Federated Identity Architecture of the European eID System

Federated identity management is an approach that lets collaborating entities manage identity processes and policies without centralized control. Many federated identity solutions exist today, but most of them cover different aspects of the identification problem and in some cases solve only specific problems. None of these initiatives has therefore consolidated into a single solution, and this is unlikely to change in the near future. To help users choose a suitable solution, we analyze different federated identity approaches, describe their main features, and compare them. The problem is even harder when multiple organizations or countries already operate legacy eID systems, as is the case in Europe. In this paper we also present the European eID solution, a purely federated identity system that aims to serve almost 500 million people and that could be extended in the mid term to company eIDs. The system is now being deployed at the EU level; we present its basic architecture and evaluate its performance and scalability, showing that the solution is feasible from a performance point of view while keeping security constraints in mind. The results show good performance of the solution in local, organizational, and remote environments.
