Philippine National Public Key Infrastructure (PNPKI)
Public Key Infrastructure (PKI) allows users of public networks like the Internet to exchange data securely and privately. PKI is essentially a set of hardware, software, policies, personnel and procedures needed to create, manage, distribute, use, store and revoke digital certificates. Data security through the PKI is an essential component of the E-Government Master Plan and the Integrated Government Philippines (iGovPhil) Program. The PKI is one of the core services being offered by the iGovPhil program and will foster trust in the government by ensuring secure and reliable online transactions.
All government online applications stand to benefit from the use of the PKI and this ultimately improves service delivery of the government to its citizens. At the heart of the PKI is the concept of digital certificates. These certificates are very small files that can be stored on your computer, an ordinary flash drive or USB token. Through the use of certificates issued and digitally signed by a Certificate Authority (CA), the PKI ensures that the sender of data is indeed the source and that the said data has not been tampered with in transit. PKI can be used to encrypt data such as email or online transactions.
PKI will also be an integral part of iGovPhil applications, such as the Online Payment Gateway System, National Archive Records and Management System (NARMIS) and Government-Wide Email System (GovMail), that will require secure communication and encryption. If your agency uses email to communicate with other agencies and the public, or has online transactions with the public or has plans to do so, then you need PKI. Among the applications that use PKI are:
- Authentication in Web applications
- Electronic Documents and Forms Signing
- Virtual Private Networks (VPNs)
- Wireless Networks
- Email and Instant Messaging
Some applications, such as email, are fairly easy to configure to integrate with PKI and only require users to register and receive their digital certificates. More complicated applications, such as those for online transactions, would require some development time. Eventually, digital certificates will be issued to private individuals to facilitate transactions with government as well as to secure their personal electronic communication. While the iGovPhil Program is already hard at work to churn out applications that take advantage of the PKI, there is still much to be done. Wouldn’t it be nice if we could file our income tax returns online, bid on government procurement proceedings, apply for loans, and pay our taxes in the convenience of our home, knowing full well that our transactions are secure and tamper-proof? All these applications require the PKI and it is only a matter of time before they become a reality.
WHO CAN AVAIL
- Government agencies and personnel
- Private individuals
- Government computers, servers and machines
- Vastly improves verifiable identification of an individual or entity
Passwords are often, if not exclusively, used to authorize access to computer systems and applications. A password, even if it has a 10-character length, only provides 80 bits of security, and inconvenient discipline must be imposed on users so the passwords they choose are not easily breached. A Digital Certificate issued by the PKI will have, at minimum, a 2048-bit system-generated key to further ensure user identity. This is actually an oversimplified comparison since the complex computations add significant obstacles to those who would compromise a Digital Certificate.
- Digital Certificates give data sufficient integrity for acceptance as evidence in a court of law
The U.S., Canada, Korea, Singapore and Malaysia, to name a few, already have laws, as does the Philippines, which provide the legal framework for legally recognizing digitally signed data as proper evidence for courts. This allows a document in digital form to be signed as if it were a paper document. Moreover, the “signing” also makes the document tamperproof since the smallest change (1-bit) will be detected upon verification.
- Provides significant protection against unauthorized access of common communications
The government already relies on ICTs and this is increasing. ICTs, however, cannot be secured by traditional methods because of their very nature. Encryption methods being used are not regulated. Moreover, the use of ICTs by criminals and enemies of the state all the more requires that legitimate users employ similar if not better technologies to keep ahead.
To put the PKI’s 4096-bit capability into perspective, Wi-Fi at most can use a 14-character or 96-bit “password” by which to encrypt traffic.