Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

Digital signatures

Estonia vs the World
by

Anton Keks

on 13 March 2016

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Digital signatures

vs
Anton Keks, @antonkeks
Digital
Thanks!
@antonkeks
signatures
Estonia vs the World
Encryption
transforming data with a key
abc
def
f(key)
symmetric
(ciphering)
PKI
assymetric
key pair
abc
def
f(key1)
f(key2)
private key
public key
Digital signature
data
hash
signature
f
encrypt
(private key)
Signing
Verifying
signature
hash
data
decrypt
(public key)
Strength = hash + encryption
hash
f
hash
kept secret
shared with the world
(one way f)
proof that you own the private key
x509
Certificates
public key
owner's info (x500 DN)
allowed key usage
shared as
is the same?
stored on
ID card
Mobile ID
USB token
file
smart card
SIM card
CA
Certificate Authority
issues certificates
maintains revocations
CRL
OCSP
check public
key validity
trusted by all
Root cert
Issuing cert
Issued cert
The Government
The best CA is
certifies every citizen
standardizes algorithms
provides keys on physical tokens
revokes lost/stolen certs
standardizes file formats
provides software to end users
libraries to developers
(your id)
Estonia
and online services
Passed a law
Started issuing ID cards
As internal ID
Later as EU travel document
2 certificates:
authentication
digital signature
@Y2K
CA tender won by SK
Mobile ID (on SIM card)
2007
Electronic voting
.ddoc format
.bdoc format
for usability
Desktop software, libraries
browser plugins, portals
Russia
you are on your own
Has necessary laws
(like many countries nowadays)
Only GOST-family algos are legal
lots of work on
cross-country compatibility
Software must be FSB-certified
No official CA
No official file formats
DIY digital signatures
Usually hard to work with and
expensive, mostly Windows-only
CryptoPro
Open-source and
cross-platform
Choose tokens (USB), buy them
Build CA (min 3 levels of certs)
Web UI for reissuing of certs
by signing of CSR with expiring private key
Serial numbers and revocations at each level
Issue tokens to people (verifying identities)
Lawyers: different certificate for different needs, many per person
Choose file format: CAdES (PKCS7), PAdES
both contain the data as well as cert chain, signature, timestamp, etc
PKCS11
Securely store private keys for issuing
High incompatibility between services,
many tokens
.cdoc for encrypted docs
Bouncy Castle supports GOST-algos
from 1.50 - compatible with CryptoPro
Java
+ supports parsing and generation of CSR, x509, CRL, CAdES/CMS, etc
on server side
Provide installer with trusted CA certs,
token drivers, browser plugins + certified CSP
Cross-platform and cross-browser support - nightmare :-)
github.com/open-eid
Server
Client
Data
Hardware
Software
CA
Admin
e.g. SHA256withRSA
XAdES
2013
ASiC-E
zip container
(digitally signing them)
2005
2010
2015
E-Residency
GOST R 34.10
CA key and cert management
Signatures
Signature verification and storage
Generate data for signing
Find software for verification
User cert issuing UI
Cert revocation UI
Format
(insecure)
qdigidoc
qesteidutil
jdigidoc, et al
id.ee
digidoc.sk.ee
eesti.ee
RSA -> ECC
DIY
github.com/angryziber/crypto-talk
Full transcript