PKI is also critical to the technology and vendor selection decisions, as well as the overall capital cost and operational cost of the solution. In particular, an organization should consider the following three community-related perspectives:
Open or Closed—In an open community, the identity of an individual is not based on an existing business relationship, as it is in a closed community. Internet portals are an example of an open community application, while online banking applications typify a closed community. The bank must know whom they are dealing with regardless of the use of a digital certificate.
Internal or External—Internal communities consist of employees and application entities within the organization. By contrast, external communities typically consist of trading partners or customers outside of the organization.
Role and Affiliation—The role and affiliation of an individual are often as important as the individual’s identity. This is especially true in dealing with business-to-business relationships, in which an individual acts on behalf of a business with which a trading relationship exists.
Deployment of early PKI applications is easier to achieve in closed communities where an existing relationship already exists. Internal communities are also easier to deploy
71 and manage. However, external communities provide a greater business benefit and a more compelling business case.
4.3.3.4 Management and Administration
Practical PKI question number 3: How do I manage and administer the community and the certificates issued to its individual members? As a practical matter, business priorities and e-commerce dictate the appropriate type of community for initial deployment of a PKI and associated applications. Part of this decision process involves considering the management and administration processes required for PKI. These processes address several required elements that must be considered for PKI solutions both big and small:
Registration and Verification—Organizations may choose from a variety of existing registration models through which individuals or communities may be registered to the PKI service. For example, self-registration may allow a subscriber to complete their own registration application, or it may be based on back-office registration practices. Registration requests must be verified to the level of integrity required by the service. In some cases, the organization may require that an individual validate the application to ensure that it conforms to organizational policy. In other cases, an automated process or existing credentials may be used to validate the application by verifying the individual against existing data services.
Revocation—Revocation is often the forgotten consideration in initial PKI deployments. The use of existing termination processes for employees, customers, and trading partners is more practical than manual revocation processes in which a registration authority must revoke the certificate associated with an individual.
As a practical matter, the use of existing registration and validation processes to identify a closed subscriber community will greatly reduce the complexity of the PKI deployment, and will further leverage existing administrative practices. Human resources,
72 customer, and trading partner databases are all excellent candidates as data sources for a PKI deployment because employees are almost always paid on time, while customers and trading partners are invoiced and have receivables and/or payables.
The use of existing organizational data and practices in the PKI registration process offers the benefit of associating an individual’s certificate with information that may already be known about the individual. Thus, the information about an individual can include attributes and elements that provide a richer application experience. For example, the individual’s e-mail address may reside in a directory service and may be able to be provided to the certificate registration process through an automated process.
A major issue in deploying a PKI is the analysis invested in determining the level of assurance required for identity validation. PKI deployments are often viewed as requiring the level of trust associated with cash management systems and trading systems. This may be appropriate in some cases, but digital certificates can often be used for lower-assurance applications such as secure e-mail or Web authentication. In these cases, digital certificates provide a better level of assurance than user IDs and passwords, provide for a better user experience, and are superior to the existing infrastructure. Therefore, for applications with low assurance requirements, it may be more practical to consider a best-effort approach to identity validation, and reserve the analysis and complexity of highly trusted certificates to applications that require non-repudiation.
4.3.3.5 Build or Buy
It is important to know if it is better to operate one’s own PKI, or is it better to rely on a managed services provider with expertise in this area. The answer to this question is that early in the project cycle, an organization must decide whether to deploy and operate the PKI internally (in-source), rely on a service from a trusted third-party (out-source), or manage the registration process internally and interoperate with a service provider who provides the certificate authority (co-source). The decision involves far more than the cost of
73 ownership/capitalization. The application requirements, the community, and the management and administration requirements all affect this decision.
Different solution providers have different approaches. How to operate the service is a critical decision that requires careful consideration. A "one size" PKI does not fit all application and community needs.
For a closed community, an organization would use essentially the same management and administration model whether the technology is deployed internally or purchased as a service. The organization is always responsible for registration, verification, and revocation of users, as well as publication of certificates to directory services and application repositories. Management and administration affect the cost-of-ownership much more than the capital cost of the software and hardware or the recurring service fees.
In-source solutions are required when the registration and certification processes must be managed internally for statutory or political purposes.
As a practical matter, organizations will end up with multiple PKI solutions in the future. Trusted third parties may be used for lower-assurance applications, such as secure e- mail and consumer Web access while more highly trusted internal services may be used for application authentication, business-to-business communications, and transaction support. Investment in enterprise-wide licensing of specific technologies should be carefully weighed to ensure that the investment in today’s technologies has value for tomorrow’s activities requirements.
Practical PKI is possible with careful planning, reasonable expectations, and good communication both internally and with customers, trading partners, and technology providers will ensure that everything will be successfull from project launch to completion [22].
74
4.4 Evaluation Of Digital Signature User Behaviour And Market
The digital signature user and market aspects are described here in this chapter using the materials of the author’s 2nd master research paper, using the description of the SWOT analysis scheme and the results of user poll.
As it is known in the management theories, user is part of the market, and market can be called “users”. In order to evaluate users, first of all we will apply here the SWOT Analysis, which is a strategic planning tool used to evaluate the Strengths, Weaknesses, Opportunities, and Threats involved in a project or in a business venture. It involves specifying the objective of the business venture or project and identifying the internal and external factors that are favorable and unfavorable to achieving that objective [23].
Table 4.5 “Criteria for SWOT analysis”
Strengths Weaknesses criteria examples criteria examples
Advantages of proposition? Disadvantages of proposition? Capabilities? Gaps in capabilities? Competitive advantages? Lack of competitive strength? USP's (unique selling points)? Reputation, presence and reach? Resources, Assets, People? Financials? Experience, knowledge, data? Own known vulnerabilities? Financial reserves, likely returns? Timescales, deadlines and pressures? Marketing - reach, distribution, awareness? Cashflow, start-up cash-drain? Innovative aspects? Continuity, supply chain robustness? Location and geographical? Effects on core activities, distraction? Price, value, quality? Reliability of data, plan predictability? Accreditations, qualifications, certifications? Morale, commitment, leadership? Processes, systems, IT, communications? Accreditations, etc? Cultural, attitudinal, behavioural? Processes and systems, etc? Management cover, succession? Management cover, succession? Philosophy and values?
75
Opportunities Threats criteria examples criteria examples
Market developments? Political effects? Competitors' vulnerabilities? Legislative effects? Industry or lifestyle trends? Environmental effects? Technology development and innovation? IT developments? Global influences? Competitor intentions - various? New markets, vertical, horizontal? Market demand? Niche target markets? New technologies, services, ideas? Geographical, export, import? Vital contracts and partners? New USP's? Sustaining internal capabilities? Tactics: eg, surprise, major contracts? Obstacles faced? Business and product development? Insurmountable weaknesses? Information and research? Loss of key staff? Partnerships, agencies, distribution? Sustainable financial backing? Volumes, production, economies? Economy - home, abroad? Seasonal, weather, fashion influences? Seasonality, weather effects?
