This document provides an overview of electronic identity and identity management systems. It discusses the need for electronic identity, how identity management systems work by separating identity and service providers, and the benefits of identity federations where multiple identity providers can authenticate users. It also describes some key concepts like attributes, assertions, and levels of assurance. STORK 2.0 is introduced as a large European project for cross-border authentication using electronic identities. Finally, the document outlines the agenda for an introductory session on these topics, including a discussion of the Interconnection Supporting Service.
Transformation from Identity Stone Age to Digital Identity (IJNSA Journal)
Technological convergence, political interests and business drivers have created the means to establish individual characterization and personalization. People started raising concerns about multiple identities managed across various zones, and various solutions were designed in response. Technological advancement has brought a range of issues and concerns around identity assurance, privacy and a policy-enabled common authentication framework. A comprehensive framework is needed to establish a common identity model that addresses national needs such as standards, regulation and laws, minimum risk and interoperability, and that provides users with a consistent context and user experience.
This document focuses on the transformation path from the identity stone age to identity in its present state. It defines a digital identity zone model (DIZM) to show the global identity defined across the ecosystem, and provides insight into emerging technology trends that enable identity assurance, privacy and a policy-enabled common authentication framework.
This paper explains the importance of data security through identity management. Businesses must do everything practical to protect their data and IT systems from malicious parties. Attackers have many tools and methods at their disposal, such as phishing, to steal identity data and compromise IT systems for malicious purposes. Even failures by an organization's own IT department to protect against malicious use by its own employees have resulted in significant financial losses. These losses could have been prevented had adequate identity management steps been taken. Technologies such as a centralized identity management system, directory services, or federated identity management protect a user's private information and effectively control access to business systems. Many core IT business systems and cloud service providers can leverage these identity management technologies to provide data security and secure access control.
Identity is at the root of who we are as individuals when it comes to matters of trust, says Gareth Niblett, Chair of the BCS Information Security Specialist Group.
Organizations in both public and private sectors are realizing the value of identity and access management technology to address mission-critical needs, to ensure appropriate access to resources across heterogeneous technology environments, and to meet rigorous compliance requirements. A well-designed identity management system is fundamental to enabling better information sharing, enhancing privacy protection, and connecting the diverse web of public and private sector agencies involved in the delivery of today's public services. This article provides an overview of the identity and access management literature. It analyzes the business drivers, trends, issues and challenges associated with the implementation of such systems. It then presents a strategic framework and an overall ecosystem for the implementation of identity and access management systems in different application contexts. It also introduces possible strategies and solutions for the development of a federated national identity infrastructure. Finally, it sheds light on a recent government implementation in the United Arab Emirates that was launched to develop a modern identity management infrastructure to enable digital identities and support their application in e-government and e-commerce contexts.
ADoCSI: Towards a Transparent Mechanism for Disseminating Certificate Status ... (John ILIADIS)
Invited lecture, PhD Workshop held at the Department of Information and Communication Systems Engineering, University of the Aegean, Samos, Greece, October 2003.
The Identity of Things: Privacy & Security Concerns (Simon Moffatt)
The 'Identity of Things' (IDoT) is fast becoming a critical component of the modern web.
Previously "dumb" devices are being upgraded with persistent network connectivity, enabling automatic data generation and facilitating interaction with other devices and people. Whilst this can bring significant benefits in the form of personalised content and customised environmental and manufacturing settings, it also brings several concerns regarding data privacy, security and control.
Investigation of Blockchain Based Identity System for Privacy Preserving Univ... (ijtsrd)
Existing blockchain-based identity systems are analyzed in the context of university identity management requirements. A private or consortium blockchain is more suitable for an identity system to be used by a university, since the transparency of public blockchains raises concerns for privacy and confidentiality. The most important issue is that the volume of data generated can be very large, exceeding the practical storage capabilities of current blockchain deployments. Existing identity systems do not fit well with what a university identity management system really needs, and in particular the issue of effective consent revocation remains open: the append-only storage of a blockchain can be a barrier to implementing revocability of consent. Some private blockchain-based systems also carry a potential vendor lock-in effect. A hybrid identity system is therefore suggested for university identity management. Kyaw Soe Moe | Mya Mya Thwe, "Investigation of Blockchain Based Identity System for Privacy Preserving University Identity Management System", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-3, Issue-6, October 2019, URL: https://www.ijtsrd.com/papers/ijtsrd28095.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/28095/investigation-of-blockchain-based-identity-system-for-privacy-preserving-university-identity-management-system/kyaw-soe-moe
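The two obstacles the abstract names, consent revocation on append-only storage and privacy of records on a transparent ledger, can both be shown on a small hash-chained log. The following Python example is added here and is not code from the paper; the ledger, the pseudonym key, the relying-party and purpose names and the student identifier are all constructed for the demonstration. Revocation is implemented the only way an append-only store allows, as a later record that supersedes the grant, and the current consent state is derived by replaying the log; subjects are written to the log only as keyed pseudonyms.

```python
import hashlib
import hmac
import json

# Constructed secret held by the university and never written to the ledger.
# Subjects appear on the ledger only as keyed pseudonyms, so a reader of a
# shared or transparent ledger cannot map records back to a student id.
PSEUDONYM_KEY = b"constructed-pseudonym-key"


def pseudonym(subject: str) -> str:
    return hmac.new(PSEUDONYM_KEY, subject.encode(), hashlib.sha256).hexdigest()


def record_hash(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Append-only, hash-chained list of consent events. Records are never
    edited or deleted; a revocation is a new record that supersedes the grant."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []

    def append(self, subject, relying_party, purpose, action):
        if action not in ("grant", "revoke"):
            raise ValueError("action must be 'grant' or 'revoke'")
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        record = {"seq": len(self.records), "prev": prev, "subject": pseudonym(subject),
                  "rp": relying_party, "purpose": purpose, "action": action}
        record["hash"] = record_hash(record)
        self.records.append(record)
        return record["hash"]

    def head(self) -> str:
        """Hash of the latest record. Publish or anchor it elsewhere: chain
        verification alone cannot detect that the tail has been cut off."""
        return self.records[-1]["hash"] if self.records else self.GENESIS

    def verify_chain(self) -> bool:
        """Detects any in-place edit: each record commits to its predecessor,
        so rewriting an earlier record breaks every hash after it."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev or record_hash(rec) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

    def current_consents(self, subject):
        """Derive present state by replaying the log: the latest record for
        each (relying party, purpose) pair wins, so a revocation is effective
        even though the original grant is still physically present."""
        pid = pseudonym(subject)
        state = {}
        for rec in self.records:
            if rec["subject"] == pid:
                state[(rec["rp"], rec["purpose"])] = rec["action"]
        return {pair for pair, action in state.items() if action == "grant"}

    def has_consent(self, subject, relying_party, purpose) -> bool:
        return (relying_party, purpose) in self.current_consents(subject)


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.append("s123", "careers", "cv-sharing", "grant")
    ledger.append("s123", "careers", "cv-sharing", "revoke")
    print(ledger.has_consent("s123", "careers", "cv-sharing"), ledger.verify_chain())
```

The `head()` value matters: deleting the final record (the revocation) leaves a chain that still verifies, so an append-only log is only as good as the external anchor its latest hash is compared against.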
Cartesian assesses the current state of identity management, and outlines the opportunity for trusted service providers such as MNOs, financial institutions and governments to act as “digital identity authorities”.
Directions Answer each question individual and respond with full .docx (mariona83)
Directions: Answer each question individually and respond with full knowledge and understanding. Use 100% original work and turn it in on or before the date requested.
1. How did you apply the knowledge, skills, and attitudes from previous courses to the application of your capstone project? What did you learn from those experiences that prepared you for the capstone?
2. After implementing your capstone, you will have an opportunity to conduct a post-assessment and evaluate the success of the project. Before getting the results, what do you expect to learn from the post-assessment? Do you feel your capstone project was successful? What could you have done differently or improved upon?
3. Now that you have finished your capstone project, reflect on its function, purpose, and success with your classmates. What do you wish you had known before starting? If you wanted to continue the project, what would be your next steps?
4. During this topic, you will compile a leadership portfolio that encapsulates key assignments that helped shape you as a leader. How will this portfolio reflect your vision as a leader? How does it demonstrate your growth throughout the program?
School of Computer & Information Sciences
ITS-532 Cloud Computing
Chapter 5 – Identity as a Service (IDaaS)
Content from:
Primary Textbook: Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.
Secondary Textbook: Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.
Learning Objectives
Describe challenges related to ID management.
Describe and discuss single sign-on (SSO) capabilities.
List the advantages of IDaaS solutions.
Discuss IDaaS solutions offered by various companies.
IDaaS Defined
Identity (or identification) as a service (IDaaS)—Cloud-based approaches to managing user identities, including usernames, passwords, and access. Also sometimes referred to as “identity management as a service.”
Identity and Access Management (IAM)
Identity and Access Management includes the components and policies necessary to control user identity and access privileges.
Authentication
Username/Password, digital signatures, digital certificates, biometrics
Authorization
Granular controls for mapping identities and rights
User Management
Creation and administration of new user identities, groups, passwords, and policies
Credential Management
Establishes identities and access control rules for user accounts
(Erl, 2014)
Single Sign-On (SSO)
Single sign-on (SSO)—A process that allows a user to log into a central authority and then access other sites and services for which he or she has credentials.
Advantages of SSO
Fewer username and password combinations for users to remember and manage
Less password fatigue caused by the stress of managing multiple passwords
Less user time con.
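The federation concepts summarized at the top of this page (separation of identity provider and service provider, attributes, assertions, levels of assurance), the IAM components listed in these slides (authentication, authorization) and the single sign-on flow come together in the following Python example. It is added here and is not from the slides, the textbooks or the STORK project. An identity provider issues an assertion carrying the subject's attributes and level of assurance; the service provider verifies issuer, signature, audience and expiry before mapping the attributes to an access decision. The issuer names, keys, the HMAC that stands in for a real signature, and the resource policy are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed federation: the identity providers (IdPs) this service provider
# (SP) trusts, keyed by issuer name. HMAC keys stand in for the IdP signing
# keys a SAML or OIDC federation would use; both sides share the key here only
# to keep the example dependency-free (assumption).
TRUSTED_IDPS = {
    "idp-a.example": b"constructed-key-for-idp-a",
    "idp-b.example": b"constructed-key-for-idp-b",
}

# Constructed SP policy: resource -> (minimum level of assurance, allowed affiliations).
POLICY = {
    "/library": (1, {"student", "staff"}),
    "/grades/edit": (2, {"staff"}),
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_claims(claims: dict) -> bytes:
    # Canonical serialisation so issuer and verifier MAC exactly the same bytes.
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, subject, attributes, loa, audience, ttl=300, now=None):
    """IdP side: bind subject, attributes and level of assurance (LoA) to one
    audience and a short validity window, then authenticate the whole thing."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "attrs": attributes, "loa": loa,
              "aud": audience, "iat": now, "exp": now + ttl}
    payload = encode_claims(claims)
    tag = hmac.new(TRUSTED_IDPS[issuer], payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(tag)


def verify_assertion(token, audience, now=None):
    """SP side. Returns (claims, "ok") or (None, reason). Every check runs
    before any attribute carried in the assertion is trusted."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
        claims = json.loads(payload)
        if not isinstance(claims, dict):
            raise ValueError("claims must be an object")
    except (ValueError, TypeError):
        return None, "malformed"
    issuer = claims.get("iss")
    key = TRUSTED_IDPS.get(issuer) if isinstance(issuer, str) else None
    if key is None:
        return None, "untrusted issuer"       # not a member of the federation
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None, "bad signature"          # claims altered after issuance
    if claims.get("aud") != audience:
        return None, "wrong audience"         # assertion meant for another SP
    if now >= claims.get("exp", 0):
        return None, "expired"
    return claims, "ok"


def authorize(claims, resource):
    """Map the asserted LoA and attributes to a local access decision."""
    min_loa, allowed = POLICY[resource]
    if claims["loa"] < min_loa:
        return False
    return bool(set(claims["attrs"].get("affiliation", [])) & allowed)


def tamper(token, **changes):
    """What an attacker holding a valid assertion tries: edit the claims and
    keep the original tag. Provided so the rejection path can be exercised."""
    payload_b64, tag_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return b64url_encode(encode_claims(claims)) + "." + tag_b64


if __name__ == "__main__":
    t = issue_assertion("idp-a.example", "alice", {"affiliation": ["student"]}, 1, "sp.example")
    claims, status = verify_assertion(t, "sp.example")
    print(status, authorize(claims, "/library"), authorize(claims, "/grades/edit"))
    print(verify_assertion(tamper(t, loa=2, attrs={"affiliation": ["staff"]}), "sp.example")[1])
```

The audience check is the one most often skipped in hand-rolled SSO: without it, an assertion obtained from one service provider in the federation can be replayed at any other.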
Security for Future Networks: A Prospective Study of AAIs (idescitation)
The future Internet will rely heavily on virtualization and cloud networking. The project Security for Future Networks (SecFuNet) proposes the design of a framework providing secure identification and authentication, secure data transfer and a secure virtualized infrastructure. In this paper we present some of the most important identity management models and frameworks currently available and compare them. Initially we identified the OpenID, Higgins and Shibboleth frameworks as those providing facilities closest to our proposals and requirements. As the literature survey progressed, more frameworks were included in the study, which allowed us to expand our state of the art on IdM. In our study, some features are highlighted and related to our objectives.
INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES (IJNSA Journal)
Information assurance is at the core of every initiative that an organization executes. For online universities, a common and complex initiative is maintaining the user lifecycle and providing seamless access using one identity in a large virtual infrastructure. To achieve information assurance, the management of user privileges affected by events in the user's identity lifecycle needs to be the determining factor for access control. While the implementation of identity and access management systems makes this initiative feasible, it is the construction and maintenance of the infrastructure that makes it complex and challenging. The objective of this paper is to describe the complexities and propose a practical approach to building a foundation for a consistent user experience and realizing security synthesis in online universities.
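The abstract's central claim, that lifecycle events rather than ad hoc grants should determine access, is easiest to see in code. The Python example below is added here and is not from the paper; the role model, entitlement names and lifecycle states are constructed. Entitlements are never assigned directly: every event updates only state and roles, and the effective access is recomputed from those, so a role change or termination cannot leave stale privileges behind. `process()` returns the delta, which is what a provisioning connector or audit log would consume.

```python
from dataclasses import dataclass, field

# Constructed role model for an online university: role -> entitlements.
ROLE_ENTITLEMENTS = {
    "applicant": {"portal:apply"},
    "student": {"lms:enrol", "library:read", "portal:apply"},
    "staff": {"lms:teach", "grades:edit", "library:read"},
    "alumnus": {"alumni:portal"},
}


@dataclass
class Identity:
    uid: str
    state: str = "pending"              # pending -> active <-> suspended -> terminated
    roles: set = field(default_factory=set)


def apply_event(identity, event, role=None):
    """Lifecycle transitions. Entitlements are never edited here; they are
    recomputed from state and roles by effective_access()."""
    if identity.state == "terminated":
        raise ValueError("terminated identities are final; issue a new identity instead")
    if event == "activate" and identity.state == "pending":
        identity.state = "active"
    elif event == "add_role" and role in ROLE_ENTITLEMENTS:
        identity.roles.add(role)
    elif event == "remove_role":
        identity.roles.discard(role)
    elif event == "suspend" and identity.state == "active":
        identity.state = "suspended"
    elif event == "reinstate" and identity.state == "suspended":
        identity.state = "active"
    elif event == "terminate":
        identity.state = "terminated"
        identity.roles.clear()
    else:
        raise ValueError(f"event {event!r} (role={role!r}) not allowed in state {identity.state!r}")
    return identity


def effective_access(identity):
    """The only source of truth for what the account may do right now:
    nothing unless active, otherwise the union of its current roles."""
    if identity.state != "active":
        return set()
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in identity.roles))


def access_delta(before, after):
    """What changed, for provisioning connectors and audit logs."""
    return {"granted": sorted(after - before), "revoked": sorted(before - after)}


def process(identity, event, role=None):
    """Apply one lifecycle event and return the resulting entitlement delta."""
    before = effective_access(identity)
    apply_event(identity, event, role)
    return access_delta(before, effective_access(identity))


if __name__ == "__main__":
    u = Identity("u42")
    for ev, role in [("activate", None), ("add_role", "student"),
                     ("remove_role", "student"), ("add_role", "staff"), ("terminate", None)]:
        print(ev, role, process(u, ev, role))
```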
Blockchain for Education: Lifelong Learning Passport. Wolfgang Gräther & others (eraser Juan José Calderón)
Blockchain for Education: Lifelong Learning Passport
Wolfgang Gräther, Sabine Kolvenbach, Rudolf Ruland (Fraunhofer FIT, Sankt Augustin, Germany; graether@fit.fraunhofer.de, kolvenbach@fit.fraunhofer.de, rudolf.ruland@fit.fraunhofer.de)
Julian Schütte, Florian Wendland (Fraunhofer AISEC, Garching, Germany; schuette@aisec.fraunhofer.de, wendland@aisec.fraunhofer.de)
Christof Ferreira Torres (University of Luxembourg, Luxembourg; christof.torres@uni.lu)
Today, with the advancement of technology, the number of devices, applications, and users is also growing. It is critical to have a solid Identity and Access Management (IAM) solution to manage these digital identities and limit the risk of connections. SailPoint is a pioneer in the field. Therefore, the demand for experts knowledgeable in secure Identity and Access Management (IAM) technologies such as SailPoint has surged. Many reputable firms provide fantastic opportunities for these professionals with a variety of packages.
Presentation given by Dr K Subramanian, Director and Professor, Advance Centre for Informatic and Innovative Learning IGNOU on August 3rd, 2011 at eWorld Forum (www.eworldforum.net) in the session Information Management and Security
Subtitled "key concepts you need to become your institution's local expert", this presentation outlines the concepts and terminology of Federated Access Management and how it works. Prepared and presented at the CPD25 seminar Access to e-resources: are you ready for Shibboleth?, 21 May 07, London
1. Original Post by Catherine Johnson: Cryptographic Methods (CSantosConleyha)
1. Original Post by Catherine Johnson
Cryptographic Methods:
Cryptography is the science of concealing information or encrypting information. Computers use complex cryptographic algorithms to enable data protection, data hiding, integrity checks, nonrepudiation services, policy enforcement, key management and exchange, and many more (Conklin, 2018). Cryptography is classified into three types: symmetric cryptography, asymmetric cryptography, and hash functions.
Symmetric cryptography is also known as secret-key cryptography. It uses a single key to encrypt and decrypt data, making it the simplest type of cryptography. Plaintext with the key produces the ciphertext; similarly, the ciphertext with the key produces the plaintext. "Symmetric encryption is useful for protecting data between parties with an established shared key and is also frequently used to store confidential data" (Burnett & Foster, 2004). This type of cryptography is suited for bulk encryption as it is fast and easy.
Asymmetric cryptography is also known as public-key cryptography. In this method, two keys are used to encrypt data. One for encoding and the other for decoding. One of the two keys stays private while the other is shared. The algorithms are based on integer factorization and discrete logarithmic problems. This encryption method is used for authentication and confidentiality.
The hash function is a special mathematical function. It performs a one-way function, which means that once the algorithm is processed, there is no feasible way to use the ciphertext to retrieve the plaintext that was used to generate it (Conklin, 2018). Hashes provide confidentiality but not integrity because even though we cannot determine the original text, we can ascertain the modified text. These are utilized in programs, text messages, and operating systems files.
Public Key Infrastructure (PKI):
It is an infrastructure that enables users to communicate securely. PKI uses the asymmetric method: one private key and one public key. The public key can only decrypt the file encrypted by the private key, which affirms that the receiver's and the sender's information is secure during a transaction. The challenges PKI faces are the storage and protection of the keys. The encryption keys can be stolen or become unrecoverable depending on the measures taken to store them. Additionally, failure to issue and renew certificates can cause large-scale connectivity issues.
Physical Security:
Physical security needs to be maintained to prevent attackers from gaining access to steal data. Physical security is essential in an organization to prevent unauthorized individuals from causing harm to the business. If systems and devices are physically accessed, all files, data, information, and networks can be compromised. Granting limited access to employees to computer rooms or server rooms can prevent theft and help with intentional and unintentional damages. Perimeter security is also important, especially for sites ...
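As an added example that is not part of the forum post above, the following Python script (standard library only) exercises the hash-function side of that discussion on constructed inputs: a plain digest detects modification but can be recomputed by anyone who can also replace the message, an HMAC with a shared key cannot, a digest over a small input space such as a four-digit PIN can be enumerated, and a salted, iterated PBKDF2 is what is used when hashes protect stored secrets. The messages, key and PIN are constructed for the example.

```python
import hashlib
import hmac
import os


def fingerprint(data: bytes) -> str:
    """Unkeyed hash. Anyone can compute it, so it proves integrity only when
    the digest itself reaches the verifier over a channel the attacker cannot alter."""
    return hashlib.sha256(data).hexdigest()


def verify_fingerprint(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(fingerprint(data), expected_hex)


def tag(key: bytes, data: bytes) -> str:
    """Keyed hash (HMAC): proves integrity and origin to a holder of the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected_hex)


def invert_small_input(digest_hex: str, candidates):
    """A hash is one-way, but when the input space is small (a 4-digit PIN,
    a phone number) the preimage is found by trying every candidate."""
    for candidate in candidates:
        if hmac.compare_digest(fingerprint(candidate), digest_hex):
            return candidate
    return None


def hash_password(password: bytes, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash for stored secrets: the random salt defeats
    precomputed tables and the iteration count makes enumeration expensive."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return salt.hex() + "$" + str(iterations) + "$" + digest.hex()


def verify_password(password: bytes, stored: str) -> bool:
    salt_hex, iterations, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac("sha256", password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed messages: an attacker who can replace the message can also
    # replace an unkeyed digest, but not a tag made with a key they lack.
    msg, forged, key = b"transfer 100 to alice", b"transfer 900 to mallory", b"constructed-shared-key"
    print("plain digest still matches forged message:", verify_fingerprint(forged, fingerprint(forged)))
    print("HMAC over forged message matches original tag:", verify_tag(key, forged, tag(key, msg)))
    pins = (str(i).zfill(4).encode() for i in range(10_000))
    print("PIN recovered from its hash:", invert_small_input(fingerprint(b"4821"), pins))
```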
Physical Security:
Physical security needs to be maintained to prevent attackers from gaining access to steal data. Physical security is essential in an organization to prevent unauthorized individuals from causing harm to the business. If systems and devices are physically accessed, all files, data, information, and networks can be compromised. Granting limited access to employees to computer rooms or server rooms can prevent theft and help with intentional and unintentional damages. Perimeter security is also important, especially for sites ...
1. Original Post by Catherine JohnsonCryptographic MethodsCAbbyWhyte974
1. Original Post by Catherine Johnson
Cryptographic Methods:
Cryptography is the science of concealing information or encrypting information. Computers use complex cryptographic algorithms to enable data protection, data hiding, integrity checks, nonrepudiation services, policy enforcement, key management, and exchange, and many more (Conklin, 2018). Cryptography is classified into three types symmetric cryptography, asymmetric cryptography, and hash functions
Symmetric cryptography is also known as secret-key cryptography. It uses a single key to encrypt and decrypt data making it the simplest type of cryptography. A plain text with the key produces the same cipher similarly, the ciphertext with the key produces the plain text. "Symmetric encryption is useful for protecting data between parties with an established shared key and is also frequently used to store confidential data" (Burnett & Foster, 2004). This type of cryptography is suited for bulk encryption as it is fast and easy.
Asymmetric cryptography is also known as public-key cryptography. In this method, two keys are used to encrypt data. One for encoding and the other for decoding. One of the two keys stays private while the other is shared. The algorithms are based on integer factorization and discrete logarithmic problems. This encryption method is used for authentication and confidentiality.
The hash function is a special mathematical function. It performs a one-way function, which means that once the algorithm is processed, there is no feasible way to use the ciphertext to retrieve the plaintext that was used to generate it (Conklin, 2018). Hashes provide confidentiality but not integrity because even though we cannot determine the original text, we can ascertain the modified text. These are utilized in programs, text messages, and operating systems files.
Public Key Infrastructure (PKI):
It is an infrastructure that enables users to communicate securely. PKI uses the asymmetric method; one private key and one public key. The public key can only decrypt the file encrypted by the private key, which affirms the receiver and the sender's information is secure during a transaction. The challenges PKI face is the storage and protection of the keys. The encryption keys can be stolen or unrecoverable based on the measures taken to store them. Additionally, failure to issue and renew certificates can cause large-scale connectivity issues.
Physical Security:
Physical security needs to be maintained to prevent attackers from gaining access to steal data. Physical security is essential in an organization to prevent unauthorized individuals from causing harm to the business. If systems and devices are physically accessed, all files, data, information, and networks can be compromised. Granting limited access to employees to computer rooms or server rooms can prevent theft and help with intentional and unintentional damages. Perimeter security is also important, especially for sites ...
Information security plays an important role in
governments. Its realm has been increased nowadays, especially
with resent viruses’ attacks in different governmental
organizations. The authentication is aspect of information
security, its current scheme used nowadays in the systems is
depend on the login by user name and password in addition to
one-time password or traditional secret questions, which in turn
is usually easy to predicate. This paper proposes enhanced
knowledge based authentication solution which ensures and
provides more security and usability levels for governmental
organizations.
1. i4M Lab
1
ΕΛ/ΛΑΚ Centres of Excellence (ΜΑ. ΕΛΛΑΚ)
Open Source School ΕΛ/ΛΑΚ: e-Identity & e-Government
(Electronic identity in Public Administration and Local Government)
UAegean Center of Excellence (CoE) – Open Source Software in Transport
and Shipping
University of the Aegean
Dpt of Financial and Management Engineering & Dpt of Shipping and Transportation Services
Session: I
Stelios Lelis , i4M Lab, UAegean
Harris Papadakis, i4M Lab, UAegean
@ i-nformation M-anagement Lab
i4M Lab
2. i4M Lab
Seminar profile
The University of the Aegean, within the project Centres of Excellence for Free Software / Open Source Software (ΕΛ/ΛΑΚ)1, organizes an Open Source School ΕΛ/ΛΑΚ on the topic "e-Identity & e-Government (Electronic identity in Public Administration and Local Government)".
1 The sub-project Centres of Excellence ΕΛ/ΛΑΚ is implemented within the project "Electronic Services for the Development and Dissemination of Open Source Software" of the "Digital Convergence" Programme. The project is co-financed by the ERDF (ΕΤΠΑ).
2
3. i4M Lab
Today, 03.11.2015
3
Introductory session: Electronic
Identity: Organization and
Fundamentals, STORK2.0,
Interconnection Supporting Service
16:00 - 20:00, 4 hours
Στέλιος Λέλης
Χαράλαμπος Παπαδάκης
4. i4M Lab
Online tools and more
Many; we will inform you progressively
For now, the main reference for the course material is
https://openeclass.aegean.gr/courses/OPENSOURCE102/
... and for communication:
seminar e-mailing list: e-identity-iss-community@googlegroups.com
Teaching and coordination team
Στέλιος Λέλης
Χάρης Παπαδάκης
Πέτρος Καβάσαλης
4
5. i4M Lab
INTRODUCTORY SESSION: ELECTRONIC
IDENTITY: ORGANIZATION AND FUNDAMENTALS,
STORK2.0, INTERCONNECTION SUPPORTING
SERVICE
Session I
5
6. i4M Lab
Session I: agenda
Electronic Government – Electronic Identity: Organization
and Fundamentals
STORK2.0
Interconnection Supporting Service
6
7. i4M Lab
Session I: agenda
Electronic Government – Electronic Identity: Organization
and Fundamentals
STORK2.0
Interconnection Supporting Service
7
9. i4M Lab
electronic Identity
An “Electronic identity” is a means for people to prove electronically that they are who
they say they are and thus gain access to services. The identity allows an entity
(citizen, business, administration) to be distinguished from any other.
It is the representation of an entity (or group of entities) in the form of one or more
information elements which allow the entity(s) to be uniquely recognized within a
context to the extent that is necessary (for the relevant applications).
A person’s (digital) identity comprises a set of attributes, and only a subset of these
attributes are necessary to allow the person to be sufficiently recognized within a given
context.
Examples: TaxisNet, University account, Facebook account, Google account
9
10. i4M Lab
needs and motives
Citizens and businesses need to have an electronic presence
protected from abuse and misuse
confirming unequivocally who they are in electronic transactions
with different forms according to their wishes
o e.g. in certain circumstances, a person might wish to present himself as the CEO
of a company and in a separate context as the beneficiary of a health insurance.
They need to have available descriptions of themselves.
a citizen filling in an online administrative form, a business offering a service
or preparing a tender, or an administration wishing to share information…
should all be able to dispense with the time wasting and cost involved in
forever answering the same questions in ever more forms
the corresponding data should be trusted and considered authentic
10
11. i4M Lab
main benefits
Supporting e-services
Improving security in terms of accountability
Generating economies of scale
Increasing administrative efficiency and reducing costs
Reducing the burden when engaging with the administration
Limiting possibilities for fraud, identity theft and phishing
Supporting mutual recognition of documents and certificates in cross-
sector and cross-border situations.
11
13. i4M Lab
identity management systems
Identity Management
The whole process of managing users’ identity information
Identity Management Systems
A set of functions and capabilities (e.g. administration, management and
maintenance, discovery, communication exchanges, correlation and binding,
policy enforcement, authentication and assertions) used for:
o assurance of identity information (e.g., identifiers, credentials, attributes);
o assurance of the identity of an entity (e.g., users/subscribers, groups, user
devices, organizations, network and service providers, network elements and
objects, and virtual objects)
o enabling business and security applications.
13
14. i4M Lab
separating identity and service provider
Identity Provider (IdP)
Responsible for (a) providing identifiers for users looking to interact with a
system, and (b) asserting to such a system that such an identifier presented
by a user is known to the provider, and (c) possibly providing other
information about the user that is known to the provider
14
15. i4M Lab
advantages of having separate IdPs
For the service providers (SP):
They can focus on products and services, not on identity management
A higher number of potential users.
Users are demanding federated services. No more sign-in processes.
For the identity providers (IdP):
They are becoming key entities on the Internet
They can specialize on providing several authentication mechanisms and
privacy policies
They obtain a lot of information about user activities and user profiles.
15
16. i4M Lab
adding attribute providers
Attribute Provider (AP)
Responsible for (a) providing identity information for users looking to interact
with a system, and (b) asserting to such a system that such information
presented by a user is known to the provider
16
17. i4M Lab
need to federate identity
How many different user accounts do you have?
University, Enterprise, Google, Facebook, Twitter, LinkedIn…
How many different passwords?
This is a usual “sign in” process:
You choose a username, a password and provide additional data
The account is activated through clicking on a link received by mail
Now you can access to the service providing your credentials
Repeat these steps for all the services you want to be part of.
There is a need to federate and to manage the identity
17
18. i4M Lab
identity federations
An identity federation is a collection of organizations that agree to
interoperate under a certain rule set.
The rule set typically consists of legal frameworks, policies and technical
profiles and standards. It provides the necessary trust and security to
exchange identity information to access services within the federation
Supported by a set of technologies and processes that let computer systems
dynamically distribute identity information and delegate identity tasks across
security domains.
Users are distributed among several identity management systems
There are different IdPs and APs
The existing IdPs and APs can be based on different technologies internally,
but they must agree on a common language for external communication
18
21. i4M Lab
organization and function II
8 different steps:
1. The resource is requested from the SP
2. The user is redirected to the SSO service
3. The user is authenticated by the IdP at the SSO service
4. A response containing the Authentication Statement is returned
5. The response is forwarded to the assertion consumer service
6. Once the assertions are verified, the user is redirected
7. A new request is made to the SP, including the authorization assertions
8. The user obtains the requested service
21
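The eight steps above, run end to end as an added example (this is illustrative Python, not STORK, Shibboleth or SAML library code). A real federation signs XML assertions with XML-DSig and X.509 keys; here an HMAC-SHA256 over canonical JSON stands in for the signature so that every check the assertion consumer service must perform (signature, issuer, audience, expiry, binding to the original request, replay) can be run offline. The entity IDs, key and user store are constructed.

```python
"""Toy SP-initiated SSO flow: IdP issues a signed Authentication Statement,
SP's assertion consumer service verifies it before granting the resource."""
import hashlib
import hmac
import json
import secrets
import time

SP_ENTITY_ID = "https://sp.example.org/metadata"   # constructed SP entityID
IDP_ENTITY_ID = "https://idp.example.org/idp"      # constructed IdP entityID
IDP_KEY = b"constructed-idp-signing-key"           # stand-in for the IdP signing key


def sign(assertion, key):
    """Stand-in for XML-DSig: HMAC over a canonical serialisation of the assertion."""
    canonical = json.dumps(assertion, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Steps 3-4: authenticate the user and return a signed Authentication Statement."""

    def __init__(self, key, users):
        self.key = key
        self.users = users  # username -> {"password": ..., "attributes": {...}} (constructed)

    def authenticate(self, username, password):
        user = self.users.get(username)
        return user is not None and hmac.compare_digest(
            user["password"].encode(), password.encode())

    def issue_response(self, authn_request, username, password, lifetime=300, now=None):
        if not self.authenticate(username, password):
            return None
        now = time.time() if now is None else now
        assertion = {
            "ID": "_" + secrets.token_hex(16),
            "Issuer": IDP_ENTITY_ID,
            "Subject": username,
            "Audience": SP_ENTITY_ID,               # only this SP may accept the assertion
            "InResponseTo": authn_request["ID"],   # binds the response to the SP's request
            "NotOnOrAfter": now + lifetime,
            "Attributes": self.users[username]["attributes"],
        }
        return {"Assertion": assertion, "Signature": sign(assertion, self.key)}


class ServiceProvider:
    """Steps 1-2 and 5-8: issue the request, then verify the assertion at the ACS."""

    def __init__(self, idp_key):
        self.idp_key = idp_key
        self.outstanding = {}           # request ID -> requested resource
        self.consumed_assertions = set()  # replay cache for assertion IDs

    def build_authn_request(self, resource):
        request_id = "_" + secrets.token_hex(16)
        self.outstanding[request_id] = resource
        return {"ID": request_id, "Issuer": SP_ENTITY_ID}

    def consume_response(self, response, now=None):
        """Assertion consumer service: returns (ok, reason_or_session_info)."""
        now = time.time() if now is None else now
        assertion = response["Assertion"]
        if not hmac.compare_digest(response["Signature"], sign(assertion, self.idp_key)):
            return False, "signature invalid"
        if assertion["Issuer"] != IDP_ENTITY_ID:
            return False, "unknown issuer"
        if assertion["Audience"] != SP_ENTITY_ID:
            return False, "assertion not intended for this SP"
        if now >= assertion["NotOnOrAfter"]:
            return False, "assertion expired"
        if assertion["ID"] in self.consumed_assertions:
            return False, "assertion replayed"
        resource = self.outstanding.pop(assertion["InResponseTo"], None)
        if resource is None:
            return False, "unsolicited response or request ID already used"
        self.consumed_assertions.add(assertion["ID"])
        return True, {"subject": assertion["Subject"],
                      "attributes": assertion["Attributes"], "resource": resource}


USERS = {"alice": {"password": "constructed-pw",
                   "attributes": {"isStudent": "true", "eduPersonAffiliation": "student"}}}


def run_flow(sp, idp, username, password, resource="/journal/article-1"):
    """Steps 1-8 in order; returns the ACS verdict and, on success, the session info."""
    request = sp.build_authn_request(resource)                  # steps 1-2
    response = idp.issue_response(request, username, password)  # steps 3-4
    if response is None:
        return False, "authentication failed"
    return sp.consume_response(response)                        # steps 5-8


if __name__ == "__main__":
    print(run_flow(ServiceProvider(IDP_KEY), IdentityProvider(IDP_KEY, USERS),
                   "alice", "constructed-pw"))
```

The order of the checks matters: the signature is verified before anything in the assertion is trusted, and the request ID is consumed only after the assertion has passed every other check, so a stale or replayed response cannot burn a legitimate outstanding request.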
22. i4M Lab
a practical example
Shibboleth
Shibboleth is among the world's most widely deployed federated
identity solutions, connecting users to applications both within and
between organizations. Every software component of the Shibboleth
system is free and open source.
https://shibboleth.net/
Accessing content on Springer web site with a University Account…
http://link.springer.com/chapter/10.1007/3-540-45636-8_4
22
23. i4M Lab
Session I: agenda
Electronic Government – Electronic Identity: Organization
and Fundamentals
STORK2.0
Interconnection Supporting Service
23
24. i4M Lab
Attribute-Based Electronic Identification
24
Figure: the attribute-based identification model shown on the slide.
Entities (Οντότητες): Citizen, Representative
Identification element (Στοιχείο Ταυτοποίησης), made up of:
o Identifiers (Αναγνωριστικά): Identification Number, ΑΦΜ (tax number), ΑΜΚΑ (social security number)
o Basic attributes (Βασικά Χαρακτηριστικά): Name, Surname, Date of Birth
o Properties and attributes (Ιδιότητες, Χαρακτηριστικά): Authorizations (e.g. of a company), Role (e.g. lawyer, doctor), Academic Titles
27. i4M Lab
LoA eIDAS
27
Assurance level | Elements needed
Low | - The electronic identification means shall utilise at least one authentication factor.
    | - The electronic identification means shall be designed so that it can be assumed to be used only if under the control of the subject to whom it belongs.
Substantial | - The electronic identification means shall utilise at least two authentication factors from different authentication factor categories.
            | - The electronic identification means shall be designed so that it can reasonably be assumed to be used only if under the control of the subject to whom it belongs.
High | - The electronic identification means shall utilise at least two authentication factors from different authentication factor categories and protect the electronic identification means against duplication and tampering.
     | - The electronic identification means shall be designed so that it can be reliably protected by the subject to whom it belongs against use by others.
Electronic identification means characteristics and design
Commission Implementing Regulation (EU) 2015/1502
28. i4M Lab
Quality Assurance Levels of Electronic Identification (eIDAS QAA)
28
STORK QAA | eIDAS assurance level | Elements needed
2 | Low | Low reliability (e.g. username/password – one authentication factor)
3 | Substantial | Substantial reliability (e.g. digital certificates – two authentication factors)
4 | High | High reliability (e.g. smart cards / USB token – i.e. dynamic two-factor authentication)
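The two tables above can be turned into a small policy check, which an SP needs when it compares the level an IdP asserts against the level it demands (sp.qaalevel in the Supporting Service configuration uses the STORK numbering). The code below is an added example and not part of the deck, STORK or the eIDAS regulation; it models only the "characteristics and design" rules quoted on the slide (number and category of authentication factors, tamper and duplication protection, protection by the subject), not the regulation's enrolment or management requirements, and the sample means are constructed.

```python
"""Evaluate an electronic identification means against the eIDAS LoA rows
quoted on the slide and map STORK QAA values to eIDAS levels."""
from dataclasses import dataclass

LEVEL_RANK = {"low": 1, "substantial": 2, "high": 3}
STORK_QAA_TO_EIDAS = {2: "low", 3: "substantial", 4: "high"}   # mapping from the slide


@dataclass(frozen=True)
class AuthFactor:
    name: str
    category: str   # "knowledge", "possession" or "inherence"


@dataclass(frozen=True)
class EidMeans:
    factors: tuple                                   # the AuthFactor values it uses
    tamper_and_duplication_protected: bool = False   # e.g. key confined to a secure element
    reliably_protected_by_subject: bool = False      # can be reliably kept from use by others


def eidas_level(means):
    """Apply the three rows of the table; None if no factor is used at all."""
    if not means.factors:
        return None
    categories = {factor.category for factor in means.factors}
    two_distinct = len(means.factors) >= 2 and len(categories) >= 2
    if not two_distinct:
        return "low"              # one factor, or several factors of the same category
    if means.tamper_and_duplication_protected and means.reliably_protected_by_subject:
        return "high"
    return "substantial"


def meets_requirement(level, required):
    """True if the presented level is at least the level the SP requires."""
    return level is not None and LEVEL_RANK[level] >= LEVEL_RANK[required]


def stork_qaa_to_eidas(qaa):
    """Map a STORK QAA value (as in sp.qaalevel) to an eIDAS level; None if unmapped."""
    return STORK_QAA_TO_EIDAS.get(qaa)


# Constructed sample means.
PASSWORD = AuthFactor("password", "knowledge")
SECRET_QUESTION = AuthFactor("secret question", "knowledge")
CARD_PIN = AuthFactor("card PIN", "knowledge")
OTP_APP = AuthFactor("OTP app", "possession")
SMARTCARD = AuthFactor("smart card certificate", "possession")

PASSWORD_ONLY = EidMeans((PASSWORD,))
TWO_SECRETS = EidMeans((PASSWORD, SECRET_QUESTION))    # two factors, but one category
PASSWORD_PLUS_OTP = EidMeans((PASSWORD, OTP_APP))
PIN_SMARTCARD = EidMeans((CARD_PIN, SMARTCARD), True, True)

if __name__ == "__main__":
    for name, means in [("password only", PASSWORD_ONLY), ("two secrets", TWO_SECRETS),
                        ("password + OTP", PASSWORD_PLUS_OTP), ("PIN + smart card", PIN_SMARTCARD)]:
        level = eidas_level(means)
        print(f"{name}: {level}, satisfies STORK QAA 3: "
              f"{meets_requirement(level, stork_qaa_to_eidas(3))}")
```

The "two secrets" case is the one worth noticing: a password plus a secret question is two factors but only one category, so it stays at Low, which is exactly the weakness the table's "different authentication factor categories" wording guards against.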
31. i4M Lab
Countries connected to STORK2.0
31
Austria, Belgium, Czech Republic, Estonia, France, Greece, Iceland, Italy, Lithuania, Luxembourg, Netherlands, Slovenia, England, Turkey, Slovakia, Portugal, Sweden, Switzerland, Spain
32. i4M Lab
Circle of Trust
Each PEPS manages Java keystore files
Trust relationships with third parties are created by including their certificates (or the certificates of the corresponding Certification Authority (CA)) in the PEPS's own keystore file
Each PEPS manages three such keystore files, two of which are dedicated to implementing the circle of trust, while the third is used to store cryptographic material
32
33. i4M Lab
STORK packages
PEPS / VIDP
SAML engine
Signature & DTL
Anonymity
Version Control
MS package
SP package
AP package
33
34. i4M Lab
STORK functionality
StdIDP -standard authentication
AUB - authentication on behalf of
PV- Powers Validation
VIDP - Virtual IDP (for
authentication of Austrian citizens
in portals from other MS)
XHTMLSign - for authentication
of users in Austrian Portals
VC - Version Control
Anonymity (for eAcademia pilot)
DocSign - Digital signature of pdf
documents (indicate the solution
chosen)
DTL - Document Transport Layer
DomSpecAtt - Domain Specific
Attributes (eAcademia Pilot)
Data aggregation/ multiples
values
34
36. i4M Lab
eID - Data model Description
36
Field | Type | Values and comments
eIdentifier | String | NC/NC/xxxxxxxxx… NC = NationalityCode; the first is the country of the eIdentifier, the second the destination country.
givenName | String |
surname | String | inheritedFamilyName / adoptedFamilyName
inheritedFamilyName | String |
adoptedFamilyName | String |
gender | String(1) | F (Female) / M (Male)
nationalityCode | String(2) | ISO 3166-1 alpha-2
maritalStatus | String(1) | S (Single) / M (Married) / P (Separated) / D (Divorced) / W (Widowed)
dateOfBirth | Date (basic format of ISO 8601) | YYYYMMDD / YYYYMM / YYYY
countryCodeOfBirth | String(4) | ISO 3166-3. Please note that this code is equal to ISO 3166-1 alpha-2 in the majority of countries, but includes 4-letter abbreviations for disappeared countries, e.g. DDDE for the DDR or YGCS for Yugoslavia.
……
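A consumer of these attributes (an SP, or an AP feeding them in) should validate each field against the shapes in the table before storing or acting on it. The validator below is an added example, not STORK code: it checks every field exactly as the table states it, but does not embed the ISO 3166 code lists, so nationalityCode and countryCodeOfBirth are checked for shape only (two letters, or the four-letter ISO 3166-3 codes of disappeared countries). Treating givenName and one family name field as required and the remaining fields as optional is an assumption; the sample records are constructed.

```python
"""Syntactic validator for the STORK 2.0 eID data model fields shown above."""
import re
from datetime import datetime

EIDENTIFIER_RE = re.compile(r"^([A-Z]{2})/([A-Z]{2})/([^/]+)$")   # NC/NC/xxxxxxxxx
ALPHA2_RE = re.compile(r"^[A-Z]{2}$")                            # ISO 3166-1 alpha-2 shape
COUNTRY_OF_BIRTH_RE = re.compile(r"^(?:[A-Z]{2}|[A-Z]{4})$")      # alpha-2 or 4-letter 3166-3
GENDER = {"F", "M"}
MARITAL_STATUS = {"S", "M", "P", "D", "W"}
DATE_FORMATS = {8: "%Y%m%d", 6: "%Y%m", 4: "%Y"}                  # YYYYMMDD / YYYYMM / YYYY


def parse_eidentifier(value):
    """Split NC/NC/identifier into (origin country, destination country, identifier)."""
    match = EIDENTIFIER_RE.match(value or "")
    return match.groups() if match else None


def valid_date_of_birth(value):
    """ISO 8601 basic format with reduced precision; rejects impossible dates."""
    fmt = DATE_FORMATS.get(len(value))
    if fmt is None or not value.isdigit():
        return False
    try:
        datetime.strptime(value, fmt)
        return True
    except ValueError:          # e.g. 20150230
        return False


def validate_eid(record):
    """Return a list of problems; an empty list means the record conforms."""
    errors = []
    if parse_eidentifier(record.get("eIdentifier")) is None:
        errors.append("eIdentifier must have the form NC/NC/identifier")
    if not record.get("givenName"):
        errors.append("givenName is required")
    if not (record.get("surname") or record.get("inheritedFamilyName")
            or record.get("adoptedFamilyName")):
        errors.append("surname (or inheritedFamilyName / adoptedFamilyName) is required")
    checks = {
        "gender": lambda v: v in GENDER,
        "nationalityCode": lambda v: bool(ALPHA2_RE.match(v)),
        "maritalStatus": lambda v: v in MARITAL_STATUS,
        "dateOfBirth": valid_date_of_birth,
        "countryCodeOfBirth": lambda v: bool(COUNTRY_OF_BIRTH_RE.match(v)),
    }
    for field, ok in checks.items():
        value = record.get(field)
        if value is not None and not (isinstance(value, str) and ok(value)):
            errors.append(f"{field} has invalid value {value!r}")
    return errors


# Constructed sample records.
GOOD_RECORD = {"eIdentifier": "GR/ES/1234567890", "givenName": "Maria",
               "surname": "Papadopoulou", "gender": "F", "nationalityCode": "GR",
               "maritalStatus": "S", "dateOfBirth": "19850704", "countryCodeOfBirth": "DDDE"}
BAD_RECORD = {"eIdentifier": "GR-ES-1234567890", "givenName": "Nikos",
              "surname": "Petrou", "gender": "X", "nationalityCode": "gr",
              "dateOfBirth": "20150230", "countryCodeOfBirth": "GRC"}

if __name__ == "__main__":
    print(validate_eid(GOOD_RECORD))
    for problem in validate_eid(BAD_RECORD):
        print(problem)
```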
39. i4M Lab
Timeline
39
Figure: STORK 2.0 to eIDAS transition timeline. Dated milestones shown on the slide:
- 17-07-15: Workshop agreement
- 18-09-15: 1st eIDAS compliant CEF eID version
- 30-09-15: STORK ends
- 01-12-15: eIDAS MW Adapter
- 01-03-16: eIDAS Proxy Adapter
- 30-03-16: eSENS ends
- 18-09-18: Mandatory eID recognition
Work items shown on the slide (numbered 1 to 16 in the figure): STORK 2.0 Governance & Maintenance handover; State of play (Organisation and name); STORK 2.0 knowledge transfer; Dissemination plan; Press release on the future of STORK 2.0; eIDAS MW adapter; STORK 1.0 phase out; Define technical solution; STORK 2.0 features analysis and prioritisation; Press release on the future of eSENS; eIDAS technically compliant version go live; Knowledge transfer; eIDAS node with STORK 2.0 features; eIDAS node with other features; CEF eID packaged; eIDAS proxy adapter.
40. i4M Lab
Greek STORK 2.0 Network
40
Figure: Greek organisations connected to STORK 2.0: ΓΕΜΗ (General Commercial Registry), ΑΙΓΑΙΟΥ (Aegean), ΕΡΜΗΣ (Ermis government portal), ΕΔΕΤ (GRNET), World Bridge, NBG, eProcurement, ΔΟΑΤΑΠ (Hellenic NARIC), ΓΕΕΘΑ (Hellenic National Defence General Staff), ΑΣΕΠ (Supreme Council for Civil Personnel Selection), Αρχαιολογικό (Archaeological), Κτηματολόγιο (Cadastre), Παρατηρητήριο Η/Μ Ακτινοβολιών (Electromagnetic Radiation Observatory)
41. i4M Lab
Session I: agenda
Electronic Government – Electronic Identity: Organization
and Fundamentals
STORK2.0
Interconnection Supporting Service
41
42. i4M Lab
The STORK 2.0 Interconnection Supporting
Service
STORK 2.0 Supporting Service (SS) is a middle man between the
STORK 2.0 system and any Domain Application (DA) that does not want to
implement the STORK 2.0 protocol.
Essentially it translates STORK 2.0 requests back and forth into whatever
other protocol the DA uses.
STORK2.0 is free / open source available at JoinUp
https://joinup.ec.europa.eu/node/137745
43. i4M Lab
The STORK 2.0 Interconnection Supporting
Service
To date, SS provides support for JSON-based and Web Service based
communication with DAs
Its modular design makes it easy to add support for other protocols and
methods.
44. i4M Lab
JSON vs. STORK2.0 SAML - Request
Json STORK2.0 SAML
… x 3 pages
47. i4M Lab
Supporting Service Architecture
The following diagram illustrates how the Supporting Service handles all
STORK 2.0 complexity
48. i4M Lab
Supporting Service Architecture
Authentication process flow diagrams using the Supporting
Service
49. i4M Lab
Supporting Service configuration
The Supporting Service is a Java EE Web Application. It has been tested in Tomcat
7.0 and can be co-hosted with the Service Provider or in a separate server.
All the configuration information is available in the file: sp.properties. There are a
number of options to set:
The list of available C-PEPS for the Supporting Service (country.number with the number
of known C-PEPS and for each country: country<X>.name, country<X>.url)
Configuration information to identify the Supporting Service as a STORK2.0 service
provider (provider.name, sp.sector, sp.aplication, sp.country).
The QAA that the Service Provider is accepting (sp.qaalevel).
Finally, the URLs to communicate with all the required modules:
o speps.url: The URL where the S-PEPS is running.
o sp.return: The URL to return to this SP when STORK finishes the identification and attribute
gathering.
o ds.url: The URL of the Service Provider API to retrieve the requested Attribute List.
o ss.url: The URL of the Service Provider API to send the gathered Attribute Values.
o sr.url: The URL to redirect the user once the Supporting Service has completed its task.
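A deployment check over this configuration is worth having, because a missing C-PEPS entry or a callback URL over plain http only shows up at the first cross-border login. The loader below is an added example and not part of the Supporting Service; it assumes the file is plain Java-style key=value lines and that the per-country keys are spelled country1.name, country1.url, country2.name, ... (the slide writes them as country<X>.name and country<X>.url). The two property files are constructed.

```python
"""Load an sp.properties file with the keys listed on the slide and report
missing keys, an out-of-range sp.qaalevel, incomplete C-PEPS entries and
non-https URLs."""
from urllib.parse import urlparse

REQUIRED_KEYS = ("provider.name", "sp.sector", "sp.aplication", "sp.country",
                 "sp.qaalevel", "speps.url", "sp.return", "ds.url", "ss.url", "sr.url")
URL_KEYS = ("speps.url", "sp.return", "ds.url", "ss.url", "sr.url")
STORK_QAA_VALUES = {"1", "2", "3", "4"}


def parse_properties(text):
    """Minimal key=value parser: blank lines and #/! comments are skipped,
    the first '=' separates key from value (assumption about the file syntax)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_config(props):
    """Return (errors, warnings): errors block deployment, warnings are advisory."""
    errors, warnings = [], []
    for key in REQUIRED_KEYS:
        if not props.get(key):
            errors.append(f"missing {key}")
    qaa = props.get("sp.qaalevel")
    if qaa and qaa not in STORK_QAA_VALUES:
        errors.append("sp.qaalevel must be 1-4")
    number = props.get("country.number")
    if number is None or not number.isdigit():
        errors.append("country.number missing or not an integer")
    else:
        for i in range(1, int(number) + 1):       # every announced C-PEPS needs name and url
            for suffix in ("name", "url"):
                if not props.get(f"country{i}.{suffix}"):
                    errors.append(f"missing country{i}.{suffix}")
    country_urls = tuple(k for k in props if k.startswith("country") and k.endswith(".url"))
    for key in URL_KEYS + country_urls:
        value = props.get(key)
        if not value:
            continue                                # already reported as missing
        url = urlparse(value)
        if url.scheme not in ("http", "https") or not url.netloc:
            errors.append(f"{key} is not an absolute URL")
        elif url.scheme == "http":
            warnings.append(f"{key} uses plain http; use https for STORK traffic and SP callbacks")
    return errors, warnings


# Constructed sample files.
SAMPLE_PROPERTIES = """\
# constructed sp.properties for the example
country.number=2
country1.name=GR
country1.url=https://cpeps.example.gr/PEPS/ServiceProvider
country2.name=ES
country2.url=https://cpeps.example.es/PEPS/ServiceProvider
provider.name=UAegean-SS
sp.sector=Academia
sp.aplication=SupportingService
sp.country=GR
sp.qaalevel=3
speps.url=https://speps.example.gr/PEPS/ServiceProvider
sp.return=https://ss.example.org/ss/return
ds.url=https://sp.example.org/stork2-attributes.php
ss.url=https://sp.example.org/stork2-values.php
sr.url=http://sp.example.org/stork2-login.php
"""
BAD_PROPERTIES = """\
country.number=2
country1.name=GR
country1.url=https://cpeps.example.gr/PEPS/ServiceProvider
provider.name=UAegean-SS
sp.sector=Academia
sp.aplication=SupportingService
sp.qaalevel=7
speps.url=speps.example.gr/PEPS/ServiceProvider
sp.return=https://ss.example.org/ss/return
ds.url=https://sp.example.org/stork2-attributes.php
ss.url=https://sp.example.org/stork2-values.php
sr.url=https://sp.example.org/stork2-login.php
"""

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_PROPERTIES), ("bad", BAD_PROPERTIES)):
        errors, warnings = check_config(parse_properties(text))
        print(name, "errors:", errors, "warnings:", warnings)
```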
50. i4M Lab
STORK 2.0 PHP API for the Supporting Service
The PHP API includes the following files:
database.sql for creating the two tables required by the PHP API
index.html to demonstrate how a web site will utilize the PHP API
private.php to demonstrate how a private page works (in our example
we just check that the user has a valid session and the
$_SESSION["user_logged"] variable is set).
stork2-common.php contains functions shared among the scripts. For
example how to generate a random token and how to open a database
connection.
stork2-config.php is the file included by all scripts. It contains all the
configuration information and additional includes that are required.
51. i4M Lab
STORK 2.0 PHP API for the Supporting Service
Request
stork2-request.php creates a new token, stores the attributes to request
in the database and redirects the user to the STORK 2.0 Supporting
Service.
stork2-attributes.php provides a JSON output of the Attribute List. It is
accessed by the Supporting Service to retrieve the requested Attribute
List.
52. i4M Lab
STORK 2.0 PHP API for the Supporting Service
Reply
stork2-values.php is accessed by STORK2.0 to decode the JSON
object that contains the response and store the values in the database.
stork2-login.php will check the credentials provided by STORK2.0 and
redirect the user to the private section of the service provider or to an
error page accordingly.
53. i4M Lab
STORK 2.0 PHP API for the Supporting Service
stork2-specific.php is the file that contains the functions to be implemented
by the service provider in order to define its specific functionality. The
functions are:
get_attribute_list returns an array with the attributes to be requested (name
and whether each is required).
assign_user_roles receives an array of attributes with their values. It must
process this array, start a session and set the proper session variables. Then, if
everything was OK, it must return TRUE, and if not it must return FALSE; for
example, return FALSE if a required attribute contains no value.
authenticate_supporting_service is used to authenticate API calls from the
Supporting Service. The two API calls are stork2-attributes.php and stork2-
values.php. Since the service provider and the Supporting Service will be running
on the same network, we assume that the communication channel between them can
be trusted (if not, a VPN can be applied), so a plain username/password
authentication is sufficient. More authentication methods can be supported if
required (i.e. certificate-based authentication).
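The request and reply scripts on the previous slides and the three hooks above form one contract between the SP and the Supporting Service; the example below runs that contract end to end so the token lifecycle and the required-attribute check can be seen together. It is an added example written in Python rather than the project's PHP, and not the project's own code: function names mirror the PHP script and function names, a dict stands in for the two tables that database.sql creates, the Supporting Service URL, API credentials and token lifetime are constructed assumptions, and the HTTP layer is left out.

```python
"""SP-side contract with the STORK 2.0 Supporting Service: request token,
attribute-list callback, values callback, and login with the specific hooks."""
import hmac
import json
import secrets
import time

SS_URL = "https://ss.example.org/supporting-service/login"   # constructed Supporting Service URL
SS_API_USER, SS_API_PASSWORD = "supporting-service", "constructed-api-secret"
TOKEN_TTL = 600                      # assumption: a request token is valid for 10 minutes
DB = {"requests": {}, "values": {}}  # stand-in for the two tables from database.sql


# --- stork2-specific.php hooks -------------------------------------------
def get_attribute_list():
    """Attributes to request, each with whether it is required."""
    return [{"name": "eIdentifier", "required": True},
            {"name": "givenName", "required": True},
            {"name": "surname", "required": True},
            {"name": "isStudent", "required": False}]


def authenticate_supporting_service(user, password):
    """Plain username/password check for API calls, compared in constant time."""
    return (hmac.compare_digest(user.encode(), SS_API_USER.encode())
            and hmac.compare_digest(password.encode(), SS_API_PASSWORD.encode()))


def assign_user_roles(attributes, session):
    """False if a required attribute has no value; otherwise fill the session."""
    for attr in get_attribute_list():
        if attr["required"] and not attributes.get(attr["name"]):
            return False
    session["user_logged"] = True
    session["user"] = attributes["eIdentifier"]
    session["roles"] = ["student"] if attributes.get("isStudent") == "true" else []
    return True


# --- request side (stork2-request.php, stork2-attributes.php) ------------
def stork2_request(now=None):
    """New random token stored with the attribute list; returns (token, redirect URL)."""
    token = secrets.token_urlsafe(32)
    DB["requests"][token] = {"attributes": get_attribute_list(),
                             "created": time.time() if now is None else now}
    return token, f"{SS_URL}?token={token}"


def stork2_attributes(token, user, password):
    """Called by the Supporting Service; returns (HTTP status, JSON body or None)."""
    if not authenticate_supporting_service(user, password):
        return 401, None
    request = DB["requests"].get(token)
    if request is None:
        return 404, None
    return 200, json.dumps(request["attributes"])


# --- reply side (stork2-values.php, stork2-login.php) ---------------------
def stork2_values(token, user, password, body):
    """Called by the Supporting Service with the gathered values; returns HTTP status."""
    if not authenticate_supporting_service(user, password):
        return 401
    if token not in DB["requests"]:
        return 404
    try:
        values = json.loads(body)
    except ValueError:
        return 400
    DB["values"][token] = values
    return 200


def stork2_login(token, session, now=None):
    """The user returns with the token; consume it once and route to private or error page."""
    now = time.time() if now is None else now
    request = DB["requests"].pop(token, None)   # single use: token is gone after this
    values = DB["values"].pop(token, None)
    if request is None or values is None or now - request["created"] > TOKEN_TTL:
        return "/error.html"
    return "/private.php" if assign_user_roles(values, session) else "/error.html"


if __name__ == "__main__":
    token, redirect = stork2_request()
    print("redirect user to", redirect)
    print(stork2_attributes(token, SS_API_USER, SS_API_PASSWORD))
    print(stork2_values(token, SS_API_USER, SS_API_PASSWORD,
                        '{"eIdentifier": "GR/GR/123", "givenName": "A", "surname": "B"}'))
    session = {}
    print(stork2_login(token, session), session)
```

Two details carry the security of the exchange: the token is unguessable and consumed on first use at stork2_login, so a captured return URL cannot be replayed, and the values callback only stores data for a token the SP itself issued, so the Supporting Service cannot inject a login for a request that never existed.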
54. i4M Lab
Extending the Supporting Service
The SS has a modular design and care has been taken so that it can easily be adapted to specific DA needs. If a
DA requires a specific communication protocol (for example Web Services) then we only need to extend the
following two classes:
1. RetrievePersonalAttributeList, in order to retrieve the Attribute List from the DA
2. SavePersonalAttributeList, in order to save the Attribute Values to the DA.
RetrievePersonalAttributeList has only one abstract method that needs to be implemented for the DA-
specific functionality. The signature of the method is:
protected IPersonalAttributeList retrievePersonalAttributeList(String token)
For the storage of the Attribute Values, the SavePersonalAttributeList class must be extended; it contains
only one abstract method, savePersonalAttributeList. The signature of the method is:
protected String savePersonalAttributeList(String token, IPersonalAttributeList pal)
55. i4M Lab
The STORK2.0 Attribute Provider
The STORK2.0 Attribute Provider (AP) is the system providing Attribute
Information
APs come from different domains (e.g. Academic, Business, Health) and
provide associated attributes (e.g. Academic AP provides ‘isStudent’,
‘hasDegree’ etc.)
Multiple APs connect to the STORK2.0 infrastructure through the
PEPSes
56. i4M Lab
The Demo AP
STORK2.0 provides a free/open source DemoAP
DemoAP allows organizations to quickly deploy their own APs
There are more than 20 APs in several European Countries based on the
DemoAP
DemoAP – STORK2.0 Communication
STORK2.0 SAML protocol
An Interconnection Supporting Service for APs?
57. i4M Lab
Example AP – University of the Aegean
An adaptation of DemoAP
Deploys both
Identity Linking with Shared Identifiers (for quick attribute retrieval)
Connection with UAegean LDAP
Retrieves Attribute Information from several Systems of the University
(Data Bases)