To improve Hungarian e-governance capabilities by developing new IT services, the Hungarian Government has spent more than one hundred million Euros since 2010. As the base pillars of the Hungarian Digital State, a number of Controlled Electronic Administration Services (CEAS) have been implemented. The usability of any digital system which can be linked to trust depends on the authenticity of stored and processed information. Using unauthentic information may result in fraudulent activities, which should be avoided in the Administration. Electronic signatures are methods of authentication as defined by the 93/1999  Union enacted the Regulation (EU) No 910/2014 of the European Parliament and the Council called eIDAS. in September of 2014. eIDAS contains comprehensive and obligatory rules for applying electronic identification and electronic signature in 

Europe. It is the continuation of 93/1999 EU Directive, therefore addressing this topic is expected in IT projects in 2015. The examination was performed on IT projects coordinated by the Hungarian Governmental – Information Technology Development Agency. The analysis focuses on three questions: 1. Is electronic signature technology applied in project administration? 2. Which electronic signature attributes appear in the final results of the projects? 3. What kind of electronic signature dimensions appear in the 

projects? The presentation summarizes the main attributes of the examined projects, describes conceptual definitions of authenticity, gives a brief introduction into the electronic signature dimensions, and formulates conclusions about the success and lack of applying electronic signature elements in Hungarian Governmental IT projects

