>
c o v e r I N T ERV I E W
Creating Trust in Electronic Environment
Dr N Vijayaditya, Controller of Certifying Authorities, Ministry of Communications and Information Technology, Government of India 8}
w w w.egovonline.net
ov
Digital transactions are central to the effective implementation of e-Governance. How does the Controller of Certifying Authorities (CCA) facilitate secure e-Governance? The Controller of Certifying Authority (CCA) is responsible for issuing the licenses to the Certifying Authority (CA). In other words, the whole procedure is controlled by the CCA. Digital Certificates are issued by the Certifying Authority to the various users as well as the individual user. There are certain procedures that are followed in the issuance of certificates which are stipulated by the CA in the standards issued by them. The CA is regularly audited by the third party on an annual basis. Therefore, there are clearly laid out procedures for the Certifying Authorities. These procedures are regularly noted for various operationalas wellas technologicalchanges. Most of these certificates are issued in a smart card or a USB mode. The major advantage is that once a person digitally signs, anybody who makes modifications in the card can be noted easily. When we say a certificate is digitally signed, there is content and when you apply your USB token or a smart card, it generates a 40 byte character which is sent along with the document. Therefore, if users want to check the genuineness of a document, they can verify the document. If it comes back with 40 bytes, it implies that it is correct and there is no modification in the content. In e-Governance, for instance under MCA 21 (Ministry of Company Affairs) Project, Digital Certificates are used for uploading the content. In future, one cannot say that a particular document was not signed by a person or a particular content is not correct because non-repudiation is only possible through digital signatures. There are many other security systems that can be faltered, whereas, in digital signature this cannot be done. DGFT, IFFCO, RBI are some of the departments that are using inter bank transfers through digital signatures. High Courts are using digital signatures for their judgements as they ensure authenticity of transactions over Internet.
Public Infrastructure is secured in the country. In addition to this, he also audits all the Certifying Authorities on a regular basis. Stringent procedures are followed as laid down under the IT Act for this process. Are there any other Government Departments in the pipeline, which are planning to apply security solutions in their services? Yes, there are many departments in the government that have applied security solutions in their services. The Income Tax Department has initiated the process. The Passport Department is planning to make Passports into e-Passport. However, the procedure will be different from the one followed by others. Nevertheless, they will also be issued Digital Certificates for their operations. What are the major security concerns in cyberspace? What are the steps taken by CCA to ensure the trust in, and security of, e-Transactions? There are many security issues in the cyberspace. One is regarding the genuineness and security (from virus, malware, spyware, etc.) of the emails received. For instance, when a person is carrying out a transaction, how does he/she ensure that it is not hijacked in-between the process. The computer may be safe and secure but, the concern is regarding the safety of the network. Thus, there are lot of issues related to the security in cyberspace. Each of the segments has to be secured. The operations, applications and the systems have to be secured along with the networks. In fact, each and every part has to be secured so that trustworthy transactions are ensured.
As far as the technology is concerned, we provide the highest level of security in electronic transactions
What is the role of the CCA? Under the IT Act 2000, how are the electronic records authenticated? The Control of Certifying Authorities is under Section 17 of the IT Act 2000. Presently, the CCA is responsible for all the Public Key Infrastructure such as the process of issuing the licenses to various Certifying Authorities, the procedure to be followed, etc. CCA is responsible for the safe custody of the Digital Certificates of the Certifying Authorities and the Certifying Authorities are responsible for the certificates that are issued by them. Thus, the whole operation of the Public Key Infrastructure and its security is stipulated by the rules and regulations issued by the Controller. The Controller ensures that the ov
April 2008
Could you tell us more about the Public Key Infrastructure and the services offered by it? What are the major security concerns in this regard? Out of all the mechanisms, Public Key Infrastructure is given utmost importance. Generally, when we have to encrypt something, we use a code that is known to both the parties involved in a transaction so that we can exchange it. The problem here is with a third person, who needs a separate code. The other security solution that exists is called the Public Key Security. There are two keys, and each person or each entity, will have two keys/codes – one is Public and the other is Private. The technology is such that these two work in conjunction. If you encrypt with one of them you can only decrypt with the other and vice versa. The technology for Public Key Infrastructure is such, that if a person has to sign something digitally, he/she uses their Private Key. It remains with them and they do not give it to anybody. But their Public Key is available to anyone who wants to use it. Once, another person has access to his/her 9
c o v e r int e r v i e w
>
This system has been used in banks such as HDFC, ICICI and others for DMAT accounts to certify the statements regularly. A chain of sequence is used to give the authenticity so that it cannot be repudiated. Without knowing the 40 byte character for security, the content cannot be regenerated. Through the reverse mechanism, encrypted information can be sent to a particular person using the Public Key of that person available on the Internet. In any other operation it is easy to copy the fingerprints and it can be used. Whereas, here it cannot be used. This is the highest level of security for transactions on the Internet.
signature and the Public Key, the other person can verify it and see whether he/she has sent it. Another issue is that how does one know that it is his/her authentic Public Key. The certificate for this purpose is issued by a Certifying Authority. When they have a Public-Private Key pair, they take their Public Key to a Certifying Authority. The Certifying Authority issues a Digital Signature Certificate, which is essentially a certificate containing a Public Key and binding it with a digital signature. That is how the technology works and in this way all the Certifying Authorities with the CCA at the root complies the Public and Private Key Infrastructure. With CCA at the root, we have issued 700,000 certificates which is an estimate of the key infrastructure. Each person has a unique key that can not be replicated. Thus, when somebody signs with the digital signature of the Private Key, the content differs as the signature varies.Therefore they cannot generate a key using a different mechanism and it varies from certificate to certificate.
What are some of the e-Transactions carried out within the government agencies and for government services? As far as technology is concerned, we provide the highest level of security in electronic transactions. When you have to work on the Internet for net banking, DMAT trading, filing income tax returns, etc. digital signature authenticates the person and provides the integrity of the content. The transactions cannot be repudiated and denied. These are the factors required for e-Commerce transactions. We are talking more about products, so we are based on electronics. Suppose, I take a print out of a paper that is digitally signed with 40 bytes, in a printed form, anybody can change it. But in the electronic form, if the content is changed, it automatically alerts you about the modifications. This is because there is a strong relation between the content and privacy. Does the current Indian regulatory and certifying laws have adequate security related aspects? How often are these laws updated, considering the growing security threats? The Certifying Authority has created a procedure for issuing secure transactions. It is today, the highest level of security in this context. As the technology is fast changing, we have to regularly deal with it and make appropriate changes. Nevertheless, the procedures used, are quite adequate. In cyber space, what is secure today is not secure tomorrow. Therefore, we make sure that the system we use ensures the highest level of security and for this we follow certain encryption technologies of a very high level. In the future, we have to see what is to be done. There are many people carrying out e-Transactions, for net banking, e-Tendering, etc. When they upload it, they digitally sign it. They use the Public Key, encrypt and transmit it. This way they cannot personally encrypt and change the content until the whole team of 6 – 7 people is present. Yet, if you are just transmitting a file, you have access to it, from any computer. Suppose, two people are responsible for the tendering, and their Public Key is used for encrypting the whole thing, until both of them use their Private Keys, they cannot encrypt it. So, this is the highest level of security that is possible.
Learn more about digital signatures and cybersecurity issues at egov India 2008. For details log on to www.eINDIA.net.in
10
w w w.egovonline.net
ov