Design and Implementation of a Secure Scheme for the C/S Mode E-Government System

“…Another similar work in the same year was proposed by Feng [15], but instead of a centralised CA and a directorymanaged escrow, a client-server architecture was proposed to authenticate and validate users. In this architecture, users are required to provide a certificate to prove identity along with their private key.…”

“…Furthermore, even though they provide session control based on access requests [2] [15], there is no way of preventing unauthorised access to the backend using the proposed models, unless audit trails are set on the database, and direct login requests to the back-end are detected.…”

“…In conclusion, considering the restrictions in adopting a directory-like structure for access control on eGovernment services, and the limitations regarding certificate management for every citizen, both certificate-based access control models for authentication [2] [15] are not scalable. Moreover, none of the proposed models solves the lack of evidence and audit trails in databases that are accessed without authorisation, which hinders the possibility to carry out effective digital investigations.…”

“…As analysed in section II, the Client-Server model proposed by Feng [15] provides access control based on two elements of authentication: the user certificate and the private key. Considering that, in PKI, key management involves distribution and revocation [17], the latter is simple as any compromised key needs to be revoked once from the directory and the escrow.…”

“…Hence, credentials in transit over the Internet are protected during SSL Handshake. 2) A centralised Authentication Service (AS): deployed into a SSL protected Web Server to provide one entry point for user registration and user authentication, as suggested by Zhong [2] and Feng [15]. However, a security measure is implemented using an algorithm for adding a salt to the password [19] before hashing and storing it [20] into the Application Database Server.…”

An authentication and auditing architecture for enhancing security on egovernment services

“…Another similar work in the same year was proposed by Feng [15], but instead of a centralised CA and a directorymanaged escrow, a client-server architecture was proposed to authenticate and validate users. In this architecture, users are required to provide a certificate to prove identity along with their private key.…”

“…Furthermore, even though they provide session control based on access requests [2] [15], there is no way of preventing unauthorised access to the backend using the proposed models, unless audit trails are set on the database, and direct login requests to the back-end are detected.…”

“…In conclusion, considering the restrictions in adopting a directory-like structure for access control on eGovernment services, and the limitations regarding certificate management for every citizen, both certificate-based access control models for authentication [2] [15] are not scalable. Moreover, none of the proposed models solves the lack of evidence and audit trails in databases that are accessed without authorisation, which hinders the possibility to carry out effective digital investigations.…”

“…As analysed in section II, the Client-Server model proposed by Feng [15] provides access control based on two elements of authentication: the user certificate and the private key. Considering that, in PKI, key management involves distribution and revocation [17], the latter is simple as any compromised key needs to be revoked once from the directory and the escrow.…”

“…Hence, credentials in transit over the Internet are protected during SSL Handshake. 2) A centralised Authentication Service (AS): deployed into a SSL protected Web Server to provide one entry point for user registration and user authentication, as suggested by Zhong [2] and Feng [15]. However, a security measure is implemented using an algorithm for adding a salt to the password [19] before hashing and storing it [20] into the Application Database Server.…”

An authentication and auditing architecture for enhancing security on egovernment services