
Cyber Security Management in Kenya

Victor Kyalo
Kenya ICT Board
Agenda
§ Background
§ Global Cyber Incidents
§ Mitigating Cyber Threats
§ Conclusions
§ National PKI Establishment
Background
Global Cyber Incidents
Mitigating Cyber Threats (Efforts)
Mitigating Cyber Threats
Mitigating Cyber Threats: Kenya
KE-CIRT
Conclusions
National PKI Establishment (NPKI)
(Work in progress)
Contents

1. Necessity of National PKI

2. The Status of InfoSec/PKI in Kenya

3. Steps of NPKI Establishment

4. Questions
1. Necessity of National PKI
PKI (Public Key Infrastructure)?
Personnel, policy, procedures, components and facilities to bind user names to
electronic keys so that applications can provide the desired security services.

[Diagram: PKI components. Labels: PKI Server; Server-side software; Server Cert; certificate repository; Directory Server; Certificate Authority; Registration Authority; Digital Signature; PKI Client (PC/Phone/PDA); Client-side software; Client Cert]
Need for Digital Signature
Industrial Society: offline (face-to-face). Informational Society: online.

Problems | Required property | Solutions
Risk of deceiving about the identity of the sender | Authentication | Digital Signature
Risk of information being changed in transmission | Integrity | Digital Signature
Risk of denying the fact that information was transmitted | Non-repudiation | Digital Signature
Risk of information being exposed in transmission | Confidentiality | Encryption
Identification and Signature

Real World | Cyberspace (Internet)
National ID Card | Accredited Certificate
Name : Jaejung Kim | Name : Jaejung Kim
SSN : XX0921-152XXXX | Serial No : 883XXX8377
Address : SG, Seoul, Kr | Address : SG, Seoul, Kr
Issued Date : 2002/6/1 | Validity : 2008/6/1~2009/5/31
Finger Print | Public Key + CA’s Signature
For Authentication | Encrypted Private Key
Signature or Signature-seal | Digital Signature (digital signature using asymmetric encryption / decryption method)
Reusable | Impossible to reuse


Types of Certificates
Accredited Certificate
The accredited certificate is issued by a CA, which in turn is designated by
the government pursuant to the laws after thorough screening, to be used
for various e-transactions.

Certificate Without Accreditation (or Private Certificate)
A certificate is issued by a certification organization that is not accredited by
the government. It is used for a limited number of e-transactions.

Category | Accredited Certificate | Certificate Without Accreditation
Level of technology and security | Passage of thorough screening | Impossible to verify
Legal effect | Valid as provided by the laws | Valid only by agreement
Compensation | Easy to get compensated | Hard to get compensated
Scope of applicable services | Wide | Narrow
What happens if a country does not establish an NPKI early?

• It will result in duplication of resources and confusion in policy-making because of the absence of a unified infrastructure.
• It will not grow its national competitive edge in the region because the country does not accumulate and retain its own technologies related to security and certification.
• Interoperability issues among CAs are bound to arise due to the absence of unified technical standards.
• It is difficult to build an e-government framework because PKI is the mandatory infrastructure in e-government.
• It is hard to cooperate with other nations on international interoperability because of the absence of an accredited CA.
• Users or entities have to use a lot of certificates for each application.
2. The Status of InfoSec/PKI in Kenya
Domain Information (April 2011)
Hacked/Defaced Websites 2007-2011 (.go.ke)
Hacked/Defaced Websites (.ac.ke)
Hacked/Defaced Websites (.co.ke)
Certificate Without Accreditation
Weak Authentication
Confidential Client Data
Accredited Digital Certificate (Trusted and Valid)
Accredited Digital Certificate + Human Verification
Encrypted Database (Anti-WikiLeaks)
3. Steps of NPKI Establishment
Setup of Infrastructure for Internet Security

[Diagram: setup of infrastructure for Internet security. Labels:
Government: Law, Policy, Standards; License; PKI Model
Certification Service: Accredited Root CA; Accredited CA; Building PKI Center; Accredited Certificate
Application Service organizations or companies: E-procurement, Internet Banking, E-commerce, etc.; Developing PKI-enabled Applications; Accredited Electronic Signature
USER
Goal: to establish a safe and reliable information society]
PKI-enabled Application Development
[Diagram: e-Government applications adopting certificates, built around the Public Key Infrastructure (PKI Center)]
Petition Service
- Identify oneself online by certificates
Regional Administration
- Service for counties
- Access with certificates
Personal Management inside Government
- All employees inside Government
Taxation
- National Tax Agency
- Access with certificates
Digital Signature & Seal
- Distribute certificates
- Develop and enhance system
National Financing Information System
- Based on Internet banking, etc.
E-Supply (G2B)
- Online bidding with certificate
Enhance computerization
- Sharing national resource information
Electric document system
- Interoperable with other systems
Education Administration System
- Teachers can access with cert.
4 Major Insurances data exchange
- Labor, Medical care, Pension, Industrial disaster
- Internet access with certificate
Effectiveness of Expectations
PKI creates a safe and trustworthy environment using electronic signatures.

National PKI Establishment
Win (User) – Win (Government) – Win (Company)

USER, Government, Corporation:
• Increase confidence and trust.
• Reduce time and cost.
• Convenience of applications like Online Civil Service, Internet Banking, etc.
• Ensure interoperability of PKI infrastructure with other governments.
• Establishment of a National Security Plan.
• Convert offline business to online.
• Provide more secure and safe service.
• Increase the trust of the company.


Background
[Diagram labels: Law, Policies; Standards & Technology; Accredited CA; PKI-enabled Applications]
Asante!

vkyalo@ict.go.ke
