e-Authentication Workshop for ASEAN Member States, Chaichana Mitrpant, December 18th, 2014 (PowerPoint presentation)



SLIDE 1

e-Authentication Workshop for ASEAN Member States

Chaichana Mitrpant

December 18th, 2014

SLIDE 2

Part I

SLIDE 3

Let’s know us first

  • Background and Mission
    – ETDA was founded on 22nd February 2011 by the Royal Decree to Establish the Electronic Transactions Development Agency 2554 B.E. (A.D. 2011)
    – The mission is to develop, promote and support the country’s electronic transactions and services through robust technical and soft infrastructure that addresses ICT and security standards.
  • Leading organization to drive soft infrastructure, i.e. security, standards and law
  • Major projects
  • International stages
  • and several more

SLIDE 4

Share about yourself

  • Name
  • Title
  • Field of work
  • Background and experience
  • or… anything you want to share

SLIDE 5

What brings us to this workshop?

  • e-ASEAN Framework Agreement (agreed in Singapore on Nov 24th, 2000)
  • Intra-ASEAN Secure Transactions Framework (2011)
    – part of the ASEAN ICT Masterplan 2015; Strategic Thrust 2, Initiative 2.4: Build trust and promote secure transactions within ASEAN

SLIDE 6

Workshop objectives

  • Understand the framework
  • Encourage collaboration in adopting the framework and actually implementing a project for trusted cross-border transactions

SLIDE 7

Secure electronic transactions

  • 4 elements
    1. Authenticity
    2. Confidentiality
    3. Integrity
    4. Non-repudiation
  • 3 mechanisms for authentication
    1. Something you know
    2. Something you have
    3. Something you are

[Figure: the four elements Confidentiality, Authenticity, Integrity and Non-repudiation]

SLIDE 8

Cyber world WITHOUT authentication framework

  • Varying authentication requirements for similar applications
  • No or little reusability of electronic identity (account-to-application ratio is 1:1)
  • System-to-system integration requires a bilateral agreement between the two parties and is challenging
  • Full-fledged cross-border electronic transactions are nearly impossible

SLIDE 9

Cross-border transaction in current scenario

  • Registration
    – Different sets of documents are used <= no trust
    – Some need to sign an additional form
  • Usage
    – Different techniques: username & password, token & PIN, mobile number & OTP
    – Banks have to implement the identity proofing mechanism (RA) and the authentication system themselves

SLIDE 10

Our vision

  • Accredited sources of RA associated with a LoA
  • An Authentication Service Provider for each LoA
  • e-Service providers just focus on providing core services without worrying about authentication mechanisms
  • Electronic identity can be shared among different applications, provided that they have the same LoA

SLIDE 11

Intra-ASEAN Secure Transactions Framework Report

Framework structure

  • 1. Assurance Levels and Risk Assessments
    – ISO/IEC 29115:2013
    – OMB M-04-04
    – NeAF
  • 2. Identity Proofing and Verification
    – ISO/IEC 29115:2013
  • 3. Authentication Mechanism
    – NIST Special Publication 800-63-1

SLIDE 12

  • 1. Level of Assurance
  • The Level of Assurance is the result of a risk assessment measured on two factors: the potential harm of getting authentication wrong, and its likelihood
  • The assurance level defines the requirements on identity proofing and verification, the registration process, the authentication mechanism and credential management
  • A higher assurance level requires a higher degree of certainty about, and trustworthiness of, a credential

| Assurance Level | Description                                              |
|-----------------|----------------------------------------------------------|
| LoA1            | Little or no confidence in the asserted identity’s validity |
| LoA2            | Some confidence in the asserted identity’s validity      |
| LoA3            | High confidence in the asserted identity’s validity      |
| LoA4            | Very high confidence in the asserted identity’s validity |

Source: ISO/IEC 29115:2013, Table 6-1, page 7

SLIDE 13

1.1 Risk Assessment

Impact values of authentication failure, per impact category:

| Impact category                                                  | Low                                                          | Moderate                                                                               | High                                                        |
|------------------------------------------------------------------|--------------------------------------------------------------|----------------------------------------------------------------------------------------|-------------------------------------------------------------|
| 1. Inconvenience, distress, or damage to standing or reputation  | Limited and short-term                                       | Serious short-term or limited long-term                                                | Severe or serious long-term                                 |
| 2. Financial loss or agency liability                            | Insignificant or inconsequential unrecoverable financial loss | Serious unrecoverable financial loss                                                   | Severe or catastrophic unrecoverable financial loss         |
| 3. Harm to agency programs or public interests                   | Limited effect                                               | Serious effect                                                                         | Severe or catastrophic effect                               |
| 4. Unauthorized release of sensitive information                 | Resulting in a loss of confidentiality with a low impact     | Resulting in a loss of confidentiality with a moderate impact                          | Resulting in a loss of confidentiality with a high impact   |
| 5. Personal safety                                               | Minor injury not requiring medical treatment                 | Moderate risk of minor injury or limited risk of injury requiring medical treatment    | Risk of serious injury or death                             |
| 6. Civil or criminal violations                                  | No enforcement efforts required                              | May be subject to enforcement efforts                                                  | Of special importance to enforcement programs               |

Source: OMB M-04-04, Section 2.2, Risks, Potential Impacts, and Assurance Levels

SLIDE 14

1.2 Assurance Level Impact Profiles

Source: OMB M-04-04, Table 1

Maximum potential impact tolerated at each assurance level:

| Impact category                                                  | LoA1 | LoA2 | LoA3 | LoA4     |
|------------------------------------------------------------------|------|------|------|----------|
| 1. Inconvenience, distress, or damage to standing or reputation  | Low  | Mod  | Mod  | High     |
| 2. Financial loss or agency liability                            | Low  | Mod  | Mod  | High     |
| 3. Harm to agency programs or public interests                   | N/A  | Low  | Mod  | High     |
| 4. Unauthorized release of sensitive information                 | N/A  | Low  | Mod  | High     |
| 5. Personal safety                                               | N/A  | N/A  | Low  | Mod/High |
| 6. Civil or criminal violations                                  | N/A  | Low  | Mod  | High     |

Case: Internet banking authentication (Individual)

SLIDE 15

  • 2. Registration Requirements

| Assurance Level | Objective                                                                                                              | Controls                                                                                                                                                                | Example                                                                    |
|-----------------|------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------|
| LoA1            | Identity is unique within a context                                                                                    | Self-claimed or self-asserted                                                                                                                                           | Free email; public web board                                               |
| LoA2            | Identity is unique within context + entity identity exists objectively                                                 | Proof of identity through use of identity information from an authoritative source                                                                                      | E-commerce website; specific web board                                     |
| LoA3            | Identity is unique within context + entity identity exists objectively + identity is verified and used in other contexts | Proof of identity through 1. use of identity information from an authoritative source, 2. identity information verification                                             | Cross-organization information exchange; financial report submission system |
| LoA4            | Identity is unique within context + entity identity exists objectively + identity is verified and used in other contexts + verification requires in-person presence | Proof of identity through 1. use of identity information from multiple authoritative sources, 2. identity information verification, 3. entity witnessed in person | Internet banking; e-Tax filing                                             |
SLIDE 16

  • 3. Authentication Mechanisms

Source: NIST SP 800-63. * Depends on implementation details.

| Token type                                  | Example                                                                              | LoA1 | LoA2 | LoA3 | LoA4 |
|---------------------------------------------|--------------------------------------------------------------------------------------|------|------|------|------|
| Memorized Secret Token                      | username and password, PIN, challenge questions                                      | ✓*   | ✓*   |      |      |
| Single-factor One-Time Password Token       | OTP via SMS                                                                          |      | ✓    |      |      |
| Single-factor Cryptographic Token           | cryptographic keys stored in a smart card                                            |      | ✓    |      |      |
| Multi-factor Software Cryptographic Token   | cryptographic keys stored on soft media, requires activation through a 2nd factor    |      |      | ✓    |      |
| Multi-factor One-Time Password Token        | RSA SecurID                                                                          |      |      | ✓    |      |
| Multi-factor Hardware Cryptographic Token   | Hardware Security Module                                                             |      |      |      | ✓    |
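The two tables above (the OMB M-04-04 impact profiles on slide 14 and the NIST SP 800-63-1 token-to-LoA mapping on slide 16) together form a small decision procedure: rate each impact category, take the lowest assurance level whose profile tolerates every rating, then reject any token type that tops out below that level. The following is an added worked example, not code from the workshop or from ETDA; the impact ratings for the internet banking case are constructed assumptions for illustration, and the `TOKEN_MAX_LOA` values are the highest level each token type is marked for on slide 16.

```python
"""Added example: derive the required Level of Assurance from OMB M-04-04
Table 1 impact profiles and check it against NIST SP 800-63-1 token types.
Sample impact ratings below are constructed, not taken from the slides."""

from enum import IntEnum


class Impact(IntEnum):
    NA = 0        # N/A: no impact of this kind is tolerated / assessed
    LOW = 1
    MODERATE = 2
    HIGH = 3


# OMB M-04-04 Table 1: maximum impact tolerated at LoA1..LoA4, per category.
IMPACT_PROFILES = {
    "inconvenience_or_reputation":            (Impact.LOW, Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "financial_loss_or_liability":            (Impact.LOW, Impact.MODERATE, Impact.MODERATE, Impact.HIGH),
    "harm_to_programs_or_public_interest":    (Impact.NA,  Impact.LOW,      Impact.MODERATE, Impact.HIGH),
    "unauthorized_release_of_sensitive_info": (Impact.NA,  Impact.LOW,      Impact.MODERATE, Impact.HIGH),
    "personal_safety":                        (Impact.NA,  Impact.NA,       Impact.LOW,      Impact.HIGH),  # LoA4 cell is "Mod/High"
    "civil_or_criminal_violations":           (Impact.NA,  Impact.LOW,      Impact.MODERATE, Impact.HIGH),
}

# Highest LoA each token type is marked for on slide 16 (NIST SP 800-63-1).
# Memorized secrets reach LoA2 only subject to implementation restrictions
# (the "*" on the slide); that restriction is not modelled here.
TOKEN_MAX_LOA = {
    "memorized_secret": 2,
    "single_factor_otp": 2,
    "single_factor_cryptographic": 2,
    "multi_factor_software_cryptographic": 3,
    "multi_factor_otp": 3,
    "multi_factor_hardware_cryptographic": 4,
}


def required_loa(impacts: dict) -> int:
    """Lowest assurance level whose profile tolerates every assessed impact.

    This is the OMB M-04-04 Section 2.2 rule: pick the lowest level at which,
    for every category, the tolerated maximum is >= the assessed impact.
    Unknown category names are rejected, because a misspelled category would
    otherwise be skipped and the required level understated.
    """
    unknown = set(impacts) - set(IMPACT_PROFILES)
    if unknown:
        raise ValueError(f"unknown impact categories: {sorted(unknown)}")
    for level in range(1, 5):
        if all(IMPACT_PROFILES[cat][level - 1] >= impact for cat, impact in impacts.items()):
            return level
    return 4  # not reachable: LoA4 tolerates HIGH in every category


def token_satisfies(token: str, loa: int) -> bool:
    """True if the token type may be used at the given assurance level."""
    return TOKEN_MAX_LOA[token] >= loa


# Constructed sample for the "Internet banking authentication (Individual)"
# case named on slide 14. These ratings are assumptions for illustration.
INTERNET_BANKING = {
    "inconvenience_or_reputation": Impact.MODERATE,
    "financial_loss_or_liability": Impact.MODERATE,
    "harm_to_programs_or_public_interest": Impact.LOW,
    "unauthorized_release_of_sensitive_info": Impact.MODERATE,
    "personal_safety": Impact.NA,
    "civil_or_criminal_violations": Impact.LOW,
}

if __name__ == "__main__":
    loa = required_loa(INTERNET_BANKING)
    print(f"required assurance level: LoA{loa}")
    for token in TOKEN_MAX_LOA:
        verdict = "acceptable" if token_satisfies(token, loa) else "insufficient"
        print(f"  {token:40s} {verdict}")
```

With the sample ratings, category 4 (moderate impact from unauthorized release) is what pushes the result from LoA2 to LoA3, so every single-factor token on slide 16, passwords included, is ruled out and only the multi-factor token types remain; raising the personal-safety rating to High would force LoA4 and leave only the hardware cryptographic token.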

SLIDE 17

References

1. Department of Finance and Deregulation, Australian Government Information Management Office. (2013). National e-Authentication Framework.
2. Executive Office of the President, Office of Management and Budget. (2003). OMB M-04-04, E-Authentication Guidance for Federal Agencies.
3. Interoperability Solutions for European Public Administrations (ISA). (2011). Towards a Trusted and Sustainable European Federated eID System (Final Report).
4. ISO/IEC. (2013). ISO/IEC 29115, Information technology – Security techniques – Entity authentication assurance framework.
5. National Institute of Standards and Technology. (2011). NIST Special Publication 800-63-1, Electronic Authentication Guideline.

SLIDE 18

Q & A
