Strong Electronic Identification: Survey & Scenario Planning

The deployment of more high-risk services such as online banking and government services on the Internet has meant that the need and demand for strong electronic identity is bigger today more than ever. Different stakeholders have different reasons for moving their services to the Internet, including cost savings, being closer to the customer or citizen, increasing volume and value of services among others. This means that traditional online identification schemes based on self-asserted identities are no longer sufficient to cope with the required level of assurance demanded by these services. Therefore, strong electronic identification methods that utilize identifiers rooted in real world identities must be provided to be used by customers and citizens alike on the Internet. This thesis focuses on studying state-of-the-art methods for providing reliable and mass market strong electronic identity in the world today. It looks at concrete real-world examples that enable real world identities to be transferred and used in the virtual world of the Internet. The thesis identifies crucial factors that determine what constitutes a strong electronic identity solution and through these factors evaluates and compares the example solutions surveyed in the thesis. As the Internet become more pervasive in our lives; mobile devices are becoming the primary devices for communication and accessing Internet services. This has thus, raised the question of what sort of strong electronic identity solutions could be implemented and how such solutions could adapt to the future. To help to understand the possible alternate futures, a scenario planning and analysis method was used to develop a series of scenarios from underlying key economic, political, technological and social trends and uncertainties. The resulting three future scenarios indicate how the future of strong electronic identity will shape up with the aim of helping stakeholders contemplate the future and develop policies and strategies to better position themselves for the future

Strong Electronic Identification: Survey & Scenario Planning

The deployment of more high-risk services such as online banking and government services on the Internet has meant that the need and demand for strong electronic identity is bigger today more than ever. Different stakeholders have different reasons for moving their services to the Internet, including cost savings, being closer to the customer or citizen, increasing volume and value of services among others. This means that traditional online identification schemes based on self-asserted identities are no longer sufficient to cope with the required level of assurance demanded by these services. Therefore, strong electronic identification methods that utilize identifiers rooted in real world identities must be provided to be used by customers and citizens alike on the Internet. This thesis focuses on studying state-of-the-art methods for providing reliable and mass market strong electronic identity in the world today. It looks at concrete real-world examples that enable real world identities to be transferred and used in the virtual world of the Internet. The thesis identifies crucial factors that determine what constitutes a strong electronic identity solution and through these factors evaluates and compares the example solutions surveyed in the thesis. As the Internet become more pervasive in our lives; mobile devices are becoming the primary devices for communication and accessing Internet services. This has thus, raised the question of what sort of strong electronic identity solutions could be implemented and how such solutions could adapt to the future. To help to understand the possible alternate futures, a scenario planning and analysis method was used to develop a series of scenarios from underlying key economic, political, technological and social trends and uncertainties. The resulting three future scenarios indicate how the future of strong electronic identity will shape up with the aim of helping stakeholders contemplate the future and develop policies and strategies to better position themselves for the future

NFC Security Solution for Web Applications

Töö eesmärgiks on võrrelda erinevaid eksisteerivaid veebirakenduste turvalahendusi, analüüsida NFC sobivust turvalahenduste loomiseks ning pakkuda välja uus NFC autentimise ja signeerimise lahendus läbi Google Cloud Messaging teenuse ja NFC Java Card’i. Autori pakutud lahendus võimaldab kasutajal ennast autentida ja signeerida läbi NFC mobiiliseadme ja NFC Java Card’i, nõudmata kasutajalt eraldi kaardilugejat. Antud lahendust on võimalik kasutada kui ühtset kasutajatuvastamise viisi erinevatele rakendustele, ilma lisaarenduseta.This thesis compares existing and possible security solutions for web applications, analyses NFC compatibility for security solutions and proposes a new NFC authentication and signing solution using Google Cloud Messaging service and NFC Java Card. This new proposed solution enables authentication and signing via NFC enabled mobile phone and NFC Java Card without any additional readers or efforts to be made. This smart card solution can be used within multiple applications and gives the possibility to use same authentication solution within different applications

