Notes - MCS
Identification, Authentication and Authorization

eIDAS

electronic IDentification, Authentication and trust Services

  • EU regulation on electronic identification and trust services for electronic transactions in the internal market (Regulation (EU) No 910/2014)

Sets the standards and criteria for

  • Simple electronic signature

  • Advanced electronic signature

  • Qualified electronic signature

  • Qualified certificates

  • Online trust services

Regulates electronic transactions and their management

Types of electronic signature

Electronic signature

Data in electronic form attached to (or logically associated with) other electronic data and used by the signatory to sign; no requirement is placed on how it is produced, so a typed name or a scanned handwritten signature qualifies

Advanced electronic signature

An electronic signature that is:

  • Uniquely linked to the signatory and capable of identifying them

  • Created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control

  • Linked to the signed data in such a way that any subsequent change to that data is detectable

Qualified electronic signature

Advanced electronic signature created by a qualified electronic signature creation device (QSCD) and based on a qualified certificate for electronic signatures

Qualified trust services

Qualified trust service: a trust service that meets the applicable eIDAS requirements

  • Operates at a high level of confidence and technical security, under supervision of the national supervisory body

Trust service provider (TSP): a natural or legal person who provides one or more trust services

  • Either as a qualified or as a non-qualified trust service provider

Qualified trust services enjoy legal presumptions

  • E.g. a qualified electronic signature has the equivalent legal effect of a handwritten signature and is recognised in all Member States

Trust service: an electronic service, normally provided for remuneration, consisting of:

  • Creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services

  • Creation, verification and validation of certificates for website authentication

  • Preservation of electronic signatures, seals or certificates related to those services.

Qualified (digital) certificate

Public key certificate issued by a qualified trust service provider

  • The TSP's qualified status is granted by the national supervisory body and published in the national trusted list

Essential for non-repudiation

  • Binds a public key, and so every signature made with the corresponding private key, to an identified natural person (citizen) or legal person

Signatures produced with the corresponding private key have legal value (a qualified electronic signature is legally equivalent to a handwritten signature)

Trusted lists (TSL)

Each Member State shall establish, maintain and publish trusted lists

  • Trusted-Service Status List (TSL): the list of trust service providers, and of their services, that are registered or accredited by the national supervisory body, with the current status of each service (e.g. granted, withdrawn) and its status history

  • Information about qualified trust service providers for which it is responsible

  • A TSL may include information on non-qualified trust service providers

    • It shall be clearly indicated that they are not qualified according to EU Regulation

Member States shall establish, maintain and publish, in a secured manner, the electronically signed or sealed trusted lists in a form suitable for automated processing

  • XML following ETSI TS 119 612, signed with an XML digital signature (XMLDSig)

Member States shall notify to the Commission information on the body responsible for establishing, maintaining and publishing their national TSL

  • And details of where such lists are published, the certificates used to sign or seal the trusted lists and any changes thereto

  • In Portugal: GNS (Gabinete Nacional de Segurança)

The Commission publishes, through a secure channel, the information about member States’ TSL

  • In electronically signed or sealed form suitable for automated processing

  • LOTL (List of Trusted Lists): the Commission's signed master list, which points to each national TSL and carries the certificates used to sign it, so a verifier can walk from the LOTL to every national list
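Worked example (added here; it is not part of the original notes and not code from any eIDAS project): what a relying party does with a national TSL once the LOTL and the TSL signatures have been verified. It parses the list, collects the certificate digests of each CA/QC service, and answers "was this CA a qualified CA with status granted at the time the signature was made?", walking the service's status history rather than only its current status. It also refuses a list past its NextUpdate. Assumptions: element names, namespace and status/type URIs are those of ETSI TS 119 612; the list below is a constructed, heavily trimmed stand-in (one provider, one service) and the "certificate" is placeholder bytes, not real DER; XMLDSig verification is assumed to have happened before this code runs.

```python
"""Added example (not from these notes): consume an eIDAS trusted list (TSL).
Assumes the XMLDSig signature on the list, and on the LOTL pointing to it, was
verified beforehand; nothing here checks signatures. Element names and URIs
follow ETSI TS 119 612; the list itself is constructed for the example."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}        # TS 119 612 namespace
QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"  # CA issuing qualified certs
GRANTED = "http://uri.etsi.org/TrstSvc/TrstSvc/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrstSvc/Svcstatus/withdrawn"

# Constructed stand-in for a CA certificate's DER bytes (not a real certificate).
FAKE_CA_DER = b"constructed-placeholder-for-a-DER-encoded-CA-certificate"

# Constructed, trimmed trusted list: one QTSP with one CA/QC service whose status
# went granted (2020-01) -> withdrawn (2022-06) -> granted again (2023-01).
SAMPLE_TSL = """<?xml version="1.0"?>
<tsl:TrustServiceStatusList xmlns:tsl="http://uri.etsi.org/02231/v2#">
<tsl:SchemeInformation><tsl:SchemeTerritory>PT</tsl:SchemeTerritory>
<tsl:NextUpdate><tsl:dateTime>2024-07-01T00:00:00Z</tsl:dateTime></tsl:NextUpdate></tsl:SchemeInformation>
<tsl:TrustServiceProviderList><tsl:TrustServiceProvider>
<tsl:TSPInformation><tsl:TSPName><tsl:Name xml:lang="en">Example QTSP</tsl:Name></tsl:TSPName></tsl:TSPInformation>
<tsl:TSPServices><tsl:TSPService>
<tsl:ServiceInformation><tsl:ServiceTypeIdentifier>{qc_ca}</tsl:ServiceTypeIdentifier>
<tsl:ServiceName><tsl:Name xml:lang="en">Example Qualified CA</tsl:Name></tsl:ServiceName>
<tsl:ServiceDigitalIdentity><tsl:DigitalId><tsl:X509Certificate>{cert}</tsl:X509Certificate></tsl:DigitalId></tsl:ServiceDigitalIdentity>
<tsl:ServiceStatus>{granted}</tsl:ServiceStatus><tsl:StatusStartingTime>2023-01-01T00:00:00Z</tsl:StatusStartingTime>
</tsl:ServiceInformation>
<tsl:ServiceHistory>
<tsl:ServiceHistoryInstance><tsl:ServiceTypeIdentifier>{qc_ca}</tsl:ServiceTypeIdentifier>
<tsl:ServiceStatus>{withdrawn}</tsl:ServiceStatus><tsl:StatusStartingTime>2022-06-01T00:00:00Z</tsl:StatusStartingTime></tsl:ServiceHistoryInstance>
<tsl:ServiceHistoryInstance><tsl:ServiceTypeIdentifier>{qc_ca}</tsl:ServiceTypeIdentifier>
<tsl:ServiceStatus>{granted}</tsl:ServiceStatus><tsl:StatusStartingTime>2020-01-01T00:00:00Z</tsl:StatusStartingTime></tsl:ServiceHistoryInstance>
</tsl:ServiceHistory>
</tsl:TSPService></tsl:TSPServices></tsl:TrustServiceProvider></tsl:TrustServiceProviderList>
</tsl:TrustServiceStatusList>""".format(qc_ca=QC_CA, granted=GRANTED, withdrawn=WITHDRAWN,
                                      cert=base64.b64encode(FAKE_CA_DER).decode())

def parse_time(s):
    """'2023-01-01T00:00:00Z' -> aware UTC datetime (a datetime passes through)."""
    if isinstance(s, datetime):
        return s
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

@dataclass
class TrustService:
    tsp: str
    name: str
    cert_digests: set = field(default_factory=set)  # sha256 hex of each DER cert
    timeline: list = field(default_factory=list)    # (start, status_uri, type_uri)

    def status_at(self, when):
        """(status, type) in force at `when`: the newest entry starting <= when."""
        when = parse_time(when)
        for start, status, svc_type in sorted(self.timeline, reverse=True):
            if start <= when:
                return status, svc_type
        return None  # the service did not exist yet

def _entry(node):  # ServiceInformation or ServiceHistoryInstance -> timeline tuple
    return (parse_time(node.findtext("tsl:StatusStartingTime", namespaces=NS)),
            node.findtext("tsl:ServiceStatus", namespaces=NS),
            node.findtext("tsl:ServiceTypeIdentifier", namespaces=NS))

def parse_tsl(xml_text):
    """Flatten every TSPService of the list into TrustService records."""
    root = ET.fromstring(xml_text)
    services = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService", NS):
            info = svc.find("tsl:ServiceInformation", NS)
            ts = TrustService(tsp_name, info.findtext("tsl:ServiceName/tsl:Name", namespaces=NS))
            for cert in info.iterfind("tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509Certificate", NS):
                der = base64.b64decode("".join(cert.text.split()))  # base64 may be line-wrapped
                ts.cert_digests.add(hashlib.sha256(der).hexdigest())
            ts.timeline.append(_entry(info))  # current status ...
            ts.timeline.extend(_entry(h) for h in  # ... plus every earlier status
                               svc.iterfind("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS))
            services.append(ts)
    return services

def list_is_current(xml_text, now):
    """A list past its NextUpdate must be re-fetched (and re-verified), not trusted."""
    root = ET.fromstring(xml_text)
    nxt = root.findtext("tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime", namespaces=NS)
    return parse_time(now) < parse_time(nxt)

def is_qualified_ca_at(services, ca_der, when):
    """True iff a CA holding this DER cert was listed CA/QC with status 'granted' at `when`."""
    digest = hashlib.sha256(ca_der).hexdigest()
    for svc in services:
        if digest in svc.cert_digests:
            return svc.status_at(when) == (GRANTED, QC_CA)  # None == tuple is False
    return False
```

The point of the status history: a signature made in August 2022, while the CA's status was withdrawn, must not be treated as qualified even though the same CA is "granted" today, so the lookup is always done for the signing time, not the verification time. In a real deployment the DER bytes come from the signer's certificate chain, the list is fetched from the URL the LOTL gives for that Member State, and both the LOTL and the TSL signatures are checked against the Commission-published certificates before any of this parsing is trusted.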

eID Levels of Assurance (LoA)

Confidence in the identity claimed by a person

  • How certain a service provider can be that the person authenticating with an eID is its legitimate holder

    • And not someone else impersonating that holder

  • The difficulty one would have to use someone else’s eID to access an online service

3 levels: low, substantial, high

The LoA considers:

  • The process of obtaining the eID scheme (enrolment)

  • How the eID means is designed and managed (e.g. number and kind of authentication factors, issuance and revocation)

  • How authentication is performed

CEF (Connecting Europe Facility) eID

Citizens of one Member State (MS) can prove and verify their identity when accessing online services in another MS

  • Using their national eIDs and connecting with their country IdP

Steps:

  1. A citizen requests an on-line service in another MS

  2. The citizen is requested to authenticate themselves by the on-line service

  3. The citizen chooses to authenticate with an eIDAS eID

  4. The authentication request is delegated to the citizen’s country

    1. Through the eIDAS network, to the citizen’s IdP

  5. The authentication result is returned to the service provider

  6. Authentication is complete

    1. And the citizen can proceed with accessing the service

Mutual recognition obligation, in force since 29 September 2018:

  • All online public services requiring electronic identification with substantial or high LoA must accept the eID schemes notified by other EU Member States


Additional Context

Further reading: eIDAS Regulation for Portugal

Several large-scale pilots are testing the EU Digital Identity Wallet:

  • POTENTIAL

  • EWC

  • NOBID

  • DC4EU