Presentation given by Rajan Raj Pant, Controller Ministry of Science & Technology, Government of Nepal on August 3rd, 2011 at eWorld Forum (www.eworldforum.net) in the session Information Management and Security
1. Comprehensive National Authentication Framework using Digital Certificate and One Time Passwords
Rajan Raj Pant, Controller, Office of Controller of Certification, Ministry of Science & Technology

2. The State of User Authentication
- Passwords still dominate, but continue to weaken
- The need for strong authentication continues to grow
- Increasing number of business processes moving online
- Employee mobility expanding: demand for anywhere, anytime access to information
- Compliance and notification laws proliferate
- Phishing attacks have increased dramatically (see www.antiphishing.org)
3. Digital Certificates
- A digital certificate is an electronic document that uses a method to bind together a public key and an identity
- It can be used to verify that a public key belongs to an individual
(figure label: Digital Certificate)
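The slide states that a certificate binds a public key to an identity so that a relying party can check that a key belongs to a particular person. The following example is added here to show that binding mechanically; it is not code from the presentation or from the Office of Controller of Certification. It is a deliberate toy: the certificate is a small JSON structure rather than X.509, the signature scheme is textbook RSA over a SHA-256 digest with insecure key sizes so that it runs in pure Python, and the CA name "Example National CA" and subject "citizen-0001" are placeholders.

```python
# Added example: how a CA-issued certificate binds an identity to a public key,
# and how a relying party refuses a signature whose key is not so bound.
# Toy RSA with small keys and a JSON "certificate": for illustration only.
import hashlib
import json
import random
from math import gcd

RNG = random.Random(2011)  # fixed seed so the constructed demo is deterministic


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test, good enough for toy key generation."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_keypair(bits: int = 96):
    """Toy RSA keypair: returns (public=(e, n), private=(d, n)). NOT for real use."""
    e = 65537
    while True:
        p = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        q = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if p == q or not (is_probable_prime(p) and is_probable_prime(q)):
            continue
        phi = (p - 1) * (q - 1)
        if gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def digest_as_int(data: bytes, n: int) -> int:
    """SHA-256 the data and reduce it into the modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    d, n = private
    return pow(digest_as_int(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    e, n = public
    return pow(signature, e, n) == digest_as_int(data, n)


def canonical(obj) -> bytes:
    """Deterministic encoding of the to-be-signed fields."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(ca_name: str, ca_private, subject: str, subject_public) -> dict:
    """The CA signs the pair (subject identity, subject public key): that is the binding."""
    tbs = {"issuer": ca_name, "subject": subject,
           "public_key": {"e": subject_public[0], "n": subject_public[1]}}
    return {"tbs": tbs, "signature": sign(ca_private, canonical(tbs))}


def verify_certificate(cert: dict, trusted_cas: dict) -> bool:
    """A relying party accepts the binding only if a CA it already trusts signed it."""
    ca_public = trusted_cas.get(cert["tbs"]["issuer"])
    return ca_public is not None and verify(ca_public, canonical(cert["tbs"]), cert["signature"])


def verify_signed_document(cert: dict, trusted_cas: dict, document: bytes, signature: int):
    """Returns (ok, signer identity). The document signature counts only if the key is bound."""
    if not verify_certificate(cert, trusted_cas):
        return False, None
    pk = cert["tbs"]["public_key"]
    if not verify((pk["e"], pk["n"]), document, signature):
        return False, None
    return True, cert["tbs"]["subject"]


# Constructed demo: one national CA (placeholder name), one citizen, one relying application.
CA_PUBLIC, CA_PRIVATE = generate_keypair()
TRUSTED_CAS = {"Example National CA": CA_PUBLIC}
CITIZEN_PUBLIC, CITIZEN_PRIVATE = generate_keypair()
CITIZEN_CERT = issue_certificate("Example National CA", CA_PRIVATE, "citizen-0001", CITIZEN_PUBLIC)


def demo():
    doc = b"constructed sample document: tax return 2011"
    ok, who = verify_signed_document(CITIZEN_CERT, TRUSTED_CAS, doc, sign(CITIZEN_PRIVATE, doc))
    # Someone with their own key cannot obtain a certificate from the trusted CA, so a
    # self-made certificate claiming the same identity fails the binding check.
    rogue_public, rogue_private = generate_keypair()
    rogue_cert = issue_certificate("Example National CA", rogue_private, "citizen-0001", rogue_public)
    rogue_ok, _ = verify_signed_document(rogue_cert, TRUSTED_CAS, doc, sign(rogue_private, doc))
    return ok, who, rogue_ok


if __name__ == "__main__":
    print(demo())  # (True, 'citizen-0001', False)
```

The point the relying party's code makes is that a valid signature by itself proves nothing about who signed; only the CA's signature over the identity/key pair connects the key to a person, which is what gives the certificate-based option its non-repudiation value.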
4. One Time Passwords (OTP)
- Delivered via a hardware token, a software application on a PC or smart device, or over an SMS channel
- Can only be used once
(figure labels: Hardware Token, Software Token on PC, Software Token on Mobile Device, OTP On-demand)
5. Lightweight OTP and Legal Validity using Digital Certificates: Mantra of Hybrid Authentication
- All citizen-centric Internet applications can use the single authentication framework without re-investing in citizen registration, saving thousands of dollars in user management
- Applications can choose OTP for lightweight authentication, and Digital Certificates where non-repudiation and digital signing are necessary. Not all applications require digital signatures, but all applications definitely need “strong 2-factor authentication”
- Citizens would be safe from password-based vulnerabilities and would not need to remember multiple authentication schemes across the various public and private enterprises, greatly increasing convenience
- With government support, a uniform and strong authentication service would be available for all to access. A major deterrent to technology adoption is the initial cost of procurement and maintenance; this is eliminated by the government providing the service to all enterprises and citizens alike
- The framework can easily be extended to newer authentication technologies, e.g. risk-based authentication, knowledge-based authentication, etc.
(figure labels: OTP Authentication, PKI Authentication & Services, eCommerce Site, Internet Banking Site)
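Slides 4 and 5 describe the lightweight half of the hybrid framework: an OTP that can be used only once, delivered by a token or SMS. The presentation does not say which OTP algorithm the framework uses; the example below is added here, is not the presentation's or the framework's code, and assumes a counter-based OTP as standardized in RFC 4226 (HOTP), because that standard's published test vectors let the result be checked. The shared secret is RFC 4226's test secret, and the user name and window sizes are constructed. It shows the server-side rule that actually enforces "can only be used once": accepting a code moves the user's counter past it, so the same code (and any older one) is dead from then on.

```python
# Added example: HOTP (RFC 4226) generation plus a server-side verifier that
# enforces single use by advancing the counter past every accepted code.
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"  # the test secret from RFC 4226 Appendix D


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """Simulates the citizen's device (hardware token or phone app): its counter only moves forward."""

    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """Authentication service state: per user, a shared secret, a moving counter and a failure count.

    look_ahead lets the server resynchronize when the user generated codes without using them;
    max_failures throttles guessing, as RFC 4226 recommends.
    """

    def __init__(self, look_ahead: int = 5, max_failures: int = 5):
        self.users = {}
        self.look_ahead = look_ahead
        self.max_failures = max_failures

    def enroll(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0, "failures": 0}

    def verify(self, user: str, code: str) -> bool:
        rec = self.users.get(user)
        if rec is None or rec["failures"] >= self.max_failures:
            return False
        for c in range(rec["counter"], rec["counter"] + self.look_ahead):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1   # single use: this code and all earlier ones are now invalid
                rec["failures"] = 0
                return True
        rec["failures"] += 1
        return False


def demo():
    """Constructed walk-through: login, replay, resync after unused presses, stale code."""
    server = OtpServer()
    server.enroll("citizen-0001", RFC4226_SECRET)          # placeholder user name
    token = Token(RFC4226_SECRET)
    first = token.press()                                   # counter 0 -> "755224"
    accepted = server.verify("citizen-0001", first)         # True, server counter becomes 1
    replayed = server.verify("citizen-0001", first)         # False: the same code is never accepted twice
    token.press()                                           # counter 1, generated but never submitted
    token.press()                                           # counter 2, likewise
    resync = server.verify("citizen-0001", token.press())   # counter 3 is inside the look-ahead: True
    stale = server.verify("citizen-0001", hotp(RFC4226_SECRET, 2))  # older than the server counter: False
    return first, accepted, replayed, resync, stale


if __name__ == "__main__":
    print(demo())  # ('755224', True, False, True, False)
```

Two details matter for a national service: the comparison uses `hmac.compare_digest` so code checking is constant-time, and the counter is advanced only on the server, so an intercepted SMS code becomes worthless the moment the legitimate login succeeds.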
6. Digital Certificate Management Components
- Registration Manager
- Certificate Manager
- Validation Manager
- Key Recovery Manager
- Card Manager
- Web Server
- User Validation Client

14. [slide title not recovered]
- Location: Southern Asia, between India and China
- ISPs: 12; telecom operators: 4
- Area: 147,181 sq km (land: 143,351 sq km; water: 3,830 sq km)
- Population: 29,391,883 (June 2011); country comparison to the world: 41

22. Vision
“The Value Networking Nepal” through:
- Citizen-centered service
- Transparent service
- Networking government
- Knowledge-based society

23. Nepal Factsheet
- Population: 29,391,883 (June 2011); country comparison to the world: 41
- Internet hosts: 43,928 (2010); country comparison to the world: 91
- Internet users: 2,426,357 (June 2011); country comparison to the world: 116
- Internet penetration: 8.49 %
- Current penetration of mobile: 24.35 %
- Legal and policy framework: ETA 2006, IT Policy, Password Practices, IT Security Guidelines (to be passed)
26. IT Trends in Nepal (present and future)
E-mail, Facebook, Skype, IRD Online Tax Return, PKI, E-Passport, E-Banking, Online Postbox, NID, DR Center, GIDC, Mobile Cash, Digitization of Land Map, Vehicle Registration, GEA

27. Technology Architecture: Security
- Security layers: Applications Security, Services Security, Infrastructure Security
- Security planes: Management Plane, Control Plane, End User Plane
- Security dimensions: Access Control, Authentication, Non-Repudiation, Data Confidentiality, Communications Security, Data Integrity, Availability, Privacy
- Threats: Destruction, Corruption, Removal, Disclosure, Interruption
- Vulnerabilities and Attacks (diagram labels)

28. Initiations
- ITERT
- IT Security Guidelines
- Code of Conduct for IT
- Government Network

29. Cyber Crime
- 21 cases reported so far, mostly social engineering from Facebook
- Hacking: 38 cases up to May 2011

38. OCC Functions
- Implementation of ETA
- License to ICA
- Monitoring and supervision of ICAs
- Information security related works
- IT security audit
- Investigation agency