
International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 3, Issue 7, July 2013)

E-Tendering With Public Key Infrastructure – A Survey Based Implementation

Mubina S Malik¹

¹Lecturer, CMPICA, CHARUSAT, Changa, Gujarat

Abstract - In the current era, security is a prime concern in almost all aspects of business and organizations. Most businesses are moving towards remote transactions with the aid of web based computer systems. For remotely conducted business, e-Tendering has become the most efficient and prominent approach. The process involves a seller, a buyer and a mediating web based computer system. It requires a secure environment that maintains the integrity of data and the confidentiality of the business concerned. To achieve strong security in e-Tendering, Public Key Infrastructure (PKI) is implemented. PKI provides a secure web based environment that guarantees the reliability of the overall system. PKI uses asymmetric encryption/decryption to offer a highly shielded environment. This paper discusses the integration of e-Tendering with Public Key Infrastructure.

Keywords - E-Tendering, Buyer, Bidder/Supplier, PKI, Encryption / Decryption, Public Key/Private Key, Authentication.

I. INTRODUCTION

A. E-Tendering

E-Tendering is the electronic B2B (or B2C or B2G) sale and purchase of goods and services. The medium used might be the Internet or any other medium such as EDI (Electronic Data Interchange) and Enterprise Integrations (formerly known as EAI). E-Tendering is the electronic exchange of tenders. It reduces the burden of tenders that are managed traditionally and improves the efficiency of, and the time taken to complete, a purchase. An E-Tendering portal is a website set up specifically for exchanging information and tender documents electronically over the Internet. The key roles in E-Tendering are the Buyer and the Bidder. The Buyer is a person who creates, manages and transmits contract announcements electronically. The Bidder is a person who submits a bid for the tender.

B. Why Security in E-Tendering?

Like other electronic commerce systems such as e-payments and e-auctions, an e-tendering system is required to address generic security requirements: confidentiality, integrity, authentication and non-repudiation.

As tendering is carried out over insecure networks, the e-tendering system should provide communication security that protects information sent between all participants. This is generally achieved by using strong encryption. It is also essential that an e-tendering system provides strong storage security, as submissions are stored in a database.

In (Head, 2003), John Barnard refers to discrepancy in usage of e-tendering scheme. He observed that, although more than 75% of tenders are electronically advertised, less than 40% provide electronic documentation required by the tender process and less than 20% make electronic tender submissions. The prime security issue, that has been the main obstacle in a wide adoption of e-tendering, is the lack of fairness of the e-tendering process. A secure e-tendering solution should support both fairness and transparency in order to guarantee tenderers to see progress of their submission processing. It is also important that when disputes arise, an e-tendering system should be able to provide a full history of the events leading up to contract award which can be publicly verified without compromising confidentiality or privacy.

C. PKI (Public Key infrastructure)

Public-key infrastructure is a comprehensive system that provides public-key encryption and digital signature services to ensure confidentiality, access control, data integrity, authentication and non-repudiation. A public-key infrastructure is probably the most critical enterprise security investment a company will make in the next few years. It is mostly used in E-Business applications. PKI enables new business processes.

Some of the security points covered by PKI are:

• Identify users accessing sensitive information? (Authentication)
• Control who accesses information (Access Control)
• Be sure communication is private but carried over the Internet? (Privacy)
• Ensure data has not been tampered with? (Integrity)
• Provide a digital method of signing information and


In PKI, a pair of keys is generated for each user: a public key and a private key. The public key is used for encryption whereas the private key is used for decryption; this is called an asymmetric key pair. The public key is derived from the private key, but it is infeasible to derive the private key from the public key. When the sender of a message uses the public key of the recipient to encrypt it, the sender can be sure that its contents can only be read after being decrypted by the recipient and by no one else.

II. ENHANCEMENT OF TRADITIONAL TENDERING TO E-TENDERING

Before the e-Tendering concept existed, tendering was done through a Public Service Publisher (PSP); it was paper work, and the process was carried out manually. Traditional tender processes can be long and cumbersome, often taking three months or longer, which is costly for both buyer and supplier organizations.

In the traditional process, tendering was done through envelopes or paper, which has many disadvantages such as wastage of time, paper and money, fraud in tendering and human error. The process was very tedious as all the work was done on paper or in envelopes. Security was the main concern, as the bid amount could be stolen or leaked. To overcome these issues, government and private industries moved to online tendering, i.e. e-Tendering. In e-Tendering the whole process is carried out online. Users need to be authenticated and submit their bids electronically, so there is very little chance of a security breach. All the work is done through a web portal and the data is stored directly in the database. No one has access to the web application and the database. There is still a risk that someone may hack bid data from the web portal. The data or information stored in the database may be in readable format, so if a hacker obtains this data the bidder can lose the entire bid. Hence the concern remained the same, i.e. security to avoid such malfunctioning.

Figure I: Enhancement of Traditional Tendering To e-Tendering

This can be avoided by implementing E-Tendering with PKI. The data in the database is stored in a strongly encrypted, unreadable format and no one can read it without decrypting it. Public key infrastructure is very helpful and highly secure in e-Tendering. In an asymmetric PKI implementation the whole process is carried out at the client end. The bid should be encrypted using PKI on the bidder's computer and then submitted to the server over SSL encryption. Only the encrypted file submitted by the bidder should be stored, and it should be decrypted at the Tendering Opening Event (TOE) [3].

III. IMPLEMENTATION OF PKI IN E-TENDERING


Under the IT Act 2000, electronic transactions/contracts are legally valid, and the use of digital signatures is legal. Additionally, the IT Act enables electronic communication by means of reliable electronic records and security procedures for electronic records and digital signatures. The appointment of Certifying Authorities and of the Controller of Certifying Authorities is also made valid under the IT Act 2000, India. The Controller is the entity that acts as a repository of all digital signature certificates, and Certifying Authorities are the entities licensed to issue digital signature certificates. Hence, certificates issued by any valid certifying authority in India are valid under the IT Act 2000 [4][8].

Integration of the PKI component with e-Tendering is the prime scope of this article. According to the IT Act 2000, a digital certificate and digital signature are mandatory for secure electronic transactions. The evolution of the tendering process described above shows how the security issues can be overcome. Tendering has been carried out for a very long time, but many organizations still have not implemented PKI in e-Tendering.

Here, I have explored how e-Tendering works with PKI. Companies with authority to issue digital certificates play a crucial role in e-Tendering.

A. Registration Process

In the e-Tendering process the buyer and the bidder are the key persons. Both have to register to access the e-Tendering web portal; without registration the buyer cannot publish a tender and the bidder cannot bid on one. To access the web portal, the buyer or bidder first has to submit documents to the Application Service Provider (ASP). The ASP verifies the documents and also performs e-mail verification. After document verification, the buyer and bidder proceed with the digital certificate and digital signature, and then have access to the web portal. According to tendering rules, a CLASS III organization certificate is needed for e-Tendering.

ASP is responsible for domain creation of buyer. Many organizations publish the tender from websites and similarly many others like to create a sub domain for publishing their tender. ASP will create the user and assign the role accordingly to the buyer.

During Registration process both the buyer/bidder will be prompted to enter valid user id, password, email id and other details. After providing the generic details, appropriate digital certificate of buyer/bidder (signing/encryption) will be mapped with the user id itself. This mapping of digital certificate will be done using Public Key Infrastructure (PKI).

During this process the private key of the buyer's/bidder's digital certificate is accessed and the respective certificates are mapped to the login. Digital certificate information such as the certificate serial number, thumbprint, public key, valid-from date and valid-to date can be stored in the database for further processing. When logging in to the portal, the user is prompted to enter the username and password. After the Login button is clicked, a digital certificate dialog box appears for selecting the certificate from the eToken. If the buyer/bidder selects another certificate, he/she will not be able to log in to the system. Hence, for a secure login the user should select the digital certificate that was used during the user registration process. After registration and login, the buyer can publish a tender, evaluate the tender and declare the award of contract, and the supplier can submit bid data, edit the bid if needed and view the result of the contract.

Figure II: Registration Process
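One way to implement the certificate-to-login mapping described above, as an added Go example (not code from the paper): the portal stores the SHA-256 thumbprint of the certificate at registration and, at login, accepts only that certificate, inside its validity period, together with a signature over a fresh challenge produced by the token. The challenge signature, the self-signed ECDSA stand-in certificate and the names `Register`, `Login` and `newToken` are assumptions; CA chain and revocation checks are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Register returns the thumbprint the portal maps to the user ID at registration.
func Register(certDER []byte) ([32]byte, error) {
	_, err := x509.ParseCertificate(certDER) // reject anything that is not a certificate
	return sha256.Sum256(certDER), err
}

// Login accepts only the registered certificate, inside its validity period, and only
// if the token signed the portal's fresh challenge with the matching private key.
func Login(registered [32]byte, certDER, challenge, sig []byte, now time.Time) error {
	if sha256.Sum256(certDER) != registered {
		return errors.New("certificate is not the one mapped to this user ID")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate is outside its validity period")
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig)
}

// newToken is a constructed stand-in for an eToken: it hands out a self-signed
// certificate and a signing operation, never the private key itself.
func newToken(cn string) (certDER []byte, sign func(msg []byte) []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	certDER, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return certDER, func(msg []byte) []byte {
		digest := sha256.Sum256(msg)
		sig, _ := ecdsa.SignASN1(rand.Reader, key, digest[:])
		return sig
	}
}

func main() {
	cert, sign := newToken("constructed bidder")
	thumb, _ := Register(cert)
	challenge := []byte("constructed-challenge-01") // the portal would send random bytes
	fmt.Println("login error:", Login(thumb, cert, challenge, sign(challenge), time.Now()))
}
```

Matching the thumbprint alone would let anyone holding a copy of the public certificate log in; the challenge signature is what ties the login to possession of the token.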

B. Bid Submission


Hence, the data is completely secured: it is stored in unreadable format, and if someone tampers with the data, it does not get decrypted. The data can be decrypted only with the supplier's private key. Only the supplier himself is authorized to view the bid. All uploaded documents also get encrypted & stored either in database server

As PKI uses asymmetric encryption/decryption, it is impossible to decrypt the data after final bid submission; the entire bid gets encrypted & stored in the database. The private key with which the bid is decrypted is available to the concerned person/officer before the public tender opening event. SSL, an Internet standard secure protocol, is used in PKI to secure data by encrypting it at the time of transmission. Before the bid is submitted to the database server, the computers are protected with SSL encryption and database-level encryption. The bid is decrypted accordingly: after it reaches the server the SSL encryption is removed and the bid is again encrypted with PKI. [2, 3]

Figure III: Bid Submission Process
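The client-side sealing and opening-time decryption described in this section and in Section II, as an added Go example (not code from the paper): the bid is encrypted on the bidder's machine with a one-time AES-256-GCM key that is wrapped with RSA-OAEP under the tender-opening public key, so the portal stores only ciphertext and any alteration makes opening fail. The algorithms, the names `SealBid`, `OpenBid` and `SealedBid`, the binding to a tender ID and the use of the opening officer's key pair are assumptions; the paper names none of them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SealedBid is all the portal stores; it is unreadable without the opening key.
type SealedBid struct{ WrappedKey, Nonce, Ciphertext []byte }

var demoOpeningKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed key pair for the demo

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBid runs on the bidder's machine, before the bid leaves it.
func SealBid(bid []byte, tenderID string, openPub *rsa.PublicKey) (*SealedBid, error) {
	secret := make([]byte, 32+12) // one-time AES-256 key followed by the GCM nonce
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	cek, nonce, aad := secret[:32], secret[32:], []byte(tenderID) // aad ties the bid to one tender
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, openPub, cek, aad)
	if err != nil {
		return nil, err
	}
	return &SealedBid{wrapped, nonce, gcm.Seal(nil, nonce, bid, aad)}, nil
}

// OpenBid runs at the tender opening event (TOE) with the opening private key.
func OpenBid(sb *SealedBid, tenderID string, openKey *rsa.PrivateKey) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, openKey, sb.WrappedKey, []byte(tenderID))
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap bid key: %w", err)
	}
	gcm, err := newGCM(cek)
	if err != nil || len(sb.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("sealed bid is malformed")
	}
	return gcm.Open(nil, sb.Nonce, sb.Ciphertext, []byte(tenderID)) // fails if any byte was altered
}

func main() {
	sb, _ := SealBid([]byte("constructed bid: 485000 INR"), "TENDER-001", &demoOpeningKey.PublicKey)
	plain, err := OpenBid(sb, "TENDER-001", demoOpeningKey)
	fmt.Printf("stored %d ciphertext bytes; opened %q (err=%v)\n", len(sb.Ciphertext), plain, err)
}
```

This block covers confidentiality and tamper detection only; non-repudiation would additionally need the bidder's signature over the sealed bid.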

C. Bid Evaluation

Bid evaluation is carried out at the buyer's end, where the buyer creates a committee. This committee is responsible for bid opening. After analysis, the entire bid is evaluated, a comparative report is generated, the result is shared and the appropriate supplier gets the award of contract (AOC).

Figure IV: Bid Evaluation Process

D. Tender Process Cycle

Buyer End:

The supplier has to log in to his account for tender creation & publishing the tender online. After the tender is published, it is available for bid submission. If any correction is made to the information/requirements of the tender, a tender corrigendum is issued. The tender is then again available for bid submission.


Figure V: Tender Process Cycle

Supplier End:

The supplier has to log in to his account to bid for the appropriate tender. The supplier has to plug in the e-Token containing his valid CLASS III digital certificates. After logging in to the system the supplier is allowed to bid for the tender. The tender data is stored in an encrypted format. The supplier can edit his bid until he has made the final bid submission. After final bid submission, the supplier cannot edit the bid; he can only view the result of the bid.

TABLE I

COMPARISON OF E-TENDERING PROCESS WITHOUT PKI AND WITH PKI IMPLEMENTATION

| e-Tendering Process Without PKI | e-Tendering Process With PKI Component |
| --- | --- |
| Data is not highly secured | Data is highly secured by asymmetric key |
| Data is stored in plain text and hence it is vulnerable for critical information | Data is stored in encrypted format. Impossible to decrypt the encrypted data. |
| With a symmetric key, each message is encrypted with the same key, so an attacker can figure out the key that is used for encryption and decryption | With an asymmetric key, the message is decrypted with a different key, so there is no possibility that a hacker can hack the data |
| Does not provide confidentiality, non-repudiation | Provides true confidentiality and non-repudiation |
| Does not follow security norms set by govt. of India | Implementing PKI follows all the security norms set by govt. of India as per IT Act 2000 |
| In simple e-Tendering, at most symmetric encryption methodology can be applied, which provides security up to some extent | In e-Tendering with PKI, symmetric as well as asymmetric encryption methodologies can be applied, which provides maximum security |
| Symmetric encryption/decryption takes place at server side; if the key is leaked, data becomes insecure | Asymmetric |


IV. CONCLUSION

This article focuses on the importance of commerce through e-Tendering with a high-security implementation through PKI. As discussed in the paper, PKI provides security services such as authentication, privacy, integrity and non-repudiation in the electronic tendering process. The process proves reliable, secure and time efficient with little human intervention. A completely automatic system can be achieved through precise implementation of the proposed architecture. The article concludes with the advantages of e-Tendering with PKI over e-Tendering without PKI. The overall system can be shielded more properly through the combination of both private key and public key.

REFERENCES

[1] Vijayakrishnan Pasupathinathan, Josef Pieprzyk, “A Fair E-Tendering Protocol”, ACAC, Department of Computing, Macquarie University, Sydney, Australia

[2] Quality requirements of eProcurement System

[3] PKI Ensures Fair, Fast & Secure e-Procurement, TCS

[4] PKI and e-Procurement-An Indian Perspective, (n) Code Solutions

[5] Ameera Damsika, Dulhan Ranasinghe, Dhananjay Kulkarni, “A Novel Mechanism for Secure E-Tendering in an open electronic tender”, Asia Pacific Institute of Information Technology – Sri Lanka

[6] Haslina Mohd, Mohd Afdhal Muhammad Robie, Fauziah Baharom, Nazib Nordin, Norida Muhd Darus, Mohamed Ali Saip, Azman Yasmi, Azida Zainol, Nor Laily Hashim, “Misuse Case Modeling for Secure E-Tendering System”, 2012

[7] Jitendra Kohli, “Red Flags In E-Procurement/ E-Tendering For public Procurement and Some Remedial Measures”, IIT (Delhi)

[8] “Information Technology Act 2000”, Government of India

[9] Government of Gujarat Industries and Mines Department,
