The document discusses a national authentication framework in Nepal that integrates digital certificates and one-time passwords (OTPs) for stronger user authentication. It emphasizes the transition from traditional password-based systems to hybrid authentication methods, enabling citizen-centric services while minimizing costs and enhancing security. The framework is designed to simplify the user experience and is supported by the government to facilitate access across public and private sectors.

1. Comprehensive National Authentication Framework using Digital Certificate and One Time PasswordsRajan Raj PantControllerOffice of Controller of CertificationMinistry of Science & Technology

2. The State of User AuthenticationPasswords still dominate, but continue to weakenThe need for strong authentication continues to growIncreasing number of business processes moving onlineEmployee mobility expanding – demand for anywhere anytime access to informationCompliance and notification laws proliferatePhishing attacks have increased dramatically (see www.antiphishing.org)2

3. Digital CertificatesDigital certificates:An electronic document that utilizes amethod to bind together:A public keyAn identityCan be used to verify that a public key belongs to an individual3Digital Certificate

4. One Time Passwords (OTP)4Software Token onPCSoftware Token on Mobile DeviceOTP On-demandDelivered:Via hardware tokenSoftware application on PC or smart deviceOver an SMS channelCan only be used onceHardware Token

5. Lightweight OTP and Legal validity using Digital Certificates – Mantra of Hybrid AuthenticationAll Citizen Centric Internet Applications can utilize the single Authentication framework without having to reinvest into citizen registration thereby saving thousands of dollars in user managementApplications can choose OTP for lightweight authentication while Digital Certificates where non-repudiation and digital signing may be necessary. Not all applications require digital signatures but all applications definitely need “strong 2 Factor Authentication”Citizen would be safe from password based vulnerabilities and would also not be required to remember multiple authentication schemes across the various public and private enterprises thereby increasing convenience manifoldWith government support a uniform and strong authentication service would be available for all to access – a major deterrent for technology adoption is the initial cost of procurement and maintenance – this is completely eliminated by the government providing the same as a service to all enterprises and citizens alikeThe framework can be easily extended to newer authentication technologies e.g. Risk Based authentication, Knowledge based authentication etc..5OTP AuthenticationPKI Authentication& ServiceseCommerceSiteInternetBankingSite

6. Digital Certificate Management Components6Registration ManagerCertificate ManagerUserValidation ClientKey Recovery ManagerWeb ServerCardManagerValidation Manager

7. CCA Digital Certificate Management Components

8. Digital Certificate SolutionsProviding Secure Business Transactions8User authentication

9. Device authentication

10. Digital Signing

11. E-mail encryption

12. Extended validation SSL certificatesIdentity validationDeviceidentificationNon-repudiation supportConfidentialcommunicationsTrusted websites

13. NEPAL and ICT9

14. Southern Asia, between India and China ISP = 12 Telecom Operator = 4Area: 147,181 sq km, Land: 143,351, Water: 3,830 sq kmPopulation: 29,391,883 (June 2011)country comparison to the world: 41 10

15. Land of Yeti11

16. Land of Mt. Everest12

17. Land of Buddha13

18. 14

19. 15

20. 16

21. 17

22. Vision 18“The Value Networking Nepal” through –Citizen-centered serviceTransparent ServiceNetworking GovernmentKnowledge Based Society

23. Nepal FactsheetPopulation: 29,391,883 (June 2011)country comparison to the world: 41 Internet hosts: 43,928 (2010)country comparison to the world: 91Internet users: 2,426,357(June 2011)country comparison to the world: 116 Internet penetration: 8.49 %ETA 2006, IT Policy, Password Practices, IT Security Guidelines (to be passed)Current Penetration of Mobile: 24.35 %19

24. Rural Network20

25. 21

26. IT Trends in Nepal22PresentFutureE-mail FacebookSkypeIRDOnline TaxReturnPKIE-PassportE-BankingOnline PostboxNIDDR CenterGIDCMobileCashDigitizationOf Land MapVehicle RegistrationGEA

27. 23Security LayersThreatsApplications SecurityDestructionCorruptionServices SecurityRemovalDisclosureInterruptionInfrastructure SecurityAttacksSecurityPlanesSecurity DimensionsControl PlaneManagement PlaneTechnology Architecture- SecurityPrivacyAuthenticationNon-RepudiationData ConfidentialityCommunications SecurityData IntegrityAvailabilityAccess ControlVulnerabilitiesEnd User Plane

28. InitiationsITERTIT Security GuidelinesCode of Conduct for ITGovernment Network24

29. Cyber Crime21 Cases so far reportedMostly Social Engineering from FacebookHacking 38 cases up to May 2011 25