SlideShare a Scribd company logo
1 of 22
Prof. Madhulika Bangre (Research Scholar) and Prof. (Dr.)
G.T.Thampi (Principal & Research Guide)
TSEC,Bandra (W), Mumbai, University Of Mumbai, INDIA
bmadhulika03@gmail.com,gtthampi@yahoo.com
Kapil Kant Kamal and Manish Kumar
Centre for Development of Advanced Computing (C-DAC), Mumbai,
India
kapil@cdac. in, kmanish@cdac. in
Analysis of Security Requirements
for M-Governance Project
Implementation
ASDF WSS-
2014
31-12-2014
Presentation Flow
• Abstract
• Objective
• Introduction
• Security Requirements For M-Gov Implementations
• Security Analysis of M-Governance Delivery channels
• Important Findings
• Proposed Solution
• Conclusion
• References
31-12-2014
Abstract
M-Governance provides an additional access tools for e-
Government and its processes with the uses of wireless and
mobile technologies to deliver services over mobile devices.
Though M-Governance extends the accessibility of e-
governance to mobile platform, but it also brings along
numerous challenges in terms of security and authentication,
making it the prime reason behind the apprehension in citizen to
use this channel effectively. Hence, adequate levels of security
must be ensured before implementing such government
applications over wireless/mobile channels.
This study discusses real time security requirements of m-
governance projects to increase the acceptability of the citizen
to this rapidly developing channel. By means of this paper, we
propose a separate security module to address the security
issues in implementing m-governance project.
Further, it also includes case study of Aadhar E-KYC depicting31-12-2014
Objective
This study helps in identifying the real time security
needs and offers various measures that can be easily
incorporated by the government department and
application developers for securing the
request/response data during transmission via mobile
delivery channel.
The objective of this paper is to sensitize various
implementation agencies to identify the types of
security measures which can be easily adopted for the
implementation of mobile services and application.
Such security specification, may be replicated by other
Govt. department where ever necessary which can
contribute to the overall success of m-governance.
31-12-2014
Introduction
In recent years, many states in India have started
offering government services via various mobile delivery
channels for catering the needs of citizen by integrating
various government departments, services and telecom
service providers. Such implementations have helped to
create cost effective, efficient and round the clock
Government information systems.
All the efforts made by Government departments will be
futile without the inclusion of security and integrity
features in mobile delivery channels like SMS, USSD,
WAP, etc.
Most of the security measures are already incorporated
in m-governance frameworks, but still there are few
measures which can help to provide extra layer of
security at the department level and application
development level, keeping in mind the sensitivity of the
citizen data which are exchanged over such mobile31-12-2014
SECURITY REQUIREMENTS FOR M-GOV
IMPLEMENTATIONS
Developers need to seamlessly integrate security functionality into
their mobile applications which should support API for secure
communication of data between the user device and the server.
The increased use of mobile devices for storage of personal and
sensitive data for mobile client application need advanced security for
encrypting the stored data.
The existing security depends on a username/user-id/mobile
number along with PIN/password to verify the user. This method is
not sufficient, especially in cases where critical and personal
information need to be exchanged over untrusted network.
Therefore, it is important for mobile services to have a higher level of
security consisting of combinations of two or more parameters like
unique registration number, One time Password, biometric details ,
etc., which can give rise to a reliable authentication system to
ensure user authenticity.
31-12-2014
SECURITY ANALYSIS OF M-GOVERNANCE
DELIVERY CHANNELS
Statistics of Usage:
Following are the results of the analysis done based
on the independent survey of usage and
acceptability of M-governance delivery channels:
1. Which all channels have you used for accessing
Govt. services through Mobile platform?
31-12-2014
Figure1.Statistics for Mobile Channel Usage.
Observations 1:
Short message service (SMS) channel employs SMS
Gateway as the interface for sending and receiving the
SMS and value added services. A message sent by the
server is received by a Short Message Service Center
(SMSC) which makes use of a variety of protocols like
SMPP CIMD etc. and then SMSC forwards it through the
appropriate GSM or CDMA network to the appropriate
mobile device.
It has been observed that that the request and the
response which are sent using SMS are sent as a plain
text. There may be cases where the messages need to
be encrypted and only the intended user can view it. This
can be achieved by securing the message by encrypting it
with a key known only to the intended user. Key
Exchange protocol can be used to exchange the key
between the back-end server and the user mobile device.
Another technique is to use PKI (Public Key
Infrastructure) based security measures.
31-12-2014
Observations 2:
Mobile Application: The user needs to fill in the
necessary information in order to request service
from the Govt. Department. The request then
takes the form of http request with a URL(Uniform
Resource Locator) which hits the appropriate
server for processing.
It has been observed that the parameters or user
credential which forms the request is sent as it is
which can be easily tampered by the intruder.
This URL can also be encrypted using PKI
which is an arrangement that binds public and
private keys with respective user identities by
means of a CA (Certification Authority). 31-12-2014
PROJECTS
The security architectural model depicts a security layer
crossing at various levels of external communication
that take place between an integrated service delivery
platform and various stakeholders like Government
departments, network service providers,
telecommunication departments, payment bodies, etc.
Figure 2.Security Architecture for M-Governance Projects.
31-12-2014
Features
31-12-2014
Major security concerns related to 2G/3G/GPRS
networks are dealt by the telecommunication
operators.
The security of request and response data
between the client and the server through the
delivery channels (SMS, WAP) should be
provided by the department and application
developers.
The security system should provide flexibility
regarding the transmission of data with different
data formats like XML, JSON using transport
protocols like HTTP/HTTPS and TCP.
Features of Security Architecture
31-12-2014
User Authentication: This component is responsible for
authenticating the user as defined by the various
transition types. The module will verify the user/mobile
