TABLE
OF CONTENTS
1 Introduction 1-01-0
1.1 Purpose 1-01-0
1.1.1 Goals of this Document 1-01-0
1.1.2 Intended Audience 1-01-0
1.2 Scope 1-01-0
1.3 Definitions, Acronyms, and Abbreviations 1-01-0
1.4 Related Documents 1-01-0
2 Review of Existing ATMS Systems 2-02-0
2.1 Caltrans 2-02-0
2.2 Atlanta 2-02-0
2.3 MONITOR 2-02-0
2.4 C-TIC 2-02-0
3 Human Factors Considerations 3-03-0
3.1 Facility Design 3-03-0
3.1.1 Room Layout 3-03-0
3.1.2 Lighting and Acoustics 3-03-0
3.1.3 Video Displays 3-03-0
3.2 Ease of Use 3-03-0
3.3 Performance 3-03-0
4 Required Functionality 4-04-0
4.1 System Logon 4-04-0
4.2 Monitoring Operational Status 4-04-0
4.2.1 Hardware and Software Faults 4-04-0
4.2.2 Troubleshooting 4-04-0
4.3 Data Entry and Validation 4-04-0
Incident
Monitor 4-04-0
4.4.1 Filtering 4-04-0
4.4.2 Sorting 4-04-0
4.4.3 Searching 4-04-0
4.4.4 Refresh 4-04-0
4.5 Map Interface 4-04-0
4.5.1 Menus 4-04-0
4.5.2 Data Windows 4-04-0
4.5.3 Corridor Map Hot Keys 4-04-0
4.6 Internet Maps 4-04-0
4.6.1 GCM Home Page 4-04-0
4.6.2 Expressway Data 4-04-0
4.6.3 Travel Times 4-04-0
4.7 Managing Internet Maps 4-04-0
4.7.1 Internet Map Editor Main Window 4-04-0
4.7.2 Editor Window 4-04-0
4.7.3 Icons 4-04-0
4.8 System Administration 4-04-0
4.8.1 Account Maintenance 4-04-0
4.8.2 Backup/Restore 4-04-0
4.8.3 Printers 4-04-0
4.8.4 Log Files 4-04-0
4.9 Report Generation 4-04-0
4.9.1 Predefined Reports 4-04-0
4.9.2 User Defined Reports 4-04-0
4.10 Internet Web Browser 4-04-0
4.11 Scheduling 4-04-0
4.12 Deficiency Tracking 4-04-0
5 Use Cases 5-05-0
5.1 Logon 5-05-0
5.2 Monitoring 5-05-0
5.3 Incident Tracking and Monitoring 5-05-0
5.4 Map 5-05-0
5.5 Internet 5-05-0
5.6 Internet Map Manager 5-05-0
5.7 Account Maintenance 5-05-0
5.8 Backup/Restore 5-05-0
5.9 Printer Maintenance 5-05-0
5.10 Reports 5-05-0
1 INTRODUCTION................................................................................................................... 1-1
2 INTRODUCTION
to public key infrastructure (pki).......................................... 2-3
2.1 Encryption................................................................................................................. 2-3
2.2 Public
Key Cryptography................................................................................... 2-3
2.3 Public
Key used for Encryption....................................................................... 2-4
2.4 Private
Key used for Decryption.................................................................... 2-4
2.5 Digital
Signatures.................................................................................................. 2-4
2.6 Private
Key for Signature.................................................................................. 2-4
2.7 Public
Key for verifying Signature............................................................... 2-4
2.8 Certificates............................................................................................................... 2-5
2.9 Policies........................................................................................................................ 2-5
2.10 Key
Management—PKI........................................................................................ 2-5
2.10.1 Certificate
Authority................................................................................... 2-5
2.10.2 Registration
Authority (RA)....................................................................... 2-6
2.10.3 Directory
Service............................................................................................ 2-7
2.10.4 Databases............................................................................................................ 2-7
2.10.5 Timestamp
Service............................................................................................ 2-7
3 getting
started.............................................................................................................. 3-9
3.1 installation.............................................................................................................. 3-9
3.2 creating
or importing digital certificates.............................................. 3-10
3.3 importing
digital certificates........................................................................ 3-11
3.4 exporting
digital certificates....................................................................... 3-11
3.5 encrypting
files or folders............................................................................. 3-11
3.6 decrypting
files or folders............................................................................. 3-12
3.7 Digitally
signing documents........................................................................... 3-13
3.8 verifying
digital signature............................................................................. 3-14
3.9 creating
simple hash for verifying documents..................................... 3-15
3.10 verifying
digest.................................................................................................. 3-15
3.11 archiving
or compressing documents..................................................... 3-16
3.12 Extracting
or unzipping................................................................................. 3-17
LIST OF FIGURES
Figure 1........................................................................................................................................................................................ 3-9
Figure
2...................................................................................................................................................................................... 3-10
Figure
3...................................................................................................................................................................................... 3-11
Figure
4...................................................................................................................................................................................... 3-12
Figure
5...................................................................................................................................................................................... 3-13
Figure
6...................................................................................................................................................................................... 3-14
Figure
7...................................................................................................................................................................................... 3-14
Figure
8...................................................................................................................................................................................... 3-15
Figure
9...................................................................................................................................................................................... 3-16
Figure
10.................................................................................................................................................................................... 3-17
