912 research outputs found

    The State of the Electronic Identity Market: Technologies, Infrastructure, Services and Policies

    Authenticating onto systems, connecting to mobile networks and providing identity data to access services is common ground for most EU citizens; however, what is disruptive is that digital technologies fundamentally alter and upset the ways identity is managed, by people, companies and governments. Technological progress in cryptography, identity systems design, smart card design and mobile phone authentication has been developed as a convenient and reliable answer to the need for authentication. Yet these advances are not sufficient to satisfy the needs across people's many spheres of activity (work, leisure, health, social activities), nor have they been used to enable cross-border service implementation in the Single Digital Market, or to ensure trust in cross-border eCommerce. The study findings assert that the potentially great added value of eID technologies in enabling the Digital Economy has not yet been fulfilled, and fresh efforts are needed to build identification and authentication systems that people can live with, trust and use. The study finds that usability, minimum disclosure and portability, essential features of future systems, are at the margin of the market, and cross-country, cross-sector eID systems for business and public service are only in their infancy. This report joins up the dots, and provides significant exploratory evidence of the potential of eID for the Single Digital Market. A clear understanding of this market is crucial for policy action on identification and authentication, eSignature and interoperability.
    JRC.DDG.J.4-Information Societ

    BATTLE AGAINST PHISHING

    Phishing is a model problem for illustrating usability concerns of privacy and security because both system designers and attackers battle using user interfaces to guide (or misguide) users. There are two novel interaction techniques to prevent spoofing. First, our browser extension provides a trusted window in the browser dedicated to username and password entry. We use a photographic image to create a trusted path between the user and this window to prevent spoofing of the window and of the text entry fields. Second, our scheme allows the remote server to generate a unique abstract image for each user and each transaction. This image creates a "skin" that automatically customizes the browser window or the user interface elements in the content of a remote web page. Our extension allows the user's browser to independently compute the image that it expects to receive from the server. To authenticate content from the server, the user can visually verify that the images match. We contrast our work with existing anti-phishing proposals. In contrast to other proposals, our scheme places a very low burden on the user in terms of effort, memory and time. To authenticate himself the user has to recognize only one image and remember one low entropy password, no matter how many servers he wishes to interact with. To authenticate content from an authenticated server, the user only needs to perform one visual matching operation to compare two images. Furthermore, it places a high burden of effort on an attacker to spoof customized security indicators.

    Certificate polygamy: a matter of trust

    Master's thesis in Information Security, presented to the University of Lisbon through the Faculty of Sciences, 2011
    Access to services available on the Internet exposes users to various attacks, such as Man-in-the-Middle (MitM). Defenses against these attacks, such as mutual authentication through a Public Key Infrastructure (PKI), rely on complex infrastructures that users are not willing to use and support. The enormous acceptance of authentication methods known as "leap-of-faith" or "trust-on-first-use" (TOFU), used in common implementations of SSH and TLS/SSL, gives clear signs of users' predisposition to sacrifice security in favour of better usability. In fact, this is common behaviour in people's everyday lives. If someone presents themselves with only a business card, we will tend to trust its contents. We will only become suspicious if, later on, other identification is presented. In other words, we trust the first credentials presented. This topic has been addressed by solutions such as Perspectives, which provides SSH-style authentication with probing over multiple paths, as described in [1]. By observing and collecting the public keys seen over time by geographically dispersed servers, known as Notaries, Perspectives prevents many of the attacks possible in a TOFU scenario. A user can request the key history of a given service, compare it with the key offered in the current session, and with that history make a more informed decision about whether to accept a key that is not in the cache. However, Perspectives assumes one certificate per site, which is not a valid assumption in many cases. In that case, how can the user distinguish between an additional certificate introduced by the service being accessed and an attack situation, in which the certificate is being supplied by the attacker? This thesis addresses this topic of certificate polygamy by extending the Notaries' view in order to provide a consolidated view of several certificates. Additionally, we suggest changes to some Perspectives modules, namely the probing module, in order to deal with issues such as the existence of caching mechanisms coupled to services through the use of, for example, proxies.
    Users are vulnerable to attacks, such as the Man-in-the-Middle (MitM) attack, whenever they resort to services on the Internet. Common defenses for these attacks, like mutual authentication based, for example, on a Public Key Infrastructure (PKI), rely on complex infrastructures that users are unwilling to support. Huge acceptance of simple methods like Trust-on-first-use (TOFU, also known as "leap-of-faith" authentication), employed by popular implementations of SSH and TLS/SSL, clearly indicates that users are prepared to sacrifice security for the sake of low-cost and more usable solutions. Moreover, this is a behavior that users are familiar with. If one meets a person who hands over some credentials, such as a nickname, email address or even a business card, one will bind those credentials to that person in all future contacts, without initially asking for his or her ID. In other words, one trusts these credentials the first time they are seen, and then uses them in all future interactions with that person. This topic has been addressed previously in solutions like Perspectives, which provides SSH-style Host Authentication with Multi-Path Probing, as described in [1]. By observing and collecting the server's public keys over time, maintaining them in a set of geographically dispersed servers known as "Notaries", Perspectives thwarts many of the attacks that are possible in a TOFU scenario. A user can download such records on demand, comparing them with the current key provided by the site being accessed. Although not secure against all attacks, users can make a more educated decision on accepting or rejecting each certificate. However, Perspectives assumes one certificate per site, which is a false assumption in some cases. So, how can users differentiate between a distinct, legitimate certificate provided by the site, and a fake certificate provided by an attacker? This thesis addresses this certificate polygamy issue by enhancing the concept of the Notaries used in Perspectives, and provides a consistent view of a set of certificates to the user. Moreover, it suggests changes in modules like the probing module, to keep a clear and consistent observation of certificates, despite caching and reutilization made by components such as proxies. By allowing the user (or company policies) to fine-tune some configuration parameters, the proposed solution will provide different levels of confidence in the observed server's public keys, thus satisfying distinct levels of security or user proficiency.

