Secure PKI-enabled e-government infrastructures ...

Digitally signed by Thawte Freemail Member DN: cn=Thawte Freemail Member, email=dkef@cn. ntua.gr Reason: I am the author of this document Location: Athens, Greece Date: 2006.08.27 17:59:55 +03'00'

420

Electronic Government, Vol. 3, No. 4, 2006

Secure PKI-enabled e-government infrastructures implementation: the SYZEFXIS-PKI case Dionysis Kefallinos* School of Electrical Engineering and Computer Science, National Technical University of Athens, 9 Iroon Polytechniou Street, Zografou 15773, Athens, Greece E-mail: [email protected] *Corresponding author

Maria A. Lambrou Department of Shipping Trade and Transport, University of the Aegean Business School, 2A Korai Street, Chios 82100, Greece E-mail: [email protected]

Efstathios D. Sykas School of Electrical Engineering and Computer Science, National Technical University of Athens, 9 Iroon Polytechniou Street, Zografou 15773, Athens, Greece E-mail: [email protected] Abstract: In this paper, we address the key issues of trust, identity management and privacy, within the context of a modern, secure, Public Key Infrastructure- (PKI-) based e-government model. Firstly, we review the basic concepts, standards, methodological tools, critical success factors and international experience for designing and implementing PKI-based secure electronic services. We build on this by presenting a case study of a contextualised technology and process solution, namely the SYZEFXIS-PKI case, a nation-wide ongoing initiative aimed to provide a modern ICT infrastructure for the Greek Public Administration (GPA). Our goal is to communicate lessons learnt from the development, implementation and delivery of a national PKI-based environment, its repercussions and the critical success factors for its widespread use and effectiveness, as a major step towards the realisation of a secure e-governance model in Greece. Finally, we discuss the new modern vision of trust, identity management and privacy in the context of electronic governance and we postulate on future developments. Keywords: e-government; Public Key Infrastructure (PKI); security; privacy; trust; identity management. Reference to this paper should be made as follows: Kefallinos, D., Lambrou, M.A. and Sykas E.D. (2006) ‘Secure PKI-enabled e-government infrastructures implementation: the SYZEFXIS-PKI case’, Electronic Government, Vol. 3, No. 4, pp.420–438. Copyright © 2006 Inderscience Enterprises Ltd.

Secure PKI-enabled e-government infrastructures implementation

421

Biographical notes: Dionysis Kefallinos is a Network Engineer for the General Secretariat of Information Systems of Greece. He received a Dipl.-Ing. in Electrical and Computer Engineering from the Department of Electrical and Computer Engineering, National Technical University of Athens, and he is a Doctoral candidate in the same university. He is a Member of the SYZEFXIS-PKI Technical Consultant Work Group. Maria A. Lambrou is a Lecturer in E-business in the Department of Shipping Trade and Transport at the University of Aegean. She received a Dipl.-Ing. and an MA in Industrial Relations from Brunel University, London and a PhD from the Department of Electrical and Computer Engineering, National Technical University of Athens. She is the Project Manager of SYZEFXIS Technical Consultant Consortium. Efstathios D. Sykas is a Professor in Communications Engineering at the School of Electrical and Computer Engineering, National Technical University of Athens. He received a Dipl.-Ing. and Dr.-Ing. in Electrical Engineering, both from National Technical University of Athens. He is the Principal Consultant of the SYZEFXIS Technical Consultant Consortium for network and security services.

1

Introduction

Identity and trust management consists integral parts of successful e-government initiatives. In this paper, we present an introduction to the important concepts, standards, practices, methodological tools, critical success factors and international experiences for designing and implementing a Public Key Infrastructure- (PKI-) enabled secure e-government infrastructure. Furthermore, we analyse a national, electronic government PKI-based solution and the managerial approach for its effective implementation, operation and use, in order to communicate important lessons learnt on a case-based approach.

2

Public key infrastructure

A PKI should be considered more as a set of standards, an environment and a set of policies, rather than an actual network service. However, typically it also incorporates specific protocols and services. All of these together support the applications of public key cryptography to mainstream organisational functions. Furthermore, PKI is not useful in and of itself, but is instead an enabler of trust that provides strong user identification, cryptographic services and evidence for non-repudiation among entities that may or may not have had prior knowledge of each other (Gritzalis et al., 2000; Lambrinoudakis et al., 2003). To enable trust, a PKI typically embodies a collection of one or more Certificate Authorities (CAs), usually arranged in a hierarchy and acting as the so-called trusted third parties, Registration Authorities (RAs), associated repositories and governing policies that are used to manage the relationship between an organisation and its users. PKI extensively uses the technology of asymmetric public–private key encryption and digital signatures, to reach the following important security goals:

422

D. Kefallinos, M.A. Lambrou and E.D. Sykas

•

Authentication: the process of validating the identity of an individual, group or software entity. A PKI can provide assurance beyond simple user name and password authentication by requiring that a user possess a valid digital certificate and a corresponding private key, in many cases contained within a secure container (i.e. smart card or token), in order to provide a higher degree of assurance. In this case, the user or entity must not only possess something, a digital private key or a smart card containing it, they must also know a pass phrase associated with it.

•

Confidentiality: the concept of protecting the privacy of information so that only authorised parties intended may access it. A PKI enables confidentiality through a combination of public key and private key asymmetric encryption. Encrypting in such a manner not only provides protection for the data, but also allows for secure exchange among entities with no prior relationship, as data encrypted with a given entity’s public key can only be decrypted by the corresponding private key.

