Monday 19 September 2016
Workshop on Receipt Reconciliation for DDOs
A workshop for Controlling Officers on the importance of reconciling receipt and expenditure amounts, and on the procedure to be followed, was organised by the Joint Director, Accounts and Treasuries, Nagpur, through a representative of the Office of the Accountant General, on 19/09/2016 at 11.00 a.m.
Presentation (PPT) of the said workshop :- PPT of Reconciliation
Friday 19 August 2016
Biometrics
1. What is meant by the term “Biometrics”?
Biometrics is the [automated] recognition of [living] persons based on observation of behavioral and biological (anatomical and physiological) characteristics.
2. What is Biometric Data and which are the different biometric data being used for the identification and verification of individuals in e-Governance applications?
Biometric data is the data representing a biometric characteristic, for example image data, behavioral data, sensor data, etc. The Indian Government proposes to use biometric data for identification and verification of individuals in e-Governance applications. The biometric data includes fingerprint image, minutiae, face image and iris data.
3. What is the difference between Biometric Sample and Biometric Template?
Biometric Sample is defined as the data obtained from a biometric device, either directly or after processing.
Biometric Template is defined as the biometric sample or combination of biometric samples that is suitable for storage as a reference for future comparison.
4. What is a Biometric system?
An automated system capable of:
• Capturing a biometric sample from an end user;
• Extracting biometric data from that sample;
• Comparing the biometric data with that contained in one or more reference templates;
• Deciding how well they match; and
• Indicating whether or not an identification or verification of identity has been achieved.
5. Why are Biometric standards important?
Biometric Standards are developed to ensure interoperability of biometric devices and algorithms, so as to avoid vendor lock-in, and also to ensure long-term storage of data with technology independence. The defined biometric standards are applicable to all e-Governance applications in India as per the Government’s Policy on Open Standards.
6. What is the significance of recognition, verification, and identification in Biometrics?
Biometric Recognition – It refers to the automated recognition of individuals based on their behavioral and biological characteristics. Automated recognition implies that a machine-based system is used for the recognition, either for the full process or assisted by a human being. Biometric recognition encompasses biometric verification and identification. (Note: This definition of the term ‘Biometric Recognition’ has been included from ‘CD 2382-37, Vocabulary – Biometrics’.)
Biometric Verification – In verification, a transaction by a subject is processed by the system in order to verify a positive specific claim about the subject’s enrolment (e.g. “I am enrolled as subject X”). Verification will either accept or reject the claim. The verification decision outcome is considered erroneous if either a false claim is accepted (false accept) or a true claim is rejected (false reject).
Biometric Identification – In identification, a transaction by a subject is processed by the system in order to find an identifier of the subject’s enrolment. Identification provides a candidate list of identifiers that may be empty or contain only one identifier. Identification is considered correct when the subject is enrolled and an identifier for their enrolment is in the candidate list. The identification is considered erroneous if either an enrolled subject’s identifier is not in the resulting candidate list (false-negative identification error), or a transaction by a non-enrolled subject produces a non-empty candidate list (false-positive identification error). For more details, please refer to the Biometric Standards for e-Governance published on the portal https://egovstandards.gov.in/.
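As an added illustration of the verification and identification outcomes defined above (example code written for this page, not taken from the e-Governance standards): a toy matcher over constructed 256-bit templates with a Hamming-distance threshold, the claim-based accept/reject decision, the candidate list, and two functions that classify each outcome as correct, false accept, false reject, false-negative or false-positive identification error. The template format, the threshold and the subject names are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Template is a toy 256-bit reference standing in for real biometric data (minutiae, iris code); constructed for this example.
type Template [4]uint64

// distance is the Hamming distance between two templates; lower is a closer match.
func distance(a, b Template) int {
	d := 0
	for i := range a {
		d += bits.OnesCount64(a[i] ^ b[i])
	}
	return d
}

// System holds the enrolled reference templates and the match-decision threshold.
type System struct {
	Enrolled  map[string]Template // identifier -> reference template
	Threshold int                 // largest distance still declared a match
}

// Verify processes a positive specific claim ("I am enrolled as claimID") and returns accept (true) or reject (false).
func (s System) Verify(claimID string, sample Template) bool {
	ref, ok := s.Enrolled[claimID]
	return ok && distance(ref, sample) <= s.Threshold
}

// Identify returns the candidate list: identifiers of every enrolment within the threshold (may be empty).
func (s System) Identify(sample Template) []string {
	var candidates []string
	for id, ref := range s.Enrolled {
		if distance(ref, sample) <= s.Threshold {
			candidates = append(candidates, id)
		}
	}
	return candidates
}

// ScoreVerification applies the Q6 rule: a false claim accepted is a false accept, a true claim
// rejected is a false reject. trueID is the subject's real identifier ("" when not enrolled at all).
func ScoreVerification(claimID, trueID string, accepted bool) string {
	switch {
	case accepted && claimID != trueID:
		return "false accept"
	case !accepted && claimID == trueID:
		return "false reject"
	}
	return "correct"
}

// ScoreIdentification applies the Q6 candidate-list rule: an enrolled subject missing from the list is a
// false negative; a non-enrolled subject (trueID == "") producing a non-empty list is a false positive.
func ScoreIdentification(trueID string, candidates []string) string {
	if trueID == "" {
		if len(candidates) == 0 {
			return "correct"
		}
		return "false-positive identification error"
	}
	for _, c := range candidates {
		if c == trueID {
			return "correct"
		}
	}
	return "false-negative identification error"
}

// noisy simulates a fresh capture differing from the reference in the n lowest bits of the first word.
func noisy(t Template, n int) Template {
	t[0] ^= (uint64(1) << uint(n)) - 1
	return t
}

// demoSystem enrols two constructed subjects; the 40-of-256-bit threshold is a constructed operating point, not a standard value.
func demoSystem() System {
	a := Template{0x0123456789abcdef, 0xfedcba9876543210, 0x0f0f0f0f0f0f0f0f, 0xf0f0f0f0f0f0f0f0}
	b := Template{0xffffffffffffffff, 0x0000000000000000, 0xaaaaaaaaaaaaaaaa, 0x5555555555555555}
	return System{Enrolled: map[string]Template{"subject-A": a, "subject-B": b}, Threshold: 40}
}

func main() {
	s := demoSystem()
	good := noisy(s.Enrolled["subject-A"], 20)     // subject A, ordinary capture
	poor := noisy(s.Enrolled["subject-A"], 60)     // subject A, poor-quality capture (cf. Q14)
	stranger := noisy(s.Enrolled["subject-B"], 30) // non-enrolled person whose template happens to lie near B's
	fmt.Println("A claims A, good sample:", ScoreVerification("subject-A", "subject-A", s.Verify("subject-A", good)))
	fmt.Println("A claims A, poor sample:", ScoreVerification("subject-A", "subject-A", s.Verify("subject-A", poor)))
	fmt.Println("identify poor sample:   ", ScoreIdentification("subject-A", s.Identify(poor)))
	fmt.Println("identify stranger:      ", ScoreIdentification("", s.Identify(stranger)))
}
```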
7. What are the benefits provided by the use of Biometrics?
• Computer network access
• Entry devices for buildings
• Law enforcement
• Confidential financial transactions
• Personal data privacy
• Entity authentication, etc.
8. What are the various e-Governance applications in India using Biometrics?
• RSBY (Rashtriya Swasthya Bima Yojna)
• PDS (Public Distribution System)
• E-Passport
• NPR (National Population Register)
• UIDAI (Aadhaar)
• Transport department, for issuing or renewing Driving Licences, etc.
9. What is a Fingerprint?
A fingerprint is an impression of the friction ridges found on the inner surface of a finger or a thumb. The ridges follow a global pattern identified as whorl, right loop, left loop, arch, tented arch, twin loop, etc. Skin pores also present a detailed pattern in fingerprints. There are also local patterns where ridges end or bifurcate, known as minutiae. Local and/or global patterns of fingerprints are matched to provide a means of identification or verification. The science of fingerprint recognition provides an accurate means of positive identification.
10. In a fingerprint pattern, what is a Friction Ridge and what are the three basic patterns of fingerprint ridges?
A friction ridge is defined as a ridge present on the skin of the fingers and toes, the palms and the soles of the feet, which makes contact with an incident surface under normal touch. On the fingers, the unique patterns formed by the friction ridges make up fingerprints. The three basic patterns of fingerprint ridges are the arch, loop, and whorl (Source: http://en.wikipedia.org/wiki/Fingerprint_recognition):
• Arch: The ridges enter from one side of the finger, rise in the center forming an arc, and then exit the other side of the finger.
• Loop: The ridges enter from one side of a finger, form a curve, and then exit on that same side.
• Whorl: Ridges form circularly around a central point on the finger.
11. What are the specifications of Face Image?
Specifications:
• Face Image Type – The Full Frontal Image should be captured as per the specifications laid down in Face Image Data Standard version 1.0 published on the e-Governance Standards portal https://egovstandards.gov.in.
• Color Space – 24 Bit RGB (i.e. Code 0x01)
• Inter-eye Distance – The inter-eye distance should be a minimum of 120 pixels for a head width of 240 pixels.
• Pose Angle – Rotation of the head shall be less than ±5 degrees from frontal in every direction (i.e. roll, pitch and yaw).
• Shoulders – Both shoulders should be visible.
12. What is an Iris and give specifications of an Iris image?
The Iris is the muscle within the eye that regulates the size of the pupil, controlling the amount of light that enters the eye. "Eye colour" is the colour of the Iris, which can be green, blue, or brown; in some cases it can be hazel (light brown) or grey. It is the area between the sclera and the pupil. The texture and patterns of each person’s Iris are as unique as a fingerprint.
Iris Image Specifications:
• Iris Image Type – The interchange format type of the Iris images defined in this standard is for rectilinear images only. If the image is collected by a camera that captures only one eye at a time and is stored using a rectilinear coordinate system, no specific pre-processing is required. Cameras that capture images of both eyes simultaneously may use the following processing steps to calculate the rotation angle of the Iris images:
i. Pre-processing to calculate rotation angle – Before compression, the Iris image will have to be pre-processed to calculate the rotation angle. Refer to section 6.3.1 of ISO 19794-6:2005(E) for rotation angle calculation for rectilinear images.
ii. Rectilinear Image Rotation Uncertainty – Refer to section 6.3.1.3 of ISO 19794-6:2005(E).
• Number of eyes – For enrollment: two eyes. For verification: one or two eyes, depending upon the application's sensitivity requirement.
• Iris Diameter – As per ISO 19794-6:2005(E), only medium and higher quality images are acceptable. Hence, for this Standard, the minimum acceptable Iris diameter will be 150 pixels.
• Image Margin Segmentation – 50% left and right of Iris diameter; 25% top and bottom of Iris diameter.
• Color and Pixel Depth – The iris images shall be captured and stored in grey scale with a pixel depth of 8 bits/pixel.
• Illumination – The eye should be illuminated using near infrared light with a wavelength between approximately 700 and 900 nanometres (nm).
• Image Acquisition Format – Lossless (Raw/PNG/JPEG 2000) formats.
13. How can the accuracy of a biometric system be measured?
The accuracy of a biometric system is determined through a series of tests in the following order:
i. Technology Evaluation: assessment of matching algorithm accuracy
ii. Scenario Evaluation: assessment of performance in a mock environment
iii. Operational Evaluation: live testing on site
If all the tests are done properly, users will come to know, to a high degree of accuracy, how the system will perform. (Source: http://biometrics.gov/Documents/FAQ.pdf)
14. What factors cause a biometric system to fail?
In addition to common electronics/computer and hardware failures, common biometric issues include poor-quality biometric samples, user confusion, evasion or non-cooperation, noise, inadequate or excessive lighting, a dirty sensor, or subject handicaps. (Source: http://biometrics.gov/Documents/FAQ.pdf)
Thursday 18 August 2016
Mobile Governance
1. What is the purpose of setting up Mobile Services Delivery Gateway (MSDG)?
The purpose of setting up MSDG is to
provide a one-stop ecosystem for enabling the delivery of various electronic
government services through mobile devices in an efficient manner with minimum
effort for the participating Government Departments and Agencies. MSDG will
also help in enhancing the interoperability of mobile-based services among
various Government Departments and reduce the total cost of development and
deployment of applications for m-Governance services.
2. What are the functionalities that will be available in MSDG?
MSDG will have functionalities such
as hardware and software to test and deploy the m-Governance applications. It
will have connectivity options for the citizens to apply for and receive public
services through mobile devices irrespective of the network operators with
which they are subscribed. It will also have an integrated system for
delivering the IVR based services through mobile and fixed line. MSDG will
support delivery of both voice and data services and content in a network and
device independent manner to the extent possible and feasible. It will also
offer shared tools like data collection, helpdesk services, APIs, SDKs to the
agencies which wish to deploy mobile applications for public services. It will
have a provision for metered access so that various agencies and partners of
MSDG can account for fee based services based upon their actual delivery.
3. Who will own MSDG?
MSDG will be owned by DeitY,
Government of India, or any of its designated agencies.
4. How will MSDG account for fee-based services?
It will have a provision for metered
access so that various agencies and partners of MSDG can account for the
fee-based services based upon their actual delivery.
5. Who will be responsible for notification of the standards for mobile
applications?
The standards for mobile
applications will be formulated and notified by the Department of Electronics
& Information Technology, Government of India.
6. Who will be responsible for service fulfilment?
The responsibility for service
fulfilment shall lie with the respective Government Department or Agency. MSDG
will only serve as the channel between the citizen and the participating
Government Department or Agency.
7. Can the Participating Departments have an alternate mobile initiative?
Any Government Department or Agency
at the Central or State level interested in providing mobile services would be
encouraged to provide its services through MSDG to avoid duplication of
infrastructure.
8. What are the various delivery channels envisaged to be supported by MSDG?
MSDG shall support the following
delivery channels for development and deployment of mobile-based applications
for Government services. As the mobile-based technologies are constantly
evolving, more channels may be added in future as the need arises.
• SMS (Short Message Service)
• IVR (Interactive Voice Response)
• WAP (Wireless Application Protocol)
• USSD (Unstructured Supplementary Service Data)
• CBC (Cell Broadcast)
• SIM Toolkit (STK)/Dynamic STK, 3G-Video
• Others (WiFi/WLAN etc.)
9. Is e-Governance a prerequisite for m-Governance?
Even though m-Governance may be seen
as an extension of e-Governance services, existence of e-Governance services is
not a prerequisite for deployment of m-Governance services. The mobile-based
innovative public services to be deployed under the ambit of this framework and
implementation strategy are aimed at extending the access of public services to
those sections of the society which are unable or unwilling to access public
services through internet or those which simply prefer to use mobile devices.
The key objective of m-Governance initiatives in the proposed framework is to
enhance the bottom-up participation and empower the disadvantaged sections of
the society, thus fulfilling the mission of anywhere, anytime services as
envisaged under the National e-Governance Plan (NeGP).
10. What are the steps to be followed by a Government Department to register
services for m-Governance?
DeitY will provide the necessary
guidance and assistance to all Government Departments and Agencies to register
their services for m-Governance. DeitY will also provide necessary integration
support to help Government Departments in adopting m-Governance for delivery of
public services.
11. Who will be responsible for creation of mobile-ready content?
The concerned Departments and
Ministries will be responsible for creating and updating mobile-ready content
for their respective services. They may seek appropriate inputs and feedback
from users.
12. What steps will DeitY take to promote the m-Governance initiative?
DeitY, or any of its designated
agencies, will undertake awareness creation and capacity building exercises for
promoting Mobile Governance initiative among stakeholders and potential
beneficiaries across Government, Industry, and Civil Society.
Digital Signatures
1. What is Cryptography?
Cryptography is the science of enabling secure communications between a sender and one or more recipients. This is achieved by the sender scrambling a message (with a computer program and a secret key) and leaving the recipient to unscramble the message (with the same computer program and a key, which may or may not be the same as the sender's key). There are two types of cryptography: Secret/Symmetric Key Cryptography and Public Key Cryptography.
Secret key (symmetric/conventional) cryptography is a system based on the sender and receiver of a message knowing and using the same secret key to encrypt and decrypt their messages. One weakness of this system is that the sender and receiver must trust some communication channel to transmit the secret key without disclosure. This form of cryptography ensures data integrity, data authentication and confidentiality.
Public key (asymmetric) cryptography is a system based on pairs of keys called the public key and the private key. The public key is published to everyone while the private key is kept secret by the owner. The need for a sender and a receiver to share a secret key and trust some communication channel is eliminated. This concept was introduced in 1976 by Whitfield Diffie and Martin Hellman. Digital Signatures created using the private key ensure data integrity, data authentication and non-repudiation. However, to ensure confidentiality, encryption of the data has to be done with the recipient’s public key.
2. How do I get a Digital
Signature Certificate?
The Office of the Controller of Certifying Authorities (CCA) issues Certificates only to Certifying Authorities. The CAs in turn issue Digital Signature Certificates to the end-users. You can approach any of the CAs for getting the Digital Signature Certificate. For more information about the respective CAs, kindly visit their websites (provided below).
Name of CA | Website
Safescrypt |
National Informatics Centre |
Institute for Development and Research in Banking Technology (IDRBT) |
TCS CA services |
MTNL CA services |
(n) Code Solutions |
eMudhra |
3. What is a Certifying
Authority (CA)?
A CA is a trusted third party willing to verify the ID of
entities and their association with a given key, and later issue certificates
attesting to that identity. In the passport analogy, the CA is similar to the
Ministry of External Affairs, which verifies your identification, creates a
recognized and trusted document which certifies who you are, and issues the
document to you.
4. Which are the CAs
licensed by the (Office of Controller of Certifying Authorities) CCA?
a. Safescrypt
b. NIC
c. IDRBT
d. TCS
e. MtnlTrustline
f. GNFC
g. e-MudhraCA
5. If a particular CA is out of business then the subscriber to that CA is told to move to another CA. Thus the subscriber has to get a new digital certificate. What happens to his/her earlier transactions? Does this not create a legal and financial problem?
Prior to cessation of operations, the CA has to follow
procedures as laid down under the IT Act. Therefore, such problems should not
exist.
6. Can one authorize someone
to use DSC?
In case a person wants to authorize someone else to sign on
his/her behalf, then the person being authorized should use his/her own PKI
credentials to sign the respective documents.
7. Can a person have two
digital signatures say one for official use and other one for personal use?
Yes.
8. In paper world, date and
the place where the paper has been signed is recorded and court proceedings are
followed on that basis. What mechanism is being followed for dispute
settlements in the case of digital signatures?
Under the IT Act 2000, Digital Signatures are at par with
hand written signatures. Therefore, similar court proceedings will be followed.
9. Is there a "Specimen
Digital Signature" like Paper Signature?
No. The Digital signature changes with content of the message.
10. If a person uses someone
else’s computer, instead of his own computer, then is there any possibility of
threat to the security of the owners/users digital signature?
No, there is no threat to the security of the owner / users
digital signature, if the private key lies on the smartcard/crypto token and
does not leave the SmartCard /crypto token.
11. Is it possible for
someone to use your Digital Signature without your knowledge?
It depends upon how the owner has kept his private key. If
private key is not stored securely, then it can be misused without the
knowledge of the owner. As per the IT Act 2000, the owner of the private key
will be held responsible in the Court of Law for any electronic transactions
undertaken using his/her PKI credentials (public/private keys).
12. When you cancel an
earlier communication you can get it back, how does this work in e-environment?
A new message saying that the current message supersedes the
earlier one can be sent to the recipient(s). This assumes that all messages are
time stamped.
13. When can a DSC be
revoked?
The DSC can be revoked when an officer is transferred, suspended
or his/her key is compromised.
14. How do digital
certificates work in e-mail correspondence?
Suppose Sender wants to send a signed data/message to the
recipient. He creates a message digest (which serves as a "digital
fingerprint") by using a hash function on the message. Sender then
encrypts the data/message digest with his own private key. This encrypted
message digest is called a Digital Signature and is attached to sender's
original message, resulting in a signed data/message. The sender sends his
signed data/message to the recipient.
When the recipient receives the signed data/message, he detaches sender's digital signature from the data /message and decrypts the signature with the sender's public key, thus revealing the message digest. The data/message part will have to be re-hashed by the recipient to get the message digest. The recipient then compares this result to the message digest he receives from the sender. If they are exactly equal, the recipient can be confident that the message has come from the sender and has not changed since he signed it. If the message digests are not equal, the message may not have come from the sender of the data/message, or was altered by someone, or was accidentally corrupted after it was signed.
15. How do Digital
Certificates work in a web site?
When a Certificate is installed in a web server, it allows users to check the server's authenticity (server authentication) and ensures that the server is operated by an organization with the right to use the name associated with the server's digital certificate. This safeguards users from trusting unauthorized sites. A secure web server can control access and check the identity of a client by referring to the client certificate (client authentication); this eliminates the use of password dialogs that restrict access to particular users. The mechanism that allows the identities of both the server and client to be authenticated through exchange and verification of their digital certificates is called mutual server-client authentication. The technology to ensure mutual server-client authentication is the Secure Sockets Layer (SSL) encryption scheme.
16. What clause should an e-Governance project have to ensure that the PKI implementation meets the requirements of the IT Act 2000?
The e-Governance applications have to be developed in compliance with the RFC 5280 certificate profile. A number of commercial and open source PKI toolkits are available which can be used to develop a standard validation process, for example Microsoft CNG and the Sun Java toolkit. Please refer to Annexure IV of the Digital Signature Certificate Interoperability Guidelines (http://cca.gov.in/cca/sites/all/DSC_Interoperability_Guidelines_R2.5.pdf) for further details.
17. Can I use the certificate
issued by a CA across e-Governance applications?
Yes.
18. What are the key sizes in
India?
CA Key is
2048 bits and the end user keys are 1024 bits. However from 1 Jan 2011, the end
user keys are 2048 bits as well, as per the notification by CCA.
19. What is the size of
digital signatures?
The size of the Digital Signatures varies with the size of
the keys used for generation of the message digest or hash. It can be a few
bytes.
20. What is the Key Escrow?
Key escrow (also known as a fair cryptosystem) is an
arrangement in which the keys needed to decrypt encrypted data are held in
escrow so that, under certain circumstances, an authorized third party may gain
access to those keys. These third parties may include businesses, who may want
access to employees' private communications, or governments, who may wish to be
able to view the contents of encrypted communications.
21. How do applications use
the Certificate Revocation List (CRLs)?
The applications download the CRLs from the respective CA sites at a specified frequency. The applications then verify the public keys against this CRL at the time of Digital Signature verification. The CCA is in the process of implementing the OCVS (Online Certificate Verification Service). This will ensure online verification of the CRLs by the applications.
22. How long do the CAs in India preserve the Public Keys of the end users?
As per the IT Act 2000, each CA stores the Public Key in
their repository for a period of 7 years from the date of expiration of the
Certificate.
23. Should e-Governance
applications archive the Digital Signature Certificates as well?
In view of the fact that the CAs have a mandate to save the DSCs for a period of 7 years, it may be advisable for e-Governance applications which would need to verify records for authenticity beyond 7 years to archive the DSCs themselves.
24. Is it possible that a
document has multiple signatures?
Yes, a document can have multiple Digital Signatures. For
example, in the MCA21 application, the forms are signed by different Directors
as part of the application workflow.
25. What are the types of
applications that should use Digital Signatures?
They are hardware security tokens used to store cryptographic
keys and certificates. For example, USB etc.
26. What are the different
ways of authenticating content of digitally signed documents issued to the
citizen?
There are different ways of verifying the content and the digital signatures of the document. Some of the mechanisms are listed below:
- Via Unique Request ID (manual
content verification only) - In this process the user can verify the validity
of his/her document by logging onto the Department website and providing
the unique request number printed on the document. The Department
application will display the electronic version of the document stored in
the application repository. However in this process since the digital
signature on the document is not verified, the contents have to be
verified manually by the user by comparing the online document from the
website with the hardcopy of the document. This process thus provides
content verification only. The verification of the Digital Signature does
not take place in this process.
- Verification by the 2D Barcode – In this process, the barcode
printed at the bottom of the document is used for the digital signature
verification. The barcode has the Digital Signature embedded in it. The
two verification mechanisms enlisted below verify the Digital Signature
only. Since the complete content of the document is not being scanned, the
content verification has to be done manually.
a) Online Verification
In this process, a barcode
reader is used to scan the 2-D bar code printed at the bottom of the
certificate. The verification utility of the Departmental application would
verify the digital signature embedded in the document and after successful
verification, show the corresponding electronic record on their website.
However the user needs to compare the contents of the electronic record and the
hardcopy. This method requires a computer, an internet connection and a 2D bar
code reader.
b)
Offline Verification
In this process, the user can verify the digital signature embedded in the barcode without connecting to the Department website; hence this process is called “offline” verification. The user needs to download and install the verification utility custom developed by the Department (downloadable from their website). The user also needs to download the root chain certificates of CCA and NIC and the public key of the authorized taluka and the taluka official onto the computer. Once these items are installed on the computer, the user can scan the 2D barcode on the document and the verification utility will check the validity of the digital signature embedded in the document, thereby proving the authenticity of the document. However, the content of the hardcopy of the document will have to be manually verified by comparing it with the electronic version available at the Department website, as the content of the hardcopy is not being scanned in this process.
27. How can a digitally
signed document be verified after the DSC associated with the Public Key has
expired?
The digital signature verification process for a document requires the public key, root chains and the CRL. The e-Governance application should therefore have a repository of the public key certificates, root chains and CRLs of the time the document was digitally signed. The CAs as of now are mandated to store the Digital Signature Certificates, root chains and the CRLs for a period of 7 years as per the Rules of the IT Act. Therefore the Digital Signature Certificates can be downloaded from the CAs for a period of 7 years. However, if the digital signature on the document needs to be verified after this period, the e-Governance applications will have to have a provision to store the DSCs, root chains and the CRLs in a repository and undertake the verification of digitally signed documents against this repository. However, it may be a cumbersome process to get the CRLs from the respective CAs for a specific period (in the past).
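Example code added here (not the page's or any CA's software) covering the signing and verification flow of Q14 together with the time-of-signing validation of Q27: a constructed root CA issues a two-year DSC, a document is signed in 2017, and verification is run with the clock set to the signing time, to a date after the DSC has expired, and against altered content. The CA and officer names, the dates and the 2048-bit RSA keys are assumptions constructed for the example; CRL checking is omitted.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedDoc is what an application archives per record (the signing time matters for Q27).
type SignedDoc struct {
	Content, Signature, SignerCert []byte // SignerCert is the DER-encoded DSC
	SignedAt                       time.Time
}

// issue builds a cert from tmpl for pub, signed by signerKey under parent (self-signed if parent is nil).
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signerKey *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		panic(err) // fixture construction error, not a verification outcome
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by the library
	return cert
}

// sign is the sender's side of Q14: SHA-256 digest of the content, signed with the end user's RSA key (PKCS#1 v1.5).
func sign(content []byte, key *rsa.PrivateKey, dsc *x509.Certificate, at time.Time) (*SignedDoc, error) {
	digest := sha256.Sum256(content)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDoc{Content: content, Signature: sig, SignerCert: dsc.Raw, SignedAt: at}, nil
}

// verify is the recipient's side: re-hash, check the signature with the public key in the archived DSC,
// then validate that DSC against the archived root with the clock set to checkTime, not to "now".
func verify(doc *SignedDoc, roots *x509.CertPool, checkTime time.Time) error {
	dsc, err := x509.ParseCertificate(doc.SignerCert)
	if err != nil {
		return err
	}
	pub, ok := dsc.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("DSC does not carry an RSA public key")
	}
	digest := sha256.Sum256(doc.Content)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], doc.Signature); err != nil {
		return fmt.Errorf("content or signature altered: %w", err)
	}
	_, err = dsc.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: checkTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err // non-nil when the DSC was not valid at checkTime
}

// demo builds a constructed root CA and a two-year DSC (placeholder names, not a real CCA or licensed CA), signs a
// document in 2017 and returns the result at signing time, when re-checked in 2025 (DSC expired), and for altered content.
func demo() (atSigning, afterExpiry, tampered error) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit keys, as Q18 states
	userKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	date := func(y int, m time.Month) time.Time { return time.Date(y, m, 1, 0, 0, 0, 0, time.UTC) }
	caCert := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA (constructed)"},
		NotBefore: date(2015, 1), NotAfter: date(2035, 1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, &caKey.PublicKey, caKey)
	dsc := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Taluka Officer (constructed)"},
		NotBefore: date(2016, 8), NotAfter: date(2018, 8),
		KeyUsage: x509.KeyUsageDigitalSignature}, caCert, &userKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	doc, err := sign([]byte("Certificate No. 0001 (constructed sample content)"), userKey, dsc, date(2017, 3))
	if err != nil {
		return err, err, err
	}
	atSigning = verify(doc, roots, doc.SignedAt)   // nil: DSC was valid when the document was signed
	afterExpiry = verify(doc, roots, date(2025, 6)) // error: DSC expired in 2018
	forged := *doc
	forged.Content = []byte("Certificate No. 0001 (altered after signing)")
	tampered = verify(&forged, roots, doc.SignedAt) // error: digest no longer matches
	return atSigning, afterExpiry, tampered
}

func main() {
	a, b, c := demo()
	fmt.Printf("at signing time: %v\nafter DSC expiry: %v\ntampered content: %v\n", a, b, c)
}
```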
28. How can Departments
ensure that their Government officers authorized to sign the Certificates do
not misuse their Digital Signature Certificates after being transferred from a
given place?
It is recommended that as
part of the handing over of charge of a given officer, the DSC issued to the
officer be revoked. Further his user credentials in the respective e-Governance
applications should be deactivated so that he can no longer access the
application while the Certificate revocation is under process with the CA. Once
the DSC is successfully revoked, the officer will be no longer able to sign the
documents.
29. How can a citizen be
assured that the document has been digitally signed by the appropriate
authorized Government officer?
In order to ensure that the documents are
signed by authorized individuals only, the Departments should maintain a
repository having a mapping between the DSC and the respective roles assigned
to the officers of the Departments. The e-Governance application should check
against this repository for the various documents before allowing an officer to
digitally sign the document. This mechanism has been implemented in MCA21
application wherein multiple directors sign the e-forms for the application.
The key challenge with this approach is to be able to maintain an updated
repository at all times.
The Government of India is currently looking into the proposal for creation of a central repository of Digital Signature Certificates and CRLs in order to ensure that digitally signed documents can be verified at a later date (greater than 7 years).