1. Prof. Madhulika Bangre (Research Scholar) and Prof. (Dr.)
G.T.Thampi (Principal & Research Guide)
TSEC,Bandra (W), Mumbai, University Of Mumbai, INDIA
bmadhulika03@gmail.com,gtthampi@yahoo.com
Kapil Kant Kamal and Manish Kumar
Centre for Development of Advanced Computing (C-DAC), Mumbai,
India
kapil@cdac. in, kmanish@cdac. in
Analysis of Security Requirements
for M-Governance Project
Implementation
ASDF WSS-
2014
31-12-2014
3. Abstract
M-Governance provides an additional access tools for e-
Government and its processes with the uses of wireless and
mobile technologies to deliver services over mobile devices.
Though M-Governance extends the accessibility of e-
governance to mobile platform, but it also brings along
numerous challenges in terms of security and authentication,
making it the prime reason behind the apprehension in citizen to
use this channel effectively. Hence, adequate levels of security
must be ensured before implementing such government
applications over wireless/mobile channels.
This study discusses real time security requirements of m-
governance projects to increase the acceptability of the citizen
to this rapidly developing channel. By means of this paper, we
propose a separate security module to address the security
issues in implementing m-governance project.
Further, it also includes case study of Aadhar E-KYC depicting31-12-2014
4. Objective
This study helps in identifying the real time security
needs and offers various measures that can be easily
incorporated by the government department and
application developers for securing the
request/response data during transmission via mobile
delivery channel.
The objective of this paper is to sensitize various
implementation agencies to identify the types of
security measures which can be easily adopted for the
implementation of mobile services and application.
Such security specification, may be replicated by other
Govt. department where ever necessary which can
contribute to the overall success of m-governance.
31-12-2014
5. Introduction
In recent years, many states in India have started
offering government services via various mobile delivery
channels for catering the needs of citizen by integrating
various government departments, services and telecom
service providers. Such implementations have helped to
create cost effective, efficient and round the clock
Government information systems.
All the efforts made by Government departments will be
futile without the inclusion of security and integrity
features in mobile delivery channels like SMS, USSD,
WAP, etc.
Most of the security measures are already incorporated
in m-governance frameworks, but still there are few
measures which can help to provide extra layer of
security at the department level and application
development level, keeping in mind the sensitivity of the
citizen data which are exchanged over such mobile31-12-2014
6. SECURITY REQUIREMENTS FOR M-GOV
IMPLEMENTATIONS
Developers need to seamlessly integrate security functionality into
their mobile applications which should support API for secure
communication of data between the user device and the server.
The increased use of mobile devices for storage of personal and
sensitive data for mobile client application need advanced security for
encrypting the stored data.
The existing security depends on a username/user-id/mobile
number along with PIN/password to verify the user. This method is
not sufficient, especially in cases where critical and personal
information need to be exchanged over untrusted network.
Therefore, it is important for mobile services to have a higher level of
security consisting of combinations of two or more parameters like
unique registration number, One time Password, biometric details ,
etc., which can give rise to a reliable authentication system to
ensure user authenticity.
31-12-2014
7. SECURITY ANALYSIS OF M-GOVERNANCE
DELIVERY CHANNELS
Statistics of Usage:
Following are the results of the analysis done based
on the independent survey of usage and
acceptability of M-governance delivery channels:
1. Which all channels have you used for accessing
Govt. services through Mobile platform?
31-12-2014
Figure1.Statistics for Mobile Channel Usage.
8. Observations 1:
Short message service (SMS) channel employs SMS
Gateway as the interface for sending and receiving the
SMS and value added services. A message sent by the
server is received by a Short Message Service Center
(SMSC) which makes use of a variety of protocols like
SMPP CIMD etc. and then SMSC forwards it through the
appropriate GSM or CDMA network to the appropriate
mobile device.
It has been observed that that the request and the
response which are sent using SMS are sent as a plain
text. There may be cases where the messages need to
be encrypted and only the intended user can view it. This
can be achieved by securing the message by encrypting it
with a key known only to the intended user. Key
Exchange protocol can be used to exchange the key
between the back-end server and the user mobile device.