•

Integrity: the assurance that data has not been altered or tampered with. A PKI can provide integrity assurance through the use of digital signatures, a mechanism for the detection of tampering. If the verification of a digital signature fails, the verifier knows that the data has been altered and that it cannot be trusted.

•

Time stamping: the marking of transactions with time stamps of assured integrity. This is a combination of a time stamp generating service and the digital signature mechanism, in order to provide time stamps of assured integrity.

•

Non-repudiation: the provision of proof-of-participation in an action or transaction. A PKI can provide technical non-repudiation using a combination of time stamping and digital signatures. An entity performing a transaction typically time stamps and signs it with its private key and this digital signature can provide a stronger chain of evidence establishing the parties involved in an action and when that action occurred.

The presence of a ‘valid’ digital signature does not guarantee that the legitimate owner of a private key was an actual and willing participant in a transaction. Compromise of an entity’s private key, compromise of the CA, malfunctioning software or computer virus infection can also lead to a valid digital signature without the actual authorisation or knowledge of the private key’s owner. Secure containers, such as smart cards for the private keys can mitigate the dangers of private key disclosure. Typical applications of PKI systems include: •

Remote access: using PKI-enabled authentication mechanisms for remote use of organisational services by users.

•

Virtual Private Networks (VPNs): using PKI-enabled authentication and encryption mechanisms, for the establishment of secure communication within and between networks.

•

Secure browsing and transactions within websites: using PKI-enabled site authentication and encryption to assure the identity of a website to its users and encryption to protect transactions and personal data exchange between the site and its users.

Secure PKI-enabled e-government infrastructures implementation •

Secure electronic messaging: using digital signatures for sender verification and integrity assurance and key pairs for confidentiality.

•

Document integrity and version tracking: through the use of digital signatures, for integrity assurance, revision tracing and logging.

•

Software signing: through the use of digital signatures, for integrity assurance of distributed software and installation control.

•

Transaction time stamping: to provide an official time record and proof that a transaction occurred at a specific date and time.

•

Transaction non-repudiation: through the use of digital signatures, to provide technical proof-of-participation of an entity in a transaction.

423

The main components of a PKI include: •

Keys: sequences of symbols used with a cryptographic algorithm that enable encryption and decryption of data.

•

Public key or asymmetric algorithms (as opposed to secret key, or symmetric algorithms): that make use of two corresponding keys (as opposed to one); the first is called the public key and the second the private key. A message encrypted with one of the keys can only be decrypted using the other corresponding key.

•

Digital certificates: commonly described as digital passports or IDs due to their role in identification. Digital certificates are data structures that contain some digital representation of an entity and information, which can be used to verify the identity of their owner by any third party that trusts their issuer. Certificates are trusted because of a digital signature placed on them by the issuer, which assures their validity and integrity, much like passports are trusted due to the stamps, seals and signatures that the issuing authority has placed on them. Other information included in a certificate may be a list of allowed uses, the certification path and an expiration date.

•

Certificate authorities: responsible, trusted third parties that issue, revoke and manage digital certificates. A CA may directly validate the physical identity of a public key’s owner prior to issuing a certificate, or it may delegate this responsibility to trusted RAs. For large PKI deployments, an RA can further delegate some of its responsibilities to trusted Commissioned Offices (COs). CAs can form hierarchies, where a ‘subordinate’ CA has been ‘certified’ and is trusted by the parent CA to issue certificates.

•

Third party trust: the trust relationship between two entities that possess certificates issued either by the same CA, or by CAs that are in turn trusted by the entities.

•

Repository: a certificate and entity information storage database, with lookup and retrieval services. Commonly built upon industry standard Lightweight Directory Access Protocol services (Boeyen et al., 1999a) for large-scale deployments, or embedded as simple address books in various end-user applications, such as internet explorer or netscape communicator browsers.

A brief schematic representation of a PKI-based secure e-government architecture can be seen in Figure 1.

424


Figure 1

Sample PKI-based secure e-government architecture with relevant services

In this we can see that a PKI service comprises of many different modules and agents, some of which we described above, which include technical online services, as well as staffed organisations responsible for the operations. Also depicted is the type of association of the services with the end-user.

3

PKI standards legacy and future

PKI has enjoyed wide attention from international, national and commercial organisations. These have published a wide range of standards, both technical and regulatory, which may be categorised as syntactic, semantic, contextual and environmental (Palmer and Buck, 2003). The core of PKI syntactic standards is ITU-T X.509 (also published as ISO/IEC 9594-8), which defines certificate format, issue and use, as well as Certificate Revocation Lists (CRL). Other standards have emerged from IEEE’s P1363 Work Group (http://www.ieee.org/groups/1363/), which cover traditional public key cryptography (1363-2000 and 1363a-2004), digital signatures and key establishment; Lattice-based Public-Key Cryptography (P1363.1), which includes encryption (NTRUEncrypt) and digital signature (NTRUSign) schemes; and password-based public key cryptography (P1363.2), which includes Password-Authenticated Key Exchange (EKE, PAK and PPK, SPEKE), Augmented PAKE (AMP, Augmented-EKE, B-SPEKE, PAK-Z and SRP-3) and password-authenticated key retrieval (Ford and Kaliski, 2000). IETF’s PKIX Work Group (http://www.ietf.org/ietf-pkix/) also represents a major effort in PKI standards development and has produced several informational and standards track documents. The first of these, RFC 3280 (Housley et al., 2002), profiles


425

X.509 v3 certificates and X.509 v2 CRLs for use in the internet. Other important standards that should be mentioned are: •

LDAPv2 (Boeyen et al., 1999a) and LDAPv2 Schema (Boeyen et al., 1999b) to support certificate directory schema, use and queries

•

Qualified Certificates Profile (Santesson et al., 2004), to define identity certificates issued to natural persons

•

Certificate Management Protocol (Adams et al., 2005), to define a simple protocol for transporting PKI messages

•

Online Certificate Status Protocol (Myers et al., 1999), for certificate validation

•

Certificate Request Message Format (Schaad, 2005) and

•

Time-Stamp Protocol (Adams et al., 2001), for PKI-based time stamping.