The source: Businessballs [24]
76
The questions that answers the SWOT are provided in the Table 4.4. After acomplishing the analysis, the results of SWOT can be creatively used - Generating Strategies according to the guidelines, given in the Figure 4.4:
Inner factors, current aspects
ADVANTAGES DISADVANTAGES TO USE, TO LEAN ON TO DECREASE, TO COMPENSATE, TOFIX
TO EXPLORE, TO USE TO AVOID, TO REPULSE, TO NEUTRALIZE
OPPORTUNITIES THREATS
External factors, future aspects
Figure 4.4: Illustrative diagram of SWOT analysis results usage
If, on the other hand, the objective seems attainable, the SWOTs are used as inputs to the creative generation of possible strategies, by asking and answering each of the following four questions, many times:
How can we Use each Strength?
How can we Stop each Weakness?
How can we Exploit each Opportunity?
How can we Defend against each Threat?
Ideally a cross-functional team or a task force that represents a broad range of perspectives should carry out the SWOT analysis. In this paper, the analysis of SWOT of PKI is being carried out in only a moderate manner, which means that the SWOT is not covered fully and professionally.
77
4.4.1 Digital signature as innovation
According to Melnikas B., Jakubavičius A., Strazdas R. [25], every organization should seek for innovation, to accept innovations and to apply them into their processes and stimulate the mentioned features:
1. discontentment with current state of affairs and continuous refinement
2. adaptive organizational structures and operational procedures;
3. creative management, acceptance of innovative ideas;
4. experimentation, exploration and continual learning in training and executive development;
5. support for solution methodologies of alternative problems sprendimo metodologijų and alternative decision-making model.
While innovating, an organization should focus to the problem solving and increasing potential, the future, vision seeking leadership, that would help to survive in the modern world.
As the concept „Innovation” signifies an original idea transformed into reality, i.e. realization/implantation of new ideas, and current situation of digital signature in the market is the stage of implementation, consequently in this case managerial methods intended for innovations can be applied. For the strategy of innovations implementation SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis model is used. The results are displayed in lithuanian in the Annex 4.
SWOT applied to the digital signature in the market generally shows that there are more strengths and opportunities of digital signature than those of weaknesses and threats.
Thus, an organization (e.g. VMU) has to realize that a new technology, that is scientifically reasoned and practically tried, bring new opportunities, that are necessary in modern and competitive world.
78
Therefore, an organization (e.g. VMU) must try, experiment in its activity boldly, nor forgetting digital signature, because it was proved that the instalation of digital signature is an innovation that cannot drastically affect or, even in a case of failure, would not bring any critical damage. Still, there is one thing to remember, that benefit and dividend paying is counteb not in point of the brought production profitability, but in point of the human life and working conditions.
4.4.2 User poll
While writing the second research apper of master program a user poll in the internet was dispensed. Its description motivates the poll by the fact that digital signature in Lithuania, like every other innovation that changes more than leisure schedule, is not adopted aidely in the beginning. That’s how a need appears to find out, why it is so and how to anticipate the consciousness of the society to the digital signature adoption in Lithuania. The poll was anonymous; its questionnaire and results are presented in Annex 2 and Annex 3.
The poll “Digital signature using” acomplished in the internet showed that not nearly everybody. That is to say the majority of common users in the market (except specialist of informatics) does not know in particularly wat digital signature is, how it functions and how it is used. The common users in the market didnot meet it anywhere and therefore donot know almost anything about it.
Poll results (Annex 3) showed that the users:
Only heard something about the PKI (34.38%)
Know more or less for what digital signature is used
Only some of them told they use PKI in their workplace or at home, but the majority claimed they donnot use it at all (61.29%)
37.04% of the polled tells that they don’t have conditions to use and to take interest in the PKI
79
The third of the polled users says that the lack of information is the main reason for the obstruction for the PKI
39.06% of them want the method of informing the society to be used like the means of improving the situation of the digital signature in Lithuania
Evidently, the lack of information reaching the users is obvious. That is the reason why we can suggest for every organization to prepare their employees, to send to the public seminars the IT specialists who will be able to train the whole organization, and people who sign documents. The rest system of informing their employees the organization could choose by themselves.
These conclusions of managerial recommendations can be usefull to organizations:
New technology is a necessary condition for survival in the modern world of computerization and competition.
Motivation for improving working conditions and methods, time saving, increasing capability, performance and competitive advantage, focusing on the future and vision seeking leadership – the absence of this motivation – one of the reasons why lithuanian enterprises do not take interest in using digital signature in their own businesses.
Every organization should seek for innovation and to stimulate its features.
Flexibility is critical to activity of an organization, which can increase the acception of PKI [26].
80
5. PROJECT PART: SUGGESTED SOLUTIONS FOR PKI IMPLEMENTATION IN AN ORGANIZATION
Considering previous analysis part and its results, this chapter brings ideas, advice and recommendations for an organization, how to protect themselves and how to use PKI in their processes.
5.1 Digital signature and PKI
While data security is very important issue for communication in a net and communicating in the net is a concurrent of any nowadays organization, any activity would not survive without using cryptography.
As was mentioned before (chapter 4), for an organization the most acceptable solution of available cryptographies would be asymmetric one (PKI), mainly because of its convenience and prevalence. It means that:
1) PKI is convenient for an organization, because the key-exchange system is absolutely undemanding (i.e. physical meeting, dual confidentiality, many different keys for every new partner not needed);
2) PKI has a good availability and like so delivers utility for an organization, because PKI is one of the most prevalent cryptography method and thus harmonizing with clients, partners and others can be more affordable.
Choosing the most appropriate CA in Lithuania depends on the means the user in the organization wants to use and the investment the organization wants to make. Using digital certificates in a smartcard or especially USB memory can be costly, because this kind of manner requires additional expenses for buying the medium with the certificate and also the hardware for reading from the medium (in case of smarcard). Obtaining a digital certificate in a SIM of mobile phone is a cheaper one option currently, only if an organization has enough telephone numbers and telephones available for every signing person or if the emploees agree to use their own numbers and/or telephones.
81
In order to get more information, an organization that is interested in PKI can get in touch with the subjects and projects in Lithuania, that are supervising and developing the PKI, e.g. can consult the websites of the Supervision of digital signature in the IVPK, or the e-Signature Program (E3P), though latter is more complex for an ordinary user.
In Lithuania currently there appear more and more public services that form a base for using PKI. That is to say, many public and business services become electronic. For example, an organization already can use these electronic services of the e-government in Lithuania with the help of digital signature (for authentication):
Social insurance management The documentation electronical rendering to the Communications Regulatory Authority of the Republic of Lithuania The electronic services provided by Vilnius municipality administration (for example, confirmation and issuance of the current and overpast prescripts and their preparation documents copies of the municipality administration director or the reception of the applications for the financial affairs like tax deduction or land rent payments in the Finance department) The information of registers administered by Central Mortgage Office.
For VMU the most important and usefull of those mentioned is Social insurance management, because in the university there work many people, thus the flows of social insurance information are big. Therefore, using PKI here can benefit in two ways: VMU employees authentication for the system; VMU social insurance documentation signed and delivered electronically.
