EKEY Applications in E-administration
System
I. Overview of e-administration
1.1 Overview
As early as two or three decades ago, the governments
at all levels in many developed Western nations had applied
the computer technology to process the administration
automatically; with the development of the social informatization
and the extensive applications of computer technology
in China, the original OAS for the governments at all
levels is hard to adapt to the hi-standard requirements
for the government office in the network times, and the
demands such as the ¡°penless office¡±, ¡°paperless office¡±
and ¡±e-government¡± are being upgrading. For this end,
the e-administration system emerges as the times require
in such case.
The e-administration system is the online government office
system oriented to the society, including the computer
technology, network technology, communications technology,
database technology and some other top IT technologies,
acting as the quite large integrated application system.
The implementation of this project will forge the excellent
government image in the society, enhance the transparency
of the government works, lower the office cost, improve
the office efficiency, which is conducive to the construction
of the diligent and clean government, and is of great
and far-reaching significance in promoting the social
informatization.
1.2 Implementation scope of e-administration
The e-administration is the process that makes use of
the necessary electric tools to carry out the governmental
administrative activities and the information exchange
on the basis of the network, which includes generally
the following aspects:
l For the openness of administration
The governments at all levels make a great deal of administration
information open to the society by the means of the functionally
powerful government websites. Such information includes
the important activities of government leaders, the latest
news about the government works, and the information about
the supporting authorities with respect to the government
works, and so on. It is observed that, most the administrative
affaires relating to the public can be disclosed to the
public via the government websites in a timely manner.
For example, you can refer to the detailed information
about the bidding projects and investment projects implemented
by the governments when you log in such government websites,
and such information include the qualification condition,
the procedures for such application, and the time schedule
and other contents. This reflects the principle of the
openness of public administration.
l For provision of online services
The online service such as the inquiry, application, fee
payment and registration can be provided via many of the
domestic government websites. E.g., after logging in the
website for inquiry of social insurance information, you
can access to the information about the insured¡¯s monthly
payment, the consumption record of social insurance, and
the balance of account, and so forth. These services are
greatly convenient to the public, for such services make
full use of the advantages of the network, and represent
the development orientation of the virtual government.
l For realization of resource sharing
The governments provide to the mass the information resources
of their public databases via their websites, so that
such public information resources can be shared. E.g.,
the resource sharing functions including all the social
economic statistical indicators, the local economic development
and the tourism resources, the online library and the
online maps can be integrated into the services to be
provided by such government websites.
l Internal e-office (identity authentication, safe e-mail)
The governments often have to issue internally some mandatory
documents. At present, the conventional written documents
and manual signature mode are still remained while the
governmental departments handle the affairs. The activation
of the e-administration system will make it possible for
the governmental departments to depend mainly on the e-processing
and e-transmission for their internal office. In such
case, the signature of documents, the notice for meeting,
the transmission of information, the propaganda of policies,
the promulgation of rules of law, all these can be processed
or conducted by means of the e-mail, and this will quicken
the circulation of information.
The nature of such government works decides that such
internal e-office system have to be based on the network
security authentication. With such authentication, you
need not worry about the authenticity of your information
source, the illegal access by others during the transmission,
or the wrong transmission, and you can process the e-documents
with reassurance.
1.3 Construction status of e-administration
As a whole, the Chinese government departments just see
the initial stage in terms of the application of the e-administration
system. It is observed that, they have made essentially
available the ¡°e-administration¡± hardware, but there are
many problems existing in during the construction of such
system. For instance, the office networks between the
governments at all levels, and between the provinces and
cities have been connected, and there is no the uniform
standards for the network platform and safety technology;
the basic network application functions is not perfect
for the e-administration, and the application level of
leaders is still the bottleneck restricting the e-office.
II. Security System for e-administration system
2.1 Information safety problems
With the rapid development of Internet, it is more and
more popular for the people to depend on the network
for the information exchange. The network¡¯s problems
of information safety are increasing arousing the concerns
and attentions, particularly for the e-administration
application systems with respect to the government¡¯s
confidential documents and the transfer of sensitive
data. For this end, the following problems must be resolved:
? Network¡¯s identity authentication¡ªconfirmation of
authentic identity of network user
? Info and data confidentiality ¡ªprotection of personal/system
confidential info and data
? Info and data integrity¡ªprevention of illegal data
amendment
? Digital signature¡ªNon-repudiation of actions under
network environment
For the security demands of digital info, the following
solutions shall be provided:
? Data confidentiality----encryption
? Data integrity----digital signature
? Identity authentication----digital certificate and
digital signature
? Non-repudiation----digital signature
Now the digital certificate technology is adopted to
ensure the identity authentication of the both parties
involved in the online info transfer and the security
of info transfer, so that the transferred info can enjoy
the confidentiality, authenticity, integrity and non-repudiation.