number, check for the registration of the user, verify the
PIN/password, Biometric information if supported, One-
Time-Password (OTP). Departments may choose to use
one or more methods to authenticate the user and verify
the transaction authenticity.
User Authorization: This component is responsible for
checking various roles and permission associated with
the functions call made to the database server. Different
delegation roles are defined for incorporating this feature
into the functional modules to check the access rights of
the user and the admin. The departments should transmit
or share user information only on the user’s
authorization.
31-12-2014
Data Encryption: The information which is transferred while
calling an API for availing services from various Govt.
departments should be encrypted using PKI . The integrity
and authenticity of the response can be provided by using
digital signatures where in the hash of the message is
created by using hash function, and then it will be encrypted by
departments’ Private key. This creates the signature by using
the cryptographic algorithm. Signature is cross verified.
Department is the only private key owner, they cannot deny
sending the message. This is called non-repudiation.
Transaction Security: Each transaction request will interact with
external systems for verification & presentment of the
information, will interact with payment module, department
module, citizen profile module and other modules for various
types of verifications. There is a need for calling business
Features of Security Architecture
(contd.)
31-12-2014
Alerting /Logging/ Auditing: This component generates
alerts for other system components, users, administrators
upon occurrence of certain activity or event.
Logging involves life-cycle details of the transaction with
information about each and every process step. The
module need to log all the API calls to the external system
with reference data and date-time stamp.
Auditing serves the purpose of tracking any changes to the
system configurations. The module needs to have ability to
configure various elements of the system like database
tables, UI, functional flow, parameters at various levels. It
maintains audit records for all the authentication request
metadata along with the response.
Features of Security Architecture
(contd.)
Case Study Of Aadhaar e-KYC
API
The Unique Identification Authority of India (UIDAI)
department provides verification of Unique
Identification Number (Aadhaar) to all residents of
India using E-KYC API. The e-KYC API can be used
by an agency to obtain latest resident demographic
data and photo data from UIDAI upon the authorization
of the user. This case depicts the authentication, key
exchange and encryption mechanism adopted by
UIDAI for processing the request of the user.
31-12-2014
Figure 3. E-KYC Data Flow
The URL format for Aadhaar KYC
service request:
31-12-2014
To support strong end to end security and avoid request
tampering and man-in-the-middle attacks, it is essential
that encryption of data happened at the time of capture on
the user device. E-KYC is a stateless service over HTTPs
protocol which make use of XML data format for input and
output which allows easy adoption by the user agencies.
API input data should be sent to the URL as XML
document.
https://<host>/kyc/<ver>/<ac>/<uid[0]>/<uid[1]>/<asalk>
Host:Aadhar KYC server address
Kyc: indicate KYC call
Ver :indicate KYC version
Ac: unique code foe KUA
uid[0] and uid[1] : first 2 digits of Aadhaar number.
asalk : A valid KSA license key. It is used for authorization.
The XML data format for authentication
API:
31-12-2014
<Kyc ver=“” ts=“” ra=“” rc=“”>
<Rad>base64 encoded fully valid Auth XML for
resident</Rad>
<Signature/>
</Kyc>
ver:KYC version
ts: timestamp of authentication request
ra: resident authentication type
rs: resident consent to use resident data from Aadhar system
<rad>: element contains base64 encoded Auth XML for
authentication with a valid transaction value(txn).
<Signature>: It is mandatory and used exchanging information
regarding digital signature and certificates using which the KSA
and KUA ensure the message security and integrity between their
servers.
Response XML for the KYC API is as
follows:
31-12-2014
<Resp status=“”>encrypted and base64 encoded
“KycRes” element</Resp>
Resp : container for keeping encrypted KYC data
signed by UIDAI.
“KysRes” is encrypted using either KSA public key or
KUA public key based on the KSA/KUA setup on
UIDAI server. KysRes once decoded containing
information regarding response, transaction,
timestamp, authentication API, UID data, error code in
case of error. It also has encoded Signature element
to check for message integrity and non-repudiation.
Conclusion
31-12-2014
For successful implementation of such
frameworks it is necessary to provide secure,
reliable and high quality services and
applications to the citizen as per their
expectation. The case study provided will
surely help m-governance project
implementers to understand the security
mechanism involved in the authentication of
the entities and encryption of the request and
response data.
Consequently, it will enhance the
complete user experience of using this
government services using this newly addedresponse data
ACKNOWLEDGMENT
We are thankful to C-DAC Mobile Seva team for
their practical inputs and for helping us in
providing the deeper understanding of m-
governance project implementation security
issues. We would like to pay our special thanks to
Dr. Zia Saquib, Executive Director, C-DAC for
supporting us in pursuing this investigation.
31-12-2014
References
1) Antovski, L and Gusev, M 2005, M-Government Framework, Proceedings of the
First European Conference on Mobile Government, 10-12 July, University Sussex,
Brighton, UK.
2) Mengistu, Desta, Hangjung Zo, and Jae Jeung Rho. "M-government:
opportunities and challenges to deliver mobile government services in developing
countries." Computer Sciences and Convergence Information Technology, 2009.
ICCIT'09. Fourth International Conference on. IEEE, 2009.
3) Kumar, Ranjan, Manish Kumar, and Kapil Kant Kamal. "Indian Ecosystem for
Mobile based Service Delivery." www. excelpublish. com: 129.
4) http://india.gov.in/spotlight/mobile-seva-citizen-services-mobile-phones
5) https://mgov.gov.in/
6) mobile.karnataka.gov.in/
7) http://www.itmission.kerala.gov.in/mobile-governance.php
8) https://mgov.gov.in/msdpbasic.jsp
9) www.developershome.com/sms/smsIntro.asp
10) A. Pourali, Dr. M. V. Malakooti, Dr. M.H Yektai, " A Secure SMS Model in E-
Commerce Payment using Combined AES and ECC Encryption Algorithms",
Proceedings of the International conference on Computing Technology and
Information Management, Dubai, UAE, pp 431-442,2014.
11) Watari, M.A., A.A. Zaidan and B.B. Zaidan,, 2013. Securing m-government
transmission based on symmetric and asymmetric algorithms: a review.. Asian J.
Sci. Res., 6: 632-649.
12) http://uidai.gov.in/images/authDoc/d2_authentication_framework_v1.pdf
31-12-2014
Questions??
Thank You
31-12-2014

