Monthly Archives: August 2008

Group Discussion – 28-08-2008

We had a group discussion this afternoon. This is the summary of outcomes.

Discussion Topics:

  1. Information contained in the eID card
  2. Problems identified
    • Lost cards
    • Forgotten passkeys
  3. What next?

eID will be based on Public Key Infrastructure (PKI) and certificates. In addition to any technical data, the card will contain the Certification Authority certificates and the card-holder’s identification (public) and signature (private) certificates.

One option is that the personal data included in the card-holder’s certificates would be first name, family name and a unique electronic identifier. The electronic identifier is a serial number that does not tell anything about its holder, unlike the identity card number. If the card-holder has notified, when filing the card application, that his or her e-mail address is to be inserted in the certificate, it could also be part of the information content of the certificate.

On the other hand, as we have a physical/printed interface on the card, there is the question of why we should not store the holder’s personal information, like identity card number, home address, date of birth or other similar information, on the card. But we have to decide on this based on how secure this could be and how it could be used in different modes of operation.

We also thought of two-key based security to secure the data in the card. One is the PIN code, which could be used to decrypt the encrypted portion of data on the card, which could include the private key and any other information with similar privacy requirements. Then we could have another PUK code, which would be the pass phrase that is needed for signing with the private key. But again we have a problem of complexity, where remembering two keys might be difficult.

One more problem we identified at today’s discussion was about lost eID cards. The only option in that case would be to revoke the certificate pairs and to reissue new ones. But this has a problem, as we might not be able to recover any data that is already encrypted using the lost keys. The same also applies to forgetting the pass codes. We also have to think of a way to handle this problem.

We also have to submit the design document by next week, so we need to complete the design diagrams we have so far and put everything in the correct format. We will be meeting tomorrow as well and will be working on the preparation of the design document.

List of things we need to do:

  1. Find solutions to problems identified
  2. Think more on offline mode of operation, as I think we are not that sure on that
  3. Prepare design document

Filed under Meetings

R6: Initial Prototyping

[Work done from 4th August to 17th August 2008]

During the last fortnight we were focusing on developing a prototype for our eID system. We also had a meeting with our project supervisor on August 15. This meeting was mainly focused on how we are progressing and what we need to do soon. He suggested a good way to use the eID card for offline authentication with a privacy-preserving mechanism. Before, we had some misconceptions about how the system could be used in an offline mode. In particular, we had the idea of using Privacy and Unlinkability while providing some extent of backtracking features in a protected manner. So we had some meetings with team members to discuss the offline issue.

On the other hand, we have to come up with proper prototypes for evaluation, as suggested by our project supervisor. Malalasena and I were assigned to develop a working prototype using the web service.

So I started to develop some basic steps in client-side mapping for user authentication through the web service, which was developed by Malalasena for user authentication. Even though it is a very tight schedule, I am managing to finish it very soon.

I have to find a way of sending the data from client to server using an Applet. But in a firewall environment it is very hard for an applet on the client side to get to know about the outside world.

Now I’m working on this problem. I haven’t found any suitable way to solve it. I learnt about socket programming, but that won’t work in a firewall environment because the client might not have the right permission to open a socket connection between client and server. I hope I can overcome this problem very soon.

Filed under Reports

R6: Initial Architecture

[Work done from 4th August to 17th August 2008]

At the start of this two-week period we were mainly concerned with implementing our earlier developed system architecture with the identified requirements. We are doing research, and we tested the WSO2 Identity Solution, which is a kind of authentication-providing system for enterprises. It uses Windows CardSpace authentication, which has some disadvantages when it comes to a highly privacy-preserving identity solution that provides functionality like Unlinkability and Anonymity. Anyway, we gained a lot of understanding of how an identity solution should be implemented in a practical scenario.

Then on 15th of August 2008 we had a meeting with our project supervisor Dr. Chandana Gamage. It was a meeting of almost two hours, where he gave us a lot of information about implementing such eID systems from his practical experience, which was very helpful in understanding the problem domain clearly. Only during this meeting did we realize that our existing architecture has some drawbacks in terms of Unlinkability and Anonymity. We were advised to change some portions of our system architecture. Following our project supervisor’s advice, we redesigned our system architecture.

Presently Malalasena and Shayanthan are working on developing a prototype web service with WSAS (Web Services Application Server), while Nimal and I are working on the system architecture and the privacy issues.

Filed under Reports

R6: Problems and Redesign

[Work done from 4th August to 17th August 2008]

During this period of two weeks we were involved in developing a prototype that could be used to demonstrate our system. But we were unable to complete that due to some misunderstandings and problems. We found most of these problems after the meeting we had with our project supervisor.

We had the meeting with our project supervisor on August 15. This meeting was mainly focused on how we are progressing and what we need to do soon. (Details can be found here) The main thing we found was that our system architecture was not a very complete and strong one and thus needs changes. We had some misconceptions about how the system could be used in an offline mode. Especially, we had to address issues such as Privacy and Unlinkability, while providing some extent of backtracking features in a protected manner.

We found it very difficult to fit these into our previously decided design, so we decided to have meetings with team members to discuss these issues. As the outcome of these meetings, we found that our design is able to provide the desired privacy requirements when it is running in online mode. But we had some conflicting issues when it is running in offline mode. In terms of the eID card we are also having difficulties when it comes to protecting privacy offline. This happens because even if we restrict access to digital data in the card, we have no way so far to restrict access to data printed on the card. Thus we are still reading up on these issues.

On the other hand, we have tight schedules in which we have to come up with prototypes for evaluation, as suggested by our project supervisor. So we decided that we would go on making a very basic web service that could later be extended to match our needs. So Malalasena and Shayanthan are working on the prototype web service, while I’m working with Ramanan on the system architecture design and issues related to privacy offline and online.

Filed under Reports

R6: Into Web Services

[Work done from 4th August to 17th August 2008]

On 15th of August we had a meeting with Dr. Chandana Gamage and we discussed lots of things regarding the project. In that meeting we were mainly concerned with the Privacy and Unlinkability of the eID. Because a lack of Privacy and Unlinkability may cause failure of the eID system, Dr. Chandana Gamage advised us to increase the Privacy and Unlinkability of the eID project compared to other similar implementations. In that meeting he provided some suggestions and let us come up with a better solution.

After this meeting we had several meetings regarding the new requirements and how to extend the project according to them. We also discussed keeping our project in line with Digital Identity standards (seven laws of Identity). Finally we realized that, in the case of “online authentication”, our system design needs no changes. But in the case of “offline authentication” our system is short of some features.

Because the web service part is one of the main parts of the eID system and we have a clearer idea about the web service part than about other parts of the system, I started to develop the web service part of the system this week.

Regards,
B.A.Malalasena

Filed under Reports

Meeting with Project Supervisor (15-08-2008)

We had a meeting with our project supervisor Dr. Chandana Gamage today from 1.15pm to 3.45pm.

Main Points

  • Privacy –
    The privacy of the holder will be the key feature of our eID compared to other similar implementations. Thus we must ensure privacy protection is there at the very system level.
  • Unlinkability –
    This is another feature which should be provided and would be another important aspect. [Example use case: at police check points they need not keep recording every checked user’s details, but they can cross-check the card ID or serial number against an existing suspects list and provide a way to indicate whether to check that person further or not.]
  • Back tracking with proper legal concern –
    On the other hand, unlinkability conflicts with the need for back tracking, which authorities might need in order to track back a person in the past. But these track-back logs should not be used by just any person; it should be done with proper legal permission and with the concern of the user.

One solution Dr. Gamage suggested is like this. Encrypt every log save with Sign-Private-(secret—).

Dr. Chandana Gamage suggested that we should study these issues and come up with possible solutions by next week. He also mentioned that it is better to have a very clear idea about what we are planning to do and then move into developing.

We will also need to make a prototype really very soon, for the next evaluation.

Rough Architecture Design

We also discussed a basic overall architecture and a few possible use cases of the system.

Used to authenticate the holder to

  • A person
    • Online
    • Offline
  • A computer/application system
    • Online

  1. Access a service from RP
  2. Relying Party (RP)
  3. Authentication request to eID-WS
  4. eID Web Service (eID-WS)
  5. Access user eID card connected to user PC
  6. Validate user
  7. Reply from eID-WS to RP (Yes/No) + Any further detail requested again with the concern of the eID holder
  8. Normal operation continues

Development Components

We have divided the project development into the following distinct components, but many of them have interdependencies.

  • eID Card
  • Offline Application/API/Library
  • Web Services
    • Request handling – from relying party
    • Request processing
      • Accessing eID card – with holder
      • Using back end system and DB
    • Reply request – to relying party
  • Back end infrastructure
    • Key server
    • Database
  • Issuing authority application systems

Filed under Meetings
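
The online flow listed in the meeting notes above (RP, eID-WS, card, Yes/No reply with holder-approved details), written out as an added example; it is not the project's code. The class names, the RSA/SHA-256 signature, the single-use challenge and all sample values are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;

public class EidOnlineAuthDemo {
    static class Card {              // hypothetical card stand-in: the private key never leaves it
        final String serial;
        private final KeyPair keys;
        Card(String serial) throws GeneralSecurityException {
            this.serial = serial;
            KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
            gen.initialize(2048);
            this.keys = gen.generateKeyPair();
        }
        byte[] sign(String challenge) throws GeneralSecurityException {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initSign(keys.getPrivate());
            s.update(challenge.getBytes(StandardCharsets.UTF_8));
            return s.sign();
        }
    }
    static class EidWebService {     // hypothetical eID-WS stand-in: issued keys, revoked serials
        final Map<String, PublicKey> issued = new HashMap<>();
        final Set<String> revoked = new HashSet<>();
        private final Set<String> pending = new HashSet<>();
        // Step 3: fresh single-use challenge naming the RP, so a signature cannot be replayed.
        String newChallenge(String rpId) {
            String c = rpId + ":" + UUID.randomUUID();
            pending.add(c);
            return c;
        }
        // Steps 6-7: validate, then answer Yes/No plus only the details the holder approved.
        Map<String, String> reply(String serial, String challenge, byte[] sig,
                Map<String, String> attrs, Set<String> approved) throws GeneralSecurityException {
            PublicKey pk = issued.get(serial);
            boolean ok = pending.remove(challenge) && pk != null && !revoked.contains(serial);
            if (ok) {
                Signature v = Signature.getInstance("SHA256withRSA");
                v.initVerify(pk);
                v.update(challenge.getBytes(StandardCharsets.UTF_8));
                ok = v.verify(sig);
            }
            Map<String, String> out = new TreeMap<>();
            out.put("authenticated", ok ? "Yes" : "No");
            if (ok) for (String k : approved) if (attrs.containsKey(k)) out.put(k, attrs.get(k));
            return out;
        }
    }
    public static void main(String[] args) throws GeneralSecurityException {
        Card card = new Card("SERIAL-0001");                 // constructed sample values
        EidWebService ws = new EidWebService();
        ws.issued.put(card.serial, card.keys.getPublic());
        Map<String, String> attrs = Map.of("firstName", "Sample", "email", "holder@example.org");
        String c = ws.newChallenge("rp.example.org");        // steps 1-3
        byte[] sig = card.sign(c);                           // step 5
        System.out.println(ws.reply(card.serial, c, sig, attrs, Set.of("firstName"))); // first use
        System.out.println(ws.reply(card.serial, c, sig, attrs, Set.of("firstName"))); // same challenge replayed
    }
}
```

Adding a serial to `revoked`, as would happen for a lost card, makes every later reply for that card a "No" even though its signature still verifies.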

R5: Presentation and Feedback

[Work done from 21st July to 3rd August 2008]

On 24th of July we had our first formal presentation, and the day before we completed the presentation and did a demonstration for our project supervisor Dr. Chandana Gamage. He gave us his feedback, which was really helpful in structuring our presentation. Earlier we planned for two of us to do the presentation. But later, after our supervisor’s feedback, we reduced our number of slides to 5, where the contents came up to 3 pages, and we decided that one of us would do the presentation because unnecessary swaps would have ruined the timing of our presentation. On the day of our formal presentation, the presentation was given to the coordinator Dr. Shantha Fernando and supervisor Dr. Chandana Gamage. The feedback we gained on this occasion was a boost for our development activities.

Then we were advised to create a website for our project and we implemented the basic version of our website within 24 hrs at our own domain name http://www.project-eid.org. We’re still in the process of updating our website.

On 25th of July we had a meeting with Mr. Ruchith at WSO2. He introduced two of his team mates for future needs because he is about to go abroad for further studies. The WSO2 team has developed a product named WSO2 Identity Solution. We discussed the possibilities of getting some ideas out of that product. We are still in the process of doing the case study with Identity Solution.

We have also divided our project responsibilities among team members and we are targeting 15th August as the next deadline for some demonstrable outcome from each member.

Filed under Reports

R5: Creating the Project Website

[Work done from 21st July to 3rd August 2008]

We had the first formal presentation on the 24th of July, which was on the work done up to the end of June 2008. We prepared for the presentation as a group and did a demonstration of it on the 22nd for our project supervisor Dr. Chandana Gamage. He suggested a few changes that could be made, and that helped us make the presentation even better. I did the presentation on behalf of our group and we had mixed feedback, including places where we need to speed up, and we were asked to come up with a demonstrable outcome before the semester end.

Next we were asked to create a project website and we created ours at www.project-eid.org. We are in the process of keeping it up to date with the latest updates of the project.

On Friday the 25th we had a meeting with Mr. Ruchith Fernando at WSO2 and his team who work on WSO2 Identity Solution. In that meeting we discussed similarities and differences between WSO2 Identity Solution and the eID project. We found that trying out WSO2 Identity Solution before proceeding with the project would be beneficial to us. So we started to do that and completed installing and configuring it. Malalasena is working on that.

We also decided to go with a USB Memory Stick based card and not a Smart Card. The reason for this was the cost factor and complexity. We have also decided that the USB Memory Stick can be a fully read-only type or partially read-only, where the private key can be kept. We have been experimenting with TrueCrypt (http://www.truecrypt.org/) which could be used for these purposes sometimes.

We have also divided our project responsibilities among team members and we are targeting 15th August as the next deadline for some demonstrable outcome from each member.

Filed under Reports

R5: WSO2 Identity Solution and eID

[Work done from 21st July to 3rd August 2008]

On 24th of July we did the first formal presentation. So during the first week we were busy preparing a short presentation. We discussed the presentation with our project supervisor Dr. Chandana Gamage. We had two meetings with him during that period. Those meetings were very helpful to us in preparing the presentation. He gave us lots of important points for preparing and doing the presentation.

He also advised us to publish a website for the eID project. So during this period we created a website (www.project-eid.org) and published it.

After the first formal presentation about the eID project, I have been working on the WSO2 Identity Solution. It is an open source project developed by WSO2 and we had the idea of using this open source Identity Solution in our project.

Because the Identity Solution is a turning point of the eID project, Dr. Chandana Gamage advised us to have a meeting with WSO2. On Friday the 25th we had a meeting with the Identity Solution project manager Mr. Ruchith Fernando at WSO2. In that meeting we discussed similarities and differences between WSO2 Identity Solution and the eID project. He provided lots of important information that would be helpful for implementation of the eID.

Last week we installed the Identity Solution at the Level 4 project lab, configured it and did testing on it. (Get OpenID and downloaded Infocard (Windows CardSpace) authentication)

Regards,
B.A.Malalasena

Filed under Reports

R5: Java Applets and USB Access

[Work done from 21st July to 3rd August 2008]

We had very interesting and effective progress in our project during the last fortnight. In the first half of the week we mainly focused on the demonstration of our project progress to the subject coordinator. We met our supervisor Dr. Chandana Gamage two times for that presentation.

  1. Meeting with Dr. Chandana Gamage regarding the short demo – During the first meeting he guided us on how to prepare the presentation slides. He gave some important points for preparing the slides. After the preparation of the slides we did the first formal demo in front of the supervisor in advance. He suggested that we keep to the time and make some changes in the slides.
  2. Prepared & presented the demonstration
  3. Meeting with Mr. Ruchith Fernando – As we planned last week, we met Mr. Ruchith Fernando in his office at WSO2. He introduced two other people there who were his subordinates on the WSO2 Identity Solution. They gave us valuable points about Microsoft CardSpace and web services.
  4. Find some way to connect with a USB based stick through Java Applets – I found some methods to read the data from the USB through Java Applets.

Problems Found

When I started to develop some applets I found that Java applets downloaded from the Internet (servers) or from any remote sources are restricted from reading and writing files and making network connections on client host systems. They are also restricted from starting other programs, loading libraries, or making native calls on the client host system. In general, applets downloaded from a network or remote sources are considered untrusted.

Overcome the Problems

I posted in the Java forums and got help from Java experts. They guided me to use signed applets, which provide a way to verify that the applet is downloaded from a reliable source and can be trusted to run with the permissions granted in the policy file. The Java 2 platform introduced the notion of signed applets. Signing an applet ensures that an applet’s origin and its integrity are guaranteed by a certificate authority (CA) and that it can be trusted to run with the permissions granted in the policy file. I used that method to try to overcome the problems.

Filed under Reports
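
The signed-applet idea described in the post above can be checked from the defender's side before any permissions are granted. This added example (not code from the project) uses the standard `java.util.jar` API to report which certificates signed every code entry of a JAR; the class name, the entry name `ReaderApplet.class` and the sample JAR it builds are assumptions.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.cert.X509Certificate;
import java.util.*;
import java.util.jar.*;

public class AppletJarSignerCheck {
    /** Subjects of the certificates that signed every code entry; empty if any entry is unsigned. */
    static Set<String> signersOfAllEntries(File jar) throws IOException {
        Set<String> common = null;
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {          // true: verify digests while reading
            for (JarEntry e : Collections.list(jf.entries())) {
                // Manifest and signature files under META-INF/ are not themselves signed entries.
                if (e.isDirectory() || e.getName().startsWith("META-INF/")) continue;
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { }           // signers are set only after a full read;
                }                                            // a modified entry throws SecurityException
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) return new TreeSet<String>();   // one unsigned entry taints the JAR
                Set<String> names = new TreeSet<String>();
                for (CodeSigner s : signers) {
                    X509Certificate leaf =
                        (X509Certificate) s.getSignerCertPath().getCertificates().get(0);
                    names.add(leaf.getSubjectX500Principal().getName());
                }
                if (common == null) common = names; else common.retainAll(names);
            }
        }
        return common == null ? new TreeSet<String>() : common;
    }

    public static void main(String[] args) throws IOException {
        File jar;
        if (args.length > 0) {
            jar = new File(args[0]);                         // a real applet JAR to inspect
        } else {                                             // constructed, unsigned sample JAR
            jar = File.createTempFile("sample-applet", ".jar");
            jar.deleteOnExit();
            Manifest mf = new Manifest();
            mf.getMainAttributes().put(Attributes.Name.MANIFEST_VERSION, "1.0");
            try (JarOutputStream out = new JarOutputStream(new FileOutputStream(jar), mf)) {
                out.putNextEntry(new JarEntry("ReaderApplet.class"));
                out.write(new byte[] {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE});
                out.closeEntry();
            }
        }
        Set<String> signers = signersOfAllEntries(jar);
        System.out.println(signers.isEmpty()
            ? "Unsigned or only partly signed: keep in the sandbox"
            : "Every entry signed by: " + signers);
    }
}
```

A non-empty result only says who signed the JAR; the signer's certificate still has to be compared with the one you expect before the policy file grants it file or network permissions.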