ensuring integrity in e-procurement systems

Copyright© Jitendra Kohli – ElectronicTender.com (India) Pvt Ltd.

No part of this presentation should be reproduced without the prior written permission of the copyright owners

Ensuring Integrity in

e-Procurement Systems (Some Issues and Possible Solutions)

Presentation at eBF (Czech Republic, 6th Nov. 2014)

by Jitendra Kohli (Managing Director – ElectronicTender)

In varied ways, the ‘Guiding Principles of Public-Procurement’ in every country talk of the same fundamental qualities–

Efficiency, Economy and ABOVE ALL -- Integrity, Probity, Transparency, Accountability, Fairness, Equitable Treatment of all, etc…

The Challenge is to TRANSPOSE the ‘High-level Principles’ into ‘Practical Procedures’ and ENSURE ‘Honest implementation’ of such procedures

Distinctive Aspects of Procurement by Government Organizations (ie Public-Procurement)

Since e-Procurement is still in a nascent phase globally, it is important for Vigilance and Regulatory authorities in various countries to appreciate that perceived benefits of e-Procurement (especially those relating to -- enhanced Confidentiality, Transparency, Accountability and Integrity are closely dependent on the design and functionality of the e-Procurement system in question

Therefore, unless proactive efforts are made to regulate e-Procurement through appropriate guidelines/ rules of operation, malpractices of traditional paper-based public procurement may continue in e-Procurement, perhaps even on a larger scale

Introduction and Objective of the Presentation

IF the Overall Objective is to enhance ‘Transparency’ and ‘Efficiency’ of the Public Procurement process

THEN to achieve the above objective, e-Procurement should be better than the manual tendering process in respect of ‘Security’ and ‘Transparency’, or at least as good. It should not be worse than the manual process

For this, the well established practices of manual tendering (especially those relating to ‘Security/ Confidentiality’, ‘Fairness’ and ‘Transparency ‘ should have at least equally good equivalents in the electronic version

Since every new technology has its own set of intrinsic problems/ loopholes, it is important to have a brief overview of these issues, especially those relating to ‘Security’ and ‘Transparency’, so that we can appreciate the ‘loopholes’, and then appropriately harness the new technology

Overall Objective of Introducing e-Procurement

To USE Technology for Checking

Corruption (ie enhancing Integrity) , it is

equally important to understand how

Technology can be MISUSED for

indulging in Corruption



Some Critical Security and Transparency

Issues and Loopholes relating to

‘e-Procurement Web-Application’

(#1) The weakest link in a chain determines its overall strength – An old saying

(# 2) Security solutions have ‘Situational’ or ‘Contextual’ relevance. A security solution which is good enough for one situation, may be counterproductive in another

(# 3) A good ‘Security Strategy’ should also take into cognizance the ‘Non-Obvious’ routes of attack

(#4) ‘Internal Threats’ are quite often more important than ‘External Threats’

Four Guiding Principles of Security (General)

Four Aspects for ensuring Information Security/ Data Protection in an e-Tendering Web-Application

(# 1) Authentication and Integrity of Electronic Records/

Documents Digitally sign all important Electronic Records in a web-application and provide

facility for verification Eg, in case of e-tendering apart from ‘Bids’, other important electronic records

should also be signed, eg – Tender Notices, Corrigenda, Tender Documents, Addenda, et al (Ref: s-85B2(b) of the IT Act 2000)

[some related aspects covered under Red Flag #4 of IPPC5 Paper II.6]

(# 2) Ensure Strong User Authentication and Authorization Features in the Web-Application In high security application like e-tendering, just a conventional ‘User Id’ and

‘Password’ may not be enough Conventional ‘Forgot Password’ feature will not suffice Important to have proper administrative hierarchy and activity-wise

authorization structure within the application

Illustration of Compromise in Security and Accountability without a proper Virtual

Administrative Hierarchy and Comprehensive Role-Authorization in

an e-Procurement System

Four Aspects for ensuring Information Security/ Data Protection in an e-Tendering Web-Application (# 3) Prevent Unauthorized Delegation (Abdication) of