Figure
11.................................................................................................................................................................................... 3-18
Figure
1 . Caltrans GIS Application 2-02-0
Figure 2.
Atlanta Main Menu........................................................................................................................................................................................................................................................ 2-02-0
Figure 3.
Incident Management on the Atlanta System........................................................................................................................................................................................................................................................ 2-02-0
Figure 4.
Atlanta GIS Map Application........................................................................................................................................................................................................................................................ 2-02-0
Figure 5.
MONITOR System Coordinator Main Window........................................................................................................................................................................................................................................................ 2-02-0
Figure 6.
Gateway Local User Logon Display........................................................................................................................................................................................................................................................ 4-04-0
Figure 7.
Prototype Gateway Monitoring Application........................................................................................................................................................................................................................................................ 4-04-0
Figure 8.
Popup menu for process........................................................................................................................................................................................................................................................ 4-04-0
Figure 9.
Example Data Entry Validation........................................................................................................................................................................................................................................................ 4-04-0
Figure 10.
Prototype Gateway Incident Monitoring Application........................................................................................................................................................................................................................................................ 4-04-0
Figure 11.
Example Filter Dialog Box........................................................................................................................................................................................................................................................ 4-04-0
Figure 12.
Prototype Gateway Map Interface Application........................................................................................................................................................................................................................................................ 4-04-0
Figure 13.
Gateway Monitor Menu in Map Application........................................................................................................................................................................................................................................................ 4-04-0
Figure 14.
Display menu in Map Application........................................................................................................................................................................................................................................................ 4-04-0
Figure 15.
Example Icons for Map Application........................................................................................................................................................................................................................................................ 4-04-0
Figure 16.
Map Application Select Menu........................................................................................................................................................................................................................................................ 4-04-0
Figure 17.
Selecting or Locating a road........................................................................................................................................................................................................................................................ 4-04-0
Figure 18.
Choosing cross streets on a road........................................................................................................................................................................................................................................................ 4-04-0
Figure 19. Selecting an Intersection........................................................................................................................................................................................................................................................ 4-04-0
Figure 20. Locating a Loop Detector........................................................................................................................................................................................................................................................ 4-04-0
Figure 21. Locating using Latitude and Longitude........................................................................................................................................................................................................................................................ 4-04-0
Figure 22. Map Properties Window........................................................................................................................................................................................................................................................ 4-04-0
Figure 23. Incident/Closure Editor Portion of Map
Application........................................................................................................................................................................................................................................................ 4-04-0
Figure 24. Annotation Window........................................................................................................................................................................................................................................................ 4-04-0
Figure 25.
