Automatic Electronic Identity Provides Information Security

June 2011
By Petr Jirásek, SIGNAL Magazine


The Automatic Liberal and User-Centric Electronic Identity, or ALUCID, security system takes a new approach to authentication to wed user convenience with security requirements.

The need to compromise security protocols may become passé.

A new approach to electronic security access employs an authentication framework designed to provide automatic identity without many of the drawbacks of traditional approaches. Instead of compromising between ease of use and effective access protection, this system aims to adopt the best of both worlds. Developed in the Czech Republic, the new approach already is in use in national and regional government organizations.

Many information technology experts believe that authentication and identity management are among the most important keys to transactions in the contemporary cyberworld. The turbulent expansion of the Internet, virtualization and mass usage of modern communications bring substantial risks. Unauthorized access to sensitive data, identity misuse and electronic personal data intrusion are among the most feared threats.

Most users more or less are conscious of the need to protect access to information systems. However, most access control tools annoy and hamper them. When these measures become too obstructive, the user becomes the weakest link in the system’s chain with his or her natural tendency to simplify the process of identification and authentication. The more different systems the user accesses, the more difficult it is to remember all the various passwords and to keep different access tokens. The most complex situation occurs when a wide set of users cooperate in a heterogeneous environment comprising diverse information systems.

Many information security experts focus on residual risk acceptance instead of searching for a compromise. Several key parameters can be used to compare various authentication methods. They include complexity of administration procedures, security level, security management and demands on users. Privacy protection, change management, the possibility of mass implementation and, last but not least, life cycle perspective also must be considered.

After two years of research into user-centric authentication, a Czech company has developed a solution that it believes will end the need for compromise between satisfactory access protection level and simplicity of usage. The company, known as ANECT, created the new automatic electronic identity system.

“We created an authentication system designed using the electronic identities infrastructure principle,” explains Libor Neumann, the developer of the automatic electronic identity concept. “It represents a novel approach to authentication, a really new authentication framework. This framework represents a comprehensive system of the concept, rules, procedures, and software and hardware components.

“The infrastructure is designed to transmit all authentications in information and communications systems via secure authentication layer,” he explains. “It takes over the risks related to authentication processes from the users and system administrators.”

In 2009, the company implemented the first prototype of the Automatic Liberal and User-Centric Electronic Identity, or ALUCID, at the Czech Republic Ministry of Culture in a pilot-use case. In 2010, ALUCID was integrated within the eHealth project of the Vysocina Regional Authority. Petr Pavlinec, the chief information officer of the regional authority, summarizes his experience with this solution: “We were facing a situation where users from regional hospitals were accessing the DRG [Diagnosis Related Group system for patient classification] application installed and administered in our facility. This was why we were looking for a secure access control solution that would be user friendly at the same time.

“The native authentication of the DRG application was login- and password-based, while the system contains highly sensitive patient data,” Pavlinec explains. “We as the regional authority represent the most advanced innovator in information and communications technology among other government organizations in the Czech Republic. We are always looking for novel ideas and keeping track of the newest trends. eHealth projects are of the highest priority for us, and in addition to that, we follow a long-term strategy. The access to a patient’s digitalized data becomes a standard that brings significant improvements to health care and reduces costs. However, we have to consider the high sensitivity of records such as diagnoses and examination results. They must be protected against unauthorized access as well as against data intrusion. The logs evidencing the accesses of particular users to the data must be ultimately reliable, which we can’t achieve with simple login and password authentication because users tend to share their credentials,” he concludes.

The Vysocina Regional Authority has been cooperating successfully with ANECT for many years. Based on the trustful relationship, Pavlinec agreed with Neumann on using the automatic electronic identity concept for the eHealth project. “We especially welcome the significant simplification of the authentication both for the end users and for us,” Pavlinec says, expressing his appreciation for this solution.

Automatic electronic identity has five main principles. First is a user-centric concept, in which the end user has one single gadget for authentication to all systems supporting ALUCID. The second is an anonymous electronic identity, or eID. All eIDs are secret. Third is a new approach to organizational procedures for eID management. The fourth is cooperation between the information and communications systems in interlinking and disconnecting online. The fifth principle is the integrated management of eID security.

The main objective is the elimination of login names and passwords, along with all of the complications connected with using them. In ALUCID, the user has only his or her Personal Electronic Identity Gadget, or PEIG, containing all of his or her eIDs.

A PEIG can take various forms. It can be software installed on a personal computer or mobile phone, or the user can have a special hardware PEIG in the form of a universal serial bus, or USB, memory stick. Once the PEIG is activated, its owner can use it to authenticate to all systems accepting ALUCID authentication without entering any login name and password. The only action required of the user is the PEIG activation itself; all the subsequent actions are performed automatically, including creation of particular identities for different information technology systems and services.

In this concept, the electronic identifier transmitted over the network is independent of the user’s real identity, and it is anonymous. According to Neumann, this arrangement brings many advantages for personal data protection and also for identity management automation. “These identifiers are unique pseudo-random numbers, and they also can be changed in the course of time,” he explains. “They are generated and used automatically. There is no human intervention required in the entire electronic identity life cycle. This concept allows us to deploy identities of a length and randomness that is not achievable by humans. No human mistakes caused by users and administrators occur anymore. Also, issues such as login name conventions and name conflicts disappear when we implement ALUCID.”

This approach does raise the issue of how the identifier is interlinked with a particular person. The administrator must be able to recognize who is on the other side and what access rights should be assigned to that identity. Pavlinec notes, “The user registration had to be resolved before the pilot started. Since the beginning in our eHealth strategy, we required the identity management [to be] independent on the application. We searched for a unified solution that can be integrated with all information systems and services that we are using and that we plan for the future. ALUCID fits perfectly into this concept, and its value for us will increase with every application that will be integrated with our new identity management system. It brings utility value for us as well as for the users.”

The development team had to approach identity management differently than usual. This new angle produced unconventional procedures that are simple and secure.

Petr Nosek, the development team lead, says, “Within this pilot project we implemented two variants of user identity creation and registration procedures. They are named according to their basic principles—Activation Key and Signed Form. The key point of these principles is that in ALUCID the electronic identity is not recorded to PEIG, but it is automatically created during the first communication between the PEIG and the application.”

From a security standpoint, ALUCID represents a framework that enables the use of different security levels, different authentication protocols and different algorithms in parallel. The security configurations also can be parameterized. The most recent implementation supports three security levels, which are distinguished by their incorporated methods of authentication secrets.

Level Zero (LZ) does not operate with any authentication secret. The user is identified only by the identifier’s value, and no identity verification is performed. This level is intended for legacy applications that cannot support a higher level, or for cases where no higher security is required.

Level Basic (LB) uses a shared authentication secret. The user and the authorization module of ALUCID on the application side share a common part of the authentication secret, in addition to the unique secrets held on each side. The identity is verified by proving knowledge of the secret to the opposite party. The secret is not transmitted during a regular proof of identity; it is transmitted only once, in a protected regime, at the moment the identity link is created.

Level Asymmetric Cryptography (LAC) utilizes the characteristics of asymmetric algorithms, such as a pair of keys—public and private—where only the public key is ever transmitted. The public key is not transmitted for proof of identity; it is exchanged only at the moment of identity creation or change. The private key is never shared. Various secure protocols and parameterized algorithms are implemented for proving possession of the private key.
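The following Python model, added here as an illustration and not ANECT's or ALUCID's code, walks a simulated PEIG through the three security levels above and the anonymous per-service identifiers described earlier: a fresh pseudo-random eID is created on first contact with each service (no login name), LZ checks only that the identifier exists, LB proves a shared secret by HMAC challenge-response so the secret itself crosses the wire only at link creation, and LAC proves possession of a private key whose public half is sent only at registration. The article names no concrete algorithms, so HMAC-SHA256 and a hash-based (Lamport) one-time signature are assumed stand-ins; the `server_db` dictionary, function names and challenge sizes are likewise constructed for the example.

```python
"""Constructed model of ALUCID's LZ / LB / LAC levels (not the product's code)."""
import hashlib
import hmac
import secrets

HASH_LEN = 32  # SHA-256 digest length in bytes


def new_identifier() -> str:
    """Anonymous per-service eID: a pseudo-random value unrelated to any real name."""
    return secrets.token_hex(32)


# ---- Level Zero: identifier only, no verification --------------------------
def lz_verify(server_db: dict, eid: str) -> bool:
    rec = server_db.get(eid)
    return rec is not None and rec["level"] == "LZ"


# ---- Level Basic: shared secret proven by challenge/response ---------------
def lb_register(server_db: dict, eid: str) -> bytes:
    """Identity link creation: the only moment the shared secret is handed over."""
    shared = secrets.token_bytes(32)
    server_db[eid] = {"level": "LB", "shared": shared}
    return shared


def lb_prove(shared: bytes, challenge: bytes) -> bytes:
    """PEIG side: prove knowledge of the secret without transmitting it."""
    return hmac.new(shared, challenge, hashlib.sha256).digest()


def lb_verify(server_db: dict, eid: str, challenge: bytes, proof: bytes) -> bool:
    rec = server_db.get(eid)
    if rec is None or rec["level"] != "LB":
        return False
    expected = hmac.new(rec["shared"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof)  # constant-time comparison


# ---- Level Asymmetric Cryptography: private key never leaves the PEIG -----
def lac_keygen():
    """Lamport one-time key pair: private = 2x256 random strings, public = their hashes."""
    priv = [[secrets.token_bytes(HASH_LEN) for _ in range(2)] for _ in range(256)]
    pub = [[hashlib.sha256(s).digest() for s in pair] for pair in priv]
    return priv, pub


def lac_register(server_db: dict, eid: str, pub) -> None:
    """Only the public key is transmitted, and only at identity creation."""
    server_db[eid] = {"level": "LAC", "pub": pub}


def lac_sign(priv, challenge: bytes):
    """Reveal one preimage per bit of the hashed challenge (single use only)."""
    bits = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    return [priv[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lac_verify(server_db: dict, eid: str, challenge: bytes, signature) -> bool:
    rec = server_db.get(eid)
    if rec is None or rec["level"] != "LAC" or len(signature) != 256:
        return False
    bits = int.from_bytes(hashlib.sha256(challenge).digest(), "big")
    for i, s in enumerate(signature):
        if hashlib.sha256(s).digest() != rec["pub"][i][(bits >> (255 - i)) & 1]:
            return False
    return True


def run_demo() -> dict:
    """Register one PEIG at each level, then attempt a later login (constructed run)."""
    server, out = {}, {}
    eid0 = new_identifier()                      # LZ: nothing but the identifier
    server[eid0] = {"level": "LZ"}
    out["lz_ok"] = lz_verify(server, eid0)
    out["lz_unknown"] = lz_verify(server, new_identifier())

    eid1 = new_identifier()                      # LB: secret shared once at link creation
    shared = lb_register(server, eid1)
    ch = secrets.token_bytes(16)
    out["lb_ok"] = lb_verify(server, eid1, ch, lb_prove(shared, ch))
    out["lb_wrong_secret"] = lb_verify(server, eid1, ch, lb_prove(b"guess", ch))

    eid2 = new_identifier()                      # LAC: public key sent once, private key kept
    priv, pub = lac_keygen()
    lac_register(server, eid2, pub)
    ch = secrets.token_bytes(16)
    sig = lac_sign(priv, ch)
    out["lac_ok"] = lac_verify(server, eid2, ch, sig)
    out["lac_replayed"] = lac_verify(server, eid2, secrets.token_bytes(16), sig)
    out["distinct_eids"] = len({eid0, eid1, eid2}) == 3
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The server stores nothing a human chose: each eID is a random string, the LB secret is generated rather than typed, and the LAC record holds only hashes of the private key. The replay check in `run_demo` shows why a challenge must be fresh per login; note that a Lamport key is single-use, so a real LAC deployment would use a reusable signature scheme in its place.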

ALUCID technology is evolving quickly, according to ANECT officials. The company announced a broad launch of an ALUCID-based product line, which aims particularly at eHealth and eGovernment applications. The firm’s development plan focuses on a broad variety of PEIG types using various hardware gadgets, and it is finishing versions that work on Android mobile phones.

Petr Jirásek is a security and information technology consultant in Prague, Czech Republic.