2.2 Platform of PKI£¨Public Key Infrastructure£©
It is well-known that the PKI system structure is the
relatively mature and perfect solution to the Internet
security so far, which includes the public key technology,
the digital certificate, the CA and the security policy
with regard to the public key. The PKI is a systems
or platform for providing the public-key encryption
and digital signature services for the purpose of the
control of the key and certificate. The security assurance
of the e-administration system should be established
on the basic frame of the PKI.
2.3 Concept of PKI technology
The security of the PKI-based e-administration system
is assured with the encryption, and the e-administration
system adopts two encryption technologies¡ªthe asymmetric
key encryption technology (public-key encryption technology)
and the symmetric key encryption technology. The former
is mostly applied to the protection and distribution
of digital signature and session key (digital envelope),
and the latter is mainly applied to the encryption protection
of the sensitive data, so as to prevent the disclosure
of the state¡¯s confidential info or malicious attack.
l Digital certificate
The digital certificate means a series of data marking
the identity info of the parties involved in the network
communications, which acts as the ID card in our real
life. A CA issues it, and the users can use it to identify
the identity during exchanges.
? Access to the safe Internet websites needing the user
verification;
? Send the encrypted mails with the other party¡¯s digital
certificate;
? Send the mails with one¡¯s signature to other party.
l Digital signature
The digital signature means that the sender encrypts
the communications data with its private key, generates
a digital message and sends such message with the original
text. The digital signature message is similar to the
signature or seal used in our daily life. The receiver
will verify and judge the authenticity of original text
by the sender¡¯s public key.
? Ensure the message to be signed and sent by the signor
itself, and the signor cannot or is hard to repudiate
it; (identity authentication and non-repudiation)
? Ensure no amendment conducted to such message from
its signing and issuing to the receipt, and the signed
and issued document is authentic. (Integrity of data)
l Session key
The session key is applied to the symmetric encryption
algorithm. While implementing the e-administration,
the sender will have a temporary communications key
i.e. the session key for each communications, so as
to protect the communications data (the state¡¯s confidential
info) with the encryption. This session key will be
destroyed after the completion of such communications.
The public-key algorithm will not replace with the symmetric
algorithm. Generally, the public key will not be used
to encrypt the data, but to encrypt the key:
? The symmetric encryption algorithm is faster than
the public-key algorithm (hi-efficiency):
? The public-key algorithm is weak to the plaintext
invasion (anti-invasion).
l Digital envelope
The digital envelope is introduced in order to solve
the problems of change and distribution of keys each
times, integrating the symmetric encryption technology
and public key technology.
The digital envelope means that, the message sender
encrypt a temporary session key with the receiver¡¯s
public key and send it to the receiver. Only the specified
receiver can open this envelope (only the receiver has
the private key to decrypt), get the session key (SK)
and then decrypt the encrypted message.
? Even if the encrypted message is caught illegally
by others, the original text cannot be obtained, for
the sender¡¯s SK cannot be got by such outsiders. (Confidentiality
of data)
? One key one time, with the security improved.
Encrypt and pack the plaintext with the SK (symmetric
key)
Encrypt and pack the SK with the receiver¡¯s public key
Bind these two packages together
Schematic Diagram of Receiver¡¯s Digital Envelope
Encrypted package sent by sender Encrypted package of
SK Open the SK package with the receiver¡¯s private key
Cipher text package Open the cipher text with the SK
Schematic Diagram of Receiver¡¯s Digital Envelope
III. Applications of eKEY in E-administration
3.1 eKEY¡ªinfo safety product
The eKEY product (SmartCOS-PK card +USB Card Reader)
developed independently by MingWah is the info safety
product based on the USB interface. It has the smart
encrypted chip built in, supporting the public-key encryption
algorithm and the symmetric encryption algorithm of
the PKI system; its safety file system can store the
X.509 digital certificate, keys and other confidential
info, meeting with the demands of the e-administration
system for the info safety products at the client-side.
