eGovernance in India

Improving eGovernance in INDIA

Security Checks to be maintained in e-Procurement as recommended by Indian IT Act 2000

Posted by egovindia on January 21, 2007

Security Checks to be maintained in e-Procurement as recommended by Indian IT Act 2000

Dear eGovINDIA Group Members,

Please find below an academic detail as how Online Bidding should be secure and Transparent:-

(Andhra Pradesh to be investigated if e-Procurement is fulfilling these Security Features for Rs. 15000/- Crore of e-Procurement done)

An ideal eTendering/eProcurement application should comply with Information Technology Act 2000 in totality. To ensure that you existing eTendering/eProcurement application meets the above requirement, please check if it fulfills the security features checklist mentioned below.

1.      Simple Login ID & Password based Login

eTendering website should have dual authentication process i.e.

Login ID and Password based authentication &
Digital Certificate based authentication.

It is very easy for the service provider to retrieve Login ID & Password of any user form the database, if the same is not stored as it format as explained in point no. 2.

The existing application you are using does not have Digital Certificate based login, which means the service provider could log in any time as any bidder/buyer and view/modify/delete/ any data as he liked. Why has Digital Certificate based login system not been adopted on www.eprocurement.gov.in?

2.      MD5 Hash of password are stored in Database and not actual password

If password are stored in database in plain text format in database, then it is very easy for the service provider to know the Login ID & Password of any user. Storing the message digest of a password instead of the plain text password in the database is a universally accepted security best practice.

Message Digest/hash is basically a digital fingerprint of password generated using Hash Algorithm. For eg. Message Digest of a password like Apple is 9f6290f4436e5a2351f12e03b6433c

3c.

The beauty of Hash algorithm is that every time Apple with capital A is typed from anywhere in the world, it will result in same Message Digest/Hash. Also Message Digest/Hash is irreversible i.e. from 9f6290f4436e5a2351f12e03b6433c3c no one can know that the original password i.e. Apple. The only person on the world to know the actual password is the person who specifies at time of Login ID creation.

Are passwords converted to message digest before being stored in your eTendering site? If not, why? This technology is a more than a decade old and is so secure that it has not been cracked so far.

3.      Digitally Signed Bids

As per IT ACT 2000, all Bids submitted by bidders should be digitally signed.  Please check if the bid that are submitted by your bidders are digitally signed and submitted on you eTendering website.

A Bid that is not digitally signed can be easily viewed and tampered with by the service provider. If the bidder whose bid has been tampered puts any allegation on the service provider, there is no way it can be proved that service provider had not tampered the bid. If the bids are digitally signed, and if the same are tampered, it can be detected easily.

IT ACT 2000 was in place since 2000, Digital Certificate were publicly available since 2002 and first digitally signed eTender was enabled in July 2003 in India. Why did your service provider not integrate Digital Certificates till March 2005. Why did the most IT savvy state of Andhra Pradesh not integrated Digital Certificates for eTendering as mandated in IT ACT 2000.

Why did the government of AP allow a service provider who didn’t have PKI enabled (Digital Certificate enabled) eTendering application to offer eTendering services to various government departments?

4.      Access to price bid before Tender due date.

Ideally the bid submitted by Bidders should be first digitally signed and encrypted before it is submitted on the eTendering website. Bid encryption (data enveloping) should be as per IT ACT 2000. In this process the Bid are digitally signed and encrypted using digital certificate.

The benefits of Digital Certificate based encryption is that it cannot be deciphered by service provider. Only the individual whose Digital Certificate is used for encryption, can decipher it.

In case of Andhra Pradesh as till March 2005 Digital Certificate were not used, why?

How were price bids being encrypted? By using which technology? Did that technology have legal credibility?

If encryption was done using some proprietary tool, then the existing service provider  could very well decipher and know the bids of all bidders even before due date and time of opening.

So far Rs. 15,000 cr. worth of eTendering that has been done enabled on www. eprocurement.gov.in, what is the assurance that there was no malpractise like viewing price bids before due date and time, as well as modifying price bids after due date and time?

5.      Biometric Based Authentication

To ensure that Buyer was present at time of Tender Opening, biometric based authentication is very crucial. As eTendering is a web based technology, privilege users like administrator can access any content. The biometric device restricts this access to the authorised persons from the buyer side to access the website.

6.      128 Bit SSL

The data that is exchanged between Bidders (client) and Website (sever) should happen over a secure network such that hackers cannot hack the data in transit and read/tamper the data.  For the same, as per IT ACT, 128 SSL certificate should be used.

To detect whether any malpractice took place, as well as to take effective steps to ensure that further malpractices are not possible, we suggest that you take proactive steps to institute an internal inquiry as well as undertake a comprehensive security audit of the eTendering system you have been using.  Taking such a step will protect your interests.  If you require, we can undertake this audit for you, free of cost.  We will check if the security features are in place, including 25 security checks as per the IT Act 2000.  It is also in your interests to refrain from using the current eTendering system till either it is given a clean chit or the security issues identified are corrected.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: