Int. J. Electronic Governance, Vol. 6, No. 2, 2013
E-governance public key infrastructure (PKI) model Agangiba W. Akotam*, Millicent S. Kontoh and Albert K. Ansah Computer Science and Engineering Department, University of Mines and Technology, Tarkwa, P.O. Box 237, Tarkwa, Ghana E-mail:
[email protected] E-mail:
[email protected] E-mail:
[email protected] *Corresponding author Abstract: Delivery of services to citizens efficiently and at affordable cost is a major concern of many governments today. Many national electronisation projects today aim at empowering governments to implement and accept digitally signed tax returns, execute transactions securely and tighten border controls while maintaining strong security and streamlining administration under affordable costs. To do this, the need for technologies and policies to ensure trusted transactions and identities become very significant. In line with this, digitally enhanced travel and identity documents, e-health and business authentication methods are gaining great popularity and importance in recent times. The public key infrastructure (PKI) using X.509 digital certificates can provide a great framework for handling such government services and concerns with high level of integrity. This paper seeks to develop a architecture of a government PKI, efficient and effective for providing secure government services to citizens. Keywords: e-governance; digital certificates; security; PKI; public key infrastructure; service; confidentiality. Reference to this paper should be made as follows: Akotam, A.W., Kontoh, M.S. and Ansah, A.K. (2013) ‘E-governance public key infrastructure (PKI) model’, Int. J. Electronic Governance, Vol. 6, No. 2, pp.133–142. Biographical notes: Agangiba William Akotam obtained his BSc and Master degrees in Information Systems and Technology from the Tver State technical University, Tver, Russia in 2009 and 2010, respectively. He is currently an Assistant Lecturer in the Department of Computer Science and Engineering at the University of Mines and Technology, Tarkwa, Ghana. His research interests include web services, programming in high-level programming languages and data structures and algorithms. Millicent Sasu Kontoh [AMIEEE] obtained Masters in Computers, Complex Systems and Networks in 2007 from Tver State Technical University. She is currently a Lecturer at the Computer Science and Engineering Department, University of Mines and Technology, Tarkwa Ghana. Millicent has worked in several institutions, including Registrar General’s Department under the Ministry of Justice and Attorney General, Ghana, Zenith and Pentecost University Colleges in Ghana. She served as the Student Branch Counsellor of IEEE at Pentecost University. Her research interests include modelling of software and database systems, distributed systems and mobile computing.
Copyright © 2013 Inderscience Enterprises Ltd.
133
134
A.W. Akotam et al. Albert Kwansah Ansah obtained his MSc in Mobile Computing and Communications from the University of Greenwich in London, UK in 2008. He is currently a Computer Science and Engineering Lecturer at the University of Mines and Technology, Tarkwa, Ghana and a member of International Association of Engineers. His research interests include wireless, satellite and mobile communication & application, network coding and antenna design.
1
Introduction
With the development of computer technology over the past two decades, electronic methods of processing and transmitting information have become very common and reliable. Information can be created, stored and transmitted with the use of computer technologies and software support, which speeds up information processing. With this background, IT has almost captured all spheres of human activities. It has relieved people from manually handling day-to-day activities such as businesses management, transport/travel, academics, banking, broadcasting, entertainment, research and discovery amongst others. The advantages of information technology have also found great application in the government–citizen service delivery system where governments device reliable methods to provide services to their citizens electronically (Kendra, 2008), this new practice of public administration has developed into the concept of Electronic Governance (e-governance). Several researchers have concerned themselves with the study of various aspects of e-governance (Kendra, 2008; Fang, 2002; Paul, 2007; Ebrahim and Irani, 2005; Nishat and Zillur Rahman, 2008; Lam, 2005; Jha ‘Bidyarthi’ and Srivastava, 2009; Williams, 2008). Despite the numerous advantages e-governance provides, very little has been done to address the security issues of e-governance. Information transmitted over public networks is very vulnerable as it can easily be intercepted by other people other than expected recipients. Attributes of information such as confidentiality, integrity and non-repudiation must be carefully protected when handling information in the electronic form. The core focus of this paper is to examine a model of public key infrastructure (PKI), especially for e-governance.
2
Background information
Throughout the world, countries are taking more Innovative approaches to doing business with their citizens. The use of internet to deliver government information and services to citizens is gaining high recognition worldwide (Fang, 2002). Funds and other necessary provisions are being put in place to make the e-governance implementation a reality. Countries like Australia, Austria, Canada, China, Denmark, Finland, France, Hong Kong, Japan, Russia, Singapore, USA among others have already taken the lead in e-governance initiatives (Fang, 2002; Kolachalam, 2003). They find the electronic methods of governance more reliable, cost effective and speedy. The application of e-governance covers, but not limited to the following (Kolachalam, 2003):
E-governance public key infrastructure (PKI) model •
online public services delivery including transaction services (e-portals), e.g., certificates application, tax payment, etc.
