TÜBİTAK BİLGEM Developing PKI Technology in Turkey

Issue 71 - November 2016

Information, giving its name to our era, is one of the major sources of prosperity which determines the future and welfare of nations. Today, strategic information is an invaluable national asset for the developed countries which is under threat and it must be protected. As the technology evolves information has penetrated every facet of daily life, and its security has become a very important subject for daily life. All of the major nations which have achieved economic and technological independence in addition to their administrative and military independence, are trying to eliminate dependency in this important area, and they are developing their national solutions to overcome the information security threats. Owning critical technologies and solving the problems related to national security independently are two main targets for the countries so that they can achieve a safe, wealthy future.  E-government solutions for faster, easy and reliable administrative, judicial and social processes can be developed on a solid, stable information security infrastructure.

Authentication, authorization, confidentiality, integrity and non-repudiation are the major security requirements for e-government projects and can be provided by Public Key Infrastructure (PKI) technology. An electronic certificate is a kind of digital id for a person, an organization or a device. Since it is signed by a trusted authority, it is forgery resistant and can be digitally verified. Basically, a certificate contains the owners name, serial number, validity period, cryptographic public key and the digital signature of the issuing Certification Authority (CA). Electronic certificates can be used for generating signature and encryption purposes in order to achieve the aforementioned security services.

National Public Key Infrastructure (MA3) project has started at TÜBİTAK BİLGEM in the early 2000’s. Under this project, ESYA (Electronic Certificate Management Infrastructure) PKI CA Software, KERMEN PKI Client and ESYA E-Signature Libraries have been developed. ESYA 2.0 is the only PKI CA software in Turkey and among several in the world which has received Common Criteria (CC) EAL+4 certificate conformant to CIMC Protection Profile. ESYA CA, which has been deployed in Government Certification Center, and in many other public, private companies, is being used to issue millions of e-certificates for the major e-government projects in Turkey such as National ID Card, National Judiciary Informatics System, E-Invoice, E-Archive, E-Registry, Online Cash Register, E-Prescription, E-Official Correspondence and E-Customs etc. More than 70.000 computers are running KERMEN for secure desktop and messaging purposes.  ESYA E-Signature Libraries are secure, reliable implementations of ETSI CAdES/XAdES/PAdES/ASiC standards which have been tested with many other libraries in the interoperability tests worldwide, named ETSI Plug Tests. These libraries, which can be downloaded and freely used, are the keystones for these e-government projects 

The MA3 project team in TÜBİTAK BİLGEM is not only developing PKI products, but also preparing Certificate, CRL, OCSP, E-Signature profiles to be used within Turkey. These profiles are guidelines to CA’s and software vendors in order to provide interoperability and a true path to walk on. As an ETSI member, TÜBİTAK BİLGEM is contributing to the development of e-signature standards in the Electronic Signature Infrastructure Working Group, and as a technical expert representing Turkish Armed Forces, contributing to the development of NATO PKI Certification Policy in the NATO PKI Advisory Group.

The benefit to Turkey from the e-Government projects is invaluable. At a short glance to give a few examples, in the Ministry of Justice, the processes speed up incredibly, the dispatch of a court order used to take sometimes a week from Gebze to İstanbul, and it is now it is completed in seconds. The Ministry has saved millions just due to the decrease in paper and mailing costs. The Turkish Revenue Administration (RA) is an e-government champion with the projects e-invoice, e-registry, e-archive and online cash registers. With e-Invoice, the companies have to send their e-signed invoices to the recipients via RA. Banks can also access to the invoices online. As a result, all invoices can be checked, money flow can be controlled and the income of the companies is readily available. With e-Registry, companies are using e-signature to sign their financial records. Formerly some large companies, such as telecommunication companies, were building big warehouses to store these records, since legally they have to keep these papers for 20 years. They were spending huge amounts on notaries’ approval of these records. By e-Registry, after signing and time stamping these records, they are sending some part of it to RA and they no longer need to store the hardcopies. Online cash registers are preventing the fraud by using e-signature, and giving RA the opportunity to inspect all the transactions.

These successful products are gaining the attention of a wide range of countries from Europe to Middle Asia and the Gulf Region. It is an important goal for TÜBİTAK BİLGEM and its business partners to introduce these assets worldwide. Mr. Orhan Muratoğlu, Vice President of TÜBİTAK BİLGEM for Business Development, emphasizes the importance of this issue as “TÜBİTAK BİLGEM is playing a major role  by facilitating the e-government projects with the efforts spent on PKI. Turkey is one of the several countries in the world which is designing its own smartcard chip, developing its operating system and building a PKI system on top of it. We carry the honor of sharing our expertise with all ally countries.”