
Assurance Requirements for Mutual User and Service Provider Authentication

  • Conference paper
Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance (DPM 2014, QASA 2014, SETOP 2014)

Abstract

Several nations and organisations have published frameworks for assurance of user authentication in the context of eGovernment. This reflects the importance that governments attach to guaranteeing that only authorised users can access eGovernment services. However, in order to ensure trusted online interaction it is equally important to obtain assurance of the authentication of service providers. Unilateral authentication is obviously insufficient for securing two-way interaction, so both user authentication assurance and service provider authentication assurance must be considered. Unfortunately, there are currently no satisfactory frameworks for service provider authentication in the eGovernment context. This paper first describes and compares some of the current eAuthentication frameworks for user authentication. It then proposes an eAuthentication framework for service provider authentication, and discusses how the two types of framework can be integrated and aligned.

The work reported in this paper has been partially funded by eurostars project E!8324 OffPAD.


Notes

  1. http://www.gartner.com/it-glossary/identity-and-access-management-iam/.
  2. Norwegian title: Rammeverk for autentisering og uavviselighet med og i offentlig sektor.
  3. Called decentralized in [33].
  4. Called secure in [33].
  5. Called human-meaningful in [33].

References

  1. Abley, J., Schlyter, J.: DNSSEC Trust Anchor Publication for the Root Zone (2010). http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.txt
  2. Arends, R., Austein, R., Larson, M., Massey, D., Rose, S.: RFC 4033 - DNS Security Introduction and Requirements. IETF, March 2005. http://www.rfc-editor.org/
  3. Ateniese, G., Mangard, S.: A new approach to DNS security (DNSSEC). In: Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS 2001), pp. 86–95. ACM, New York (2001)
  4. Bhavan, Y., Marg, S.: Biometrics Design Standards for UID Applications. Unique Identification Authority of India, Planning Commission, New Delhi (2009)
  5. Bolten, J.B.: E-Authentication Guidance for Federal Agencies - Memorandum to the Heads of All Departments and Agencies (OMB M-04-04). Technical report, Executive Office of the President, Office of Management and Budget, Washington, D.C. 20503 (2004)
  6. Burr, W.E., et al.: Electronic Authentication Guideline - NIST Special Publication 800-63 Rev. 1. Technical report, National Institute of Standards and Technology, December 2011
  7. Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., Polk, W.: RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. IETF, May 2008
  8. Australian Government Information Management Office: National e-Authentication Framework (NeAF). Canberra (2009)
  9. Dierks, T., Rescorla, E.: RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2. IETF, August 2008. http://www.ietf.org/rfc/rfc5246.txt
  10. European Union: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation) (2014)
  11. Ferdous, M.S., Jøsang, A., Singh, K., Borgaonkar, R.: Security Usability of Petname Systems. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 44–59. Springer, Heidelberg (2009)
  12. Graux, H., Majava, J.: eID Interoperability for PEGS (Pan-European eGovernment Services) - Proposal for a multi-level authentication mechanism and a mapping of existing authentication mechanisms. Technical report, EU IDABC (Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens) (2007)
  13. Hayes, J.M.: The Problem with Multiple Roots in Web Browsers - Certificate Masquerading. In: 7th Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE 1998), pp. 306–313. IEEE Computer Society, Palo Alto, CA, USA, 17–19 June 1998
  14. Herzberg, A., Gbara, A.: Protecting (even Naïve) Web Users from Spoofing and Phishing Attacks. Technical Report 2004/155, Cryptology ePrint Archive (2004)