Erdősi, Péter Máté

Repository of the Academy's Library

ELECTRONIC SIGNATURE TECHNOLOGY IN HUNGARIAN GOVERNMENTAL IT PROJECTS IN 2010-2015PÉTER MÁTÉ, ERDŐSI1ABSTRACTTo improve Hungarian e-governance capabilities by developing new IT services, the Hungarian Government has spentmore than one hundred million Euros since 2010. As the base pillars of the Hungarian Digital  State, a number ofControlled Electronic Administration Services (CEAS) have been implemented. The usability of any digital systemwhich  can  be  linked  to  trust  depends  on  the  authenticity  of  stored  and processed  information.  Using unauthenticinformation may result in fraudulent activities, which should be avoided in the Administration. Electronic signatures aremethods of authentication as defined by the 93/1999 Directive, and tools of strong identification as specified by the newregulation.The European Union enacted the Regulation (EU) No 910/2014 of the European Parliament and the Council calledeIDAS.  in  September  of  2014.  eIDAS  contains  comprehensive  and  obligatory  rules  for  applying  electronicidentification and electronic signature in Europe. It is the continuation of 93/1999 EU Directive, therefore addressingthis topic is expected in IT projects in 2015.The examination was performed on IT projects coordinated by the Hungarian Governmental – Information TechnologyDevelopment Agency. The analysis focuses on three questions:1. Is electronic signature technology applied in project administration?2. Which electronic signature attributes appear in the final results of the projects?3. What kind of electronic signature dimensions appear in the projects?The  presentation  summarizes  the  main  attributes  of  the  examined  projects,  describes  conceptual  definitions  ofauthenticity, gives a brief introduction into the electronic signature dimensions, and formulates conclusions about thesuccess and lack of applying electronic signature elements in Hungarian Governmental IT projects.INTRODUCTION TO AUTHENTICITYEESSI Final Report (EESSI, 1999) stated that “an 'electronic signature' without being further qualified, is indeed anelectronic authentication. The term 'authentication' itself is not defined nor explained in the recitals of the (93/1999 EU)Directive and thus leaves room for a broad interpretation. However, the term is usually defined as 'validation of aclaimed identity'.  Every type of electronic authentication will  be regarded as an electronic signature,  as long as  itattached to or associated in a logical way with other electronic data.”. It is not a surprise that definition of electronicsignature in 93/1999 EU Directive is the following: “data in electronic form which is attached to or logically associatedwith other data in electronic form and which serve as a method of authentication”. eIDAS Regulation (910/2014 EURegulation) gives a very simple definition for it: “data in electronic form which is attached to or logically associatedwith other data in electronic form and which is used by the signatory to sign”. This definition is not a technologicaldependent therefore several implementation has been deployed with different parameters. Consequently, implementingelectronic  signature  systems  requires  deep  and  broad  knowledge  about  dimensions  and  parameters  of  electronicsignatures.DIMENSIONS OF ELECTRONIC SIGNATURESDimension means a set of attributes from which only one can belong to an electronic signature in a unique manner. If anelectronic signature is defined exactly, all relevant dimensions will have to known and the appropriate value from eachdimension will have to assign to the given signature. Between relevant dimensions may occur dependencies. Dimensionanalysis should perform to define these interdependencies correctly. The independent dimensions are called orthogonal.The examined dimensions are the following:Dimension 1: Formalization  (CAdES:  CMS  based  Advanced  Electronic  Signature,  XAdES:  XML-basedAdvanced Electronic Signature and PAdES: PDF-based based Advanced Electronic SignatureDimension 2: Type of Signature (normal, advanced and qualifiedDimension 3: Probative force (evidence at court, partial probative force, full probative force)Dimension 4: Complexity  (basic,  extended  policy  based,  timestamped,  complex,  extended,  extended  long,archive, long term valid)Dimension 5: Validity Period (immediately, short time, long time)Dimension 6: Certificate Standard (PGP, X509, other)Dimension 7: Type  of  Certificate  (qualified,  non  qualified,  signature,  seal,  usable  in  Hungarian  PublicAdministration)Dimension 8: Type of Signatory (end entity including natural person, code signer, automaton, certificate authorityincluding  root,  bridge,  intermediate  or  certificate  issuer,  time-stamping  authority,  archiving  authority,  OCSP1 PhD student at Doctoral School of Public Administration Faculty at National University of Public Serice, Budapest,Hungaryprovider etc.) Dimension 9: Signature Algorithms (e.g. AES, TDEA, GOST, RSA, DSA, ECDSA)Dimension 10: Length of Signature Creation Data (usually it is given in bits – 128, 256, 1024, 2048, 4096...)Dimension 11: Storage of Signature Creation Data (encrypted container file, hardware token including HardwareSecurity Module, Secure Signature Creation Device or simple Signature Creation Device, SIM card, pen drive) Dimension 12: Placement of Signatures (single, multiple including sequential, parallel,  countersign, embedding,embedded, detached or mixed)Dimension 13: Type of Certificate Authority (public, closed group, home made)Dimensions can be categorized by types of connections, some of them connect to signatures, others relate to certificates,in the other words, dimensions may be classified by functional point of view. Next figure visualises this picture: Figure 1: Classifying dimensions of electronic signature by functional