
EGYPT-MCIT

ITIDA

Egypt's E-Signature & PKI Infrastructure


Seminar on Electronic Signature Algeria 8-9 Dec. 2009

By:

Hisham Mohamed Abdel Wahab, Head of the E-Signature CA Licensing, ITIDA - MCIT, Egypt. Email: hwahab@mcit.gov.eg

KSA 15-16 Dec. 2009

Agenda
Egypt's PKI Model

Operational requirements for CSPs in Egypt

Applying ISO 27001 as Main CSP requirements

CSPs Auditing Procedures


Background: ITIDA

- Established in 2004 by Law 15; financially supported by IT companies.
- E-Signature regulator, promoter, and Root CA.
- IPR protector for software and databases (Copyright Office).
- Empowers IT companies.
- Recognizes best practices in E-Content development.
- Launches E-business initiatives, especially for SMEs.
- Supports R&D.

Background: E-Signature milestones

- E-Signature Law issued in 2004.
- Executive directives of the law issued in 2005.
- 4 CSPs (e-signature certificate service providers) licensed by ITIDA in 2006.
- The Root CA & Gov CA tendered in 2006; the Root CA started work in Sep. 2009.
- 1st CSP got the official permission to work from ITIDA in Oct. 2009.

Background: Getting the experience

Experience drawn from: Germany, Ireland, Singapore, South Korea, Malaysia, Hong Kong.


PKI Model in Egypt (1/2)

Diagram: ITIDA (licensing body and Root CA) sits at the top of the hierarchy. Under it are four CSPs, for public use (the public and interaction with government applications), and one Gov. CA, for government employees (internal use only).

PKI Model in Egypt (2/2)

Diagram: the Information Technology Industry Development Agency (ITIDA) regulates E-Signature and oversees the Certificate Authorities (CSPs); client organizations request digital certificates from the CSPs, which issue them.

PKI Model in Egypt: Licensing section....(1/2)

- Managing the application process for CSPs in Egypt.
- Implementing the criteria / requirements for licensing CSPs.
- Auditing the licensed CSPs.
- Tracking the technology to guarantee having the most secure e-signature technology.

PKI Model in Egypt: Licensing Section .....(2/2)

Licensing Requirements

Licensing

Auditing

Awareness

Customer services


PKI Model in Egypt : Root CA....(1/2)

- Operates a Root CA according to the highest security standards.
- Offers continuous 24h x 7d operation.
- Personalizes the CA and other service chip cards for the CSPs.
- Operates an electronic directory service that includes the certificates of all licensed CSPs.
- Achieves interoperability among CSPs and with other countries.
- Handles the CRLs and E-Signature data of clients in case of a licensed CSP's failure.

PKI Model in Egypt : Root CA....(2/2) How does it work?

Diagram of the signing chain:
- Self-signed Root CA: the Root CA certificate info is signed with the Root CA's private key (Root signature).
- Sub CA: the Subordinate CA certificate info is signed with the Root CA's private key (Root signature).
- Subscriber: the Subscriber certificate info is signed with the Subordinate CA's private key (Sub CA's signature).
- Text document: signed with the Subscriber's private key (Subscriber's signature).

PKI Model in Egypt : Licensed Public CSPs (4)

- Must be under the Root CA.
- Provide Gov. and public certificate services, including SSCD.
- Work as RAs (Registration Authorities).
- Must fulfil ITIDA requirements.
- Use the most recognized worldwide standards for PKI (2048/4096-bit RSA keys, etc.).

PKI Model in Egypt : Licensed Gov CA (1 CA)

- Issues certificates to Gov. employees only, for internal gov. use only, with SSCD.
- Provides Gov. certificate services.
- Under the ITIDA Root CA.
- Works as RA (Registration Authority) for Gov. employees.
- Must fulfil ITIDA requirements.
- Uses a specific type of encryption standards.

PKI Model in Egypt : Strategic Decisions.......(1/6)

Why only e-signature is regulated.
1- The law regulates certificates used in E-signature only.
2- Providers are allowed to provide SSL certificates, for example, with no obligations.
3- Providers can provide any other security services, but when it comes to e-signature this must be regulated by ITIDA.

Why??
E-Signature is the most critical application when it comes to E-Gov. E-Signature will replace the current, traditional signature, so it must work under very trustworthy conditions.

PKI Model in Egypt : Strategic Decisions.......(2/6)

The E-Signature definition in the Egyptian market.
1- Only one type of e-signature is recognized in court.
2- Other types, transactions and e-documents are considered just e-documents or e-writing.
3- Using a third-level smart card / token as SSCD is a must.
4- Physical identification is a must.

Why??
To avoid conflict: if one type of e-signature is compromised, the market will think that the strong types are compromised too! To strengthen the working environment.

PKI Model in Egypt : Strategic Decisions.......(2/6)

What is an E-Signature? Diagram: Digital Certificate + Signer Private Key + Signer Public Key + PIN Code + Secure PIN entry.

PKI Model in Egypt : Strategic Decisions.......(2/6)

E-Signature specification
Smart cards are able to store the private e-signature keys of a card holder without delivering the key to the outside world. Therefore the calculation of the signature algorithm, as well as the key's storage, is performed in a highly secure environment inside the smart card. Thus it is required to have smart cards (reader / readerless / contactless) which use the most advanced security standard available in the market.
- Secure PIN code entry
- Complete separation between the E-Signature application and any other applications.

Standards required:
- Security evaluation: ITSEC E4 or NIST FIPS PUB 140-1 Level 2 or higher
- Certificates: X.509v3
- Smart card: ISO 7816
- Cryptographic algorithms must include RSA, SHA-1
- Interface: Microsoft PC/SC; recommended: PKCS #11 (interface)
- Recommended: Microsoft CAPI (Cryptographic API)
- Recommended: PKCS #15 (syntax standard)

PKI Model in Egypt : Strategic Decisions.......(3/6)

The Gov CA will use its own encryption technique and provide services only for use in internal gov. transactions.
1- The executive directive states that the gov. CA may use its own encryption.
2- The services provided by the gov. CA are for use only in internal gov. transactions.
3- If an end user needs an e-signature service to be used between gov. and private parties, he must get it from a public CSP.
4- Physical identification is a must.

Why??
To secure the sensitive transactions. To encourage private investment according to the national strategy.

PKI Model in Egypt : Strategic Decisions.......(4/6)

ITIDA will run the Root CA
1- ITIDA will be the only body running a Root CA for PKI in Egypt.
2- The main and backup sites of the Root CA are the responsibility of ITIDA.
3- The Root CA will be audited internally by ITIDA auditors, externally by ISO 27001 auditors, and by other gov. entities.

Why??
To ensure an interoperable environment in which trust originates from a common Root CA (strict hierarchy model). A subordinate CA will have one superior, and only one. Strict hierarchies are appropriate for many enterprises, especially where policy controls are to be enforced in a top-down fashion.
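The signing chain sketched in the Root CA diagram and the strict-hierarchy rule in decision 4/6, as an added example in Go (standard library only; this is not code from ITIDA or the presentation): a self-signed Root CA issues the Sub CA certificate, the Sub CA issues the subscriber certificate, the subscriber signs a document, and a relying party accepts the signature only if the certificate chains to the one trusted root. The CA names, serial numbers, lifetimes and the document are constructed; SHA-256 is assumed in place of the SHA-1 minimum the slides list.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // demo helper: panic on error

// Issue creates an RSA-2048 certificate for cn (the key length the slides name); with parent == nil it is
// self-signed (the Root CA), otherwise parentKey signs it (Sub CA, then subscriber). Values are constructed.
func Issue(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey, serial int64) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CA certificates may sign other certificates
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyChain accepts leaf only if it chains to root through subCA: the strict hierarchy
// in which trust originates from one root and each subordinate CA has exactly one superior.
func VerifyChain(leaf, subCA, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// SignDoc signs a document with the subscriber's private key; VerifyDoc checks the signature
// against the subscriber certificate. SHA-256 is assumed here (the slides list SHA-1 as the minimum).
func SignDoc(key *rsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}
func VerifyDoc(cert *x509.Certificate, doc, sig []byte) error {
	h := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, h[:], sig)
}
```

VerifyChain returns a non-nil error for a certificate issued under any other root, which is what lets relying parties enforce "must be under the Root CA" rather than trusting the CSP's word for it.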

PKI Model in Egypt : Strategic Decisions.......(5/6)

Facilitating the financial requirements for licensing
1- The licensee will pay only 0.5 M EGP instead of 1.5 M EGP.
2- 20,000 EGP as auditing expenses will be paid after 2 years of operation.
3- The payments will be annual instead of quarterly.
4- 3% of the revenue will be paid at the end of the 2nd year instead of the 1st year.

Why??
Based on companies' suggestions and market studies. To encourage this new industry.

PKI Model in Egypt : Strategic Decisions.......(6/6)

Leaving the pricing model to the market forces
1- Licensed companies are free to set the price model according to their business model.
2- ITIDA must approve the price list, or any modifications, prior to publishing.
3- ITIDA is responsible for controlling the pricing competition.

Why??
Based on most companies' suggestions. Complies with the current Egyptian market.

PKI Model in Egypt : E-Signature, when it comes to applying!.....(1/4)

Applying for the service
1- Physical identification (the applicant must show up in person).
2- Delivering the service: token / smart card, CD, installed keys plus certificate.
3- Help desk and customer support (CSP, ITIDA).
4- Providing applications (compatible with ITIDA & CSP requirements).
5- Using the e-signature with applications provided by the Gov. or CSPs, or compatible applications provided by other vendors.
6- Renewing / updating the service, changing the provider, or terminating the service.

PKI Model in Egypt : E-Signature, when it comes to applying!......(2/4)

Auditing the service
1- Surveillance and licensing audit by ITIDA.
2- Regular audit by ITIDA.
3- Receiving complaints and providing support in case of disputes.
4- Setting up the compliance conditions (applications & operational).
5- Renewing / extending / terminating the license.

PKI Model in Egypt : E-Signature, when it comes to applying.......(3/4)

Proposed Market Applications
1- E-Government (all applications that need the physical presence of the users).
2- E-Tax.
3- E-Money (money orders will be collected electronically).
4- E-Banking applications.
5- Stock market.
6- Mobile applications.
7- E-Commerce / Payment.
8- E-Education.
9- E-Civil applications.
10- E-Archiving (time stamp is a must).
11- E-Contracting.
12- Installed on the National ID.

PKI Model in Egypt : E-Signature, when it comes to applying.......(4/4)

Types of certificates provided by the CSP
- E-Signature certificates (regulated), for persons and organizations.
- SSL (not regulated).
- Code signing certificates (not regulated).

Sign Contract Details


Web applications such as: Banking & Trade


Current Situation For E-Signature Certificate Service Providers


PKI Model in Egypt : Current Status....(1/2)

- 4 licensed companies as CSPs (E-Signature Certificate Service Providers).
- 1 company finished its infrastructure, was audited, and started work in the Egyptian market on 1 Oct. 2009 (more than 2000 hours of auditing time, team of 13 experts).
- The Root CA was established in Sep. 2009.
- The Ministry of Finance got the license to provide E-Signature service to gov. employees for internal transactions only.

PKI Model in Egypt : Current Status....(2/2)

4 Licensed Companies + GOV CA

1- ACT: http://www.act-eg.com/
2- MCDR: http://www.mcdr.com.eg/
3- EgyptTrust: http://www.egypttrust.com/
4- SNS: http://www.snsegypt.com/

Agenda
Egypt's PKI Model

Licensing requirements for CSPs in Egypt

Applying ISO 27001 as Main CSP requirements

CSPs Auditing Procedures


Licensing Requirements: .....(1)

The detailed requirements are listed in the License Form at:

www.e-signature.gov.eg/materials/License-July-2006.doc
(Arabic language)
- More than 60 pages.
- More than 250 items to be satisfied before getting the license.
- Categorized into financial, operational, technical and administrative.
- References: Law 15, its Directive, the NTRA license, ETSI TS 101 456.

Licensing Requirements: .....(2)

License Sections

Operational

Financial

Technical

Legal


Licensing Requirements: .....(3)

Financial Requirements
- Insurance of $1.5 Million
- Licensing fee $85,000 for 5 years
- Insurance per certificate $200
- 3% of revenue of licensed services

Licensing Requirements: .....(4)

Technical Requirements
- Complete PKI infrastructure.
- Disaster Recovery (DR) site.
- ISO 27001 for information security.
- PKIX (PKI based on X.509).
- Encryption keys with length 1024-2048.
- Using smart cards as E-Signature creation device (SSCD).

Licensing Requirements: .....(5)

www.e-signature.gov.eg/materials/License-July-2006.doc
(Arabic Language )


Agenda
Egypt's PKI Model

Operational requirements for CSPs in Egypt

Applying ISO 27001 as Main CSP requirements

CSPs Auditing Procedures


Why Implement an ISMS System ?


Main Requirement ISO27001: Information is an asset....(1/2)

"Information is an asset, which, like other important business assets, has value to an organization and consequently needs to be suitably protected. Information security protects information from a wide range of threats in order to ensure business continuity, minimize business damage and maximize return on investments and business opportunities." (Quoted from ISO/IEC 17799:2000(E).)

Main Requirement ISO27001: Information is an asset.....(2/2)

Diagram: data exists in many forms: stored on computers, transmitted, printed, written, faxed, on microfilm, emailed, or spoken.

Main Requirement ISO27001: will satisfy...


PROTECTION OF INFORMATION FOR:

CONFIDENTIALITY
Protecting sensitive information from unauthorised disclosure or intelligible interception

INTEGRITY
Safeguarding the accuracy and completeness of information and computer software

AVAILABILITY
Ensuring that information and vital services are available to users when required


Main Requirement ISO27001: Importance for PKI .....(1/2)

Threats to information: sabotage, misuse of data, fraud, vandalism, espionage, natural disaster, error.

Main Requirement ISO27001: Importance for PKI .....(2/2)

- ISO 27001 provides a complete security management system, through: logical security, application security, physical & environmental security, network security, and personnel security.
- Need for dual control through third-party audit.
- ISO 27001 is a complete ISMS that merges business and technology.
- ISO 27001 requires continual improvement.

Accreditation and Certification for ISO 27001


Accreditation & Certification

Everything you wanted to know about accreditation (in 30 seconds). Diagram of the chain of trust:
- European level: EA (European Conformance Accreditation) Forum, EA 7/02.
- Accredited by a state organisation: the National Accreditation Board (ISO Guide 66, EA 45012).
- Certified by a certification body: a European certification body, certifying to ISO 27001.
- Company, Company 2, Company 3: wish to be certified to national or international standards.

The Certification Process

Diagram: an Information Security Management System is certified to the ISO 27001 ISMS standard, producing a certified ISMS. Phase 1: Pre-Audit Study; Phase 2: On-Site Audit.

Agenda
Egypt's PKI Model

Operational requirements for CSPs in Egypt

Applying ISO 27001 as Main CSP requirements

CSPs Auditing Process


CSPs Auditing Process


The process (preparation phase, audit, post-audit phase):

1- Initiating (planning) the audit
- Write an audit plan: scope, objective, criteria
- Determine feasibility & select the audit team
- Contact the auditee

2- Conducting documentation review
- Review the previous audit report, if any
- Request relevant documents
- Review prior to arriving on-site

3- Preparing for audit activities
- Finalize the audit plan
- Prepare work documents
- Assign the audit team

4- Conducting audit activities
- Opening meeting
- Communication during the audit
- Collecting objective evidence
- Closing meeting

5- Preparing, approving & distributing the audit report
- Mention positives & negatives
- Distribute it to the appropriate persons

6- Conducting audit follow-up

Thank you very much


hwahab@mcit.gov.eg
www.itida.gov.eg


Cyberlaws & ICT-related Laws & Regulations

- A comprehensive IPR Law (Law No. 82/2002)
- A comprehensive Communications Act (Law No. 10/2003)
- An E-Signature law (Law No. 15/2004)
- Children Protection Law (2008)

Drafts:
- A Data Protection, Privacy, and Cyber Security law
- A Cyber Crime law
- Access to Information Law