Annotation Location........................................................................................................................................................................................................................................................ 4-04-0
Figure 26. Annotation Color and Font........................................................................................................................................................................................................................................................ 4-04-0
Figure 27. Annotation Rank and Layer........................................................................................................................................................................................................................................................ 4-04-0
Figure 28. Annotation positioning........................................................................................................................................................................................................................................................ 4-04-0
Figure 29. Annotation Flags........................................................................................................................................................................................................................................................ 4-04-0
Figure 30. Traffic Info Window........................................................................................................................................................................................................................................................ 4-04-0
Figure 31. User Defined Locations Window........................................................................................................................................................................................................................................................ 4-04-0
Figure 32. The Segment Information Window........................................................................................................................................................................................................................................................ 4-04-0
Figure 33. Address Information........................................................................................................................................................................................................................................................ 4-04-0
Figure 34. Typical Pull off Menu........................................................................................................................................................................................................................................................ 4-04-0
Figure 35.
Sample Internet Map........................................................................................................................................................................................................................................................ 4-04-0
Figure 36. Kennedy Expressway Data........................................................................................................................................................................................................................................................ 4-04-0
Figure 37. Travel Times Page........................................................................................................................................................................................................................................................ 4-04-0
Figure 38. Internet Map Editor Main Window........................................................................................................................................................................................................................................................ 4-04-0
Figure 39. Preview of I-55 Map........................................................................................................................................................................................................................................................ 4-04-0
Figure 40. Internet Map Editor Window........................................................................................................................................................................................................................................................ 4-04-0
Figure 41. Area and Zoom Page........................................................................................................................................................................................................................................................ 4-04-0
Figure 42. Defining the Area of an Internet Map........................................................................................................................................................................................................................................................ 4-04-0
Figure 43.
Legend and Time Position........................................................................................................................................................................................................................................................ 4-04-0
Figure 44. Colors and Widths........................................................................................................................................................................................................................................................ 4-04-0
Figure 45. Uniform Resource Locations........................................................................................................................................................................................................................................................ 4-04-0
Figure 46. Internet map editor flags........................................................................................................................................................................................................................................................ 4-04-0
Figure 47. C-TIC Account Editor Main Menu........................................................................................................................................................................................................................................................ 4-04-0
Figure 48. Adding an Account........................................................................................................................................................................................................................................................ 4-04-0
Figure 49. Editing an Account........................................................................................................................................................................................................................................................ 4-04-0
In this era of Internet, a security has become a top priority for businesses and individuals. There is a great deal of risk of loosing confidential information and cost of loosing such information can be enormous. In order to protect intellectual property or confidential data, businesses and individuals need following:
· Create and manage digital certificates and private keys.
· Encrypt important documents or files with secured algorithms. Once these files are encrypted, they can be safely stored or sent to other users on top of unsecured Internet.
· Digitally sign documents so that recipients can be assured that those files are not tempered.
PlexCrypt is a graphical based application that helps users manage their documents and files securely. It allows users to manage digital certificates and private keys. PlexCrypt protects documents and folders via PKI-based encryption using secured algorithms such as
· AES
· Blowfish
· CAST5/CAST6
· DES
· ElGamal
· IDEA
· IES
· RC2/RC4/RC532/RC564/RC6/RSA
· Rijndael, Serpent, Skipjack
It allows users to encrypt multiple files and folders automatically.
PlexCrypt allows users to digital sign documents and folders and use that signature to verify that original document has not been maliciously or accidently altered. It supports:
· SHA1WithRSA/ISO9796-2
· MD2WithRSAEncryption/MD5WithRSA/ISO9796-2
· RIPEMD160WithRSAEncryption
· RIPEMD160WithRSA/ISO9796-2
algorithms for digital signatures.
PlexCrypt can encrypt more than one file or folders at once and it automatically compress them in a ZIP format and encrypts the ZIP file using PKI-based encryption. PlexCrypt also supports simple documents authentication mechanisms such as creating MD5 based digest of a document and then recipients can verify the document by recomputing the digest and comparing it with the user-supplied digest.
|
A PKI infrastructure offers:
· certainty of the quality of information sent and received electronically
· certainty of the source and destination of that information
· assurance of the time and timing of that information (providing the source of time is known)
· certainty of the privacy of that information
· assurance that the information may be introduced as evidence in a court or law
These facilities are delivered using a mathematical technique called public key cryptography, that uses a pair of related cryptographic keys to verify the identity of the sender (signing) and/or to ensure privacy (encryption).
