Security Model in E-government with Biometric based on PKI



Similar documents
Authentication Levels. White Paper April 23, 2014

Introduction to Public Key Technology and the Federal PKI Infrastructure 26 February 2001

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

The Role of Digital Certificates in Contemporary Government Systems: the Case of UAE Identity Authority

esign Online Digital Signature Service

Advanced Authentication

esign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

A Method of Risk Assessment for Multi-Factor Authentication

solutions Biometrics integration

Certification Practice Statement

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS

Certificates. Noah Zani, Tim Strasser, Andrés Baumeler

ARCHIVED PUBLICATION

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Audio: This overview module contains an introduction, five lessons, and a conclusion.

Finger Vein digital biometric signature: use cases

Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

ORDINANCE ON THE ELECTRONIC SIGNATURE CERTIFICATES IN THE. Chapter One GENERAL PROVISIONS

Development of Academic Attendence Monitoring System Using Fingerprint Identification

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Moving to Multi-factor Authentication. Kevin Unthank

Guide for Securing With WISeKey CertifyID Personal Digital Certificate (Personal eid)

SYMANTEC NON-FEDERAL SHARED SERVICE PROVIDER PKI SERVICE DESCRIPTION

HKUST CA. Certification Practice Statement

Subject: Public Key Infrastructure: Examples of Risks and Internal Control Objectives Associated with Certification Authorities

Mobile OTPK Technology for Online Digital Signatures. Dec 15, 2015

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Controller of Certification Authorities of Mauritius

White Paper 2 Factor + 2 Way Authentication to Criminal Justice Information Services. Table of Contents. 1. Two Factor and CJIS

Business Issues in the implementation of Digital signatures

French Justice Portal. Authentication methods and technologies. Page n 1

Multi-Factor Authentication

Public Key Infrastructure for a Higher Education Environment

CALIFORNIA SOFTWARE LABS

NIST Test Personal Identity Verification (PIV) Cards

TELSTRA RSS CA Subscriber Agreement (SA)

Concept of Electronic Approvals

IGI Portal architecture and interaction with a CA- online

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 10 Authentication and Account Management

22 nd NISS Conference

U. S. Department of Justice Information Technology Strategic Plan. Appendix E. Public Key Infrastructure at the Department of Justice.

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

Public Key Applications & Usage A Brief Insight

An Introduction to Entrust PKI. Last updated: September 14, 2004

Digital identity: Toward more convenient, more secure online authentication

Framework for Biometric Enabled Unified Core Banking

CERTIMETIERSARTISANAT and ELECTRONIC SIGNATURE SERVICE SUBSCRIPTION CONTRACT SPECIFIC TERMS AND CONDITIONS

State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008

Government Information Security System with ITS Product Pre-qualification

Ericsson Group Certificate Value Statement

Glossary of Key Terms

GOALS (2) The goal of this training module is to increase your awareness of HSPD-12 and the corresponding technical standard FIPS 201.

5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES

CS 356 Lecture 28 Internet Authentication. Spring 2013

Biometrics in Physical Access Control Issues, Status and Trends White Paper

ENHANCING ATM SECURITY USING FINGERPRINT AND GSM TECHNOLOGY

REGISTRATION AUTHORITY (RA) POLICY. Registration Authority (RA) Fulfillment Characteristics SECURITY DATA SEGURIDAD EN DATOS Y FIRMA DIGITAL, S.A.