    A comprehensive survey of V2X cybersecurity mechanisms and future research paths

    Recent advancements in vehicle-to-everything (V2X) communication have notably improved existing transport systems by enabling increased connectivity and driving autonomy levels. The remarkable benefits of V2X connectivity come inadvertently with challenges which involve security vulnerabilities and breaches. Addressing security concerns is essential for seamless and safe operation of mission-critical V2X use cases. This paper surveys current literature on V2X security and provides a systematic and comprehensive review of the most relevant security enhancements to date. An in-depth classification of V2X attacks is first performed according to key security and privacy requirements. Our methodology resumes with a taxonomy of security mechanisms based on their proactive/reactive defensive approach, which helps identify strengths and limitations of state-of-the-art countermeasures for V2X attacks. In addition, this paper delves into the potential of emerging security approaches leveraging artificial intelligence tools to meet security objectives. Promising data-driven solutions tailored to tackle security, privacy and trust issues are thoroughly discussed along with new threat vectors introduced inevitably by these enablers. The lessons learned from the detailed review of existing works are also compiled and highlighted. We conclude this survey with a structured synthesis of open challenges and future research directions to foster contributions in this prominent field.
    This work is supported by the H2020-INSPIRE-5Gplus project (under Grant agreement No. 871808), the "Ministerio de Asuntos Económicos y Transformacion Digital" and the European Union-NextGenerationEU in the frameworks of the "Plan de Recuperación, Transformación y Resiliencia" and of the "Mecanismo de Recuperación y Resiliencia" under references TSI-063000-2021-39/40/41, and the CHIST-ERA-17-BDSI-003 FIREMAN project funded by the Spanish National Foundation (Grant PCI2019-103780).
    Peer Reviewed
    Postprint (published version

    Cryptographic security mechanism of the next generation digital tachograph system

    JRC is in the process of evaluating the impact of the update of the cryptographic security mechanisms for the next generation Digital Tachograph. The purpose of this document is to give background information about the cryptographic security mechanisms and the vulnerabilities regarding the security mechanisms of the current Digital Tachograph System, along with suggestions for the next generation Digital Tachograph security mechanisms. This document can be referred to as an important reference to update the technical appendixes of the Tachograph regulation.
    JRC.G.7-Digital Citizen Securit

