Knowledge data base

Authentication

"Verified Identity Verification, e.g. upon login, in communication between two systems or in exchange of messages between users". The Swedish data group recommends using the term authentication in the first case and message verification in the other.

Authentication is the process of verifying a user's identity. For example, strong authentication uses two or more factors: something you have, such as a smart card, and something you know, such as the PIN.

Authentication means being able to prove one's identity to someone else. As humans, we have no problem with this in everyday life, since we can authenticate ourselves in many different ways. For example, we recognise each other's voices on the phone or each other's faces when we meet.

When communicating over a network, one cannot rely on such methods and instead uses certificates, or e-credentials as they are also called.

There are many different PKI solutions for authenticating users, and by using digital certificates together with two-factor authentication one can achieve a very high level of security. A smart card in combination with a PIN, or a mobile ID and an app in a smartphone, are two common examples of such an authentication solution.

Strong authentication

Strong authentication is also referred to as two-factor authentication (2FA) as the identification is based on two principles, "something you have" and "something you know", such as a smart card and a PIN or a smartphone with an Expisoft Mobile ID installed.

A security solution based on 2FA offers much stronger protection than a username and a password, since the user is able to detect that he/she has lost his/her card / smartphone and can then block the card and request a new one. If an unauthorized person has got hold of the user's card / smartphone, he/she cannot use the e-ID stored on the smart card or the phone, since the PIN (password) is not known to the "attacker".


Authorization

In the IT context, the term "authorization" means determining who can do what in an IT system or in a particular application, in other words what rights a user should have. Therefore, the term "authentication" is often used instead of authorization.

Role-based authorization systems provide the best overview and simplicity of granting permissions to users. When a user tries to use a resource, it is verified that the user's role is entitled to use that resource. Often, a combination of role permissions and user privileges is used when the security configuration is made.

Authorization gives access to different resources based on an identity and / or role. Usually there are policies that regulate how access rights should be granted to the organization's users. Some examples of resources where users have different permissions / access rights are networks, databases, files, printers, applications, and services. Organizations that use technologies such as strong authentication, authorization and role-based eligibility control systems are well placed to achieve both good control and high security in their IT usage.


Mobile-ID

A Mobile ID is a personal electronic identification (e-ID) that is installed in the user's smartphone. E-identifications are stored in an application downloaded from the Apple App Store, Google Play Store, or Windows Store and protected with a password.

A Mobile ID should be regarded as an employment ID, i.e. an electronic ID that identifies both you personally and the organisation you belong to. It's therefore also sometimes called an organisational (or company) personal ID.

The use of a Mobile ID is in many ways similar to the use of the electronic identification (e-ID) that we use when logging in to our Internet bank or when communicating with municipalities, authorities etc. This ID (or certificate) is often called a "citizen" ID.

The main difference between these two types of electronic IDs is that in a citizen ID, the user's social security number is stored in the e-ID, while in the Mobile ID, a job-related number is stored.

An e-employment ID (i.e. Mobile-ID) contains information about the organisation's name, organisation number, holder's name and a unique ID. The unique ID is typically the employment number.

Simply put, an e-employment ID (Mobile-ID) is an electronic identity used by a company (or organisation) to identify an employee (and his/her organisation) when communicating over the Internet with different companies, authorities, municipalities and/or other organisations.

There are several reasons why companies, authorities and other organisations prefer to use an organisation e-ID instead of the employee's personal citizen e-ID:

  • Employees often do not want to use and expose their social security numbers in their workplaces - this is very common in the healthcare sector.
  • Since a personal citizen identification requires that a Swedish social security number is available, it cannot be used for electronic identification of foreign workers, asylum seekers, protected identities, etc.
  • The organisation may have policies or other regulations that limit how employees' social security numbers may be used in their profession.
  • An e-employment ID is not bound to national borders, i.e. it can be used by foreign actors, subsidiaries, etc.
  • At workplaces where citizen IDs are used, you need to write and distribute a paper (proxy) to authorise an employee to use a certain application for the organisation that owns the application. If you have several applications that the employee should use, you need to write a proxy for each application. When the user ends his/her employment, all of these proxies must be revoked, which can easily be forgotten due to human error.
  • With an organisation e-ID, the organisation can instead revoke the user's e-ID simply by revoking the employee's certificate (e-ID) when he/she ends his/her employment, since this e-ID belongs to the company, i.e. there is no problem with forgotten revocation of proxies in this case.

 


Integrity, Authenticity and non repudiation

Integrity means that the information you enter into and retrieve from an IT system has not been manipulated or changed since it was created.

Authenticity means that you can guarantee (prove) that the person who claims to have created or sent certain information really is the person he/she claims to be.

Non-repudiation refers to a state of affairs where the author of a statement will not be able to successfully challenge the authorship of the statement or validity of an associated contract. The term is often seen in a legal setting wherein the authenticity of a signature is being challenged. In such an instance, the authenticity is being "repudiated".

An electronic signature meets these three requirements. The person cannot deny that he/she signed the information, and it is possible to ensure that the information signed is exactly the same as the information you read/verify.

With an electronic signature, we can sign documents in the same way as with paper documents to prove their authenticity. Information can be transmitted digitally over public networks without any security risk. A qualified electronic signature is legally binding.

With electronic signatures, we are able to digitize business processes and streamline workflows such as processing routines and decisions, stamping and other routines that today require a paper copy with the signature of a manager.


RA - Registry Authority

RA is software installed on computers that can connect to a CA system in order to create e-identities, smart cards, lock certificates etc. You can say that an RA is the client part of a CA system.


Smart cards

A smart card is a card with built-in circuits that can store and process information. The card is usually made of PVC plastic. The card may also have a hologram to counter counterfeiting.

Smart cards are used to raise the security level beyond traditional password management when users log into the company's network and IT systems.

Certificates stored on smart cards are commonly referred to as Qualified Certificates and / or Qualified EID (i.e. electronic identifications).

PKI (Public Key Infrastructure)

PKI is a digital security infrastructure that uses public and private keys. This technology is often used to provide secure login to computer systems for users, secure communication between different systems across different communication paths and secure management of information, with the ability to sign documents.

PKI can easily be scaled up in hierarchies, where an already approved and authenticated publisher can vouch for other publishers.

 

Asymmetrical encryption

PKI uses asymmetric encryption. This is a digital security technology based on mathematical calculations (algorithms) whose input values are large prime numbers. The calculations create "pairs" of even greater numbers, the keys, with the special mathematical property that one number can be used to encrypt numeric data and the second number is used to decrypt (restore) the data. If the starting values in the calculations are large enough, it will be impossible in practice to find the second key by means of the first and thus break the encryption.

Asymmetric encryption in practice

Authentication and signing using PKI is an application of asymmetric encryption. You use a key pair: a public key and a private key. For authentication, anyone who needs to can access the public part of the key pair to encrypt messages or to build a login procedure in a system.

Only the one who has access to the private key can then decrypt the message and thereby verify his/her identity during a login process.

The reverse is used when signing a purchase, transaction or document. The sender signs with the private key, and a system or a holder of the public key can then verify with the public key that the sender is the one he/she claims to be. This applies to signatures on documents as well as, for example, to financial transactions.

 

Keys are registered on a certificate

The key pair is linked to a user with a digital certificate that can be embedded on a smart card or in a soft certificate. The responsible publisher, the Certificate Authority (CA), must be able to certify the person's identity. When registering in a CA system, the user must be physically identified using birth data, a passport, a national ID document or an equivalent.

 

CA guarantees security

The CA certificate issuer (Certificate Authority) also owns a registered key pair, similar to a user. Only one key in the key pair is public (the public key). When the CA issues a new user certificate, it signs this certificate with the CA's private key and thus guarantees the user's identity. CA signing prevents anyone from creating their own certificates in someone else's name without it being detected. The CA's public key must be available to those who use certificates or smart cards issued by this CA.

 

Verification

Programs that want to verify the authenticity of a user's certificate decrypt the signature with the CA's public key. The CA's public key is distributed by or retrieved from the CA certificate issuer.

The CA certificate is stored in the system (in AD) or in your computer's local archive of trusted certificate publishers, along with the other publishers you trust. This confirms that a user's certificate or server certificate issued by a CA you trust is not a false certificate and that the certificate has not been changed after it was issued.
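The key-pair, CA-signing and verification steps described above, as an added example that is not part of the original page or any vendor's code. It uses textbook RSA without padding and key pairs built from fixed, publicly known primes, so it illustrates the mechanism only; all names and the certificate layout are assumptions.

```python
import hashlib, json, secrets

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Textbook RSA: derive (public, private) keys from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(private, data):
    n, d = private
    return pow(digest(data) % n, d, n)               # needs the private key

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data) % n  # needs only the public key

def encode(fields):
    return json.dumps(fields, sort_keys=True).encode()

def issue_certificate(ca_private, subject, subject_public):
    """The CA binds a name to a public key by signing both."""
    body = {"subject": subject, "public_key": list(subject_public)}
    return {"body": body, "signature": sign(ca_private, encode(body))}

def verify_certificate(ca_public, cert):
    return verify(ca_public, encode(cert["body"]), cert["signature"])

def login(ca_public, cert, answer_challenge):
    """Server side: accept the key only via the CA, then test possession."""
    if not verify_certificate(ca_public, cert):
        return False
    n, e = cert["body"]["public_key"]
    challenge = secrets.randbelow(n - 2) + 2
    return answer_challenge(pow(challenge, e, n)) == challenge

def decryptor(private):
    """Client side: decrypt the encrypted challenge with the private key."""
    n, d = private
    return lambda ciphertext: pow(ciphertext, d, n)

# Constructed demo keys from fixed public primes (real keys use secret random primes).
CA_PUBLIC, CA_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
USER_PUBLIC, USER_PRIVATE = make_keypair(2**127 - 1, 2**89 - 1)
CERT = issue_certificate(CA_PRIVATE, "employee 1042, Example AB", USER_PUBLIC)
```

A certificate whose subject is edited after issuance, or one signed with any key other than the CA's private key, fails `verify_certificate`, and `login` succeeds only for the holder of the private key that matches the certified public key.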

 

CRL of revoked certificates (barring list)

The Certificate Revocation List (CRL) is a list of revoked certificates that the certificate publisher publishes. Having access to updated versions of these lists is an important part of the security. Certificates can be revoked for various reasons, for example because a smart card has fallen into the wrong hands and the PINs of the card have been disclosed, or because a user has terminated his/her employment and should no longer have access to any system belonging to his/her former employer. The user certificate contains, for example, the HTTP address from which the list is fetched, or the address of an LDAP directory. The check is completely automated but can also be turned off, depending on which application or browser is being used.

 

OCSP Online Certificate Status Protocol

With OCSP, you can always be sure to have the most recent and up-to-date information about a particular certificate. Each certificate contains the address of the OCSP server that has information about the certificate. A request is made for one individual certificate at a time. You can compare it to paying with a credit card through a terminal, where the card's status is checked directly.

 

Certificate Life Cycle

Certificates always have a limited service life. Depending on usage, a certificate may need to be recreated after a number of years or even months. The applications that use the certificate check the validity period.
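The validity-period and CRL checks described above, as an added example that is not part of the original page. It shows a relying application that refreshes the list when it is due and rejects the certificate when no current list is available, rather than skipping the check. The record layout, names and URL are assumptions, and verification of the CRL's own signature is left out.

```python
from datetime import datetime, timedelta, timezone

class CrlCache:
    """Keeps one CRL per distribution point and refreshes it once it is due."""
    def __init__(self, fetch):
        self.fetch = fetch    # callable(url) -> CRL dict; raises OSError if unreachable
        self.cache = {}

    def current(self, url, now):
        crl = self.cache.get(url)
        if crl is None or now >= crl["next_update"]:
            try:
                crl = self.cache[url] = self.fetch(url)
            except OSError:
                pass          # keep the old list; its freshness is judged below
        if crl is None or now >= crl["next_update"]:
            return None       # nothing that is still current
        return crl

def certificate_status(cert, crls, now):
    """Return 'valid' or the first reason the certificate must be rejected."""
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "rejected: outside validity period"
    crl = crls.current(cert["crl_url"], now)
    if crl is None:
        return "rejected: no current CRL"   # fail closed
    if cert["serial"] in crl["revoked"]:
        return "rejected: revoked (" + crl["revoked"][cert["serial"]] + ")"
    return "valid"

# Constructed sample data, not taken from any real CA.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CERT = {"serial": "4F21", "crl_url": "http://crl.example.test/ca.crl",
               "not_before": NOW - timedelta(days=30),
               "not_after": NOW + timedelta(days=700)}
CRL_OLD = {"next_update": NOW + timedelta(days=1), "revoked": {}}
CRL_NEW = {"next_update": NOW + timedelta(days=8),
           "revoked": {"4F21": "employment ended"}}
```

With `CRL_OLD` cached the certificate is accepted; once that list is due and `CRL_NEW` is fetched the same certificate is rejected as revoked, and if the fetch fails instead it is rejected because no current list exists.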

PKI solutions - usage/examples

- Authentication

Programs use a public key to encrypt something, for example an e-mail. Such an e-mail can only be decrypted by the user with the corresponding private key. For example, when two or more users exchange e-mails, they also share their respective public keys with each other, and these public keys are then used to encrypt the e-mails sent between them. An e-mail that arrives at the recipient can then be decrypted with the private key that only this recipient has. The recipient is the only one who can read the contents of the e-mail.

 

- Non repudiation

By signing outgoing e-mails with the sender's private key, all recipients of the e-mail are guaranteed that the identity of the sender is correct. The signature is verified by the recipients, who use the sender's public key to decrypt the e-mail's signature. Thus, the sender cannot deny that he/she has written the contents of the e-mail; the information becomes non-repudiable.

 

- Secrecy

Encryption is used to protect data when connecting to a web server, to obtain secure login to business systems, to secure information exchange between machines, and for login to a single computer and signing. Encryption is also used to protect data stored on disk or in different files, i.e. encryption of documents, transactions, files, directories and disks.