More Related Content

What's hot

Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forward
Conference Papers
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD Editor
 
ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011
prasanna9
 

What's hot (17)

Brisk and secure ad hoc vehicular communication
Brisk and secure ad hoc vehicular communicationBrisk and secure ad hoc vehicular communication
Brisk and secure ad hoc vehicular communication
 
Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forward
 
P0704085089
P0704085089P0704085089
P0704085089
 
Two aspect authentication system using secure mobile
Two aspect authentication system using secure mobileTwo aspect authentication system using secure mobile
Two aspect authentication system using secure mobile
 
Security for Future Networks: A Prospective Study of AAIs
Security for Future Networks: A Prospective Study of AAIsSecurity for Future Networks: A Prospective Study of AAIs
Security for Future Networks: A Prospective Study of AAIs
 
Z041106163167
Z041106163167Z041106163167
Z041106163167
 
Smart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal systemSmart-Authentication: A secure web service for providing bus pass renewal system
Smart-Authentication: A secure web service for providing bus pass renewal system
 
Sustainability 07-02028
Sustainability 07-02028Sustainability 07-02028
Sustainability 07-02028
 
Authentication Systems in Internet of Things
Authentication Systems in Internet of ThingsAuthentication Systems in Internet of Things
Authentication Systems in Internet of Things
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
 
Congestion and overload control techniques in massive M2M systems: a survey
Congestion and overload control techniques in massive M2M systems: a surveyCongestion and overload control techniques in massive M2M systems: a survey
Congestion and overload control techniques in massive M2M systems: a survey
 
Instant messaging tech scet
Instant messaging tech scetInstant messaging tech scet
Instant messaging tech scet
 
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT)
 
ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011ipas implicit password authentication system ieee 2011
ipas implicit password authentication system ieee 2011
 
Secure instant messanger service
Secure instant messanger serviceSecure instant messanger service
Secure instant messanger service
 
IRJET- Technical Review of different Methods for Multi Factor Authentication
IRJET-  	  Technical Review of different Methods for Multi Factor AuthenticationIRJET-  	  Technical Review of different Methods for Multi Factor Authentication
IRJET- Technical Review of different Methods for Multi Factor Authentication
 
An Overview on Authentication Approaches and Their Usability in Conjunction w...
An Overview on Authentication Approaches and Their Usability in Conjunction w...An Overview on Authentication Approaches and Their Usability in Conjunction w...
An Overview on Authentication Approaches and Their Usability in Conjunction w...
 

Similar to ASDF WSS 2014 Paper 003

Brisk and secure ad hoc vehicular communication
Brisk and secure ad hoc vehicular communicationBrisk and secure ad hoc vehicular communication
Brisk and secure ad hoc vehicular communication
eSAT Journals
 
Efficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed NetworkEfficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed Network
IJERA Editor
 
Ijmer 41025357
Ijmer 41025357Ijmer 41025357
Ijmer 41025357
IJMER
 
Ijmer 41025357
Ijmer 41025357Ijmer 41025357
Ijmer 41025357
IJMER
 
Ijmer 41025357
Ijmer 41025357Ijmer 41025357
Ijmer 41025357
IJMER
 
Efficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant MessengerEfficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant Messenger
TELKOMNIKA JOURNAL
 
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
idescitation
 

Similar to ASDF WSS 2014 Paper 003 (20)

Brisk and secure ad hoc vehicular communication
Brisk and secure ad hoc vehicular communicationBrisk and secure ad hoc vehicular communication
Brisk and secure ad hoc vehicular communication
 
Dashboard of intelligent transportation system (ITS) using mobile agents stra...
Dashboard of intelligent transportation system (ITS) using mobile agents stra...Dashboard of intelligent transportation system (ITS) using mobile agents stra...
Dashboard of intelligent transportation system (ITS) using mobile agents stra...
 
