
Digital Id as E-authentication

Literature Review
This article's intention is to address the topic of electronic identity (eID) as a system in charge of first identifying
and then authenticating an individual, or their claimed identity, to a third-party system. The difference from
other systems, such as identity managers and role-based authentication, has to be clarified. To understand
the topic better, consider the following example: most countries have a physical identity card. This
card is issued by a government office in charge of enrolling and identifying the citizen and providing them with
verifiable information on a card. The card is used for accessing services and must be provided with enough
mechanisms to make it trustworthy. A citizen just has to present it, and the official can easily verify that the
citizen is who he or she claims to be. Later, a brief description and comparison will be made with the above-
mentioned systems.

Today, citizens, public institutions and companies are engaged in a new technological environment that
is radically changing the way we communicate, work, provide services and develop new business. In this
context, data is the raw material of the 21st century (Villa, 2013). On the other hand, a large majority of
consumers are concerned about protecting the privacy of their personal data while they are willing to grasp
all the opportunities offered by the digital environment.

The positive attitude of citizens towards sharing data realizes the full potential of having a digital identity and
keeps the flow of personal information going. Policymakers are asked to provide a stable, coherent and
flexible framework that balances the fundamental rights of citizens with equality of conditions
(Schneier, 2011).

A digital identity is the data by which an individual or entity is described in digital form. Digital identities
contain information that establishes relationships between different individuals and entities (Windley, 2005).
Digital identity has developed out of the need to know who is who in a digital interaction; the goal is
to accurately determine someone's identity in the digital world. Despite the progress made to date
in digital identities, there are ways to change them, mask them, or discard and replace them.
Although there are many developments in authentication systems and digital identification, there is a
growing need to develop unified systems for identification and verification (Camp, 2004).
Overview and History

Talking about eID and its development through history is not easy. To understand its development it is
necessary to go through some key concepts and how they came together to form the term as we know it
today. The first concept is the identity document, which was mainly created to identify enemies entering a
country in wartime. The first form of legal paper identification is the passport. The first document granting
acknowledgement as a form of identification dates from around 450 BC, when the Persian king Artaxerxes
granted Nehemiah safe passage to visit Judah. In Britain, around 1414, the king could grant safe
conduct to stay in British territories. Around 1540 the term passport began to be used, with the idea of
people passing through maritime ports or through the gates in city walls
(https://www.theguardian.com/).

In the same sense, accessing services on the Internet requires appropriate identification and
authentication. The main reason for this is that the Internet offers a place where thousands of people access a
service at the same time. Some governments have made great efforts to provide a secure environment
for their citizens when it comes to accessing multiple off-line and on-line services. Some companies have
gone in the same direction, but it has to be taken into account that those are controlled environments
with a controlled number of roles and users. In this sense the most appropriate term to refer to those
enterprise environments is identity manager.

Malaysia - 2001. Malaysia has long sought to be a global leader in the information technology industry.
Beginning in 1996, the Malaysian government created the Multimedia Super Corridor, now known as
MSC Malaysia, as a government initiative to transform the nation into a knowledge-based society. As
part of this overall plan, in 1999 Malaysia began developing MyKad, one of the world's first national e-
ID cards. Since its inception, the goal has been for MyKad to be a multipurpose smart card for use in
both the public and private sector. The government had rolled out MyKad to all Malaysian citizens
and permanent residents over the age of twelve by 2005. (http://www.prb.org, 2016)

MyKad's Public Key Infrastructure (PKI) application allows two digital certificates to be loaded onto the card.
MyKad holders can apply for and purchase the digital certificates from two of Malaysia's certification
authorities, MSC Trustgate.com Sdn. Bhd. and DigiCert Sdn. Bhd.

PKI allows private data to be secured easily over public telecommunications networks, thus allowing
secure electronic transactions over the Internet, which include:
Online submission of tax returns
Internet banking
Secure email

Italy - 2001 - The Italian Electronic Identity Card (EIC) is a polycarbonate smart card
equipped with a microchip (supporting cryptographic functions) and a laser band (featuring an
embedded hologram). It contains personal data (e.g. name, surname, date of birth) and biometric data
(photo and fingerprint) of the citizen. The EIC is an identity document which, according to Italian law,
is fully equivalent to the paper-based ID card and can serve two different purposes: (i) it can be used as
a traditional paper-based ID card, and (ii) it can be used as an authentication credential, allowing access
to network-enabled government services.

Sweden - 2003 - BankID has been developed by a number of large banks for use by members of the
public, authorities and companies. The first BankID was issued in 2003. BankID has 6.5 million
active users. Many services are provided where citizens can use their BankID for digital identification
as well as for signing transactions and documents. The services range from online and mobile banking and e-
commerce to tax declarations, and are provided by government, municipalities, banks and companies. BankID
is used both for identification and for signing. According to Swedish law, and within the European
Union, BankID is an advanced electronic signature, and a signature made with a BankID is legally binding.

The customer's identification is guaranteed by the bank issuing the BankID. Authorities, companies
and other organizations must check the validity of the customer's identity and signature. BankID is
available on smart cards, as a soft certificate, and on mobile phones, iPads and other tablet computers.

Norway - 2004 - The first Norwegian customers were issued a BankID in 2004. At that time, the
Norwegian banking sector had been working for four years on developing a joint infrastructure. Today,
3.5 million Norwegians have a BankID, and 900,000 have BankID on mobile. BankID is used by all
the country's banks and public digital services and by an increasing number of enterprises in a range of
different sectors. It is an express goal of BankID Norway to stimulate increased use of BankID by
enterprises outside the financial sector. Electronic identification using BankID meets the official
requirements that apply to identity verification and binding electronic signatures. BankID can be used by
all organisations and enterprises that are looking for secure and simple identification online.

Spain - 2006 - the Spanish eID (DNIe). It is in line with the EU directive on electronic signatures, and it is a
"smart" identity card with a chip containing certificates for authentication and digital signature, similar to the
Estonian ID-kaart, the Belgian .beid and many others. The cards are issued to Spanish citizens and can of
course be used for regular "real world" authentication, but in order to use it electronically the holder
must physically go to a police station that issues passports and ID cards, where he/she can activate the chip
on the card using a self-service kiosk.

DNIe authentication is implemented using mutual TLS (client-certificate authentication, often called "bilateral
SSL"): the user requests a protected resource from Signicat which can only be accessed if a DNIe client
certificate is presented during the TLS handshake. This triggers built-in browser functionality to search the
computer for a smart card or certificate, and the user enters a PIN or password to unlock the private key. The
server must in turn validate the presented certificate against the DNIe certification authority and check its
revocation status before trusting the identity in it. DNIe authentication requires that smart-card drivers for the
reader and the DNIe card are present on the computer.

Estonia - 2002 - The Estonian identity card (Estonian: ID-kaart) is a smart card issued in Estonia by
the Police and Border Guard Board (until 2010 by the Citizenship and Migration Board) of the Ministry
of Internal Affairs. It is recognised for travel by all member states of the European Union and EFTA
and some other European countries as an official travel document.

The card's chip stores digitised data about the authorised user, most importantly the user's full name,
gender, national identification number, cryptographic keys and public-key certificates. The chip holds
a key pair, allowing users to cryptographically sign digital documents based on the principles of
public-key cryptography using DigiDoc. While it is also possible to encrypt documents to the card-
holder's public key, this is used only infrequently: the private key never leaves the chip, so such documents
would become unreadable if the card were lost or destroyed.

Germany - 2010 - Personalausweis. ID cards contain an ISO 14443-compatible 13.56 MHz contactless
chip that uses the ISO 7816 protocols. The chip stores the information printed on the ID card (such as
name or date of birth), the holder's picture and, if the holder wishes, also his/her fingerprints. In
addition, the new ID card can be used for online authentication (e.g. for age verification or for
e-government applications). A qualified electronic signature certificate, provided by a private company,
can also be loaded onto the chip.

The document number, the photo and the fingerprints are intended to be readable only by law enforcement
agencies and some other authorities. All ID card agencies have been supplied with reading devices
certified by the German Federal Office for Information Security (BSI). Agency staff can
use these devices to display all of the personal data stored on the chip, including the digital passport
photo and, where applicable, the stored fingerprints.

To use the online authentication function, the holder needs a six-digit decimal PIN. After two wrong PIN
entries, the holder must also type in the six-digit card access number (CAN) printed on the ID card before
the third attempt, to prove that he/she really possesses the card. After three wrong PIN entries the PIN is
blocked and the PUK must be used to unblock it. The data on the chip are protected by the password-based
PACE protocol (which replaces the Basic Access Control used on passports) and by Extended Access
Control, so that a reading terminal needs an authorisation certificate before it can read any personal data.

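The retry logic above (six-digit PIN, CAN demanded before the last attempt, PUK after three failures) is easier to reason about as a small state machine. The block below is an added example written for this review; it is not code from the page or from any German eID implementation, and the PIN, CAN and PUK values, the retry budgets and the result strings are constructed for illustration.

```python
# Added example, not from the page or from any German eID implementation: a model of
# the PIN / CAN / PUK retry logic described above.  PIN, CAN and PUK values are
# constructed sample data; real cards keep this state inside the chip.
import hmac
from dataclasses import dataclass
from typing import Optional

PIN_RETRIES = 3     # wrong PINs allowed before the chip blocks the PIN
PUK_RETRIES = 10    # assumed PUK budget; the page does not state a number


@dataclass
class EidChip:
    pin: str
    can: str            # six-digit card access number printed on the card
    puk: str
    pin_retries_left: int = PIN_RETRIES
    puk_retries_left: int = PUK_RETRIES

    @staticmethod
    def _eq(a: str, b: str) -> bool:
        # constant-time compare so a wrong digit does not leak through timing
        return hmac.compare_digest(a.encode(), b.encode())

    @property
    def pin_blocked(self) -> bool:
        return self.pin_retries_left == 0

    def verify_pin(self, pin: str, can: Optional[str] = None) -> str:
        """Returns 'ok', 'wrong', 'can-required', 'bad-format' or 'blocked'."""
        if self.pin_blocked:
            return "blocked"                   # only the PUK can help now
        if len(pin) != 6 or not pin.isdigit():
            return "bad-format"                # rejected before it costs a retry
        if self.pin_retries_left == 1:
            # last attempt: the holder must also prove possession of the card
            # by typing the CAN printed on it
            if can is None or not self._eq(can, self.can):
                return "can-required"
        # decrement first, then compare: the usual smart-card order, so that cutting
        # power in the middle of the check still costs the attacker an attempt
        self.pin_retries_left -= 1
        if self._eq(pin, self.pin):
            self.pin_retries_left = PIN_RETRIES
            return "ok"
        return "blocked" if self.pin_blocked else "wrong"

    def unblock_pin(self, puk: str) -> str:
        """Reset the PIN retry counter with the PUK; the PIN itself is unchanged."""
        if self.puk_retries_left == 0:
            return "puk-blocked"               # card is unusable for online auth
        self.puk_retries_left -= 1
        if not self._eq(puk, self.puk):
            return "wrong"
        self.pin_retries_left = PIN_RETRIES
        return "ok"


def demo() -> list:
    """Walk the chip through the sequence the text describes."""
    chip = EidChip(pin="123456", can="987654", puk="0123456789")
    return [
        chip.verify_pin("000000"),                  # wrong, 2 attempts left
        chip.verify_pin("000000"),                  # wrong, 1 attempt left
        chip.verify_pin("123456"),                  # can-required: CAN not supplied
        chip.verify_pin("000000", can="987654"),    # wrong again -> blocked
        chip.verify_pin("123456", can="987654"),    # still blocked, even with the right PIN
        chip.unblock_pin("0123456789"),             # PUK resets the counter
        chip.verify_pin("123456"),                  # ok
    ]


if __name__ == "__main__":
    print(demo())
```

Note the order inside `verify_pin`: the format check costs nothing, the CAN gate sits in front of the last attempt, and the counter is decremented before the comparison rather than after it.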
Denmark - 2010 - NemID. NemID (literally: EasyID) is a common log-in solution for Danish Internet
banks, government websites and some other private companies. NemID is managed by the Nets DanID
A/S company and came into use on July 1, 2010. Everyone in Denmark who is over 15 years old and
has a CPR number is eligible for a NemID that can be used with their bank as well as with public
institutions. Anyone over 13 years old may use a NemID for Internet banking.

Users of NemID are assigned a unique ID number that can be used as a username in addition to their
CPR-Number or a user-defined username.

Users receive a card containing numbered one-time keys, similar to transaction authentication numbers
(TANs). After logging in with a username and password, NemID users are prompted to enter the key
corresponding to a number as the second factor of NemID's two-factor authentication scheme. Each key can
be used only once. After all of them are used the user must get new keys; a new card is generally sent to the
user by post once the old one is about to run out.
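The key-card exchange described above, as an added example that is not NemID's own code: the server challenges with a key number it has not used before, accepts the matching key at most once, locks the account after repeated wrong answers, and reports when a new card should be sent. Card size, renewal threshold and lockout limit are assumed values, and the card contents are generated at random here.

```python
# Added example, not NemID's own code: a server-side verifier for the numbered
# one-time key card described above.  Card size, renewal threshold and lockout
# limit are assumed values; the card contents are generated at random here, so
# nothing in this block corresponds to a real card.
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

KEYS_PER_CARD = 148      # assumed number of keys printed on one card
RENEW_THRESHOLD = 10     # assumed: mail a new card once this few keys remain
MAX_FAILURES = 3         # assumed: lock the account after this many wrong answers


def make_card(keys_per_card: int = KEYS_PER_CARD) -> Dict[str, str]:
    """The printed card: key number -> six-digit one-time key (goes to the user)."""
    return {f"{i:04d}": f"{secrets.randbelow(10**6):06d}"
            for i in range(1, keys_per_card + 1)}


class KeyCardVerifier:
    """What the server keeps for one user's card, and how it checks an answer."""

    def __init__(self, card: Dict[str, str], pepper: bytes):
        # Keep keyed hashes, not the keys: a six-digit key is trivially brute-forced
        # from a plain SHA-256, but not from HMAC(pepper, key) if the pepper lives
        # elsewhere (an HSM, in practice).  This is one mitigation for the
        # "keys on a central server" concern raised in the text.
        self._pepper = pepper
        self._digests = {n: self._digest(k) for n, k in card.items()}
        self._used: Set[str] = set()
        self._pending: Optional[str] = None
        self._failures = 0
        self.locked = False

    def _digest(self, key: str) -> bytes:
        return hmac.new(self._pepper, key.encode(), hashlib.sha256).digest()

    @property
    def remaining(self) -> int:
        return len(self._digests) - len(self._used)

    def challenge(self) -> str:
        """Second step after password login: ask for a key the user has not used yet."""
        if self.locked:
            raise PermissionError("account locked after repeated wrong keys")
        unused = [n for n in self._digests if n not in self._used]
        if not unused:
            raise RuntimeError("card exhausted: issue a new card before logging in")
        self._pending = secrets.choice(unused)   # random, so an onlooker cannot
        return self._pending                     # predict which key comes next

    def respond(self, number: str, key: str) -> Tuple[bool, bool]:
        """Check the user's answer. Returns (accepted, card_running_low)."""
        if self.locked or self._pending is None or number != self._pending:
            return False, False          # nothing outstanding, or a replay of an old challenge
        self._pending = None             # each challenge is answered at most once
        if number in self._used:         # defence in depth; challenge() never picks these
            return False, False
        if not hmac.compare_digest(self._digest(key), self._digests[number]):
            self._failures += 1
            self.locked = self._failures >= MAX_FAILURES
            return False, False
        self._failures = 0
        self._used.add(number)           # one-time use: this key is spent for good
        return True, self.remaining <= RENEW_THRESHOLD


if __name__ == "__main__":
    card = make_card()
    verifier = KeyCardVerifier(card, pepper=secrets.token_bytes(32))
    n = verifier.challenge()
    print(n, verifier.respond(n, card[n]))   # the user reads key n off the card
```

The verifier never returns a used key number in a challenge and never accepts an answer for a challenge it did not issue, which is what makes a captured number/key pair worthless to a replaying attacker.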

The users' private signing keys are kept on a central server rather than on a device the user holds. This has
drawn criticism of the security of the NemID system. On 11 April 2013, the NemID system shut itself down in
response to a DDoS attack, causing widespread chaos in Denmark, where Internet banking was not possible
during the attack. With Java version 1.7.0_45, the NemID Java applet was not able to log users in (Larsen, 2013).

Pakistan - 2012. The Computerized National Identity Card (CNIC) is an identity card issued by
Pakistan's National Database and Registration Authority (NADRA). The card is first issued at the age
of 18. There are two types of identity card in Pakistan, the CNIC and the SNIC. The CNIC is the Urdu-language
computerized card and the SNIC is Pakistan's first national electronic identity card. The SNIC complies
with ICAO standard 9303 and ISO standard 7816-4. The SNIC can be used for both offline and online
identification, voting, pension disbursement, social and financial inclusion programmes and other
services. NADRA aims to replace all 89.5 million CNICs with SNICs by 2020.

Bulgaria - 2013. Within the project "Improvement of administrative services to users by building
on central e-government systems", implemented by the Ministry of Transport, Information
Technology and Communications with the financial support of the Operational Programme "Administrative
Capacity", co-financed by the European Union through the European Social Fund, a management
system for the electronic identification of Bulgarian citizens and a register of electronic identities were created.

Electronic identity (e-ID) uniquely determines the identity of a person electronically via a smart
card carrying a universal digital code. The electronic identity card contains the name of the card holder and a
protected personal PIN code and password. The card does not otherwise contain personal data.
(http://psc.egov.bg, 2016)

Differences from other systems

eID. In a generic way, an electronic identity is a means for people to prove electronically that they are
who they say they are and thus gain access to services. The identity allows an entity (citizen,
business, administration) to be distinguished from any other.

Identity and access management (IAM) is the security discipline that enables the right individuals to
access the right resources at the right times for the right reasons.

IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly
heterogeneous technology environments, and to meet increasingly rigorous compliance requirements.
This security practice is a crucial undertaking for any enterprise. It is increasingly business-aligned, and
it requires business skills, not just technical expertise.

Enterprises that develop mature IAM capabilities can reduce their identity management costs and, more
importantly, become significantly more agile in supporting new business initiatives. (gartner.com,
2016).

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of
login credentials (e.g., name and password) to access multiple applications. The service authenticates
the end user for all the applications the user has been given rights to and eliminates further prompts
when the user switches applications during the same session. On the back end, SSO is helpful for
logging user activities as well as monitoring user accounts.

In a basic web SSO service, an agent module on the application server retrieves the
specific authentication credentials for an individual user from a dedicated SSO policy server, while
authenticating the user against a user repository such as a Lightweight Directory Access Protocol (LDAP)
directory. (http://searchsecurity.techtarget.com/, 2016)

Security issues

Risks in concentration of the identity provider function

Identity providers serving as common access points across many different services are prime targets
for attack and present increased risk when compromised. Privacy concerns also increase when the identity-
provider function is concentrated, and these concerns must be satisfactorily addressed
(http://www.secureidnews.com, 2016). To counter this concern, privacy guidelines call for the identity
service provider to have little or no control over, or knowledge of, what transpires after the user gains
access to a relying party's service.

Overlapping federated identity standards

Multiple standards exist and continue to evolve. They include OpenID (delegated authentication that
uses an existing URI to log into any other site), OAuth (a JSON- and HTTP-based authorization framework,
on which OpenID Connect builds its authentication layer) and SAML
(Security Assertion Markup Language, an Extensible Markup Language (XML) standard that allows
single logon to affiliated but separate business-to-business and business-to-consumer web sites and
systems). (Koussa, 2013)
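Both the SSO description above (one credential, many applications, a central policy server) and the OpenID Connect entry in this list come down to a signed token that an identity provider mints and a relying party checks. The block below is an added example written for this review, not code from any of the products or standards bodies named on this page: it issues and validates a compact JWT-style token with the checks a relying party must perform (signature first, then issuer, audience and expiry). It uses HS256 with a shared secret so it runs on the standard library alone; public OpenID Connect providers sign with asymmetric keys (RS256/ES256) instead. The issuer, audience, subject and secret are constructed values.

```python
# Added example, not from any of the standards bodies or vendors named above: a
# minimal compact token of the JWT form used by OpenID Connect, issued by an identity
# provider and checked by a relying party.  HS256 (a shared secret) is used so it
# runs on the standard library alone; public providers sign with asymmetric keys.
# Issuer, audience, subject and secret below are constructed values.
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

ALG = "HS256"   # pinned: the verifier never takes the algorithm from the token


class TokenError(Exception):
    pass


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, issuer: str, subject: str, audience: str,
                ttl_seconds: int, now: Optional[int] = None) -> str:
    """Identity-provider side: sign {iss, sub, aud, iat, exp} for one relying party."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALG, "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, secret: bytes, issuer: str, audience: str,
                   now: Optional[int] = None, leeway: int = 30) -> Dict[str, Any]:
    """Relying-party side: signature first, then issuer, audience and expiry."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    head, body, sig = parts
    # Check the MAC before parsing anything: untrusted JSON is only decoded after we
    # know it came from the holder of the secret, and a token whose header claims
    # "alg": "none" (or any other algorithm) fails here regardless of the header.
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    try:
        given = _unb64url(sig)
    except ValueError:
        raise TokenError("bad signature") from None
    if not hmac.compare_digest(expected, given):
        raise TokenError("bad signature")
    try:
        header = json.loads(_unb64url(head))
        claims = json.loads(_unb64url(body))
    except ValueError:
        raise TokenError("undecodable payload") from None
    if header.get("alg") != ALG:
        raise TokenError("unexpected alg")
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")       # minted for some other service
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise TokenError("expired")
    return claims


def token_status(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[int] = None) -> str:
    """'ok' or the reason the relying party rejected the token."""
    try:
        validate_token(token, secret, issuer, audience, now=now)
        return "ok"
    except TokenError as exc:
        return str(exc)


if __name__ == "__main__":
    key = b"shared-secret-between-idp-and-app"   # constructed
    t = issue_token(key, "https://idp.example", "alice", "payroll-app", 300)
    print(token_status(t, key, "https://idp.example", "payroll-app"))
```

The audience check is the one most often skipped and the one that matters most in the concentrated-provider setting discussed above: without it, a token issued for one relying party is accepted by every other relying party that trusts the same identity provider.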

Other authentication standards are being developed, such as those of the FIDO Alliance (addressing biometric
and hardware-token authentication) and BlockAuth (marrying OpenID Connect with blockchain technology). These
standards will need to be rationalized and proven in large-scale critical infrastructure applications.
(Lucas, 2016)

Management

Larsen, Christian Nørgaard (Berlingske Nyhedsbureau). "NemID dur ikke med seneste opdatering", 16 October 2013, 08:47. http://www.b.dk/tech/nemid-dur-ikke-med-seneste-opdatering

Bulgarian e-government portal, electronic identification. http://psc.egov.bg/psc-electronic-identification (accessed 2016)

SecureIDNews. "Germans microwaving, boiling ID cards". http://www.secureidnews.com/news-item/germans-microwaving-boiling-id-cards/?tag=email&utm_source=MailerMailer&utm_medium=email&utm_content=Germans+microwaving%2C+boiling+ID+cards& (accessed 2016)

Koussa, Sherif. "Federated Identities: OpenID vs SAML vs OAuth", 16 July 2013. http://www.softwaresecured.com/2013/07/16/federated-identities-openid-vs-saml-vs-oauth/

Lucas, Peter. Digital Transactions. http://www.digitaltransactions.net/news/story/6387 (accessed 2016)

Gartner IT Glossary. "Identity and Access Management (IAM)". http://blogs.gartner.com/it-glossary/identity-and-access-management-iam/ (accessed 2016)

"SSO and LDAP Authentication". Authenticationworld.com. Retrieved 2014-05-23.

TechTarget SearchSecurity. "Single sign-on". http://searchsecurity.techtarget.com/definition/single-sign-on (accessed 2016)

Population Reference Bureau report. http://www.prb.org (accessed September 2016)