Powers Guard against Unauthorized Delegation (Abdication) of Powers of a Government

Officer to the personnel of an e-Tendering portal Service Provider In an e-tendering system this may happen due to – * lack of proper administrative hierarchy and authorization structure within the

application [some related aspects covered under Red Flag #6 of IPPC5 Paper II.6]

(Example: If ‘50 senior and junior officers’ from ‘4 different departments’ of a Govt Buyer-organization are shouldering responsibility of different activities of various tenders in that organization, a situation should not arise in the e-tendering scenario where due to limitation of the e-tendering system, these departments and officers are not able to themselves execute their duly assigned roles as in the manual process, and are constrained to re-assign/ abdicate their roles and responsibilities to a few tech-savvy technicians or the personnel of the service-provider of the e-tendering system. Similarly, there should not be any such constraint/ limitation for Supplier organizations also.)

* Fear of new technology * Illegal handing over of the Private Key (PKI) of an officer to the service provider’s

personnel [Violation of s-42. (1) of the IT Act 2000); para 3(b) of Article-6 of UN Model law]

(Remedy) e-Procurement systems should have provision for creating a proper virtual administrative hierarchy with full security features at both the Buyer-end, as well as, Supplier-end


(# 4) Study the Situational or Contextual relevance of a security solution

Some examples …

Illustration of a Situational Aspect of Security with relevance to e-Procurement



(Example-1 contd …) A security feature, ‘Locking of an Account due to incorrect

authentication’, which is good enough for a mobile phone would be counterproductive in an e-tendering scenario

E-Tendering systems having feature of Locking an Account in case of multiple authentication failures scan be a boon for the tender-mafia in preventing competitors from submitting bids



(Example-2) ‘PKI based encryption of a document’ which is good enough for

secure e-mail communication (or dispatch of a small file) between two persons (sender and the final recipient) , would be counterproductive for bid-encryption and submission in an e-tendering scenario for Government organizations

Some Security Loopholes and other Drawbacks in e-Tendering Systems

where Public-Key of the Tender-Opening Officer(s), or the service provider’s personnel, is used for Bid-encryption

(Some specific points are presented in the next few slides)

Drawbacks of PKI based Bid Encryption

Animation Sample process showing how a Clandestine Copy of a Bid encrypted with

‘Public Key’ of TO-officer can be siphoned off, and decrypted outside the System

The Alleged White House Party Crashers


E-Tendering systems where final Encryption of a bid is done using PKI: This is

inadvisable from multiple angles:

In case Public-key of a TO-officer (Tender Opening Officer) is used, it reveals the identity of the officer making him prone to being influenced

A Clandestine Copy of a Bid encrypted with ‘Public Key’ of TO-officer can be siphoned off, and decrypted outside the System (This can be done irrespective of whether the encryption was done at Client-end or Server-end (Pictorial Representation with slide-show is given in the previous slide)

In case the nominated TO-officer is absent, the TOE (Tender Opening Event) will have to be suspended. Alternatively, his ‘Private Key or Digital Signature Certificate token (DSC-token)’ will have to be handed over to another person which would be a compromise and illegal

Related References:

• Section 6.7 of the Final Report of the e-Tendering Expert Group (e-TEG) appointed by the European Commission, states – “…this approach does not offer complete assurance against malicious activities…”

• Section 2.0 (Annexure-I) of DIT-Guidelines dtd 31st August 2011 highlights such security concerns

• Some related aspects covered under Red Flag # 1 of IPPC5 Paper II.6


Inadvisable for such files as per standard international books on

Cryptography (applicable irrespective of whether PKI of TO-officer or PKI of bidder is used)

Note: A typical online bid is expected to be large (consisting of ‘Online Forms’ and related ‘Detailed-Bids’) files as attachments. An e-tendering system which does not allow submission of ‘Detailed-Bids’ (eg Detailed Technical Bid) is anyway incomplete and a compromise.

