Assurance Requirements for Mutual User and Service Provider Authentication

Several nations and organisations have published frameworks for assurance of user authentication in the context of eGovernment. This reflects the importance that governments attach to guaranteeing that only authorized users can access eGovernment services. Trusted online interaction, however, equally requires assurance of the authentication of service providers: otherwise a user may authenticate strongly to an impostor service without noticing. Unilateral authentication is therefore insufficient for securing two-way interaction, and both user authentication assurance and service provider authentication assurance must be considered. Unfortunately, there are currently no satisfactory frameworks for service provider authentication in the eGovernment context. This paper first describes and compares some of the current eAuthentication frameworks for user authentication. It then proposes an eAuthentication framework for service provider authentication, and discusses how the two types of framework can be integrated and aligned.
