
 

Frequently Asked Questions (FAQs)

This section gives simple answers to the most frequently asked questions about electronic security, public key infrastructures, electronic signatures and electronic certification.

 

 

1.         What are the main aspects of “Electronic Security”?

Electronic security has its roots in the security of IT systems. With the evolution over the last decade of personal computing systems, distributed systems and networking environments, electronic security has become closely linked to the security of IT networks and of information.

 

“Electronic Security” comprises a varied set of dimensions, including physical infrastructure aspects of access to IT and information systems. The guarantee of, or “trust” in, the 5 properties below in electronic transaction or communication processes is usually considered characteristic of electronic security:

          Authenticity: The guarantee that the identity of every party taking part in an electronic communication process, or accessing an electronic system, is valid. That is, the identity of a user of a given electronic system or network is “authentic”.

          Integrity: The guarantee that an electronic document or electronic system is not altered, and has not been altered, during an electronic communication process or while that object or document is being accessed. That is, a given electronic document or piece of information maintains its “integrity” and undergoes no alteration.

          Confidentiality: The guarantee that an electronic transaction or communication is confidential, that is, that it does not run the risk of being accessed by third parties who are not authorised to do so. When information or a document is considered “confidential”, its contents can be accessed only by the entities authorised to do so.

          Privacy: The guarantee that the information or contents of a given document, or the characteristics of an electronic process or transaction, are kept “private” for those who are authorised to have access. Thus the “private” nature of possessing, or being able to access, given information is not violated.

          Non-repudiation: The guarantee that, in a given electronic communication or transaction, the parties involved are provided with the means to ensure that the fact that the transaction or process actually took place cannot be “rejected”. That is, none of the parties involved can repudiate the fact that, at a specific date and time, certain electronic information was accessed, or a certain document was communicated or transacted.

 

2.         What is a PKI?

 

PKI is the abbreviation for Public Key Infrastructure, the English term for “Infraestrutura de Chaves Públicas”.

A Public Key Infrastructure is a system made up of legislative or legal components, physical infrastructure and technological equipment, together with the standards, regulations and procedures that define certification policies and practices, for the assurance of electronic security. What distinguishes public key infrastructures from other security systems is that they rely on “public key” (asymmetric) cryptography rather than on symmetric cryptography.

The distribution of “public keys” and “private keys” among the different entities in the certification system creates the “trust” required to guarantee the security of electronic transactions among the people and entities that use a given PKI.

The certifying entities that make up a given Public Key Infrastructure can be organised according to several models, ranging from federated PKI models to hierarchical models and even cross-certification. The choice of organisation model should follow optimisation criteria suited to the security system that is to be implemented.

 

In accordance with Decree-Law nº 290-D/99, of 2nd August, an “electronic document” is any document produced through electronic data processing.

An “electronic address” is the identification of IT equipment suitable for receiving and filing electronic documents.

In turn, an “electronic signature” is the result of electronic data processing that can be the object of an individual and exclusive right and can be used to make known the authorship of the electronic document to which it is affixed, so that:

            i           It unequivocally identifies the licensee as the author of the document;

            ii          Its affixing to the document depends only on the licensee’s will;

            iii         Its connection to the document allows any subsequent alteration of the document’s content to be detected.

 

 

4.         What are “Advanced Electronic Signatures”?

 

According to Wikipedia, in cryptography a digital signature is a method of authenticating digital information that is typically treated, sometimes with too much trust, as analogous to a physical signature on paper. Although there are some analogies, there are also differences that can be important. The term electronic signature, sometimes confused with it, has a different meaning: it refers to any mechanism, not necessarily a cryptographic one, for identifying the sender of an electronic message.

A “digital signature” is also defined as the electronic signature process based on an asymmetric cryptographic system composed of an algorithm or series of algorithms, through which a pair of exclusive and interdependent asymmetric keys is generated, one private and the other public. It allows the licensee to use the private key to declare authorship of the electronic document to which the signature is affixed and agreement with its contents, and allows the addressee of the declaration to use the public key to verify whether the signature was created using the corresponding private key and whether the electronic document was altered after the signature was affixed.

 

The use of a digital signature provides undeniable evidence that a message came from the issuer. To meet this requirement, a digital signature should have the following properties:

          authentication – the receiver should be able to confirm the issuer’s signature;

          integrity – the signature cannot be forged;

          non-repudiation – the issuer cannot deny its authenticity.

 

 

5.         What is a “Digital Certificate”?

 

A “Signature Certificate” is an electronic document authenticated with a digital signature that certifies the ownership of a public key and the validity period of that key.

 

 

6.         What is a “Qualified Digital Certificate”?

 

A “qualified digital certificate” is a digital certificate as defined above to which a qualified electronic signature is affixed, that is, an electronic signature issued by an accredited certifying entity.

 

 

7.         What is a “Certifying Entity”?

 

A “certifying entity” is an accredited entity, or an individual or collective body, that creates or supplies the means for creating the keys, issues the signature certificates, ensures that they are publicised and renders other services related to digital signatures.
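How a certifying entity binds a public key to a holder for a validity period, and how a relying party checks that binding, as an added Go example (not code from the original page or from the PKI it describes). The names, serial numbers, dates and the choice of ECDSA P-256 are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var t0 = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issuance date
func must[T any](v T, err error) T {                 // panic on error to keep the example short
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a key pair for cn and certifies its public key for `years` from t0; nil parent = self-signed root.
func issue(cn string, serial int64, years int, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: t0, NotAfter: t0.AddDate(years, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // root: the certifying entity signs its own certificate
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// validAt reports whether leaf chains to the trusted root `months` after t0.
func validAt(leaf, root *x509.Certificate, months int) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t0.AddDate(0, months, 0)})
	return err == nil
}

func CertDemo() (inPeriod, afterExpiry, impostorRoot bool) { // one holder certificate, three checks
	root, rootKey := issue("Example Root CA", 1, 10, nil, nil)
	impostor, _ := issue("Example Root CA", 1, 10, nil, nil) // same name, different key
	leaf, _ := issue("Example Holder", 2, 1, root, rootKey)
	return validAt(leaf, root, 6), validAt(leaf, root, 24), validAt(leaf, impostor, 6)
}
func main() { fmt.Println(CertDemo()) }
```

The holder certificate verifies only inside its validity period and only against the root whose key actually signed it; a root that merely carries the same name is rejected.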

 

 

8.         What is “Symmetric and Asymmetric Cryptography”?

 

According to Wikipedia, “symmetric cryptography” is a conventional cryptographic system, usually referred to as a symmetric key system, single-key cryptography or secret-key cryptography. It is based on one single key, used by both parties, and on the premise that the key is known only to them. The system is only as secure as (1) the key itself and (2) the means by which it was made known to both parties; it is common for the key to be kept in a place that one “thinks” is secure.

In turn, “asymmetric cryptography”, or public key cryptography, is a cryptographic method that uses a pair of keys: one public key and one private key. The public key is freely distributed to all correspondents by e-mail or other means, while the private key should be known only to its owner.

In an asymmetric cryptography algorithm, a message encrypted with the public key can only be decrypted with the corresponding private key. Likewise, a message encrypted with the private key can only be decrypted with the corresponding public key.

Public key algorithms may be used for authenticity and confidentiality. For confidentiality, the public key is used to encrypt messages, so that only the owner of the private key can decrypt them. For authenticity, the private key is used to encrypt messages, which guarantees that only the owner of the private key could have encrypted a message that is decrypted with the public key.
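The two uses of a key pair described in this answer, together with the signature properties listed under question 4, as an added Go example (not part of the original FAQ). RSA-OAEP and RSA-PSS are choices made for the illustration, since the page names no algorithm; in practice “encrypting with the private key” is carried out as a signature over a hash of the message. All messages are constructed samples.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes doc and signs the digest with the private key (RSA-PSS).
func Sign(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	d := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, d[:], nil)
}

// Verify needs only the public key; it fails if doc or sig was altered.
func Verify(pub *rsa.PublicKey, doc, sig []byte) bool {
	d := sha256.Sum256(doc)
	return rsa.VerifyPSS(pub, crypto.SHA256, d[:], sig, nil) == nil
}

// Demo reports: secret recovered, signature valid on the original, signature valid on an altered copy.
func Demo() (decrypted, sigOK, alteredOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	pub := &priv.PublicKey
	// Confidentiality: encrypt with the public key, decrypt with the private key (RSA-OAEP).
	secret := []byte("constructed sample secret")
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		return
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return
	}
	// Authenticity and integrity: sign with the private key, verify with the public key.
	doc, altered := []byte("constructed: pay 100 EUR to A"), []byte("constructed: pay 900 EUR to A")
	sig, err := Sign(priv, doc)
	if err != nil {
		return
	}
	return string(pt) == string(secret), Verify(pub, doc, sig), Verify(pub, altered, sig), nil
}

func main() { fmt.Println(Demo()) }
```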

 

 

9.         What are “Public Keys”?

 

A “Public Key”, in the context of asymmetric cryptography, is the element of the asymmetric key pair intended to be disclosed, with which the digital signature affixed to an electronic document by the licensee of the key pair is verified, or with which an electronic document to be sent to the licensee of that key pair is enciphered.

 

 

10.      What are “Private Keys”?

 

A “Private Key”, in the context of asymmetric cryptography, is the element of the asymmetric key pair intended to be known only to its licensee, with which the digital signature is affixed to an electronic document, or with which an electronic document previously enciphered with the corresponding public key is deciphered.

 

 

11.      What is an HSM?

 

HSM is the abbreviation for “Hardware Security Module”, a security device used in cryptography for the generation of digital certificates with high security levels. The main function of the HSM is to generate long-term secret keys for protection and security.

 

 

12.      What is an “Accrediting Authority”?

 

According to Decree-Law nº 290-D/99, of 2nd August, an Accrediting Authority is the entity competent to accredit and inspect the certifying entities that render electronic certification services.

“Accreditation” is the act by which an entity that requests it, and that carries out the activity of a certifying entity, is recognised as fulfilling a set of requirements, such as:

 

 

13.      What is “Chronological Validation”?

 

“Chronological Validation” is the declaration by a certifying entity that certifies the date and time of the creation, sending or reception of an electronic document.

 