In order to use the services provided by the electronic government portal, the waiter has to be a user of one of the participating banks electronic systems or to have a personal digital certificate of 2 or 3 class, issued by a qualified digital signature services provider. Hence, it is not necessary to have a digital signature in order to use e-government’s services, but e-government’s electronic services provide a possibility of much more comfortable and less time-resource-consuming access way by using digital signature. The technical solution of the service of the electronic government of Lithuania was realized in cooperation with the
82 company „Alna“. The development of e-government services for citizens and businesses aims for improvement of management through computerisation of the Municipality, creation of data bases, their administration and maintenance. The information in the Gates of the e- government, the portal of electronic public services (Elektroninės Valdžios Vartai, Elektroninių viešųjų paslaugų portalas), is published in XML format for information excange with other internet information systems. For that reason the programmers of an organization (e.g. VMU) can interconnect the systems and DB-es with the portal of electronic public services, of course with an agreement of the state instituition that they are trying to connect to. For example, I could suggest that there could be a possibility for an organization (e.g. VMU) to transfer monthly all the information about its employees, their worked hours and salaries safely from their system to the SoDra system and back.
As the author of the “E-government Implementation in Lithuania” Ligita Zailskaitė (KTU) states, the fact that e-signature still does not function put the brake on e-government and e-commerce process, but she admits that both sides affect each other: “E-government can be implemented just in information society (IS), however e-government implementation is a tool of information society development”. However, e-signature is important for transactions, payments, declaration and others e-perorations. That is why an organization (e.g. VMU) can not only intent to use digital signature in its processes, but also to induce its clients and partners to use it too, thus collaborating more effectively. Unfortunately, nowadays the Gates of the e-government, the portal of electronic public services only publishes information, but does not provide any direct link to have an access possibility to the whole system. There are available only approaches through the banks systems and to separated parts of the e- government, to one or two services. The services already can be used though.
The portal for providing electronic services of the State Patients’ Fund at the Ministry of Health, Republic of Lithuania, has problems with its certificate and so the internet explorer warns about dangers related to that and wants to close the window. This kind of breaches show that the system is not prepared and finished completely, though all the DB-es (SoDra and others mentioned above) show the requested results.
As was already stated the difference between electronic and digital signatures, there should be noted that:
83
the digital signature is always used in organizations (e.g. VMU) document signing processes
and the electronic signature is used to be generated inside organization (e.g. VMU) – to protect organization’s data, communication, guarrantee integrity, etc.
It was proved that in an organization, that uses network, frequent personal identification actions or post services, should be met these issues considering PKI maintennance and implementation:
There should be guaranteed all the conditions in an organization to be in keeping with the requirements of the law for the digital signature creation, checking, user rights and duties. It is necessary to select the most propriate means of using digital signature and to purchase them considering the future use and specifics of the usage (a medium to keep the certificate with the private key, user software, etc.) The services that use modern technologies with PKI and that are provided in the market should be adopted into the activity scheme of an organization. It is important to renew and improve the processes and methods of the activity of an organization, to be in time with all other organizations changing to the more advanced (electronic) forms, to take interest in new available tools (especially that are used by the clients, partners, rival firms), to use the digital services provided by the state and business.
For a fast guarrantee of integrity process there are suggested two ways:
the most trusted for this kind of process MD5 and SHA message digest should be used together with HMAC algorithm – safer way to generate MAC (Message Authentication Code) because message digest applied alone all by itself can not guarrantee integrity of a message.
84
digital signature, that is the combination of the message digest and public key encryption, e.g., digital signature with RSA/MD5.
For authentication function organization (e.g. VMU) has to use PKI to encode data sent or to check and confirm digital signature. Digital certification and certificates should be used those provided by local CA (certification authority). The owner will have his own private key and for everybody else who wants to encode information for him or to check his digital signature, his public key will be available. For certificates the X.509 standard can be used, and also the certification chain/the confirmation path – in order to avoid the uncertainty and distrust of the users.
Also, the lack of information for the users was mentioned, together with that it would be useful for the university to organize some training or seminars. The Digital Signature Breakthrough program have instructions in their plans that can be attended by VMU’s employees:
association’s "Langas į Ateitį" course "E-signature", 2008 (in the pack: E3P members, municipalities, tickets, C2B, C2G, B2B)
SODRA seminars/ instructions for enterprises
e-signature inclusion into the European Computer Driving License (ECDL) courses
E3P presentations and participation on the educational events of other organizations (e.g. Esaugumas.lt)
Having an example of IVPK project „Digital signature implantation in national institutions“, an organization, in this case, VMU, has to consider changing documents, e.g., short time archiving (up to 5 years), that travel between departments of the university (VMU) to digital ones, confirmed with secure digital signature. For this reason electronic documents exchange between departments of VMU module (DMM, document exchange module) should
85 be developed. Considering the example of the IVPK project, possible obstructions in the project of VMU can be similar and some could be solved:
University has to create inner order that would be unified for all departments, determining the procedures of e-documents exchange, including document preperator activity regulation,
the load of the departments’ employees can grow because in this stage of the project the paper documents and their digital versions are duplicated. It’s more difficult to solve this problem, but VMU could hire more people during the moving from paper to computer. The only obstruction could be finance, which is critical to educational institutions, unfortunately. Therefore, the state should be involved to take care and finance the migration of the instituional documentation from paper to electronic form.
5.2 PKI applications in VMU
According to the analysis results, PKI can be applied in the university in these spheres:
Controlled access to copyrighted materials for students
Publishing Web sites that have public and private parts
Replacing IP address access controls at Information Vendor sites
Electronically signed submission of student assignments with timestamp
Protect sensitive data used by researchers while enhancing its availability
Expand use of Campus Directory while protecting individual privacy
Secure wireless networking
Applications for Federal Student Loans and Services
Student and Faculty electronic interaction with administrative systems
86
That is, VMU has to establish a project with e.g. several students working-studying together that would realize the funtions mentioned above integrated in one portal or applying to non-relative spheres. The portal could give access to the students where they would find copyrighted materials, assign themselves, apply for loans and other services, interact with administrative systems. Also, university can benefit from PKI by using it in Web sites with private parts, wireless networking.
The documents that can be signed electronically in VMU are provided in the table below:
Table 5.1 ”Documents signed in VMU”
University dimension Documents signed
Inside the Faculty of Informatics Dean decrees
Students applications
Correspondence between lecturers
Declaration of the accumulative notes
Appeals
Between other faculties and departments Various students and lecturers applications
Accounts
Write-off (transfer) acts
Time-boards
Complaints
On a university scale Orders of rector
Staff orders
Duty journeys
87
Student registration into the courses
Students applications
Lecturers applications
Outside the university VMI
SoDra
The Communications Regulatory Authority of the Republic of Lithuania (RRT)
Central Mortgage Office
The source: created by the author.
As is seen, when using PKI and digital signature for not only signing documentation, but also for authentication, these functions can be used inside and outside the organization (e.g. VMU).
