Electronic Authentication for University Transactions using eIDAS

Konstantinos Gerakos, Michael Malippis, Constantina Costopoulou, and Maria Ntaliani
Informatics Laboratory, Department of Agricultural Economics and Rural Development, Agricultural University of Athens, Athens, Greece
{[email protected], [email protected], [email protected], [email protected]}
Abstract. The lack of a comprehensive European Union cross-border and cross-sector framework for secure, easy-to-use and authenticated electronic transactions has led to the electronic IDentification and Authentication Services (eIDAS) regulation. The main objective of this article is to describe the connection of existing services of the Agricultural University of Athens to the Greek eIDAS node. In this context, it describes the connection of the Erasmus exchange student identification service (i.e. the student mobility service) to the node. Specifically, the optimization of the existing service procedures and the development of automated Web Services based on and compatible with the eIDAS regulation are presented.

Keywords: Security, Identification, Authentication, Erasmus Program
1 Introduction
Cloud computing and web services have led to radical changes in the services provided by government agencies. Throughout the world, governmental organizations are upgrading their Information Technology (IT) systems to provide automated services to the public, as well as to their collaborators nationwide. Cross-border applications have proven beneficial and useful for citizens and businesses, but compatibility problems still occur at the level of user authentication in transnational services [1]. The European Commission (EC) has acknowledged the problem of not having a “comprehensive EU cross-border and cross-sector framework for secure, trustworthy and easy-to-use electronic transactions that encompasses electronic identification and trust services” [2, 3]. In this light, the EC has issued a regulation on electronic IDentification and Authentication Services (eIDAS), which sets standards for secure certification services for all citizens of the European Union member states. In this paper, we describe the conversion of the services provided by the Agricultural University of Athens (AUA) to Erasmus exchange students so that they are compatible with the European eIDAS regulation. In addition, the automation of the user certification service at collaborating universities is examined. It is investigated whether such a cloud-based information system and web services, targeting users from different EU member states that adopt eIDAS, can facilitate the process. We also present a system architecture that is under development by the AUA and is intended to provide support services to students who wish to visit the AUA within the framework of the Erasmus program.

The paper is organized as follows. In Section 2 we describe the eIDAS regulation, as well as the “Transformation of Greek e-Gov Services to eIDAS Cross-border Services” action, referring to the connection of existing Greek public services to the Greek eIDAS node. In Section 3 we present the AUA Erasmus office procedures for authenticating exchange students from EU universities, as well as the problems an information system would encounter. Section 4 proposes a solution to the detected problems by developing Web Services and the system architecture. Finally, the conclusions are given.
2 eIDAS Description
In 2014, the EC established a regulation on electronic identification seeking to enhance trust in electronic transactions. eIDAS has replaced the Electronic Signatures Directive, contributing to the development of specific applications. It addresses citizens from different countries and gives guidance on how the local electronic identification (eID) of their country of origin can be used by government agencies (i.e. ministries, universities, institutions) in other member countries. eIDAS is based on geographically dispersed servers among the EU countries that make up the eIDAS nodes. According to the eIDAS interoperability architecture, an eIDAS node is described as an operational entity involved in the cross-border authentication of citizens [4]. An eIDAS node can have different roles:

- eIDAS Connector: an eIDAS node requesting a cross-border authentication;
- eIDAS Service: an eIDAS node providing cross-border authentication, which can be either proxy based or middleware based.
In the following, an eIDAS identification process scenario is given (Figure 1). A user originating from country B is located in country A. In order to obtain authentication using the identity service of country B, he/she connects to the local eIDAS Connector. This node communicates, according to the parameters given by the user, with the eIDAS Service node in country B, which in turn contacts the country B identity service. Upon successful identification, the user can use government services in country A.

A recent action by the EC entitled "Transformation of Greek e-Gov Services to eIDAS Cross-border Services" concerns connecting existing Greek public services to the Greek eIDAS node. The action will integrate the following groups of services: government services for businesses and citizens, healthcare and social security related services, and academia and research services in partner universities. To reach this objective, this action will firstly adapt the above services to be integrated with eIDAS, in order to be able to request, receive and process the new set of identification data received from the eIDAS node under the eIDAS Regulation; and secondly connect the services to the eIDAS node to allow for cross-border authentication. Finally, this action will support Greece in meeting the requirements of the eIDAS Regulation and will facilitate access to Greek public e-services for all EU citizens and businesses using their national eID, thus ensuring cross-border mobility and supporting and strengthening the Digital Single Market.
Fig. 1 eIDAS identification process
3 AUA Erasmus Office Procedures
This section briefly describes the procedures an exchange student follows to be authenticated in order to attend AUA courses. The Erasmus program for student mobility started in 1987 and now includes more than 4,000 universities. AUA participates in the Erasmus program and to date has accepted hundreds of exchange students. The usual procedure for an exchange student of a collaborating university to participate in the Erasmus program at AUA involves filling in an application with a list of the courses he/she wishes to attend, which must correspond to courses in his/her department's curriculum, and submitting attestations to the competent services. Exchange students wishing to attend AUA courses must be identified by the AUA Erasmus office and must be given a student identity card.
This process is complex, as the corresponding services of the Erasmus offices of the collaborating universities require additional attestations and applications, which are often incompatible with those issued by the Greek state. In addition, successful attendance of courses must be confirmed by grades from the AUA teaching staff. The collaborating university requires specific papers issued by the relevant departments of the AUA. These papers are provided by the AUA Erasmus office. Unfortunately, this process involves time-consuming and complicated actions that differ for each university. An information system could simplify some of these processes, but it would encounter additional difficulties, as demonstrated in the use case below.

3.1 Course Enrollment Use Case
This section presents a use case that depicts the process of enrolling an exchange student in a course provided by the AUA. The student applies and chooses one or more courses offered by the AUA that are in accordance with his/her curriculum at the university of origin. The AUA Erasmus office may approve or reject applications. Similarly, the Erasmus office at his/her university abroad may approve or reject applications. Finally, the AUA Erasmus office is responsible for communicating the student's grade to his/her university.

1. User Registration. The user (exchange student) provides all the necessary information and the AUA Erasmus office identifies and registers him/her.
2. User Login. The user connects to the AUA online services. The usual way is through the credentials (username and password) assigned by the AUA Erasmus office.
3. Selection of courses. The user selects the courses he/she wants to attend. The courses that can be chosen are retrieved dynamically based on the student's department of origin.
4. Validation of courses. The AUA Erasmus office validates the courses the student has chosen and informs the relevant Department Secretariat.
5. Completion of studies. Upon the exchange student's graduation, the AUA Erasmus office sends his/her grade to the corresponding office at the collaborating university.
The aforementioned use case process presents certain limitations that make automation more difficult. The most important limitations are:

- The identification of exchange students requires the involvement of an official in charge of this competence.
- Upon completion of the exchange student's studies, the grades that will be sent to the collaborating university must also be validated.
4 Description of eIDAS based Web Services
Previously, we outlined the process of course enrollment for an exchange student within the framework of the Erasmus program. In this section, the above limitations are resolved using eIDAS-compliant services. Specifically, AUA, seeking to optimize the procedure and upgrade the services it provides, intends to develop automated Web Services based on and compatible with the EU eIDAS Regulation. The Web Services will use eIDAS as follows:

- For user authentication. Any EU citizen will be able to authenticate and access the services through their local Service Provider.
- For electronic signatures. By using electronic signatures according to the eIDAS standards, the AUA hopes to improve service performance.

Using eIDAS, we present the basic flow for a new use case that solves the problems previously encountered. Moreover, the AUA Erasmus office is no longer concerned with nor responsible for the identification and authentication of the exchange students, and the process is automated.

4.1 Student Mobility Service – Erasmus Exchange Program
The steps followed by an Erasmus exchange student in order to register for a course at AUA are described below (Figure 2):

1. The student visits the web portal of the AUA Erasmus office (Erasmus Student Information System) and logs in, providing the eIDAS credentials acquired from his/her country of origin.
2. The portal redirects the login request to the web service of the AUA web server, which grants permission to registered users.
3. The web service recognizes that the student has provided eIDAS credentials and contacts the eIDAS node, which confirms eIDAS registered users.
4. Upon confirmation from the eIDAS node, the web service grants access to the web portal. If the student logs in for the first time, the web service creates a local account corresponding to the student's eIDAS account.
5. The student registers for the courses that he/she wants to attend, and the selections are saved in the local database of the AUA web server.
6. The AUA Erasmus office is notified of the student's registration and accepts, modifies or rejects the registration.
7. Upon completion of studies, the AUA Erasmus office sends the officially signed grades of the exchange student to the corresponding office at the collaborating university.
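As an added illustration of steps 3 to 5 above (example code written for this article, not the AUA's own implementation), the following sketch models the web service side: it takes the identification data that the eIDAS node has already confirmed, checks that the data is complete and that the identifier was issued for the Greek service, provisions a local account on the student's first login, and stores course selections pending review by the Erasmus office. The attribute names and the `<origin>/<destination>/<id>` identifier layout follow the eIDAS SAML attribute profile and are assumptions of this example; the paper does not name them. The class and the sample student are hypothetical.

```python
import re
from dataclasses import dataclass, field

# eIDAS minimum data set attribute names, taken from the eIDAS SAML attribute
# profile (an assumption of this example; the paper does not name them).
REQUIRED_ATTRS = ("PersonIdentifier", "FamilyName", "FirstName", "DateOfBirth")
# PersonIdentifier layout: <origin country>/<destination country>/<national id>
PERSON_ID_RE = re.compile(r"^([A-Z]{2})/([A-Z]{2})/(.+)$")
SERVICE_COUNTRY = "GR"  # the AUA web service is the Greek relying party


@dataclass
class LocalAccount:
    eidas_id: str
    display_name: str
    origin_country: str
    courses: list = field(default_factory=list)


class ErasmusWebService:
    """Hypothetical stand-in for the AUA web service behind the Erasmus portal."""

    def __init__(self):
        self.accounts = {}  # eIDAS PersonIdentifier -> LocalAccount

    def login(self, attrs):
        """Handle identification data already confirmed by the eIDAS node.
        Rejects incomplete data or an identifier issued for another country,
        and provisions a local account the first time an identifier is seen."""
        missing = [a for a in REQUIRED_ATTRS if not attrs.get(a)]
        if missing:
            raise ValueError(f"incomplete eIDAS data, missing {missing}")
        pid = attrs["PersonIdentifier"]
        m = PERSON_ID_RE.match(pid)
        if m is None or m.group(2) != SERVICE_COUNTRY:
            raise ValueError(f"identifier {pid!r} was not issued for {SERVICE_COUNTRY}")
        if pid not in self.accounts:  # first login: create the local account
            name = f"{attrs['FirstName']} {attrs['FamilyName']}"
            self.accounts[pid] = LocalAccount(pid, name, m.group(1))
        return self.accounts[pid]

    def register_course(self, account, course_code):
        """Save a course selection locally, pending Erasmus office review."""
        if course_code not in account.courses:
            account.courses.append(course_code)
        return list(account.courses)


# Constructed sample of the data a node might return for a Spanish student.
SAMPLE_STUDENT = {"PersonIdentifier": "ES/GR/00000000X", "FamilyName": "García",
                  "FirstName": "Ana", "DateOfBirth": "1999-05-04"}
```

A second login with the same identifier returns the existing account with its saved selections, so the Erasmus office never has to identify the student manually.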
Fig. 2 eIDAS based service architecture
5 Conclusion
The adoption of eIDAS in software development facilitates the implementation of systems aimed at authenticating transnational agreements, such as the Erasmus program. eIDAS provides a solution for the authentication of citizens from other countries and simplifies the processes required by the information systems. By using the eIDAS service, AUA reduces the processes of identifying, registering and importing users into the AUA database and certifying them by checking their credentials. AUA will be considered a responsible government agency for students' certification and identification. As other researchers note, the major challenge that eIDAS has to face is its full adoption by all member countries as well as its general acceptance by citizens [5, 6]. Another great advantage of eIDAS that the AUA intends to utilize is its standards for electronic signatures. Electronic signatures according to the eIDAS regulation can be categorized, based on their acceptance by the other EU member states, into qualified and advanced. Furthermore, a qualified electronic signature shall have the equivalent legal effect of a handwritten signature [3]. AUA intends to speed up processes by providing web services that will offer users predefined forms for the input of useful data and their electronic publication by means of electronic signatures.
References

1. Sideridis, A. B., Protopappas, L., Tsiafoulis, S., & Pimenidis, E. (2015, December). Smart cross-border e-gov systems and applications. In International Conference on e-Democracy (pp. 151-165). Springer, Cham.
2. Cuijpers, C. M. K. C., & Schroers, J. (2014). eIDAS as guideline for the development of a pan European eID framework in FutureID.
3. European Union (2014). “Wording taken from the explanatory memorandum of eIDAS”, http://eurlex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52012PC0238.
4. Joinup collaborative platform: eIDAS – Interoperability Architecture. Version 1.00, November 2015.
5. Stasis, A., Kalogirou, V., & Tsiafoulis, S. (2013, December). Generic Services for Cross Domain Use in e-Government. In International Conference on e-Democracy (pp. 64-72). Springer, Cham.
6. The European Parliament and the Council of the European Union: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. July 2014.
Acknowledgement. This work has been partially supported by the Innovation and Networks Executive Agency of the European Commission under the action no. 2015-EL-IA-0083 entitled “Transformation of Greek e-Gov Services to eIDAS cross-border Services”.