
 International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 3, Issue 7, July 2013) 

E-Tendering With Public Key Infrastructure – A Survey Based Implementation

Mubina S Malik
Lecturer, CMPICA, CHARUSAT, Changa, Gujarat

Abstract - In the current era, security is a prime concern in almost all aspects of business and organizations. Most businesses are moving towards remote transactions with the aid of web-based computer systems. For remotely conducted business, e-Tendering is the most efficient and prominent approach. This process involves a seller, a buyer and a mediating web-based computer system. To achieve this, we must have a secure environment that maintains the integrity of data and the confidentiality of the business concerned. To achieve strong security in e-Tendering, Public Key Infrastructure (PKI) is implemented. PKI provides a secure web-based environment that guarantees the reliability of the overall system. PKI uses asymmetric encryption/decryption to offer a highly shielded environment. This paper discusses the integration of e-Tendering with Public Key Infrastructure.

Keyword - E-Tendering, Buyer, Bidder/Supplier, PKI, Encryption / Decryption, Public Key/Private Key, Authentication.

I. INTRODUCTION

A. E-Tendering

E-Tendering is the electronic B2B (or B2C or B2G) sale and purchase of goods and services. The medium used might be the Internet or any other medium such as EDI (Electronic Data Interchange) and Enterprise Integrations (formerly known as EAI). E-Tendering is the electronic exchange of tenders. It reduces the burden of managing tenders traditionally and improves the efficiency of, and time taken to complete, a purchase. An E-Tendering portal is a website specially set up to exchange information and tender documents electronically over the Internet. In E-Tendering the key roles are Buyer and Bidder. The Buyer is a person who creates, manages and transmits the contract announcement electronically. The Bidder is a person who submits a bid in response to the tender.

B. Why Security in E-Tendering?

Like other electronic commerce systems such as e-payments and e-auctions, an e-tendering system is required to address generic security requirements like confidentiality, integrity, authentication and non-repudiation.

As tendering is carried over insecure networks, the e-tendering system should provide communication security that protects the information sent between all participants. This is generally achieved by using strong encryption. It is also essential that an e-tendering system provides strong storage security, as submissions are stored in a database.

In (Head, 2003), John Barnard refers to a discrepancy in the usage of e-tendering schemes. He observed that, although more than 75% of tenders are electronically advertised, less than 40% provide the electronic documentation required by the tender process and less than 20% make electronic tender submissions. The prime security issue, which has been the main obstacle to wide adoption of e-tendering, is the lack of fairness of the e-tendering process. A secure e-tendering solution should support both fairness and transparency so that tenderers are guaranteed to see the progress of their submission processing. It is also important that when disputes arise, an e-tendering system is able to provide a full history of the events leading up to contract award which can be publicly verified without compromising confidentiality or privacy.

C. PKI (Public Key Infrastructure)

Public-key infrastructure is a comprehensive system that provides public-key encryption and digital signature services to ensure confidentiality, access control, data integrity, authentication and non-repudiation. A public-key infrastructure is probably the most critical enterprise security investment a company will make in the next few years. It is mostly used in e-business applications. PKI enables new business processes.

Some of the points covered by PKI for security are:

- Identify users accessing sensitive information (Authentication)
- Control who accesses information (Access Control)
- Be sure communication is private although carried over the Internet (Privacy)
- Ensure data has not been tampered with (Integrity)
- Provide a digital method of signing information and transactions (Non-repudiation)


In PKI a pair of keys is generated for the user: a public key and a private key. The public key is used for encryption whereas the private key is used for decryption; this is called an asymmetric key. The public key is derived from the private key, but it is infeasible to derive the private key from the public key. When the sender of a message uses the public key of the recipient to encrypt it, the sender can be sure that its contents can only be read after being decrypted by the recipient and by no one else.

II. ENHANCEMENT OF TRADITIONAL TENDERING TO E-TENDERING

Before the e-Tendering concept existed, the tendering process was done through a Public Service Publisher (PSP); it was paper-based and carried out manually. Traditional tender processes can be long and cumbersome, often taking three months or longer, which is costly for both buyer and supplier organizations. In traditional tendering, bids were submitted on paper in envelopes, which has many disadvantages: wasted time, paper and money, fraud in tendering, and human error. The process was very tedious because all the work was done on paper or through envelopes. Security was the main concern, as the bid amount could be stolen or leaked. To overcome these issues, government and private industry moved to online tendering, i.e. e-Tendering. In e-Tendering the whole process is carried out online. Users need to be authenticated and submit the bid electronically, so there is very little chance to breach that security. All the work is done through a web portal and the data is stored directly in the database. No one has access to the web application and the database. But there is still a risk that someone may steal bid data from the web portal. The data stored in the database may be in a readable format, so if an attacker obtains it, the bidder can lose the entire bid. Hence the concern is again the same: security to prevent such incidents.

Figure I: Enhancement of Traditional Tendering to e-Tendering

This can be avoided by implementing e-Tendering with PKI. The data in the database is stored in a strongly encrypted, unreadable format, and no one can read it without decrypting it. Public key infrastructure is very helpful and highly secure in e-Tendering. In an asymmetric PKI implementation the whole process is carried out at the client end. The bid should be encrypted using PKI on the bidder's computer and then submitted to the server over SSL. Only the encrypted file submitted by the bidder should be stored, and it should be decrypted at the Tendering Opening Event (TOE) [3].