5.3 Digital signature user means for VMU
First of all, we will pay attention to the requirements, that have to be considered before choosing a solution. PKI client-side software must be consistent, transparent and technologically enabled to support all of the elements of a PKI, because easy-to-use PKI implementation within client-side software lowers PKI operating costs. These requirements for PKI client-side solutions must be met in VMU:
public key certificates validated and ensured that they are within their validity periods key backup and recovery by interacting between PKI-enabled client applications and a single key backup and recovery system support for non-repudiation - generate the key pairs used for digital signature, but essentially ensuring that the signing keys are never backed up and remain
88
only under the users' control automatic update of key pairs in accordance with the security policies of the organization, VMU (not involving users time) access to users' key histories in order to enable users to easily access all data encrypted for them (regardless of when it was encrypted) a scalable certificate repository for minimizing the costs of distributing certificates
The mobile sulution of PKI has a possibility to provide protection of finance or other important documents transfer or business transactions.
While currently all the public electronical services are provided only via an internet banking system, a PKI user in VMU also must have an internet banking account (in the moment of connection his sofware becomes a bank client). For example, in a “Man-in-the- middle” attack situation (session take-over) the computer can display fake website (Figure 5.1):
Figure 5.1. Man-in-the-middle attack problem (session take-over) and independent wPKI channel
89
The source: “On security issues of the mobile PKI solution”, Ramūnas Šablinskas.
wPKI is capable of protecting transactions, because the mobile channel is an independent channel to display transaction details, and it is more difficult for the “man-in- the-middle” to fraud two channels together in one time. The only thing the user has to do is to decide not to continue the transaction, if he sees different codes in the session. Figure 5.1 shows, how should look the sequence of actions in organizations’ electronic tranzaction fraud situation. We can see, that here the organization and the user have a possibility to protect themselves and the situation in the figure 5.1 can end with the second action (2) after comparing the codes in the screens of computer and mobile phone. It is relevant enough keeping in mind the fact that all the e-government’s provided e-services are available only through the internet banking systems for now.
In order to use the WPKI service the user need to have the following: 1. A Mobile terminal 2. A SIM card with WPKI functionality 3. Obtain an original identification by a Certificate Authority 4. A personal computer with internet and signing software
Meanwhile, considering the results of the comparison presented above, the solution DigiDoc seems to have these advantages: the most easier, cheap (distributed as a free system) comfortable choice for an ordinary user or for organization with only low documentation volume requirements (I suggest VMU currently is in the role of passive observer, so doesnot have much of need for digital signing or load of this kind of processes) it is a whole environment for providing digitally signed documents contains WWW-portal and client programs DigiDoc technology can be integrated into document handling systems, so in other words, it can be treated as a module of DMS.
90
JUSTA GE has all the necessary functions for signing and verifying a digital signature, but compared to other solutions doesn’t have these features:
Client and internet portal Multilingual Application with WPKI Sending document to another (portal) user Sorting/Deleting/Archives Possibility to upload the document to a server The document reader has all the necessary for signing/verifying software components integrated
Certified Document Services (CDS) is a technology distinct from others mentioned in the paper. While it has a successful implementation case in Pennsylvania State University, where served the purpose to prevent fake diplomas and falsified transcripts, the solution cannot be overlooked. The most interesting and superior thing about CDS is that no additional software or configuration is needed. The only user means is free Adobe® Reader® software which automatically validate authors standard digital certificates. One important nuance of this option is paying for the registrators, so resuming about CDS: CDS is costly for VMU CDS have few advantages comparing to the functions other solutions have
When the users of VMU are prepared for a more serious technology, the SSC virtual PKI system can be selected. It has these valuable features:
Integration of digital signatures based data security into already existing organization’s IP infrastructure
the organization can issue various certificates:
- currently believed to be the safest in the world 128 bite SSL encryption server certificates,
- S/MIME certificates for protecting email messages,
- IPSec certificates, dedicated to protect data transmitted by VPN.
91
Finally, the decision was chosen as the solution DigiDoc. However, DigiDoc could appear to be too little for a bigger organization with higher volume of documentation flows. This splits the decision for VMU into these options:
1) Choosing DigiDoc as the primary experimental introductory means, while the usage of digital signature in VMU has slow pace; later after the employees have learned and got used to ir, integrating it like a module into the DMS of VMU;
2) The implementation of PKI in VMU could begin straight from the point of integrating IVPK’s DEM into the DMS of VMU.
5.4 Organizational aspects for PKI implementation in VMU
It was prooved that digital signature is an innovation. It is also known already, that PKI has many advantages to be implemented into the activity of an organization.
First of all, an organization, VMU in this case, has to be prepared to adopt an innovation. It is necessary to know the barriers and blocks of innovation inside an organization and to eliminate them:
To cultivate flexibility of organizational structures and procedures To refuse hierarchical and formal communicational structures, instead implements decentralized, unformal, reason and content based communication, not forgetting the new technologies To refuse obsolete, incongruous to the modern order and stimulate receptivity to the innovations To develop personal creativity, ingenuity and vision search To elimminate hostility to the changes – interest to conserve the old order, unwillingness to accept other peolple ideas and the lack of motivation With reasonable carefullness admit and accept estimated innocuous risk
92
In Figure 5.2 we can see a fragment of an organization, VMU, without securing its processes with PKI:
Inter-communication
Referent of Documents Signing Referent of VMU VMU Informatics faculty account department
M-in-the-Middle VMU inner organizational resources
Figure 5.2: VMU Informatics faculty before using PKI in securing its processes The source: created by author.
Here can be clearly seen that all the organization’s (VMU) inner resources, communications with clients, partners or remote employees, documents printed on the paper, signed traditionally and sent by transport or post – everything that can be vital to the activity of the organization is exposed to the whoever possible, who can be interested (the red pointers indicate the attempts of Men-in-the-Middle to attack organization’s data). Also, the piles of paper (printed documents), likewise the processes of preparing a document, sending and waiting back are overloaded usually in the senses of time, space, finance and employee effort.
By using PKI to protect their data, an organization (in this case, VMU) has a guarrantee, that their inner resources, communications with clients, partners or remote employees, documentation, sent by email (everything vital to the activity of the organization) is encrypted and put under total control. Men-in-the-Middle donot have any possibility to
93 attack organization’s data anymore. Also, the problem of piles of paper (printed documents), likewise the processes of preparing a document, sending and waiting is solved. After an organization uses PKI in its activity, the documentation and communication take less time, space, finance and employee effort, and additionally are safer. The same model of a fragment of an organization (VMU) complemented with PKI is shown in the Figure 5.3:
Inter-communication Referent of Referent of VMU VMU Informatics account faculty Documents Signing department
Checking Private Key Computer Public Key
M-in-the-Middle VMU inner organizational CA resources
Figure 5.3: VMU Informatics faculty after using PKI in securing its processes
The situation in the figure 5.3 shows inter-communication and documentation between two departments of VMU – Informatics faculty and account department, which usually consist of financial, staff wage and social insurance information: The white arrows and rectangles marks the significant unload from the VMU faculty of Informatics processes of signing, queues and delivery; the locks signifies encrypted networks with encrypted communication tunnels (VPN) and usage of SSL (mutual identification of the server and client). The same or similar approaches can be applied to all the other departments of VMU.
