
E-Procurement: Digital Signatures and Role of Certifying Authorities



Presentation Transcript

  1. E-Procurement: Digital Signatures and Role of Certifying Authorities
     Jagdeep S. Kochar, CEO, (n)Code Solutions

  2. E-Procurement in India
     • Central Government
     • State Governments: Andhra, Karnataka, Gujarat
     • Public Sector Units
     • Some Organizations:
       • NIC for Central Government
       • DGS&D
       • Northern Railway
       • IFFCO
       • GNFC

  3. The ‘PAIN’ of Online Transactions
     • (P)rivacy / Confidentiality: threat is Interception. Is my communication private?
     • (A)uthentication: threat is Fabrication. Who am I dealing with?
     • (I)ntegrity: threat is Modification. Has my communication been altered?
     • (N)on-repudiation: threat is Claims of “Not Sent” / “Not Received”. Who sent/received it and when?

  4. Where do Digital Signatures come in?
     • Passwords are a weak method of authentication
     • Passwords do not ensure integrity
     • Passwords can be broken, guessed, leaked, extracted, etc.
     • A Digital Signature cannot be duplicated, guessed, broken, etc.
     • No legal protection for disputes in case of other authentication methods
     In short: Digital Signatures are an effective remedy against the ‘PAIN’ of e-Transactions

  5. Digital Signatures and e-Procurement

  6. Where does the buyer use PKI?
     • Secure Login
     • Tender floating
     • Corrigendum
     • Secure communications with vendors
     • Tender opening
     • Clarifications and negotiations
     • Digitally signed PO/WO
     • Digitally Signed Archives

  7. Where does the Vendor use PKI?
     • Secure Login
     • Secure storage of content
     • Tender submission
     • Encryption using buyer’s public key
     • Clarifications and negotiations

  8. Digital Signing of the Data (diagram)
     Electronic Data -> Hash Function -> Hash Result -> Signing Function (using the Private Key of A) -> Digital Signature
     The Digital Signature is attached to the Electronic Data to form the Signed Data.
     Only the Private Key holder can sign.

  9. Digital Signature Verification (diagram)
     Signed Data = Electronic Data + Digital Signature
     Electronic Data -> Hash Function -> Hash Result
     Digital Signature -> Verify Function (using the Public Key of A) -> Hash Result
     Compare the two Hash Results: Valid? Yes / No
     So the receiver can compare hashes to verify the signature. Anyone can verify.
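The signing and verification diagrams above, worked in code. This is an added example, not material from the deck or from (n)Code Solutions: it uses Go's standard-library ECDSA on curve P-256 with SHA-256 as the hash function (the slides do not name an algorithm), and the bidder's key pair, the tender text and the printed labels are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignData is the "Digital Signing of the Data" flow: hash the electronic
// data, then run the hash result through the signing function with A's
// private key. The returned bytes are the Digital Signature that is attached
// to the data to form the Signed Data.
func SignData(priv *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyData is the "Digital Signature Verification" flow: the receiver
// recomputes the hash of the data it received and lets the verify function
// check it against the signature using A's public key. No secret is needed,
// so anyone holding the public key can run this step.
func VerifyData(pub *ecdsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Key pair of signer "A" (generated in software here; the deck's later
	// e-Token slide wants the pair created and kept on a smartcard/token).
	a, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample tender submission; not a real document.
	bid := []byte("Tender T-001 (constructed sample): quoted price INR 1,00,000")

	sig, err := SignData(a, bid)
	if err != nil {
		panic(err)
	}
	fmt.Println("original bid, A's public key :", VerifyData(&a.PublicKey, bid, sig))

	// Integrity: one changed digit gives a different hash result, so the
	// comparison on the verification slide answers "No".
	altered := []byte("Tender T-001 (constructed sample): quoted price INR 1,00,001")
	fmt.Println("altered bid, A's public key  :", VerifyData(&a.PublicKey, altered, sig))

	// Authentication: the signature verifies only under A's public key, so
	// the bid cannot be attributed to any other key holder.
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Println("original bid, other's key    :", VerifyData(&other.PublicKey, bid, sig))
}
```

The first check prints `true` and the other two `false`: the hash comparison catches any modification of the data, and the public key ties the signature to one key holder, which is the integrity and authentication half of the ‘PAIN’ slide.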

  10. Digital Signature & the Law
     The IT Act 2000 provides:
     • Legal and regulatory framework for promotion of e-Commerce and e-Governance
     • Legal validity for Electronic transactions / contracts and records
     • For appointment of Certifying Authorities to issue Digital Certificates
     • The legal framework for electronic filing of documents
     • For prevention of computer crime, forgery, falsification of identity in e-Commerce transactions

  11. Structure of PKI in India (diagram)
     CCA India / ROOT CA (Ministry of Information Technology)
       -> Licensed Certifying Authority (three shown)
          -> Subscriber (three shown, each under a Licensed Certifying Authority)

  12. Components of PKI (diagram: Certification Authority, Registration Authority, Repository, Web Server, Internet, Relying Party Application, Certificate Holder)
     • Certification Authorities (CAs) (Issuers)
     • Registration Authorities (RAs) (Authorize the binding between Public Key & Certificate Holder)
     • Certificate Holders (Subscribers)
     • Relying Parties (Validate signatures & certificate paths)
     • Repositories (Store & distribute certificates & status: expired, revoked, etc.)

  13. Functions of a Certifying Authority
     • Trusted Third Party
     • Digital Certificates
       • Registration and Issuance
       • Revocation
       • Maintain
     • Provide Certificate Revocation Lists
     • Provide Support
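The three-tier hierarchy of slide 11, the relying-party and repository roles of slide 12 and the revocation function of slide 13, as one added example in Go (not the deck's or (n)Code Solutions' code). It uses Go's `crypto/x509` to issue a self-signed Root CA, a Licensed CA under it and a subscriber certificate, then performs the relying party's path validation and CRL check; the common names, serial numbers, validity periods and the choice of P-256 keys are all constructed for the demonstration, and the CRL stands in for the repository's "revoked" status.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mustIssue generates a P-256 key pair and a certificate binding it to cn.
// A nil parent gives a self-signed certificate (the Root CA); otherwise the
// certificate is signed with parentKey, the issuing CA's private key.
func mustIssue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// mustCRL is the Licensed CA publishing its Certificate Revocation List
// (RevokedCertificates is the pre-Go-1.21 field name and still works).
func mustCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(der)
	must(err)
	return crl
}

// validate is the Relying Party's check: the subscriber certificate must chain
// through the Licensed CA to the trusted Root CA, and its serial must not be
// on the Licensed CA's current CRL. A nil result means the certificate is usable.
func validate(sub, licensed, root *x509.Certificate, crl *x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(licensed)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := sub.Verify(opts); err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	if err := crl.CheckSignatureFrom(licensed); err != nil {
		return fmt.Errorf("CRL not signed by the licensed CA: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(sub.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s revoked at %s", sub.SerialNumber, rc.RevocationTime.Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	root, rootKey := mustIssue("CCA India Root CA (constructed)", true, 1, nil, nil)
	ca, caKey := mustIssue("Licensed Certifying Authority (constructed)", true, 2, root, rootKey)
	bidder, _ := mustIssue("Subscriber bidder (constructed)", false, 3, ca, caKey)
	crl := mustCRL(ca, caKey) // nothing revoked yet
	fmt.Println("valid chain      :", validate(bidder, ca, root, crl)) // <nil>
	crl = mustCRL(ca, caKey, 3) // the Licensed CA revokes serial 3
	fmt.Println("after revocation :", validate(bidder, ca, root, crl))
	// A certificate from a CA that is not licensed under the Root fails path validation.
	other, otherKey := mustIssue("CA outside the hierarchy (constructed)", true, 9, nil, nil)
	stray, _ := mustIssue("Subscriber of that CA (constructed)", false, 10, other, otherKey)
	fmt.Println("unlicensed issuer:", validate(stray, ca, root, crl))
}
```

Only the first call returns `<nil>`. The second fails on the CRL entry and the third on path validation, since the relying party trusts nothing but the Root CA it was configured with; a real relying party would fetch the Licensed CA's certificate and its latest CRL from the repository rather than hold them in memory as this example does.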

  14. Expectations of a CA
     • Education and evangelism
     • Support issues: support vendors on Certificates and application
     • 11th hour delivery of Certificates to users
     • PKI enablement of application

  15. How can a CA add value
     • Secure Issuance of Digital Certificates
       • RA / LRA obligations to the CA
       • Verification of the users/documents
     • Provide the highest class / high assurance certificates
     • Provide consulting for secure application design

  16. How can a CA add value (cont.)
     • SSL enabled site
     • Secure Application Design:
       • Digitally signed content at the client end
       • Digitally signed / encrypted content during data transfer
       • Data integrity / confidentiality to be taken care of during:
         • changing of data by vendor / buyer
         • transfer of data between client and server
         • storage of data at the server

  17. Types of certificates
     • Email Signing certificates (popularly known as Class I Certificates)
     • Document / Component signing certificates without personal verification (popularly known as Class II Certificates)
     • Document / Component signing certificates with personal verification (popularly known as Class III Certificates)

  18. Which certificate should be used?
     The IT Act Guidelines for CAs state:
     Class 3 Certificate: This certificate will be issued to individuals as well as organizations. As these are high assurance certificates, primarily intended for e-commerce applications, they shall be issued to individuals only on their personal (physical) appearance before the Certifying Authorities.

  19. Why Class 3?
     • The biggest frauds have been based on documents.
     • If the banks had opened Demat accounts on the basis of personal presence, the recent IPO scam could have been averted.
     • A Class 3 certificate requires physical appearance at the CA offices.
     • This reduces the chances of identity fraud.

  20. Why use an e-Token?
     • Amendment to the IT Act 2000: G.S.R. 735(E) dated 29th October, 2004
     • A secure digital signature shall be deemed to be secure for the purpose of the Act if a cryptographic smartcard / token is used to create the key pair and the key pair remains in the cryptographic token / smartcard.

  21. Case Studies
     • IFFCO
     • Northern Railway
     • Govt. of Gujarat
     • KSPHC
     • How (n)Code helped e-procurement succeed

  22. Thank you
     Jagdeep S Kochar
     jskochar@ncodesolutions.com
