The Austrian eID Ecosystem in the Public Cloud: How to Obtain Privacy While Preserving Practicality

The Austrian eID system constitutes a main pillar within the Austrian eGovernment strategy. The eID system ensures unique identification and secure authentication for citizens protecting access to applications where sensitive and personal data is involved. In particular, the Austrian eID system supports three main use cases: Identification and authentication of Austrian citizens, electronic representation, and foreign citizen authentication at Austrian public sector applications. For supporting all these use cases, several components – either locally deployed in the applications’ domain or centrally deployed – need to communicate with each other. While local deployments have some advantages in terms of scalability, still a central deployment of all involved components would be advantageous, e.g. due to less maintenance efforts. However, a central deployment can easily lead to load bottlenecks because theoretically the whole Austrian population as well as – for foreign citizens – the whole EU population could use the provided services. To mitigate the issue on scalability, in this paper we propose the migration of main components of the ecosystem into a public cloud. However, a move of trusted services into a public cloud brings up new obstacles, particular with respect to privacy. To bypass the issue on privacy, in this paper we propose an approach on how the complete Austrian eID ecosystem can be moved into a public cloud in a privacy-preserving manner by applying selected cryptographic technologies (in particular using proxy ∗Corresponding author Email address: bernd.zwattendorfer@iaik.tugraz.at (Bernd Zwattendorfer) Preprint submitted to Journal of Information Security and Applications October 1, 2015 c ©2015 This manuscript version is made available under the CC-BY-NC-ND 4.0 license http://creativecommons.org/licenses/by-nc-nd/4.0/ ar X iv :1 60 1. 03 53 3v 1 [ cs .C R ] 1 4 Ja n 20 16 re-encryption and redactable signatures). Applying this approach, no sensitive data will be disclosed to a public cloud provider by still supporting all three main eID system use cases. We finally discuss our approach based on selected criteria.

[1]  Jan Camenisch,et al.  Anonymous credentials on a standard java card , 2009, CCS.

[2]  Christof Paar,et al.  Efficient E-cash with Attributes on MULTOS Smartcards , 2015, RFIDSec.

[3]  Isaac Agudo,et al.  BlindIdM: A privacy-preserving approach for identity management as a service , 2014, International Journal of Information Security.

[4]  Marcin,et al.  Overview of Identity Management , 2008 .

[5]  Daniel Slamanig,et al.  Privacy-preserving realization of the STORK framework in the public cloud , 2013, 2013 International Conference on Security and Cryptography (SECRYPT).

[6]  Bart Preneel,et al.  Introduction to the Belgian EID Card: BELPIC , 2004, EuroPKI.

[7]  Ron Steinfeld,et al.  Content Extraction Signatures , 2001, ICISC.

[8]  Bernd Zwattendorfer,et al.  An Overview of Cloud Identity Management-Models , 2014, WEBIST.

[9]  Kai Rannenberg,et al.  Integrating Anonymous Credentials with eIDs for Privacy-Respecting Online Authentication , 2012, APF.

[10]  Thomas Zefferer,et al.  The Austrian Identity Ecosystem: An E-Government Experience , 2014 .

[11]  Jaap-Henk Hoepman,et al.  Towards a Full-Featured Implementation of Attribute Based Credentials on Smart Cards , 2014, CANS.

[12]  Daniel Slamanig,et al.  Generalizations and Extensions of Redactable Signatures with Applications to Electronic Healthcare , 2010, Communications and Multimedia Security.

[13]  Dawn Xiaodong Song,et al.  Homomorphic Signature Schemes , 2002, CT-RSA.

[14]  Siddhartha Arora National e-ID card schemes: A European overview , 2008, Inf. Secur. Tech. Rep..

[15]  Thomas Lenz A Modular and Flexible Attribute Mapping Service to Meet National Requirements in Cross-Border eID Federations , 2015 .

[16]  Daniel Slamanig,et al.  User-centric identity as a service-architecture for eIDs with selective attribute disclosure , 2014, SACMAT '14.

[17]  Marian Margraf The New German ID Card , 2010, ISSE.

[18]  Pim Vullers,et al.  Efficient implementations of attribute-based credentials on smart cards , 2014 .

[19]  Javier López,et al.  Integrating OpenID with proxy re-encryption to enhance privacy in cloud-based identity services , 2012, 4th IEEE International Conference on Cloud Computing Technology and Science Proceedings.

[20]  Sam Hartman,et al.  The Kerberos Network Authentication Service (V5) , 2005, RFC.

[21]  Daniel Slamanig,et al.  Scalable and Privacy-Preserving Variants of the Austrian Electronic Mandate System in the Public Cloud , 2013, 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications.

[22]  Radu Sion,et al.  On securing untrusted clouds with cryptography , 2010, WPES '10.

[23]  Matt Blaze,et al.  Divertible Protocols and Atomic Proxy Cryptography , 1998, EUROCRYPT.

[24]  Dimitrios Zissis,et al.  Addressing cloud computing security issues , 2012, Future Gener. Comput. Syst..

[25]  Bin Wang,et al.  Identity Federation Broker for Service Cloud , 2010, 2010 International Conference on Service Sciences.

[27]  Bernd Zwattendorfer,et al.  The Public Cloud for e-Government , 2013, Int. J. Distributed Syst. Technol..

[28]  Stefan Katzenbeisser,et al.  Redactable Signatures for Tree-Structured Data: Definitions and Constructions , 2010, ACNS.

[29]  H. Leitold,et al.  A Systematic Approach to Legal Identity Management – Best Practice Austria , 2012 .

[30]  Ron Poet,et al.  A comparative analysis of Identity Management Systems , 2012, 2012 International Conference on High Performance Computing & Simulation (HPCS).

[31]  Reinhard Posch,et al.  Security architecture of the Austrian citizen card concept , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[32]  Matthew Green,et al.  Identity-Based Proxy Re-encryption , 2007, ACNS.

[33]  Jin H. Im,et al.  Privacy , 2002, Encyclopedia of Information Systems.

[34]  Lin Yang,et al.  A survey of Identity Management technology , 2010, 2010 IEEE International Conference on Information Theory and Information Security.

[35]  Jaydip Sen,et al.  Security and Privacy Issues in Cloud Computing , 2013, ArXiv.