The Department of Electronics and Information Technology, GOI (DeitY) has released a document called “e-Pramaan: Framework for e-Authentication”. This is intended to serve as the guiding document for all Central and State Ministries, departments and government agencies for implementing an appropriate authentication model for online and mobile based delivery of their services It is also intended to help maintenance of uniformity and consistency across various authentication mechanisms.
The framework identifies 5 levels of identity management for users of e governance services starting from level zero (no authentication) to level 1 (password), level 2( OTP), level 3(hardware token based PIN), and level 4 (biometric).
It is recommended that applications will carry a “Fraud Management” layer to evaluate the risks of identity theft and provide real-time protection against identity theft and online fraud.
Websites are recommended to adopt techniques such as watermarking,digital certificates, prevention of superimposition by fake websites etc to prevent phishing.
An e-Pramaan Gateway is suggested to be used both for Central and State Government projects to provide a secure and convenient way to access government services through internet and mobile. For this purpose, a “Centralized Identity Directory” is intended to be established. The system will be aadhaar compatible.
A responsibility has been cast on the department or agencies deploying the applications to identify the privacy implications inherent in the proposed transactions and appropriately address the same.
Detailed guidelines can be accessed here.
The objective of the framework is appreciable. However the framework has stopped at “Identity authentication” rather than “Transaction authentication”. Hence it identifies biometric authentication as the highest level of authentication and not emphasized on the legal compliance of transaction authentication which is possible only through digital signatures.The Information Assurance framework recommended by Naavi continues to support the digital signature based authentication even for identity authentication since that alone provides non repudiation under the current Indian laws.Hence the highest level of authentication under the ePramaan framework corresponds only to the penultimate level of assurance envisaged under the TIA (Total Information Assurance) Framework suggestion.
The ePramaan framework appears to be intended to support the “Aaadhar” project which is yet to get the legal sanction. The reliability of “biometric” authentication adopted by aadhaar is also yet to pass the security test and hence the dependency of the framework on the aadhar framework is likely to be an issue in the coming days.
The framework has emphasized the need for “Risk management” software at the gateway level which is critical for prevention of frauds.
There is no mention of “Encryption” but it may be said that the responsibility for encryption of sensitive data is left to the application managers.
There is an indirect mention of prevention of “Man in the Middle Attack” though it has not been specified as such. This will be a challenge that the e-governance project managers will find it hard to secure against.
Overall the release of the framework is an interesting development in the security of e-Governance projects.
Naavi
Biometrics as an auth factor is one with the worst flaws.
The flaws include
1) Easily spoofable
2) Poor repeatability of biometric prints due to ageing and health
3) Due to 2) continuos reenrollement is a necessity, providing a massive security vulnerability for exploits like 1) to succeed.
4) Poor operating environment tolerance especially amongst lower strata of populace.
4) Inability to withdraw a biometric factor once compromised.
Fingerprints and Irises, everyones favourite, are extremely easy to compromise, requiring nothing more tha candlewax and fevicol for fingerprints, and a digital camera for iris prints.
It is surprising that government bodies continue to wallow in ignorance and sheer incompetence.
The locks in our houses are easily overcome by anyone other than an amateur thief. Yet we don’t accuse ourselves (residents/home-owners) of wallowing in “…ignorance and sheer incompetence”. Instead, we keep a lookout for better locks and install them when they become available.
There is no doubt that there are issues with exclusively-biometric modes of authentication. But it is not correct to accuse either ePramaan or the UID project of promoting only those. Both offer multiple modes of authentication; “unattended pure-biometric auth” methods are neither exclusively recommended nor used in practice. In fact the choice of methods is left to the individual departments. So far no scheme has opted for such worst-case scenarios as are being implied. I don’t think anyone will.
Quite unsurprisingly, these allegations are not new. When they were first made years-ago, they prompted the UIDAI to review their options and recommendations thoroughly and improve upon their methods. Much has happened since then (some good, some not so good). The author (jtd), though apparently quite tech-savvy is perhaps unaware of these developments.
Smart Card based decentralized authentication techniques are often offered as “better” alternatives (despite being dependent on the same *flawed* & *spoofable* biometrics!). Needless to say, there is no “one universally best method”. Neither the UIDAI nor the DeitY (sponsor of the ePramaan) are asking for immediate abolition of smart cards at one stroke. Even now many projects are using them and will continue to use them (though for all the wrong reasons). Let us just say that we have many different ways in which we can mess up (or succeed!).
Constructive criticism is usually based on facts, expertise, good analysis and offering of feasible alternatives/solutions. Clearly the author is quite capable of taking that path – if only (s)he chooses to.