
International Conference on Management of e-Commerce and e-Government

Research on the E-Government Scheme based on Multi-Technologies and Bidirectional Authentication


Li Liangzhi
Research Center of Cluster and Enterprise Development, Business & Management School, Jiangxi University of Finance and Economic, P.R.China, 330013 (Email:lilz@jxufe.edu.cn)

Abstract
Authentication is the key part of network security and the main problem we should resolve. This scheme, which is bi-directional, uses multiple mechanisms to ensure safe authentication and provides a uniform authentication service to other e-government application systems, meeting the needs of current e-government systems. However, authentication technology and e-government systems are continually developing, and there are still many problems to be solved.

Keywords: multi-mechanism; e-government; authentication technology

1. Introduction
With the rapid development and popularization of computer and communication technology, users can share expensive information resources and communicate with each other in multi-user computer systems or network systems. However, the probability of controlled information being extracted by unauthorized users in the system is also increasing. In order to reduce losses, researchers have proposed a wide variety of user identification solutions. Among these, password identification is a method of identity authentication based on something known, and has been widely adopted because of its low price, easy implementation, user-friendliness and other features. But it is also the user authentication mechanism most likely to be broken. If an eavesdropper on the network obtains the secret password, he or she will be able to impersonate the user. Therefore, the password identification system faces an enormous threat from the network.

2. One-time password identification solutions

Eavesdropping on network connections to obtain useful authentication information, such as a legitimate user's account name and password, is a common form of attack on the Internet. Once the information has been obtained, the attacker gains the right to use the system. The OTP (One-Time Password) system is designed to cope with the passive form of attack known as the replay attack. In the OTP system only a one-time password is transmitted over the Internet and verified at the server side; the user's password (the Secret Pass-Phrase) is never transmitted over the Internet. OTP identification is a digest-based identification whose safety rests on the one-wayness of the hash function. Its core idea is that, instead of the user password, a one-time password generated from the user's secret pass-phrase and a random factor is transmitted over the network and verified. According to how the uncertainty factor is chosen, common OTP designs provide a password-sequence mechanism, a challenge/response mechanism, a time-synchronization mechanism, an event-synchronization mechanism and others. Of the challenge/response and password-sequence mechanisms, the challenge/response mechanism is easier to implement, has strong resistance to attack, and requires only a small amount of computation at the client, which makes it suitable for identity authentication in B/S-mode e-government applications.

3. Realization of module or subsystem

An e-government application system using SSL one-way identification and multi-factor authentication technology is developed in this paper. The system uses PHP, which is very popular in WEB application development, as the development language and takes SQL Server 2000 as the database server. It focuses on the security of the transmission network and related data, and its security features are as follows:
1) SSL technology is used to encrypt and protect transmission between the server and the client;
2) SSL one-way identification technology is used (only the server is identified);
3) OTP (one-time password) technology is used for identification;
4) Sensitive information in the database is encrypted (with a symmetric-key algorithm);
5) At the login entrance of the system administrator it is not only necessary to provide the correct account and password, but the IP address of the administrator is also verified, to prevent unrelated personnel from gaining unauthorized access to sensitive information;
6) To ensure the effectiveness and availability of the information system, the system updates the contents of the database and processes backups at any time.

978-0-7695-3366-7/08 $25.00 2008 IEEE DOI 10.1109/ICMECG.2008.41

3.1. Network topology

[Figure 1. System network topology; the diagram also labels the SQL SERVER data server]

As shown in Figure 1, the system server is connected to the Internet through the firewall. The management computer and users can access the system from any computer connected to the Internet, which gives full freedom to users of the system at all levels: the system administrator can access the system at any time and from anywhere, ensuring that managers deal with events in a timely manner; users can also access the system at any time and from anywhere, which protects the user's privacy and safety and allows the system to be applied over a wider range. In addition, the system communicates with the management computer and the users through an SSL-encrypted session, which also guarantees the security of the data.

3.2. Module division

In accordance with the system functions, the system can be divided into three modules:
Part I: user information release / response to query module;
Part II: information manager identification / information processing module;
Part III: system administrator module for system initialization, replacement of the key of the whole system, and creation of the user identification information file.
The system modules and flow chart are shown in Figure 2. Owing to space constraints, we skip the other parts and focus on the identification subsystem.

[Figure 2. System flow chart; the chart's labels are: Users; User information release; Is the information in criterion? (Y/N); 3DES encryption; System administration/Users; One-time password identification; Is the ID legal? (Y/N); Management interface / User query interface; The encrypted attachment in the file system; 3DES decryption; Information release interface; Information management/query interface]

3.3. Realization of SSL

When one-way identification SSL is used as the secure means of communication, certificates are only issued to the application server or secure communication proxy server. When the client browser connects to the server, the client verifies the server's certificate to determine whether the server is trusted; a secure communication channel is then established and all data transmitted in both directions is encrypted. Users (whether system administrators or other users logging in to applications) can safely submit their own account information and other sensitive or confidential data to the trusted server under encryption. In practice, customers (meaning the managers of the e-government application system) are required to first purchase a CA certificate from the authority and import it into IIS (Internet Information Services) on the application server. This achieves data encryption in two-way transmission between client and server.

4. Realization of one-time password

A one-time password entirely based on the WEB can be realized in two main ways: one is a JAVA-based APPLET and the other is COM component technology based on ASP. The combination of ASP and COM components is superior to a JAVA APPLET in speed, and this is very obvious when complex operations are conducted. As a result, we select the combination of ASP and COM components to achieve it.

4.1. COM component technology achieves one-time password

VC, VB and other languages with strong computing capability and high-efficiency implementation are used to program the COM component, and the COM (Component Object Model) component is embedded in the script program of the e-government application system, which can not only expand the applications of the script program but


also expand the operating capacity of the script program. We use the ATL (Active Template Library) of VC to prepare a lightweight COM component. First, create a COM component and a method for the one-way encryption operation. Here we define the method, called Encrypt, which has two input parameters, Resource and Seed, indicating respectively the clear text and the value of the seed; when the Encrypt method completes, it returns the one-way encryption result of the mixed Resource and Seed. Next, we choose a suitable method according to actual needs to achieve the one-way encryption algorithm. Finally, the COM component and the dynamic link libraries it needs are packaged and compressed into a CAB file, so that the browser can download and install it automatically.

4.2. Client Realization

In the actual realization, the client first issues the page request and the server sends the Seed value back to the client. On the login page the client submits the user name and password; the user password is encrypted in a one-way manner and sent to the server, which performs the same calculation for verification. The relevant fragments of its script program are as follows:

    <FORM NAME="login" ACTION="checkuser.asp" METHOD="POST" ONSUBMIT="Encrypt()">
      <INPUT TYPE="TEXT" NAME="UserName" VALUE="">
      <INPUT TYPE="PASSWORD" NAME="Password">
      <INPUT TYPE="HIDDEN" NAME="Sess" VALUE=<% Response.Write chr(34) & Session.SessionID & chr(34) %>>
      <INPUT TYPE="SUBMIT" VALUE="submit">
    </FORM>

We can see from the above program that what the user inputs in the password field of the authentication form is still the clear text of the password, which is undoubtedly good news for the users. In the OnSubmit event of the form, the program calls a client script procedure (Encrypt), which encrypts the password field together with the value of the challenge and replaces the value of the password field with the encrypted result. The Encrypt procedure is called as follows: first define the object, and then call the Encrypt function of the COM component object in the script:

    <OBJECT ID="PSWClient" CLASSID="CLSID:xxxxxx"></OBJECT>

After the object is defined, we can call:

    <SCRIPT LANGUAGE="VBScript">
    <!--
    Sub Encrypt()
        src = login.password.value       ' clear-text password typed by the user
        Seed = login.Sess.value          ' challenge (session ID) sent by the server
        dest = PSWClient.Encrypt(src, Seed)
        login.password.value = dest      ' only the one-way result leaves the browser
    End Sub
    -->
    </SCRIPT>

We can see from the above code that the whole encryption process of Encrypt is transparent to the users, who cannot know the details of the encryption process even if they open and view the source code.

4.3. Server-side Realization

When the client sends the login page request, the server first obtains the system time and then performs one-way encryption to get the seed value: Seed = MD5(the current system time of the server). The server then sends the Seed value to the client. We complete the server-side work below. First, insert the following into global.asa so that every script program that calls the Encrypt procedure can access the one-way encryption COM component:

    <OBJECT RUNAT="Server" SCOPE="Application" ID="PSWServer" CLASSID="CLSID:xxxxxx"></OBJECT>

Then checkuser.asp likewise calls the Encrypt procedure of the COM object on the clear text of the password and verifies the result:

    dest = PSWServer.Encrypt(usrpsw, Session.SessionID)
    If (dest <> Request.Form("Password")) Then
        Response.Write "Unauthorized users"
        Response.End
    End If

Here usrpsw is the clear text of the user password, which is stored encrypted on the server. In this way we have completed the encryption of one-time password identification.
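The challenge/response exchange of sections 4.2 and 4.3, as an added Python example that is not code from the paper: the server issues a per-session seed, the client submits Encrypt(password, seed), and the server repeats the calculation from the stored password, exactly as checkuser.asp does. The one-way function (SHA-256 over password||seed), the random per-session seed and the single-use bookkeeping in `pending` are assumptions of this example, not the paper's COM component.

```python
import hashlib
import hmac
import secrets

# Assumption: the paper does not name the one-way function inside its COM
# component's Encrypt(Resource, Seed); here it is SHA-256 over password||seed.
def encrypt(password: str, seed: str) -> str:
    return hashlib.sha256((password + seed).encode("utf-8")).hexdigest()

class Server:
    """Stands in for global.asa + checkuser.asp (names are the paper's; logic is illustrative)."""
    def __init__(self, users):
        # Paper: the clear-text password is kept (3DES-encrypted) so the server
        # can recompute the response; this demo holds it decrypted in memory.
        self.users = dict(users)
        self.pending = {}  # session id -> seed issued with that login page

    def login_page(self):
        # Paper derives Seed = MD5(server time) and passes Session.SessionID as
        # the challenge; a random seed per session (assumption) keeps challenges unique.
        sid = secrets.token_hex(8)
        self.pending[sid] = secrets.token_hex(16)
        return sid, self.pending[sid]

    def check_user(self, sid, username, response):
        # The seed is consumed on first use, so a captured response replayed
        # against the same session, or under any later seed, no longer verifies.
        seed = self.pending.pop(sid, None)
        password = self.users.get(username)
        if seed is None or password is None:
            return False
        return hmac.compare_digest(encrypt(password, seed), response)

def client_login(server, username, password):
    """Client side (the paper's VBScript Sub Encrypt): hash before the form is posted."""
    sid, seed = server.login_page()
    return sid, encrypt(password, seed)   # the clear-text password never leaves here

if __name__ == "__main__":
    srv = Server({"alice": "correct horse"})        # constructed sample user
    sid, resp = client_login(srv, "alice", "correct horse")
    print(srv.check_user(sid, "alice", resp))        # True
    print(srv.check_user(sid, "alice", resp))        # False: seed already consumed
```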

5. Client access identification systems


When users visit with WEB browsers (such as Internet Explorer and Netscape), the connection is automatically switched to the HTTPS protocol and a prompt is shown. The login page asks users to enter a user name, password and additional password. We can see that the encryption process of the whole system is transparent to the users, who need not know the details of the one-time encryption and only need simple operations (users only input the account name and password in the whole process) to visit.

6. Conclusions
A multi-technology, integrated, bi-directional authentication solution for e-government identification is proposed; the security of one-way SSL identification and one-time password encryption technology is analyzed in the solution, and the realization of its core code is presented.


