Digital Id as E-authentication
Literature Review
This article's intention is to address the topic of E-identity (eID) as a system in charge of first identifying and then authenticating an individual, or their identity, to a third-party system. Its difference from other systems, such as identity managers and role-based authentication, has to be clarified. To better understand this topic the following example is provided: most countries have a physical identity card. This card is issued by a government office in charge of enrolling and identifying the user and providing him or her with verifiable information on a card. This card is used for accessing services and must be provided with enough mechanisms to make it trustworthy. A citizen just has to present it, and the official can easily verify that this citizen is who he or she claims to be. Later, a brief description and comparison will be made with the above-mentioned systems.
Today, citizens, public institutions and companies are engaged in a new technological environment that is radically changing the way we communicate, work, provide services or develop new business. In this context, data is the new raw material of the 21st century (Villa, 2013). On the other hand, a large majority of consumers are concerned about protecting the privacy of their personal data while they are willing to grasp all the opportunities offered by the digital environment.
The positive attitude of citizens towards sharing data realizes the full potential of having a digital identity and ensures that the flow of personal information continues. Policymakers are asked to provide a stable, coherent and flexible framework that balances the fundamental rights of citizens with equality of conditions (Schneier, 2011).
The digital identity is the only way an individual or entity is described. Digital identities contain information that establishes relationships between different individuals and entities (Windley, 2005). Digital identity has been developed out of the need to know who is who in a digital interaction; the goal is to accurately determine someone's identity in the digital world. Despite the progress made to date in digital identities, there are ways to change them, mask them, or discard and replace them. Although there are many developments in authentication systems and digital identification, there is a growing need to develop unified systems for identification and verification (Camp, 2004).
Overview and History
Talking about eID and its development through history is not easy. To understand its development it is necessary to go through some key concepts and how they came together to produce the term as we know it today. The first term is the identity document, which was mainly created to identify enemies in wars into a country. The first form of legal paper identification is the passport. The first document granting acknowledgment as a form of identification is dated around 450 BC, when the Persian king Artaxerxes granted Nehemiah safe passage to visit Judah. In Britain, around 1414, the king could grant "safe conduct" to stay in British territories. Around 1540 the term passport began to be used with the idea of people passing through maritime ports or through the gates in city walls (https://www.theguardian.com/).
In the same sense, accessing services on the Internet requires appropriate identification and authentication. The main reason for this is that the Internet offers a place where thousands of people access a service at the same time. Some governments have made great efforts to provide a secure environment for their citizens when it comes to accessing multiple off-line and on-line services. Some companies have gone in the same direction, but it has to be taken into account that those are controlled environments with a controlled number of roles and users. In this sense the most appropriate term to refer to those enterprise environments is identity manager.
Malaysia - 2001. PKI allows for easy securing of private data over public telecommunications networks, thus allowing secure electronic transactions over the Internet, which include:
Online submission of tax returns
Internet banking
Secure email
Italy - 2001 - The Italian Electronic Identity Card (EIC, for short) is a polycarbonate smart card equipped with a microchip (supporting cryptographic functions) and a laser band (featuring an embedded hologram). It contains personal data (e.g. name, surname, date of birth, ...) and biometric data (photo and fingerprint) of a citizen. The EIC is an identity document which, according to Italian law, is fully equivalent to the paper-based ID card and can serve two different purposes: (i) it can be used as a traditional paper-based ID card, and (ii) it can be used as an authentication credential, allowing access to network-enabled government services.
Sweden - 2003 - BankID has been developed by a number of large banks for use by members of the public, authorities and companies. The first BankID was issued in 2003. BankID has 6.5 million active users.
The customer's identification is guaranteed by the bank issuing the BankID. Authorities, companies and other organizations must check the validity of the customer's identity and signature. BankID is available on smart cards and as a soft certificate, as well as on mobile phones, iPads and other tablet computers.
Norway - 2004 - The first Norwegian customers were issued a BankID in 2004. At that time, the Norwegian banking sector had been working for four years on developing a joint infrastructure. Today, 3.5 million Norwegians have a BankID, and 900,000 have BankID on mobile. BankID is used by all the country's banks and public digital services and by an increasing number of enterprises in a range of different sectors. It is an express goal for BankID Norway to stimulate increased use of BankID by enterprises outside the financial sector.
Electronic identification using BankID meets the official requirements that apply to identity verification and binding electronic signatures. BankID is used by all the banks in Norway and can be used by all organisations and enterprises that are looking for secure and simple identification online.
Spain - 2006 - the Spanish eID. It is in line with the EU directive on electronic ID, and it is a "smart" identity card with a chip containing certificates for authentication and digital signature, similar to the Estonian ID-kaart, the Belgian .beid and many others. The cards are issued to Spanish citizens and can of course be used for regular "real world" authentication, but in order to use it electronically the subject must physically go to a passport-issuing police station where he/she can activate the chip on the card using a self-service kiosk.
DNIe authentication is implemented using bilateral SSL, meaning that the user requests a protected resource from Signicat which can only be accessed if a DNIe client certificate is attached to the request. This triggers built-in browser functionality to search the computer for a smartcard/certificate, and the user enters a PIN or password to unlock the certificate. DNIe authentication requires that smartcard drivers for the reader and the DNIe card are present on the computer.
Estonia - 2002 - The Estonian identity card (Estonian: ID-kaart) is a smart card issued in Estonia by the Police and Border Guard Board (until 2010 by the Citizenship and
The card's chip stores digitised data about the authorised user, most importantly: the user's full name, gender, national identification number, and cryptographic keys and public key certificates. The card's chip stores a key pair, allowing users to cryptographically sign digital documents based on the principles of public key cryptography using DigiDoc. While it is also possible to encrypt documents using the cardholder's public key, this is used only infrequently, as such documents would become unreadable if the card were lost or destroyed.
Germany - 2010 - Personalausweis. ID cards contain an ISO 7810 and ISO 14443 compatible 13.56 MHz RFID chip that uses the ISO 7816 protocols. The chip stores the information given on the ID card (like name or date of birth), the holder's picture and, if the holder so wishes, also his/her fingerprints. In addition, the new ID card can be used for online authentication (e.g. for age verification or for e-government applications). An electronic signature, provided by a private company, can also be stored on the chip.
The document number, the photo and the fingerprints can supposedly be read only by law enforcement agencies and some other authorities. All ID card agencies have been supplied with reading devices that have been certified by the German Federal Office for Information Security (BSI). Agency staff can use these modules to display all of the personal data stored on the chip, including the digital passport photo and, where applicable, the stored fingerprints.
To use the online authentication function, the holder needs a six-digit decimal PIN. If the holder types in the wrong PIN, he has to type in the six-digit decimal access code printed on the ID card to prove he/she really possesses the ID card. If the wrong PIN is used three times, a PUK must be used to unlock the chip. The data on the chip are protected by Basic Access Control and Extended Access Control.
Denmark - 2010 - NemID. NemID (literally: EasyID) is a common log-in solution for Danish Internet banks, government websites and some other private companies. NemID is managed by the Nets DanID A/S company and came into use on July 1, 2010. Everyone in Denmark who is over 15 years old and has a CPR number is eligible for a NemID that can be used with their bank as well as with public institutions. Anyone over 13 years old may use a NemID for internet banking.
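The PIN, access code and PUK sequence described above for the German Personalausweis, modelled as a small state machine. This is an added example, not code from the page or from any card vendor; the PIN, access code and PUK values are constructed and the rule "access code required after any wrong PIN, PUK after three" follows the text above rather than a card specification.

```python
import hmac
from enum import Enum
from typing import Optional


class CardState(Enum):
    PIN = "pin"                 # PIN is accepted on its own
    PIN_WITH_CAN = "pin+can"    # after a wrong PIN: access code must be given too
    BLOCKED = "blocked"         # three wrong PINs: only the PUK unlocks the chip


class EidChip:
    """Access-control path of the online authentication function (model only)."""
    MAX_TRIES = 3

    def __init__(self, pin: str, can: str, puk: str):
        # Constructed secrets for the example; not derived from any real card.
        self._pin, self._can, self._puk = pin, can, puk
        self.failed = 0
        self.state = CardState.PIN

    def verify_pin(self, pin: str, can: Optional[str] = None) -> bool:
        if self.state is CardState.BLOCKED:
            return False
        if self.state is CardState.PIN_WITH_CAN:
            # The access code printed on the card proves physical possession.
            # A missing or wrong code is rejected without burning a PIN try.
            if can is None or not hmac.compare_digest(self._can, can):
                return False
        if hmac.compare_digest(self._pin, pin):
            self.failed = 0
            self.state = CardState.PIN
            return True
        self.failed += 1
        self.state = (CardState.BLOCKED if self.failed >= self.MAX_TRIES
                      else CardState.PIN_WITH_CAN)
        return False

    def unblock_with_puk(self, puk: str, new_pin: str) -> bool:
        """Only a blocked chip accepts the PUK; success resets the retry counter."""
        if self.state is not CardState.BLOCKED:
            return False
        if not hmac.compare_digest(self._puk, puk):
            return False
        self._pin = new_pin
        self.failed = 0
        self.state = CardState.PIN
        return True
```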
Users of NemID are assigned a unique ID number that can be used as a username in addition to their CPR number or a user-defined username.
Users receive a card containing pairs of numbers, similar to transaction authentication numbers. After logging in with a username and password, NemID users are prompted to enter the key corresponding to a given number as part of NemID's two-factor authentication scheme. These private keys are one-time use only. After all of them have been used the user must get new private keys, which are generally sent to the user by mail once they are about to run out.
The private keys are kept on a central server. This has caused criticism of the security of the NemID system. In April 2013 the NemID system shut itself down in response to a DDoS attack, causing widespread chaos in Denmark, where internet banking was not possible during the attack. With Java version 1.7.0_45, the NemID Java applet was not able to log users in (Larsen, 2013).
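The key-card second factor described in the two paragraphs above, as an added example that is not part of the original article or of NemID's own code. The server-side table of expected keys is exactly the centrally stored secret the criticism refers to; card size, four-digit challenge numbers, six-digit keys and the "about to run out" threshold are assumptions.

```python
import hmac
import random
import secrets
from dataclasses import dataclass, field
from typing import Optional

LOW_KEYS_THRESHOLD = 20   # assumed: mail a replacement card at this point


@dataclass
class KeyCard:
    """One paper key card: challenge number -> one-time key (TAN-like)."""
    keys: dict                     # constructed at issue time, held by the server
    used: set = field(default_factory=set)


def issue_card(n_keys: int = 148, rng: Optional[random.Random] = None) -> KeyCard:
    """Generate a fresh card; the same table is printed for the user and stored centrally."""
    rng = rng or secrets.SystemRandom()
    keys = {}
    while len(keys) < n_keys:
        number = rng.randrange(1000, 10000)            # four-digit challenge number
        keys.setdefault(number, f"{rng.randrange(10**6):06d}")
    return KeyCard(keys=keys)


def keys_remaining(card: KeyCard) -> int:
    return len(card.keys) - len(card.used)


def next_challenge(card: KeyCard, rng: Optional[random.Random] = None) -> Optional[int]:
    """Pick an unused number to show after the password step; None if exhausted."""
    rng = rng or secrets.SystemRandom()
    unused = [n for n in card.keys if n not in card.used]
    return rng.choice(unused) if unused else None


def verify_key(card: KeyCard, challenge: int, response: str) -> bool:
    """Second factor: the key printed beside `challenge`, accepted exactly once."""
    expected = card.keys.get(challenge)
    if expected is None or challenge in card.used:
        return False                                   # unknown or already spent
    if not hmac.compare_digest(expected, response):
        return False
    card.used.add(challenge)                           # one-time: burn on success
    return True


def needs_new_card(card: KeyCard) -> bool:
    return keys_remaining(card) <= LOW_KEYS_THRESHOLD
```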
Pakistan - 2012. The Computerized National Identity Card (CNIC) is an identity card issued by Pakistan's National Database and Registration Authority (NADRA). The card is first issued at the age of 18. There are two types of identity card in Pakistan: CNIC and SNIC. The CNIC is the Urdu-language computerized card and the SNIC is Pakistan's first national electronic identity card. The SNIC complies with ICAO standard 9303 and ISO standard 7816-4. The SNIC can be used for both offline and online identification, voting, pension disbursement, social and financial inclusion programmes and other services. NADRA aims to replace all 89.5 million CNICs with SNICs by 2020.
Bulgaria - 2013. Within the project "Improvement of administrative services to users by building on central systems of e-government" implemented by the
Electronic identity (e-ID) uniquely determines the identity of a person electronically via a smart card with a universal digital code. The electronic identity card contains the name of the card holder, a protected personal PIN code and a password. The card does not contain personal data (http://psc.egov.bg, 2016).
Differences from other systems
eID. In a generic way, an "Electronic identity" is a means for people to prove electronically that they are who they say they are and thus gain access to services. The identity allows an entity (citizen, business, administration) to be distinguished from any other.
Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.
IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. This security practice is a crucial undertaking for any enterprise. It is increasingly business-aligned, and it requires business skills, not just technical expertise.
Enterprises that develop mature IAM capabilities can reduce their identity management costs and, more importantly, become significantly more agile in supporting new business initiatives (gartner.com, 2016).
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.
In a basic web SSO service, an agent module on the application server retrieves the specific authentication credentials for an individual user from a dedicated SSO policy server, while authenticating the user against a user repository such as a Lightweight Directory Access Protocol (LDAP) directory (http://searchsecurity.techtarget.com/, 2016).
Risks in concentration of the identity provider function
Identity providers serving as common access points across many different services are prime targets of attack and present increased risk when compromised. Privacy concerns increase when the identity provider function is concentrated, and these privacy concerns must be satisfactorily addressed.
(http://www.secureidnews.com, 2016) To counter this concern, privacy guidelines call for the identity service provider to have little or no control over, or knowledge of, what transpires after the user gains access to a relying party's service.
Overlapping federated identity standards
(delegated authentication that uses existing URIs to log into any other site), OAuth (a JSON- and HTTP-based framework that supports authorization protocols and is used by OpenID Connect for authentication), and SAML (Security Assertion
Other authentication standards are being developed, such as the FIDO Alliance (addressing biometrics and token sharing) and BlockAuth (marrying OpenID Connect with blockchain technology). These standards will need to be rationalized and proven in large-scale critical infrastructure applications (Lucas, 2016).
Christian Nørgaard Larsen, Berlingske Nyhedsbureau, 6 October 2013, 08:47. http://www.b.dk/tech/nemid-dur-ikke-med-seneste-opdatering
http://psc.egov.bg/psc-electronic-identification
http://www.secureidnews.com/news-item/germans-microwaving-boiling-id-cards/
Federated Identities: OpenID vs SAML vs OAuth, by Sherif Koussa, Jul 6, 2013. http://www.softwaresecured.com/2013/07/6/federated-identitiesopenid-vs-saml-vs-oauth/
Peter Lucas. http://www.digitaltransactions.net/news/story/6387
http://blogs.gartner.com/it-glossary/identity-and-access-management-iam/
"SSO and LDAP Authentication". Authenticationworld.com. Retrieved 2014-05-23.
http://searchsecurity.techtarget.com/definition/single-sign-on
Report from the Population Reference Bureau at http://www.prb.org (accessed September 2016).