  15. Hoffman, P., Schlyter, J.: RFC 6698 - The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. IETF, August 2012. http://www.ietf.org/rfc/rfc6698.txt
  16. Hulsebosch, B., Lenzini, G., Eertink, H.: Deliverable D2.3 - STORK Quality Authenticator Scheme. Technical report, STORK eID Consortium (2009)
  17. ISO: ISO/IEC 29115:2013 - Entity Authentication Assurance Framework. ISO, Geneva, Switzerland (2013)
  18. ITU: Recommendation X.800 - Security Architecture for Open Systems Interconnection for CCITT Applications. International Telecommunication Union (formerly the International Telegraph and Telephone Consultative Committee), Geneva (1991). X.800 is a re-edition of ISO 7498-2
  19. Jøsang, A., AlFayyadh, B., Grandison, T., AlZomai, M., McNamara, J.: Security Usability Principles for Vulnerability Analysis and Risk Assessment. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, December 2007
  20. Jøsang, A., Møllerud, P.M., Cheung, E.: Web Security: The Emperor's New Armour. In: Proceedings of the European Conference on Information Systems (ECIS 2001), Bled, Slovenia, June 2001
  21. Jøsang, A.: Trust extortion on the Internet. In: Meadows, C., Fernandez-Gago, C. (eds.) STM 2011. LNCS, vol. 7170, pp. 6–21. Springer, Heidelberg (2012)
  22. Jøsang, A., Dar, K.S.: Server certificates based on DNSSEC. In: Proceedings of NordSec 2011, Tallinn, October 2011
  23. Keizer, G.: Computerworld: DigiNotar dies from certificate hack caper (2011). http://www.computerworld.com/s/article/9220175/DigiNotar_dies_from_certificate_hack_caper
  24. Microsoft: Microsoft Security Bulletin MS01-017 - Erroneous VeriSign-Issued Digital Certificates Pose Spoofing Hazard, 22 March 2001. http://www.microsoft.com/technet/security/bulletin/MS01-017.asp
  25. Miller, M.S.: Lambda for Humans: The PetName Markup Language. Resources library for E (2000). http://www.erights.org/elib/capability/pnml.html
  26. Ministry of Communications and Information Technology: e-Pramaan: Framework for e-Authentication, Version 1.0. Government of India, Delhi, October 2012
  27. Ministry of Government Administration and Reform: Framework for Authentication and Non-Repudiation in Electronic Communication with and within the Public Sector (in Norwegian: Rammeverk for autentisering og uavviselighet i elektronisk kommunikasjon med og i offentlig sektor). Technical report, Norwegian Government (2008)
  28. Olsen, K.A., Nordhaug, H.F.: Internet Elections: Unsafe in Any Home? Commun. ACM 55(8), 36–38 (2012)
  29. Schechter, S.E., Dhamija, R., Ozment, A., Fischer, I.: The emperor's new security indicators. In: IEEE Symposium on Security and Privacy (SP 2007), pp. 51–65, May 2007
  30. Soghoian, C., Stamm, S.: Certified lies: detecting and defeating government interception attacks against SSL (short paper). In: Danezis, G. (ed.) FC 2011. LNCS, vol. 7035, pp. 250–259. Springer, Heidelberg (2012)
  31. Stiegler, M.: Petname Systems. Technical Report HPL-2005-148, HP Laboratories Palo Alto, 15 August 2005
  32. Varmedal, K.A., Klevjer, H., Hovlandsvåg, J., Jøsang, A., Vincent, J., Miralabé, L.: The OffPAD: requirements and usage. In: Lopez, J., Huang, X., Sandhu, R. (eds.) NSS 2013. LNCS, vol. 7873, pp. 80–93. Springer, Heidelberg (2013)
  33. Wilcox-O'Hearn, B. (Zooko): Names: Decentralized, Secure, Human-Meaningful: Choose Two (2005). http://www.zooko.com/distnames.html


Author information

Corresponding author: Audun Jøsang.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Jøsang, A. (2015). Assurance Requirements for Mutual User and Service Provider Authentication. In: Garcia-Alfaro, J., et al. Data Privacy Management, Autonomous Spontaneous Security, and Security Assurance (DPM, QASA, SETOP 2014). Lecture Notes in Computer Science, vol. 8872. Springer, Cham. https://doi.org/10.1007/978-3-319-17016-9_3

  • DOI: https://doi.org/10.1007/978-3-319-17016-9_3
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-17015-2
  • Online ISBN: 978-3-319-17016-9