aspects (created by author)LIST OF PROJECTSThe  Governmental  IT  Development  Agency  (GIDA)  coordinates  several  IT  projects  in  Hungarian  PublicAdministration. The scope of this research contains 16 projects which started and performed between 2010 and 2014.Summarized budget of all examined projects was more than 38 billion Hungarian Forint (121 million Euros). It does notcontain budgets of those IT projects which were coordinated by another governmental organization. The followinginformation were gathered: Project code: short acronym created by first letters of words of project name Project name: short description of the project Project ID: Hungarian ID of project Started: The year when the project was initialized Finished: The year when the projects was deployed Budget (EUR): spent money in EurosDetails of the examined projects is listed in the next table:Project code Project name Project ID Started Finished Budget (EUR)1 1AVAM Implementation of single customs administrationEKOP 1.2.2-07-2008-0001 2008 2010 7 692 0002 ACM Implementation of taxpayer-oriented data EKOP 1.2.7-2008-00012009 2011 4 166 500Project code Project name Project ID Started Finished Budget (EUR)model3 ASPInitialization of a Centralized Application Service Provider Centre for Local GovernmentsEKOP 3.1.6-2012-2012-0001 2012 2015 8 333 5004 E-FIZ Implementation of central electronic payment systemEKOP 2.1.1-07-2008-0001 2008 2013 12 777 6005 EFER ConnImplementation of activities related to organizational connections with central electronic payment and settlement system (EFER)EKOP-2.A.3-2013-2013-0002 2014 2014 320 5006 E-SZTENDERDEKGovernmental standards for IT services and e-government functionsÁROP 1.1.17-2012-2012-0001 2012 2013 641 00017 ESRESR-112 Single emergency calling system based on an emergency numberEKOP 2.1.12-2011-2012-0001 2012 2014 17 450 0008 FAIR Single IT support of the development policyEKOP 1.2.12-2011-2011-0001 2011 2013 7 468 0009 GSM-R FEM GSM-R State supervising engineerKÖZOP-6.1.1-11/K-2013-0001 2013 2015 2 404 00010 KGR Government budget management systemEKOP 1.2.1.-07-2008-001 2007 2013 14 263 50011 KKIR2Institutional Accounting Module (IKM-FI) subprojectEKOP-1.2.4-2013-2013-0001 2013 2014 961 50012 OTR Countrywide support monitoring systemEKOP-1.2.11-2013-2013-0001 2013 2014 2 564 25013 TÉBA Modernization of the payment of family benefitsEKOP 1.2.6-2008-0001 2009 2013 5 367 00014 INTÉZMÉNY-KÖZIIT systems development for centralized, inter-institutional data flowTIOP 2.3.1. 2013 2014 8 880 75015 KATÉTER ÉSMÓNIKANationwide health monitoring and capacity map database and application developmentTÁMOP 6.2.3/12-1-2012-0001 2013 2014 3 205 00016 KÖZHITELES Electronic public registers and sectoral portalsTIOP 2.3.2-12/1-2013-0001 2013 2014 6 730 50017 OEPDevelopment of customer relationships in Health Insurance and implementing data management and identification integrated into health information systemsEKOP 2.3.7-2012-2012-0001 2013 2014 8 972 00018 EDREDR development – Development of Single Digital Radiocommunication System (EDR)EKOP 2.2.7-2013-2013-0001 2013 2014 9 612 750Table 1: List of examined projects (created by author based on http://kifu.gov.hu webpage)METHODOLOGY OF RESEARCHThere  are  couple  of  research  regarded  to  Hungarian  ICT  projects.  For  instance  ICT projects  also  examined  byresearchers focused on the policy objectives and project deliverables, not on execution and actual results (ARANYOSSIet. al., 2014). Security consideration of ICT projects is an other important aspect of examination.Performing of my research includes two main direction, reviewing of projects documentation and interviewing withproject managers and related professionals. I try to identify any PKI element in project documentation in designingphase and ask project managers about appearing these elements both in administration and in results of the projects(deploying phase). Measuring IT security is a complex task (MUHA, 2010) and needs some formalization. To formalizemy results, research worksheet is specified for examining certificates, time stamps, signatures and archiving solutions.The worksheet contains the following elements:1. certificatea) PGP signing certificateb) non-qualified signing certificatec) qualified signing certificated) enciphering certificatee) authentication certificatef) SSL certificateg) qualified SSL certificateh) code signing certificate2. time stampa) qualified time stampb) non-qualified time stamp3. signaturea) normal personal PKI signatureb) advanced personal signaturec) qualified personal signatured) normal seale) advanced sealf) qualified seal4. archiving servicesa) qualified archiving serviceb) non-qualified archiving servicec) other archiving serviceMain goal of this research is to identify used PKI elements of the examined IT projects because electronic signatureappears as one of three basic functions of e-government in Hungary.DISCUSSINGBased on project  documentation and  performed interviews  lack  of  PKI elements  can  be stated in  most  examinedprojects. Governmental Certificate Service Provider as a CEAS (henceforward: GOVCA) issued several certificates forthe Governmental Agency, but most certificates (88,46%) were used for implementing only the central financial service(EFER). Detailed distribution of owners can be seen in the next table:Certificate owner CountEFER project 115Employees of Agency (12 authentication certificates + 1 signature certificate)13Developers (for testing purposes) 2Total value: 130Table 2: GOVCA issued certificates grouped by owners (created by author)The intended usage of PKI element was an other interesting question of this research. It can be derived from the appliedtypes  of  PKI  elements.  The  questionnaire  was  prepared  by  eIDAS and Hungarian  Electronic  Signature  Act.  