•
tele-consulting, e.g., e-assistance
•
tele-voting, e.g., e-voting
•
e-forums, e.g., message boards
•
online opinion polls, job vacancies
•
online statistical data, GIS traffic information
•
ICT support for voluntary work and charities, e.g., online communities
•
ICT in police and courts and ICT in policy making.
135
However, security issues involved in electronic data exchange systems are continually raising concerns (Verisign White Paper, 2009), though many governments today are taking steps towards implementing security technologies and policies as well as business authentication services, there is still the need to move beyond implementing merely ‘adequate’ protection mechanisms to deploying the more robust standards of safeguarding against transaction fraud, ID theft, duplication and/or spoofing. Strong credentials based on PKI could form a strong framework in addressing these concerns. By employing the right mix of authentication, encryption and digital signatures, governments can significantly reduce the risk of forgery, theft or abuse of identification credentials. PKI is based on Public Key Cryptography (asymmetric key cryptography). The use of asymmetric ciphers (public and private keys) to encrypt and decrypt information is based on the understanding that when prime numbers are multiplied together, there is no easy way to reduce the number back to its prime numbers. And, the larger the number, the more difficult it is to reduce it (Anoop, 2007). Consider two devices A and B. Let PA and UA(PA, C) be the private key and public key of device A, and PB and UB(PB, C) be the private key and public key of device B, respectively. Both device exchanges their public keys. Device A, having got the public key of B, uses its private key to calculate shared secret KA = Generate_Key(PA, UB(PB, C)) Device B, having got the public key of A, uses its private key to calculate the shared secret KB = Generate_Key(PB, UA(PA, C)) (Figure 1). The key generation algorithm ‘Generate_Key’ will be such that the generated keys at the device A and B will be the same, that is shared secret KA = KB = K(PA, PB, C). Since it is practically impossible to obtain private key from the public key any middleman, having access only to the public keys UA(PA, C) and UB(PB, C), will never be able to obtain the shared secret K. Examples of key agreement algorithms are DH, RSA and ECDH. During the key exchange process, the public keys may pass through different intermediate processes. Any middleman cannot thus tamper or change the public key to its private key. Therefore, for establishing shared secret it is important that device A receives the correct public key from device B and vice versa. Digital Certificate helps to deliver the public key in authenticated method.
136
A.W. Akotam et al.
Figure 1
3
Public key cryptography encryption schema (see online version for colours)
E-governance
The term governance means the process by which decisions are made and implemented. E-governance or electronic governance may be defined as the delivery of government services and information to the public using electronic means, including the dissemination of information to the public and other agencies. There are three aspects to e-governance: •
automating the routine government functions
•
web-enabling the government functions so that the citizens will have a direct access
•
improving the government processes so that openness, accountability, effectiveness and efficiency may be achieved.
In general, it may be defined as “giving citizens the choice of when and where to access government information and services”. E-governance promotes efficiency, reduces time delays, enforces accountability and brings transparency in the working of the government systems. As a result, it has become an integral part of democracy. All important government policies, acts, rules, regulations, notifications that are useful to general public, including land records, examination results, crime records, vehicle registration, birth and death registration, training and education, employment information, policies and legislation, telephone directory, etc. are made available on the internet and can be accessed by the public free of cost. It is beneficial to the citizens as they can enjoy faster, effective and timely government services and also to the government as it can become more integrated into the community and can focus its resources where they are needed most. E-governance that involves technology, policies, infrastructure, training and funds is becoming popular around the world including India and European countries. E-Governance is not just about government websites and e-mails. It is not just about service delivery over the internet. It is not just about digital access to government information or electronic payments. It is a tool for changing how citizens relate to governments as much as it changes how citizens relate to each other. It brings forth, new concepts of citizenship, both in terms of needs and responsibilities (Fang, 2002; Preeti, 2009; www.broadllyne.com/Whitepaper%20on%20e-Governance.pdf; Keskinen and Kuosa, 2006).