    Digital Identity Scheme

    Thesis (Master's) -- Seoul National University Graduate School: Graduate School of Public Administration, Global Public Administration Major, 2023. 2. Junki Kim.
    Digital identity refers to the attributes that uniquely differentiate an individual in interactions with digital services. Accordingly, a digital identity strategy is a well-designed collection of policies, technologies, organizations and processes that manage the digital identity lifecycle. It is an essential element of digital transformation and a key element for strengthening digital trust. In that context, this thesis aims to understand the difficulties of managing a digital identity scheme at the national level. The benefits of accurate, inclusive, secure and usable digital IDs are widely recognized by the public and private sectors, academia and international organizations. In addition, as social distancing measures and non-face-to-face transactions have increased with the global spread of COVID-19, we can see the advancement of digital authentication platforms developed by governments and companies. As a result, countries such as the Republic of Korea (hereinafter Korea) and Peru are developing and implementing different kinds of initiatives and platforms to increase the efficiency of identification and authentication processes by leveraging emerging technologies such as mobile phones, artificial intelligence, big data, interoperability and data centers. Accordingly, to date Korea has implemented Government24 (정부24) as the official e-government portal and Digital ONEPASS (디지털원패스) as a digital authentication platform, enabling non-face-to-face authentication of citizens, and the Resident Registration System (RRS) is also established as a core element of Korea's digital identity scheme. Similarly, in the case of Peru, the Digital Government Law was enacted in 2018 on the understanding that the existing e-government approach had transformed into the new paradigm of digital government, and that digital technology is no longer a technical matter but a political, legal and collaborative one. To strengthen digital identity, two digital platforms are being implemented: one is the citizen-oriented Single Digital Platform (GOB.PE), and the other is the National Platform for Digital Identity Verification and Authentication (ID). Both platforms are maintained and developed by the government. Although there are similarities between the policies of Korea and Peru, the results are different. In the E-Government Development Index (EDGI), Korea ranks 2nd in the world and Peru 71st; Korea has a digital authentication platform implemented, and Government24 uses a variety of authentication methods. Simple and convenient authentication methods for citizens such as ONE PASS, KAKAO and Samsung PASS are used. In addition, by 2021 the petitions received online through Government24 amounted to 132,025,035, and certificates and documents were printed directly by citizens on their own printers. In Peru's case, the digital identity strategy is an ongoing process led basically by the government, based on the public-sector digital identity framework regulated by the Digital Government Law. Therefore, this study focuses on how Korea's digital identity strategy is performing to strengthen the accuracy, inclusiveness, security and usability of individuals' digital identity. We will identify similarities and differences using a comparison framework adapted from the frameworks used by the United Nations and the Organisation for Economic Co-operation and Development (OECD). Conducting a comparative study of Korea and Peru is timely, because Peru can draw on the best practices and good lessons of Korea's digital identity scheme and design better policies and decisions. This study used a qualitative research method that generates an in-depth understanding of the digital identity schemes of both countries through online interviews with ICT experts from Korea and Peru. A total of ten experts were interviewed; the interviews provide an overview of the evolution of digital identity in Korea and Peru and allow the identification of challenges arising in the implementation of Peru's digital identity scheme. It was found that large differences appeared in three factors: strong and continuous digital leadership to support the development and delivery of digital public services, a timely legal framework, and modern ICT technology. However, the results also suggest that great achievements can be obtained in Peru if institutional arrangements are made, regulation is improved and the budget is optimized with the aim of creating a digital identity ecosystem. Keywords: digital identity, digital government, digital transformation, digital identity strategy
    Digital identity is the collection of attributes that uniquely differentiates a person in his interaction with digital services. The literature and previous research suggest that it is an essential component of the digital transformation and a vital element for strengthening digital trust. Currently, due to the worldwide spread of COVID-19, which has accelerated the digital transition in the public and private sector, non-face-to-face transactions have increased, coupled with cybercrimes such as identity theft, private data leakage, fraud, among other cybercrimes. In this sense, governments should become aware of the importance of digital identity management, because it is increasingly embedded in everything we do in our digital and offline life (WEF, Identity in the Digital World a new chapter in the social contract, 2018, p. 9). To deal with those issues and leverage all the potential of digital identity at the national level, many countries implement a Digital Identity Scheme, which is a well-designed and articulated collection of policies, business rules, technologies, organizations, and processes in charge of governing the digital identity lifecycle to promote a digital society. Hence, countries such as The Republic of Korea (hereinafter, Korea) and The Republic of Peru (hereinafter, Peru) have developed and implemented different kinds of policies, legal instruments, initiatives, and digital technologies to enhance