Investigating Open Source Alternatives for an Electronic Identity System

Richter, Martin LU and Ahlbom, Per LU (2016) EITM01 20161
Department of Electrical and Information Technology
Abstract
Electronic IDs enable people, companies and organizations to sign documents and authenticate online. Considering the potential losses, the security of an eID system is crucial. The eID system used in Sweden today, BankID, is closed source and uses proprietary standards. In our thesis we have investigated whether open standards and open source can be an alternative. First we reviewed the research on security in open source versus closed source. The research was not conclusive, and one cannot conclude that either of them provides more security. We show that using open source is a possibility by implementing a proof-of-concept eID solution utilizing the SAML 2.0 framework and the FIDO U2F protocol. Both are open standards, and there are several open implementations of SAML 2.0 and libraries for FIDO U2F to use. To verify that FIDO is a suitable protocol, we looked at other possible two-factor authentication solutions, such as OATH-HOTP and OATH-TOTP. The thesis also reviews some potential attacks against our system and discusses how to mitigate them.
author: Richter, Martin (LU) and Ahlbom, Per (LU)
supervisor:
organization: Department of Electrical and Information Technology
course: EITM01 20161
year: 2016
type: H2 - Master's Degree (Two Years)
subject:
report number: LU/LTH-EIT 2016-499
language: English
id: 8873018
date added to LUP: 2016-06-07 10:01:47
date last changed: 2016-06-07 10:01:47
@misc{8873018,
  abstract     = {Electronic IDs enable people, companies and organizations to sign documents and authenticate online. Considering the potential losses, the security in an eID system is crucial. The eID system in Sweden today, BankID, is closed source and uses proprietary standards. In our thesis we have investigated if open standard and open source can be an alternative. First we reviewed the research about security in open source contra closed source. The research was not conclusive and one can not conclude that either of them provide more security. We show that using open source is a possibility, by implementing a proof-of-concept eID solution utilizing the framework SAML 2.0 and the protocol FIDO U2F. They are both open standards and there are several open implementations of SAML 2.0 and libraries for FIDO U2F to use. To verify that FIDO is a suitable protocol we looked at other possible two factor authentication solutions, such as OATH-HOTP and OATH-TOTP. The thesis also reviews some potential attacks against our system and we discuss how to mitigate them.},
  author       = {Richter, Martin and Ahlbom, Per},
  language     = {eng},
  note         = {Student Paper},
  title        = {Investigating Open Source Alternatives for an Electronic Identity System},
  year         = {2016},
}