E-governance public key infrastructure (PKI) model
4
137
Public key infrastructure
PKI is a set of standards, procedures, software and people for implementing authentication using public key cryptography. PKI is used to request, install, configure, manage and revoke digital certificates. PKI offers authentication via digital certificates, and these digital certificates are signed and provided by certificate authorities. PKI uses public key cryptography and works with x.509 standard certificates. The infrastructure issues, maintains, manages and revokes certificates. Its major components are the Registration Authority (RA), Certificate Authority (CA), Certificate Directory and Archives (Figure 2). Registration Authority processes user requests, confirm their identities and induct them into the user database. Certification Authority issue digital certificates to entities and attests that the public key embedded in it indeed belongs to the particular entity as stated in the certificate. The Certification Authority also has the right to revoke a certificates if need be. Certificate Directory manages and stores the user’s registration information and certificates for future references. All revoked certificates are stored in the archive (Kleinsteiber, 2002; http://www.internetcomputer-security.com/VPN-Guide/PKI.html). Figure 2
Summarised structure of PKI
Source: Adapted from Kleinsteiber (2002)
5
PKI and e-governance
Accurate implementation of PKI can enable government agencies to provide secure services to entities (corporate organisations and individuals). With PKI both parties can exchange electronic data securely; encrypting and decrypting data at each end. Figure 3 is an illustration of secure service provision by the government to citizens. Figure 3
Accessing electronic service/resource through PKI
138
6
A.W. Akotam et al.
Suggested PKI architecture
The model assumes functions of the central government are divided into ministries (M1, M2, M3, …, Mn). Every government ministry Mn, has a CA known as Mn_CA. Corporate organisations are classified as C1, C2, C3, …, Cn according to their services and placed under each ministry. There is a CA, labelled Cn_CA, under each ministry responsible for issuing digital certificates for each corporate organisation. The model of the e-governance Certification Authority for PKI implementation is therefore, a three-tier hierarchy. There is a root CA, known as e-government CA. This is a special government organ set apart for controlling and managing the lifecycle of digital certificates. It also ensures that, all regulations relating to certificate usage are followed. It issues certificates to its immediate users and signs the certificates of the CAs at the next level; that is the ministries’ CAs (Mn_CA). These CAs issue certificates to all subscribers classified directly under them. They also sign the certificates of the corporate CAs (Cn_CA). The corporate CA issues and manages certificates to organisations, enterprises and businesses under the various ministries. Figure 4 shows the architecture of the suggested model of the e-government CA. Figure 4
E-governance PKI architecture
6.1 Structural and security implications This architecture has a great advantage of high flexibility and scalability; the CA of any newly created ministry, Mi_CA and (or) corporate organisation (Ci_CA) can easily be added, deleted or otherwise dealt with uniquely without affecting any of the existing ones in any way. Let Ci_CA be omitted and Ck_CA be present. Security flaws may affect only institutions controlled by the Ci_CA. Organisations under Ci_CA are able to access the public keys (certified by this e-governance PKI architecture) of organisations under Ck_CA (through the public key directory) and may send them securely encrypted information. Organisations under Ci_CA on the other hand, are not able to receive securely encrypted information entrusted by this e-governance PKI architecture.
E-governance public key infrastructure (PKI) model
7
139
Function and design
The e-government PKI design functionally consists of the Registration Authority, Certification Authority and Certificate Directory. The mutual interaction and function of these components manages the public key use of the citizens.
7.1 Registration Authority The major components of the Registration Authority (RA) includes a web server GNU/Linux/Apache/MySql/Php/OpenSSL with a client information database, client service web application and a web application for working with the Certification Authority (CA). The client service web application allows users/clients to register and generate a pair of keys online (if requesting for a new certificate) or generate other types of requests such as certificate revocation request. Registration Authority (RA) by virtue of the applicant’s credentials may submit the client’s request to the Certification Authority (CA) Server by means of an XMLRPC call. In essence, the functions of the RA include digital certificate enrolment, renewal and revocation.
7.2 Certification Authority The Certification Authority (CA) is configured to perform a number of functions in relation to the Registration Authority and Certificate Directory (CD). It consists of a web server GNU/Linux/Apache/MySql/Php/OpenSSL, and web applications for interacting with both the RA and the CD. The CA server runs scripts which describe methods that may be invoked/called by the RA server for a given type of request. In essence, the CA receives requests from the RA and may issue new certificate, renew an expired certificate, revoke an existing certificate, publishes certificates in the certificate directory, maintains a lists of revoked certificates and so on.
7.3 Certification Directory This component of the e-government PKI provides users with public directory of certificates as well as Certificate Revocation List (CRL). It runs on a web server GNU/Linux/Apache/MySql/Php/OpenSSL and a web application for serving clients. Using the web application clients are able to access and make appropriate searches for resources. This component of the e-governance PKI also manages and stores users’ registration information and certificates for reference purposes.