SECURITY ANALYSIS AND DELAY EVALUATION FOR SIP-BASED MOBILE MASS EXAMINATION ...
SECURITY ANALYSIS AND DELAY EVALUATION FOR SIP-BASED MOBILE MASS EXAMINATION ...SECURITY ANALYSIS AND DELAY EVALUATION FOR SIP-BASED MOBILE MASS EXAMINATION ...
SECURITY ANALYSIS AND DELAY EVALUATION FOR SIP-BASED MOBILE MASS EXAMINATION ...
 
Security Analysis and Delay Evaluation for SIP - Based Mobile Mass Examinatio...
Security Analysis and Delay Evaluation for SIP - Based Mobile Mass Examinatio...Security Analysis and Delay Evaluation for SIP - Based Mobile Mass Examinatio...
Security Analysis and Delay Evaluation for SIP - Based Mobile Mass Examinatio...
 
Dynamic Key Based User Authentication (DKBUA) Framework for MobiCloud Environ...
Dynamic Key Based User Authentication (DKBUA) Framework for MobiCloud Environ...Dynamic Key Based User Authentication (DKBUA) Framework for MobiCloud Environ...
Dynamic Key Based User Authentication (DKBUA) Framework for MobiCloud Environ...
 
Security issues in grid computing
Security issues in grid computingSecurity issues in grid computing
Security issues in grid computing
 
Efficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed NetworkEfficient and Secure Single Sign on Mechanism for Distributed Network
Efficient and Secure Single Sign on Mechanism for Distributed Network
 
Addressing Security Issues and Challenges in Mobile Cloud Computing
Addressing Security Issues and Challenges in Mobile Cloud ComputingAddressing Security Issues and Challenges in Mobile Cloud Computing
Addressing Security Issues and Challenges in Mobile Cloud Computing
 
Using Trusted Platform Module (TPM) to Secure Business Communication (SBC) in...
Using Trusted Platform Module (TPM) to Secure Business Communication (SBC) in...Using Trusted Platform Module (TPM) to Secure Business Communication (SBC) in...
Using Trusted Platform Module (TPM) to Secure Business Communication (SBC) in...
 
Efficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant MessengerEfficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant Messenger
 
Secure Multi-Owner Group Signature Based Secure M-Health Records in Cloud
Secure Multi-Owner Group Signature Based Secure M-Health  Records in Cloud Secure Multi-Owner Group Signature Based Secure M-Health  Records in Cloud
Secure Multi-Owner Group Signature Based Secure M-Health Records in Cloud
 
Ijmer 41025357
Ijmer 41025357Ijmer 41025357
Ijmer 41025357
 
Ijmer 41025357
Ijmer 41025357Ijmer 41025357
Ijmer 41025357
 
Ijmer 41025357
Ijmer 41025357Ijmer 41025357
Ijmer 41025357
 
Efficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant MessengerEfficient Data Security for Mobile Instant Messenger
Efficient Data Security for Mobile Instant Messenger
 
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
Trust Assessment Policy Manager in Cloud Computing – Cloud Service Provider’s...
 
IRJET- An Overview on Mobile Cloud Computing
IRJET-  	  An Overview on Mobile Cloud ComputingIRJET-  	  An Overview on Mobile Cloud Computing
IRJET- An Overview on Mobile Cloud Computing
 
International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER) International Journal of Computational Engineering Research(IJCER)
International Journal of Computational Engineering Research(IJCER)
 
A New Research and Design for Grid Portal Security System
A New Research and Design for Grid Portal Security SystemA New Research and Design for Grid Portal Security System
A New Research and Design for Grid Portal Security System
 
Two aspect authentication system using secure
Two aspect authentication system using secureTwo aspect authentication system using secure
Two aspect authentication system using secure
 

More from Association of Scientists, Developers and Faculties

Core conferences bta 19 paper 12
Core conferences bta 19 paper 12Core conferences bta 19 paper 12
Core conferences bta 19 paper 12
Association of Scientists, Developers and Faculties
 
Core conferences bta 19 paper 10
Core conferences bta 19 paper 10Core conferences bta 19 paper 10
Core conferences bta 19 paper 10
Association of Scientists, Developers and Faculties
 
Core conferences bta 19 paper 8
Core conferences bta 19 paper 8Core conferences bta 19 paper 8
Core conferences bta 19 paper 7
Core conferences bta 19 paper 7Core conferences bta 19 paper 7
Core conferences bta 19 paper 6
Core conferences bta 19 paper 6Core conferences bta 19 paper 6
Core conferences bta 19 paper 5
Core conferences bta 19 paper 5Core conferences bta 19 paper 5
Core conferences bta 19 paper 4
Core conferences bta 19 paper 4Core conferences bta 19 paper 4
Core conferences bta 19 paper 3
Core conferences bta 19 paper 3Core conferences bta 19 paper 3
Core conferences bta 19 paper 2
Core conferences bta 19 paper 2Core conferences bta 19 paper 2

More from Association of Scientists, Developers and Faculties (20)

Core conferences bta 19 paper 12
Core conferences bta 19 paper 12Core conferences bta 19 paper 12
Core conferences bta 19 paper 12
 
Core conferences bta 19 paper 10
Core conferences bta 19 paper 10Core conferences bta 19 paper 10
Core conferences bta 19 paper 10
 
Core conferences bta 19 paper 8
Core conferences bta 19 paper 8Core conferences bta 19 paper 8
Core conferences bta 19 paper 8
 
