Conference Paper

USING eID PSEUDONYMITY AND ANONYMITY FOR STRENGTHENING USER FREEDOM IN INTERNET

Abstract and Figures

When the Internet was designed in the early 70s, its main goal was to establish communication between two parties. A few decades later the saying "on the Internet, nobody knows you're a dog" was coined, representing the fundamental user right: the freedom of choosing his identity on the Internet. The recent rapid growth of electronic and mobile services over the Internet required strong user authentication mechanisms, where user identity was derived from his personal and biometric data. For some contemporary Internet applications this strong authentication is not desirable in society, since it reduces the user's freedom to express his opinion without fear of unjust negative consequences. This paper presents an efficient solution using national biometric identity cards (eID) for conducting anonymous transactions over the Internet, whereby the user identity is substituted by his pseudonym stored in the eID biometric contactless card. The testing environment consists of two applications: (i) commenting on an article in e-News, and (ii) casting a vote in an electronic election system. The paper concludes with a list of strengths and limitations of the proposed solution.
... Furthermore, it claims that perturbing of responses does not prevent leakage of information, only slows it down and makes it harder to collect data in short period of time. Similar approach to protect user privacy, is presented in [18] ...
... Furthermore, it claims that the perturbing of responses does not prevent leakage of information, only slows it down and makes it harder to collect data in a short period of time. A similar approach to protect user privacy is presented in [18], whereby users are authenticated using an anonymous X.509 digital certificate stored in the national biometric card, and send their feedback through the Internet. Our approach proposed in this paper does not require authentication in the polling station as this step is done, in manual form, before the citizen has cast a vote, i.e. the web form is accessible only from eligible voters during the voting process. ...
Article
Quality of election process is the main factor for acknowledging the general election results. In this sense a feedback from voters is critical to maintain a desired quality of the process. Crowdsourcing is establishing as a standard platform for capturing feedback and new ideas from the participating stakeholders. This paper presents an efficient solution using crowdsourcing techniques for improving the quality of election processes through a simple feedback web form in polling stations. These polling stations are securely connected to the Central Election Commission monitoring room, where the overall quality in national scale can be monitored. The survey conducted with more than 600 respondents shows that this approach would be acceptable from citizens and would improve the total quality and acceptance of election results.
... The private key is protected with a PIN, which is issued to citizen in protected paper format. In (Rexha, Qerimi, Neziri, & Dervishi, 2015) is presented an Internet authentication scenario using user's real and anonym profile. ...
Article
Recently, not only the Internet and mobile devices are changing our daily life but also the usage of the national biometric card for every government electronic service. Besides citizen authentication, these electronic services require users to encrypt and digitally sign their data or documents. Therefore, biometric cards are used as processing devices for cryptographic applications, whereby there are a lot of security aspects required for secure communication, authentication and encryption among them. Those aspects will be tested in different environments, platforms, devices, PCs, mobile devices and smartcards. This paper compares those two processing systems, Match off Card vs. Match on Card, and their efficiency of encryption and signatures on the data used. How different parameters, time and size of test vectors impact the process and the role they play on the overall system. The derived results will serve us as a guide for using one processing system in a certain environment, minding the efficiency of the data.
... Furthermore, it claims that the perturbing of responses does not prevent leakage of information, only slows it down and makes it harder to collect data in a short period of time. A similar approach to protect user privacy is presented in Rexha et al. (2015), whereby users are authenticated using an anonymous X.509 digital certificate stored in the national biometric card, and send their feedback through the internet. The approach proposed in this paper does not require authentication in a polling station as this step is done, in manual form, before the citizen has cast a vote, i.e., the web form is accessible only from eligible voters during the voting process while exiting the polling station. ...
Article
Recently crowdsourcing is being established as the new platform for capturing ideas from multiple users, i.e., the crowd. Many companies have already shifted their approach towards utilising the power of the crowd. Transparency and quality of election process is the main factor for acknowledging the general election results. Voters, crowd feedback can be utilised to maintain a desired election process transparency and quality. This paper presents an efficient solution using crowdsourcing techniques for increasing transparency and the quality of election processes through a simple feedback web form in polling stations. These polling stations are securely connected to central election commission monitoring room, where the overall transparency and quality in national scale can be monitored. The survey conducted with more than 600 respondents shows that this approach will be acceptable from citizens and will increase the overall transparency, quality, and acceptance of election results.
Conference Paper
