Intra-ASEAN Secure Transactions Framework Project

Report
Intra-ASEAN Secure
Transactions
Framework
Title
Project
Sub TitleProgress Report
Chaichana Mitrpant
[email protected]
Title
Project Information
Sub TitleAIM 2015 under
• Support
• Strategic Thrust 2 :People Engagement and
Empowerment
• Initiatives 2.4 : Building Trust
• Action : Promote Secure transaction with
in ASEAN
• Description : Promote the use of twofactor authentication
Intra-ASEAN Secure Transactions
Title Framework Project
Scope
work
Subof
Title
o Status update on : Laws, Policies, Regulations related to e-signature ,
certification
o Propose e-authentication recommendation for Intra-ASEAN secure
electronic transactions
Methodology
o Desk Research : Review from the data available to public
o Questionnaire Survey : Distributed to 10 ASEAN member countries
Period : 1 year
Budget : 10,000 USD
Title
Sub Title
Executive Summary
Three main components of e-authentication have been
identified as follows:
Assurance Levels and Risk Assessments – Levels of
assurance are defined so that different levels of importance
of getting e-authentication right can be distinguished.
Identity Proofing and Verification – For each level of
assurance, an objective of authentication and a set of
controls are defined. Then details about identity proofing
and verification methods are provided for the registration
process.
Authentication Mechanism – Different token technologies
are listed and mapped to the levels of assurance.
Moreover, how identity should be managed is
recommended.
Executive Summary
Standards and Best Practices
Title
Sub Title
Assurance Levels • ISO/IEC 29115:2013
and Risk
• OMB M-04-04
Assessments
• NeAF
Identity Proofing
and Verification
• ISO/IEC 29115:2013
Authentication
Mechanism
• NIST Special
Publication 800-63
Executive Summary
Assurance
Levels and Risk Assessment
Title
Sub Title
Assurance Level
Description
1 – Low
Little or no confidence in the asserted identity’s validity
2 – Medium
Some confidence in the asserted identity’s validity
3 – High
High confidence in the asserted identity’s validity
4 – Very High
Very high confidence in the asserted identity’s validity
Executive Summary
Identity
Title Proofing and Verification Approach
Sub Title
Assurance Level
Objectives
Control
Method of
processing
1 – Low
Identity is unique within a context
Self-claimed or self-asserted
Local or remote
2 – Moderate
Identity is unique within context and
the entity to which the identity
pertains exists objectively
Proof of identity through use of
identity information from an
authoritative source
Local or remote
3 – High
Identity is unique within context,
entity to which the identity pertains
exists objectively, identity is verified,
and identity is used in other contexts
Proof of identity through
1. use of identity information from
an authoritative source
2. identity information verification
Local or remote
4 – Very High
Identity is unique within context,
entity to which the identity pertains
exists objectively, identity is verified,
and identity is used in other context
Proof of identity through
1. use of identity information from
multiple authoritative sources
2. identity information verification
3. entity witnessed in-person
Local
Executive Summary
Examples
Title of Token Types for Different LoAs
Sub Title
Token Type
Assurance Level
Level 1
Level 2
Memorized Secret Token
✓*
✓*
Pre-registered Knowledge Token
✓*
✓*
Look-up Secret Token
✓
Out of Band Token
✓
Single-factor (SF) One-Time
Password (OTP) Device
✓
Single-factor (SF) Cryptographic
Device
✓
Multi-factor (MF) Software
Cryptographic Token
Level 3
Level 4
✓
Multi-factor (MF) One-Time
Password (OTP) Device
✓
Multi-factor (MF) Cryptographic
Device
✓
Needs for ASEAN Legal Infrastructure
Title
The cooperation among Member States is necessary in creation of the legal framework
for Information Technology Legal Infrastructure development to be in equivalence and
Sub
Title
conform
to international
principle especially in the following matters:
– Legal Infrastructure for Cross Boarder Electronic transactions
– Principle on organization or unit for supporting and controlling the reliance on
Electronic Transactions
– Clear policy relating to Authentication technology in Electronic Transaction
– Clear and appropriate principle on Identification and Authentication in
Electronic Transaction, for example, the principle that allows a Certification
Authorities (Foreign CA) to issue foreign digital certificate
– Relevant measurements regarding data confirmation, such as, Electronic
Signature and the responsibility of data owner for the accuracy of data.
– The principle on Personal Data Protection, including the principle on a request
of data in Authentication system in Cross Boarder Transaction by authority or
relating person, or data sharing between Government Sector and Private
Sector.

similar documents