On the other hand, ISO in cooperation with ITU-T has produced standards for the utilisation of PKI for specific purposes such as use of digital signatures to ensure non-repudiation and timestamping of documents. Commercial organisations have also developed algorithms and protocols for their own use, which in many cases have become de facto standards, such as RSA’s Public Key Cryptography Standards (PKCS) (Kaliski and Staddon, 1998) and Netscape’s Secure Socket Layer (SSL); the latter was subsequently adopted and updated by IETF to become Transport Layer Security (Dierks and Allen, 1999). Semantic standards work towards establishing the meaning of concepts and include American Bar Association’s Digital Signature Guidelines (ABA, 1996); (http://www.abanet.org/) and IETF’s RFC 3647 ‘Certificate Policy (CP) and Certification Practices Framework’ (Chokhani et al., 2003). Contextual standards target specific user groups and include ISO 15782 Parts 1 and 2, and ISO 14516, which attempt to address certificate use and management within the banking community and third party services use and management, respectively. ANSI’s X9.79-2001 ‘Financial Services Public Key Infrastructure (PKI) Policy and Practices Framework’ (ANSI, 2001) is intended for use by CAs and outlines control objectives for managing PKI operations. Environmental standards address technology interoperability, regulation and governance issues and include US NIST PKI Program certificate, digital signatures, records management and authentication policy directives (NIST, 2004) and EU’s 1999/93/EC directive ‘On a Community Framework for Electronic Signatures’. To support the latter, EU has launched the European Electronic Signature Standardisation Initiative (EESSI; http://www.ictsb.org/EESSI_home.htm), a joint effort of the European standards organisations ETSI (SEC ESI WG) (http://www.etsi.org/) and CEN (WS/ESign). The result is a large volume of standardisation effort, of which main standards are TS 101 862 ‘Qualified Certificates Profile’ and CWA 14172-2 ‘CA services and processes’. Because of this great proliferation of published standards, advisories, practices and protocols, many parties have advocated the need for consolidation of these discrete efforts in a new set of universal ISO standards (Palmer and Buck, 2003). However, without the promotion and adoption of such standards by governments, international bodies and large multinational corporations this goal will not be easily achievable and currently eludes us.

426

4


Critical success factors for e-government PKI infrastructure design and deployment

Relevant studies on e-government projects implementation commonly stress the need to invest in proactive planning, collaborative management models, inclusion of ICT and business stakeholders and the value of iterative design processes (Curthoys and Crabtree, 2003; Gil-Garcia and Pardo, 2005; Löfstedt, 2005). Against this background, the impact that a clear and well-communicated business case can have in the ongoing design, development, implementation and review of an e-government security initiative is also stressed. Specifically, a number of important issues for successful design, deployment and use of an e-government PKI infrastructure are highlighted as stemming from literature review and observations from our field experience (Martin, 2005): •

Due to the technical and procedural complexity that security technologies (and in particular a PKI solution) impose, as well as the novelty that these technologies and respective work practices present, not only at the end-user level but also at the designer/implementer level, it is imperative to ensure strong technical and managerial skills for the key members of the project. Also, it is well advised to anticipate possible shortages of qualified technical staff and an incremental approach can help in dealing with this problem.

•

The iterative process of analysis, design and decision making is central in an effort to build a good understanding of problems, solutions, alternatives, costs and risks. In particular, investment analysis and a dedicated business case study can provide invaluable guidance for the success of the project. Contextualising PKI technology and its process solutions is critical for success.

•

The need for early dialogue with all classes of users, in order to address their concerns regarding the system and assess practical difficulties, must be stressed, as well as the importance of planning, effort, coordination and an appropriate culture establishment. End-user, but also ICT, security actors and public management officer participation is a major prerequisite, since both the scale of a national PKI project and the diversity of the users and organisations involved consist major challenges.

•

PKI services’ ease of use as well as proof of usefulness are also of primary importance and quite often taken for granted. Extended and persistent efforts for raising user awareness, training, involvement and solution acceptance is mandatory. End-users’ attitudes and perception of the system’s ease of use and reliability must be reviewed to ensure successful implementation and use/operation of the infrastructure. Likewise, user (in particular public servant) privacy and confidential concerns, as well as a sense of autonomy and required responsibility-accountability are challenges that must be adequately addressed in an e-government PKI initiative.

•

A major setback can be a commonly witnessed lack of alignment between the affected organisational units’ goals and the PKI project implementation needs. Also, individual interests and associated behaviour can lead to resistance to change and internal conflicts.

•

Lack of a concise and thorough risk assessment phase and resultant controls may undermine the trustworthiness of a PKI infrastructure. The same holds for lack of a formal validation of CA practices and of an accreditation of the service’s Certificate Practice Statement (CPS).

Secure PKI-enabled e-government infrastructures implementation •

427

There are additional challenges related to a more general institutional framework and policy environment in which governmental organisations pursuing e-security efforts operate. In this context, institutions have not only laws and regulations, but also norms, actions or behaviour that people accept as good or take for granted. Unclear or contradictory laws and regulations, balances among the executive, legislative and judicial branches or negative norms and behaviour can constrain efforts to use PKI technology. Finally, external pressures such as policy agendas and politics may affect the results of security initiatives.