Introduction to Network Security Key Management and Distribution

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Biometric SSO Authentication Using Java Enterprise System

What s it all about? SAFE-BioPharma Association

IDENTITY MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Application of Biometric Technology Solutions to Enhance Security

White Paper. The risks of authenticating with digital certificates exposed

Biometric Electronic Signaturein a Bank Biometryczny podpis elektroniczny w kontekście banku

Chapter 1: Introduction

Smart Card Setup Guide

Securing e-government Web Portal Access Using Enhanced Two Factor Authentication

Lecture VII : Public Key Infrastructure (PKI)

The Convergence of IT Security and Physical Access Control

Class 3 Registration Authority Charter

Multifactor Graphical Password Authentication System using Sound Signature and Handheld Device

Scalable Authentication

SEZ SEZ Online Manual Digital Signature Certficate [DSC] V Version 1.2

Midterm Solutions. ECT 582, Prof. Robin Burke Winter 2004 Take home: due 2/4/2004 NO LATE EXAMS ACCEPTED

Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

NOAA HSPD-12 PIV-II Implementation October 23, Who is responsible for implementation of HSPD-12 PIV-II?

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

Biometrics: Advantages for Employee Attendance Verification. InfoTronics, Inc. Farmington Hills, MI

CSC/ECE 574 Computer and Network Security. What Is PKI. Certification Authorities (CA)

Security and Security Certificates for OpenADR systems. Background. Content:

GAO PERSONAL ID VERIFICATION. Agencies Should Set a Higher Priority on Using the Capabilities of Standardized Identification Cards

FAQs Electronic residence permit

Biometric Authentication Platform for a Safe, Secure, and Convenient Society

Understanding Digital Signature And Public Key Infrastructure

SOLUTIONS FOR HEALTHCARE PROFESSIONALS AND GOVERNMENTS

This method looks at the patterns found on a fingertip. Patterns are made by the lines on the tip of the finger.

HEALTH INFORMATION TECHNOLOGY EXCHANGE OF CONNECTICUT

Information Technology Policy

Biometrics for Global Web Authentication: an Open Source Java/J2EE-Based Approach

IDaaS: Managed Credentials for Local & State Emergency Responders

PKI: Public Key Infrastructure

Adobe PDF for electronic records

Application-Specific Biometric Templates

Digital Signatures on iqmis User Access Request Form

Transcription:

Security Model in E-government with Biometric based on PKI Jaafar.TH. Jaafar Institute of Statistical Studies and Research Department of Computer and Information Sciences Cairo, Egypt Nermin Hamza Institute of Statistical Studies and Research Department of Computer and Information Sciences Cairo, Egypt Bahaa Eldin M. Hassan Chairman at Arab Security Consultants ABSTRACT With the growth of Information Technology and the Internet, governments apply the same principles and technologies that are supporting E-business revolution, to achieve similar transformation. Security becomes necessary to protect the citizens and government information. In this paper a model has been proposed to obtain security services in the E-government based on Public Key Infrastructure (PKI). To achieve more security levels, Biometrics and Hardware token are used. Keywords Security, Token, Biometric, Cryptography 1. INTRODUCTION The using of e-government services increases the needs of the user information and privacy. To accomplish E-government security there are three security issues must be considered which are: authentication, authorization and non-repudiation. The main methodology to get it is to apply Public key infrastructure (PKI). Through this research, it has discovered that there are many people who deal with PKI and E-Government such as, Ali Shayan etc. at 2008,[9], explain the importance of information security requirements during each stage of the e-government. In the results, the importance of twenty selected items was illustrated, and the most and least important practices in each stage based on the expert s opinions and the statistical data analysis were explained, but it comprehensive and the model will not generally applicable to all organizations. At 2012,Phi1D'Angio.etc. [10], began in the analysis of the characteristics of successful projects PKI led by government organizations. examine E-Government project based on PKI suggested the approach for Government PKI programs emphasize strong collaboration use cases. It also examines the characteristics of PKI projects that were not successful in the past. But has not been implemented this application in the e-government system. Ali M. Al-Khouri, 2012, [11], Discusses Multi-Factor Authentication, support varying strengths of authentication i.e., PIN code, biometrics, digital certificates. The multi-factor authentication feature is a major capability that the ID card provides for e-government applications. For example, Abu Dhabi e-government portal uses the UAE smart ID card to provide higher levels of assurance and confidence in the digital identities that interact with the portal. A two factor authentication (PIN and Offline Certificate validation) capability of the ID card has been integrated to support and enhance the security for different e- service access models. The use of the smart ID card for physical authentication and data capture has shortened for example the process cycle of service delivery at one public sector organizations (i.e., Dubai Courts) takes less than 7 seconds, in past it takes from 7 to 10 minutes. And clarify the PKI, the ID card need materials such ID reader which need money. DaeyoungHeo,2012,[12].suggested Some protocols and challenges that came as alternative certificate validation method which translates the original certificate of national PKI to grid credential on separate GSI ( Grid Security Infrastructure ) and delegate the translated credential to grid service by an extended( OAuth protocol). The proposed idea is implemented in service called SecureBox (which is implemented based on the alternative certificate path validation method described in the previous section. SecureBox allows users to login to original GSI of grid by national PKI certificate). GSI can now adapt a reliable certificate issuance process including nationwide RA system from national PKI by the service, but did not explain how the citizens use it, just explain Protocol. This paper will be divided into sections; section 2 will introduce a brief about the Public Key Infrastructure and Biometrics. Section 3 will present some related work in security of e-government. The proposed model will be presented in section 4. And finally section 5 gives the results. 2. PUBLIC KEY INFRASTRUCTURE AND BIOMETRICS 2.1 PKI The basis on which governments can execute transactions safe and reliable whether between individuals, governments businesses, governments or inter-government relationships is PKI. It Allows public entities to securely authenticate all participants in a transaction [2]. PKI could be defined as: the combination of software, encryption technologies, and services that enables enterprises to protect the security of their communications and business transactions on networks [3]. PKI combine digital certificates, public key 33