Core conferences bta 19 paper 7
Core conferences bta 19 paper 7Core conferences bta 19 paper 7
Core conferences bta 19 paper 7
 
Core conferences bta 19 paper 6
Core conferences bta 19 paper 6Core conferences bta 19 paper 6
Core conferences bta 19 paper 6
 
Core conferences bta 19 paper 5
Core conferences bta 19 paper 5Core conferences bta 19 paper 5
Core conferences bta 19 paper 5
 
Core conferences bta 19 paper 4
Core conferences bta 19 paper 4Core conferences bta 19 paper 4
Core conferences bta 19 paper 4
 
Core conferences bta 19 paper 3
Core conferences bta 19 paper 3Core conferences bta 19 paper 3
Core conferences bta 19 paper 3
 
Core conferences bta 19 paper 2
Core conferences bta 19 paper 2Core conferences bta 19 paper 2
Core conferences bta 19 paper 2
 
CoreConferences Batch A 2019
CoreConferences Batch A 2019CoreConferences Batch A 2019
CoreConferences Batch A 2019
 
International Conference on Cloud of Things and Wearable Technologies 2018
International Conference on Cloud of Things and Wearable Technologies 2018International Conference on Cloud of Things and Wearable Technologies 2018
International Conference on Cloud of Things and Wearable Technologies 2018
 
ICCELEM 2017
ICCELEM 2017ICCELEM 2017
ICCELEM 2017
 
ICSSCCET 2017
ICSSCCET 2017ICSSCCET 2017
ICSSCCET 2017
 
ICAIET 2017
ICAIET 2017ICAIET 2017
ICAIET 2017
 
ICICS 2017
ICICS 2017ICICS 2017
ICICS 2017
 
ICACIEM 2017
ICACIEM 2017ICACIEM 2017
ICACIEM 2017
 
A Typical Sleep Scheduling Algorithm in Cluster Head Selection for Energy Eff...
A Typical Sleep Scheduling Algorithm in Cluster Head Selection for Energy Eff...A Typical Sleep Scheduling Algorithm in Cluster Head Selection for Energy Eff...
A Typical Sleep Scheduling Algorithm in Cluster Head Selection for Energy Eff...
 
Application of Agricultural Waste in Preparation of Sustainable Construction ...
Application of Agricultural Waste in Preparation of Sustainable Construction ...Application of Agricultural Waste in Preparation of Sustainable Construction ...
Application of Agricultural Waste in Preparation of Sustainable Construction ...
 
Survey and Research Challenges in Big Data
Survey and Research Challenges in Big DataSurvey and Research Challenges in Big Data
Survey and Research Challenges in Big Data
 
Asynchronous Power Management Using Grid Deployment Method for Wireless Senso...
Asynchronous Power Management Using Grid Deployment Method for Wireless Senso...Asynchronous Power Management Using Grid Deployment Method for Wireless Senso...
Asynchronous Power Management Using Grid Deployment Method for Wireless Senso...
 

Recently uploaded

Chemistry Data Delivery from the US-EPA Center for Computational Toxicology a...
Chemistry Data Delivery from the US-EPA Center for Computational Toxicology a...Chemistry Data Delivery from the US-EPA Center for Computational Toxicology a...
Chemistry Data Delivery from the US-EPA Center for Computational Toxicology a...
US Environmental Protection Agency (EPA), Center for Computational Toxicology and Exposure
 
GENETICALLY MODIFIED ORGANISM'S PRESENTATION.ppt
GENETICALLY MODIFIED ORGANISM'S PRESENTATION.pptGENETICALLY MODIFIED ORGANISM'S PRESENTATION.ppt
GENETICALLY MODIFIED ORGANISM'S PRESENTATION.ppt
SyedArifMalki
 
HIV AND INFULENZA VIRUS PPT HIV PPT INFULENZA VIRUS PPT
HIV AND INFULENZA VIRUS PPT HIV PPT  INFULENZA VIRUS PPTHIV AND INFULENZA VIRUS PPT HIV PPT  INFULENZA VIRUS PPT
Electricity and Circuits for Grade 9 students
Electricity and Circuits for Grade 9 studentsElectricity and Circuits for Grade 9 students
Electricity and Circuits for Grade 9 students
levieagacer
 

Recently uploaded (20)

RACEMIzATION AND ISOMERISATION completed.pptx
RACEMIzATION AND ISOMERISATION completed.pptxRACEMIzATION AND ISOMERISATION completed.pptx
RACEMIzATION AND ISOMERISATION completed.pptx
 
Adaptive Restore algorithm & importance Monte Carlo
Adaptive Restore algorithm & importance Monte CarloAdaptive Restore algorithm & importance Monte Carlo
Adaptive Restore algorithm & importance Monte Carlo
 
Soil and Water Conservation Engineering (SWCE) is a specialized field of stud...
Soil and Water Conservation Engineering (SWCE) is a specialized field of stud...Soil and Water Conservation Engineering (SWCE) is a specialized field of stud...
Soil and Water Conservation Engineering (SWCE) is a specialized field of stud...
 