The above issues highlight the range of highly complex and diverse challenges public managers and security researchers and professionals must face as they work in the e-government security arena. Success is not only about selecting the right technology, but also about managing organisational capabilities, regulatory constraints and environmental pressures. For e-government managers and professionals to be successful in their initiatives they must be aware of these challenges and use appropriate strategies to overcome them. Against this background, research results and best practices knowledge mandate to think beyond technology or products, on to systems and processes in context (Martin, 2005).

5

A case study of an e-government security framework: the ‘SYZEFXIS-PKI’ case

5.1 Project objectives and application identification The SYZEFXIS project is typically a large-area and large-scale communication and information services infrastructure project, covering all of the Greek national area, with over 1800 points-of-presence. This ambitious project will initially serve four of the Greek national ministries, which constitute the bulk of the Greek Public Administration (GPA): all sectors of the Ministry of Internal Affairs (main offices, general secretariats, peripheries, local prefectures and citizen service centres), all sectors of the Ministry of Health (peripheral health administration, hospitals and local health centres), many sectors of the Ministry of National Economy and Economics and lastly, the Greek Army drafting service of the Ministry of National Defense. Each of these four initial participants will be served by its own MPLS-based VPN. The main target of SYZEYFXIS is the improvement of the operations of the GPA. This will be accomplished via the updating of the communication services and the offering of advanced information technology and security services. It is in total the main thrust for the formulation of the appropriate infrastructures and services that will facilitate electronic governance in Greece. In this context, the need for security of the information and the transactions that will be expedited and completed within the network is of utmost importance and will be served in the most appropriate way via a PKI service, similar in nature to the national PKIs of other European countries. SYZEFXIS is subdivided into nine smaller projects, of which seven are concerned with the organisation and construction of the telecommunications network, one is about the training of its users and the ninth and final one is about the PKI service. The government chose to not implement the service on its own, but instead to outsource it to a private party, who will provide the infrastructure, technical implementation and support

428


of the CAs and RAs that will issue the digital certificates for the sectors of the GPA and its users. The service will be administered and operated by personnel of the public sectors, which will be appointed by the corresponding organisations and trained for CA operations by the provider. The use of the certificates will be supported by smart cards and smart card readers, which will be distributed to the users. Within SYZEFXIS, the CA will be the trusted party that will assure the above goals and will provide the secure and trusted environment that is required for the realisation of the new electronic governance framework. The cryptographic services provided by the CA, using the technologies of asymmetric cryptography and hashing algorithms and of digital signatures, guarantee the observance of the above principles in a variety of electronic applications, such as: •

secured and/or certified information exchange via electronic mail

•

secure and certified exchange of documents

•

secure and certified access to websites of the GPA, public or private

•

secure and certified access for services of the GPA to citizens

•

secured communication and transaction networks (extranets) between different sectors of the GPA and between the GPA and other organisations (businesses, private parties, etc.).

Conclusively, SYZEFXIS-PKI is aimed, via the enforcement and use of PKI-related practices, to change and advance the way that information is handled, transactions are executed, applications are managed and people and organisations are identified, towards a more secure and modern e-government model.

5.1.1 Design and implementation methodology outline The methodological approach for the development of the SYZEFXIS-PKI service includes seven phases that take action in all main levels of the affected organisations. These can be summarised in Figure 2. Figure 2

Project methodology outline


429

This approach is consistent with international design standards, ensures that the PKI service will fit in to the organisational and operational structure of the public sectors and maximises the possibility of its acceptance and adoption. Of them, the detailed design phase is probably the most important of the project; its flow chart can be outlined in Figure 3 and is further elaborated in this and the following sections. Figure 3

SYZEFXIS-PKI detailed design phase flow chart

As shown above, the detailed design phase is structured into three distinct subphases, each with several steps. The end results are the three main project documents, the Project Main Study Guide, the CPS and the Service Level Agreement (SLA).

5.1.2 European, international and local experience assessment Throughout the world, many national governments and international and local organisations have implemented PKI services, directed towards either the general public or closed groups of users. The main goals are to provide secure electronic transactions, to simplify and accelerate bureaucratic procedures and to advance public as well as private administration into the electronic age. During the planning stage of SYZEFXIS-PKI, we scrutinised the implementation and the experiences of quite a few countries, as well as international and local organisations,

430


in order to provide a valuable insight into the design goals and the problems that may ensue for the implementation and acceptance of a PKI structure and practices into a large body of organisations and individuals. More specifically we considered, the national initiatives, requirements and implementations the PK Infrastructures of Belgium (.beID, 2001), Canada (GoC PKI, 2001), Finland (FINEID, 2000) and the Netherlands (PKIoverheid, 2002). Also considered were the PKI of the EU IDA(BC) program (IDA(BC) PKI, 1999) and of Greek efforts, the Greek Stock Exchange’s HERMES (a B2B system), Athens Chamber of Commerce and Industry’s EDIRA registry and Research Academic Computer Technology Institute’s PKI implementation for the Greek Ministry of Education. The main observations that we surmised from the above and were considered as useful basic attention points for the SYZEFXIS-PKI project are: •

most of the European and Western Countries are moving towards a PKI-based secure e-government model, for private parties as well as citizens

•

widespread introduction and use of certificate services and electronic signatures was generally initiated by the public sector

•

the technological possibilities offered by PKI services have urged public administration to reconsider and redefine the relationships of state, corporations and citizens, putting in focus electronic governance

•

the primary importance in applications of PKI services was attributed to transaction security

•

the implementation of a monolithic and universal trust level has proven too ambitious a goal due to the high cost of PKI services

•

in many cases the procedures, uses and effects of the PKI services were not clearly envisioned or defined prior to the implementation of the services. As in other technological advances, implementation of the technology usually predated administrative, procedural and sociological adjustments

•

during the transition to a PKI-enabled environment, a higher operational level of trust and technological awareness was asked of the participants. In many cases this has led to a raise of the cost of operations and the demand for more time to adjust to new notions

•

there have been cases of failure to adopt the new environment, either in breadth of space or in depth of time.