cryptography, and certification authorities into a complete enterprise-wide network security architecture. The basic components of public key infrastructure are certification authority, Registration Authority, PKI Users, repositories and archives [4]. Certificate holders will obtain their certificates from different CAs; Certification Authority; depending upon the organization or community in which they are member [5]. A PKI is typically composed of many CAs linked by trust paths. A trust path links a relying party with one or more trusted third parties. Figure 1 illustrates PKI Architectures. Fig 1: PKI Architectures. Two basic data structures are used in PKIs. They are the public key certificate and the certificate revocation lists. A third data structure, the attribute certificate, may be used as an addendum [6]. Figure 2 illustrates PKI Data Structures. Fig 2: PKI Data Structures 2.2. Biometrics Systems are tightly linked to a person because they can use a certain unique property of an individual for identification and/or authentication. which are automated methods of identifying a person or verifying the identity of a person based on a physiological or behavioural characteristic [7].The common Physical characteristics are: Fingerprint, Face, Retina, Iris, Vein pattern and Hand and finger geometry. Behavioral characteristics are: Keystroke dynamics, Voice, Gait and Signature dynamics. Biometric systems are tightly linked to a person because they can use a unique property of a certain individual for identification and/or authentication. While a person s biometric data can be deleted or altered the source from which they have been extracted can in general neither be altered nor deleted [8]. 3. PROPOSED MODEL The aim of the proposed model is to achieve some levels of security of e-government. The main security services we want to achieve are authentication, authorization and nonrepudiation.the proposed model based on three security issues: PKI, biometrics, and hardware security tool. The first one is selection of PKI cause this methodology based on the certificate and digital signature that ensure the authentication and non-repudiation security services, which we need to obtain in e-government system. Issuing the biometrics is the second one, and differentiates between biometrics parts have been known by DaeyoungHeo and Suntae Hwang [13]. Through our study about Biometric characteristics and comparisons with Biometric parts we choose the fingerprint. Fingerprint is accomplishing some accuracy. Fingerprint is suitable for E-government applications cause it is the most economical biometric PC user Authentication technique, Easy to use, small storage space required for the biometric template, reducing the size of the database Memory required,standardized, and one of the most Developed biometrics And the third issue is using hardware security device. We choose hardware token; token is a physical device that an authorized user of computer services is given to aid in authentication. Advantage of the token: can be modified while in use, simple / Inexpensive to use, ensures all students get Fair treatment, reinforcing basic math skills, Teaches selfdiscipline. Some people preferred to use the smart card but it noticed that a token has a lot features more than smart card. The smart card takes much time to read data from because it needs reader device while the token need no device except USB socket. Login the site through a token much faster than the smart card. Token is clearly and Chip in the smart card can be scratched while the token does not scratched. The proposed model is based on two main levels they are to register and verification. The both levels will be discussed at the following: 3.1. Registration This level is face-to-face level; it needs a meeting between user and the central government which act as Registration Authority (RA). At this meeting the user needs to register his information into the central government to issue a digital certificate. In the model we choose a hardware token can take and store the user fingerprint for more security. The RA gets the personal information of the user and his/her finger print image. Then the user receives the hardware token carried by the user certificate and private key. Figure 3 illustrate the register steps. The following steps discuss figure 3. 1. The user Request Certificate from the Registration Authority and Registration Authority (RA) Verify User. 2. Registration Authority Vouch for User to the Certification Authority. 34