A Scientific PowerPoint on Albert Einstein
A Scientific PowerPoint on Albert EinsteinA Scientific PowerPoint on Albert Einstein
A Scientific PowerPoint on Albert Einstein
 
PARENTAL CARE IN FISHES.pptx for 5th sem
PARENTAL CARE IN FISHES.pptx for 5th semPARENTAL CARE IN FISHES.pptx for 5th sem
PARENTAL CARE IN FISHES.pptx for 5th sem
 
ANITINUTRITION FACTOR GYLCOSIDES SAPONINS CYANODENS
ANITINUTRITION FACTOR GYLCOSIDES SAPONINS CYANODENSANITINUTRITION FACTOR GYLCOSIDES SAPONINS CYANODENS
ANITINUTRITION FACTOR GYLCOSIDES SAPONINS CYANODENS
 
FORENSIC CHEMISTRY ARSON INVESTIGATION.pdf
FORENSIC CHEMISTRY ARSON INVESTIGATION.pdfFORENSIC CHEMISTRY ARSON INVESTIGATION.pdf
FORENSIC CHEMISTRY ARSON INVESTIGATION.pdf
 
Chemistry Data Delivery from the US-EPA Center for Computational Toxicology a...
Chemistry Data Delivery from the US-EPA Center for Computational Toxicology a...Chemistry Data Delivery from the US-EPA Center for Computational Toxicology a...
Chemistry Data Delivery from the US-EPA Center for Computational Toxicology a...
 
Precision Farming in Fruit Crops presentation
Precision Farming in Fruit Crops presentationPrecision Farming in Fruit Crops presentation
Precision Farming in Fruit Crops presentation
 
Heads-Up Multitasker: CHI 2024 Presentation.pdf
Heads-Up Multitasker: CHI 2024 Presentation.pdfHeads-Up Multitasker: CHI 2024 Presentation.pdf
Heads-Up Multitasker: CHI 2024 Presentation.pdf
 
GENETICALLY MODIFIED ORGANISM'S PRESENTATION.ppt
GENETICALLY MODIFIED ORGANISM'S PRESENTATION.pptGENETICALLY MODIFIED ORGANISM'S PRESENTATION.ppt
GENETICALLY MODIFIED ORGANISM'S PRESENTATION.ppt
 
HIV AND INFULENZA VIRUS PPT HIV PPT INFULENZA VIRUS PPT
HIV AND INFULENZA VIRUS PPT HIV PPT  INFULENZA VIRUS PPTHIV AND INFULENZA VIRUS PPT HIV PPT  INFULENZA VIRUS PPT
HIV AND INFULENZA VIRUS PPT HIV PPT INFULENZA VIRUS PPT
 
GBSN - Microbiology (Unit 4) Concept of Asepsis
GBSN - Microbiology (Unit 4) Concept of AsepsisGBSN - Microbiology (Unit 4) Concept of Asepsis
GBSN - Microbiology (Unit 4) Concept of Asepsis
 
GBSN - Biochemistry (Unit 3) Metabolism
GBSN - Biochemistry (Unit 3) MetabolismGBSN - Biochemistry (Unit 3) Metabolism
GBSN - Biochemistry (Unit 3) Metabolism
 
GBSN - Biochemistry (Unit 8) Enzymology
GBSN - Biochemistry (Unit 8) EnzymologyGBSN - Biochemistry (Unit 8) Enzymology
GBSN - Biochemistry (Unit 8) Enzymology
 
Vital Signs of Animals Presentation By Aftab Ahmed Rahimoon
Vital Signs of Animals Presentation By Aftab Ahmed RahimoonVital Signs of Animals Presentation By Aftab Ahmed Rahimoon
Vital Signs of Animals Presentation By Aftab Ahmed Rahimoon
 
Electricity and Circuits for Grade 9 students
Electricity and Circuits for Grade 9 studentsElectricity and Circuits for Grade 9 students
Electricity and Circuits for Grade 9 students
 
Information science research with large language models: between science and ...
Information science research with large language models: between science and ...Information science research with large language models: between science and ...
Information science research with large language models: between science and ...
 
EU START PROJECT. START-Newsletter_Issue_4.pdf
EU START PROJECT. START-Newsletter_Issue_4.pdfEU START PROJECT. START-Newsletter_Issue_4.pdf
EU START PROJECT. START-Newsletter_Issue_4.pdf
 
An Overview of Active and Passive Targeting Strategies to Improve the Nano-Ca...
An Overview of Active and Passive Targeting Strategies to Improve the Nano-Ca...An Overview of Active and Passive Targeting Strategies to Improve the Nano-Ca...
An Overview of Active and Passive Targeting Strategies to Improve the Nano-Ca...
 

