
Strength in diversity: lessons learnt from the Stork* projects






Presentation Transcript


  1. Strength in diversity: lessons learnt from the Stork* projects
  • Antonio Lioy
  • < lioy @ polito.it >
  • Politecnico di Torino, Dip. Automatica e Informatica

  2. Security: is mine the same as yours?
  • is a door secure?
    • plastic? wood? steel?
    • no key? mechanical key? electronic key?
    • who is the attacker?
    • what is inside the room?
  • there is no government-mandated standard for physical doors ...
  • ... so why should there be one for "computer doors"?

  3. Security: a difficult (and moving) target
  • a human generation is 30 years ... a computer one is just 3!
  • any technical solution (especially if agreed in a lengthy process) risks being obsolete by the time it is adopted
  • any technical solution is vulnerable to some attack (as humans are vulnerable to diseases)
  • so mandate principles, not technologies:
    • using the same technology we can save money
    • ... but we increase the risk of a total attack (like a pandemic for humans)

  4. Some security principles
  • security =
    • technical solution (minimize violations)
    • legislative support (violators will be prosecuted)
    • individual behaviour (don't make violations easy)
  • which is the most important factor?
  • security level must be adequate to the value of the protected item ... but not more!
  • users are typically the weak link in every security solution

  5. Stork (18 countries, 36 partners, 2008-11)
  • Austria • Belgium • Estonia • France • Germany • Italy • Luxembourg • Netherlands • Portugal • Slovenia • Spain • Sweden • United Kingdom
  • plus Iceland
  • Finland, Greece, Lithuania, Slovakia
  • and then STORK 2.0 (2012-2015)

  6. Stork: principles and results (I)
  • electronic identity = authentication + certified attributes
  • set of certified European attributes
    • lexicon (multilanguage attribute names)
    • syntax (possible values)
    • semantics (e.g. surname)
  • various authentication credentials
    • reusable password, one-time password, cellphone, software certificate, smart-card
    • used in a transparent way and with legal value (according to the citizen's country)
  • mutual recognition

  7. Stork: principles and results (II)
  • various authentication levels
    • cryptographic strength of the authentication technique
    • strength of the identification process when distributing the credentials
    • QAA (Quality of Authentication Assurance) levels 1...4
    • requested level (to access the service) versus effective level (depending on the authentication technique used by the citizen)
  • privacy protection and localization
    • user talks with her own country
    • provides explicit consent for the required attributes
    • compulsory and optional attributes
    • attributes managed end-to-end
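The requested-versus-effective level check and the consent rule on slide 7 can be put in code. This is an added example, not code from the Stork projects: the QAA scale 1..4 is from the slide, but how the two strength factors combine into one level is not stated there, so the example assumes the weaker factor bounds the level; the credential names and strength values are constructed sample data.

```python
"""Toy model of a Stork-style access decision (added example, not project code).
Assumptions: QAA levels 1..4; the weaker of the two strength factors decides
the effective level; credential strengths below are constructed samples."""
from dataclasses import dataclass

QAA_MIN, QAA_MAX = 1, 4


@dataclass(frozen=True)
class Credential:
    name: str
    crypto_strength: int   # strength of the authentication technique (1..4)
    identification: int    # strength of identity proofing when the credential was issued (1..4)

    def effective_qaa(self) -> int:
        # Assumption: the weaker factor bounds the assurance level.
        level = min(self.crypto_strength, self.identification)
        return max(QAA_MIN, min(QAA_MAX, level))


@dataclass(frozen=True)
class ServiceRequest:
    requested_qaa: int       # level the service demands
    compulsory: frozenset    # attributes the service cannot work without
    optional: frozenset      # attributes it would like, but can do without


def authorise(req: ServiceRequest, cred: Credential, consented: set):
    """Return (ok, released_attributes, reason) for one citizen/service pair."""
    if not QAA_MIN <= req.requested_qaa <= QAA_MAX:
        return False, frozenset(), "invalid requested level"
    eff = cred.effective_qaa()
    if eff < req.requested_qaa:
        return False, frozenset(), f"effective QAA {eff} < requested {req.requested_qaa}"
    missing = req.compulsory - consented
    if missing:
        return False, frozenset(), "no consent for compulsory: " + ", ".join(sorted(missing))
    # Only attributes the service asked for AND the citizen consented to are released.
    released = (req.compulsory | req.optional) & consented
    return True, released, "ok"


# Constructed sample credentials (illustrative values, not any real national e-ID).
PASSWORD = Credential("reusable password", 1, 2)
SMARTCARD = Credential("smart-card", 4, 4)
SOFT_CERT = Credential("software certificate, self-registered", 3, 1)

if __name__ == "__main__":
    req = ServiceRequest(3, frozenset({"surname", "dateOfBirth"}), frozenset({"email"}))
    for cred in (PASSWORD, SMARTCARD, SOFT_CERT):
        print(cred.name, authorise(req, cred, {"surname", "dateOfBirth", "email", "address"}))
```

Note that a strong cryptographic credential issued after weak identity proofing (SOFT_CERT) is rejected for a level-3 service, and that an attribute the citizen consented to but the service never asked for ("address") is never released.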

  8. The Stork infrastructure
  (diagram: Italian citizen, service provider, Swedish Stork gateway, Italian Stork gateway, e-ID + attribute provider (Italian))
  1. ask for service
  2. go Stork!
  3. select your country
  4a. consent? 4b. which e-ID?
  5a. authentication
  5b. consent (final)

  9. Stork: pilots
  • change of address
  • e-services authentication (cross-border)
  • safer chat
  • ECAS (European Commission Authentication Service)
  • student mobility
  • e-delivery (cross-border)

  10. Stork 2.0
  • focus on:
    • attributes / delegation / representation powers
    • integration with non-government e-ID
  • three years: 2012-2015
  • many countries (~30) and partners (~60)
  • pilots:
    • business registry (e.g. single-point-of-contact)
    • e-health
    • job market (e.g. professional certifications)
    • e-learning
    • e-banking

  11. Strength in diversity
  • different countries use different e-IDs, with variable strength
  • the interoperability solution permits the use of all of them yet does not compromise security; rather, it supports adaptive security, where each electronic service can request (and receive!) the appropriate level of protection
  • this solution does not hamper technological progress
    • any country can adopt a new e-ID technology without breaking its interoperability with the other countries
    • a smooth evolution path is possible
  • the Stork* projects are a clear example that:
    • a compromise is often needed in deciding appropriate security measures
    • ... but it does not have to be at the lowest common level
    • ... and it does not stop technological evolution.