3. Certification Authority Issue Certificate to user. 4. Certification Authority Stores Certificate to Repository (for future use the user because maybe he lost). 5. Registration Authority takes PIN & Fingerprint form User. 6. Registration Authority store Certificate & PIN & Fingerprint on Token. 7. Registration Authority Store PIN and Fingerprint on Repository (for future use the user because maybe he lost). Fig 3: Registration (PIN & fingerprint & certification). 3.2 Verification This level based on web application, this step is important for E-government. The user of E-government will be using his token to verify him. Figure 4 illustrate the steps of verification level. The steps will be discussed as following: 1. Verify User by PIN and then by fingerprint reader that Collect Biometric Data. 2. Verify quality fingerprint if Quality Sufficient then generates the template, if not then new biometric sample is requested. 3. Verify fingerprint by match the template with the token if Decision Confidence then do the 4th step if not go back to user. 4. Digitally singed by the Relaying Party and take the Certificate. 5. Verify the certificate will be send it through to the server PKI and the certificate is verified through CRL. 6. Verify the certificate is active if generate session key and send session key to client, the client request new session and attaching the session key with his request, and the server checks for session key if the session key correct then open session else stopping session. Else the certification is in active stopping the procedure. As explained in Figure 5 below. 35

Figure 4: Verification (PIN & fingerprint & certification). Figure 5: Explain step 5 and 6, relaying party. We can collect one scheme ways to illustrate the workflow, but through drawing. As explained in Figure 6 below 36

Figure 6: the workflow Registration and Verification E-government must provide security during the high exchange of documents between the user and the server. The user login in website E-government should have a high security on Web content, including documents, as well as how to transfer these documents between the government and the user. So it must to provide trusted transfer process, according to our study and applications, which applies these days through the digital signature using the private key and public. We will explain how to be used and documentation among the governments in order to provide a safe environment for the protection of government data in the server. Initially the digital signature must be achieved from the provision of key public and private, which are stored on Token. After making sure the user opens the website of government, there are many services for e-government; we will take one of them, in the issuance of the passport. for example, if the user needs to issue a passport he will go to the site of Ministry of the Interior and then goes to the name of the application in the issue of a new passport and ask the server to open this application and the server opens application, The user fill application with his information, at the end the user puts his digital signature at the end of the application. Then encrypts this application or document with the private key that is stored in Token and sent to the server to verify the user as well as to achieve Confidentiality, Authentication, integrity and non-repudiation. The server verify the user process to decryption using the public key of the user and if the user is already active it, a server will send messages agree the process and give him a date for the receipt of the passport, as shown in Figure 7 below. Figure 7: Success Fill Application of Website 37