Another technique is to use PKI (Public Key
Infrastructure) based security measures.
31-12-2014
9. Observations 2:
Mobile Application: The user needs to fill in the
necessary information in order to request service
from the Govt. Department. The request then
takes the form of http request with a URL(Uniform
Resource Locator) which hits the appropriate
server for processing.
It has been observed that the parameters or user
credential which forms the request is sent as it is
which can be easily tampered by the intruder.
This URL can also be encrypted using PKI
which is an arrangement that binds public and
private keys with respective user identities by
means of a CA (Certification Authority). 31-12-2014
10. PROJECTS
The security architectural model depicts a security layer
crossing at various levels of external communication
that take place between an integrated service delivery
platform and various stakeholders like Government
departments, network service providers,
telecommunication departments, payment bodies, etc.
Figure 2.Security Architecture for M-Governance Projects.
31-12-2014
11. Features
31-12-2014
Major security concerns related to 2G/3G/GPRS
networks are dealt by the telecommunication
operators.
The security of request and response data
between the client and the server through the
delivery channels (SMS, WAP) should be
provided by the department and application
developers.
The security system should provide flexibility
regarding the transmission of data with different
data formats like XML, JSON using transport
protocols like HTTP/HTTPS and TCP.
12. Features of Security Architecture
31-12-2014
User Authentication: This component is responsible for
authenticating the user as defined by the various
transition types. The module will verify the user/mobile
number, check for the registration of the user, verify the
PIN/password, Biometric information if supported, One-
Time-Password (OTP). Departments may choose to use
one or more methods to authenticate the user and verify
the transaction authenticity.
User Authorization: This component is responsible for
checking various roles and permission associated with
the functions call made to the database server. Different
delegation roles are defined for incorporating this feature
into the functional modules to check the access rights of
the user and the admin. The departments should transmit
or share user information only on the user’s
authorization.
13. 31-12-2014
Data Encryption: The information which is transferred while
calling an API for availing services from various Govt.
departments should be encrypted using PKI . The integrity
and authenticity of the response can be provided by using
digital signatures where in the hash of the message is
created by using hash function, and then it will be encrypted by
departments’ Private key. This creates the signature by using
the cryptographic algorithm. Signature is cross verified.
Department is the only private key owner, they cannot deny
sending the message. This is called non-repudiation.
Transaction Security: Each transaction request will interact with
external systems for verification & presentment of the
information, will interact with payment module, department
module, citizen profile module and other modules for various
types of verifications. There is a need for calling business
Features of Security Architecture
(contd.)
14. 31-12-2014
Alerting /Logging/ Auditing: This component generates
alerts for other system components, users, administrators
upon occurrence of certain activity or event.
Logging involves life-cycle details of the transaction with
information about each and every process step. The
module need to log all the API calls to the external system
with reference data and date-time stamp.
Auditing serves the purpose of tracking any changes to the
system configurations. The module needs to have ability to
configure various elements of the system like database
tables, UI, functional flow, parameters at various levels. It
maintains audit records for all the authentication request
metadata along with the response.
Features of Security Architecture
(contd.)
15. Case Study Of Aadhaar e-KYC
API
The Unique Identification Authority of India (UIDAI)
department provides verification of Unique
Identification Number (Aadhaar) to all residents of
India using E-KYC API. The e-KYC API can be used
by an agency to obtain latest resident demographic
data and photo data from UIDAI upon the authorization
of the user. This case depicts the authentication, key
exchange and encryption mechanism adopted by
UIDAI for processing the request of the user.
31-12-2014
Figure 3. E-KYC Data Flow
16. The URL format for Aadhaar KYC
service request:
31-12-2014
To support strong end to end security and avoid request
tampering and man-in-the-middle attacks, it is essential
that encryption of data happened at the time of capture on
the user device. E-KYC is a stateless service over HTTPs
protocol which make use of XML data format for input and
output which allows easy adoption by the user agencies.