5.2 Project analysis and implementation 5.2.1 Logical structure design The PKI of SYZEFXIS adopts a dual pronged private–public hierarchical structure. All internal to SYZEFXIS certificates are issued by the private hierarchy (described below), while all SSL server certificates, which will be accessible over the internet, are issued by the Secure Server Certification Authority of VeriSign, Inc. The latter is so that any client browser which connects over the internet will implicitly trust the SSL server certificates, without the need to publish the issuing CA certificate and explicitly trust it. As a result, for the issuing of SSL server certificates SYZEFXIS-PKI includes only one RA.


431

For the private hierarchy, the SYZEFXIS-PKI specifies one Root CA and four subordinate CAs. The Root CA will be the responsibility of the Ministry of Internal Affairs, while each of the subordinate CAs corresponds to and will be the responsibility of one of the four main participants-ministries. Apart from the CAs, SYZEFXIS-PKI specifies a number of RAs, in order to serve the large number of certificate registration requests of the various sectors and parts of each of the four main ministries. Within each ministry, the RAs are distributed among the major geographical areas of Greece. The Ministry of Internal Affairs has four RAs, the Ministry of National Economy and Economics two, the Ministry of Health two and the Ministry of National Defence two. The distribution of RAs among the Ministries and within each one was decided taking into account mainly the number of clients within each organisation and their geographical distribution. The final and lowest level in the PKI hierarchy is the COs. A CO expedites any transactions of the PKI service with the physical world, such as collection of forms, distribution of smart cards, verification of physical identity, etc. The COs will be the Citizen Service Centres, an existing generic Greek Government service point for citizens. The hierarchical architecture of a PKI service is by its nature highly scalable. Nevertheless, SYZEFXIS-PKI, being a national scope project, was explicitly designed and outfitted to scale to a large size and to be expandable to incorporate additional CAs, RAs and COs of public sectors which may join the structure in the future. Furthermore, a connection with other European PKI systems (such as IDA) is possible (and has been provisioned for) via bridging (Figure 4). Figure 4

Logical structure of SYZEFXIS-PKI

5.2.2 Standards compliance planning From its conception, SYZEFXIS-PKI was specified to meet the requirements of the most important international standards for PKI systems, paying particular attention to the ones instituted by the European Union and in particular for: •

Certificates profile: − RFC 3739 (Santesson et al., 2004) − ETSI TS 101 862: Qualified Certificate Profile.

432


•

Certification services: − RFC 3647 (Chokhani et al., 2003) − ETSI TS 101 456: Policy Requirement for certification authorities issuing qualified certificates − ANSI X9.79-2001 Financial Services Public Key Infrastructure (PKI) Policy and Practices Framework (ANSI, 2001) − AICPA/CICA WebTrust Program for Certification Authorities (AICPA, 2003).

•

Certification authority provider and site: − Common Criteria for Information Technology Security Evaluation, EAL4 − ISO/IEC 17799:2005 and 27001:2005 − AICPA/CICA SAS70 Type II (AICPA, 2000).

•

Cryptographic equipment: − Information Technology Security Evaluation Criteria (ITSEC) – E3 − Common Criteria for Information Technology Security Evaluation, EAL4 − FIPS PUB 140-1 (NIST, 2002), Level 3.

•

Smart cards: − ITSEC (http://www.cesg.gov.uk/) – E3 −

Common Criteria for Information Technology Security Evaluation, EAL4+ (http://www.commoncriteriaportal.org/)

−

ISO/IEC 7816-1–3, ISO/IEC 10373-3, PKCS#11 v2.20 (RSA Laboratories, 2004).

Standards compliance is necessary in order to ensure the accreditation of the PKI service by the Hellenic Telecommunications and Post Commission (HTPC), which is the regulatory and accreditation body for communications security in Greece, as well as for conformance to the national legal background, as it is outlined below. However, it is mainly important in order to assure and raise the trust level of the service to its end-users.

5.2.3 Legal background compliance planning The legal framework for SYZEFXIS-PKI is based on EU directive 1999/93/EC, ‘On a Community framework for electronic signatures’. There are a number of specific laws and directives that have been issued by the Greek Government and HTPC in order to harmonise the Greek legal frame with that of the EU. This legal background is reflected and followed closely in the CPS of SYZEFXIS-PKI (discussed further on), in order to provide qualified certificate services and so that transactions performed with certificates issued by its CA will have legal significance.

5.2.4 Restraining factors assessment Although international state-of-the-art technologies, practices and experience, as well as a contextualisation approach have led the SYZEFXIS-PKI project management and design efforts, as was described in the previous sections, a number of risks and restraining factors that may hinder the successful completion, widespread use and


433

effectiveness of the SYZEFXIS-PKI have been identified and are closely monitored up to now; these can be summarised into the following: •

not enough information or involvement of the public sector employees who will participate in the operational phase of the project

•

difficulties, changes and delays in locating the right personnel and the assignment of their duties in the parts of the public sector entities that will administer the PKI service and operate the CAs, RAs and COs

•

obscurity or vagueness in the practical identification of the services and applications that will be served by the PKI

•

lack of alignment with actions related with the end-users that will be using the PKI service (demand side)

•

difficulties in the adoption of PKI practices and procedures by the personnel of the public sector entities, while not adequately considering the culture and the existing practices of the users that will be involved

•

underestimation of the organisational, procedural and legal issues that have to be dealt with for the implementation of the PKI.

