We had a meeting with our project supervisor Dr. Chandana Gamage today from 3pm to 4pm to discuss finalizing the project and the project presentations and demonstrations.
We mainly discussed the project presentation that is due on the 25th of March and the demonstrations on the 26th of March. We decided to do the presentation as a group, as we could have different components presented by different persons. We are also having another finalizing discussion next Monday, the 23rd of March.
We also discussed publishing the research papers. As we already have two papers, which might need some more reviewing, we decided to do that as early as we can. We have identified some conferences to which we can submit. We have also decided to go for the third paper titled, “A SOA based eID System”, which we plan to complete in April.
We hope to have all the project work completed by this week so we can get ready for the presentation by the weekend.
We had a meeting with our project supervisor Dr. Chandana Gamage today from 11.30am to 12.45pm.
This is the first meeting after our exams, so the meeting was mainly focused on the final stage of the project and its completion. The main topics discussed are:
- Completing ICAMES Application.
    - We already had the application prepared and our supervisor checked it and asked us to send it to ICAMES. (It was sent in the evening).
- Project Progress, what needs to be done in coming weeks.
    - Development – Need to complete before 15th March
    - Development – Prepare the standalone application user interface to look like a hand-held.
    - Project Report – Need to complete before 15th March
    - Presentation – Prepare a comparison of eID and OpenID.
- Research Papers, completing and publishing.
    - Complete the main paper by 15th March for submission
    - Work on the second paper in the last 2 weeks of March
    - Can go for a third paper after that
    - We will have to search for other possible places for publication
- Project Documentary
    - Complete by 18th March
    - Will have to do the shooting during next week
We will be having another meeting next week to update on the progress, and to plan for the second paper.
We had a meeting with our project supervisor Dr. Chandana Gamage today from 2.00pm to 3.45pm.
Summary of items that were discussed at today’s meeting.
- Draft Final Project Report
    - Need to define the technical/project specific terms and phrases before using them
    - Need to add some simple examples to explain the working model of the system in discussion
    - Analyse the existing eID systems, try to check with the following countries:
        - Hong Kong
        - South Korea
        - Scandinavian Countries
        - Other European Union Countries
    - Overall architecture of the eID system (which was accidentally removed)
        - Overall view of the architecture
        - Services Specific/Stacked view
        - Transaction View
- Lecture on Intellectual Property Rights (next week)
    - Try to attend the lecture
    - Try to discuss the potential of a patent for our project
We are currently working on the Draft of the Final Project Report and the Main Research Paper which are due to be submitted by next Sunday (January 25th).
We had a meeting with our project supervisor Dr. Chandana Gamage today from 1.15pm to 2.30pm.
We were unable to have a meeting with our project supervisor and advisor Dr. Chandana Gamage for the last couple of weeks due to some mid semester exams and the little load of assignments we had. So at today’s meeting we had to discuss the progress of our project, which is now almost in its final stage, and the following matters in detail.
- Project Progress – We detailed the individual progress of each component of the project which each of us is working on, and our project supervisor was satisfied with the work done and encouraged us to complete things as best we can.
- Public IP and Server for testing – We are in need of a testing server to deploy our web service so that we could test it from different places. So we requested public IP access for our project and Dr. Gamage was very helpful in getting that for us; he sorted that out with the relevant persons who were in charge of this and got things done within 15 minutes while we were at his room.
- Smart Card Development – As Ramanan had received his smart card kit we took that to the meeting to show to our supervisor. We are hopeful the work related to this could be finished as soon as possible.
- Project Demo – The next important thing discussed at this meeting was the Final Project Demo, which needs to be done on the 29th of January or in March after our exams. We decided that we will be doing the demo after our exams as we have to complete the
- Project Report – We were asked to use more real-life examples in the report to explain things and use the same at the presentations too. Ramanan is working on coordinating this. We will have to complete the first draft for review by our supervisor by next Monday or Tuesday. We also talked about referring to the past year project reports.
- Research Papers – We discussed the flow and content of the main research paper of the project, and I’ll post another update separately on that soon. Also we will have to work on another couple of research papers if possible.
- Other Competitions – We also discussed different venues where we can present our project and publish our research papers. We had a detailed discussion on that and I’ll post another separate update on that later.
Our project is almost in its final stage, and we have almost everything under control to complete it in a better way in time. I’ll keep posting about the progress of the later stage of the project in the days to come.
We had a meeting at WSO2 today from 4.00pm to 4.30pm. This meeting was scheduled with Mr. Prabath Siriwardena, but later it was changed to be with Mr. Nandana Mihindukulasuriya (who happens to be a senior to us at CSE@UoM).
The purpose of this meeting was to evaluate the security aspects of the eID web service and to get some expert advice on what we have been doing. This turned out to be more beneficial to us as Nandana ayya is an Apache Rampart committer, and that is the same module that we have been using with our web service to provide WS-Security.
We also used this as an opportunity to discuss some other security aspects of the project and also some of the issues we had related to web services and WS-Security. We are very thankful to Nandana ayya and Prabath ayya for allocating their valuable time for us.
We had a meeting with our project supervisor Dr. Chandana Gamage today from 10.30am to 11.05am.
We discussed the progress of our project, and our plans to complete the project in time.
- Progress Plan – How we are going to complete (Posted in our blog here)
    - Project supervisor was satisfied with our plan and encouraged us to work according to that.
- World Summit Award (possibility of participation – http://wsa.nenasala.lk/)
    - We were asked to apply for this as this could be a good chance for us.
- Research Papers
    - Project supervisor suggested that if we could come up with two quality papers for publishing, it would be beneficial for us in going for higher studies. So we have decided to concentrate on that as well.
- Other topics – Buying Java Card
    - We will try to get the Java card to Sri Lanka as soon as we can. At the same time we will be focusing on the USB based eID also closely.
We had a meeting with our project supervisor Dr. Chandana Gamage today from 1.30pm to 2.15pm.
After yesterday’s meeting we had a brainstorming session with all group members and discussed the options we have for the system architecture of the eID system. So we arranged today’s meeting to discuss this further and finalize the design. Today’s discussions led us to a redesign of our architecture. We found that there were some flaws in our earlier architecture, in which the eID WS was sitting in the middle, which could easily lead to problems in terms of load as well as being attack-prone.
Changes in Design
Some points that were highlighted at the meetings.
- Moving load away from central eID WS server
- One time signed policies for the relying parties
- Complex functionalities implemented at the WS end
- Most network-enabled applications are now on the web, so better to have a browser plugin
So we decided to make the end-user be at the end and include one more application in our deliverables list, which would be a browser plugin. This plugin will now act as the center point which will handle the message flow from relying party, web service and the eID card.
Read-only memory eID
Also we decided to add one more deliverable to our project in the form of an alternative eID card to the smart card based one, using a read-only memory stick. Though this would miss some security advantages, this could give some advantage in terms of the cost of the device. We will have to explore this further to get more possible implementation options. We will have to try and find ways to make a normal USB memory stick into a secure one, or else we should find some other alternative that could work for our needs.
Offline Authentication Application
We also discussed the Offline Authentication Application and how it would work in a practical situation. We discussed having the following two in this application and discussing this further to add any others as needed.
- Signed Photo Verification (Signed by Issuing Authority, updated regularly)
- PoI (Persons of Interest) Checking System
We also finalized our list of final project deliverables with our supervisor as follows.
- eID card
    - Smart card based
    - Read-only memory based
- Online Authentication Web Service
- Browser Plugin for online authentication
- Offline Authentication Application
- Card Issuing/Updating Application
- 2 Research Papers (3rd one if time permits)
We had a meeting with our project supervisor Dr. Chandana Gamage today from 11.45am to 12.45am.
Today’s meeting was very important as we were able to identify many issues and problems to be considered in our project. I think this is due to the shortcomings in our initial design phase, but at least we found this at this point. We identified that the architecture we were working on has some problems and needs some changes. Due to this some of the earlier code of some modules needs to be changed significantly. But I think that the way things work…!
Problems we found:
- Session handling through browser (This was misinterpreted at the meeting, hope what we were thinking was OK)
- How we tie up the message flow? – How the transaction is handled among Relying Party, eID Holder, and eID System
- Protecting Privacy in transaction – This will be one big concern, but we need to decide to what level we can do this.
- Possible DoS attacks
- A model similar to the Card Space specification (I don’t think this alone will solve our problems)
- But we could adapt something from here to our system
- Changing the message flow, having user in the middle instead of the eID System in the middle (?)
Discussed the progress on the eID Card development. As we wanted to use Java Card, we decided to order and buy a Java Card and Reader for this purpose. We will have to decide on a suitable card soon and buy it, as it could help us progress faster. We will have to find a way to get it from Singapore or some place.
Read Only USB Token:
Even though we are doing the main development using Java Card, our project supervisor suggested that we have another option also with read-only USB tokens, as it could add value to the project. We will have to look into this too.
- Need to update the project web site regularly (Seems missing a lot lately)
- Having regular meetings with project supervisor, as it would help us greatly to identify flaws and issues in the project progress.
- We need to speed up things a little more as we have a lot more to do
We had a group discussion this afternoon. This is the summary of outcomes.
- Information is contained in the eID card
- Problems identified
    - Lost cards
    - Forgotten passkeys
- What next?
eID will be based on Public Key Infrastructure (PKI) and certificates. In addition to any technical data, the card will contain the Certification Authority certificates and the card-holder’s identification (public) and signature (private) certificates.
One option about personal data that would be included in the card-holder’s certificates are first name, family name and a unique electronic identifier. The electronic identifier is a serial number that does not tell anything about its holder, unlike the identity card number. If the card-holder has notified that his or her e-mail address is to be inserted in the certificate when filing the card application, it could also be a part of the information content of the certificate.
On the other hand, as we are having a physical/printed interface on the card, there is the question of why we should not store the holder’s personal information like identity card number, home address, date of birth or other similar information on the card. But we have to decide on this based on how secure this could be and how this could be used in different modes of operation.
Also we thought of two-key-based security to secure the data in the card. One is the PIN code, which could be used to decrypt the encrypted portion of data on the card, which could include the private key and any other information with a similar privacy requirement. Then we could have another PUK code, which would be the pass phrase that is needed for signing with the private key. But again we have a problem of complexity, where remembering two keys might be difficult.
One more problem we identified at today’s discussion was about lost eID cards. The only option in that case would be to revoke the certificate pairs and to reissue with new ones. But this had a problem, as we might not be able to recover any data that is already encrypted using the lost keys. The same also applies to forgetting the pass codes. We also have to think of a way to handle this problem.
We also have to submit the design document by next week, so we need to complete the design diagrams we have so far and need to put everything in the correct format. We will be meeting tomorrow as well and will be working on the preparation of the design document.
List of things we need to do:
- Find solutions to problems identified
- Think more on offline mode of operation, as I think we are not that sure on that
- Prepare design document
We had a meeting with our project supervisor Dr. Chandana Gamage today from 1.15pm to 3.45pm.
- Privacy –
The privacy of the holder will be the key feature in our eID when comparing to other similar implementations. Thus we must ensure privacy protection is there in the very system level.
- Unlinkability –
This is another feature which should be provided and would be another important aspect. [Example use case: at police check points they need not keep recording every checked user’s details, but they can cross check the card ID or serial number with the existing suspects list and provide a way to indicate whether to check that person further or not.]
- Back tracking with proper legal concern –
On the other hand, unlinkability conflicts with the need for back tracking, which might be a need for authorities to track back a person in the past. But these track back logs should not be used by just any person; it should be done with proper legal permission and with the concern of the user.
One solution Dr. Gamage suggested is like this. Encrypt every log save with Sign-Private-(secret—).
Dr. Chandana Gamage suggested that we should study these issues and come up with possible solutions by next week. He also mentioned that it is better to have a very clear idea about what we are planning to do and then move into developing.
We will also need to make a prototype very soon, for the next evaluation.
Rough Architecture Design
We also discussed a basic overall architecture and a few possible use cases of the system.
Used to authenticate the holder to
- A person
- A computer/application system
- Access a service from RP
- Relying Party (RP)
- Authentication request to eID-WS
- eID Web Service (eID-WS)
- Access user eID card connected to user PC
- Validate user
- Reply from eID-WS to RP (Yes/No) + Any further detail requested again with the concern of the eID holder
- Normal operation continues
We have divided the project development into the following distinct components, but many of them have interdependency.
- eID Card
- Offline Application/API/Library
- Web Services
    - Request handling – from relying party
    - Request processing
    - Accessing eID card – with holder
    - Using back end system and DB
    - Reply request – to relying party
- Back end infrastructure
- Issuing authority application systems
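
The request/reply flow between relying party, eID-WS and card listed above, together with the earlier question of how to tie up the message flow, sketched as an added example (not the project's own code). It assumes a MAC key shared between the relying party and eID-WS and a constructed stand-in for the card; all class, function and field names are hypothetical.

```python
import hashlib, hmac, json, secrets

RP_KEY = secrets.token_bytes(32)  # assumed: MAC key shared by RP and eID-WS
SAMPLE_CARD = {"cert_valid": True,  # constructed stand-in for the holder's card
               "attributes": {"name": "A. Holder", "email": "holder@example.org"}}

def mac(key, message):
    """HMAC-SHA256 over a canonical JSON encoding of the message."""
    body = json.dumps(message, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class RelyingParty:
    def __init__(self, key):
        self.key, self.pending = key, set()

    def new_request(self, wanted):
        # A fresh nonce ties the eventual reply to this one transaction.
        request = {"nonce": secrets.token_hex(16), "wanted": sorted(wanted)}
        self.pending.add(request["nonce"])
        return request, mac(self.key, request)

    def accept(self, reply, tag):
        ok = (hmac.compare_digest(tag, mac(self.key, reply))
              and reply["nonce"] in self.pending)
        if ok:
            self.pending.discard(reply["nonce"])  # each reply is usable once
        return ok and reply["authenticated"]

class EidWebService:
    def __init__(self, key, read_card):
        self.key, self.read_card, self.seen = key, read_card, set()

    def authenticate(self, request, tag, consent):
        if not hmac.compare_digest(tag, mac(self.key, request)):
            return None                      # altered, or not from this RP
        if request["nonce"] in self.seen:
            return None                      # replayed request
        self.seen.add(request["nonce"])
        card = self.read_card()
        valid = bool(card and card["cert_valid"])
        released = {}
        if valid:                            # release only what the holder approved
            released = {k: card["attributes"][k] for k in request["wanted"]
                        if k in consent and k in card["attributes"]}
        reply = {"nonce": request["nonce"], "authenticated": valid,
                 "attributes": released}
        return reply, mac(self.key, reply)
```

The `seen` set grows with every request, so a real service would need to expire old nonces; that bookkeeping is left out here.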