API input data should be sent to the URL as XML
document.
https://<host>/kyc/<ver>/<ac>/<uid[0]>/<uid[1]>/<asalk>
Host:Aadhar KYC server address
Kyc: indicate KYC call
Ver :indicate KYC version
Ac: unique code foe KUA
uid[0] and uid[1] : first 2 digits of Aadhaar number.
asalk : A valid KSA license key. It is used for authorization.
17. The XML data format for authentication
API:
31-12-2014
<Kyc ver=“” ts=“” ra=“” rc=“”>
<Rad>base64 encoded fully valid Auth XML for
resident</Rad>
<Signature/>
</Kyc>
ver:KYC version
ts: timestamp of authentication request
ra: resident authentication type
rs: resident consent to use resident data from Aadhar system
<rad>: element contains base64 encoded Auth XML for
authentication with a valid transaction value(txn).
<Signature>: It is mandatory and used exchanging information
regarding digital signature and certificates using which the KSA
and KUA ensure the message security and integrity between their
servers.
18. Response XML for the KYC API is as
follows:
31-12-2014
<Resp status=“”>encrypted and base64 encoded
“KycRes” element</Resp>
Resp : container for keeping encrypted KYC data
signed by UIDAI.
“KysRes” is encrypted using either KSA public key or
KUA public key based on the KSA/KUA setup on
UIDAI server. KysRes once decoded containing
information regarding response, transaction,
timestamp, authentication API, UID data, error code in
case of error. It also has encoded Signature element
to check for message integrity and non-repudiation.
19. Conclusion
31-12-2014
For successful implementation of such
frameworks it is necessary to provide secure,
reliable and high quality services and
applications to the citizen as per their
expectation. The case study provided will
surely help m-governance project
implementers to understand the security
mechanism involved in the authentication of
the entities and encryption of the request and
response data.
Consequently, it will enhance the
complete user experience of using this
government services using this newly addedresponse data
20. ACKNOWLEDGMENT
We are thankful to C-DAC Mobile Seva team for
their practical inputs and for helping us in
providing the deeper understanding of m-
governance project implementation security
issues. We would like to pay our special thanks to
Dr. Zia Saquib, Executive Director, C-DAC for
supporting us in pursuing this investigation.
31-12-2014
21. References
1) Antovski, L and Gusev, M 2005, M-Government Framework, Proceedings of the
First European Conference on Mobile Government, 10-12 July, University Sussex,
Brighton, UK.
2) Mengistu, Desta, Hangjung Zo, and Jae Jeung Rho. "M-government:
opportunities and challenges to deliver mobile government services in developing
countries." Computer Sciences and Convergence Information Technology, 2009.
ICCIT'09. Fourth International Conference on. IEEE, 2009.
3) Kumar, Ranjan, Manish Kumar, and Kapil Kant Kamal. "Indian Ecosystem for
Mobile based Service Delivery." www. excelpublish. com: 129.
4) http://india.gov.in/spotlight/mobile-seva-citizen-services-mobile-phones
5) https://mgov.gov.in/
6) mobile.karnataka.gov.in/
7) http://www.itmission.kerala.gov.in/mobile-governance.php
8) https://mgov.gov.in/msdpbasic.jsp
9) www.developershome.com/sms/smsIntro.asp
10) A. Pourali, Dr. M. V. Malakooti, Dr. M.H Yektai, " A Secure SMS Model in E-
Commerce Payment using Combined AES and ECC Encryption Algorithms",
Proceedings of the International conference on Computing Technology and
Information Management, Dubai, UAE, pp 431-442,2014.
11) Watari, M.A., A.A. Zaidan and B.B. Zaidan,, 2013. Securing m-government
transmission based on symmetric and asymmetric algorithms: a review.. Asian J.
Sci. Res., 6: 632-649.
12) http://uidai.gov.in/images/authDoc/d2_authentication_framework_v1.pdf
31-12-2014