
    Federated identity architecture of the european eID system

    Federated identity management is a method that facilitates the management of identity processes and policies among collaborating entities without centralized control. Nowadays there are many federated identity solutions; however, most of them cover different aspects of the identification problem, in some cases solving only specific problems. Thus, none of these initiatives has consolidated as a unique solution, and it will surely remain like that in the near future. To assist users in choosing a possible solution, we analyze different federated identity approaches, showing their main features and making a comparative study among them. The former problem is even worse when multiple organizations or countries already have legacy eID systems, as is the case in Europe. In this paper, we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in the mid term to company eIDs as well. The system is now being deployed at the EU level; we present its basic architecture and evaluate its performance and scalability, showing that the solution is feasible from the point of view of performance while keeping security constraints in mind. The results show good performance of the solution in local, organizational, and remote environments.

    EVALUASI PENERAPAN SINGLE SIGN-ON SAML DAN OAUTH 2.0: STUDI PADA PERGURUAN TINGGI YOGYAKARTA (Evaluation of SAML and OAuth 2.0 Single Sign-On Implementations: A Study of Higher Education Institutions in Yogyakarta)

    In deciding on an effective Single Sign-On (SSO) strategy, higher education institutions need to understand the benefits of SSO, identify the organization's specific needs, and choose a protocol that will meet those needs. The contribution of this study is an analysis of the effectiveness of SSO implementations based on the SAML and OAuth 2.0 protocols at higher education institutions in Yogyakarta. The research steps comprised data collection, followed by an analysis of the SAML and OAuth 2.0 implementations against relevant references. Data were collected through a literature review, observation of the institutions' official website domains, a survey, and interviews with 22 respondents from 17 university IT centers. The survey and interviews revealed protocol misapplication at 7 institutions that integrate native (desktop-based/mobile-based) applications and IoT devices using SAML, and misapplication of OAuth 2.0 at 2 institutions. The analysis shows that several institutions have not yet implemented SSO effectively. Although 60% of the institutions claim to have researched their choice of SSO protocol, in practice SSO deployments were still found that actually add to the complexity of the problems they were meant to solve. Keywords: evaluation, oauth 2.0, higher education, saml, single sign-on

    The Review of Non-Technical Assumptions in Digital Identity Architectures

    The literature on digital identity management systems (IdM) is abundant, and solutions vary by technology components and non-technical requirements. In the long run, however, there is a need for exchanging identities across domains or even borders, which requires interoperable solutions and flexible architectures. This article aims to give an overview of the current research on digital identity management. We conduct a systematic literature review of digital identity solution architectures and extract their inherent non-technical assumptions. The findings show that solution designs can be based on organizational, business and trust assumptions as well as human-user assumptions: namely, that trust relationships and collaborations among participating organizations can be established, that human users are capable of maintaining private cryptographic material, or that win-win business models can easily be identified. By reviewing the key findings of the proposed solutions and looking at the differences and commonalities of their technical, organizational and social requirements, we discuss their potential real-life inhibitors and identify opportunities for future research in IdM.

    Electronic identification for universities: Building cross-border services based on the eIDAS infrastructure

    The European Union (EU) Regulation 910/2014 on electronic IDentification, Authentication, and trust Services (eIDAS) for electronic transactions in the internal market went into effect on 29 September 2018, meaning that EU Member States are required to recognize the electronic identities issued in the countries that have notified their eID schemes. Technically speaking, a unified interoperability platform, named the eIDAS infrastructure, has been set up to connect the EU countries' national eID schemes, allowing a person to authenticate in their home EU country when accessing services provided by an eIDAS-enabled Service Provider (SP) in another EU country. The eIDAS infrastructure transfers authentication requests and responses back and forth between its nodes, transporting basic attributes about a person, e.g., name, surname, date of birth, and a so-called eIDAS identifier. However, to build new eIDAS-enabled services in specific domains, additional attributes are needed. We describe our approach to retrieving and transporting new attributes through the eIDAS infrastructure, and we detail their exploitation in a selected set of academic services. First, we describe the definition of, and the support for, the additional attributes in the eIDAS nodes. We then present a solution for retrieving them from our university. Finally, we detail the design, implementation, and installation of two eIDAS-enabled academic services at our university: eRegistration in the Erasmus student exchange program and a Login facility with national eIDs on the university portal.
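    The abstract above describes the eIDAS response as a carrier for a small set of basic person attributes plus SP-defined additional ones. The Python block below is an added example, not code from this paper or from the eIDAS node software: it shows what a Service Provider has to do on the receiving side, namely parse the SAML attribute statement with namespace-aware XPath, accept attribute names only from an allowlist, refuse a response that lacks the mandatory natural-person minimum data set, and decompose the eIDAS PersonIdentifier into its issuer/destination/unique-id parts. The four `naturalperson` attribute URIs are those of the eIDAS SAML Attribute Profile; the `StudentIdentifier` attribute, its `example.edu` namespace, and the whole sample response are constructed for this example. Signature verification, `InResponseTo`, audience and validity-window checks are assumed to have been done before this code runs.

```python
"""Extract and validate the eIDAS natural-person minimum data set
(plus allowlisted SP-specific extras) from a SAML Response.

Added example; the SAML Response below is constructed by hand.
Assumes the response signature and conditions were already verified.
"""
import datetime
import xml.etree.ElementTree as ET  # use defusedxml in production for untrusted XML

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

EIDAS_NP = "http://eidas.europa.eu/attributes/naturalperson/"
# Mandatory minimum data set for a natural person (eIDAS SAML Attribute Profile).
MANDATORY = {
    EIDAS_NP + "PersonIdentifier": "person_identifier",
    EIDAS_NP + "CurrentFamilyName": "family_name",
    EIDAS_NP + "CurrentGivenName": "given_name",
    EIDAS_NP + "DateOfBirth": "date_of_birth",
}
# Assumed SP-specific additional attribute; NOT an eIDAS-defined URI.
EXTRA = {"http://example.edu/attributes/StudentIdentifier": "student_id"}
ALLOWED = {**MANDATORY, **EXTRA}

# Constructed sample. The unknown "Nickname" attribute is there to show that
# anything outside the allowlist is dropped rather than trusted.
SAMPLE_RESPONSE = b"""<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier">
        <saml2:AttributeValue>ES/IT/12345678A</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/CurrentFamilyName">
        <saml2:AttributeValue>Garcia</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/CurrentGivenName">
        <saml2:AttributeValue>Ana</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/DateOfBirth">
        <saml2:AttributeValue>1998-04-23</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://example.edu/attributes/StudentIdentifier">
        <saml2:AttributeValue>s123456</saml2:AttributeValue>
      </saml2:Attribute>
      <saml2:Attribute Name="http://example.edu/attributes/Nickname">
        <saml2:AttributeValue>admin</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


class EidasAttributeError(ValueError):
    """Raised when the attribute statement cannot be accepted."""


def extract_attributes(response_xml: bytes) -> dict:
    """Return allowlisted attributes keyed by local name; reject an incomplete data set."""
    root = ET.fromstring(response_xml)
    found = {}
    path = ".//saml2:Assertion/saml2:AttributeStatement/saml2:Attribute"
    for attr in root.iterfind(path, NS):
        name = attr.get("Name")
        if name not in ALLOWED:
            continue  # never map attribute names the SP did not ask for
        values = [v.text.strip() for v in attr.iterfind("saml2:AttributeValue", NS) if v.text]
        if len(values) != 1:
            raise EidasAttributeError(f"expected exactly one value for {name}, got {len(values)}")
        key = ALLOWED[name]
        if key in found:
            raise EidasAttributeError(f"attribute {name} repeated")
        found[key] = values[0]
    missing = [k for k in MANDATORY.values() if k not in found]
    if missing:
        raise EidasAttributeError(f"minimum data set incomplete, missing {missing}")
    # DateOfBirth is an xsd:date; reject anything that is not YYYY-MM-DD.
    datetime.date.fromisoformat(found["date_of_birth"])
    return found


def parse_person_identifier(pid: str) -> dict:
    """Split '<issuing country>/<destination country>/<unique id>' into its parts."""
    parts = pid.split("/", 2)
    if len(parts) != 3 or not all(parts):
        raise EidasAttributeError(f"malformed PersonIdentifier {pid!r}")
    for cc in parts[:2]:
        if len(cc) != 2 or not cc.isalpha() or not cc.isupper():
            raise EidasAttributeError(f"bad country code {cc!r} in {pid!r}")
    return {"issuer": parts[0], "destination": parts[1], "id": parts[2]}


if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_RESPONSE)
    print(attrs, parse_person_identifier(attrs["person_identifier"]))
```

    The allowlist is the point worth keeping from this example: an SP that maps whatever attribute names arrive into its own user model lets the remote node (or anything that can inject into the assertion) choose which fields get populated. Checking for the destination country in the PersonIdentifier also lets the SP confirm that the identifier was minted for it and not replayed from another SP's session.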

    Providing Login and Wi-Fi Access Services With the eIDAS Network: A Practical Approach

    The digital identity (or electronic identity) of a person is about being able to prove, upon authentication, who one is on the Internet with a certain level of assurance, such as by means of attributes obtained from a trustworthy Identity Provider. In Europe, the eIDAS Network allows citizens to authenticate securely with their national credentials and to provide such personal attributes when accessing Service Providers in a different European country. Although the eIDAS Network is increasingly well known, its integration with real operational services is still at an initial phase. This paper presents two eIDAS-enabled services, Login with eIDAS and Wi-Fi access with eIDAS, that we have designed, implemented, deployed, and validated at the Politecnico di Torino in Italy. The validation study involved several undergraduate students, who ran the above services with their own authentication credentials and platforms and with minimal guidance on their usage. The results indicate that the services were beneficial. Several advantages exist both for the users and for the Service Providers, such as resistance to some security attacks and the possibility of adopting the service without prior user registration (e.g., for short meetings, or in public places). However, some students expressed doubts about using their national eID for Wi-Fi access, mainly in connection with usability and privacy issues. We also discuss these concerns, along with the advantages and disadvantages of the proposed services.

    Electronic identity services as sociotechnical and political-economic constructs

    Electronic identification services (eIDs) have become strategic services in the global governance of online societies. In this article, we argue that eIDs are sociotechnical constructs that also have political-economic dimensions. In the European context, governmental and corporate efforts to develop eIDs are shaped by EU legal frameworks, which are almost exclusively focused on technical and legal interoperability, such as the European Interoperability Framework (EIF) and the European Interoperability Reference Architecture (EIRA). Public concerns such as privacy, security, user empowerment and control over one's personal information prompt developers to propose a decentralized, attribute-based system governed on a nonprofit, nonstate basis (DAN-eID). To illustrate our argument, we explore a single emerging eID system (IRMA, an acronym for I Reveal My Attributes) that is developing in a national context (The Netherlands). We argue that developing eIDs requires more than engineering ingenuity and legal compliance; as sociotechnical and political-economic constructs, they involve the negotiation of conflicting social and political values.

    Improving key exchange protocols based on sender and receiver electronic identification documents

    The subject of this doctoral dissertation is an examination of current problems related to the concepts of cryptographic key exchange and user authentication in systems for secret communication. The work analyzes existing solutions in this research area and develops its own system for secret communication. The scientific goal of the dissertation is the improvement of protocols for cryptographic key exchange based on personal identification documents. An analysis of existing approaches in the research area was carried out with the aim of improving the level of protection during secret communication and obtaining a basis for the development of our own system. By combining cryptographic methods that provide confidentiality, authenticity and integrity with steganographic methods for exchanging information in a hidden way, users of the proposed system are given the ability to exchange secret messages efficiently and securely. Analysis of the research results led to the conclusion that the use of personal identification documents for exchanging the cryptographic keys used in secret communication is justified.