Eesti elektrooniline ID-kaart ja selle turvaväljakutsed

Eesti elektrooniline isikutunnistust (ID-kaart) on üle 18 aasta pakkunud turvalist elektroonilist identiteeti Eesti kodanikele. Avaliku võtme krüptograafia ja kaardile talletatud privaatvõti võimaldavad ID-kaardi omanikel juurde pääseda e-teenustele, anda juriidilist jõudu omavaid digiallkirju ning elektrooniliselt hääletada. Käesolevas töös uuritakse põhjalikult Eesti ID-kaarti ning sellega seotud turvaväljakutseid. Me kirjeldame Eesti ID-kaarti ja selle ökosüsteemi, seotud osapooli ja protsesse, ID-kaardi elektroonilist baasfunktsionaalsust, seotud tehnilisi ja juriidilisi kontseptsioone ning muid seotud küsimusi. Me tutvustame kõiki kasutatud kiipkaardiplatforme ja nende abil väljastatud isikutunnistuste tüüpe. Iga platformi kohta esitame me detailse analüüsi kasutatava asümmeetrilise krüptograafia funktsionaalsusest ning kirjeldame ja analüüsime ID-kaardi kauguuendamise lahendusi. Lisaks esitame me süstemaatilise uurimuse ID-kaardiga seotud turvaintsidentidest ning muudest sarnastest probleemidest läbi aastate. Me kirjeldame probleemide tehnilist olemust, kasutatud leevendusmeetmeid ning kajastust ajakirjanduses. Käesoleva uurimustöö käigus avastati mitmeid varem teadmata olevaid turvaprobleeme ning teavitati nendest seotud osapooli. Käesolev töö põhineb avalikult kättesaadaval dokumentatsioonil, kogutud ID-kaartide sertifikaatide andmebaasil, ajakirjandusel,otsesuhtlusel seotud osapooltega ning töö autori analüüsil ja eksperimentidel.For more than 18 years, the Estonian electronic identity card (ID card) has provided a secure electronic identity for Estonian residents. The public-key cryptography and private keys stored on the card enable Estonian ID card holders to access e-services, give legally binding digital signatures and even cast an i-vote in national elections. This work provides a comprehensive study on the Estonian ID card and its security challenges. We introduce the Estonian ID card and its ecosystem by describing the involved parties and processes, the core electronic functionality of the ID card, related technical and legal concepts, and the related issues. We describe the ID card smart card chip platforms used over the years and the identity document types that have been issued using these platforms. We present a detailed analysis of the asymmetric cryptography functionality provided by each ID card platform and present a description and security analysis of the ID card remote update solutions that have been provided for each ID card platform. As yet another contribution of this work, we present a systematic study of security incidents and similar issues the Estonian ID card has experienced over the years. We describe the technical nature of the issue, mitigation measures applied and the reflections on the media. In the course of this research, several previously unknown security issues were discovered and reported to the involved parties. The research has been based on publicly available documentation, collection of ID card certificates in circulation, information reflected in media, information from the involved parties, and our own analysis and experiments performed in the field.https://www.ester.ee/record=b541416

Data Ingredients: smart disclosure and open government data as complementary tools to meet policy objectives. The case of energy efficiency.

Open government data are considered a key asset for eGovernment. One could argue that governments can influence other types of data disclosure, as potential ingredients of innovative services. To discuss this assumption, we took the example of the U.S. 'Green Button' initiative – based on the disclosure of energy consumption data to each user – and analysed 36 energy-oriented digital services reusing these and other data, in order to highlight their set of inputs. We find that apps suggesting to a user a more efficient consumption behaviour also benefit from average retail electricity cost/price information; that energy efficiency 'scoring' apps also need, at least, structured and updated information on buildings performance; and that value-added services that derive insights from consumption data frequently rely on average energy consumption information. More in general, most of the surveyed services combine consumption data, open government data, and corporate data. When setting sector-specific agendas grounded on data disclosure, public agencies should therefore consider (contributing) to make available all three layers of information. No widely acknowledged initiatives of energy consumption data disclosure to users are being implemented in the EU. Moreover, browsing EU data portals and websites of public agencies, we find that other key data ingredients are not supplied (or, at least, not as open data), leaving room for possible improvements in this arena