Theinterviewed persons and examined documentation give an early result which is conformed by issued certificates:Type of Certificates Countorganizational signing certificate (seal) 1organizational mass signing certificate (automaton seal) 1organizational authentication certificate 75organizational SSL certificate (client and 26server)organizational code signing certificate 27Total value: 130Table 3: GOVCA issued certificates grouped by types (created by author)Note that this status was recorded at December 21, 2015 and each project manager have not interviewed yet.CONCLUSIONSBased on interviews and examined project documentation, it can be stated that there are no electronic signatures  in anydocumentation of projects neither in creating nor in archiving phases. However, EFER project uses most certificatesissued by GOVCA, because it has a commonly used financial part and electronic signature technology is an externalrequirement in electronic banking transactions nowadays. Furthermore digital certificates only use for authenticatingand testing purposes typically according to the results of the current phase of the research. Based on project managers'general opinion and partial results of this research it is presumable that using electronic signature technology has notintegrated into developing, performing, deploying and documenting Hungarian e-government projects yet, but moreresearch need to prove it undoubtedly.The reason of low intention to use electronic signatures in governmental IT projects requires further research, but it isknown factors that the Governmental Certificate Authority started at the end of 2013 and a bit of employees have PKIengineering  knowledge  as  PKI  usage  experiences  both  in  public  administration  and  commercial  companies.Furthermore we can see from statistical data of National Media- and Infocommunications Authority that using PKIcertificates is not typical among governmental players. The popular argumentation of electronic signature – it is moreexpensive and too complex – may result this behaviour in public administration but we cannot ignore its increasingusage in commercial sector during this time.REFERENCESEuropean Electronic Signature Standardization Initiative (EESSI). 1999. Final Report of the EESSI Expert Team, 20thJuly 1999. http://cryptome.org/eessi.htm (accessed April 10, 2016.)Márta  Aranyossi,  András  Nemeslaki,  Adrienn  Fekó.  2014.  Empirical  Analyis  of  Public  ICT Development  ProjectObjectives  in Hungary.  International Journal  of  Advanced Computer  Science and Applications  45.  Vol.  5  No.  12.http://thesai.org/Publications/ViewPaper?Volume=5&Issue=12&Code=IJACSA&SerialNo=6 (accessed April 10, 2016.)Lajos Muha. 2010. Measuring IT security. http://real.mtak.hu/12938/1/1278547.pdf (accessed April 10, 2016.)Directive  1999/93/EC  of  the  European  Parliament  and  of  the  Council  of  13  December  1999  on  a  Communityframework  for  electronic  signatures.  http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31999L0093(accessed April 10, 2016.)Regulation  (EU)  No  910/2014  of  the  European  Parliament  and  of  the  Council  of  23  July  2014  on  electronicidentification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1463515865338&uri=CELEX:32014R0910  (accessed  April  10,2016.)European Standard. 2016. ETSI EN 319 411-1 V1.1.1 (2016-02) Electronic Signatures and Infrastructures (ESI); Policyand  security  requirements  for  Trust  Service  Providers  issuing  certificates;  Part  1:  General  requirements.http://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.01.01_60/en_31941101v010101p.pdf (accessed April10, 2016.)European Standard. 2016. ETSI EN 319 411-2 V2.1.1 (2016-02). Electronic Signatures and Infrastructures (ESI); Policyand  security  requirements  for  Trust  Service  Providers  issuing  certificates;  Part  2:  Requirements  for  trust  serviceproviders issuing EU qualified certificates.http://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.01.01_60/en_31941102v020101p.pdf (accessed April10, 2016.)European Standard. 2016. ETSI EN 319 411-3 V1.1.1 (2013-01). Electronic Signatures and Infrastructures (ESI); Policyand security requirements for Trust Service Providers issuing certificates; Part 3: Policy requirements for CertificationAuthorities issuing public key certificates.http://www.etsi.org/deliver/etsi_en/319400_319499/31941103/01.01.01_60/en_31941103v010101p.pdf (accessed April10, 2016.)European Standard. 2016. ETSI EN 319 422 V1.1.1 (2016-03). Electronic Signatures and Infrastructures (ESI); Time-stamping protocol and time-stamp token profiles.http://www.etsi.org/deliver/etsi_en/319400_319499/319422/01.01.01_60/en_319422v010101p.pdf  (accessed  April  10,2016.)Technical Specification. 2015. ETSI TS 119 122-1 V1.0.1 (2015-07). Electronic Signatures and Infrastructures (ESI);CAdES digital signatures; Part 1: Building blocks and CAdES baseline signatures.http://www.etsi.org/deliver/etsi_ts/119100_119199/11912201/01.00.01_60/ts_11912201v010001p.pdf  (accessed  April10, 2016.)Technical Specification 2015. ETSI TS 119 132-1 V1.0.1 (2015-07). Electronic Signatures and Infrastructures (ESI);XAdES digital signatures; Part 1: Building blocks and XAdES baseline signatureshttp://www.etsi.org/deliver/etsi_ts/119100_119199/11913201/01.00.01_60/ts_11913201v010001p.pdf  (accessed  April10, 2016.)ETSI TS 119 142-1 V1.0.1 (2015-07). Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 1:Building blocks and PAdES baseline signatureshttp://www.etsi.org/deliver/etsi_ts/119100_119199/11914201/01.00.01_60/ts_11914201v010001p.pdf  (accessed  April10, 2016.)

Electronic Signature Technology in Hungarian Governmental IT Projects in 2010-2015

http://real.mtak.hu/93396/1/201607071030000.ERDOSI.pdf

Electronic Signature Technology in Hungarian Governmental IT Projects in 2010-2015

Abstract

Similar works

Full text

Available Versions

Repository of the Academy's Library