5.2.5 Risk assessment and control The purpose of the Risk Assessment and Control (RAC) is to improve the security of the PKI service, as far as certificate use and information handling and management are concerned, by foreseeing the threats that may affect it and establish appropriate controls to thwart them. The main security standards and RAC tools adopted for SYZEFXIS-PKI are ISO/IEC 17799:2005 and 27001:2005, in conjunction with whatever information about the users of the service was available or was possible to access. Furthermore, the process followed a formal methodology, which included several steps, as is required by the standards: PKI service identification and analysis, determination of harmful conditions, control identification and assessment, threat vulnerability and categorisation and countermeasure selection and recommendation.

5.2.6 Certificate practice statement A CPS is a statement of the practices that a CA employs in managing the certificates it issues, and describes how the CP is interpreted in the context of the system architecture and operating procedures of the affected organisations. It is binding for the CA as well as the users of the service and forms the basis for the establishment trust. Although a standard format for a CPS has not yet been internationally finalised, a framework which includes a checklist of policy components has emerged. All major components of this checklist are considered and delivered in a detailed form in the SYZEFXIS-PKI CPS, based on internet X.509 PKI CP and Certification Practices Framework (Chokhani et al., 2003), VeriSign CPS v3.1 (VeriSign, 2005) and the aforementioned Greek legal framework. This CPS will be published in the website of the SYZEFXIS-PKI CA, to be available to all users of the service. More specifically, the CPS is tailored to the organisational structure, operating procedures, facilities and computing environment of the GPA sectors that will comprise the SYZEFXIS-PKI

434


authorities (CAs, RAs and COs) by the use of a formal structure for the CP and detailed CPS subdocuments that help ensure completeness and simplify the assessment of the corresponding degree of assurance by PKI users. The main elements of the SYZEFXIS-PKI CPS are: •

Community and applicability: number of CAs and RAs, standards to which their external interfaces conform, name form used in certificates, and the name-space in which the CAs intend to issue certificates.

•

Identification and authentication: the mechanisms used to authenticate the identity of all service principals and users, including security officer, security administrator, directory administrator, RA officers and a statement of the privileges and responsibilities assigned to each role.

•

Key management: describes how the key lifecycles of each of the system components (including the CAs, RAs and end-users) are managed. Additional components in the area of key management included choice of certificate signing algorithm, certificate validity periods and data signing algorithm.

•

Operational practices: describes the operating procedures for the CAs, RAs and end-entities, including the issues of registration of unique names, deregistration/revocation, key compromise, dismissal for cause, certificate update, disaster recovery, private key recovery, security controls, audit practices, record keeping, non-disclosure of personal information, policy revision and update and disaster recovery scheme.

•

Certificate and CRL profile: a profile of the certificates, the CRL and the directory schema, indicating which certificate and CRL extensions are present, whether they are marked critical or non-critical, which optional fields are included, what value ranges are allowed and what action is expected of verifiers in response to any non-standard extensions.

•

Local security practices: related to the environment in which the major components of the SYZEFXIS-PKI operates including physical controls, personnel controls and procedural and technical controls.

•

Legal provisions: explicitly identifies the statutes to which the PKI must conform, including data protection, privacy, access to information and legal wiretap legislation. Also included are CA liability, CA and RA obligations, certificate user obligations, principal obligations, acceptance of limitations and informed consent. User and third person contracts and legal issues covered by them are also detailed.

•

Financial responsibility and fees information.

After drafting, we reevaluated the CPS and judged it as sufficiently comprehensive. We determined that its major drawback is that, being a pioneering work for the GPA, it is solely of ‘consultative character’ and not legally binding for the affected entities; that is the authorities defined for the PKI implementation cannot be legally enforced to follow the state-of-the-art, detailed CPS provisions. Thus, we designed and implemented a number of ‘soft’ mechanisms and measures in order to ensure the CPS implementation. Firstly, we initiated a consultation process in order to finalise and smoothly promote the SYZEFXIS-PKI CPS, with the participation of the assigned CA and RA parties. Secondly, in the scope of the main SYZEFXIS project, a subproject dealing with Training, Awareness and Human Resources Empowerment aspects is running, in order to face the overall organisational and management change issues. In the scope of this


435

initiative, the PKI technology and management aspects were explicitly included. Dedicated courses were designed and are soon to be delivered to all three levels (CA, RA and CO) of the GPA personnel involved in the SYZEFXIS-PKI project, the content of which relates to the technical, managerial and legal aspects of information handling, network security and PKI-related best practices, for various trainee (GPA employees) profiles. Finally, we initiated a process for providing a binding legal framework, via an appropriate presidential decree, which will formally assign the PKI-authority roles to specific public-sector entities and enforce the use of the CPS to all parties involved.