Flows of documentation in the departments of VMU and between them are very
94 diverse: faculties, centres, various offices, student organizations, account department, property office, hostels, therefore:
1) firstly Faculty of Informatics has to implement a project of students research, developing, installing and experiments with PKI. 2) secondly, all the VMU departments mentioned have to be integrated with one reasonable adequately developed and tried PKI system (with VMU employees – rector, prorectors, deans, directors, accountants, quartermasters, lecturers, etc.).
When the system has gathered the pace inside the organization (VMU), the PKI system and digital signatures can be used outside with:
1) Students 2) State institutions that provide electronical services or at least use the PKI (SoDra, VMI, etc.) 3) Other partners (other universities, EU institutions, etc.)
IS in VMU that administrates and prepares documents, has to be prepared and maintained oriented to the implementation of digital signature, i.e. the IS has to be prepared to be compatible with PKI.
All the employees in the faculty of informatics have to acquire their own digital certificates just because the faculty of informatics has to show an example to other departments. Alike the faculty of informatics cannot let themselves teach new technologies without using them themselves.
All the other departments (staff office, finance office, office of academic affairs, office of students affairs, property office, the Department of Extramural Studies, Rector, Rektorate, prorectors, etc.) should be able and have an opportunity to check digital signature in the prepared documents, and later of course to use their own digital certificate and digital signature. Accordingly, insructions for the begining users are necessary, together with simplified and streamlined information and guides.
95
In order to acomplish PKI implementation in an organization (e.g. VMU) these elements are needed: 1. To evaluate the needs of the activity and processes. 2. According to the needs, to choose the most suitable PKI technologies, system and user means: a) For smaller needs of several people signing several types of documents and only moderate or small amount of relevant information communicated through network – simple PKI client; b) For big flows of signed documents and much of important information exposed in the network – PKI system, applied to the whole organization of VMU. 3. Digital certificates with particular person’s private and public keys. 4. Trainings and seminars for the employees.
It would be useful inside an organization to have some IT specialists, or at least one, who would prepare instructional material, provide inner instructions for the emploees of the organization, take care of applying to the right subjects, dealing all the technical details. VMU could have some or at least one PKI specialist(s). For smaller organizations it is more difficult to understand where to apply in order to begin to use PKI. Still, some IT services providers have to be hired at least from time to time (if not as an employee of the enterprise) in order to take care of the firm’s computers, net, Internet, website and similar things that are necessary for business.
Much of the complexity associated with deploying a PKI cannot be eliminated. However, practical decisions regarding the early applications, communities, management and administrative practices, and deployment model are critical to early success or frustration. A steady program with milestones that enable early project success is more practical than enterprise-wide deployment plans that impact multiple business units. A gradual and careful investment in specific technologies and service solutions is prudent, given the rate of change in the industry.
96
5.5 The user of PKI in VMU
In general, there is plenty of information published about digital signature, infrastructure, technologies, advantages. Meanwhile for a simple user who doesnot know the new technologies very well, is not clear, what should be done, where and to whom apply to, that one could be able to begin to use his own digital signature. Though the “Skaitmeninio sertifikavimo centras” declare that they provide certification services, however the information provided is complicated for a ordinary simple user in the market. The digital signature breakthrough program announce various plans details and what was done, together with technical specifications, though one cannot find any links to the facts that first of all digital certificate should be obtained, how and where it can be done. In the processes, where documents and their flows are needed, and where the level of computerization is growing, it is necessary and every organization, including VMU, will have to implement digital signature sooner or later, because it will become harder everytime to exchange various contracts, and other documents not only with official institutions of Europe Union, but also with institutions and companies of Lithuania Republic, likewise between each other. This will let:
speed up mentioned processes using digital signature,
consequently the expenses will decline,
because expensive time of the organization will be saved,
the queues of documents and waiting workers will shorten or vanish,
the workers will use their working hours effectively,
and no additional transportation/postal expenses will be needed in order to get signatures of different sides of a contract or a a confirmation, etc.
The experiments carried out with the Vytautas Magnus University showed that with the help of a supervisor who knows how to use the digital signature or a computer administrator the usage is fairly right enough. Though a new, but only a little informed user could loose because of not clear parts in the whole signing-checking process.
97
6. CONCLUSIONS
The paper explored digital signature potential and ways of establishment in an organization in accordance with exploration of user means, internal organizational order, user behaviour. During the research these results were achieved in conclusion:
Bearing in mind the fact that there is provided already the whole PKI system with necessary technological solutions, legal base and government and business electronic services, an organization in Lithuania or another developed country can and should use them for its own welfare in the terms of time, labour resources (human resources) saving by completing part of organization’s tasks electronically. It is safe and legal for an organization to urge the emploees to possess and use their digital sertificates, because of technical solutions, complicated mathematical algorithms, because of the european laws for electronic signature (in addition they state that digital signature is a proof in court; besides, personal data collected by a certification authority cannot be used for marketing purposes).
To resume, PKIs of one type or another, and from any of several vendors, have many uses, including providing public keys and bindings to user identities which are used for: - Encryption and/or sender authentication of e-mail messages (e.g., using OpenPGP or S/MIME).
- Encryption and/or authentication of documents (e.g., the XML Signature or XML Encryption standards if documents are encoded as XML).
- Authentication of users to applications (e.g., smart card logon, client authentication with SSL).
- Bootstrapping secure communication protocols, such as Internet key exchange (IKE) and SSL. In both of these, initial set-up of a secure channel (a "security association") uses asymmetric key (a.k.a. public key) methods, whereas actual communication uses faster secret key (a.k.a. symmetric key) methods.
98
Before choosing one of these encryption methodologies, these issues have to be determined: - How important is flexibility to the organization? - Do data and messages need to be encrypted at rest as well as in transit? - Does the organization want to distribute and manage client-side software to every user inside and outside the organization? - Could the requirements of the organization expand to include digital signatures? - Does the organization require the use of standards-based, non-proprietary software components?
Questions Answers 1 What applications the organization To start small, with limited scope, and grow requires that rely on a PKI? the solution as new requirements and capabilities emerge 2 What community one must be able to Deployment of early PKI applications is easier identify and support through the use of to achieve in closed communities where an digital certificates? existing relationship already exists. Internal communities are also easier to deploy and manage. However, external communities provide a greater business benefit and a more compelling business case. 3 How do I manage and administer the Therefore, for applications with low assurance community and the certificates issued requirements, it may be more practical to to its individual members? consider a best-effort approach to identity validation, and reserve the analysis and complexity of highly trusted certificates to applications that require non-repudiation.
PKI technology - deployed internally or purchased as a service needs a decision involving the cost of ownership/capitalization, the application requirements, the community, and the management and administration requirements: - Management and administration of the ownership are much more expensive than the software and hardware or the recurring service fees. - If the registration and certification aren’t neccesarilly to be managed internally for statutory or political purposes, in-source solutions are not required then.
