JOnline: Privacy PKI: Improved Security System for Public Administration 


Processes that are related to the identification and the authentication of individuals and legal entities have been functioning for a while in public administration (PA) and business entities. Approaches to identity management solutions vary throughout Europe, as many European countries are at different maturity levels of services.

This article concentrates on public key infrastructure (PKI)-related identity management solutions, mainly from a Hungarian perspective. It presents a suggested PKI-based identity management framework, customized for Hungarian specialties.

PKI Technology as an Improvement Opportunity for E-government

The traditional identity management methods that have been in use are neither secure nor comfortable. The PKI architecture provides services that are rooted in the available information technology (IT). Regarding all business processes associated with PKI, the requirements for process improvement and the opportunities for enhancing the existing business and software processes should be investigated.

For political and economic reasons, there is a strong pressure to implement more PA services using IT—e-government services. Remote access to e-government services makes it necessary for citizens to identify and authenticate themselves in a reliable and secure manner that ensures mutual trust for both the PA and the citizens.

PKI technology, developed over the last decades, has been broadly successful. However, it has achieved only modest success in the relationship between citizens and government, i.e., in e-government.

The problem is that even if the most recent PKI technology is used, PKI cannot guarantee the authentication and authorization of the identity at the level that is required by PA.1 Business processes and the supporting IT for e-government services must be reengineered, and the available technology solutions should be complemented with appropriate parts. The concept of identity background checking should also be leveraged. The most important Hungarian regulation approach is found in the Act for Procedures of Processes in Public Administration.

Within the relationship between the citizen and PA, there is a requirement for mutual verification and validation of the identities of partners, usually prescribed compulsorily by law, legal environments and/or jurisdiction.

There are several technologies available that could provide a technical solution. However, a technically satisfying solution could collide with local regulation and jurisdictions. Technology should provide services even in distributed or federated cases, by which the partners—PA and citizens—could build up a mutual trust relationship.

There is a very critical and significant difference between the use of PKI in PA and its use by public enterprises, especially the internal utilization of PKI for secure and reliable communication and business management among an organization’s staff members.2 The difference lies in the privacy and protection of personal data. A person can be identified unambiguously, or with high probability, using some natural items of information, e.g., given name and second name. There are also identification numbers or character strings used within certain sectors of PA, such as tax numbers, social insurance numbers or personal identification numbers. Because of legal restrictions in some countries and jurisdictions, these unambiguous and easy-to-handle identifiers cannot be used together, stored in the same data store or linked to each other. This is true, in a broad sense, for the member countries of the European Union (EU), albeit with slight differences.

If a citizen obtains a digital certificate from one of the commercial certification authorities (CAs) for managing his/her business with the PA, the public directory of the CA will not contain other data. Optionally, the name of the organization, department/business unit, country code, identification number/serial number, or the city or town may appear as public information. The publication of these data is somewhat risky because of privacy issues, unless the person gives permission for the publication. The public key and the serial number of the certificate at a particular CA can be considered an unambiguous, unique identifier of a person. For identification and authentication, these data seem to be perfect. However, what does the public key identify? The popular view is that the person is identified, but the question is which person. Using the public key included in the certificate, only the name and maybe the e-mail address of the person are public. What process can identify the person unambiguously in this situation? Generally, the available information is not sufficient for unambiguous identification, as names (given name, second name, etc.) are not unique. The alternatives for PA are to:

  • Create a central database of e-mail addresses and couple to the specific person
  • Create a central database of public keys and link to the specific person
  • Use the existing central databases of tax numbers, social insurance numbers and personal identification numbers
  • Map the person unambiguously onto the identifier in each single database. The identifier and public key should be linked together in each database.

Disregarding the “Big Brother” approach, in which the state collects all personal data, one of the lawful solutions is a voluntary registration mechanism that links the person and the public key in his/her digital certificate. The major task is to find a registration, certification, identification and authentication mechanism that conforms to the international (EU) directives and national laws and regulations. The tax offices and the social insurance agencies have similar databases containing the identifier that is specific to the sector as well as other items of personal data suitable for identifying the person and considered natural identifiers. There is a temptation to use these databases to support the identification and authentication within each sector of PA involved in e-government and using PKI technology. Joining the public key of a person’s certificate and the identifier specific to a particular sector of PA seems to be a feasible approach, with the rationale that the public key is public—nomen est omen—and it doesn’t jeopardize the person’s privacy. However, there is a serious logical fault in this argument. Through the public key of a person’s certificate, all the separate and insulated databases can be joined together by a primitive algorithm without any serious effort. All the activities related to the public administration of a single person could be tracked easily, and the collection of data about a person would become trivial. In the EU generally and in the member states specifically, this solution is strictly prohibited by the law and the practice of jurisdiction. A further problem area is supporting commercial CAs by creating a market for their services.

The Hungarian Solution to Improve the Service and Security of E-government Processes

In Hungary, the Gordian knot of the previously mentioned problem is resolved in the following way (see figure 1):

  • The request for a certificate enclosing a digital signature and registration takes place at a commercial CA with a conforming rigorous certification policy (CP) that enables the certification holder to do business with government through e-government services (no. 1 and 4 in figure 1). Avoidance of centralization of personal data is automatically guaranteed and designates a movement toward a federated PKI architecture.
  • At a single CA, the person’s naturally identifying data are stored in a secure database beside the certificate, and only the public data are published in a directory. The certificate contains an indicator that signals the appropriateness for the PA to handle issues through e-government services. The identifiers specific to certain sectors of PA (tax number, social insurance number, etc.) are not stored in the certificate or in the personal registration database—not even in a coded format that might be created by a cryptographic algorithm or a hash function.
  • By force of law, the CAs should operate a so-called certificate revocation list (CRL) site. At this site, the CA should provide a specific service that answers yes or no to an identification request from the PA. The CA receives a data package that includes the naturally identifying data of a person and the public key and/or the serial number of the certificate. The service checks the database, retrieves the stored record and compares it with the provided data. If there is a match, the answer is yes; in all other cases, the answer is no (no. 3, 4, 5 and 6).
  • During an interaction with the PA, a citizen can identify himself/herself and attempt to be authenticated by a certificate enclosing a digital signature. The e-government service of a specific sector requests the sector-specific identifier (e.g., tax number or social insurance number), the public key of the digital signature and some naturally identifying data. Based on the gathered data, the e-government service requests an answer from the issuing CA and performs a check on its own internal database. Only after receiving answers that match the available data from both sources (i.e., the internal and the external database) is the person authenticated and authorized to execute transactions through the e-government service (see no. 1-6).
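The linkage risk described in the previous section and the verification flow above, as an added Python model that is not part of the original article: the naive design keeps the certificate's public key next to each sector identifier and can be joined with a single dictionary intersection, whereas the Hungarian design keeps sector identifiers out of the CA's database entirely and lets the CA answer only yes or no. All names, records and the `CertificationAuthority`/`SectorService` classes are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    """Naturally identifying data; frozen so records compare by value."""
    given_name: str
    second_name: str
    birth_date: str  # constructed extra attribute for illustration


ANNA = Person("Anna", "Kovacs", "1980-01-02")  # constructed sample citizen

# Naive design: every sector stores the public key next to its own identifier.
# Constructed sample data; "pk-A1" stands in for a real public key.
TAX_DB_NAIVE = {"pk-A1": ("tax-111", ANNA)}
INSURANCE_DB_NAIVE = {"pk-A1": ("sin-999", ANNA)}


def join_on_public_key(*sector_dbs):
    """The 'primitive algorithm' the article warns about: intersecting the key
    sets links every sector record of a person in one step."""
    common = set.intersection(*(set(db) for db in sector_dbs))
    return {pk: [db[pk][0] for db in sector_dbs] for pk in common}


class CertificationAuthority:
    """Holds natural data beside the certificate only; no sector identifier,
    not even hashed, so its database cannot serve as a join table."""

    def __init__(self):
        self._secure_db = {}  # serial -> (public_key, Person)

    def register(self, serial, public_key, person):
        self._secure_db[serial] = (public_key, person)

    def verify(self, serial, public_key, person):
        """Yes/no service at the CRL site: match or no match, nothing else."""
        return self._secure_db.get(serial) == (public_key, person)


class SectorService:
    """One PA sector (e.g. tax office): sector id -> Person, no public keys."""

    def __init__(self, ca, sector_db):
        self.ca, self.sector_db = ca, sector_db

    def authenticate(self, sector_id, serial, public_key, person):
        # Both the internal record and the CA's answer must fit the presented data.
        internal_ok = self.sector_db.get(sector_id) == person
        external_ok = self.ca.verify(serial, public_key, person)
        return internal_ok and external_ok
```

Because neither the CA nor the sector persists the other's identifier, no single key exists on which the sector databases could be joined.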

Figure 1

Conclusion

PA faces a lot of legal issues as the circle that may want to do business with it is not closed and could be regarded as open. The procedures of PA abide by strict regulations, laws and other legalities. For this reason, the e-government service should find the narrow path between the legal opportunities and solutions provided by the PKI technology.

The Hungarian approach avoids several pitfalls:

  • There is no central registration of citizens with digital certificates.
  • The registration process does not use any sector-specific identifier of the Hungarian PA at the commercial CA.
  • The certificate issued by the commercial CA contains sufficient information for interfaces and automated software solutions at the various sectors of the Hungarian PA.

The cryptographic procedures applied in PKI technology are widespread, technically sophisticated, sound, reliable and resistant to known algorithmic attacks.

The Hungarian solution is technically sound and conforms to the legal environment without any compromise and, therefore, could be considered as the basis for an international approach.

Endnotes

1 Menezes, Alfred J.; P. C. van Oorschot; Scott A. Vanstone; Handbook of Applied Cryptography, CRC Press, 2001

2 Nash, A.; Bill Duane; Celia Joseph; Derek Brink; PKI: Implementing and Managing E-security, USA, Osborne/McGraw-Hill, 2001

Bálint Molnár, Ph.D., CISA
is a member of the ISACA Academic Relations Committee and a principal consultant, research and course manager, at the Information Technology Foundation of the Hungarian Academy of Sciences, which works for the Hungarian Government as a service provider in ICT consultancy. Molnár is also associate professor at Budapest University of Economic Sciences and Public Administration, where he teaches development of information systems, project management and knowledge-based systems development. Molnár can be reached at molnar@informatika.bke.hu.

Andrea Kõ, Ph.D.
is a lecturer at Budapest University of Economic Sciences and Public Administration in the Department of Information Systems. She teaches IT audit, MIS, knowledge management, e-commerce, information systems development, project management and knowledge-based systems development. She is also an ISACA member and academic advocate, as well as a member of the John von Neumann Society for Computing Sciences. Kõ can be reached at ko@informatika.bke.hu.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.