6

Discussion

PKI implementation and use stand to revolutionarise the way trust and identity are managed and can reform the way that Government and Public Administration handles them. Moreover, it can change the way that the GPA uses and routes information within itself and with the outside and it represents a major step for the digitisation of administrative processes and G2G, G2B and G2C interactions. If deployed widely, it can even change the way that civil servants deal with accountability and procedures. One of the main concerns of both the private and the public sectors of the modern information society during the last few years is Trust and the digital representation of the physical Identity of people and organisations. This is especially important in the public sector, where misuse of identity may entail immediate and severe penalties; likewise repudiation of responsibility is quite common and practices to ensure it can actually become a concern of many civil servants. Furthermore, e-government creates a new, virtual public space. This immediately raises the question of how do the role structures in real public space conform to it. The distributed context structure of public space is much more scattered and heterogeneous than it used to be. Social rules for behaviour in public are less stringent but also more difficult to understand. The virtual public space of e-government has to be designed according to the needs of the citizen. It must not ignore present cultural trends and thus, it must admit a rich mix of role-structures and context definitions (Riedl, 2004). Also, in the post-modern information society the coupling of the roles people play in different communication channels gets looser and looser. People focus more on the context, as they have been taught that the message is created at the receiver. As a consequence, the real threat to Identity is not only that privacy may be violated in a known context, but that personal data may be stripped of their context and combined for a context unknown to their producers. Identity is more open and fragmented than it used to be a hundred years ago. It consists of all the roles, which people perform in different contexts and thus it is made up of situated fragmented identities. Interaction with digital services creates personal data, the sum of which constitutes our digital identity. However, these situated data are valid for a particular context only. Combining digital data from different roles strongly violates privacy. This observation is represented by the context principle in European data protection principles. Personal data created and stored for one context must not automatically be reused in another context. Thus, it can be concluded that the public sector and post-modern reality are both furnished with rich role structures, which are becoming increasingly complex. The design of e-government solutions must support these role structures and their

436


management by the citizens and the government agencies (although organisational measures have to take care that no definition of roles for the sake of the exploitation of technology takes place). Further care has to be taken that only productive role structures and role structures with productive side effects on the institutional culture are designed and implemented. A well-designed PKI-enabled secure e-government space can support the above Trust and Identity Management model. As far as Greece is concerned, the future is both promising and uncertain. On the one hand, electronic governance is a fairly new concept and has few success stories to demonstrate (Metaxiotis and Psarras, 2004). On the other hand, while it is clear that SYZEFXIS-PKI is revolutionary, it is a fairly closed system and even if it finds wide acceptance and use, it is nevertheless targeted towards employees of the GPA (i.e. public servants), not the general public (i.e. Greek citizens). For the latter, there is currently no provision for enjoying the benefits of a unified PKI-enabled transaction environment, either with the GPA or with financial institutions. There are a few isolated attempts for providing PKI-enabled services for the public from a couple of private banks and even a proposal for a Central Administration Internet Gateway for Information and Secure G2C and G2B Transactions, but there is currently lack of an initiative to provide the Greek citizens, private companies and the GPA with a unified and universal secure e-government environment. The ongoing modernisation of the Hellenic Taxation System (TAXIS) (Tahinakis et al., 2006) provides a good opportunity, especially since the technical requirements for its future version contain PKI-enabled systems. This has the potential to drive the market and it could provide a de facto standard for others to follow. However, whether SYZEFXIS-PKI can be expanded to cover this opportunity or a new infrastructure (which could subsequently be bridged with SYZEFXIS) will be necessary, is more a matter of insightful political governance and less of technological implementation.

7

Conclusion and directions for further research

PKI is neither a panacea nor an individually enabling technology for the advancement of electronic governance in a country. Many other technical services should be implemented in order to advance this goal, useful and functional services that can provide to public servants and citizens alike the motivation to use this environment (Eyob, 2004). However, PKI is an important enabler of trust in the electronic equivalent of government and trust is one of its necessary ingredients (Palanisamy, 2004). Furthermore, a PKI’s technical implementation is not the hard part; this technology is mature, well documented and it has been applied in numerous commercial applications. It is contextualisation of service, adaptation of procedures, user awareness, involvement and acceptance, resistance to change and appropriate culture establishment that are difficult to attain. We believe that SYZEFXIS-PKI possesses the necessary qualities to overcome these hurdles and attain its goal to reform e-governance in Greece. But it will be a lengthy and time-consuming effort and a good case for further research, within the span of the next two to three years. Another interesting case for further research could be the migration of this technology and e-governance model to a mobile environment, which is currently a topic that has attracted a lot of attention, both in its technical as well as its governmental aspects.