[some related aspects covered under Red Flag #3 of IPPC5 Paper II.6]

PKI based encrypted Data is vulnerable to ‘Chosen Plaintext Attack’

(In this case connivance of the tender-opening officers is not required for decrypting the clandestinely stolen copy of the encrypted bid)

o If spyware is embedded physically in the server, connivance of only service provider’s administrator is required

o If spyware is injected remotely, even the above mentioned connivance is not required

Drawbacks of PKI based Bid Encryption [Reference Document-3 of IPPC5 Paper

II.6] ()

Drawbacks of PKI based Bid Encryption ()

Drawbacks of PKI based Bid Encryption ()

Symmetric Key Length Public-Key Key Length

56 bits 384 bits

64 bits 512 bits

80 bits 768 bits

112 bits 1792 bits

128 bits 2304 bits

Symmetric and Public-Key Key-Lengths with Similar Resistances to Brute-Force Attacks

Source: Applied Cryptography, Page 166, Table 7.9


(# 4) Study the Situational or Contextual relevance of a security

solution

(Example-3) Drawbacks of Bid Encryption at Database Level [some related aspects covered under Red Flag #1 of IPPC5 Paper II.6]

In e-Tendering Systems where Encryption of Bids is done at the Database-level (and only SSL encryption is done during transit from a bidder’s system), the possibility of data theft is high:

A copy of the bid can be made just before encryption at the database level and its storage (Software programs may be designed or surreptitiously embedded for this purpose)

Note: If the bid is encrypted at database level, it does not make a difference whether the bid is encrypted with ‘PKI’ or ‘Symmetric key’.

Important: Section 3.0 (Annexure-I) of DIT-Guidelines dtd 31st August 2011 does not allow this approach



solution

(Example-4) Drawbacks of System-Generated Symmetric Key based Bid- Encryption [some related aspects covered under Red Flag #1 of IPPC5 Paper II.6 ]

Possibility of misuse by system-administrator exists in e-Procurement Systems where Encryption of Bids is done with system-generated symmetric-key



solution

(Remedy)

A Good Remedial Measure for various Bid-Encryption related Concerns: Use of a separate bidder-generated symmetric-key for encryption of each bid-part or bid-envelope. In addition, no bidder can point a finger at the Buyer for breach of bid-confidentiality)

IMPORTANT:

The e-Tendering Expert Group (e-TEG) appointed by European Union in its Final Report clearly mention that this method can ensure ‘Full Confidentiality’ in contradistinction to others.

DIT Guidelines (India) mention that this method has minimum security concerns.

Need for Secure and Transparent Online Public Tender Opening Event [some related aspects have been covered under Red Flag #2 of IPPC5

Paper II.6]

In most e-procurement systems, instead of ‘Online Public Tender Opening

Event’, there is only a rudimentary ‘Online Tender Opening’

Merely opening bids ‘online’, and then separately making them available for display to the bidders subsequently, and/ or from a different location/ screen (ie user interface) without the simultaneous online presence of bidders, does not fulfill the requirements of a proper and transparent online Public TOE

The transparency related significance of opening bids in ‘Public’, and carrying out various activities such as ‘countersigning’ of each opened bid by the TOE-officers in the simultaneous presence of the bidders has been given done away with

E-procurement systems where online TOE is conducted in this non-transparent fashion, without the simultaneous online presence of the bidders, gives rise to the possibility of bid-data tampering

Need for Secure and Transparent Online Public Tender Opening Event

A comprehensive and transparent Public Tender Opening Event is the ‘backbone of

transparency and fairness’ of the Public Procurement process, manual or electronic

Well established practices of manual tender opening (with legal and transparency related

significance) should have corresponding electronic equivalents

(Remedy)

Some relevant processes of a fair and transparent online public TOE should include:

Opening of the bids in the simultaneous online presence of the bidders with proper online

attendance record

Security Checks to assure bidders of non-tampering of their bids, et al during the online TOE

itself

One-by-one opening of the sealed bids in the simultaneous online presence of the bidders

Reading out, ie allowing bidders to download the electronic version of the salient points of

each opened bid

Procedure for seeking clarifications by the TOE officers during online Public TOE from a

bidder in the online presence of other bidders, and recording such clarifications

