E-Procurement on Indian Railways

1
E-Procurement on Indian Railways
Strategy, Scope and Digital Security
2
Indian Railway
  • Indian Railways, the world's second largest
    railway, carries 11 million passengers each day,
    on 8520 trains departing from 7000 stations.
  • TOTAL TRACK KM: 108706
  • ROUTE KM: 64000
  • DIESEL LOCOMOTIVES: 4700 NO
  • ELECTRIC LOCOMOTIVES: 3000 NO
  • FREIGHT WAGONS: 2,22,150 No
  • PASSENGER COACHES: 43,750 No
  • NO OF EMPLOYEES: 1.5 MILLION.

3
Purchases
  • Indian Railways
  • Annual Turnover > Rs. 44,000 Crore.
  • Annual purchases > Rs. 11,000 Crore. Annual
    Works > Rs. 11,000 Crore.
  • Purchases made through process of competitive
    bidding.
  • High value purchase only through Open tender system.

4
Purpose Definition
  • E-procurement application shall provide a common
    platform using a secured Web site where the buyer
    and the sellers can participate in the
    procurement process in a fair and transparent
    manner.
  • The e-procurement system shall be governed by
    the security features as provided under the Indian
    I.T. Act 2000.

5
Phases For EGP
  • Phase I. Information outflow: tenders and
    contracts; search, view, download. High trust
    level, low security needs.
  • Phase II. Online offer submission. Participation.
  • Trust level low, high level of digital security.
  • Phase III. Online evaluation of commercial
    offers, online access. Contract management.
  • Needs high level of digital security.
  • Phase IV. Online decision making, contract
    performance tracking (e-purchase).
  • Application dependent, high security needs.

6
Digital Trust Tools
  • Identity authentication: Digital signatures.
  • Protection of integrity: Digital verification.
  • Confidentiality: Digital encryption.
  • Public key infrastructure (PKI) enabled data
    encryption / decryption.
  • Storage security: Digital archive.
  • Dispute resolution: Digital notarization.
  • Online payments: Payment gateway.
  • Record keeping: Digital time stamping.
  • Intrusion protection: Firewalls and I.D.S.

7
Scope of work
  • The scope of work includes:
  • Uploading of tender notices and tender documents
    online on a secured website with digital
    signatures.
  • Submission of digitally signed electronic bids
    for data integrity, authenticity,
    non-repudiation, and confidentiality.
  • Pre-designed tender forms for submission of
    offers online.

8
Security features
  • Introduction of Digital signatures for
    e-transactions.
      - Digital certificate obtained from
        agencies approved by Govt. of India.
  • Introduction of Public Key Infrastructure for
    data encryption/decryption.
  • Time stamp by certifying agency.
  • 128-bit S.S.L. (Secure Sockets Layer) for secured
    data transmission.

9
Digital certification
  • Standard algorithm support (MD5/RSA).
  • PKI (min. key length to be 1024 bits.)
  • Asymmetric and symmetric encryption.
  • Payment gateway Internet banking.
  • Vendor logs in through valid user I.D. and password.
  • On successful payment transaction a unique
    payment I.D. is created for the vendor.

10
Payment gateway
[Diagram labels: CA, Internet, NR (authenticate users), Suppliers, website link, Payment Gateway, credit cards, Bank]
11
Other features
  • Time-locking of electronic tender box.
  • Opening with Secured digital permission (private
    key).
  • Online Tabulation Statement of electronically
    received bids.
  • Online access to Tabulation Statement after
    tender opening.
  • Contract amendment uploading.
  • Contract performance

12
Basic digital certificate
[Diagram: certificate fields: Version, Serial number, Signature algorithm, Issuer name, Validity period, Subject name, Subject public key, Issuer's signature]
13
Example of End User Certificate
14
Public Key Encryption
[Diagram labels: Bid document, Ciphertext]
  • A sends confidential data to B, knowing that only
    B can decrypt what is sent.
  • A encrypts with B's public key (openly available).
  • B decrypts with his own private key (kept secret).

15
Digital Signature With A Message Digest
16
Digital Encryption
  • Digital encryption of data/message can be done
    at two levels.
  • Symmetric encryption
  • Asymmetric encryption
  • 1. Online encryption using form data
  • 2. Offline encryption using file data
  • Digital signing can be done online using form
    data and also offline using file data.

17
Digital Decryption
  • The digital decryption components can be at
    the buyer's server level (server resident).
  • These can be invoked at the buyer's client level
    from remote locations.
  • For increased security it is suggested that
    digital decryption should be done at client level
    only, seeking the digital permission of authorized
    persons only.

18
Digital Signature file
    <!DOCTYPE Envelope [
      <!ENTITY ds 'http://www.w3.org/2000/09/xmldsig#'>
      <!ENTITY c14n 'http://www.w3.org/TR/2001/REC-xml-c14n-20010315'>
      <!ENTITY enveloped 'http://www.w3.org/2000/09/xmldsig#enveloped-signature'>
      <!ENTITY xslt 'http://www.w3.org/TR/1999/REC-xslt-19991116'>
      <!ENTITY digest 'http://www.w3.org/2000/09/xmldsig#sha1'>
    ]>
    <DigitalSignature>
      <FILEDATA></FILEDATA>
      <Indicator>
      <ds:Signature xmlns:ds="&ds;">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="">
            <ds:Transforms>
              <ds:Transform Algorithm="&enveloped;"></ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="&digest;"/>
            <ds:DigestValue>zi/eDhucx85kRRM6f61ghf/PYE</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>[base64 signature value omitted]</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Certificate xmlns="http://www.w3.org/2000/09/xmldsig#">
              [base64 certificate data omitted; the slide text ends inside this element]
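
A receiving server can check which algorithms a submitted signature file declares before it trusts the signature. The following is an added example, not part of the original presentation: element names follow the file on this slide, while the sample envelope, the function name `audit_signature` and the policy of rejecting MD5- and SHA-1-based algorithms are assumptions of the example.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WEAK = ("md5", "sha1")  # assumed local policy: reject MD5- and SHA-1-based algorithms

# Constructed sample in the shape of the slide's envelope; values are placeholders.
SAMPLE = f"""<DigitalSignature><FILEDATA>constructed bid</FILEDATA>
<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<ds:SignatureMethod Algorithm="{DS}rsa-sha1"/>
<ds:Reference URI=""><ds:Transforms>
<ds:Transform Algorithm="{DS}enveloped-signature"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="{DS}sha1"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
</ds:Signature></DigitalSignature>"""


def audit_signature(xml_text):
    """Return policy findings for one signed envelope (empty list = pass)."""
    root = ET.fromstring(xml_text)
    sigs = list(root.iter(f"{{{DS}}}Signature"))
    if len(sigs) != 1:
        # Zero or several signatures: refuse rather than guess which one counts.
        return [f"expected exactly one ds:Signature, found {len(sigs)}"]
    findings = []
    for tag in ("SignatureMethod", "DigestMethod"):
        for el in sigs[0].iter(f"{{{DS}}}{tag}"):
            name = el.get("Algorithm", "").rsplit("#", 1)[-1].lower()
            if not name:
                findings.append(f"{tag}: missing Algorithm")
            elif any(w in name for w in WEAK):
                findings.append(f"{tag}: weak algorithm {name}")
    refs = list(sigs[0].iter(f"{{{DS}}}Reference"))
    if not refs:
        findings.append("no ds:Reference, so nothing is covered by the signature")
    for ref in refs:
        transforms = [t.get("Algorithm", "") for t in ref.iter(f"{{{DS}}}Transform")]
        # URI="" signs the whole document, which contains the signature itself.
        if ref.get("URI") == "" and not any(
                t.endswith("#enveloped-signature") for t in transforms):
            findings.append('Reference URI="" lacks the enveloped-signature transform')
    return findings
```

This audits only the declared algorithms and structure; it does not verify the signature value itself.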

19
Data encryption stages
  • Stage i: hash; digital signature (private key)
  • Stage ii: encryption of message by session key
  • Stage iii: encryption of session key with
    rly. public key.

[Diagram labels: Encrypted hash, Bid, Encrypted bid, Rly]
20
(No Transcript)
21
Digital sig. P.K.I
  • These shall ensure:
  • Authentication: Digital certificate of sender
    attached with each bid document.
  • Integrity protection: By hash check using the
    same one-way hash function and the sender's
    public key.
  • Authorization: Only Rly's authorized persons can
    decrypt and open the e-tender box.
  • Security: Decryption not possible without
    digital permission.
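
The three stages on slide 19 and the checks listed on this slide, as an added example that is not part of the original presentation. It assumes the third-party `cryptography` package, uses hypothetical function names (`seal_bid`, `open_bid`), and substitutes SHA-256, 2048-bit RSA and AES-GCM for the MD5 and 1024-bit minimum listed on slide 9.

```python
# Added example; requires the third-party "cryptography" package (assumption).
import os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()),
                  salt_length=padding.PSS.MAX_LENGTH)
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def seal_bid(bid, vendor_private_key, railway_public_key):
    """Vendor side: stage i (sign), stage ii (encrypt bid), stage iii (wrap key)."""
    signature = vendor_private_key.sign(bid, PSS, hashes.SHA256())
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, bid, None)
    wrapped_key = railway_public_key.encrypt(session_key, OAEP)
    return {"signature": signature, "nonce": nonce,
            "ciphertext": ciphertext, "wrapped_key": wrapped_key}


def open_bid(envelope, railway_private_key, vendor_public_key):
    """Railway side at tender opening: unwrap key, decrypt, verify the signer."""
    session_key = railway_private_key.decrypt(envelope["wrapped_key"], OAEP)
    bid = AESGCM(session_key).decrypt(
        envelope["nonce"], envelope["ciphertext"], None)
    try:
        vendor_public_key.verify(envelope["signature"], bid, PSS, hashes.SHA256())
    except InvalidSignature:
        return None  # not signed by this vendor, or altered after signing
    return bid


def demo():
    """Round trip with constructed keys and a constructed bid."""
    vendor = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    railway = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    bid = b"Constructed bid: item 42, rate Rs. 100 per unit"
    envelope = seal_bid(bid, vendor, railway.public_key())
    opened = open_bid(envelope, railway, vendor.public_key())
    wrong_signer = open_bid(envelope, railway, other.public_key())
    return opened == bid, wrong_signer is None
```

Only the holder of the railway private key can recover the session key, which is the "digital permission" the slide refers to; the signature check then ties the decrypted bid to the vendor's certificate.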

22
Time stamp Digital notarization
  • Notarization agency digitally signs the time
    stamp and notarizes the document (using hash)
    with private key.
  • A Digital HTML Time Stamping Receipt is sent back
    to the sender for storage and records.
  • Receiver can verify integrity of message with
    notarizing agency any time later.

23
[Diagram labels: Users, Notarization, Tendering Org., Administrator, Digital Receipt with Time Stamp; steps numbered 2 to 6]
24
Digital Archive
  • Digital Archive is a database stored in originally
    encrypted form.
  • Data recovery permitted only with digital
    permission of authorized user.
  • Ensures data security and integrity.
  • Recommended for sensitive applications such as
    EGP.

25
Process flow chart
[Flow chart labels: Create tender notice, Attach tender document, Attach corrigendum, Upload Tender, Free download, Vendor Registration, Digital signature, encrypt, SUBMIT BID, Digital signature, Notarize, Time stamp, HTML receipt, E-TENDER BOX]
26
post tender opening work flow
[Flow chart labels: E-TENDER BOX, Time lock, Decrypt With PKI, Decrypt and Open, Upload, Generate Tabulation, View online, Store archive, CONTRACT, Notarize]
27
Graph on Time scale in R. A.
28
Issues involved
  • Following issues need to be addressed:
  • Inter-operability of digital security tools needs
    to be addressed.
  • No well laid down mechanism to attach proof of
    digital signatures on files after decryption.
  • Difficult to secure printed copies of offers.
  • Electronic submission of documents such as
    partnership deeds, authorisation certificates,
    bank statements, income tax returns etc. which
    need authentication by public notary will still
    need to be submitted manually.

29
Issues involved
  • Difficult to mix manual offers along with
    electronic bids.
  • Participation by foreign suppliers: the I.T. Act
    permits digital certificates issued only in
    India.
  • Difficulties in operating EPS for Advertised
    tenders. Low trust level.
  • Dispute resolving mechanism on electronic
    transactions is yet to evolve in India.
  • Industry is yet to show enhanced level of trust in
    EGP.

30

Thank you
By A.K.Goel C.M.M. N Rly