437

References Adams, C., Cain, P., Pinkas, D. and Zuccherato, R. (2001) ‘Internet X.509 public key infrastructure time-stamp protocol (TSP)’, IETF, RFC 3161, Available at: http: //www.ietf.org/rfc/rfc3161.txt. Adams, C., Farrell, S., Kause, T. and Mononen, T. (2005) ‘Internet X.509 public key infrastructure certificate management protocol’, IETF, RFC 4210 (obsoletes 2510), Available at: http://www.ietf.org/rfc/rfc4210.txt. AICPA (2000) Statement on Auditing Standards (SAS) No. 70, Available at: http: //www.sas70.com/. AICPA (2003) Webtrust Program for Certification Authorities, American Institute of Certified Public Accountants, Available at: http://www.webtrust.org/CertAuth_fin.htm. American Bar Association (1996) Digital Signature Guidelines: Legal Infrastructure for Certification Authorities and Electronic Commerce, ISBN 1570732507, American Bar Association. American National Standards Institute (2001) Available at: http://www.ansi.org/. Belgium.beID (2001) Available at: http://eid.belgium.be/en/navigation/12000/index.html. Boeyen, S., Howes, T. and Richard, P. (1999a) ‘Internet X.509 public key infrastructure operational protocols: LDAPv2’, IETF, RFC 2559 (updates 1777), Available at: http:// www.ietf.org/rfc/rfc2559.txt. Boeyen, S., Howes, T. and Richard, P. (1999b) ‘Internet X.509 public key infrastructure LDAPV2 schema’, IETF, RFC 2587, Available at: http://www.ietf.org/rfc/rfc2587.txt. Canada GoC PKI (2001) Available at: http://www.solutions.gc.ca/pki-icp/gocpki/gocpki_e.asp. Chokhani, S., Ford, W., Sabett, R., Merrill, C. and Wu, S. (2003) ‘Internet X.509 public key infrastructure: certificate policy and certification practice statement framework’, IETF, RFC 3647 (obsoletes 2527), Available at: http://www.ietf.org/rfc/rfc3647.txt. Curthoys, N. and Crabtree, J. (2003) SmartGov: Renewing Electronic Government for Improved Service Delivery, ISociety Report, The Work Foundation, London, Available at: http://www.pwc.com/uk/eng/about/ind/gov/smargovfinal.pdf. Dierks, T. and Allen, C. (1999) ‘The TLS protocol version 1.0’, IETF, RFC 2246, Available at: http://www.ietf.org/rfc/rfc2246.txt. Eyob, E. (2004) ‘E-government: breaking the frontiers of inefficiencies in the public sector’, Electronic Government: An International Journal, Vol. 1, No. 1, pp.107–114. Finland FINEID (2000) Available at: http://www.fineid.fi/. Ford, W. and Kaliski, B. (2000) ‘Server-assisted generation of a strong secret from a password’, Proceedings of the Ninth IEEE International Workshop on Enabling Technologies: Infrastructure for Collaborative Services, pp.176–180. Gil-Garcia, J.R. and Pardo, T.A. (2005) ‘E-government success factors: mapping practical tools to theoretical foundations’, Government Information Quarterly, Vol. 22, pp.187–216. Gritzalis, S., Katsikas, S., Lekkas, D., Moulinos, K. and Polydorou, E. (2000) ‘Securing the electronic market: the keystone public key infrastructure architecture’, Computers and Security, Vol. 19, No. 8, pp.731–746. Housley, R., Polk, W., Ford, W. and Solo, D. (2002) ‘Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile’, IETF, RFC 3280 (obsoletes 2459), Available at: http://www.ietf.org/rfc/rfc3280.txt. IDA(BC) PKI (1999) Available at: http://europa.eu.int/idabc/en/document/2316/5644. Kaliski, B. and Staddon, J. (1998) ‘PKCS#1: RSA cryptography specifications version 2.0’, IETF, RFC 2437 (obsoletes 2313), Available at: http://www.ietf.org/rfc/rfc2437.txt. Lambrinoudakis, C., Gritzalis, S., Dridi, F. and Günther, P. (2003) ‘Security requirements for e-government services: a methodological approach for developing a common PKI-based security policy’, Computer Communications, Vol. 26, No. 16, pp.1873–1883.

438


Löfstedt, U. (2005) E-Government – Assessment of Current Research and Proposals for Future Directions, Available at: http://www.hia.no/iris28/Docs/IRIS2028-1008.pdf. Martin, N. (2005) ‘Why Australia needs a SAGE: a security architecture for the Australian government environment’, Government Information Quarterly, Vol. 22, pp.96–107. Metaxiotis, K. and Psarras, J. (2004) ‘E-government: new concept, big challenge, success stories’, Electronic Government: An International Journal, Vol. 1, No. 2, pp.141–151. Myers, M., Ankley, R., Malpani, A., Galperin, S. and Adams, C. (1999) ‘X.509 internet public key infrastructure online certificate status protocol – OCSP’, IETF, RFC 2560, Available at: http://www.ietf.org/rfc/rfc2560.txt. National Institute of Standards and Technology (US) (2002) ‘FIPS PUB 140-1: security requirements for cryptographic modules’, Available at: http://csrc.nist.gov/publications/ fips/fips140-1/fips1401.pdf. National Institute of Standards and Technology (US) (2004) Public Key Infrastructure, Available at: http: //csrc.nist.gov/pki/. Netherlands PKIoverheid (2002) Available at: https://www.pkioverheid.nl/. Palanisamy, R. (2004) ‘Issues and challenges in e-governance planning’, Electronic Government: An International Journal, Vol. 1, No. 3, pp.253–272. Palmer, T. and Buck, P.S. (2003) ‘PKI needs good standards?’ Information Security Technical Report, Vol. 8, No. 3, pp.6–13. Riedl, R. (2004) ‘Rethinking trust and confidence in European e-government: linking the public sector with post-modern society’, Proceedings of the Fourth IFIP Conference on e-Commerce, e-Business and e-Government 2004, Toulouse, France, pp.89–108. RSA Laboratories (2004) PKCS#11 v.2.20: Cryptographic Token Interface Standard, RSA Data Security, Inc., Available at: ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/ pkcs-11v2-20.pdf. Santesson, S., Nystrom, M. and Polk, T. (2004) ‘Internet X.509 public key infrastructure qualified certificates profile’, IETF, RFC 3739 (obsoletes 3039), Available at: http://www.ietf.org/rfc/ rfc3739.txt. Schaad, J. (2005) ‘Internet X.509 public key infrastructure certificate request message format (CRMF)’, IETF, RFC 4211 (obsoletes 2511), Available at: http://www.ietf.org/rfc/ rfc4211.txt. Tahinakis, P., Mylonakis, J. and Protogeros, N. (2006) ‘The contribution of e-government to the modernization of the Hellenic taxation system’, Electronic Government: An International Journal, Vol. 3, No. 2, pp.139–157. VeriSign (2005) Certification Practice Statement Version 3.1, Available at: http://www. verisign.com/repository/CPS/VeriSignCPSv3.1.pdf.