Digital counter-signing (by all the tender opening officers) of each opened bid, in the

simultaneous online presence of all participating bidders

Preparation of the ‘Minutes of the Tender Opening Event’ and its signing by the concerned

officers in the simultaneous online presence of the bidders…

In case of a Hybrid TOE, the Offline Bids should be opened first and

their salient points entered into the system. …

]

ANNEXURES

Drawbacks of PKI based Bid Encryption (Example of Use of Spyware for making clandestine copy of data)

DATAQUEST - April 30, 2011 - E-procurement: The Red Flags

Final Recommendations of the e-Tendering Expert

Group appointed by the European Commission



6.7 Confidentiality of Tenders Business problem/Objective: … … Mainstream approach: tenderers encrypt their tenders using public key cryptography and transmit the complete tenders to the platform. This method reasonably ensures that no one can access data transmitted before the submission deadline. In fact the process places the responsibility on the CA in charge of opening the tenders (tenders cannot be decrypted unless their private keys are used). However, this approach does not offer complete assurance against malicious activities as the decryption keys are within the CA organisation. Illegitimate copies of the tenders can in fact be produced and decrypted by unfaithful CA staff before the opening deadline. Recommendation: … … way to ensure full confidentiality is to use symmetric encryption, enforced via a tenderer generated key. The tender is transmitted in its entirety to the platform in a scrambled format and stays encrypted until a public opening date. On the public opening date, tenderers are invited to connect to the platform and remotely launch the decryption functionality with the key in their possession.



7 Opening of tenders

… …

Recommendation:

The platform must provide functionality to ensure that at least two separate users with

two different logins may unlock the tender box and decrypt the tenders. Public-key

cryptography should be used to guarantee the identity of authorised users in charge of

unlocking/decrypting the tenders. For top-level confidentiality assurance, the CA may

require that the tenders be encrypted with the symmetric key of the tenderer and keep

the tenders encrypted in the database until opening. If this is the mechanism chosen,

then the opening procedure is public event (see below, 7.3). Tenderers are in fact

required to take part in the process to enable opening of their own individual tenders

using their deciphering key.

e-Procurement Guidelines of the Indian Govt [Reference Document-2 of IPPC5 Paper II.6]

http://egovstandards.gov.in/guidelines/guidelines-for-e-procurement

‘e-Procurement Guidelines of DIT

http://egovstandards.gov.in/guidelines/guidelines-for-e-procurement



Summary of RED Flags in

e-Procurement (Int)

Red Flags in e-Procurement

(Red Flag No.1): In most e-procurement systems, the ‘Bid-

sealing/ Bid-encryption’ methodology is poor/ flawed. [Specifically, where PKI is used for bid-encryption, clandestine copies of bids can be stolen through

spyware and secretly decrypted before the Online Public Tender Opening Event, resulting in

compromise of confidentiality. Similarly, confidentiality can be compromised where the ‘main bid-

encryption’ is done at database level, and only SSL encryption is done during the transit phase from

bidder’s system to the e-procurement portal]

[Reference: Section 6.7 of the Final Report of the e-Tendering Expert Group (e-TEG)

appointed by the European Commission]

[Reference of corresponding sections of DIT Guidelines dtd 31st August 2011: Mainly Annexure-I

(section 2.0, and section 3.0). In addition, some parts of sections like 1.2, 3.1, etc and relevant

portions of Annexure-II, III, IV also have relationship with these issues]


(Red Flag No.2): In most e-procurement systems, instead of

‘Online Public Tender Opening Event’, there is only a rudimentary

‘Online Tender Opening’. [Merely opening bids ‘online’, and then separately making them available for display to the bidders

subsequently, and/ or from a different location/ screen (ie user interface) without the simultaneous

online presence of bidders, does not fulfill the requirements of a proper and transparent online Public

TOE. The transparency related significance of opening bids in ‘Public’, and carrying out various

activities such as ‘countersigning’ of each opened bid by the TOE-officers in the simultaneous presence

of the bidders has been given done away with. E-procurement systems where online TOE is

conducted in this non-transparent fashion, without the simultaneous online presence of the

bidders, gives rise to the possibility of bid-data tampering.]