ASDF WSS 2014 Paper 003

  • 1. Prof. Madhulika Bangre (Research Scholar) and Prof. (Dr.) G.T.Thampi (Principal & Research Guide) TSEC,Bandra (W), Mumbai, University Of Mumbai, INDIA bmadhulika03@gmail.com,gtthampi@yahoo.com Kapil Kant Kamal and Manish Kumar Centre for Development of Advanced Computing (C-DAC), Mumbai, India kapil@cdac. in, kmanish@cdac. in Analysis of Security Requirements for M-Governance Project Implementation ASDF WSS- 2014 31-12-2014
  • 2. Presentation Flow • Abstract • Objective • Introduction • Security Requirements For M-Gov Implementations • Security Analysis of M-Governance Delivery channels • Important Findings • Proposed Solution • Conclusion • References 31-12-2014
  • 3. Abstract M-Governance provides an additional access tools for e- Government and its processes with the uses of wireless and mobile technologies to deliver services over mobile devices. Though M-Governance extends the accessibility of e- governance to mobile platform, but it also brings along numerous challenges in terms of security and authentication, making it the prime reason behind the apprehension in citizen to use this channel effectively. Hence, adequate levels of security must be ensured before implementing such government applications over wireless/mobile channels. This study discusses real time security requirements of m- governance projects to increase the acceptability of the citizen to this rapidly developing channel. By means of this paper, we propose a separate security module to address the security issues in implementing m-governance project. Further, it also includes case study of Aadhar E-KYC depicting31-12-2014
  • 4. Objective This study helps in identifying the real time security needs and offers various measures that can be easily incorporated by the government department and application developers for securing the request/response data during transmission via mobile delivery channel. The objective of this paper is to sensitize various implementation agencies to identify the types of security measures which can be easily adopted for the implementation of mobile services and application. Such security specification, may be replicated by other Govt. department where ever necessary which can contribute to the overall success of m-governance. 31-12-2014
  • 5. Introduction In recent years, many states in India have started offering government services via various mobile delivery channels for catering the needs of citizen by integrating various government departments, services and telecom service providers. Such implementations have helped to create cost effective, efficient and round the clock Government information systems. All the efforts made by Government departments will be futile without the inclusion of security and integrity features in mobile delivery channels like SMS, USSD, WAP, etc. Most of the security measures are already incorporated in m-governance frameworks, but still there are few measures which can help to provide extra layer of security at the department level and application development level, keeping in mind the sensitivity of the citizen data which are exchanged over such mobile31-12-2014
  • 6. SECURITY REQUIREMENTS FOR M-GOV IMPLEMENTATIONS Developers need to seamlessly integrate security functionality into their mobile applications which should support API for secure communication of data between the user device and the server. The increased use of mobile devices for storage of personal and sensitive data for mobile client application need advanced security for encrypting the stored data. The existing security depends on a username/user-id/mobile number along with PIN/password to verify the user. This method is not sufficient, especially in cases where critical and personal information need to be exchanged over untrusted network. Therefore, it is important for mobile services to have a higher level of security consisting of combinations of two or more parameters like unique registration number, One time Password, biometric details , etc., which can give rise to a reliable authentication system to ensure user authenticity. 31-12-2014
  • 7. SECURITY ANALYSIS OF M-GOVERNANCE DELIVERY CHANNELS Statistics of Usage: Following are the results of the analysis done based on the independent survey of usage and acceptability of M-governance delivery channels: 1. Which all channels have you used for accessing Govt. services through Mobile platform? 31-12-2014 Figure1.Statistics for Mobile Channel Usage.
  • 8. Observations 1: Short message service (SMS) channel employs SMS Gateway as the interface for sending and receiving the SMS and value added services. A message sent by the server is received by a Short Message Service Center (SMSC) which makes use of a variety of protocols like SMPP CIMD etc. and then SMSC forwards it through the appropriate GSM or CDMA network to the appropriate mobile device. It has been observed that that the request and the response which are sent using SMS are sent as a plain text. There may be cases where the messages need to be encrypted and only the intended user can view it. This can be achieved by securing the message by encrypting it with a key known only to the intended user. Key Exchange protocol can be used to exchange the key between the back-end server and the user mobile device. Another technique is to use PKI (Public Key Infrastructure) based security measures. 31-12-2014
  • 9. Observations 2: Mobile Application: The user needs to fill in the necessary information in order to request service from the Govt. Department. The request then takes the form of http request with a URL(Uniform Resource Locator) which hits the appropriate server for processing. It has been observed that the parameters or user credential which forms the request is sent as it is which can be easily tampered by the intruder. This URL can also be encrypted using PKI which is an arrangement that binds public and private keys with respective user identities by means of a CA (Certification Authority). 31-12-2014
  • 10. PROJECTS The security architectural model depicts a security layer crossing at various levels of external communication that take place between an integrated service delivery platform and various stakeholders like Government departments, network service providers, telecommunication departments, payment bodies, etc. Figure 2.Security Architecture for M-Governance Projects. 31-12-2014
  • 11. Features 31-12-2014 Major security concerns related to 2G/3G/GPRS networks are dealt by the telecommunication operators. The security of request and response data between the client and the server through the delivery channels (SMS, WAP) should be provided by the department and application developers. The security system should provide flexibility regarding the transmission of data with different data formats like XML, JSON using transport protocols like HTTP/HTTPS and TCP.