7.4 Interaction and functioning of e-governance PKI components The success of this model of the e-governance PKI system depends entirely upon the efficiency, coordination and performance of the three PKI system components described above. The schema of mutual interaction and performance of the e-governance PKI components is captured in Figure 5. The use of XMLRPC adds an advantage of client independence. This makes it flexible for different kinds of clients; be it desktop applications or mobile applications to
140
A.W. Akotam et al.
interact with the CA. Again, during implementation, it is recommended that, such a system be placed behind strong firewalls for security purposes. Using XMLRPC makes the system more efficient as all XMLRPC data easily passes through firewalls when compared with other methods of remote procedure calls like COM and DCOM (Figure 6). Figure 5
Mutual interaction between PKI components (see online version for colours)
Figure 6
Interaction between RA and CA using XMLRPC (see online version for colours)
7.5 XmlRPC technology The XMLRPC is applied to enhance communication between the Registration Authority and the Certification Authority. The RA makes a secure connections to the CA server using HTTPS and makes a remote procedure call (RPC), specifying a given request to
E-governance public key infrastructure (PKI) model
141
the Certification Authority as illustrated in Listing 1. The RA application, being the RPC client specifies the name of a particular procedure/method on the Certificate Authority server (the RPC server). The procedures to be found on the RPC server include the procedure for revocation, issuing new certificates and so on. The RPC server may respond with success or failure in an xml format as illustrated in Listing 2. Listing 1 RA request for new certificate
Listing 2 CA response
8
Conclusion
The convenience of using the internet as a medium to enhance the lives of citizens economically, socially, politically, academically amongst others have seen many governments across the globe opting for the implementation of e-governance. As the provision of services online to citizens is characterised by many security risks, PKI model has been suggested in this paper. The model is meant to be implemented for the security of an e-governance system.
Acknowledgements The authors of this paper extend their utmost appreciation to Professor I.A. Adetunde, Dean of Faculty of Engineering, University of Mines And Technology, Tarkwa whose guidance, counsel and experienced suggestions have brought this paper to a completion.
142
A.W. Akotam et al.
We also acknowledge Professor V.A. Temeng, Head of Department, Computer Science and Engineering for his support towards the writing of this paper.
References Anoop, M.S. (2007) Public Key Cryptography: Applications Algorithms and Mathematical Explanations, Tata Elxsi Ltd, India. Ebrahim, Z. and Irani, Z. (2005) E-Government Adoption: Architecture and Barriers, Department of Information Systems and Computing, Information Systems Evaluation and Integration Network Group, Brunel University, Uxbridge, Middlesex, UK. Fang, Z. (2002) E-Government in Digital Era: Concept, Practice, and Development, PhD School of Public Administration, National Institute of Development Administration (NIDA), Thailand. Jha ‘Bidyarthi’, H.M. and Srivastava, A.K. (2009) ‘Citizen’s perspectives of e-governance’, in Amitabh, O. (Ed.): E-Governance in Practice, GIFT Publishing, pp.69–76. Kendra, J.S. (2008) ‘E-government in state’, State Level Workshop on e-Governance (Electronic Delivery of Services, 17 April, 2008, Thursday at Hotel Taj Residency, Lucknow. Keskinen, A. and Kuosa, T. (2006) ‘Foundations for citizen oriented egovernance models’, in Anttiroiko, A. and Mälkiä, M. (Eds.): Encyclopedia of Digital Government, Idea Group, USA, Available at http://www.edemokratia.uta.fi/haefile.php?f=224 Kleinsteiber, J. (2002) PKI Tutorial [online], available at http://cs.gmu.edu/~hfoxwell/EC511/ pki.pdf Kolachalam S. (2003) ‘An overview of e-government’, International Symposium on learning Management and Technology Development in the Information and Internet Age. Available Online at www.ea2000.com Lam, W. (2005) ‘Barriers to e-government integration’, Journal of Enterprise Information Management, Vol. 18, No. 5, pp.511–530. Nishat, M. and Zillur Rahman, F. (2008) ‘E-government in India: modelling the barriers to its adoption and diffusion’, Electronic Government, an International Journal (EG), Vol. 5, No. 2. Paul, B-D. (2007) ‘Models for e-government’, Transforming Government: People, Process and Policy, Vol. 1, No. 1, pp.7–28. Preeti, M. (2009) ‘E-governance initiatives in India with special reference to Punjab’, Asia-Pacific Journal of Social Sciences, Vol. 1, January–June, pp.142–155, ISSN 0975-5942. Verisign White Paper (2009) National PKI: The Foundation of Trust in Government Programs. Williams, M.D. (2008) ‘E-government adoption in Europe at regional level’, Transforming Government: People, Process and Policy, Vol. 2, No. 1, pp.47–59.
Websites e-Governance Solutions and its importance [online], Available at www.broadllyne.com/ Whitepaper%20on%20e-Governance.pdf Public Key Infrastructure – How PKI works, Available at: http://www.internet-computersecurity.com/VPN-Guide/PKI.html