PKI facilities have been developed principally to support secure information exchange over insecure networks - such as the Internet - where such features cannot otherwise be readily provided. PKI facilities can, however, be used just as easily for information exchanged over private networks, including corporate internal networks.
Encryption is the process of transforming the contents of a message using a secret key so that the message cannot be read. Decryption is the process of transforming the message back into a readable form. Message encryption and decryption is the foundation upon which a secure messaging system is built.
The problems with establishing and managing a secure messaging system are to ensure that—
· Encryption techniques and secret keys are sufficiently complex so that unauthorized people cannot decrypt messages
· Keys are accessible to people who are authorized to use them, and kept away from people who are not authorized to use them
When sender and recipient use same secret key to exchange private message, it is called symmetrical key or secret key cryptography. This technology is thought to be sufficiently strong that it would be almost impossible to decrypt a message without the secret key. The problem with symmetrical key encryption is key distribution: ensuring that the keys to the message senders and recipients do not get into the hands of unauthorized persons. As the number of users of the secure messaging system increases, the problem of generating, distributing, safeguarding, and accounting for the secret keys increases at a geometric rate.
Public key cryptography uses two keys that are mathematically linked; one key can be used only to encrypt a message, and the other key can be used only to decrypt the message. The key that is used to encrypt a message can be freely distributed (or placed in an accessible directory), and the recipient keeps the key used to decrypt the message.
The sender use recipient’s public encryption key when he/she sends confidential information. The recipient can provide his/her public key to the sender, or it can be retrieved from the directory in which it is published.
A private key is used to decrypt information that has been encrypted using its corresponding public key. The person using the private key can be certain that the information it is able to decrypt must have been intended for them, but they cannot be certain who the information is from.
Digital signatures are electronic signatures linked to the signed data in a way that tampering is noticed and that the sender can be identified unequivocally. Other forms of electronic signatures, such as PINs, do not protect the data integrity.
To create a digital signature, the signing transmitter creates a Manipulation Detection Code (hash) of the message and then uses an exclusively transmitter-owned private key to encrypt the hash. This is the digital signature and it is attached to the real message (message expanding).
The private key has a matching public key that the receiver can use to verify the signature. The receiver uses the same hash function to create a hash of the real message, and then takes the public key to the transmitter, decrypts the digital signature, and compares hashes.
A trustworthy institution (i.e., a Trust Center or a Certificate Authority) assigns this pair of keys to a particular person.
If the sender wishes to prove to a recipient that they are the source of the information they use a private key to digitally sign a message. A unique mathematical value, determined by the content of the message, is calculated using a ‘hashing’ or ‘message authentication’ algorithm, and then this value is encrypted with the private key – creating the digital signature for this specific message. The encrypted value is either attached to the end of the message or is sent as a separate file together with the message. The Public Key corresponding to this private key may also be sent with the message, either on its own or as part of a certificate.
The receiver of a digitally signed message uses the correct public key to verify the signature.
Digital certificates are virtual fingerprints that authenticate absolutely the identity of a person or thing. The certificate itself is simply a collection of information to which a digital signature is attached. A certificate is information referring to a public key, that has been digitally signed by a Certification Authority (CA). The information normally found in a certificate conforms to the ITU (IETF) standard X.509 v3. Certificates conforming to that standard include information about the published identity of the owner of the corresponding private key, the key length, the algorithm used, and associated hashing algorithm, dates of validity of the certificate and the actions the key can be used for. A third-party authority that the community of certificate users trusts attaches the digital signature.
A Certificate Policy is a set of rules that indicates the applicability of a certificate.
A Certification Practice Statement (CPS) is a statement of the practices that a PKI uses to manage the certificates that it issues. The Operating Authority (usually an individual within the IT unit) is responsible for preparing and maintaining the CPS. The CPS describes how the Certificate Policy is interpreted in the context of the system architecture and operating procedures of the organization.
