Rajan Raj Pant

Presentation given by Rajan Raj Pant, Controller, Ministry of Science & Technology, Government of Nepal, on August 3rd, 2011 at eWorld Forum (www.eworldforum.net) in the session Information Management and Security


  1. Comprehensive National Authentication Framework using Digital Certificate and One Time Passwords
     Rajan Raj Pant, Controller, Office of Controller of Certification, Ministry of Science & Technology
  2. The State of User Authentication
     - Passwords still dominate, but continue to weaken
     - The need for strong authentication continues to grow
     - Increasing number of business processes moving online
     - Employee mobility expanding – demand for anywhere, anytime access to information
     - Compliance and notification laws proliferate
     - Phishing attacks have increased dramatically (see www.antiphishing.org)
  3. Digital Certificates
     A digital certificate is an electronic document that utilizes a method to bind together:
     - a public key
     - an identity
     It can be used to verify that a public key belongs to an individual.
     (Figure: Digital Certificate)
  4. One Time Passwords (OTP)
     Delivered:
     - via hardware token
     - via a software application on a PC or smart device
     - over an SMS channel
     Can only be used once.
     (Figure labels: Software Token on PC, Software Token on Mobile Device, OTP On-demand, Hardware Token)
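As an added example (not part of the presentation), the following server-side HOTP verifier shows how a one-time password is derived from a shared secret and a counter, and how the verifier enforces the "can only be used once" property by burning the counter after a successful check. The secret is the RFC 4226 test-vector key and all codes are constructed test data.

```python
# Added example (not from the presentation): an RFC 4226 HOTP verifier that
# enforces the slide's "can only be used once" property on the server side.
# Secret, counter and codes below are constructed test data; the secret is
# the RFC 4226 Appendix D test key so the first codes can be checked against it.
import hmac
import hashlib
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP code per RFC 4226 (HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class HotpVerifier:
    """Server-side state for one token: the secret and the next unused counter.

    A code is accepted only if it matches a counter at or after the stored one
    (within a small look-ahead window for codes the user generated but never
    submitted); the counter then moves past it, so the same code is rejected
    on replay.
    """
    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # constant-time compare so response timing leaks nothing about the code
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1   # burn this counter and everything before it
                return True
        return False

SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test key (constructed input)

def demo() -> list:
    """Fresh code accepted, replay rejected, skipped-ahead code accepted, stale code rejected."""
    v = HotpVerifier(SECRET)
    first = hotp(SECRET, 0)
    third = hotp(SECRET, 2)
    return [v.verify(first), v.verify(first), v.verify(third), v.verify(hotp(SECRET, 1))]

if __name__ == "__main__":
    print(hotp(SECRET, 0), hotp(SECRET, 1), hotp(SECRET, 2))   # 755224 287082 359152
    print(demo())                                               # [True, False, True, False]
```

An SMS-delivered or on-demand OTP is enforced the same way: whatever the delivery channel, the server must record that the code (or its counter) has been consumed before it answers.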
  5. Lightweight OTP and Legal Validity using Digital Certificates – Mantra of Hybrid Authentication
     - All citizen-centric Internet applications can utilize the single authentication framework without having to reinvest in citizen registration, thereby saving thousands of dollars in user management.
     - Applications can choose OTP for lightweight authentication and digital certificates where non-repudiation and digital signing may be necessary. Not all applications require digital signatures, but all applications definitely need "strong 2-factor authentication".
     - Citizens would be safe from password-based vulnerabilities and would not be required to remember multiple authentication schemes across the various public and private enterprises, thereby increasing convenience manifold.
     - With government support, a uniform and strong authentication service would be available for all to access. A major deterrent to technology adoption is the initial cost of procurement and maintenance; this is completely eliminated by the government providing the service to all enterprises and citizens alike.
     - The framework can be easily extended to newer authentication technologies, e.g. risk-based authentication, knowledge-based authentication, etc.
     (Figure labels: OTP Authentication; PKI Authentication & Services; eCommerce Site; Internet Banking Site)
  6. Digital Certificate Management Components
     (Figure components: Registration Manager, Certificate Manager, User, Validation Client, Key Recovery Manager, Web Server, Card Manager, Validation Manager)
  7. CCA Digital Certificate Management Components
     (Figure-only slide)
  8. Digital Certificate Solutions: Providing Secure Business Transactions
     Solution                              | What it provides
     User authentication                   | Identity validation
     Device authentication                 | Device identification
     Digital signing                       | Non-repudiation support
     E-mail encryption                     | Confidential communications
     Extended validation SSL certificates  | Trusted websites
  9. NEPAL and ICT
  10. Nepal: Southern Asia, between India and China
     ISPs: 12; telecom operators: 4
     Area: 147,181 sq km (land: 143,351 sq km, water: 3,830 sq km)
     Population: 29,391,883 (June 2011); country comparison to the world: 41
  11. Land of Yeti
  12. Land of Mt. Everest
  13. Land of Buddha
  14-17. (Image-only slides)
  18. Vision
     "The Value Networking Nepal" through –
     - Citizen-centered service
     - Transparent service
     - Networking government
     - Knowledge-based society
  19. Nepal Factsheet
     Population: 29,391,883 (June 2011); country comparison to the world: 41
     Internet hosts: 43,928 (2010); country comparison to the world: 91
     Internet users: 2,426,357 (June 2011); country comparison to the world: 116
     Internet penetration: 8.49 %
     ETA 2006, IT Policy, Password Practices, IT Security Guidelines (to be passed)
     Current penetration of mobile: 24.35 %
  20. Rural Network
     (Figure-only slide)
  21. (Image-only slide)
  22. IT Trends in Nepal
     (Figure, Present and Future: E-mail, Facebook, Skype, IRD Online Tax Return, PKI, E-Passport, E-Banking, Online Postbox, NID, DR Center, GIDC, Mobile Cash, Digitization of Land Map, Vehicle Registration, GEA)
  23. Technology Architecture – Security
     (Figure, laid out as the ITU-T X.805 security architecture)
     Security layers: Applications Security, Services Security, Infrastructure Security
     Security planes: Control Plane, Management Plane, End User Plane
     Security dimensions: Privacy, Authentication, Non-Repudiation, Data Confidentiality, Communications Security, Data Integrity, Availability, Access Control
     Threats: Destruction, Corruption, Removal, Disclosure, Interruption
     Also shown: Attacks, Vulnerabilities
  24. Initiations
     - ITERT
     - IT Security Guidelines
     - Code of Conduct for IT
     - Government Network
  25. Cyber Crime
     - 21 cases reported so far
     - Mostly social engineering from Facebook
     - Hacking: 38 cases up to May 2011
  26. Challenges
     - Connectivity
     - Lack of infrastructure
     - Lower IT literacy
     - Political instability
     - Lack of proper co-ordination among IT agencies
     - Lack of proper implementation and monitoring of the existing rules and regulations
     - Not keeping IT in the priority list
     - Shortage of IT manpower
  27. ICT Related Agencies
     (Figure, Government and Non-Government: MOST, MIC, HLCIT, NITC, OCC, NTA, NPCC, CAN, ICTAN, ISPAN, ITS)
  28. OCC Functions
     - Implementation of ETA
     - Licensing of ICAs
     - Monitoring and supervision of ICAs
     - Information security related work
     - IT security audit
     - Investigation agency
  29. THANK YOU