After the analysis of digital signature user means, the solution DigiDoc seems to be the
99
most easier, cheap and comfortable choice for an ordinary user or only with a need to sign or check documents by several people occasionally. But for a bigger organization this could appear to be too little and the solution should be chosen the whole PKI integrated into the organization (e.g.,VMU) with big flows of signed and checked documents, protecting the communication and organizational inner resources.
VMU has to choose DigiDoc since (the most important advantages): - While being out of the office, the superiors can use their mobile phone and DigiDoc WWW-portal.
- Tested with ID-cards and WPKI
- Free of charge
- Sorting/Deleting/Archives
- Possibility to upload the document to a server
- Verification of signed document
- Handling of XML document
- Multiple original documents can be signed at once
- Original document can be XML or any binary format
- Multiple signatures are supported
DigiDoc - involving further students research, experiments, programming works more functions can be developing according to the advantages of examples of JUSTA, CDS and other distinct software solutions. Also, these missing features could be included: - Adjusting to the Windows and Linux operational systems. - The document reader with all the necessary for signing/verifying software components integrated.
Though the latter one is rather relative, some possible solutions could be searched.
100
Other options are considered in case of DigiDoc problem, inadoption or the like: - Choosing DigiDoc as the primary experimental introductory means, while the usage of digital signature in VMU has slow pace; later after the employees have learned and got used to ir, integrating it like a module into the DMS of VMU;
- The implementation of PKI in VMU could begin straight from the point of integrating IVPK’s DEM into the DMS of VMU.
The benefit of the digital signature as an innovation in an organization was prooved by these main factors discussed in the project:
- While communicating with EU institutions, also shortly with lithuanian, everytime it becomes more complicated to exchange various contracts and other signed documents in the traditional way, because PKI is already used there.
- In organizations there are many processes where important documents and their flows are exchanged unsafely, and where the computerization reaches higher level every day, therefore the need of PKI usage becomes crucial.
- In order to validate signatures of other sides of a contract it has to be sent a few days before and it takes at least several days to wait it back by post, or to be transported by oneselves – this way time and money are wasted, and using PKI can solve this problem by signing the document in several minutes and sending it directly, receiving the other sides signatures by email in several minutes.
- Lack of information about digital signature, finance, access conditions can be a barrier sometimes, but this happens more theorically and the organization can find a gratuitous solution, can easily meet many informational sources, hire or consult a specialist or find a consultant in interested companies of PKI that would help to access all the possibilities that deliver PKI.
SWOT analysis method applied to the digital signature for market (i.e.,users) showed that
101
there are more strengths and opportunities of digital signature than those of weaknesses and threats. Meanwhile the user poll points out that there is a lack of information about the digital signature. Digital signature user behaviour depends on many pasychological things, especially the fear of not knowing, so while knowing this fact an organization, thereby VMU too, could provide some education, invent various informing methods in order to encourage the employees and students that they wouldn’t be afraid to try.
The results of the paper can be used in further research and experiments in the subject of PKI usage in an organization, that can be developed considering deeper exploration of legal aspects and digital signature usage, user means (e.g.smart card, a.k.a. ID card) and compatibility, legal and technical conformance, technologies, practical experiments by implementing a trial version in an organization, VMU or whatever else.
The paper did not consider these issues that could be explored:
1. Smart card-ware: not realized, neither planned means in Lithuania. Therefore, in order not to cosume time and space of the project needlesly, the issue was excluded.
2. Analysis of means compatibility: “if available” was stated in the beginning of the project after consulting with specialist of Omnitel company Ramūnas Šablinskas, because it is said to be a very complicated question and scarcely practicable.
3. Technical solutions conformance to the legal requirements: another very complicated issue, covering more and deeper analysis of the law. It was chosen not to broaden the paper more, because the scope of the work is wide enough.
102
LITERATURE
1. LR Seimas. Lietuvos Respublikos Elektroninio parašo įstatymas. 2000, Nr. 61-1827 [žiūrėta 2007 05 20]. Prieiga per internetą:
103
Coles, [žiūrėta 2008 05 16]. Prieiga per internetą:
104
Šablinskas,
105
ANNEXES
Annex 1 “The Networked Readiness Index 2007–2008 rankings”
106
The source: The Global Information Technology Report 2007-2008 of the World Economic Forum
107
Annex 2
The questionnaire of the poll
Pavadinimas: Elektroninio parašo naudojimas
Lietuvoje el.parašas kaip ir bet kuri kita naujovė, keičianti daugiau nei laisvalaikio tvarkaraštį, ne iš karto priimama plačiai. Sunku patikėti, kad internetas, el.paštas, be kurių nebeįsivaizduojame šiandieninio darbo, pradžioje t.p. nebuvo laikomi rimtais dalykais. Aprašymas: Atsiranda poreikis išsiaiškinti, kodėl taip yra, ir kaip priartinti visuomenės sąmonę prie el.parašo adaptacijos Lietuvoje. Anketa yra ANONIMINĖ ir skirta informatikos magsitrantūros tiriamojo darbo tikslams.
Savininkas: eglev
Tema: Visuomenė
Sukurta: 2007.05.15
Atsakymų skaičius: 32
108
109
110
111
112
113
Annex 3
The results of the poll
Pavadinimas: Elektroninio parašo naudojimas
Lietuvoje el.parašas kaip ir bet kuri kita naujovė, keičianti daugiau nei laisvalaikio tvarkaraštį, ne iš karto priimama plačiai. Sunku patikėti, kad internetas, el.paštas, be kurių nebeįsivaizduojame šiandieninio darbo, pradžioje t.p. nebuvo laikomi rimtais dalykais. Aprašymas: Atsiranda poreikis išsiaiškinti, kodėl taip yra, ir kaip priartinti visuomenės sąmonę prie el.parašo adaptacijos Lietuvoje. Anketa yra ANONIMINĖ ir skirta informatikos magsitrantūros tiriamojo darbo tikslams.
Savininkas: eglev
Tema: Visuomenė
Sukurta: 2007.05.15
Atsakymų skaičius: 32
1. Ar žinote, kas yra el.parašas?
Taip (21) 65.63%
Kažką girdėjau, bet mažai tenumanau (11) 34.38%
Ne (pereikite prie 4 klausimo...) (0) 0.00%
Iš viso negirdėjau apie tokį dalyką (pereikite (0) 0.00% prie 4 klausimo...)
2. Ar žinote, kam yra naudojamas el.parašas?
Taip, daugmaž (18) 56.25%
114
Žinau daugiau, pvz., kad ne tik (9) 28.13% pasirašymams ir kita
Ne (0) 0.00%
Girdėjau, bet mažai žinau (5) 15.63%
Tai manęs nedomina (0) 0.00%
3. Ar naudojate el. parašą savo darbo ir asmeninėje veikloje?
Taip (7) 22.58%
Planuoju naudoti (5) 16.13%
Ne (19) 61.29%
4. Ar norėtumėte plačiau sužinoti apie el.parašą?
Taip, norėčiau sužinoti (28) 90.32%
Tai mane gąsdina/man nepatinka, nenorėčiau (1) 3.23% (labai prašome paskaityti 6 klausimą...)
