E-Procurement: Digital Signatures and Role of Certifying Authorities Jagdeep S. Kochar CEO, (n)Code Solutions
E-Procurement in India: Central Government; State Governments: Andhra, Karnataka, Gujarat; Public Sector Units; some organizations: NIC (for the Central Government), DGS&D, Northern Railway, IFFCO, GNFC
The ‘PAIN’ of Online Transactions: (P)rivacy / Confidentiality, threatened by interception: is my communication private? (I)ntegrity, threatened by modification: has my communication been altered? (A)uthentication, threatened by fabrication: who am I dealing with? (N)on-repudiation, threatened by false claims of “not sent” / “not received”: who sent or received it, and when?
Where do Digital Signatures come in? Passwords are a weak method of authentication: they do not ensure integrity, and they can be broken, guessed, leaked, extracted, etc. A digital signature, by contrast, cannot be forged without the signer’s private key (provided that key is kept secret), and it no longer verifies if the signed data is altered. Other authentication methods also offer no legal protection when a transaction is disputed. In short, digital signatures are an effective remedy against the ‘PAIN’ of e-Transactions.
Digital Signatures and e-Procurement
Where does the buyer use PKI? Secure login; tender floating; corrigenda; secure communications with vendors; tender opening; clarifications and negotiations; digitally signed PO/WO; digitally signed archives
Where does the vendor use PKI? Secure login; secure storage of content; tender submission; encryption using the buyer’s public key; clarifications and negotiations
Digital Signing of the Data: the electronic data is passed through a hash function to produce a hash result; the signing function, using A’s private key, signs that hash result to produce the digital signature; the signed data is the electronic data together with its digital signature. Only the private key holder can sign.
Digital Signature Verification: anyone can verify. The receiver passes the electronic data through the same hash function to obtain a hash result, and applies the verify function with A’s public key to the digital signature to recover the hash result that was signed; comparing the two hash results gives Valid: Yes / No. So the receiver can compare hashes to verify the signature.
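The two slides above describe hash-then-sign and its verification. The following is an added example, not code from the original presentation or from (n)Code, that runs the flow with Go's standard library. The slides fix no algorithms, so SHA-256 as the hash function, RSA PKCS#1 v1.5 as the signing function, 2048-bit keys, the function names and the sample tender text are all assumptions made here (the tender is constructed). It checks the three properties the slides rely on: the genuine signature verifies, a modified document fails, and a signature made with someone else's private key fails under A's public key.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignData is the "hash then sign" step: the electronic data is reduced to a
// SHA-256 hash result, and only that hash is signed with A's private key
// (RSA PKCS#1 v1.5 here; the slides do not fix an algorithm).
func SignData(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyData is the receiver's side: recompute the hash over the data that
// actually arrived and check the signature against it with A's public key.
// Anyone holding the public key can do this; no secret is needed.
func VerifyData(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Result records the three checks a relying party cares about.
type Result struct {
	GenuineOK     bool // A's signature over the unmodified data verifies
	TamperedOK    bool // the same signature still verifies after the data changed
	WrongSignerOK bool // a signature made with B's private key passes as A's
}

// Demo runs the signing and verification flow over a constructed sample tender.
func Demo() (Result, error) {
	var r Result
	// Key pairs for A (the genuine signer) and B (someone else).
	keyA, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	keyB, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}

	// Constructed sample document, not taken from any real tender.
	tender := []byte("Tender T-2024-001: supply of 500 units at INR 1,200 each")

	sig, err := SignData(keyA, tender)
	if err != nil {
		return r, err
	}
	r.GenuineOK = VerifyData(&keyA.PublicKey, tender, sig)

	// Integrity: change one figure in the document and reuse A's signature.
	tampered := bytes.Replace(tender, []byte("1,200"), []byte("1,900"), 1)
	r.TamperedOK = VerifyData(&keyA.PublicKey, tampered, sig)

	// Authentication: B signs the same document, but the receiver checks it
	// against A's public key, so it must not be accepted as A's signature.
	sigB, err := SignData(keyB, tender)
	if err != nil {
		return r, err
	}
	r.WrongSignerOK = VerifyData(&keyA.PublicKey, tender, sigB)
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongSigner=%v\n", r.GenuineOK, r.TamperedOK, r.WrongSignerOK)
}
```

Note that the receiver never sees A's private key: everything in VerifyData uses the public key, which is exactly why a third party (or a court) can re-run the check later without A's cooperation.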
Digital Signature & the Law. The IT Act 2000 provides: a legal and regulatory framework for the promotion of e-Commerce and e-Governance; legal validity for electronic transactions / contracts and records; for the appointment of Certifying Authorities to issue Digital Certificates; the legal framework for electronic filing of documents; for the prevention of computer crime, forgery and falsification of identity in e-Commerce transactions.
Structure of PKI in India: CCA India (the Controller of Certifying Authorities, Ministry of Information Technology) is the Root CA; it licenses Certifying Authorities (several Licensed Certifying Authorities); each Licensed Certifying Authority issues certificates to Subscribers.
Components of PKI: Certification Authorities (CAs), the issuers; Registration Authorities (RAs), which authorize the binding between a public key and the certificate holder; Certificate Holders (Subscribers); Relying Parties, which validate signatures and certificate paths; Repositories, which store and distribute certificates and their status (expired, revoked, etc.). (Diagram: certificate holder, registration authority, relying party application / web server, Internet, repository, certification authority.)
Functions of a Certifying Authority: acting as a Trusted Third Party; for digital certificates: registration and issuance; revocation; maintenance; providing Certificate Revocation Lists; providing support.
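To make the hierarchy, the relying party's path validation and the CA's revocation list concrete, here is an added example; it is not from the original presentation and is not CCA or (n)Code software. It builds a CCA-style three-level chain with Go's crypto/x509, validates the subscriber's certificate path the way a relying party does, rejects a certificate issued by a CA the root never licensed, and has the licensed CA publish a CRL that the relying party checks only after verifying the CRL's signature. Subject names, serial numbers, the one-day validity, the 2048-bit keys and the function names are assumed values chosen for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy mirrors the slide: CCA root CA -> licensed CA -> subscriber.
// The licensed CA's private key is kept because it also signs the CRL below.
type Hierarchy struct {
	Root, LicensedCA, Subscriber *x509.Certificate
	LicensedKey                   *rsa.PrivateKey
}

// template builds a minimal certificate body; names, serials and the one-day
// validity are assumed values for illustration only.
func template(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Country: []string{"IN"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // a CA signs certificates and CRLs
	}
	return t
}

// BuildHierarchy issues the three-level chain plus a "rogue" subscriber
// certificate from a self-signed CA that the root never licensed.
func BuildHierarchy() (*Hierarchy, *x509.Certificate, error) {
	var firstErr error
	var keys [5]*rsa.PrivateKey // root, licensed CA, subscriber, unlicensed CA, rogue subscriber
	for i := range keys {
		if firstErr == nil {
			keys[i], firstErr = rsa.GenerateKey(rand.Reader, 2048)
		}
	}
	// issue signs tmpl for subject's public key with the signer's key under
	// parent (nil parent = self-signed); after a failure it becomes a no-op.
	issue := func(tmpl, parent *x509.Certificate, subject, signer *rsa.PrivateKey) (c *x509.Certificate) {
		if firstErr != nil {
			return nil
		}
		if parent == nil {
			parent = tmpl
		}
		var der []byte
		if der, firstErr = x509.CreateCertificate(rand.Reader, tmpl, parent, &subject.PublicKey, signer); firstErr == nil {
			c, firstErr = x509.ParseCertificate(der)
		}
		return c
	}
	root := issue(template("CCA India Root CA", 1, true), nil, keys[0], keys[0])
	ca := issue(template("Licensed CA", 2, true), root, keys[1], keys[0])
	sub := issue(template("Subscriber", 3, false), ca, keys[2], keys[1])
	badCA := issue(template("Unlicensed CA", 100, true), nil, keys[3], keys[3])
	rogue := issue(template("Rogue Subscriber", 101, false), badCA, keys[4], keys[3])
	if firstErr != nil {
		return nil, nil, firstErr
	}
	return &Hierarchy{Root: root, LicensedCA: ca, Subscriber: sub, LicensedKey: keys[1]}, rogue, nil
}

// ValidatePath is the relying party's check: the path from the subscriber
// through the licensed CA must end at the CCA root, or it is rejected.
func ValidatePath(h *Hierarchy, leaf *x509.Certificate) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(h.Root)
	opts.Intermediates.AddCert(h.LicensedCA)
	_, err := leaf.Verify(opts)
	return err == nil
}

// IsRevoked plays both sides of the CRL: the licensed CA publishes a CRL listing
// revokedSerials, and the relying party verifies the CRL's signature before
// trusting it and looking up the subscriber's serial number in it.
func IsRevoked(h *Hierarchy, leaf *x509.Certificate, revokedSerials []int64) (bool, error) {
	entries := make([]pkix.RevokedCertificate, len(revokedSerials))
	for i, s := range revokedSerials {
		entries[i] = pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()}
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, h.LicensedCA, h.LicensedKey)
	if err != nil {
		return false, err
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(h.LicensedCA); err != nil {
		return false, err // a CRL whose signature does not check must not be trusted
	}
	revoked := false
	for _, rc := range crl.RevokedCertificates {
		revoked = revoked || rc.SerialNumber.Cmp(leaf.SerialNumber) == 0
	}
	return revoked, nil
}

func main() {
	h, rogue, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	revoked, _ := IsRevoked(h, h.Subscriber, []int64{3}) // serial 3 is the subscriber
	fmt.Println("licensed path:", ValidatePath(h, h.Subscriber), "rogue path:", ValidatePath(h, rogue), "revoked:", revoked)
}
```

The rogue certificate is well-formed and correctly signed; it fails only because its chain does not end at the root the relying party trusts, which is the whole point of licensing CAs under the CCA. The CRL check deliberately verifies the list's signature first: a revocation list fetched from a repository is just data until it is proven to come from the issuing CA.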
Expectations of a CA: education and evangelism; support issues: supporting vendors on certificates and on the application; 11th-hour delivery of certificates to users; PKI enablement of the application.
How can a CA add value: secure issuance of digital certificates; RA / LRA obligations to the CA; verification of the users / documents; providing the highest class / high assurance certificates; providing consulting for secure application design.
How can a CA add value (cont.): SSL-enabled site; secure application design: digitally signed content at the client end; digitally signed / encrypted content during data transfer; data integrity / confidentiality to be taken care of while data is changed by vendor / buyer, during transfer of data between client and server, and in storage of data at the server.
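The vendor's “encryption using the buyer's public key” and the confidentiality of bid data in transfer and in storage at the server are shown by this added example, which is not from the presentation or from (n)Code. The slides do not say how the encryption is done; the example assumes hybrid encryption, AES-256-GCM for the bid under a one-time key and RSA-OAEP to wrap that key to the buyer's public key, so what the server stores is unreadable without the buyer's private key and any modification in storage is detected at tender opening. The bid text is constructed, and the key sizes, OAEP label and function names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel binds the wrapped key to its purpose; an assumed constant for this example.
var oaepLabel = []byte("e-procurement bid key")

// Envelope is what the vendor uploads and the server stores: the bid sealed
// under a one-time AES-256-GCM key, plus that key encrypted to the buyer's
// RSA public key with OAEP. Nothing in it is readable without the buyer's private key.
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP under the buyer's public key
	Nonce      []byte // GCM nonce, fresh for every envelope
	Ciphertext []byte // encrypted bid followed by the GCM authentication tag
}

// EncryptForBuyer is the vendor's side: generate a one-time AES key, seal the
// bid with it, and wrap the key so that only the buyer can unwrap it.
func EncryptForBuyer(buyerPub *rsa.PublicKey, bid []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, buyerPub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, bid, nil)}, nil
}

// DecryptAsBuyer is the buyer's side at tender opening: unwrap the AES key with
// the buyer's private key, then open the bid. GCM's tag check fails on any
// modification of the stored ciphertext, so tampering is detected rather than
// silently accepted.
func DecryptAsBuyer(buyerPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, buyerPriv, env.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap the bid key: this is not the buyer's private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Demo encrypts a constructed bid to the buyer and reports three checks:
// the buyer recovers the bid, the vendor's own key cannot open the stored
// envelope, and a byte flipped in storage is detected at opening.
func Demo() (buyerRecovers, vendorCanRead, tamperDetected bool, err error) {
	buyer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	vendor, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	bid := []byte("Bid for Tender T-2024-001: INR 6,00,000, delivery in 30 days") // constructed sample
	env, err := EncryptForBuyer(&buyer.PublicKey, bid)
	if err != nil {
		return
	}
	got, openErr := DecryptAsBuyer(buyer, env)
	buyerRecovers = openErr == nil && bytes.Equal(got, bid)

	_, openErr = DecryptAsBuyer(vendor, env)
	vendorCanRead = openErr == nil

	tampered := *env
	tampered.Ciphertext = append([]byte(nil), env.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // simulate a modified record at the server
	_, openErr = DecryptAsBuyer(buyer, &tampered)
	tamperDetected = openErr != nil
	return
}

func main() {
	b, v, t, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("buyer recovers=%v vendor can read=%v tamper detected=%v\n", b, v, t)
}
```

Encryption alone does not prove who submitted the bid; in a real submission the vendor signs the bid with their own private key before sealing it, and the buyer verifies that signature after opening, so that confidentiality and non-repudiation are both covered.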
Types of certificates: signing certificates (popularly known as Class I certificates); document / component signing certificates without personal verification (popularly known as Class II certificates); document / component signing certificates with personal verification (popularly known as Class III certificates).
Which certificate should be used? The IT Act guidelines for CAs state, for the Class 3 Certificate: “This certificate will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities.”
Why Class 3? The biggest frauds have been based on documents. If the banks had opened demat accounts only after verifying personal presence, the recent IPO scam could have been averted. A Class 3 certificate requires physical appearance at the CA’s offices, which reduces the chances of identity fraud.
Why use an e-Token? Amendment to the IT Act 2000: G.S.R. 735(E) dated 29th October, 2004. A digital signature shall be deemed to be secure for the purposes of the Act if a cryptographic smartcard / token is used to create the key pair and the key pair remains in the cryptographic token / smartcard. In practice this means the private key is generated inside the token and every signing operation is performed on the token, so the key is never exposed on the user’s PC where it could be copied or extracted.
Case Studies: IFFCO; Northern Railway; Govt. of Gujarat; KSPHC. How (n)Code helped e-procurement succeed.
Thank you Jagdeep S Kochar