Robust Efficiency Evaluation of NextCloud and GoogleCloud

Cloud storage services such as GoogleCloud and NextCloud have become increasingly popular among Internet users and businesses. Despite the many encrypted file cloud systems being implemented worldwide today for different purposes, we are still faced with the problem of their usage, security, and performance. Although some cloud storage solutions are very efficient in communication across different clients, others are better in file encryption, such as images, videos, and text files. Therefore, it is evident that the efficiency of these algorithms varies based on the purpose and type of encryption and compression. This paper focuses on the comparative analysis of NextCloud with composed end-to-end solutions that use both an unencrypted cloud storage and an encrypted solution. In this paper, we measured the network use, file output size, and computation time of given workloads for two different services to thoroughly evaluate the efficiency of NextCloud and GoogleCloud. Our findings concluded that there is similar network usage and synchronization time. However, GoogleCloud had more CPU utilization than NextCloud. On the other hand, NextCloud had a longer delay when uploading files to their cloud service. Our experimental results show that the evaluation model is considered robust if its output and forecasts are consistently accurate, even if one or more of the input variables or assumptions are drastically changed due to unforeseen circumstances

Building Trust Networks

The common agreement in the industry is that the Public Key Infrastructure is complex and expensive. From the year 1976 with the introduction of public key cryptography and the introduction of PKI concept in 1977 a lot of scientific resources has been spent on creation of usable key exchange systems and concepts to build trust networks. Most EU Member States have implemented their own national Public Key Infrastructure solutions mainly to enable strong authentication of citizens. They are however not the only systems within the EU to utilize PKI. Due to the nature of the PKI it is most convenient or suitable in an environment with stakeholders with similar agendas. This has resulted in several new PKI developments for specific purposes, within one industry or one vertical such as healthcare. Some Member States have tried to incorporate vertical needs with an all-purpose PKI solution, such as the Austrian eID card with so called sector specific certificates (http://ec.europa.eu/idabc/en/document/4486/5584). From the CIA (Confidentiality, Integrity, Availability) triangle public key cryptography provides confidentiality and integrity. The modern world however has more requirements in environments where sensitive information is being exchanged. It is not enough to know identity of the entity trying to access the information, but to also know the entity permissions or privileges regarding the requested resource. The authorization process grants the user specific permissions to e.g. access, modify or delete resources. A pure PKI does not allow us to build complex authorization policies, and therefore some of the Member States have built (authentication and) authorization solutions on top of existing authentication infrastructures, especially in the eGovernment sector. The scientific community has also tried to solve this issue by creating extensions to the basic PKI concept, and some of these concepts have been successful. Another problem with large scales systems is the key distribution. Managing a large number of keys using a central solution such as PKI has proven to be problematic in certain conditions. Either there are tradeoffs in security, or problems with application support. The last issue deals with public key cryptography itself. Current cryptography relies on the fact that it provides enough security based on availability of the resources, i.e. computational power. New approaches have been introduced both scientifically and commercially by moving away from the mathematics to other areas such as quantum mechanics. This paper is a quick review on some of the existing systems and their benefits and inherent challenges as well as a short introduction to new developments in the areas of authentication, authorization and key distribution.JRC.G.6-Security technology assessmen

Analysis and evaluation of security developments in electronic payment methods

This master thesis with the name "Analysis and Evaluation of Security Developments in Electronic Payment Methods," aims to make a compendium of the technologies and standards used on today's payment card transactions since there is no such compendium available today. This thesis also evaluates the security of the technologies used and the amount of effort required by merchants for the compliance of the Payment Card Industry Data Security Standard (PCI DSS). With the results of these evaluations, it was possible to make recommendations to the merchants using payment cards as a form of payment and to the manufacturers of payment cards. Recommendations that its intention is to increase the security of the card payment transactions