3. Datacomm Cloud Business
Certified Infrastructure & Facilities
Local Support and Data center location
• 24x7 Help Desk Support Center
• 24x7 Network Support Center
• 24x7 Security Desk Support Center
Certifications: Rated 3 Constructed Facilities by TIA-942 (certified); DCOS Maturity 4 by TIA-942 (certified); ISO 9001:2008 (certified); ISO 27001:2013 (certified); ISO 20000:2011 (certified); PCI-DSS (certified)
4. Industry 4.0 & Open Data in Digital Era
The Rich Landscape of Digital Experience Today
Resource : Development of Digital Identity Systems - Maganathin Marcus Veeraragaloo
5. Identity In Digital World
Identity is required beyond the individual
Resource : Development of Digital Identity Systems - Maganathin Marcus Veeraragaloo
6. Digital Identity
Currently, identity providers span across several services:
• National ID card or Passport
• Banking credentials
• Health card
• E-Commerce identities
• Social network accounts
• Email account (private and corporate)
Individuals today are used to having multiple digital identities
Resource : Maxcode, Understanding digital identity
7. Digital Identity Definition
How is Identity Acquired?
Inherent characteristics (Where does she/he come from?): Date of birth, Gender, Nationality
Acquired attributes (What did she/he do?): Address, Medical record, Purchase history
Individual preferences (What does she/he like?): Favorite bands, Taste of music, Interests
Digital Identity: the sum of all digitally available data about an individual, irrespective of its degree of validity, its form or accessibility
Resource : Maxcode, Understanding digital identity
8. Digital Identity
A Digital Identity holds three main components
• Identification / Registration: the process that allows an entity to obtain a digital identity
• Authentication: the verification process of the identity’s attributes
• Authorization: the process that allows an entity to use the digital identity in electronic transactions
Resource : Maxcode, Understanding digital identity
9. Benefits of Public Digital Identity as a Service
Resource : Digital Identity Road Map Guide - ITU
“A successfully implemented National Digital Identity Framework has the potential to introduce a wide range of benefits for the State and its citizens”
Potential benefits for the users
• Improving convenience for users
• Reducing the cost of access to services
• Improving inclusion for citizens
• Service delivery improvement
• Reducing the cost of service delivery
• Improving security
Potential benefits for the private sector
• New revenue opportunities for the public and private sectors
• Reducing the cost of service delivery
10. Symmetric Cryptography
• Symmetric Cryptography (aka Secret Key / Shared Key Cryptography) uses a single key to encrypt and decrypt data
• This operation is much faster than asymmetric cryptography
• Problems with using a symmetric key involve:
  • Sharing the key over a secure out-of-band channel
  • Key management and distribution among each communicating party (it is unscalable for an HTTPS website to bootstrap and maintain an individual key for each guest/customer)
Resource : Theo Gravity, Introduction to public key infrastructure
[Diagram: plain text "A B C" is encrypted with the Symmetric Key into the encrypted data "*54%f *!N#)" and decrypted with the same Symmetric Key back to the plain text "A B C"]
11. Asymmetric Cryptography
Two Keys
Resource : Theo Gravity, Introduction to public key infrastructure
In Asymmetric Cryptography, a pair of digital keys are used to encrypt and/or sign data. The keys are linked by a mathematical formula.
Private key
○ Kept private to oneself
Public key
○ Can be shared with anyone
[Diagram: Key Generation produces a Public Key and a Private Key]
12. Asymmetric Cryptography
How it works
Resource : Theo Gravity, Introduction to public key infrastructure
• You cannot use the same key to do the inverse operation in asymmetric encryption. The opposing key must be used to do the operation.
• This means you cannot:
  • Encrypt data with the public key, then decrypt the same data with the public key
  • Encrypt data with the private key, then decrypt the same data with the private key
• Same situation with decrypting
• Summary:
  • Encryption with the private key must use the public key to do the opposite
  • Encryption with the public key must use the private key to do the opposite
  • hash of data + encryption w/ private key = signature
[Diagram: the Sender encrypts plain text with the Public Key into cipher text; the Recipient decrypts it with the Private Key back to plain text. You can't do this with the same key in asymmetric encryption]
13. Asymmetric Cryptography
Operations
Resource : Digital Signature & PKI - Shubham Sharma
[Diagram: four Clear Text → Encrypted Cipher text → Clear Text round trips. Encrypt with the Public Key, decrypt with the Private Key: Works! Encrypt with the Private Key, decrypt with the Public Key: Works! Encrypt and decrypt with the same Public Key: Fails! Encrypt and decrypt with the same Private Key: Fails!]
14. Public Key Cryptography
Resource : PKI Application - Nakov & Nedyalkov
• Public-Key Cryptography is an encryption scheme that uses mathematically related, but not identical keys.
• Each user has a key pair (public key/private key).
• Information encrypted with the public key can only be decrypted using the private key.
[Diagram: the Sender encrypts the Original Document into the Encrypted Document "%jdlg*463u&bj vkf@+$mjfjr^!!) 08^&", which the Receiver decrypts back to the Original Document]
15. Public Key Infrastructure
Definition
Public Key Infrastructure (PKI) describes the procedures and hardware/software infrastructure on how to store, issue and revoke certificates and manage public keys.
Resource : Theo Gravity, Introduction to public key infrastructure
16. Public Key Security
EcoSystems
Resource : PKI Application - Nakov & Nedyalkov
Services: PRIVACY, AUTHENTICATION, INTEGRITY, NON-REPUDIATION
Technology: Public key technology
Infrastructure: Digital certificates, Certification Authorities, Security Management
• Public key technology is best suited to solve business needs
• Infrastructure = Certification Authorities
17. Multiple Players
Building Public Trust
Resource : PKI Application - Nakov & Nedyalkov
• Registration Authority (RA) to identity-proof users
• Certification Authorities (CA) to issue certificates and CRLs
• Repositories (publicly available databases) to hold certificates and CRLs
18. What is a digital certificate?
Resource : Theo Gravity, Introduction to public key infrastructure
• Contains identifiers that identify an entity and ties ownership to a public key
• These identifiers are called subjects
• An example of a subject would be the Common Name (e.g., viv.ai) in a certificate used for HTTPS
• Contains the public key of the entity (the entity itself is assumed to have the private key)
• Is issued by an entity
• Can be used for encryption and verifying signatures (since it has the public key)
19. Think of a certificate as an ID card
Resource : Theo Gravity, Introduction to public key infrastructure
20. What is a Digital Signature?
To provide Authenticity, Integrity and Non-repudiation to electronic documents
Resource : Digital Signature & PKI - Shubham Sharma
Digital code attached to an electronically transmitted document to verify its contents and the sender's identity.
A person's Digital Signature therefore varies from document to document, thus ensuring the authenticity of each word of that document.
21. Signed Messages
Resource : Digital Signature & PKI - Shubham Sharma
[Diagram: the Sender hashes the Message, signs the hash with the Sender’s private key, and sends Message + Signature (the Signed Message) through the Internet. The Receiver calculates the hash of the received Message, decrypts the Signature with the Sender’s public key, and compares the two hashes; if OK, the Signature is verified]
22. Signed Messages
Signing & Verification
Resource : Digital Signature & PKI - Shubham Sharma
[Diagram, signing: Data is passed through a Hash function giving the Hash 101100110101; the Hash is encrypted using the signer’s private key giving the Signature 111101101110; the Signature and the signer's Certificate are attached to the Data, producing the Digitally signed data]
[Diagram, verification: the Data part of the Digitally signed data is passed through the Hash Function giving Hash 101100110101; the Signature 111101101110 is decrypted using the signer’s Public key giving Hash 101100110101; the two hashes are compared (=?)]
If the hashes are equal, the signature is valid
23. Authentication Technologies
Public Key Infrastructure – Digital Signatures
Resource : Development of Digital Identity Systems - Maganathin Marcus Veeraragaloo
[Diagram: User, Registration Authority, Certificate Authority, Verification, Verifier]
• Certificate Authority - A Certificate Authority issues a digital certificate to an entity. The issued digital certificate is signed with the private key of the CA, so that any tampering with it can be detected. When a host gets a digital certificate of another host, it checks with the corresponding CA to make sure it is an authentic one.
• Registration Authority - When an entity requests a digital certificate, the Registration Authority verifies the identity of the entity to make sure the digital certificate is not mis-issued.
• Central Directory - A Central Directory is a central location where public keys are stored and indexed, so that they can be retrieved at the time of verification of digital certificates.
• Certificate Management System - A Certificate Management System manages access to stored certificates and the delivery of the certificates to be issued.
• Certificate Policy - It consists of the policies governing digital certificates.
24. Authentication Protocols
Resource : Development of Digital Identity Systems - Maganathin Marcus Veeraragaloo
• OAuth 2.0 enables applications to access resources on behalf of a specific user. This is why the OAuth protocol has a resource server: a policy enforcement point that is likely either an API gateway or a reverse-proxy Web access management (WAM) system.
• The OAuth access and resource servers work in concert to provide access to resources via a scope (see the Scopes section) entitlement request by the application.
• OpenID Connect is about authentication: providing an ID Token for interoperable access to cross-domain relying parties.
• The Connect protocol leaves the policy enforcement to the relying party, just like SAML does.
• Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.
• SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider.
• SAML 2.0 enables web-based authentication and authorization scenarios including cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.
25. Conclusion
Public Digital Identity as a Service
• Privacy, Consent & Control
• Compliance & Regulation
• Cost & Risk
• Technology (IOT, Mobility, AI)
• Interoperability
• Cyber & Digital Security
27. Certification Authority (CA)
Resource : PKI Application - Nakov & Nedyalkov
Certification Authority
• Trusted (third) party
• Enrolls and validates subscribers
• Manages revocation and renewal of certificates
• Establishes policies & procedures
What's Important
• Operational experience
• High assurance security architecture
• Scalability
• Flexibility
• Interoperability
• Outsource vs in-house
• Trustworthiness
Certification Authority = Basis of Trust
28. Registration Authority (RA)
Resource : PKI Application - Nakov & Nedyalkov
• Enrolling, de-enrolling, and approving or rejecting requested changes to the certificate attributes of subscribers.
• Validating certificate applications.
• Authorizing requests for key-pair or certificate generation and requests for the recovery of backed-up keys.
• Accepting and authorizing requests for certificate revocation or suspension.
• Physically distributing personal tokens to, and recovering obsolete tokens from, people authorized to hold and use them.
29. Certificate Policy (CP) is …
Resource : PKI Application - Nakov & Nedyalkov
• the basis for trust between unrelated entities
• not a formal "contract" (but implied)
• a framework that both informs and constrains a PKI implementation
• a statement of what a certificate means
• a set of rules for certificate holders
• a way of giving advice to relying parties
30. Symmetric/Asymmetric Encryption
Resource : Digital Signature & PKI - Shubham Sharma
Symmetric encryption uses the identical key to both encrypt and decrypt the data.
[Diagram: the plain text input "The quick brown fox jumps over the lazy dog" is encrypted into the cipher text "*hfduv&^%)jdjvj@jd me!#8em%" and decrypted back to the same plain text output, using the Same Key (shared secret) for both Encryption and Decryption]
31. Asymmetric
Resource : Digital Signature & PKI - Shubham Sharma
Two related keys (public and private) for data encryption and decryption. The private key is never exposed. Takes away the security risk of key sharing.
32. Authentication Technologies
Block Chain & Digital Signature
Resource : Development of Digital Identity Systems - Maganathin Marcus Veeraragaloo
• Usually a digital signature is made using the private key of the owner. Whoever wants to verify the signature can do so using the corresponding public key.
• Suppose a company wants to accept Bitcoins for its trades. For security reasons, the company would not want a single employee alone to have access to the company’s Bitcoin wallet's password. Any transaction should need approval from more than one employee of the company. A multisignature Address is created for that purpose.
33. Authentication Technologies
Block Chain & Digital Signature …… (continued)
Resource : Development of Digital Identity Systems - Maganathin Marcus Veeraragaloo
• A multi-signature address is an address associated with more than one Elliptic Curve Digital Signature Algorithm (ECDSA) private key. So, in an m-of-n address, when a Bitcoin address is generated, it is associated with n private keys, and at least m of those private keys will be required to make a transaction possible.
• This concept can be used in making digital signatures. One can create a multi-signature m-of-n address using n private keys and use that to record digital signatures of documents in a blockchain. Anyone can verify the digital signature using the public keys, but to make the digital signature one would need at least m private keys out of the n private keys associated with the multi-signature address.
34. Authentication Technologies
Block Chain, How a blockchain works
Resource : Development of Digital Identity Systems - Maganathin Marcus Veeraragaloo
1. A wants to send money to B
2. The transaction is represented online as a "block"
3. The block is broadcast to every party in the network
4. Those in the network approve that the transaction is valid
5. The block then can be added to the chain, which provides an indelible and transparent record of transactions
6. The money moves from A to B
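To make the "indelible record" of steps 2 to 5 concrete, here is an added toy example (not from the deck or its cited sources, and not Bitcoin's actual block format): each block carries the SHA-256 hash of the previous block, and `chain_is_valid` is the check a network party would run before approving. The transactions and the block layout are constructed for the demo.

```python
import hashlib
import json

# Constructed minimal hash chain: every block stores the hash of the block
# before it, so altering an accepted block changes its hash and breaks the
# link held by the next block. Any party re-checking the chain notices.
GENESIS_PREV = "0" * 64


def block_hash(block: dict) -> str:
    """Hash the block's contents (index, transaction, previous hash)."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_block(chain: list, transaction: str) -> dict:
    """Step 5: append a block linked to the current tail of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "tx": transaction, "prev_hash": prev_hash}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def chain_is_valid(chain: list) -> bool:
    """The check a network party runs (step 4): every hash and link must hold."""
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False
        expected_prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if block["prev_hash"] != expected_prev:
            return False
    return True


def tamper_demo() -> tuple:
    """Build a 3-block chain, rewrite the first transaction, re-check twice."""
    chain = []
    for tx in ("A sends 10 to B", "B sends 4 to C", "C sends 1 to A"):
        add_block(chain, tx)
    before = chain_is_valid(chain)
    chain[0]["tx"] = "A sends 1000 to B"       # rewrite history in place
    hash_broken = chain_is_valid(chain)        # block 0 no longer matches its own hash
    chain[0]["hash"] = block_hash(chain[0])    # even after re-hashing block 0 ...
    link_broken = chain_is_valid(chain)        # ... block 1 still points at the old hash
    return before, hash_broken, link_broken


if __name__ == "__main__":
    print(tamper_demo())  # (True, False, False)
```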
35. What is a Digital Signature?
Resource : PKI Application - Nakov & Nedyalkov
A Digital Signature is the result of encrypting the Hash of the data to be exchanged.
A Hash (or Message Digest) is the process of mathematically reducing a data stream down to a fixed length field. The Hash uniquely represents the original data. The probability of producing the same Hash with two sets of different data is <.001%.
Signature Process is opposite to Encryption Process: the Private Key is used to Sign (encrypt) Data; the Public Key is used to verify (decrypt) the Signature.
36. Digital Signature Process
Resource : PKI Application - Nakov & Nedyalkov
Step 1 - Hash (digest) the data using one of the supported Hashing algorithms, e.g., MD2, MD5, or SHA-1.
Step 2 - Encrypt the hashed data using the sender’s private key.
Step 3 - Append the signature (and a copy of the sender’s public key) to the end of the data that was signed.
[Diagram: DATA → Step 1 Hash → Hash → Step 2 Encrypt with the Private key → Digital Signature → Step 3 append the Digital Signature and Public key to the DATA]
37. Signature Verification Process
Resource : PKI Application - Nakov & Nedyalkov
• Step 1. Hash the original data using the same hashing algorithm.
• Step 2. Decrypt the digital signature using the sender’s public key. All digital signatures contain a copy of the signer’s public key.
• Step 3. Compare the results of the hashing and the decryption. If the values match then the signature is verified. If the values do not match, then the data or signature was probably modified in transit.
[Diagram: DATA → Step 1 Hash → Hash; Digital Signature → Step 2 Decrypt with the Public Key → Hash; Step 3 compares the two Hash values]
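The key-pairing rule of slides 12 and 13, the hash-then-sign and decrypt-then-compare flow of slides 21, 22, 36 and 37, and the m-of-n approval policy of slide 33, as one added Python example (not code from the deck or its cited sources). It assumes textbook RSA built from fixed Mersenne primes, SHA-224 in place of the slide's MD2/MD5/SHA-1, and constructed employee key pairs, document and 2-of-3 policy.

```python
import hashlib

# Constructed toy RSA key pairs built from Mersenne primes (known primes, so no
# prime generation is needed). Demo only: real keys are >= 2048-bit and real RSA
# signing pads the hash (PSS / PKCS#1 v1.5); padding is omitted here so that
# the deck's hash-then-encrypt / decrypt-then-compare steps stay visible.
MERSENNE_EXPONENTS = [(107, 127), (521, 607), (89, 1279)]

def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: returns (public, private), each as (exponent, modulus)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # private exponent (Python >= 3.8)
    return (e, n), (d, n)

def digest(data: bytes) -> int:
    # SHA-224 rather than the deck's MD2/MD5/SHA-1 (all broken); its 224-bit
    # output is below every toy modulus here, so no reduction mod n is needed.
    return int.from_bytes(hashlib.sha224(data).digest(), "big")

def sign(data: bytes, private_key) -> int:
    """Slide 36, steps 1-2: hash the data, 'encrypt' the hash with the private key."""
    d, n = private_key
    return pow(digest(data), d, n)

def verify(data: bytes, signature: int, public_key) -> bool:
    """Slide 37: re-hash, 'decrypt' the signature with the public key, compare."""
    e, n = public_key
    return pow(signature, e, n) == digest(data)

def multisig_valid(data: bytes, signatures, public_keys, m: int) -> bool:
    """m-of-n policy from slide 33: at least m distinct listed keys must verify.

    signatures is a list of (key_index, signature). A key counts at most once,
    and an index outside the key list is ignored rather than trusted.
    """
    signers = {idx for idx, sig in signatures
               if 0 <= idx < len(public_keys) and verify(data, sig, public_keys[idx])}
    return len(signers) >= m

# Three employees' key pairs and a 2-of-3 approval policy (constructed sample).
EMPLOYEE_KEYS = [make_keypair(2**a - 1, 2**b - 1) for a, b in MERSENNE_EXPONENTS]
PUBLIC_KEYS = [pub for pub, _ in EMPLOYEE_KEYS]
DOCUMENT = b"transfer 5 BTC to supplier"

if __name__ == "__main__":
    approvals = [(i, sign(DOCUMENT, EMPLOYEE_KEYS[i][1])) for i in (0, 2)]
    print("2-of-3 approved:", multisig_valid(DOCUMENT, approvals, PUBLIC_KEYS, 2))
```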
Editor's Notes
Who Is Datacomm
Local, private company committed to building robust digital infrastructure to usher Indonesia toward the digital economy.
The two primary businesses of Datacomm are infrastructure managed services for Indonesia's largest telecommunication operators (Telkom, Telkomsel, Indosat, Lintasarta) and Cloud Services.
Why Datacomm?
We are backed by 29+ years of experience and 500+ people, primarily a technical and engineering team with a wide spectrum of IT expertise: network, security, system application, operation, project management, datacenter and consulting.
In the cloud area, we operate a cloud service provider, differentiated by hybrid/multicloud offerings that are enterprise-grade, secure and local.