While a Certificate Policy is defined independently of the specific details of the operating environment of the PKI, the corresponding CPS is tailored to the organizational structure, operating procedures, facilities, and computing environment of the Operating Authority. The use of a standard structure for Certificate Policy and CPS documents is recommended to ensure completeness and simplify users’ and other Certificate Authorities’ assessment of the corresponding degree of assurance. See Section 4.1 of this Toolkit for the recommended structure for Certificate Policy and CPS documents.
The use of PKI enables a secure exchange of digital signatures, encrypted documents, authentication and authorization, and other functions in open networks where many communication partners are involved.
PKI has four parts:
· Certificate Authority (CA)
· Registry Authority (RA) or Local Registry Authorities (LRA)
· Directory Service
· Time Stamping (as an additional service)
The Certificate Authority (CA) is the entity responsible for issuing and administering the digital certificates. The CA acts as the agent of trust in the PKI.
A CA performs the following main functions:
· Generating key pairs. The CA may generate a public key and a private key (a key pair) or the person applying for a certificate may have to generate their own key pair and send a signed request containing their public key to the CA for validation.
· Certifies users’ public keys
· Publishes users’ certificates. A CA may also state the quality of the checks that were carried out before the certificate was issued. Different classes of certificate can be purchased that correspond to the level of checks made. There are three or four general classes of certificate: Class 1 certificates can be easily acquired by supplying an email address, Class 2 certificates require additional personal information to be supplied, and Class 3 certificates can only be purchased after checks have been made as to the requestors identity. A 4th class may be used by governments and organizations needing very high levels of checking.
· Issues certificate revocation lists (CRLs)
The foundation upon which a PKI is built is trust—in other words the user community must trust the CA to distribute, revoke, and manage keys and certificates in such a way as to prevent any security breaches. As long as users trust the CA and its business processes, they can trust certificates the CA issues.
The CA’s signature in a certificate ensures that any changes to its contents will be detected. Such certificates can be distributed publicly and users retrieving a public key from a certificate can be assured of the validity that the key:
· Belongs to the entity specified in the certificate
· Can be used safely in the manner for which the CA certified it
Users need to be able to determine the degree of assurance or trust that can be placed in the authenticity and integrity of the public keys contained in certificates the CA issues. The information upon which such determinations can be made is documented in the Certificate Policy and the Certification Practice Statement of the CA.
A CA has the following tasks:
· Generate the certificate based on a public key. Typically a Trust Center generates the pair of keys on a smart card or a USB token.
· Guarantees the uniqueness of the pair of keys and links the certificate to a particular user
· Manages published certificates
The Registration Authority (RA) is responsible for recording and verifying all information the CA needs. In particular, the RA must check the user’s identity to initiate issuing the certificate at the CA. This functionality is neither a network entity nor is it acting online. The RAs will be where users must go to apply for a certificate. Verification of the user identity will be done for example by checking the user’s identity card.
A RA has two main functions:
· Verify the identity and the statements of the claimant
· Issue and handle the certificate for the claimant
The directory service has two main functions:
· Publish certificates
· Publish a Certificate Revocation List or to make an online certificate available via the Online Certificate Status Protocol (OCSP)
A database can be configured to accept X.509 format certificates. This may be done for private systems where the search methods for locating certificates do not follow the LDAP structure. Because it is essentially proprietary, this method is not used for public systems.
Timestamping is a special service. Timestamping confirms the receipt of digital documents at a specific point in time. The service is used for contracts or other important documents for which a receipt needs to be confirmed.
PlexCrypt can be downloaded from http://www.plexobject.com/software/plexcrypt. PlexCrypt comes with the installation wizards for Windows, Mac OS/X, Linux and UNIX platforms. After installing it, launch PlexCrypt. It will show a graphical window as shown in figure 1.
On top are the menu options, followed by toolbar icons and then view of your local files and folders.