Authentication and privacy are central issues for acceptance of any e-Voting system in particular and growth of e-Services in general. This paper aims: (i) to analyze the appropriate architecture and propose a new efficient architecture of an electronic voting system in Kosovo, and (ii) to analyze the threat vectors and their avoidance in such a system. The novelty of the implemented solution is based on using a dynamic queue list generated based on voters' arrivals and identification at the polling station. The proposed architecture enables citizens to cast their vote in any polling station, as opposed to paper form voting where the citizen is linked to his predefined polling station. The national election commission configures the smart card, as part of the electronic voting infrastructure, to allow decryption of the number of records that matches the number of voters in the final country-wide voting list. The communication between polling stations and the central server is encrypted with the server's public key stored in a digital certificate, and every cast vote is digitally signed by the ballot box private key. The developed model is used to compare the costs and efficiency of e-Voting against the traditional paper-based voting system in Kosovo.
Article
The ongoing implementation of e-government has brought many governments to consider issuing digital identity cards. This thesis focuses on the impact of digital identity cards on the citizen’s privacy. Potential privacy threats are discussed and countermeasures that pertain to enhancing privacy are proposed. We advocate that digital identity should not solely be based on elements that disclose a citizen’s identity. Instead this thesis proposes a concept for digital identity cards that includes an anonymous component. This proposed approach is different from the approach taken by the current projects for digital identity cards. We propose a concept that comprises pseudonymous credentials as part of the citizen’s digital identity. We discuss current implementations of pseudonymous credential systems and consider problems resulting from the implementation in resource-restricted smart card environments. We discuss requirements for the use of credentials as part of the citizen’s digital identity. We discuss conceptual issues that must be addressed for a deployment of credentials. We consider the infrastructure that is necessary to support pseudonymous credentials. We discuss conceptual issues such as the choice of credential system, devices for the secure storage of credentials, non-transferability and revocation of digital credentials. An architecture is proposed that supports the use of the extended form of digital identity. We discuss barriers that must be overcome on the way to implementation. With the ongoing migration towards digital identity cards, we expect that privacy will become an issue of growing importance. This thesis contributes to the discussion on privacy in the domain of e-government and proposes anonymous services based on pseudonymous credentials as a means to alleviate potential privacy problems related to the use of electronic identity cards.
Conference Paper
A credential system is a system in which users can obtain credentials from organizations and demonstrate possession of these credentials. Such a system is anonymous when transactions carried out by the same user cannot be linked. An anonymous credential system is of significant practical relevance because it is the best means of providing privacy for users. In this paper we propose a practical anonymous credential system that is based on the strong RSA assumption and the decisional Diffie-Hellman assumption modulo a safe prime product and is considerably superior to existing ones: (1) We give the first practical solution that allows a user to unlinkably demonstrate possession of a credential as many times as necessary without involving the issuing organization. (2) To prevent misuse of anonymity, our scheme is the first to offer optional anonymity revocation for particular transactions. (3) Our scheme offers separability: all organizations can choose their cryptographic keys independently of each other. Moreover, we suggest more effective means of preventing users from sharing their credentials, by introducing all-or-nothing sharing: a user who allows a friend to use one of her credentials once, gives him the ability to use all of her credentials, i.e., taking over her identity. This is implemented by a new primitive, called circular encryption, which is of independent interest, and can be realized from any semantically secure cryptosystem in the random oracle model.
Book
Your expert guide to information security. As businesses and consumers become more dependent on complex multinational information systems, the need to understand and devise sound information security systems has never been greater. This title takes a practical approach to information security by focusing on real-world examples. While not sidestepping the theory, the emphasis is on developing the skills and knowledge that security and information technology students and professionals need to face their challenges. The book is organized around four major themes: Cryptography: classic cryptosystems, symmetric key cryptography, public key cryptography, hash functions, random numbers, information hiding, and cryptanalysis. Access control: authentication and authorization, password-based security, ACLs and capabilities, multilevel and multilateral security, covert channels and inference control, BLP and Biba's models, firewalls, and intrusion detection systems. Protocols: simple authentication protocols, session keys, perfect forward secrecy, timestamps, SSL, IPSec, Kerberos, and GSM. Software: flaws and malware, buffer overflows, viruses and worms, software reverse engineering, digital rights management, secure software development, and operating systems security. Additional features include numerous figures and tables to illustrate and clarify complex topics, as well as problems-ranging from basic to challenging-to help readers apply their newly developed skills. A solutions manual and a set of classroom-tested PowerPoint(r) slides will assist instructors in their course development. Students and professors in information technology, computer science, and engineering, and professionals working in the field will find this reference most useful to solve their information security issues. An Instructor's Manual presenting detailed solutions to all the problems in the book is available from the Wiley editorial department. An Instructor Support FTP site is also available.