HKU Digital Certificates for University Staff and Students

With the Hong Kong SAR Government fully embracing the use of digital certificates and electronic service delivery, Computer Centre has been focusing on the deployment of Electronic Service Delivery (ESD) applications in the University for the last six months.  In preparation for the roll-out of ESD applications, Computer Centre is building up the Public Key Infrastructure (PKI) and setting up the HKU Certification Authority (CA) to issue digital certificates to current University staff and students.

The Hongkong Post e-Cert digital certificates

Since 31st January 2000, a Hong Kong citizen can apply to the first recognized Certificate Authority in Hong Kong, the Hongkong Post, for a Hongkong Post e-Cert digital certificate (HKPost e-Cert for short).  It requires an initial subscription fee of $50, and an annual renewal fee of $150.  The most popular use of the HKPost e-Cert is expected to be in the use of the digital signature for sending and receiving signed and encrypted email.  It is anticipated that the HKPost e-Cert will also be used in the Government's ESD applications starting in October, 2000.

The HKU digital certificates (HKU-Cert)

Computer Centre is planning to set up the HKU CA in the third quarter of 2000 and issue HKU digital certificates with the corresponding private keys to current staff and students.   The HKU-Cert will enable HKU members to exchange encrypted and signed e-mail among ourselves and with other users who have installed the HKU CA Root Certificate in their e-mail programs which are capable of handling digital certificates.

With the issue of HKU Digital Certificates, HKU staff and students will be able to use their private keys issued by HKU CA to digitally sign in the HKU ESD applications.  The HKU ESD applications will eliminate the requirement of written signatures, and thus speed up the human/computer processing by capturing data at source, storing and sending data electronically, and eliminating the handling of paper records in departmental offices.  There will be provision for archiving the signed electronic records, which will be archived for seven or more years in accordance with the Electronic Transaction Ordinance.  We shall be equipping offices with the appropriate hardware necessary for this service.  More details will be announced via electronic mail to our staff and students when the facilities are ready.

Public key infrastructure (PKI)

Below is a brief description of the basic mechanism of the PKI technology.

PKI covers the use of public key cryptography for authentication of a user, access control of a user, guaranteeing the integrity and non-repudiation of documents signed by a user, and confidentiality of data.

PKI employs a pair of keys for each user: a private key which is known only to the user himself, and a public key which is published by some authority, in the form of a digital certificate.

In signing a document or an e-mail, a user signs using his own private key so that others can use the signer's public key to verify the authenticity and non-repudiation of documents or e-mail.

In sending an encrypted e-mail to a recipient, the sender uses an e-mail program which supports the PKI technology to encrypt the e-mail using the  recipient's public key, which is obtained from the  recipient's digital certificate installed in the sender's e-mail program. The recipient, on receiving the encrypted mail, can use his private key to decrypt the mail.  Since only the  recipient has his own private key, the encrypted mail will only be readable by him.  Others, even if they can get hold of a copy of the encrypted mail over the network, would not be able to read the encrypted mail as they do not have the  recipient's private key to decrypt the mail.  The use of PKI saves the trouble of maintaining and distributing the same encryption/decryption key between the sender and the recipient.

The e-mail program Netscape Messenger v4.7 supports the signing and encryption of e-mail using 1024-bit RSA keys and certificates encoded in X.509 v3 format.

By using strong public key cryptographic algorithms, such as 1024-bit RSA keys which Computer Centre and Hongkong Post are employing, it is practically impossible for anyone to crack the private key from the public key within the life-time of a private key.

PKI involves the installation of the Certification Authority Server for issuing the key pairs to users and for maintaining the digital certificates for users to retrieve the public keys for verification and encryption of e-mail and documents.

If you would like to know more about the HKU Digital Certificate, please contact the undersigned.

M. C. Pong
Tel: 2859 2491
E-mail: pmc@cc.hku.hk



[Contents] [Next] [Previous]