Kita ar papildoma (2) 6.45%
Kita ar papildoma:
1970.01.01 ne
1970.01.01 Kai susidursiu, pasidomesiu
5. Kur naudojate/naudotumėte el.parašą?
Darbe (18) 36.00%
Asmeniniais reikalais (16) 32.00%
115
Visur, kur pasirašoma,vietoje paprasto parašo ir registracijos,teisių,autorystės ir (15) 30.00% pan.patvirtinimo
Nenaudočiau (labai prašome paskaityti 6 (0) 0.00% klausimą...)
Kita ar papildoma (1) 2.00%
Kita ar papildoma:
1970.01.01 T.p. mokesčių deklaracijoms (VMI priima)
6. Kokios priežastys stabdo Jūsų norą domėtis, naudotis el.parašu?
Nesuprantu/nežinau nieko apie el.parašą, ir tai mane gąsdina/man nepatinka, (0) 0.00% nenaudočiau
Neturiu tam sąlygų (10) 37.04%
Jei man būtų labiau prieinama/suprantama/kita, į tokias naujoves (9) 33.33% investuočiau
Į naujoves neinvestuoju/nemėgstu rizikuoti (0) 0.00%
Laikausi tradicijų, man patinka "seni geri" (2) 7.41% būdai
Kita ar papildoma (6) 22.22%
Kita ar papildoma:
1970.01.01 siuo metu "seni geri"
1970.01.01 Nėra būtinybės
116
1970.01.01 nestabdo
1970.01.01 jai tai butu pakankamai saugu
1970.01.01 nera butinybes, kol kas tai nepopuliaru
1970.01.01 jokios nestabdo
1970.01.01 nestabdo
7. Jūsų nuomone, ko trūksta, kad būtų patogu ir lengva naudotis el.parašu?
Daugiau informacijos (22) 27.50%
Sąlygų naudotis (paprastos, suprantamos prieigos prie sertifikavimo paslaugos, (16) 20.00% kompiuterinių priemon
Lėšų (5) 6.25%
Sąlygų, kur panaudoti el.parašą (10) 12.50%
Nemokamo pabandymo (9) 11.25%
Įstatymų ir jų tikslumo (10) 12.50%
Dirbančiųjų šioje srityje (organizacijų, (6) 7.50% žmonių)
Kita ar papildoma (2) 2.50%
Kita ar papildoma:
1970.01.01 naudotis paprasta
1970.01.01 greiciau veiktu
1970.01.01 kad jo NERA (PARASO)
117
8. Ką siūlytumėte keisti Lietuvoje el.parašo atžvilgiu, kad jis būtų labiau priimtinas, naudotinas?
Informuoti ir šviesti visuomenę, paaiškinti (25) 39.06% el.parašo esmę, principą ir naudojimo sritis
Kurti infrastruktūrą (sąlygas, prieigas), nes (15) 23.44% verta ir bus norinčių naudotis
Tobulinti e.p.įstatymą ir kurti papildomai (11) 17.19% naujus
Leisti nemokamai pabandyti (13) 20.31%
Kita ar papildoma (0) 0.00%
Kita ar papildoma:
1970.01.01 Infrastruktura sukurta, reikia tik laiko, kol prades veikti
9. Kokia informavimo priemonė apie el.parašą Jums būtų priimtiniausia?
Spauda, bukletai, informacinės knygelės, (18) 24.32% straipsniai, mėnesio naujienų leidiniai
Įvairi verslininkų reklama lauke,TV,radijuje,žinomi žmonės...-tikrai (13) 17.57% atkreipčiau dėmesį,susidomėčiau
Internetas - pats/pati ieškosiu informacijos (11) 14.86%
El.paštas - norėčiau gauti informacijos (9) 12.16% el.paštu
Konsultantai. Kur ir kaip Jums preinama (7) 9.46% geriausiai:
118
Konferencijos, seminarai, konkursai, (6) 8.11% žaidimai
Asmeninis laiškas į mano pašto dėželę (8) 10.81%
Jūsų variantas (2) 2.70%
Jūsų variantas/kur ir kaip konsultantai Jums preinami geriausiai::
1970.01.01 parodoje
1970.01.01 Svietimo istaigos/Darboviete
10. Mano nuomone, informavimo ir infrastruktūros finansavimas:
Suvokiu,kad ne konkretaus produkto reklamai,o visuomeninei paslaugai (kaip ir (10) 23.26% internetas,el.paštas)
Iš valstybės ir mokesčių mokėtojų biudžeto dalies, skirtos e-paslaugoms ir e-valdžiai (20) 46.51% formuoti
Iš suinteresuotų verslinkų paramos (9) 20.93%
Kiekvienas norintis turėtų (3) 6.98% prisidėti/nusipirkti/susimokėti
Kita ar papildoma (1) 2.33%
11. Jūsų amžius - įrašykite:
1970.01.01 26
1970.01.01 23
1970.01.01 25
119
1970.01.01 26
1970.01.01 40
1970.01.01 25
1970.01.01 21
1970.01.01 26
1970.01.01 24
1970.01.01 24
1970.01.01 23
1970.01.01 24
1970.01.01 23
1970.01.01 53
1970.01.01 22
1970.01.01 25
1970.01.01 25
1970.01.01 26
1970.01.01 24
1970.01.01 26
1970.01.01 24
1970.01.01 26
120
1970.01.01 23
1970.01.01 24
1970.01.01 16
1970.01.01 24
1970.01.01 35
12. Jūsų gyvenamoji vieta:
Vilnius (9) 28.13%
Kaunas (18) 56.25%
Klaipėda (0) 0.00%
Šiauliai (0) 0.00%
Panevėžys (0) 0.00%
Rajonų centrai/ rajoniniai miestai (1) 3.13%
Miestelis (3) 9.38%
Kaimas (1) 3.13%
13. Jūsų išsilavinimas:
Aukštasis (25) 78.13%
Nebaigtas aukštasis (5) 15.63%
Aukštesnysis (0) 0.00%
Spec. vidurinis/profesinis (0) 0.00%
121
Vidurinis (1) 3.13%
Nebaigtas vidurinis (1) 3.13%
14. Jūsų užsiėmimas:
Tam tikro lygmens vadovas (6) 14.63%
Vidutinis/stambus verslininkas (0) 0.00%
Specialistas (8) 19.51%
Valstybės tarnautojas (6) 14.63%
Darbininkas, techninis darbuotojas (1) 2.44%
Smulkus verslininkas (1) 2.44%
Ūkininkas (1) 2.44%
Bedarbis (1) 2.44%
Pensininkas (0) 0.00%
Studentas (17) 41.46%
Namų šeimininkas (-ė) (0) 0.00%
122
Annex 4
„SWOT quadrants – e-signature (PKI) in Lithuania“
INSIDE
Strenghts Weaknesses
Iššifruoti turint tik viešą raktą neįmanoma Vartotojui nėra lengva iškart suvokti ir perprasti (tokias matematines formules gali paskaičiuoti e.parašą ir jo veikimo procesą, nors iš tiesų tai tik labai daug galingų procesorių dirbdami kartu labai paprasta, tačiau žmonių galvose egzistuoja dešimtis metų). 100% saugu. Saugumą, kokybę didelis barjeras ir baimė dėl nežinomumo. garantuoja sudėtingi matematiniai algoritmai ir šiuolaikinės technologijos.
