Monday 19 September 2016

Workshop on Receipt Reconciliation for DDOs

A workshop for controlling officers on the importance of reconciling receipt and expenditure amounts, and on the procedure to be followed, was organised by the Joint Director, Accounts and Treasuries, Nagpur, through a representative of the Office of the Accountant General, on 19/09/2016 at 11.00 a.m.

Presentation (PPT) of the said workshop:- PPT of Reconciliation

Friday 19 August 2016

Biometrics

1. What is meant by the term "Biometrics"?

Biometrics is the automated recognition of living persons based on observation of their behavioral and biological (anatomical and physiological) characteristics.

2. What is biometric data, and which biometric data are used for the identification and verification of individuals in e-Governance applications?

Biometric data is data representing a biometric characteristic, for example image data, behavioral data, sensor data, etc. The Indian Government proposes to use biometric data for identification and verification of individuals in e-Governance applications. The biometric data includes fingerprint images, minutiae, face images and iris data.

3. What is the difference between a Biometric Sample and a Biometric Template?

A Biometric Sample is defined as the data obtained from a biometric device, either directly or after processing.
A Biometric Template is defined as the biometric sample or combination of biometric samples that is suitable for storage as a reference for future comparison.

4. What is a Biometric system?

An automated system capable of:
• Capturing a biometric sample from an end user;
• Extracting biometric data from that sample;
• Comparing the biometric data with that contained in one or more reference templates;
• Deciding how well they match; and
• Indicating whether or not an identification or verification of identity has been achieved.

5. Why are biometric standards important?

Biometric Standards are developed to ensure interoperability of biometric devices and algorithms so as to avoid vendor lock-in and also ensure long term storage of data with technology independence. The defined biometric standards are applicable to all e-Governance applications in India as per the Government’s Policy on Open Standards.

6. What is the significance of recognition, verification, and identification in Biometrics?

Biometric Recognition – This refers to the automated recognition of individuals based on their behavioral and biological characteristics. Automated recognition implies that a machine-based system is used for the recognition, either for the full process or assisted by a human being. Biometric recognition encompasses biometric verification and identification. (Note: This definition of the term 'Biometric Recognition' has been included from 'CD 2382-37, Vocabulary – Biometrics'.)

Biometric Verification – In verification, a transaction by a subject is processed by the system in order to verify a positive specific claim about the subject's enrolment (e.g. "I am enrolled as subject X"). Verification will either accept or reject the claim. The verification decision is considered erroneous if either a false claim is accepted (false accept) or a true claim is rejected (false reject).

Biometric Identification – In identification, a transaction by a subject is processed by the system in order to find an identifier of the subject's enrolment. Identification provides a candidate list of identifiers that may be empty or contain only one identifier. Identification is considered correct when the subject is enrolled and an identifier for their enrolment is in the candidate list. Identification is considered erroneous if either an enrolled subject's identifier is not in the resulting candidate list (false-negative identification error), or a transaction by a non-enrolled subject produces a non-empty candidate list (false-positive identification error).

For more details, please refer to the Biometric Standards for e-Governance published on the portal https://egovstandards.gov.in/.

7. What are the benefits provided by the use of Biometrics?

• Personal data privacy
• Confidential financial transactions
• Law enforcement
• Entry devices for buildings
• Computer network access
• Entity authentication, etc.

8. What are the various e-Governance applications in India using Biometrics?

• UIDAI (Aadhaar)
• NPR (National Population Register)
• E-Passport
• PDS (Public Distribution System)
• RSBY (Rashtriya Swasthya Bima Yojna)
• Transport departments, for issuing or renewing Driving Licences, etc.

9. What is a Fingerprint?

A fingerprint is an impression of the friction ridges found on the inner surface of a finger or a thumb. The ridges follow a global pattern identified as whorl, right loop, left loop, arch, tented arch, twin loop, etc. Skin pores also present a detailed pattern in fingerprints. There are also local patterns where ridges end or bifurcate, known as minutiae. Local and/or global patterns of fingerprints are matched to provide a means of identification or verification. The science of fingerprint recognition constitutes an accurate means of positive identification known to humans.

10. In a fingerprint pattern, what is a Friction Ridge and what are the three basic patterns of fingerprint ridges?

Friction ridges are the ridges present on the skin of the fingers and toes, the palms and the soles of the feet, which make contact with an incident surface under normal touch. On the fingers, the unique patterns formed by the friction ridges make up fingerprints. The three basic patterns of fingerprint ridges are the arch, loop and whorl (Source: http://en.wikipedia.org/wiki/Fingerprint_recognition):
• Arch: The ridges enter from one side of the finger, rise in the center forming an arc, and then exit the other side of the finger.
• Loop: The ridges enter from one side of a finger, form a curve, and then exit on that same side.
• Whorl: Ridges form circularly around a central point on the finger.

11. What are the specifications of the Face Image?

Specifications:
Face Image Type: The Full Frontal Image should be captured as per the specifications laid down in the Face Image Data Standard version 1.0 published on the e-Governance Standards portal https://egovstandards.gov.in.
Color Space: 24-bit RGB (i.e. code 0x01)
Inter-eye Distance: The inter-eye distance should be a minimum of 120 pixels for a head width of 240 pixels.
Pose Angle: Rotation of the head shall be less than ±5 degrees from frontal in every direction (i.e. roll, pitch and yaw).
Shoulders: Both shoulders should be visible.

12. What is an Iris, and what are the specifications of an Iris image?

The Iris is the muscle within the eye that regulates the size of the pupil, controlling the amount of light that enters the eye. "Eye colour" is the colour of the Iris, which can be green, blue or brown; in some cases it can be hazel (light brown) or grey. It is the area between the sclera and the pupil. The texture and patterns of each person's Iris are as unique as a fingerprint.

Iris Image Specifications:
Iris Image Type – The interchange format type of the Iris images defined in this standard is for rectilinear images only. If the image is collected by a camera that captures only one eye at a time and is stored using a rectilinear coordinate system, no specific pre-processing is required. Cameras that capture images of both eyes simultaneously may use the following processing steps to calculate the rotation angle of the Iris images:
i. Pre-processing to calculate rotation angle – Before compression, the Iris image will have to be pre-processed to calculate the rotation angle. Refer to section 6.3.1 of ISO 19794-6:2005(E) for rotation angle calculation for rectilinear images.
ii. Rectilinear Image Rotation Uncertainty – Refer to section 6.3.1.3 of ISO 19794-6:2005(E).
Number of eyes: For enrolment: two eyes. For verification: one or two eyes, depending upon the application's sensitivity requirement.
Iris Diameter: As per ISO 19794-6:2005(E), only medium and higher quality images are acceptable. Hence, for this Standard, the minimum acceptable Iris diameter will be 150 pixels.
Image Margin Segmentation: 50% of the Iris diameter to the left and right; 25% of the Iris diameter at the top and bottom.
Color and Pixel Depth: The iris images shall be captured and stored in grey scale with a pixel depth of 8 bits/pixel.
Illumination: The eye should be illuminated using near-infrared light with a wavelength between approximately 700 and 900 nanometres (nm).
Image Acquisition Format: Lossless formats (Raw/PNG/JPEG 2000).
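As an added example that is not part of the FAQ or of the e-Governance standards themselves, the following Python checks a capture's metadata against the face (Q11) and iris (Q12) limits quoted above and reports every limit the capture misses; the FaceCapture and IrisCapture records and their field names are assumptions for this illustration, to be filled from the capture device's SDK in practice.

```python
import math
from dataclasses import dataclass
from typing import List

# limits quoted in Q11 (face) and Q12 (iris) of the FAQ
FACE_COLOR_DEPTH_BITS = 24          # 24-bit RGB, code 0x01
FACE_MIN_HEAD_WIDTH_PX = 240
FACE_MIN_INTER_EYE_PX = 120         # minimum quoted for a 240 px head width
FACE_MAX_POSE_DEG = 5.0             # rotation must stay below +/-5 degrees
IRIS_GREY_DEPTH_BITS = 8
IRIS_MIN_DIAMETER_PX = 150
IRIS_SIDE_MARGIN = 0.50             # 50% of iris diameter left and right
IRIS_TOP_MARGIN = 0.25              # 25% of iris diameter top and bottom
IRIS_NIR_RANGE_NM = (700.0, 900.0)
IRIS_LOSSLESS_FORMATS = {"RAW", "PNG", "JPEG2000"}


@dataclass
class FaceCapture:              # assumed record; fields would come from the capture SDK
    bits_per_pixel: int
    head_width_px: int
    inter_eye_px: int
    roll_deg: float
    pitch_deg: float
    yaw_deg: float
    shoulders_visible: bool


@dataclass
class IrisCapture:              # assumed record; fields would come from the capture SDK
    width_px: int
    height_px: int
    bits_per_pixel: int
    iris_diameter_px: int
    illumination_nm: float
    image_format: str
    eyes_captured: int


def check_face(c: FaceCapture) -> List[str]:
    """List the Q11 requirements the capture violates (empty list = acceptable)."""
    problems = []
    if c.bits_per_pixel != FACE_COLOR_DEPTH_BITS:
        problems.append(f"colour space must be 24-bit RGB, got {c.bits_per_pixel} bpp")
    if c.head_width_px < FACE_MIN_HEAD_WIDTH_PX:
        problems.append(f"head width {c.head_width_px} px is below {FACE_MIN_HEAD_WIDTH_PX} px")
    if c.inter_eye_px < FACE_MIN_INTER_EYE_PX:
        problems.append(f"inter-eye distance {c.inter_eye_px} px is below {FACE_MIN_INTER_EYE_PX} px")
    for axis, angle in (("roll", c.roll_deg), ("pitch", c.pitch_deg), ("yaw", c.yaw_deg)):
        if abs(angle) >= FACE_MAX_POSE_DEG:       # "less than +/-5 degrees": exactly 5.0 fails
            problems.append(f"{axis} {angle:+.1f} deg is not within +/-{FACE_MAX_POSE_DEG:g} deg of frontal")
    if not c.shoulders_visible:
        problems.append("both shoulders must be visible")
    return problems


def check_iris(c: IrisCapture, for_enrolment: bool) -> List[str]:
    """List the Q12 requirements the capture violates (empty list = acceptable).
    Enrolment needs both eyes; verification accepts one or two."""
    problems = []
    if c.bits_per_pixel != IRIS_GREY_DEPTH_BITS:
        problems.append(f"iris image must be 8-bit grey scale, got {c.bits_per_pixel} bpp")
    d = c.iris_diameter_px
    if d < IRIS_MIN_DIAMETER_PX:
        problems.append(f"iris diameter {d} px is below {IRIS_MIN_DIAMETER_PX} px")
    # the margins are fractions of the iris diameter on each side, so the frame
    # must be at least (1 + 2*0.50) x d wide and (1 + 2*0.25) x d high
    min_w = math.ceil(d * (1 + 2 * IRIS_SIDE_MARGIN))
    min_h = math.ceil(d * (1 + 2 * IRIS_TOP_MARGIN))
    if c.width_px < min_w or c.height_px < min_h:
        problems.append(f"frame {c.width_px}x{c.height_px} px is smaller than the {min_w}x{min_h} px needed for margins")
    lo, hi = IRIS_NIR_RANGE_NM
    if not lo <= c.illumination_nm <= hi:
        problems.append(f"illumination {c.illumination_nm:g} nm is outside the near-infrared {lo:g}-{hi:g} nm band")
    if c.image_format.upper() not in IRIS_LOSSLESS_FORMATS:
        problems.append(f"format {c.image_format!r} is not a lossless RAW/PNG/JPEG 2000 image")
    allowed_eyes = {2} if for_enrolment else {1, 2}
    if c.eyes_captured not in allowed_eyes:
        need = "enrolment needs 2" if for_enrolment else "verification needs 1 or 2"
        problems.append(f"{c.eyes_captured} eye(s) captured; {need}")
    return problems
```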

13. How can the accuracy of a biometric system be measured?

The accuracy of a biometric system is determined through a series of tests in the following order:
i. Technology Evaluation: assessment of matching algorithm accuracy
ii. Scenario Evaluation: assessment of performance in a mock environment
iii. Operational Evaluation: live testing on site
If all the tests are done properly, users will know, to a high degree of accuracy, how the system will perform. (Source: http://biometrics.gov/Documents/FAQ.pdf)

14. What factors cause a biometric system to fail?

In addition to common electronics/computer and hardware failures, common biometric issues include poor-quality biometric samples, user confusion, evasion or non-cooperation, noise, inadequate or excessive lighting, a dirty sensor, or subject handicaps. (Source: http://biometrics.gov/Documents/FAQ.pdf)

Thursday 18 August 2016

Mobile Governance

1. What is the purpose of setting up the Mobile Services Delivery Gateway (MSDG)?
The purpose of setting up MSDG is to provide a one-stop ecosystem for enabling the delivery of various electronic government services through mobile devices in an efficient manner with minimum effort for the participating Government Departments and Agencies. MSDG will also help in enhancing the interoperability of mobile-based services among various Government Departments and reduce the total cost of development and deployment of applications for m-Governance services.
2. What are the functionalities that will be available in MSDG?
MSDG will have functionalities such as hardware and software to test and deploy the m-Governance applications. It will have connectivity options for the citizens to apply for and receive public services through mobile devices irrespective of the network operators with which they are subscribed. It will also have an integrated system for delivering the IVR based services through mobile and fixed line. MSDG will support delivery of both voice and data services and content in a network and device independent manner to the extent possible and feasible. It will also offer shared tools like data collection, helpdesk services, APIs, SDKs to the agencies which wish to deploy mobile applications for public services. It will have a provision for metered access so that various agencies and partners of MSDG can account for fee based services based upon their actual delivery.
3. Who will own MSDG?
MSDG will be owned by DeitY, Government of India, or any of its designated agencies.
4. How will MSDG account for fee-based services?
It will have a provision for metered access so that various agencies and partners of MSDG can account for the fee-based services based upon their actual delivery.
5. Who will be responsible for notification of the standards for mobile applications?
The standards for mobile applications will be formulated and notified by the Department of Electronics & Information Technology, Government of India.
6. Who will be responsible for service fulfilment?
The responsibility for service fulfilment shall lie with the respective Government Department or Agency. MSDG will only serve as the channel between the citizen and the participating Government Department or Agency.
7. Can the participating Departments have an alternate mobile initiative?
Any Government Department or Agency at the Central or State level interested in providing mobile services would be encouraged to provide its services through MSDG to avoid duplication of infrastructure.
8. What are the various delivery channels envisaged to be supported by MSDG?
MSDG shall support the following delivery channels for development and deployment of mobile-based applications for Government services. As the mobile-based technologies are constantly evolving, more channels may be added in future as the need arises.
• SMS (Short Message Service)
• IVR (Interactive Voice Response)
• WAP (Wireless Application Protocol)
• USSD (Unstructured Supplementary Service Data)
• CBC (Cell Broadcast)
• SIM Toolkit (STK)/Dynamic STK, 3G-Video
• Others (WiFi/WLAN etc.)

9. Is e-Governance a prerequisite for m-Governance?
Even though m-Governance may be seen as an extension of e-Governance services, the existence of e-Governance services is not a prerequisite for deployment of m-Governance services. The mobile-based innovative public services to be deployed under the ambit of this framework and implementation strategy are aimed at extending the access of public services to those sections of the society which are unable or unwilling to access public services through the internet, or those which simply prefer to use mobile devices. The key objective of m-Governance initiatives in the proposed framework is to enhance bottom-up participation and empower the disadvantaged sections of society, thus fulfilling the mission of anywhere, anytime services as envisaged under the National e-Governance Plan (NeGP).
10. What are the steps to be followed by a Government Department to register services for m-Governance?
DeitY will provide the necessary guidance and assistance to all Government Departments and Agencies to register their services for m-Governance. DeitY will also provide necessary integration support to help Government Departments in adopting m-Governance for delivery of public services.

11. Who will be responsible for creation of mobile-ready content?
The concerned Departments and Ministries will be responsible for creating and updating mobile-ready content for their respective services. They may seek appropriate inputs and feedback from users.

12. What steps will DeitY take to promote the m-Governance initiative?
DeitY, or any of its designated agencies, will undertake awareness creation and capacity building exercises for promoting the Mobile Governance initiative among stakeholders and potential beneficiaries across Government, Industry, and Civil Society.

Digital Signatures

1. What is Cryptography?
Cryptography is the science of enabling secure communications between a sender and one or more recipients. This is achieved by the sender scrambling a message (with a computer program and a secret key) and leaving the recipient to unscramble the message (with the same computer program and a key, which may or may not be the same as the sender's key). There are two types of cryptography: Secret/Symmetric Key Cryptography and Public Key Cryptography.

Secret key (symmetric/conventional) cryptography is a system based on the sender and receiver of a message knowing and using the same secret key to encrypt and decrypt their messages. One weakness of this system is that the sender and receiver must trust some communication channel to transmit the secret key without disclosure. This form of cryptography ensures data integrity, data authentication and confidentiality.

Public key (asymmetric) cryptography is a system based on pairs of keys called the public key and the private key. The public key is published to everyone while the private key is kept secret by the owner. The need for a sender and a receiver to share a secret key and trust some communication channel is eliminated. This concept was introduced in 1976 by Whitfield Diffie and Martin Hellman. Digital Signatures created using the private key ensure data integrity, data authentication and non-repudiation. However, to ensure confidentiality, the data has to be encrypted with the recipient's public key.
2. How do I get a Digital Signature Certificate?
The Office of the Controller of Certifying Authorities (CCA) issues Certificates only to Certifying Authorities. The CAs in turn issue Digital Signature Certificates to end-users. You can approach any of the CAs for getting a Digital Signature Certificate. For more information about the respective CAs, kindly visit their websites.
Name of CA:
• Safescrypt
• National Informatics Centre
• Institute for Development and Research in Banking Technology (IDRBT)
• TCS CA services
• MTNL CA services
• (n) Code Solutions
• eMudhra

3.    What is a Certifying Authority (CA)?
A CA is a trusted third party willing to verify the ID of entities and their association with a given key, and later issue certificates attesting to that identity. In the passport analogy, the CA is similar to the Ministry of External Affairs, which verifies your identification, creates a recognized and trusted document which certifies who you are, and issues the document to you.
4. Which are the CAs licensed by the Office of the Controller of Certifying Authorities (CCA)?
a. Safescrypt
b. NIC
c. IDRBT
d. TCS
e. MTNL Trustline
f. GNFC
g. e-Mudhra CA
5. If a particular CA goes out of business, the subscribers to that CA are told to move to another CA, and thus each subscriber has to get a new digital certificate. What happens to his/her earlier transactions? Does this not create a legal and financial problem?
Prior to cessation of operations, the CA has to follow procedures as laid down under the IT Act. Therefore, such problems should not exist.
6.    Can one authorize someone to use DSC?
In case a person wants to authorize someone else to sign on his/her behalf, then the person being authorized should use his/her own PKI credentials to sign the respective documents.
7.    Can a person have two digital signatures say one for official use and other one for personal use?
Yes.
8. In the paper world, the date and place where a paper was signed are recorded, and court proceedings follow on that basis. What mechanism is followed for dispute settlement in the case of digital signatures?
Under the IT Act 2000, Digital Signatures are at par with hand written signatures. Therefore, similar court proceedings will be followed.
9.    Is there a "Specimen Digital Signature" like Paper Signature?
No. The Digital signature changes with content of the message.
10. If a person uses someone else's computer instead of his own, is there any threat to the security of the owner's/user's digital signature?
No, there is no threat to the security of the owner's/user's digital signature if the private key lies on the smartcard/crypto token and never leaves the smartcard/crypto token.
11.  Is it possible for someone to use your Digital Signature without your knowledge?
It depends upon how the owner has kept his private key. If private key is not stored securely, then it can be misused without the knowledge of the owner. As per the IT Act 2000, the owner of the private key will be held responsible in the Court of Law for any electronic transactions undertaken using his/her PKI credentials (public/private keys).
12. When you cancel an earlier communication you can get it back; how does this work in an e-environment?
A new message saying that the current message supersedes the earlier one can be sent to the recipient(s). This assumes that all messages are time stamped.
13.  When can a DSC be revoked?
The DSC can be revoked when an officer is transferred, suspended or his/her key is compromised.
14.  How do digital certificates work in e-mail correspondence?
Suppose Sender wants to send a signed data/message to the recipient. He creates a message digest (which serves as a "digital fingerprint") by using a hash function on the message. Sender then encrypts the data/message digest with his own private key. This encrypted message digest is called a Digital Signature and is attached to sender's original message, resulting in a signed data/message. The sender sends his signed data/message to the recipient.
When the recipient receives the signed data/message, he detaches sender's digital signature from the data /message and decrypts the signature with the sender's public key, thus revealing the message digest. The data/message part will have to be re-hashed by the recipient to get the message digest. The recipient then compares this result to the message digest he receives from the sender. If they are exactly equal, the recipient can be confident that the message has come from the sender and has not changed since he signed it. If the message digests are not equal, the message may not have come from the sender of the data/message, or was altered by someone, or was accidentally corrupted after it was signed.
15.  How do Digital Certificates work in a web site?
When a Certificate is installed in a web server, it allows users to check the server's authenticity (server authentication) and ensures that the server is operated by an organization with the right to use the name associated with the server's digital certificate. This safeguards users from trusting unauthorized sites. A secure web server can also control access and check the identity of a client by referring to the client's certificate (client authentication); this eliminates the use of password dialogs that restrict access to particular users. Authenticating the identities of both the server and the client through the exchange and verification of their digital certificates is called mutual server-client authentication. The technology that provides mutual server-client authentication is the Secure Sockets Layer (SSL) encryption scheme.
16. What clause should an e-Governance project have to ensure that the PKI implementation meets the requirements of the IT Act 2000?
The e-Governance applications have to be developed in compliance with the RFC 5280 certificate profile. A number of commercial and open source PKI toolkits are available which can be used to develop a standard validation process, for example Microsoft CNG and the Sun Java Toolkit. Please refer to Annexure IV of the Digital Signature Certificate Interoperability Guidelines (http://cca.gov.in/cca/sites/all/DSC_Interoperability_Guidelines_R2.5.pdf) for further details.
17.  Can I use the certificate issued by a CA across e-Governance applications?
Yes.
18.  What are the key sizes in India?
CA Key is 2048 bits and the end user keys are 1024 bits. However from 1 Jan 2011, the end user keys are 2048 bits as well, as per the notification by CCA.
19.  What is the size of digital signatures?
The size of the Digital Signatures varies with the size of the keys used for generation of the message digest or hash. It can be a few bytes.
20.  What is the Key Escrow?
Key escrow (also known as a fair cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. These third parties may include businesses, who may want access to employees' private communications, or governments, who may wish to be able to view the contents of encrypted communications.
21. How do applications use Certificate Revocation Lists (CRLs)?
The applications download the CRLs from the respective CA sites at a specified frequency. The applications then verify the public keys against this CRL at the time of Digital Signature verification. The CCA is in the process of implementing the OCVS (Online Certificate Verification Service). This will enable online verification of the CRLs by the applications.
22. How long do the CAs in India preserve the Public Keys of the end users?
As per the IT Act 2000, each CA stores the Public Key in their repository for a period of 7 years from the date of expiration of the Certificate.
23.  Should e-Governance applications archive the Digital Signature Certificates as well?
In view of the fact that the CAs have a mandate to save the DSCs for a period of 7 years, it may be advisable for e-Governance applications that need to verify records for authenticity beyond 7 years to archive the DSCs themselves.
24.  Is it possible that a document has multiple signatures?
Yes, a document can have multiple Digital Signatures. For example, in the MCA21 application, the forms are signed by different Directors as part of the application workflow.
25.  What are the types of applications that should use Digital Signatures?
They are hardware security tokens used to store cryptographic keys and certificates. For example, USB etc.
26.  What are the different ways of authenticating content of digitally signed documents issued to the citizen?
There are different ways of verifying the content and the digital signatures of the document. Some of the mechanisms are listed below:
1. Via Unique Request ID (manual content verification only) – In this process the user can verify the validity of his/her document by logging onto the Department website and providing the unique request number printed on the document. The Department application will display the electronic version of the document stored in the application repository. However, since the digital signature on the document is not verified in this process, the contents have to be verified manually by the user by comparing the online document from the website with the hardcopy of the document. This process thus provides content verification only; the Digital Signature is not verified.
2. Verification by the 2D Barcode – In this process, the barcode printed at the bottom of the document is used for the digital signature verification. The barcode has the Digital Signature embedded in it. The two verification mechanisms listed below verify the Digital Signature only. Since the complete content of the document is not scanned, the content verification has to be done manually.
a) Online Verification
In this process, a barcode reader is used to scan the 2-D bar code printed at the bottom of the certificate. The verification utility of the Departmental application would verify the digital signature embedded in the document and after successful verification, show the corresponding electronic record on their website. However the user needs to compare the contents of the electronic record and the hardcopy. This method requires a computer, an internet connection and a 2D bar code reader.
b) Offline Verification
In this process, the user can verify the digital signature embedded in the barcode without connecting to the Department website, which is why the process is called "offline" verification. The user needs to download and install the verification utility custom developed by the Department (downloadable from its website). The user also needs to download the root chain certificates of CCA and NIC and the public key of the authorized taluka and the taluka official onto the computer. Once these items are installed on the computer, the user can scan the 2D barcode on the document and the verification utility will check the validity of the digital signature embedded in the document, thereby proving the authenticity of the document. However, the content of the hardcopy of the document will have to be verified manually by comparing it with the electronic version available at the Department website, as the content of the hardcopy is not scanned in this process.
27.  How can a digitally signed document be verified after the DSC associated with the Public Key has expired?
The digital signature verification process for a document requires the public key, the root chains and the CRL. The e-Governance application should therefore have a repository of the public key certificates, root chains and CRLs of the time the document was digitally signed. The CAs are at present mandated to store the Digital Signature Certificates, root chains and CRLs for a period of 7 years as per the Rules under the IT Act. Therefore the Digital Signature Certificates can be downloaded from the CAs for a period of 7 years. However, if the digital signature on a document needs to be verified after this period, the e-Governance applications will have to have a provision to store the DSCs, root chains and CRLs in a repository and verify digitally signed documents against this repository. It may, however, be a cumbersome process to obtain the CRLs from the respective CAs for a specific period in the past.
28.  How can Departments ensure that their Government officers authorized to sign the Certificates do not misuse their Digital Signature Certificates after being transferred from a given place?
It is recommended that as part of the handing over of charge of a given officer, the DSC issued to the officer be revoked. Further his user credentials in the respective e-Governance applications should be deactivated so that he can no longer access the application while the Certificate revocation is under process with the CA. Once the DSC is successfully revoked, the officer will be no longer able to sign the documents.
29.  How can a citizen be assured that the document has been digitally signed by the appropriate authorized Government officer?
In order to ensure that the documents are signed by authorized individuals only, the Departments should maintain a repository having a mapping between the DSC and the respective roles assigned to the officers of the Departments. The e-Governance application should check against this repository for the various documents before allowing an officer to digitally sign the document. This mechanism has been implemented in MCA21 application wherein multiple directors sign the e-forms for the application. The key challenge with this approach is to be able to maintain an updated repository at all times.
The Government of India is currently looking into the proposal for creation of a central repository of Digital Signature Certificates and CRLs in order to ensure that digitally signed documents can be verified at a later date (greater than 7 years).