The government of Malaysia has been recently trying to improve on its delivery of services to the people. One such improvement that it has made is in the reducing of waiting hours for the renewal of a passport from two hours to only an hour. However according to the article on the Malaysian Insider dated May 10, this objective was met by increasing the number of staff at their main officers in Putrajaya and Kuala Lumpur. This solution does not solve the problem of long waiting hours endured by the people in other parts of the country nor does it expedite the renewal process at embassies abroad. It also burdens the government since hiring new staff will cost more and reduce efficiency.
Another solution that has been provided by the immigration department is to set up a kiosk at their premises. Applicants are then required to place a photograph in an envelope, and have their identity card and old passport read before making various selections on an ATM like machine. The applicant is then given a receipt that will be used when collecting the new passport. This solution is also not all encompassing since it only solves the problems faced by the immigration department and not the citizens. Citizens are still required to travel twice to the immigration offices.
Rationale
Therefore in order to solve most of the limitations present in the existing system, an online based solution is proposed. Based on this system the applicant will only have to be present at the immigration offices once and that would be to collect and pay for the new passport.
The project aims to create a secure website that will allow the user to apply for the renewal of their passport. The application is designed to be used from any internet equipped location thus allowing user to renew their passports from the comfort of their home or at a workstation in the immigration office.
Nature of challenge
The most challenging part of this project will be the implementation of an encryption algorithm that is to be used when there is a transfer of confidential information from the client to the server. Before this is achieved, there will be a need to understand the different concepts of cryptography and the suitability of using an existing encryption algorithm or a modified version. This decision is one of the many that will have to be made after in-depth research into the level of security, vulnerabilities and performance issues of the various algorithms. Another area of challenge is the testing of this system in order to determine its effectiveness. In order to do so, simulated attacks will have to be launched on the developed system. These attacks will include but not limited to packet sniffing and password cracking. Simulating and documenting these attacks will require a certain degree of technical knowhow.
C.
Brief description of project objectives.
(i.e. scope of proposal and deliverables)
The Malaysia Secured Online Passport Renewal System (MySOPReS) will provide users with the ability to apply for a renewal of passport online. This would mean that the system will not encompasses the process of creating the new passport nor will it accept payment for the new passport. It will basically allows the user to be identified and logged in before allowing him or her to upload a new photograph, check and update any information that is likely to have changed (such as the height of the person), and finally the system will allow the user to choose the number of pages and other aspects of his new passport. The process ends with the user receiving a receipt which is to be printed and shown at the collection counter when collecting the new passport.
In order to ensure that the entire system is secured, techniques such as session's management, cryptography, exception and parameter management will be used in addition to input validation, authentication and authorization.
The core functions of the system will be able to achieve the following:
Allow for users to login and logout from the system
Allow for users to view, edit or input existing or new information for the purposes of renewing a passport.
Allow users to submit the application and receive feedback from the system.
Allow for encrypted data to be decrypted and displayed to the user.
The additional features on this project will include:
Allow for users to acquire a login ID and password via SMS or email.
Allow users to change their passwords, secret questions and retrieve lost passwords.
Allow for admin to login to the system.
The special features that maybe added to the system includes:
Allow for the hiding of information on to the passport sized photo before it is transferred to the server side.
The system might also have a auditing and logging function that will allow for the monitoring of the website usage.
D.
Brief description of the resources needed by the proposal.
(i.e. hardware, software, access to information / expertise, user involvement etc.)
Hardware
The development of this system will require a single workstation with the following specification:
Desktop/Laptop - Intel Core 2 Duo Processor,2 GB Ram,40GB HDD
Printer
Modem/Router (Internet Connection)
Software
The software that will be used in the development of the system may include but are not limited to:
Website and Database development tools:
Visual Studio 2008
SQL Server 2008
Other technical development tools
VMWare
Wireshark, Airsnort
Cain and Abel
Documentation Tools
Microsoft Office 2007 (Microsoft Word, Project & Power Point)
Edraw Max
Access to information
Expertise & User Involvement
In order to complete the project I will need to consult various members of the public that will be using this system. This would include various citizens who apply for a renewal of passport for business and leisure purposes and citizens of Malaysia who are living and working abroad and are required to renew their passports at the embassy. Other than that I will also have to consult IT experts who are experienced in developing secured web application. Apart from that there may also be a need to interview personnel from the immigration department so as to find out about the various aspects of the passport renewal system.
E.
Academic research being carried out and other information, techniques being learnt.
(i.e. what are the names of books you are going to read / data sets you are going to use)
Below are a preliminary list of books that will be reviewed for the development of this system:
Michael Cross. (2007). Developer's Guide To Web Application Security. Rockland: Syngress.
Peter Wayner (2009). Disappearing Cryptography: Information Hiding: Steganography & Watermarking. Amsterdam: Morgan Kaufmann.
C.J. Date With Hugh Darwen (1997). A Guide To The SQL Standard : A User's Guide To The Standard Database Language SQL. 4th Ed. Reading: Addison Wesley.
Donny Mack, Doug Seven (2002). Programming Data-Driven Web Applications With Asp.Net . United States: Sams.
Online Review
http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf
http://www.cgisecurity.com/pen-test/Auditing-and-Securing-Web-enabled-Applications.pdf
F.
Brief description of the development plan for the proposed project.
(i.e. which software methodology and why, the major areas of functions to be developed and the order in which developed)
Methodology
Based upon the type of system that is going to be developed, the waterfall model will be software methodology used in the development of this system. This is because a security centric system like the MySOPReS will require a lengthy design and documentation period so as to inspire confidence in its implementation. There is no need to rush the delivery of this project as it is not for commercial use and furthermore there is already an existing system in place. An approach like waterfall should be used so that future enhancements to the project can be easily carried out since there is adequate documentation. The waterfall model is also appropriate since this project will have a strong emphasis on planning, schedules and target dates which cannot be extended.
The system will be divided into major areas of functions. This would include the logging in module, the website interface, the database and the encryption module. The website and database will be developed concurrently before they are joined together while the logging in module and encryption module will be done later.
G.
Brief description of the evaluation and test plan for the proposed project.
(i.e. what is the success criteria and how will be evaluated & implementation will be tested, indicate the estimated size of the demonstration/test database)
Success Criteria
The success of the project will depend on the level of security that is implemented on the system in order to deter attackers from gaining access and stealing information. In order to achieve this, both the login module and encryption of the data must be able to deter attacks to a certain extend.
Testing