III. IMPLEMENTATION OF PKI IN E-TENDERING

An e-Tendering system requires security properties such as confidentiality, integrity and non-repudiation as well as authentication [1]. These requirements must therefore be met when implementing an e-tendering system, and they are fulfilled by implementing PKI in the system. PKI components include the digital certificate, public and private keys, Secure Socket Layer (SSL) and the Certificate Authority.


Hence, the data are completely secured: they are stored in an unreadable format, and if someone tampers with the data, it does not decrypt. The data can be decrypted only with the supplier's private key. Only the supplier himself is authorized to view the bid. All the documents uploaded also get encrypted & stored either in database server

As PKI uses asymmetric encryption/decryption, it is impossible to decrypt the data after final bid submission. The entire bid is encrypted and stored in the database. The private key with which the bid is decrypted is available with the concerned person/officer before the public tender opening event. SSL, an Internet-standard secure protocol, is used in PKI to secure data by encrypting it during transmission. Before the bid is submitted to the database server, it is protected with SSL encryption and database-level encryption. It is decrypted accordingly: after reaching the server, the SSL encryption is removed and the bid is again encrypted with PKI. [2, 3]

Figure III: Bid Submission Process

C. Bid Evaluation

The bid evaluation process is carried out at the buyer end; the buyer creates a committee. This committee is responsible for bid opening. After analysis, the entire bid is evaluated, a comparative report is generated, the result is shared, and the appropriate supplier gets the award of contract (AOC).

Figure IV: Bid Evaluation Process

D. Tender Process Cycle

Buyer End: The supplier has to log in to his account for tender creation and for publishing the tender online. After the tender is published, it is available for bid submission. If any correction is made to the information or requirements of the tender, a tender corrigendum is issued. The tender is then again available for bid submission.

On the tender opening date, i.e. BID EVALUATION, the tender is evaluated with the digital certificate (private key) of the buyer at the buyer end. The supplier whose bid is the minimum is awarded the contract.


Figure V: Tender Process Cycle

Supplier End: The supplier has to log in to his account to bid for the appropriate tender. The supplier has to plug in an e-Token containing his valid CLASS III digital certificates. After logging into the system, the supplier is allowed to bid for the tender. The tender data is stored in an encrypted format. The supplier can edit his bid until he has made the final bid submission. After final bid submission, the supplier cannot edit the bid. He can only view the result of the bid.

TABLE I
COMPARISON OF E-TENDERING PROCESS WITHOUT PKI AND WITH PKI IMPLEMENTATION

| e-Tendering Process Without PKI | e-Tendering Process With PKI Component |
| --- | --- |
| Data is not highly secured | Data is highly secured by asymmetric key |
| Data is stored in plain text and hence it is vulnerable for critical information | Data is stored in encrypted format. Impossible to decrypt the encrypted data. |
| In symmetric key, each message is encrypted with the same key, so an attacker can figure out the key that is used for encryption and decryption | In asymmetric key, the message is decrypted with a different key, so there is no possibility that a hacker can hack the data |
| Does not provide confidentiality, non-repudiation | Provides true confidentiality and non-repudiation |
| Does not follow security norms set by Govt. of India | Implementing PKI follows all the security norms set by Govt. of India as per IT Act 2000 |
| In simple e-Tendering, at most symmetric encryption methodology can be applied, which provides security up to some extent | In e-Tendering with PKI, symmetric as well as asymmetric encryption methodologies can be applied, which provides maximum security |
| Symmetric encryption/decryption takes place at server side; if the key is leaked, data becomes insecure | Asymmetric encryption/decryption happens at the client end and the data travels in an encrypted format; hence, your data becomes secure |


IV. CONCLUSION

The article focuses on the importance of e-Commerce through e-Tendering with high-security implementation through PKI. As discussed in the paper, PKI provides security properties such as authentication, privacy, integrity and non-repudiation in the electronic tendering process. The process proves reliable, secure and time efficient with little human intervention. A completely automatic system can be achieved through precise implementation of the proposed architecture. The article concludes with the advantages of e-Tendering with PKI over e-Tendering without PKI. The overall system can be shielded more properly through a combination of both private key and public key.

REFERENCES

[1] Vijayakrishnan Pasupathinathan, Josef Pieprzyk, "A Fair E-Tendering Protocol", ACAC, Department of Computing, Macquarie University, Sydney, Australia
[2] Quality requirements of eProcurement System
[3] PKI Ensures Fair, Fast & Secure e-Procurement, TCS
[4] PKI and e-Procurement-An Indian Perspective, (n) Code Solutions
[5] Ameera Damsika, Dulhan Ranasinghe, Dhananjay Kulkarni, "A Novel Mechanism for Secure E-Tendering in an open electronic tender", Asia Pacific Institute of Information Technology, Sri Lanka
[6] Haslina Mohd, Mlohd Afdhal Muhammad Robie, Fauziah Baharom, Nazib Nordin, Norida muhd Darus, Mohamed AliSaip, Azman Yasmi, Azida Zainol, Nor Laily hashim, "Misuse Case Modeling for Secure E-Tendering System", 2012
[7] Jitendra Kohli, "Red Flags In E-Procurement/ E-Tendering For public Procurement and Some Remedial Measures", IIT (Delhi)
[8] "Information Technology Act 2000", Government of India
[9] Government of Gujarat Industries and Mines Department, "Introduction of E-Procurement System in all the Government Departments and Heads of Department, Boards, Corporations of the State Government, Nigams and Societies under the administrative control of the State Government and which are funded by the Government", 2006