Past Issues of Government Technology

Secure Signatures

Illinois hits an important benchmark by issuing its 100,000th digital certificate.

by / March 5, 2007 0
Illinois celebrated its 100,000th digital certificate issued through the state's public key infrastructure (PKI) platform in January 2007, and was the first state to reach the milestone. As of February 2007, the number grew to 102,000 digital certificates, with the state averaging 2,000 new certificates a month.

In 2006, the Illinois had 3.7 million PKI logins to its Web site -- an increase of more than 1 million from the previous year.


Efficient Infrastructure
"The governor has a big push to increase efficiency within the state, with the idea of do more with less, to reduce the amount of documentation and the amount of time it takes for citizens to interact with government," said Tony Daniels, deputy director of the Illinois Bureau of Communication and Computer Services -- a de-facto CIO position in a state that doesn't have an official CIO. "The use of PKI certificates is one of those things that helps us ensure security, but also shorten cycle times when you have to interact with the government."

The Digital Signature/Public Key Infrastructure Project allows stronger information security for both government and its citizens. It makes electronic government more convenient for citizens, but it is also a more efficient use of state funding and easier for agencies to manage.

The state uses Entrust Authority to provide encryption, digital signature and authentication capabilities for services to citizens and government entities. Illinois uses a common credential, known as a "digital ID," that enables citizens, businesses and state employees to securely and privately exchange data over the Internet.

By using the PKI, Illinois residents can view and even sign sensitive documents digitally, eliminating the need for multiple PINs, passwords or encryption keys.

To obtain a digital ID, users register online by providing information from drivers' licenses or state-issued identification cards. The PKI system crosschecks the data with state records for security purposes, and then issues a "digital ID," which citizens, businesses and state employees can use for multiple applications.

Once the digital ID authenticates citizens, they can receive personalized electronic services and forms that can be digitally signed, and they can also send or receive sensitive information in an encrypted format to protect privacy while interacting with any participating government entity.

"Obviously you can't sign a computer screen, but what you can do is enter your digital signature, so the confirmation information that is encoded including the date, Social Security number and all those things that go into creating a digital signature," Daniels said. "You can then literally sign documents, and it's accepted to be as good as you actually printing out a piece of paper and signing it in your own handwriting."

The PKI also establishes audit trails needed for electronic transactions, which is equivalent to -- or even better than -- paper trails. The result saves time, money and even the environment, because it dramatically reduces paper waste, Daniels said.


Root Cause
The Illinois PKI officially began in January 2001, with a "Root Key Generation" ceremony, which established Illinois' private signing key under very high security. The PKI encryption provides privacy protection and is difficult for intruders to infiltrate.

"Even if their personal information is compromised, that would not be sufficient to circumvent the system," Daniels said. "It's a much stricter standard and higher level of security that can be applied on a document-by-document basis."

TaxNet is one online service offered to Illinois businesses that takes advantage of the PKI platform by allowing employers to electronically file unemployment insurance tax, wage reports and state withholding forms.

More than 40 Illinois state agencies have adopted the PKI infrastructure and have built more than 100 applications that serve citizens, businesses and government agencies. State agencies that use the PKI include the Illinois Department of Central Management Services, the Department on Aging, the Department of Agriculture, the Board of Higher Education, Healthcare and Family Services, Human Services and Employment Security.

Other agencies that take advantage of the PKI system include Northwestern University, Northern Illinois University, Illinois State University, the city of Rock Island, the village of Palatine, and the city of Schaumburg.

In December 2003, Illinois broadened its PKI scope by becoming the first state to cross-certify with the Federal Bridge Certification Authority (FBCA), which enables the certified digital IDs to be used for authentication to federal government applications. Before Illinois, the FBCA had never cross-certified with an external organization.

User education is the main obstacle that residents and government agencies face when using the services offered under the PKI platform, Daniels said. But with more than a 100,000 certificates issued, he added, the problem should soon solve itself.

"There is a pent-up demand for this kind of solution," Daniels said. "The bottom line is that our public key infrastructure allows citizens of Illinois to interact remotely with government in a streamlined fashion."
Chandler Harris Contributing Writer