Before a user can decrypt or digitally sign his/her documents or files, he/she must create digital certificate or import it. In order to create digital certificate, click
Tools->Preferences
From top menu and then select “Key Store (Digital Certificates & Key-Pairs)” tab.
Click on “Create Certificate” to create a new digital certificate with private keys.
Type in your information and then click “OK” to create digital certificate along with private key.
Before you can send encrypted documents, you must import recipient’s digital certificate by selecting
Tools->Preferences
from main menu and then select “Key Store (Digital Certificates & Key-Pairs)” tab. Then click on “Import Certificate”
After you create your digital certificate, you would need to export it to a file and then distribute it to all users who can send you encrypted documents by selecting
Tools->Preferences
from main menu and then select “Key Store (Digital Certificates & Key-Pairs)” tab. Then select your certificate and click on “Export Certificate”
Select folders or files that you wish to encrypt and then click
File->Crypt->Encrypt
from top menu or by clicking the encrypt icon from the toolbar. It will show a window as shown in following figure:
You may choose any of the encryption algorithms such as AES, Blowfish, CAST, DES, etc. Encryption uses public key or certificate of the recipient, so you would choose the digital certificate of recipient from drop down option. If it’s not imported yet, then import digital certificate before using it. You may add other files or folders by clicking “Add.” Once all files are added, select output file by clicking “Output File” or typing in file name. Then click “Encrypt” button to start the encryption process.
Select the encrypted file and then click
File->Crypt->Decrypt
from top menu or by clicking the decrypt icon from the toolbar. It will show a window as shown in following figure:
Select the encryption algorithm same as used by the sender. Decryption uses private key of the recipient, so you would choose your digital certificate of recipient from drop down option. Then specify output folder or directory. Finally, click “Decrypt” to decrypt file. If file contains multiple files or folders, they will automatically be extracted in the output folder.
Select the file that you wish to digitally sign and then click
File->Signature->Create Digital Signature
from top menu or by clicking the sign icon from the toolbar. It will show a window as shown in following figure:
You may choose any of the hashing algorithms from the drop options and then select name of signature file. Then click “Create Digital Signature” button to create the digital certificate. Once completed, you may send the original document along with digital signature to the recipient.
Select the original file and then click
File->Signature->Verify Digital Signature
from top menu or by clicking the verify icon from the toolbar. It will show a window as shown in following figure:
Select the hashing algorithm same as used by the sender. Verification uses public key of the sender, so you would choose his/her digital certificate from drop down option. Then specify name of signature file and original file. Finally, click “Verify Digital Signature”. It will notify user whether the document is validated against the signature or not.
In addition to PKI-based mechanism for verifying documents, PlexCrypt supports simple hashing mechanism based on MD5 and SHA protocols. You can create a file containing hash by selecting the file that you wish to authenticate and then click
File->Digest->Create Digest
from the top menu or by clicking the digest icon from the toolbar. It will show a window as shown in following figure:
You may choose any of the hashing algorithms from the drop options and then select name of digest file. Then click “Create Digest” button to create the file containing hash code. Once completed, you may send the original document along with digest to the recipient.
Select the original file and then click
File->Digest->Verify Digest
from top menu or by clicking the verify-digest icon from the toolbar. It will show a window as shown in following figure:
Select the hashing algorithm same as used by the sender. Then specify name of digest file and original file. Finally, click “Verify Digest”. It will notify user whether the document is validated against the digest or not.
PlexCrypt supports ZIP based mechanism for arching and compressing folders and files into a single file. The user can either digitally sign that file or encrypt it and then send it to another user. You can create an archive file by selecting folders or files and then click
File->Digest->Archive->Zip
from the top menu or by clicking the zip icon from the toolbar. It will show a window as shown in following figure:
You may add additional files or folders and then select output file. Once completed, click “Zip” to create the archive file.
The zip or archive can be extracted by selecting the archived file and then clicking
File->Archive->UnZip
from top menu or by clicking the verify-digest icon from the toolbar. It will show a window as shown in following figure:
Select or type in the output folder and click “Unzip” to extract all files or folders.