Atstumas tarp vartotojų ir paslaugos teikėjų (neinformuotumas) kartais yra pakankamai Palengvina ir pagreitina žmogaus darbo ir kitos didelis, ypač jei vartotojai nedalyvauja ir nėra veiklos procesus, kuriuose reikia asmens daugiau mažiau susiję su IT pasauliu. tapatybės, įgaliojimų, teisių, susitarimų patvirtinimo. Sutaupomi popieriaus, transporto kaštai, (šalių) pasirašymo laukimo laikas. El.parašą įmanoma pavogti, nors panaudoti pavogtą el.parašą yra sudėtinga.
Labai plačiai taikomas, gali atlikti daugiau nei tik pasirašymo fuknciją (šifravimas: tinklų Brangu. Verslo investicijos į PKI infrastruktūrą apsauga, informacijos konfidencialumas ir laukia atsipirkimo, kuris užtruko ilgiau, nei slaptumas). tikėtasi ir planuota. Iškyla pavojus, jog atsiradus dar pažangesnėms technologijoms, senesnės taip ir nepanaudotos nebepadengs investicijų. Patogus naudoti, nereikalauja slaptų apsikeitimų raktais, nes viešas raktas prieinamas visiems, 100% saugu. Neturi apčiuopiamos tiesioginės finansinės grąžos.
PKI jau turi realizacijas Lietuvoje: įstatymą, el.parašo priežiūros instituciją, sertifikavimo Geografiškai nuo miesto, informacijos ir centrą, proveržio programą ir reglamentus, technologijų bei sąlygų nutolę kaimo gyventojai specifikacijas ir direktyvas, darbo grupę, turi mažiau galimybių, sąlygų naudoti el.parašą. koordinacinį komitetą, įvairias prieigos
123 priemones ir paslaugų teikėjus (informacines sistemas (dokumentų), internetines pasirašymo sistemas, mobiliąją prieigą ir kt.). Tokiam naujam procesui, kuris iš esmės keičia pasirašymo, autentifikavimo ir autorizavimo principus, įsisavinti reikalingas ilgas laiko tarpas, papildomos lėšos ir organizacijų, Yra taikymo užsienyje atvejų ir pavyzdžių, todėl darbuotojų papildomas darbas tam, kad suderinti egzistuoja patirties ir žinių apie el.parašo senus ir naujus proceso ypatumus. taikymą ir problemas šaltinis.
Kolkas nesutariama dėl geriausio PKI ir CA Verslo sektorius suinteresuotas el.parašą kaip valdymo modelio. prekę padaryti kuo patrauklesnį, paprastesnį naudoti, t.p. suinteresuotas reklamuoti, pateikti kuo patogesnę prieigą ir sąlygas išbandyti, nusipirkti. El.parašas taip tampa gerai žinomas ir lengvai pasiekiamas.
Įneša didelę naujovę į visuomenės ir žmogaus kasdieninę veiklą, taip palengvina ją ir atveria didžiules naujas galimybes dokumentais keistis daug greičiau elektroniškai, iš esmės pakeisdamas darbo ir asmeninės autentifikacijos bei autorizacijos procesus (principus).
Atriša geografinius pančius, žmogaus veikla tampa nepriklausoma nuo pasirašančiojo ir parašą priimančiojo geografinės padėties ir atstumų. Parašą ne tik naudoti, bet ir įsigyti gali bet kuris asmuo, turintis interneto ir/ar elektroninio atsiskaitymo prieigas.
PKI yra moksliškai, teoriškai, empiriškai ir kitais būdais ištirta, įrodyta, pripažinta ir išbandyta šifravimo technologija. Pasaulinės organizacijos (pvz., w3.org, ISO) pripažįsta ir rekomenduoja PKI kaip vieną geriausių saugumo užtikrinimo priemonių.
Gerai pritaikytas ne tik pasirašymui, bet ir saugiam, slaptam komunikavimui internete ar privačiame tinkle. Toks daugiafunkcionalumas
124 yra nenuginčijamas privalumas ir pranašumas.
Valdymo schemų tiems patiems ir skirtingiems atvejams yra daug ir įvairių, kuriamos naujos.
E.parašas sukuria visai kitos prigimties ilgiau išliekančią vertę.
OUTSIDE
Opportunities Threats
Rinka egzistuoja ir vis plečiasi pati savaime, nes Įvairūs šaltiniai teigia, jog įstatymas dar nėra didėja visapusė IT, telekomunikacijų ir visapusiškai apgalvotas ir pilnavertiškai elektroninių paslaugų plėtra, naudojamumas. išbaigtas. Tai gali sukelti nenumatytų problemų, Kur klesti kompiuterizacija, telekomunikacijos ir tiesiog iškilus nesusipratimams ar elektroninės paslaugos, ten egzistuoja el.parašo nesąžiningiems žmonėms perpratus pagrindinius niša, el.parašo būtinybė ir poreikis jam. Kaip įstatymo principus ir bandant jį aplenkti. žinia, Lietuvos infrastruktūra sparčiai vystosi šia linkme, o rinkoje jau dabar nemaža verslo dalis komunikuoja ir tranzakcijas atlieka Nėra tiesioginės e.parašo paklausos, poreikio ir elektroniškai, o čia atsiranda poreikis ir niša iniciatyvos, arba ji kyla iš nepakankamos rinkos el.parašui. dalies (per mažos).
Simetrinis šifravimas ir algoritmai negali konkuruoti su asimetriniu PKI šifravimu dėl savo nepatogaus slapto apsikeitimo raktais, poreikio generuoti vis kitą raktą skirtingiems asmenims ir nesaugumo dėl to, kad vienąkart jau perdavus raktą kam nors, tas raktas to paties asmens nebus panaudojamas dar kartą savininkui komunikuojant su kitais asmenimis.
Atsiranda vis naujos pažangesnės technologijos, kaip pritaikyti ir realizuoti PKI (pvz., privačiuose tinkluose, e-čekiuose, talpinama
125
USB jungtyje, mobiliuosiuose prietaisuose ir t.t.). kompiuterių, IT ir telekomunikacijų pasaulyje kasdien tokių galimybių gali tik daugėti. PKI realizavimo technologijos vystosi.
Europos Sąjungoje viešos organizacijos jau plačiau naudoja el.parašą ir tarpusavio bendradarbiavimui pasiekti reikalinga, kad ir Lietuvos organizacijos pripažintų el.parašą, o tai visų pirma sąlygoja el.parašo naudojimą, visų antra - formuoja paklausos ir rinkos el.parašui tolimesnį vystymąsi.
Gali atsirasti naujų unikalių pardavimo taškų (USP), integruojant kartu su virtualiais privačiais tinklais, el.atsiskaitymais, asmens pasais ir kitais identifikatoriais ir pan.
Propaguoja valstybinės įstaigos, o tai turėtų paskatinti ir vartotojų palankumą.
Nuolat atliekami nauji tyrimai moksle.
126