(section 6.3), and also relevant portions in other sections of Annexure-I. In addition, relevant portions

of Annexure-II, III, IV also have relationship with these issues]


(Red Flag No.3): Most e-procurement systems, do not have the

functionality to accept ‘encrypted (ie sealed) detailed bids’.

[Some systems ‘do not encrypt the technical bid at all’, ie neither the electronic template of the

technical bid, nor the detailed technical bid. In such systems, typically ‘only summarized financial data

in electronic templates’ is encrypted. This is against the established practices of ensuring

confidentiality of technical bids.]

[Reference of corresponding sections of DIT Guidelines dtd 31st August 2011 : Mainly Annexure-I

(section 2.5), and also relevant portions in other sections of Annexure-I (eg 6.1, 6.2, etc). In addition,

relevant portions of Annexure-III, IV also have relationship with these issues.]

(Red Flag No.4): Many e-procurement systems do not have the

functionality for digital signing of important electronic records

which are part of the e-procurement application. [As a result, such e-procurement systems are not in full compliance of the IT Act 2000, and certain

guidelines of the CVC.]

[Reference of corresponding sections of DIT Guidelines dtd 31st August 2011 : Mainly Annexure-I

(section 6.), and also relevant portions in other sections of Annexure-I. In addition, some parts of

sections like 3.1, 4.1 etc, and relevant portions of Annexure-II, III, IV also have relationship with

these issues.]


(Red Flag No.5): In most e-procurement systems, functionality

of the e-tendering system is limited [eg all types of bidding

methodologies are not supported]. [In some cases only ‘single-stage-single-envelope’ bidding is supported. Similarly many systems do not

support the submission of ‘supplementary bids (viz modification, substitution and withdrawal)’ after final

submission, but before elapse of deadline for submission]. This is against the established practices

of manual tendering.]


(section 6.1), and also relevant portions in other sections of Annexure-I. In addition, some parts of

sections like 3.1, 4.1 etc, and relevant portions of Annexure-II, III, IV also have relationship with

these issues.]


(Red Flag No.6): Many e-procurement systems are such that it

results in abdication of powers of the concerned officers of the

Government Purchase department. [Furthermore, in some situations it results in handing over the private-keys (PKI) of the concerned officers

to others, which is a violation of s-42(1) of the IT Act.]


(section 5.), and also relevant portions in other sections of Annexure-I. In addition, some parts of

sections like 4.1 etc, and relevant portions of Annexure- II, III, IV also have relationship with these

issues.]

(Allied Red Flag No. i): Diluting the Focus on Security,

Transparency and Functionality of the core e-Procurement system by

diverting attention to Integration with Backend ERP/ other Financial

Systems


(Allied Red Flag No. ii) Misconceptions and Myths about

Certification/ Testing Security Tests like Cert-In, STQC, OWASP … etc are useful but not sufficient

[The above tests are general in nature, and do have anything specific to address the intricacies of e-

procurement. Regulatory Authorities in each country should formulate comprehensive guidelines/

regulations for checking the intricacies of e-procurement, and have certifying bodies for testing/ certifying

various e-procurement systems being offered in the country for compliance with such guidelines]

(Customization invalidates any previous Certification) If e-procurement software is customized for each

project, the above mentioned general security tests performed on some previous version of the software,

lose their relevance)

Information for accessing the Paper titled, ‘Red Flags in e-Procurement, and Some remedial Measures’

Presented by Jitendra Kohli at the International Public Procurement Conference (IPPC5)

held at Seattle, USA, in August 2012

URL: http://www.ippa.org/IPPC5/Proceedings/Part2/Paper2-6.pdf

Other Useful References: - Final Report of the e-Tendering Expert Group (eTEG) issued in 2013 (especially section 6.7 relating to Bid Confidentiality) - Guidelines on e-Procurement issued by the Department of Information Technology (Government of India) on 31st August 2011

Jitendra Kohli

[email protected]

LinkedIn: http://in.linkedin.com/in/jitendrakohli

mailto:[email protected]

http://in.linkedin.com/in/jitendrakohli