1. Prof. Madhulika Bangre (Research Scholar) and Prof. (Dr.)
G. T. Thampi (Principal & Research Guide), TSEC, Bandra (W),
Mumbai, University of Mumbai, India. Kapil Kant Kamal and Manish
Kumar, Centre for Development of Advanced Computing (C-DAC),
Mumbai, India, kapil@cdac.in, kmanish@cdac.in. Analysis of Security
Requirements for M-Governance Project Implementation. ASDF WSS-2014,
31-12-2014
2. Presentation Flow: Abstract; Objective; Introduction; Security
Requirements for M-Gov Implementations; Security Analysis of
M-Governance Delivery Channels; Important Findings; Proposed
Solution; Conclusion; References
3. Abstract: M-Governance provides an additional access tool for
e-Government and its processes, using wireless and mobile
technologies to deliver services over mobile devices. Though
M-Governance extends the accessibility of e-governance to the mobile
platform, it also brings along numerous challenges in terms of
security and authentication, which are the prime reason behind
citizens' apprehension about using this channel effectively. Hence,
adequate levels of security must be ensured before implementing
such government applications over wireless/mobile channels. This
study discusses the real-time security requirements of m-governance
projects to increase citizens' acceptance of this rapidly
developing channel. In this paper, we propose a separate security
module to address the security issues in implementing m-governance
projects. Further, it also includes a case study of Aadhaar e-KYC
depicting
4. Objective: This study helps in identifying the real-time
security needs and offers various measures that can be easily
incorporated by government departments and application developers
for securing the request/response data during transmission via
mobile delivery channels. The objective of this paper is to
sensitize various implementation agencies to identify the types of
security measures which can be easily adopted for the
implementation of mobile services and applications. Such security
specifications may be replicated by other Govt. departments
wherever necessary, which can contribute to the overall success of
m-governance.
5. Introduction: In recent years, many states in India have
started offering government services via various mobile delivery
channels to cater to the needs of citizens by integrating various
government departments, services and telecom service providers.
Such implementations have helped to create cost-effective,
efficient and round-the-clock Government information systems. All
the efforts made by Government departments will be futile without
the inclusion of security and integrity features in mobile delivery
channels like SMS, USSD, WAP, etc. Most of the security measures
are already incorporated in m-governance frameworks, but there are
still a few measures which can help to provide an extra layer of
security at the department level and application development level,
keeping in mind the sensitivity of the citizen data which are
exchanged over such mobile
6. SECURITY REQUIREMENTS FOR M-GOV IMPLEMENTATIONS: Developers
need to seamlessly integrate security functionality into their
mobile applications, which should support an API for secure
communication of data between the user device and the server. The
increased use of mobile devices for storage of personal and
sensitive data by mobile client applications needs advanced
security for encrypting the stored data. The existing security
depends on a username/user-id/mobile number along with a
PIN/password to verify the user. This method is not sufficient,
especially in cases where critical and personal information needs
to be exchanged over an untrusted network. Therefore, it is
important for mobile services to have a higher level of security
consisting of combinations of two or more parameters like a unique
registration number, One-Time Password, biometric details, etc.,
which can give rise to a reliable authentication system to ensure
user authenticity.
7. SECURITY ANALYSIS OF M-GOVERNANCE DELIVERY CHANNELS.
Statistics of Usage: The following are the results of the analysis
based on an independent survey of the usage and acceptability of
M-governance delivery channels: 1. Which channels have you used for
accessing Govt. services through the mobile platform?
Figure 1. Statistics for Mobile Channel Usage.
8. Observation 1: The short message service (SMS) channel employs
an SMS Gateway as the interface for sending and receiving SMS and
value-added services. A message sent by the server is received by a
Short Message Service Center (SMSC), which makes use of a variety
of protocols like SMPP, CIMD, etc., and the SMSC then forwards it
through the appropriate GSM or CDMA network to the appropriate
mobile device. It has been observed that the request and the
response sent using SMS are sent as plain text. There may be cases
where the messages need to be encrypted so that only the intended
user can view them. This can be achieved by encrypting the message
with a key known only to the intended user. A key exchange protocol
can be used to exchange the key between the back-end server and the
user's mobile device. Another technique is to use PKI (Public Key
Infrastructure) based security measures.
9. Observation 2: Mobile Application: The user needs to fill in
the necessary information in order to request a service from the
Govt. Department. The request then takes the form of an HTTP
request with a URL (Uniform Resource Locator) which hits the
appropriate server for processing. It has been observed that the
parameters or user credentials which form the request are sent as
they are, so they can easily be tampered with by an intruder. This
URL can also be encrypted using PKI, an arrangement that binds
public and private keys with respective user identities by means of
a CA (Certification Authority).
10. PROJECTS: The security architectural model depicts a
security layer crossing at various levels of the external
communication that takes place between an integrated service
delivery platform and various stakeholders like Government
departments, network service providers, telecommunication
departments, payment bodies, etc.
Figure 2. Security Architecture for M-Governance Projects.
11. Features: Major security concerns related to 2G/3G/GPRS
networks are dealt with by the telecommunication operators. The
security of request and response data between the client and the
server through the delivery channels (SMS, WAP) should be provided
by the department and application developers. The security system
should provide flexibility regarding the transmission of data in
different data formats like XML and JSON, using transport protocols
like HTTP/HTTPS and TCP.
12. Features of Security Architecture
User Authentication: This component is responsible for
authenticating the user as defined by the various transition types.
The module will verify the user/mobile number, check for the
registration of the user, and verify the PIN/password, biometric
information if supported, and One-Time-Password (OTP). Departments
may choose to use one or more methods to authenticate the user and
verify the transaction authenticity.
User Authorization: This component is responsible for checking the
various roles and permissions associated with the function calls
made to the database server. Different delegation roles are defined
for incorporating this feature into the functional modules to check
the access rights of the user and the admin. The departments should
transmit or share user information only on the user's
authorization.
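One way the User Authentication component described above could combine its checks, as an added example (not code from the presentation or from Mobile Seva). The class and method names, the OTP lifetime and retry limit, and the use of PBKDF2 for PIN storage are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

OTP_TTL = 300        # seconds an OTP stays valid (assumed value)
MAX_OTP_TRIES = 3    # wrong guesses allowed per issued OTP (assumed value)

def _pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class AuthModule:    # hypothetical name, not a Mobile Seva API
    def __init__(self, required=("registered", "pin", "otp")):
        self.required = required   # factors this department demands
        self.users = {}            # mobile -> (salt, PIN hash)
        self.otps = {}             # mobile -> [OTP digest, expiry, tries left]

    def register(self, mobile, pin):
        salt = secrets.token_bytes(16)
        self.users[mobile] = (salt, _pin_hash(pin, salt))

    def issue_otp(self, mobile, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self.otps[mobile] = [digest, now + OTP_TTL, MAX_OTP_TRIES]
        return code                # goes to the SMS gateway only

    def _check_otp(self, mobile, code, now):
        entry = self.otps.get(mobile)
        if entry is None or now > entry[1] or entry[2] <= 0:
            self.otps.pop(mobile, None)   # expired or locked out
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).digest())
        if ok:
            del self.otps[mobile]         # single use: a replay fails
        return ok

    def authenticate(self, mobile, pin="", otp="", now=None):
        now = time.time() if now is None else now
        user = self.users.get(mobile)
        if user is None:
            return False           # unregistered number fails every policy
        results = {"registered": True}
        if "pin" in self.required:
            results["pin"] = hmac.compare_digest(user[1], _pin_hash(pin, user[0]))
        if "otp" in self.required:       # checked even if the PIN was wrong
            results["otp"] = self._check_otp(mobile, otp, now)
        return all(results[f] for f in self.required)
```

A department that only needs registration and PIN would construct it as AuthModule(required=("registered", "pin")).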
13. Features of Security Architecture (contd.)
Data Encryption: The information which is transferred while calling
an API for availing services from various Govt. departments should
be encrypted using PKI. The integrity and authenticity of the
response can be provided by using digital signatures, wherein the
hash of the message is created by using a hash function and is then
encrypted with the department's private key. This creates the
signature by using the cryptographic algorithm. The signature is
cross-verified. Since the department is the only owner of the
private key, it cannot deny sending the message. This is called
non-repudiation.
Transaction Security: Each transaction request will interact with
external systems for verification & presentment of the information,
and will interact with the payment module, department module,
citizen profile module and other modules for various types of
verifications. There is a need for calling business
14. Features of Security Architecture (contd.)
Alerting/Logging/Auditing: This component generates alerts for
other system components, users and administrators upon occurrence
of a certain activity or event. Logging involves life-cycle details
of the transaction with information about each and every process
step. The module needs to log all the API calls to the external
system with reference data and a date-time stamp. Auditing serves
the purpose of tracking any changes to the system configurations.
The module needs to have the ability to configure various elements
of the system like database tables, UI, functional flow and
parameters at various levels. It maintains audit records for all
the authentication request metadata along with the response.
15. Case Study of Aadhaar e-KYC API: The Unique Identification
Authority of India (UIDAI) department provides verification of the
Unique Identification Number (Aadhaar) to all residents of India
using the e-KYC API. The e-KYC API can be used by an agency to
obtain the latest resident demographic data and photo data from
UIDAI upon the authorization of the user. This case depicts the
authentication, key exchange and encryption mechanism adopted by
UIDAI for processing the request of the user.
Figure 3. E-KYC Data Flow
16. The URL format for Aadhaar KYC service request:
To support strong end-to-end security and avoid request tampering
and man-in-the-middle attacks, it is essential that encryption of
data happens at the time of capture on the user device. E-KYC is a
stateless service over the HTTPS protocol which makes use of the
XML data format for input and output, which allows easy adoption by
the user agencies. API input data should be sent to the URL as an
XML document.
https://<host>/kyc/<ver>/<ac>/<uid[0]>/<uid[1]>/<asalk>
host: Aadhaar KYC server address
kyc: indicates KYC call
ver: indicates KYC version
ac: unique code for KUA
uid[0] and uid[1]: first 2 digits of Aadhaar number
asalk: a valid KSA license key. It is used for authorization.
17. The XML data format for authentication API:
base64 encoded fully valid Auth XML for resident
ver: KYC version
ts: timestamp of authentication request
ra: resident authentication type
rs: resident consent to use resident data from Aadhaar system
: element contains base64 encoded Auth XML for authentication with
a valid transaction value (txn).
: It is mandatory and used for exchanging information regarding
digital signature and certificates, using which the KSA and KUA
ensure the message security and integrity between their servers.
18. Response XML for the KYC API is as follows:
encrypted and base64 encoded KycRes element
Resp: container for keeping encrypted KYC data signed by UIDAI.
KycRes is encrypted using either the KSA public key or the KUA
public key, based on the KSA/KUA setup on the UIDAI server. Once
decoded, KycRes contains information regarding response,
transaction, timestamp, authentication API, UID data, and error
code in case of error. It also has an encoded Signature
element to check for message integrity and non-repudiation.
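The hash-then-sign check described under Data Encryption (slide 13), which the Signature element of the e-KYC response relies on, shown as an added example that is not from the presentation or from UIDAI. It assumes the third-party Python `cryptography` package, RSA-PSS with SHA-256 as the signature scheme, freshly generated keys, and a constructed response body; the function names are hypothetical, and the real e-KYC response uses an XML signature rather than a raw byte signature.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Signature padding chosen for this example (assumption, not from the slides).
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)

def sign_response(private_key, body: bytes) -> bytes:
    # The library hashes the body with SHA-256 and signs the digest
    # with the department's private key.
    return private_key.sign(body, PSS, hashes.SHA256())

def verify_response(public_key, body: bytes, signature: bytes) -> bool:
    # The receiver recomputes the hash and checks it against the signature
    # using the department's public key.
    try:
        public_key.verify(signature, body, PSS, hashes.SHA256())
        return True
    except InvalidSignature:
        return False

def demo():
    dept_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    body = b"txn=constructed-001;status=approved"   # constructed sample body
    sig = sign_response(dept_key, body)
    dept_pub = dept_key.public_key()
    return {
        # Untouched response verifies: integrity and authenticity hold.
        "genuine": verify_response(dept_pub, body, sig),
        # One changed field in transit invalidates the signature.
        "tampered": verify_response(
            dept_pub, body.replace(b"approved", b"rejected"), sig),
        # Only the holder of the department key could have produced sig,
        # which is the basis of non-repudiation.
        "wrong_signer": verify_response(other_key.public_key(), body, sig),
    }

if __name__ == "__main__":
    print(demo())
```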
19. Conclusion: For successful implementation of such
frameworks it is necessary to provide secure, reliable and
high-quality services and applications to citizens as per their
expectations. The case study provided will surely help m-governance
project implementers to understand the security mechanism involved
in the authentication of the entities and encryption of the request
and response data. Consequently, it will enhance the complete user
experience of using these government services using this newly
added response data
20. ACKNOWLEDGMENT: We are thankful to the C-DAC Mobile Seva team
for their practical inputs and for helping us in providing a
deeper understanding of m-governance project implementation
security issues. We would like to pay our special thanks to Dr. Zia
Saquib, Executive Director, C-DAC, for supporting us in pursuing
this investigation.