accessibility, efficiency and security of the identification and authentication process. For instance, Korea has issued the Electronic Government Law and implemented cross-platforms such as Government24 (정부24) as the official electronic government portal, Digital ONEPASS (디지털원패스) as a digital authentication platform to enable convenient non-face-to-face authentication of citizens, the Resident Registration System (RRS) as a fundamental national information system which manages and stores relevant personal information of Koreans, and the Sharing Information System (행정정보공동이용시스템) as an interoperability platform to exchange information with governmental agencies. Moreover, Korea has a PKI Scheme which is divided into a National Public Key Infrastructure (NPKI) and a Government Public Key Infrastructure (GPKI). All these regulations, technologies and platforms are vital elements of the Korean Digital Identity Scheme. In the case of Peru, based on Law N° 26497 enacted in 1995, the government has been managing and maintaining the National Identification Registry of Peruvians. Moreover, since the issuance of the Digital Government Law in 2018, Peru has implemented different kinds of cross-platforms such as the Single Digital Platform for Citizen Orientation (GOB.PE), to offer one point of contact between government and citizens; the National Interoperability Platform, to promote information exchange among public entities; the National Digital Government Platform, to provide cloud services to public entities; and the National Platform for Identification and Authentication of Digital Identity (ID.GOB.PE), to verify a person's identity. Although there are similarities, the outcomes are different: in the Electronic Government Development Index 2022, Korea is ranked 3rd in the world, while Peru is ranked 59th. From another side, in terms of digital identity, Korea has a digital identity ecosystem operating; for instance, Government24 accepts several authentication methods which are easy and convenient for citizens, such as ONEPASS, KAKAO, Samsung PASS, among others (MOIS, Status of Government 24, 2022). To 2021, almost 132,025,035 petitions were filed online through Government24 (MOIS, Status of Government 24, 2022). In the case of Peru, the digital identity scheme is an ongoing project, which is led basically by the government, based on the Digital Government Law and its enforcement decree. In that vein, this research aims at understanding the components for governing and managing a Digital Identity Scheme in Korea and Peru and identifying the gap between them. Therefore, in this study we are going to focus on how the Digital Identity Scheme of Korea is performing to strengthen accuracy, inclusiveness, security, and usability of the digital identity of persons. We are going to establish the similarities and differences by using a comparison framework which is an adaptation of the frameworks used by the United Nations (UN), International Telecommunication Union (UIT) and Organization for Economic Cooperation and Development (OECD). Additionally, at this moment, undertaking a comparison study between Korea and Peru is relevant work, because Peru is implementing transversal digital government platforms based on the Digital Government Law, and based on that we are dealing with cybercrimes and digital threats; that is why we can learn from the best practices and good lessons of the Digital Identity Scheme in Korea and design better policies and decisions for the Peruvian implementation. This research was carried out using a qualitative research method which involved online interviews with ICT specialists from Korea and Peru to generate an in-depth understanding of the digital identity scheme of both countries. A total of ten specialists were interviewed. The interviews provide an overview of the digital identity evolution in Korea and allow me to identify challenges and policy recommendations in the implementation process of the Digital Identity Scheme in Peru. Based on the results, the big differences are integrated in three factors: strong and continuous digital leadership, a timely legal framework, and modern ICT technology to support development and public service rendering. However, the results also suggest that it is possible to get big achievements on the Digital Identity Scheme in Peru by making institutional arrangements, enhancing digital regulation and optimizing the budget with the purpose of creating a sustainable digital identity ecosystem.
    ABSTRACT 5
    LIST OF ABBREVIATIONS 9
    LIST OF TABLES 9
    CHAPTER 1: INTRODUCTION 12
    1.1 STUDY BACKGROUND 12
    1.2 BACKGROUND OF THE COUNTRIES 20
    1.3 THEORETICAL BACKGROUND 27
    1.4 PURPOSE OF THE RESEARCH 39
    CHAPTER 2. KEY CONCEPTS AND FRAMEWORK 43
    CHAPTER 3: LITERATURE REVIEW 77
    CHAPTER 4: DIGITAL IDENTITY IN KOREA AND PERU 86
    4.1 LEGAL FRAMEWORK 86
    4.2 TECHNOLOGY 100
    4.3 GOVERNANCE AND LEADERSHIP 116
    4.4 BUDGET 120
    4.5 MARKET 122
    4.6 FINDINGS 122
    CHAPTER 5: CONCLUSIONS 132
    5.1 SUMMARY OF THE THESIS 132
    5.2 POLICY COMPARISON 143
    5.3 POLICY RECOMMENDATIONS 145
    5.4 LIMITATIONS OF THE RESEARCH 150
    REFERENCES 152
    APPENDICES 158
    APPENDIX 1. QUESTIONNAIRE 158
    APPENDIX 2. MATRIZ OF COMPARISON 167

    Information Security Synthesis in Online Universities

    Information assurance is at the core of every initiative that an organization executes. For online universities, a common and complex initiative is maintaining the user lifecycle and providing seamless access using one identity in a large virtual infrastructure. To achieve information assurance, the management of user privileges affected by events in the user's identity lifecycle needs to be the determining factor for access control. While the implementation of identity and access management systems makes this initiative feasible, it is the construction and maintenance of the infrastructure that makes it complex and challenging. The objective of this paper is to describe the complexities and propose a practical approach to building a foundation for a consistent user experience and realizing security synthesis in online universities.
    Comment: 20 page