A National Mobile Identity Management Strategy PDF
Email: wangham@univali.br
Abstract—The purpose of electronic government (e-Gov) programs is to promote government transparency and improve interactions with its citizens. One of the strategies used by governments for the development and enhancement of e-Gov services is the adoption of a Mobile Identity Management (IdM) System. In this context, this paper aims to describe a Mobile eID solution for a Brazilian IdM Strategy. Our proposed solution focuses on security, privacy, and usability using FIDO UAF, TEE, and SAML standards. A prototype was developed and evaluated through functional test cases and a user usability satisfaction questionnaire. The results showed our proposed mobile eID system contributes more to user privacy than the current e-Gov services. However, we observed in the experiments that usability could be affected when the user does not understand alert messages.

Index Terms—National Identity Management Strategy, Electronic Government, Mobile Identity

I. INTRODUCTION

Electronic Government (e-Gov) programs are established on information and communications technologies to democratize access to information, to boost public services and to provide efficiency and effectiveness of these services [1], [2].

A national identity management strategy is a set of procedures, laws, and technologies used by governments to manage citizens’ electronic identities. The development and implementation of digital identity management systems are essential steps to consolidate the e-Gov program [3].

The Brazilian government has been working with some initiatives to create a national identity management strategy, such as National Civil Identity (Registro de Identidade Civil - RIC) and National Document of Identity (Documento de Identificação Nacional - DIN), proposed by the Ministry of Justice and the Superior Electoral Court respectively [2]. On the one hand, RIC shows evident signs that the project is going to be discontinued; on the other, the DIN tends to become a reality [4].

Torres et al. [5] proposed a national identity management strategy to boost Brazilian electronic government. Torres’ proposal is a theoretical model based on RIC and follows a centralized identity model. A Service Provider (SP) can have different Levels of Assurance (LoA) over citizen identity proof. In the citizens’ authentication process, the SP can request username/password authentication, a one-time password (OTP) or even a mobile eID or an eID embedded in a smart card.

This work proposes a Mobile eID Management strategy aligned with the Brazilian national e-Gov strategy proposed in [5]. This proposal has the following premises: (1) strong authentication mechanisms; (2) low operating and implementation costs; (3) simple to deploy and to use. Our proposed solution focuses on security, privacy, and usability using FIDO UAF and SAML standards. FIDO UAF [6] is a royalty-free standard based on public key cryptography, and it provides a passwordless experience to users. The strategy uses the trusted execution environment (TEE) available in smartphones as a secure element, instead of the use of a SIM card [7], having the same level of usability and security. As a proof of concept, we developed a software prototype (called mID-BR) to verify the feasibility and applicability of the proposed model.

The rest of the paper is organized as follows. Section II presents background concepts. In Section III we present the related works. Our proposal is explained in Section IV and the system prototype in Section V. The system prototype evaluation is presented in Section VI. Finally, in Section VII we present the conclusion and future works.

II. BACKGROUND

In this section we provide a brief background on electronic identity (eID), identity management systems (IdM), the Brazilian national IdM strategy by Torres et al. [5], mobile identity and the FIDO UAF standard.

A. Electronic Identity (eID)

A person’s identity can be defined as a set of personal information used to properly define an individual. This information can be the person’s name, the biometric record, the mother’s name, the date and place of birth, etc. [8]. Electronic Identity (eID) is a set of personal information used in an electronic context [9].

Identity management is a set of technologies, processes and policies that aim to assure the information quality of an identity (identifiers, credentials, attributes) and, as a consequence, that this identity is safe to be used by mechanisms that perform authentication, authorization, accountability and audit [10].

B. Identity Management Systems (IdM)

An identity management system consists of the integration of technologies, policies and business processes. IdM system
Most mobile ID solutions establish a public-private partnership; nevertheless, the level of relationship among them is not known [7]. Hence, it is not possible to identify how far the government dictates business policies and defines which technological standards should be followed. In PPP solutions, the citizens must change the SIM card for one with cryptographic functions [18], as in the case of Iceland. Since all PKI-enabled SIM cards have some embedded proprietary technology, the cost of ownership is higher for the final user.

In [19], apart from the usage of a SIM card, the authors also propose multi-factor authentication and biometrics. On the other hand, [21] proposes the use of an NFC-enabled mobile device to read an eID smartcard. However, both works only describe theoretical solutions and not implementation results.

In general, it can be observed that the usage of the SIM card as a secure element has been the most widely accepted Mobile eID solution among governments. This is possibly due to its implementation simplicity and its higher adherence to the e-Gov policies inherent to each country.

However, this implementation generates high costs with the acquisition of SIM PKI cards. These costs are usually transferred to the citizens or subsidized by the government [7]. For a country like Brazil, which has a high number of potential users, it is necessary to analyze the financial impact of a ready-to-use solution, as well as its adherence to the standards already established by the e-PING architecture.

Our proposal (mID-BR) stands out from the related works because it does not bind the citizens to a mobile data plan. It relies on TEE and the FIDO UAF protocol. Finally, the technologies used by mID-BR are aligned to e-PING [25], which allows the Brazilian Government to create its own business policies.

IV. NATIONAL MOBILE EID MANAGEMENT SYSTEM

This section describes our proposed Mobile eID Management System for the Brazilian Electronic Government. The system is aligned with the interoperability standards defined by the e-PING architecture [25] and based on the national Identity Management strategy proposed by Torres et al. in [5].

In order to guarantee adherence to the standards recommended by the Brazilian e-Gov program, the system adopts the following interoperability standards defined by e-PING: TLS (Transport Layer Security), to provide secure communication over a computer network; AES (Advanced Encryption Standard), for symmetric encryption; the X.509 standard, for digital certificates; SAML (Security Assertion Markup Language), to exchange authentication and authorization data between parties; XML (EXtensible Markup Language) and JSON (JavaScript Object Notation) as data exchange standards.

Some features of the Mobile eID solution can be highlighted:
• the usage of a centralized IdP, as defined by the national IdM strategy proposed in [5];
• the premise that the users’ mobile devices have been manufactured with FIDO UAF and SE or TEE;
• the FIDO UAF server should be configured to accept only a specific group of hardware manufacturers, thus avoiding the usage of mobile devices considered unsafe by the Brazilian government;
• the citizen’s fingerprint is used as biometric data to protect the private key generated in the mobile device;
• the “username” registered in the IdP has to go through an encryption process before it is sent to the SP, generating a unique pseudonym per SP; and,
• the premise that the digital certificates used have been issued by a trusted Certificate Authority (CA). It is assumed that the trusted CA is the Brazilian Public Key Infrastructure (ICP-Brasil) [26].

By combining the FIDO UAF standard with technologies embedded in the user’s mobile device such as TEE, the proposed solution increases security in the generation and storage of cryptographic keys used in the authentication protocols. Since the computational support used in the system is a mobile device, processing capacity for sensitive information is higher when compared to traditional secure elements (SIM card).

Regarding solution costs, the user is responsible for the acquisition of the mobile device, something common to all other mobile eID solutions. For the government, on the other hand, the option to use open standards allows the implementation of low cost government SPs.

Figure 1 shows a general overview of mID-BR and illustrates the integration between the system and the IdM strategy proposed in [5]. The following entities are presented in the system: the mID-BR application; the IdP, responsible for identifying the citizen in the electronic environment; and the SPs, representing government services that require authentication. The mID-BR application, installed in a mobile device, consists of an active client that directly interacts with the FIDO client provided by the device manufacturer. mID-BR is also responsible for interacting with the user, the IdP and the SP in the SAML assertion exchanges.

As shown in Figure 1, the citizen, possessing his/her FIDO ready mobile device, interacts with the government SP (Service Provider A) and with the SAML IdP by using the mID-BR application. The authentication and issuance of the citizen attributes assertion is made through the interaction between the IdP and the eID database.

Apart from what was proposed by the national IdM strategy [5], the IdP implements the FIDO UAF server but keeps on querying the identities database (eID) and the citizen attributes database (RIC), according to what has been previously defined.

Even though there is a trust relationship between the entities (see Figure 1), the citizen attributes are only sent from the IdP to the government SP after the user approves the release through a web form. This approach characterizes a user-centric IdM model, since every interaction with an SP must start with the citizen’s identification in the IdP and requires his/her authorization to release personal attributes.

The system is divided into four phases: (1) Mobile eID on-site registration at an authorized public agency; (2) e-Gov SP Mobile eID registration for electronic document signing; (3) Mobile eID usage to access e-Gov services; and, (4) Mobile eID revocation.
Figure 1. Mobile eID Management System Overview

In the mobile eID registration phase, shown in Figure 2, the citizen must go to an authorized public agency, with his/her FIDO ready mobile device along with an identity card to confirm his/her identity. After confirming the citizen’s identity, a government employee generates a “username” so that the citizen can install the mID-BR software in the device. The recently installed software will generate an asymmetric cryptographic key pair. The public key is sent to the government system where it will be associated to the government attributes database (RIC database shown in Figure 1). After the key and the attributes are linked, the registration is complete. According to FIDO specifications, the private key must be stored only in the citizen’s mobile device.

IdP. In the identification process, mID-BR only requires the citizen’s fingerprint to authenticate. After authentication, the IdP presents the citizen with a web form containing a list of personal attributes required by the SP. Only after the user confirms the attributes to be sent will the IdP generate a SAML assertion reply to the SP.

Finally, the Mobile eID revocation phase entails the exclusion of the registered public key in the IdP and in the SP. After the key exclusion, the citizen will not be able to authenticate in the IdP nor sign electronic documents. The revocation can be done from the mID-BR itself, or at a public registration agency. However, a new Mobile eID registration requires the citizen’s on-site attendance, as described in the registration phase.

A. Usage scenario

The current Brazilian voting system requires the citizen to physically attend the electoral section he/she belongs to in order to vote. As an example of the usage of the Mobile eID in Brazil, Figure 3 presents a hypothetical situation of electronic voting.

Figure 3. Usage scenario – online voting
as a proof of concept. The prototype is composed of a user agent for mobile phone (mID-BR), an authentication module for the IdP, and an SP that simulates an e-Gov service.

The tools and technologies were strategically chosen based primarily on free software, since the Brazilian Government believes that it reduces costs and develops technological knowledge in the country. The second reason was to meet the e-PING architecture requirements so as to adhere to the ongoing standards in Brazil.

An IdM testbed, GidLab¹ from RNP (Brazilian National Research and Education Network), was used to host the IdP and the SP in the experiments.

A. mID-BR App

The mID-BR app was developed for Android. An LG Nexus 5X mobile phone (launched in 2015) was used in the experiments and was chosen because it runs Android OS version 7.1.1 and has a fingerprint reader and TEE technology. However, since this phone is not FIDO certified, a FIDO client [27] was used to communicate with the FIDO UAF server.

The mID-BR implementation was done in two layers:
• 1st layer - active client: is responsible for the communication and SAML assertions exchange between the IdP and the SP, and for the interaction with the user;
• 2nd layer - FIDO interface: is responsible for the interaction with the mobile FIDO client, allowing the user registration through an asymmetric cryptographic key pair. It actively participates in the authentication process, requesting and receiving the information on the FIDO UAF server interaction from the FIDO client.

B. Identity Provider - IdP

A simpleSAMLphp authentication module, called “authFidoUAF”, was developed to authenticate mobile IdM system users. The “authFidoUAF” module was implemented based on SAML specifications, was defined through an XML Authentication Context Declaration, and validates the authentication token from the FIDO UAF server. As protection mechanisms, the following were noted in the prototype:
• The token is invalidated after a pre-defined time from the creation date;
• The token received by the active client is invalidated if the token content is different from the last token generated by the FIDO UAF server for the same user;
• The token is immediately invalidated by the IdP after being used;
• The token is accepted only if created through the user’s fingerprint.

PHP REST interfaces were implemented in the IdP to provide secure communication between the client and the FIDO server. These interfaces also allow secure communication between the FIDO server and authFidoUAF.

¹ https://gidlab.rnp.br/

VI. RESULTS

The prototype evaluation was performed in two stages: functional tests executed by the developer and an external tester; and the analysis of usability satisfaction questionnaire results from IT professionals.

For the evaluation of the prototype, functional test cases were defined and executed. Besides, some test cases evaluated the security of the solution. We configured the Nexus 5X phone with a user profile to install the software and to access the Internet using the wireless network. The seven test cases were successfully executed, from the mobile eID registration to its use and revocation.

After the evaluation of the test cases, twenty-six IT professionals performed the guided experiment and answered the usability satisfaction questionnaire during ten days in January 2018. The purpose of this questionnaire was to evaluate their satisfaction level regarding the use of the mID-BR application when accessing a fictitious government service provider.

The obtained results indicate that 96.2% of the evaluators felt comfortable during the execution of the test (use of the prototype). For 69.3%, performing the mobile eID registration in person at a public entity is considered an essential factor to increase the security of the proposed system. 76.9% believe that keeping the fingerprint stored on the user’s mobile device contributes to their privacy. About 46% prefer to combine more than one factor to authenticate in e-Gov services, but another 46.2% prefer to use only one biometric factor. For 84.6%, the Mobile eID solution improves citizen interaction with the government and helps reduce bureaucracy in the country. Finally, 88.5% of the evaluators consider that our proposed mobile eID system contributes more to user privacy than the current e-Gov services.

The results also showed that it is possible to guarantee the citizens’ privacy through the proposed Mobile eID Management system. However, we observed in the experiments that usability could be affected when the user does not understand alert messages.

VII. CONCLUSION

Throughout the years, some countries have been developing their IdM strategies based on eID cards. However, as observed in [28], those countries have faced low usage of those cards in the interactions between citizens and e-Gov services. On the other hand, as Mobile eID solutions rely on the steady increase of mobile telephony services and user-friendliness, this option has a better acceptance than the card-based solutions.

SIM card solutions have been widely adopted for the Mobile eID implementation simplicity and for offering tamper resistance [29], [7]. However, implementing Mobile eID using those cards results in high acquisition costs [7] and also costs with the hiring of data plans [24], since the citizen is identified through mobile phone networks [29]. This dependence between the government and the mobile network operators [22] also creates problems for the government SPs, such as the lack of confidence in the mobile network operators’ authentication infrastructure [18].
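The four token protections listed for the authFidoUAF module in Section V-B can be expressed as one server-side check. The following is an added example, not the prototype's PHP code: the class and field names, the 60-second lifetime and the "fingerprint" verification label are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ACCEPTED = "accepted"
    UNKNOWN_USER = "no token outstanding for this user"
    NOT_LATEST = "token differs from the last one issued for this user"
    ALREADY_USED = "token was already consumed"
    EXPIRED = "token older than the allowed lifetime"
    WRONG_VERIFICATION = "token was not created through fingerprint verification"


@dataclass
class _Record:
    token: str
    issued_at: float
    verification: str  # hypothetical label reported with the authentication result
    used: bool = False


class AuthTokenRegistry:
    """Tracks only the most recent token per user (assumed data model)."""

    def __init__(self, lifetime_seconds=60.0, clock=time.time):
        self.lifetime = lifetime_seconds
        self.clock = clock
        self._latest = {}

    def issue(self, user, verification):
        # Overwriting the entry makes any older token for this user unusable.
        record = _Record(secrets.token_urlsafe(32), self.clock(), verification)
        self._latest[user] = record
        return record.token

    def redeem(self, user, presented):
        record = self._latest.get(user)
        if record is None:
            return Verdict.UNKNOWN_USER
        # Rule 2: must equal the last token generated for this user
        # (constant-time comparison avoids leaking how many bytes matched).
        if not hmac.compare_digest(record.token.encode(), presented.encode()):
            return Verdict.NOT_LATEST
        # Rule 3: single use. Burn the token before any further check so a
        # failed attempt cannot be retried with the same value.
        if record.used:
            return Verdict.ALREADY_USED
        record.used = True
        # Rule 1: pre-defined lifetime counted from the creation date.
        if self.clock() - record.issued_at > self.lifetime:
            return Verdict.EXPIRED
        # Rule 4: accept only tokens created through the user's fingerprint.
        if record.verification != "fingerprint":
            return Verdict.WRONG_VERIFICATION
        return Verdict.ACCEPTED


def demo():
    """Walk through each rejection path with a constructed fake clock."""
    now = [1000.0]
    reg = AuthTokenRegistry(lifetime_seconds=60.0, clock=lambda: now[0])
    results = []
    t1 = reg.issue("citizen-a", "fingerprint")
    results.append(reg.redeem("citizen-a", t1))     # first use
    results.append(reg.redeem("citizen-a", t1))     # replay of the same token
    old = reg.issue("citizen-a", "fingerprint")
    new = reg.issue("citizen-a", "fingerprint")
    results.append(reg.redeem("citizen-a", old))    # superseded token
    now[0] += 61                                    # let the newest token age out
    results.append(reg.redeem("citizen-a", new))
    t_pin = reg.issue("citizen-b", "passcode")      # not a fingerprint login
    results.append(reg.redeem("citizen-b", t_pin))
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict.name, "-", verdict.value)
```
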
In this scenario, aiming to find a solution to implement a Mobile eID in Brazil that could bypass the problems faced by the solutions adopted by other countries, this paper has presented a proposal of a national eID management system and, as proof-of-concept, a system prototype has been developed and tested. The results obtained in the trials show that it is possible to guarantee the Mobile eID security and usability by the FIDO UAF, TEE standards and SAML specifications.

For future works, we suggest the study of other open-source secure authentication protocols, comparing those protocols to the solution presented in this paper which uses the FIDO UAF standards. We also suggest the study of Mobile eID technology providers, comparing them to open-source solutions, as well as promoting security tests in order to find possible vulnerabilities of those solutions.

ACKNOWLEDGMENT

The authors thank the National Research and Education Network (RNP) for providing the GIdLab experimentation environment that was essential for conducting the experiments and developing the prototype. This work was partially funded by CAPES (Coordination for the Improvement of Higher Education Personnel) and the Brazilian Ministry of Justice.

REFERENCES

[1] ONU, “e-government survey,” Economy & Social Affairs, 2014.
[2] J. A. Torres, H. Peixoto, F. de Deus, and R. de Sousa Junior, “An analysis of the brazilian challenges to advance in e-government,” in Proceedings of the 15th European Conference on eGovernment 2015: ECEG 2015. Academic Conferences Limited, 2015, p. 283.
[3] OECD, National strategies and policies for digital identity management in OECD countries. OECD Publishing, 2011.
[4] GOV.BR, “Projeto de lei da câmara n. 19, de 2017,” 2017. [Online]. Available: https://www25.senado.leg.br/web/atividade/materias/-/materia/128224
[5] J. A. Torres, G. Verzeletti, R. Távora, R. T. de Sousa Júnior, E. de Mello, and M. Wangham, “A national identity management strategy to enhance the brazilian electronic government,” CLEI Electronic Journal, vol. 20, no. 3, pp. 8:1–8:21, 2017. [Online]. Available: http://www.clei.org/cleiej-beta/index.php/cleiej/article/view/37
[6] S. Srinivas, J. Kemp, and F. Alliance, “Fido uaf architectural overview,” 2014.
[7] T. Zefferer and P. Teufl, “Leveraging the adoption of mobile eid and e-signature solutions in europe,” in Electronic Government and the Information Systems Perspective. Springer, 2015, pp. 86–100. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-22389-6_7
[8] NSTC, “Identity management task force report,” Subcommittee on Biometrics and Identity Management, 2008. [Online]. Available: https://www.whitehouse.gov/sites/default/files/microsites/ostp/nstc-identitymgmt-2008.pdf
[9] S. Clauß and M. Köhntopp, “Identity management and its support of multilateral security,” Computer Networks, vol. 37, no. 2, pp. 205–219, 2001. [Online]. Available: http://dx.doi.org/10.1016/S1389-1286(01)00217-1
[10] T. ITU, “Series Y,” Rec. ITU-T Y, vol. 2720, 2009. [Online]. Available: https://www.itu.int/rec/T-REC-Y/en
[11] A. Bhargav-Spantzel, J. Camenisch, T. Gross, and D. Sommer, “User centricity,” Journal of Computer Security, vol. 15, no. 5, pp. 493–527, 2007. [Online]. Available: http://dx.doi.org/10.3233/JCS-2007-15502
[12] A. Jøsang and S. Pope, “User centric identity management,” in AusCERT Asia Pacific Information Technology Security Conference. Citeseer, 2005, p. 77.
[13] I. Naumann and G. Hogben, “Privacy features of european eid card specifications,” Network Security, vol. 2008, no. 8, pp. 9–13, 2008. [Online]. Available: http://dx.doi.org/10.1016/S1353-4858(08)70097-7
[14] C. Bangdao and A. Roscoe, “Mobile electronic identity: securing payment on mobile phones,” in IFIP International Workshop on Information Security Theory and Practices. Springer, 2011, pp. 22–37.
[15] C. Rath, S. Roth, M. Schallar, and T. Zefferer, “A secure and flexible server-based mobile eid and e-signature solution,” in The Eighth International Conference on Digital Society, 2014, pp. 7–12.
[16] FIDO Alliance, “About the fido alliance,” 2016. [Online]. Available: https://fidoalliance.org/about/overview/
[17] FIDO Alliance, “The fido uaf metadata service,” 2016. [Online]. Available: https://fidoalliance.org/wp-content/uploads/FIDO Alliance Metadata Service White Paper 02122016.pdf
[18] T. Martens, “Electronic identity management in estonia between market and state governance,” Identity in the Information Society, vol. 3, no. 1, pp. 213–233, 2010. [Online]. Available: http://dx.doi.org/10.1007/s12394-010-0044-0
[19] B. En-Nasry and M. D. E.-C. El Kettani, “Towards an open framework for mobile digital identity management through strong authentication methods,” in FTRA International Conference on Secure and Trust Computing, Data Management, and Application. Springer, 2011, pp. 56–63. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-22365-5_8
[20] K. Bicakci, D. Unal, N. Ascioglu, and O. Adalier, “Mobile authentication secure against man-in-the-middle attacks,” in Mobile Cloud Computing, Services, and Engineering (MobileCloud), 2014 2nd IEEE International Conference on. IEEE, 2014, pp. 273–276. [Online]. Available: http://dx.doi.org/10.1109/MobileCloud.2014.43
[21] X. Wu, Y. Fan, X. Zhang, and J. Xu, “Research of eid mobile identity authentication method,” in International Conference on Trustworthy Computing and Services. Springer, 2014, pp. 350–358. [Online]. Available: http://dx.doi.org/10.1007/978-3-662-47401-3_46
[22] J. Krimpe, “Mobile id,” in Proceedings of the 2014 Conference on Electronic Governance and Open Society: Challenges in Eurasia. ACM, 2014, pp. 187–194. [Online]. Available: http://dx.doi.org/10.1145/2729104.2729133
[23] J. Prusa, “E-identity,” in IST-Africa Conference, 2015. IEEE, 2015, pp. 1–10. [Online]. Available: http://dx.doi.org/10.1109/ISTAFRICA.2015.7190586
[24] E. Kerttula, “A novel federated strong mobile signature service—the finnish case,” Journal of Network and Computer Applications, vol. 56, pp. 101–114, 2015. [Online]. Available: http://dx.doi.org/10.1016/j.jnca.2015.06.007
[25] GOV.BR, “Portaria slti/mp no 92, de 24 de dezembro de 2014,” 2014. [Online]. Available: http://eping.governoeletronico.gov.br/
[26] I. Brasil, “Infra-estrutura de chaves públicas brasileira,” 2016. [Online]. Available: http://www.iti.gov.br/icp-brasil
[27] E. R. De Mello, “A dummy fido uaf client suitable to conduct development tests on android smartphones that are not fido ready,” Mar. 2017. [Online]. Available: https://doi.org/10.5281/zenodo.375567
[28] A. Ruiz-Martínez, D. Sánchez-Martínez, M. Martínez-Montesinos, and A. F. Gómez-Skarmeta, “A survey of electronic signature solutions in mobile devices,” Journal of Theoretical and Applied Electronic Commerce Research, vol. 2, no. 3, p. 94, 2007.
[29] T. van Do, T. Jonvik, I. Jorstad, and T. Van Do, “Better user protection with mobile identity,” in IT Convergence and Security (ICITCS), 2013 International Conference on. IEEE, 2013, pp. 1–4. [Online]. Available: http://dx.doi.org/10.1109/ICITCS.2013.6717809