3.2 eKEY function
l Storage function
It can store the RSA/ECC digital certificate, encryption
key, personal key, personal data and control the safety;
l PIN protection
With the PIN protection built in, it can lock the eKEY
if multiple errors occur;
l RSA/ECC digital signature
Supporting the 1024-bit RSA and the 192-bit ECC public-key
encryption algorithm, the digital signature, data encryption/decryption
functions;
l Encryption/decryption of sensitive data
Supporting the DES and 3DES symmetric encryption algorithms
and the 128-bit national-secret grouping encryption
algorithm; realizing the encryption/decryption of data;
l RSA/ECC digital envelope
Supporting the 1024-bit RSA and the192-bit ECC digital
envelope functions; realizing the leading in/out of
the cipher text with the 128-bit national-secret grouping
symmetric key, ensuring the safe transfer of the symmetric
key;
l Features of SDK software
¡ª¡ªSupporting all the Windows platforms;
¡ª¡ªSupporting the Linux Red HatV7.1(Kernel 2.42)
¡ª¡ªProviding the ActiveX component API
¡ª¡ªproviding the API transferred by C language.
3.3 Application of e-administration
(taking the eKEY as example)
The process of eKEY¡¯s application in the e-administration
is described as below:
1. Applying for the eKEY
l Initialize the eKEY
Base on the application conditions of the e-administration,
the corresponding user file structure is built up in
within the eKEY, with the personal PIN set up for each
user at the same time.
The card issuer can finish the
initialization of the eKEY, or the client can finish
such initialization by means of application via the
Internet in person, after the driver software and the
e-administration user tool software have been installed
at the client-side.
l Applying for the certificate
Log in the specified e-administration website, fill
in the application form and submit the necessary supporting
documents for the identity, receive the examination
of the CA Center; after such examination, enter the
¡°CA card-distribution control system¡± and finish the
following operations:
? PIN password verification;
? Generate the RSA/ECC key pair£¨protected by the PIN,
for use only, not for read£©;
? Send the public key to CA certificate-distribution
system, bind together the applicant¡¯s personal data
and the public key, and sign with the CA private and
then generate the digital certificate (RSA/ECC);
? Download the generated certificate into the eKEY;
and store such certificate in the CA certificate library.
2. Application
After the receipt of the private key and the eKEY for
the certificate, users can access to the Internet for
the e-administration activities, including the safe
login, the safe e-mail, the file examination and approval/digital
signature, and the encryption transfer of sensitive
data, and so on.
An entire process of the data encryption/decryption
and identity authentication is listed as below:
l Verify the user¡¯s PIN password, and then allow to
log in the relevant e-administration websites;
l The message sender A generates an info summary AHash(M)
with a unidirectional hashing function.
l The message sender A signs such info summary with
its signature private key.
l The message sender A generates a symmetric key (SK),
encrypts the original message, the signature and its
certificate (with its signature public-key info) with
such symmetric key, and generates the encrypted message.
l The message sender A gets the receiver B¡¯s key-encrypted
public key from B¡¯s certificate, and then generate the
digital envelope with such encrypted symmetric key (SK).
l The A sends the encrypted message and the digital
envelope to the B.
l The B decrypts the digital envelope with the key-encrypted
private key, and gets the symmetric key (SK).
l The B decrypt the encrypted message with the symmetric
key, and gets the A¡¯s certificate, the original message,
and the A¡¯s signature for the info summary.
l The B gets the A¡¯s signature public key from the A¡¯s
certificate, and then decrypt the A¡¯s signature for
such info summary with such public key, and finally
obtains the info summary.
l The B generates the info summary BHash(M) for the
original message with a unidirectional hashing function.
l Compare the info summaries of the Ahash(M) and Bhash(M),
if they are consistent, then the entire processing of
the A¡¯s sending and the B¡¯s receiving of message is
over. Such process ensures the security of the data
transfer, the integrity and non-modifiability of data.
3.4 Startup status of e-administration in South China¡¯s
Nanhai
l PKI-based security system structure
The PKCS#11 standards is adopted for the intermediate
pieces
l Twin-certificate
The 1024-bit RSA and 192-bit ECC twin-certificate is
stored for all the natural person, devices and servers.
l Encryption algorithm
The public-key encryption algorithm adopts the RSA and
ECC;
The symmetric-key encryption algorithm adopts the 3DES
and the national-secret grouping encryption algorithm.
l Two-model client-side safety product
eKEY£¨other eKEY£©
SmartCOS¡ªcombination of PK and card reader
l Server-side safety product
Hardware encryptor £¨with the national-secret grouping
encryption algorithm£©
|