4. EXPERIMENT Through our study, it is clear that e-government is a great thing in providing assistance to citizens so our focus was to provide security to the service using the technique of user authentication and data transfer security. Through the application of our token using PIN code, fingerprint and the digital certificate the give us the highest security, and compared with the smart card, there is a big difference in time in terms of make sure from person takes less than 3 seconds in the token and smart card takes less than 7 seconds, and this difference in the science of accounts. As well as the applied file transfer between the citizen and the server, which is done through the digital signature on the file and give us the results of which will be in the case of encryption and signature on file when the home is as shown in Figure 8 below. Figure 8: Comparing a hash, encryption and execution time In the case of decryption, and the comparison that the user effective or not effective, and the response to the user's acceptance or rejection of the results were as shown in Figure 9 below. Figure 9: Comparing a reading, hash, decryption and execution time 5. CONCLUSION In the proposed work we have created a security model to achieve higher security through authentication, nonrepudiation, and encryption of information, as well as take a little time to verify user and achieves trust between the user and the party responsible. And this based on PKI Issued digital certificates and digital signature and etc. Which is the basis of our work, as well as on Biometrics a fingerprint that is easier type of Biometric, and stores all these parts in the token, which we explained its features and the difference between it and the smart card, And this made us less time with high security where it takes about 3 seconds. The future work, we are implementing this model in the field of e-government, and there many of the areas that can be 38

applied for example in the field of e-health, e-learning and e- voting. 6. REFERENCES [1] RICHARD HEEKS,I Government, Centre for Development Informatics, Institute for Development Policy and Management, SED University of Manchester, Arthur Lewis Building, Manchester, M13 9PL, UK,2010. [2] NATIONAL PKI: THE FOUNDATION OF TRUST IN GOVERNMENT, Symantec World Headquarters 350 Ellis St. (2011). [3] D. Richard Kuhn, Vincent C. Hu, W. Timothy Polk, Shu- Jen Chang, Introduction to Public Key Technology and the Federal PKI Infrastructure, National Institute of Standards and Technology, 26 February 2001. [4] Matti Järvinen, PKI Requirements for IPsec, helsinki university of technology department of computer science and engineering,2003. [5] RFC 2104 HMAC: Keyed-Hashing for MessageAuthentication.http://www.ietf.org/rfc/rfc2104.t xt, visited Jun. 2014. [6] Lee A. Guideline for implementing cryptography in the Federal Government, NIST SP 800-21. National Institute of Standards and Technology November, 1999. [7] Anil Jain, 50 Years of Biometric Research : Almost solved, The unsolved, and the Unexplored, Michigan State University,Jun 5,2013. [8] Biometric-S-2013, [Online] Retrieved from:http://www.biometric-security-devices.com/facialbiometrics.html,facial Biometrics An Excellent Time Attendance And Tracking Option, [Accessed: 2 NOV 2013]. [9] Jacob KOHNSTAMM, Done at Brussels, on 27 April 2012,Opinion 3/2012 on developments in biometric technologies, Website: http://ec.europa.eu/justice/dataprotection/index_en.htm. [10] Ali Shayan, BehnamAbdi, and MaliheQeisari,,identify the importance of information security requirements during each stage of the e-government maturity, 2008. [11] Phi1D'Angio.PanosVassilliadas Phaidon Kaklamanis, PKI - Crawling Out of the Grave &Into the Arms of Government,2010. [12] ali m.al-khouri, pki in government identity management systems, Emirates Identity Authority, Abu Dhabi, United Arab Emirates. ali.alkhouri@emiratesid.ae,2011 DaeyoungHeo and Suntae Hwang, Proposed to Adapt Reliability of National PKI to Grid Security Infrastructure by Credential Translation and Delegation with OAuth, International Journal of Security and Its Applications, Vol. 6, No. 3, July, 2012. [13] Ali M.Al-Khouri, egovernment Strategies The Case of the United Arab Emirates (UAE), European Journal of epractice www.epracticejournal.eu,nº 17 September 2012. [14] IJCA TM : www.ijcaonline.org 39

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information