Investigating Open Source Alternatives for an Electronic Identity System
(2016) EITM01 20161
Department of Electrical and Information Technology
- Abstract
- Electronic IDs enable people, companies and organizations to sign documents and authenticate online. Considering the potential losses, the security in an eID system is crucial. The eID system in Sweden today, BankID, is closed source and uses proprietary standards. In our thesis we have investigated if open standard and open source can be an alternative. First we reviewed the research about security in open source contra closed source. The research was not conclusive and one cannot conclude that either of them provides more security. We show that using open source is a possibility, by implementing a proof-of-concept eID solution utilizing the framework SAML 2.0 and the protocol FIDO U2F. They are both open standards and there are several open implementations of SAML 2.0 and libraries for FIDO U2F to use. To verify that FIDO is a suitable protocol we looked at other possible two-factor authentication solutions, such as OATH-HOTP and OATH-TOTP. The thesis also reviews some potential attacks against our system and we discuss how to mitigate them.
Please use this url to cite or link to this publication:
http://lup.lub.lu.se/student-papers/record/8873018
- author
- Richter, Martin LU and Ahlbom, Per LU
- supervisor
- Martin Hell LU
- organization
- course
- EITM01 20161
- year
- 2016
- type
- H2 - Master's Degree (Two Years)
- subject
- report number
- LU/LTH-EIT 2016-499
- language
- English
- id
- 8873018
- date added to LUP
- 2016-06-07 10:01:47
- date last changed
- 2016-06-07 10:01:47
@misc{8873018,
  abstract = {{Electronic IDs enable people, companies and organizations to sign documents and authenticate online. Considering the potential losses, the security in an eID system is crucial. The eID system in Sweden today, BankID, is closed source and uses proprietary standards. In our thesis we have investigated if open standard and open source can be an alternative. First we reviewed the research about security in open source contra closed source. The research was not conclusive and one cannot conclude that either of them provides more security. We show that using open source is a possibility, by implementing a proof-of-concept eID solution utilizing the framework SAML 2.0 and the protocol FIDO U2F. They are both open standards and there are several open implementations of SAML 2.0 and libraries for FIDO U2F to use. To verify that FIDO is a suitable protocol we looked at other possible two-factor authentication solutions, such as OATH-HOTP and OATH-TOTP. The thesis also reviews some potential attacks against our system and we discuss how to mitigate them.}},
  author = {{Richter, Martin and Ahlbom, Per}},
  language = {{eng}},
  note = {{Student Paper}},
  title = {{Investigating Open Source Alternatives for an Electronic Identity System}},
  year = {{2016}},
}