III’s experience in PKI and its application

International Group
Institute for Information Industry

Aug. 2007
Foundation and Functions of PKI

• PKI is to ensure
− Confidentiality
− Integrity
− Authentication
− Non-repudiation
• Foundation of a PKI infrastructure
− Public trust in the operation unit
− Provision of accountability
  − Comprehensive and reliable audit trail, ..
− Ability to manage key pairs
  − Generation, issuance, revocation, …
− Provision of certificate inquiry services
  − Convenient, fast and timely inquiry into a certificate’s validity, applicability, …
PKI infrastructure in Taiwan

[Figure: PKI infrastructure in Taiwan, divided into Taiwan PKI and Foreign PKI. Box labels: Digital Certificate Task Force; General Mgt. Center; Gov’t BCA; Foreign Gov’t PKI Root; Foreign Private PKI Root; Gov’t CA; Biz. Adm. CA; Citizen CA; Other CA; Private PCA; GCA; PCA; CA; Foreign Private PKI CA in Taiwan.]
The ePKI system

• CHT developed and maintained
• Used and operating for GCA, BACA, CCA,
Complying Standards

• Certificate Policy and Certification Practices Framework: RFC 2527
• Certificate format: ITU-T Recommendation X.509 V3 (1997)
• Certificate revocation: ITU-T Recommendation X.509 V2 (1997)
• Privilege Management Infrastructure: ITU-T X.509 4th Edition Draft V4
• ASN.1 syntax: ITU-T X.680, X.681, X.682 and X.208, X.209
• Certificate Management Protocol: RFC 2510
• Certificate Request Message Format: RFC 2511
Complying Standards

• On-line Certificate Status Protocol: RFC 2560
• Public key encryption algorithm: PKCS #1 RSA 1024~2048 bits
• Data encryption algorithm: PKCS #7
• Private key encryption algorithm: Triple DES (CBC mode, with 2 keys or 3 keys)
• Hash function: SHA-1
• Signature algorithm: RSA with SHA-1
• Private key syntax and protection: PKCS #8 and PKCS #5
• Private key storage: diskette, IC card, or specially designed hardware (for CA and RA)
• Key management: X9.17
Key Features

• Highly reliable RA and CA security architecture, meeting ITSEC E3 and FIPS 140-1.
• Flexible design to support all kinds of certificate policies for various business models.
• Unified RA solution to minimize cost and expedite implementation.
• Distributed architecture with expandability and scalability (from enterprise to national infrastructure).
• Interface with SQL and ODBC.
Key Features
• Supports DSA and RSA signature algorithms, with an extension mechanism for other algorithms.
• Key pairs are easily integrated and used in secured browsing and email applications.
• Integrated into IC cards and related applications.
• Interoperable with other standardized PKI schemes and applications.
• Interface with LDAP directory services.
• Supports both Windows and UNIX systems.
[Figure: certificate application and revocation flow. Box labels: Certificate Authority (Certification Server); Registration Authority (Registration Server, Regis. counter); Certificate Repository; Cert. user; Cert. concerned; Cert. Applicant.]

Cert. application: 1 → 2 → 3 → 4 → 5
1. Get cert. sw
2. Apply for cert.
3. Application data (Application approved)
4. Request for cert. issuance
5. Publish issued cert.

Cert. revocation: a → b → c → d
a. Apply for revocation
b. Revocation data
c. Request for cert. revocation
d. Publish revoked cert.

Certificate Repository services: Get cert., Get CRL, Inquire cert. status
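
The two flows in the figure, modelled as an added example (not part of the original slides and not ePKI code). The class names, the rule that only the subject may request revocation, and the sample name are assumptions, and no cryptography is performed. It shows what a relying party sees from "Inquire cert. status" between step c and step d.

```python
from dataclasses import dataclass, field

@dataclass
class Repository:
    certs: dict = field(default_factory=dict)  # serial -> subject DN (step 5)
    crl: set = field(default_factory=set)      # published revoked serials (step d)
    def status(self, serial):                  # "Inquire cert. status"
        if serial not in self.certs:
            return "unknown"
        return "revoked" if serial in self.crl else "good"

@dataclass
class CA:
    repo: Repository
    next_serial: int = 1
    pending: set = field(default_factory=set)  # revoked at the CA, not yet published
    def issue(self, subject_dn):               # steps 4 and 5
        serial, self.next_serial = self.next_serial, self.next_serial + 1
        self.repo.certs[serial] = subject_dn
        return serial
    def revoke(self, serial):                  # step c
        self.pending.add(serial)
    def publish_crl(self):                     # step d
        self.repo.crl |= self.pending
        self.pending.clear()

@dataclass
class RA:
    ca: CA
    def apply(self, subject_dn, id_checked):   # steps 2-3: counter approval gates the CA
        return self.ca.issue(subject_dn) if id_checked else None
    def request_revocation(self, serial, requester_dn):  # steps a and b
        if self.ca.repo.certs.get(serial) != requester_dn:  # assumption: subject only
            return False
        self.ca.revoke(serial)
        return True

def revocation_timeline():
    repo = Repository()
    ra = RA(CA(repo))
    dn = "CN=Example Corp,C=TW"                # constructed X.500-style name
    serial = ra.apply(dn, id_checked=True)
    seen = [repo.status(serial)]               # after step 5
    ra.request_revocation(serial, dn)
    seen.append(repo.status(serial))           # after step c, before step d
    ra.ca.publish_crl()
    seen.append(repo.status(serial))           # after step d
    return seen
```

The middle entry of the returned list is the window a relying party has to account for: the CA already treats the certificate as revoked, but the repository still answers as if it were valid until the revoked certificate is published.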


Certificate Subject
• Can be a person, organization, server, or application program
• Naming: distinguished name in X.500
Hierarchical CA and RA

[Figure: hierarchy of CAs, RAs and RACs]
eCA
  Subordinate CA1: RA11, RA12, RA1a
  Subordinate CA2: RA21, RA22, RA2b
  Subordinate CAn: RAn1, RAn2, RAnn
RACs below the RAs: RAC111, RAC112, RAC11n, RACnnn


Scope of applications and Level of trust
• Scope of applications
− Company’s Intranet
− Inter-companies
− Company – individuals
− Individual – individual
• Level of trust
− Class 1
− Class 2
− Class 3
− Class 4
Reasons for using BA_cert
• Facilitate trust mechanism for online transactions
• Strengthen enterprise competitiveness through G2B services
• Create business values by integrating G2B and B2B services
• Facilitate other secured business models
Application for a BA_cert.

[Figure: BA_cert application flow. Box labels: Corporation Applicant; Internet; F/W; App. processing site; Service window; County gov’t; Desig. Reg. unit; BA-system; RA (batch); Secured op center; Cert. Server; Reg. Server & repository; Cert. issuance; Card making center.]

(1) Application form download
(2) Fill the form
(3) Hand in app. form w/i ID
(4) Review
(5) Print / Issuing cert.
(6) Deliver cert.
(7) Open the cert.
Applications of BA_cert
• BA_cert facilitates trust mechanism for secured online transactions
− G2B, B2B,
• G2B applications
− Registration of corporation and related items
− Online Gov’t procurement procedure
− G2B document exchange,
− Company income tax filing,
− Employee insurance registration,
− Electronic invoice
• B2B applications
− Electronic invoice
− Electronic payment
Business certificates used in the systems
• DOC - Online registration of corporation
http://eicm.moea.gov.tw
• Tendering procedures in gov’t electronic procurement
http://www.geps.gov.tw
• Government document exchange in Security administration
http://eweb.tse.com.tw
• Labor insurance registration and inquiry to Labor insurance agency
http://www.blia.gov.tw
• Customs declaration procedures
http://asp.dgoc.gov.tw

[Figure: sample business certificate IC card. Unified Business Number: 96979933; Card type: primary card; Issue date: 2003/08/07; Chunghwa Telecom Co., Ltd.; MG00000000000001]
Gov’t online service with fund transfer (ft) to treasury

[Figure: fund transfer flow. Box labels: Corporation (BA_Cert, account, password); Serv. site; Payment gateway; Participating bank (applicant); BOT; CBC; OCB; CHT (Authen.); Gov’t agency; Cashier; Checking unit; Desig. agent bank; Accounting; Treasury. Flow labels: ft data validated result file; Fund withdraw; Fund checking result; Notice; Paid-in notice; Receipt (e_mailed with approved permit); Paying-in slip (amount); Checkup; Check sheet (daily); Paid-in fund.]

Applications of other certificates
• Government document exchange with G_cert by officials
• Citizen income tax filing with C_cert
• Medical payment application with H_cert by doctors
• Vehicle administration/services with C_cert
• Online trading of stocks with X_cert
• …
Why III in PKI management
• III has great experience in implementing Taiwan’s e-Gov PKI system
• III plays the leading role in Taiwan’s PKI policy for government
• III has good global connections in the international PKI community
• III develops many PKI-enabling systems for the Taiwan government
• …
Thank you very much