
Public Key Infrastructure: Sudanese Experience






Presentation Transcript


  1. Public Key Infrastructure: Sudanese Experience. Prepared by: Abdelrahman Abdelgader

  2. Outline • Introduction. • Trust Model. • Policies and Regulations. • Software in Use. • Network Architecture. • PKI-Enabled Applications. • Conclusion.

  3. Introduction • In Sudan there are many ambitious e-government projects, but they need security. • Consequently: • Electronic Transactions Act 2007. • Cyber Crimes Act 2007. • In December 2007, a Presidential Decree formed the NDCC, which is mainly responsible for ensuring the secure and efficient transmission and exchange of information electronically.

  4. Introduction (Cont’d) • As soon as the committee had been formed: • Some committee members visited other countries (e.g. Egypt, Algeria, Tunisia, Turkey, etc.) to study their experiences. • A highly qualified technical team was recruited to be responsible for the technical side of the project. • As a result, many tasks have been accomplished, as we will see through this presentation.

  5. Trust Model • Before choosing / defining our trust model, we had to consider many factors, such as: • Avoiding the complexities associated with some trust models, such as the bridge model. • The regulator must be under the supervision of the government, because it would be too hard to convince the DoD, for example, to allow a private company to be its trust anchor and to be audited and reviewed by that private company! • By Sudanese convention, credentials come from the government.

  6. Trust Model (Cont’d) • As a result we will adopt the hierarchical model. • It allows cross recognition. • We will also consider, in the future, embedding our certificate in the popular web browsers.

  7. Policies and Regulations • Policies and regulations, represented in the Certificate Policy (CP) and the Certification Practice Statement (CPS), determine the entire project plan, • including which trust model will be adopted • and how Certification Authority functions will be delegated to other parties. • A feasibility study was conducted by qualified experts to determine the scope of this project. • Currently our CP, CPS and licensing regulations are ready (available on http://ndcc.gov.sd).

  8. Software in Use • The PKI software is the core PKI component. • Many features were targeted, and – fortunately – EJBCA satisfies them all and more. • Using EJBCA we implement our Root CA, our RA and our OCSP responder. • A reputable LDAP implementation (OpenLDAP) is used to implement our directory server, which publishes the CRL and the subordinate Certification Authorities' certificates.

  9. Software in Use (Cont’d) • All these components have been implemented and tested for stability and reliability. • We are aware of the sensitivity of the signing keys of both the Root CA and the OCSP Responder, so we take into account using high-performance HSMs.

  10. Network Architecture • Proper network design to provide stable and secure IP connectivity. • Network design considerations: • High-availability fail-over + disaster recovery site. • Logical security controls: firewalls + IPS + log server (network layer), open source software (Linux, EJBCA, OpenLDAP). • HSMs for the Root keys and the OCSP responses.

  11. Network Architecture (Cont’d) • Root CA Server “OFFLINE”. • HSM (Hardware Security Module). • Log Server with event-correlation engine. • Servers, ISPs and network devices are duplicated for high availability. [Network diagram; component labels: ISP 2, HSM, OCSP Responders, Directory Servers, LOG Server, RA Servers, HSM, CA Server]

  12. Applications • Using a small-scale implementation, we implemented the following PKI-enabled applications: • Secure e-banking and mobile banking. • E-commerce application. • VPN. • Secure, digitally signed e-mail.

  13. Conclusion • Although in Sudan we have comparatively limited resources, we expect – according to the current achievements – that we will be able to deploy this NPKI in May 2012. • Through this paper we aim to get experts and PKI engineers involved with us and to get some feedback based on their experiences.

  14. QUESTIONS?