  • 12. Features of Security Architecture 31-12-2014 User Authentication: This component is responsible for authenticating the user as defined by the various transition types. The module will verify the user/mobile number, check for the registration of the user, verify the PIN/password, Biometric information if supported, One- Time-Password (OTP). Departments may choose to use one or more methods to authenticate the user and verify the transaction authenticity. User Authorization: This component is responsible for checking various roles and permission associated with the functions call made to the database server. Different delegation roles are defined for incorporating this feature into the functional modules to check the access rights of the user and the admin. The departments should transmit or share user information only on the user’s authorization.
  • 13. 31-12-2014 Data Encryption: The information which is transferred while calling an API for availing services from various Govt. departments should be encrypted using PKI . The integrity and authenticity of the response can be provided by using digital signatures where in the hash of the message is created by using hash function, and then it will be encrypted by departments’ Private key. This creates the signature by using the cryptographic algorithm. Signature is cross verified. Department is the only private key owner, they cannot deny sending the message. This is called non-repudiation. Transaction Security: Each transaction request will interact with external systems for verification & presentment of the information, will interact with payment module, department module, citizen profile module and other modules for various types of verifications. There is a need for calling business Features of Security Architecture (contd.)
  • 14. 31-12-2014 Alerting /Logging/ Auditing: This component generates alerts for other system components, users, administrators upon occurrence of certain activity or event. Logging involves life-cycle details of the transaction with information about each and every process step. The module need to log all the API calls to the external system with reference data and date-time stamp. Auditing serves the purpose of tracking any changes to the system configurations. The module needs to have ability to configure various elements of the system like database tables, UI, functional flow, parameters at various levels. It maintains audit records for all the authentication request metadata along with the response. Features of Security Architecture (contd.)
  • 15. Case Study Of Aadhaar e-KYC API The Unique Identification Authority of India (UIDAI) department provides verification of Unique Identification Number (Aadhaar) to all residents of India using E-KYC API. The e-KYC API can be used by an agency to obtain latest resident demographic data and photo data from UIDAI upon the authorization of the user. This case depicts the authentication, key exchange and encryption mechanism adopted by UIDAI for processing the request of the user. 31-12-2014 Figure 3. E-KYC Data Flow
  • 16. The URL format for Aadhaar KYC service request: 31-12-2014 To support strong end to end security and avoid request tampering and man-in-the-middle attacks, it is essential that encryption of data happened at the time of capture on the user device. E-KYC is a stateless service over HTTPs protocol which make use of XML data format for input and output which allows easy adoption by the user agencies. API input data should be sent to the URL as XML document. https://<host>/kyc/<ver>/<ac>/<uid[0]>/<uid[1]>/<asalk> Host:Aadhar KYC server address Kyc: indicate KYC call Ver :indicate KYC version Ac: unique code foe KUA uid[0] and uid[1] : first 2 digits of Aadhaar number. asalk : A valid KSA license key. It is used for authorization.
  • 17. The XML data format for authentication API: 31-12-2014 <Kyc ver=“” ts=“” ra=“” rc=“”> <Rad>base64 encoded fully valid Auth XML for resident</Rad> <Signature/> </Kyc> ver:KYC version ts: timestamp of authentication request ra: resident authentication type rs: resident consent to use resident data from Aadhar system <rad>: element contains base64 encoded Auth XML for authentication with a valid transaction value(txn). <Signature>: It is mandatory and used exchanging information regarding digital signature and certificates using which the KSA and KUA ensure the message security and integrity between their servers.
  • 18. Response XML for the KYC API is as follows: 31-12-2014 <Resp status=“”>encrypted and base64 encoded “KycRes” element</Resp> Resp : container for keeping encrypted KYC data signed by UIDAI. “KysRes” is encrypted using either KSA public key or KUA public key based on the KSA/KUA setup on UIDAI server. KysRes once decoded containing information regarding response, transaction, timestamp, authentication API, UID data, error code in case of error. It also has encoded Signature element to check for message integrity and non-repudiation.
  • 19. Conclusion 31-12-2014 For successful implementation of such frameworks it is necessary to provide secure, reliable and high quality services and applications to the citizen as per their expectation. The case study provided will surely help m-governance project implementers to understand the security mechanism involved in the authentication of the entities and encryption of the request and response data. Consequently, it will enhance the complete user experience of using this government services using this newly addedresponse data
  • 20. ACKNOWLEDGMENT We are thankful to C-DAC Mobile Seva team for their practical inputs and for helping us in providing the deeper understanding of m- governance project implementation security issues. We would like to pay our special thanks to Dr. Zia Saquib, Executive Director, C-DAC for supporting us in pursuing this investigation. 31-12-2014
  • 21. References 1) Antovski, L and Gusev, M 2005, M-Government Framework, Proceedings of the First European Conference on Mobile Government, 10-12 July, University Sussex, Brighton, UK. 2) Mengistu, Desta, Hangjung Zo, and Jae Jeung Rho. "M-government: opportunities and challenges to deliver mobile government services in developing countries." Computer Sciences and Convergence Information Technology, 2009. ICCIT'09. Fourth International Conference on. IEEE, 2009. 3) Kumar, Ranjan, Manish Kumar, and Kapil Kant Kamal. "Indian Ecosystem for Mobile based Service Delivery." www. excelpublish. com: 129. 4) http://india.gov.in/spotlight/mobile-seva-citizen-services-mobile-phones 5) https://mgov.gov.in/ 6) mobile.karnataka.gov.in/ 7) http://www.itmission.kerala.gov.in/mobile-governance.php 8) https://mgov.gov.in/msdpbasic.jsp 9) www.developershome.com/sms/smsIntro.asp 10) A. Pourali, Dr. M. V. Malakooti, Dr. M.H Yektai, " A Secure SMS Model in E- Commerce Payment using Combined AES and ECC Encryption Algorithms", Proceedings of the International conference on Computing Technology and Information Management, Dubai, UAE, pp 431-442,2014. 11) Watari, M.A., A.A. Zaidan and B.B. Zaidan,, 2013. Securing m-government transmission based on symmetric and asymmetric algorithms: a review.. Asian J. Sci. Res., 6: 632-649. 12) http://uidai.gov.in/images/authDoc/d2_authentication_framework_v1.pdf 31-12-2014