Supporting Authorize-then-Authenticate for Wi-Fi access based on an electronic identity infrastructure

Diana Berbecaru+, Antonio Lioy, and Cesare Cameroni

Politecnico di Torino, Torino, Italy
{diana.berbecaru, lioy, cesare.cameroni}@polito.it


Abstract

Federated electronic identity systems are increasingly used in commercial and public services to let users share their electronic identities (eIDs) across countries and providers. In Europe, the eIDAS Regulation and its implementation, the eIDAS Network, which allows mutual recognition of citizens' eIDs across countries, is now operational. We discuss authorization before authentication, also called authorize-then-authenticate (AtA), in services that exploit the eIDAS Network. In the eIDAS Network, each European country runs a national eIDAS Node, which, upon successful authentication of a person in his home country, transfers some of that person's attributes to other Member States via the eIDAS protocol. Service Providers in foreign countries typically use these attributes to implement authorization decisions for the requested service.
We present a scenario where AtA is required, namely Wi-Fi access, in which the service provider has to implement access control decisions before the person is authenticated through the eIDAS Network with his/her national eID. The Wi-Fi access service is in high demand in public and private places (e.g. shops, hotels, and so on), but its use typically involves users' registration at service providers and is still subject to security attacks. The eIDAS Network supports different authentication assurance levels, so it could be exploited to offer citizens a more secure and widely available Wi-Fi access service, with no prior registration, by leveraging their national eIDs. We first propose a model that discusses AtA in eIDAS-based services, and we consider different possible implementation choices. We then describe the implementation of AtA in an eIDAS-based Wi-Fi access service leveraging the eIDAS Network and a Zeroshell captive portal supporting the eIDAS protocol. We discuss the problems encountered and the deployment issues that may affect acceptance of the service by users and its exploitation on a large scale.

Keywords: authorization, electronic identity infrastructures, eIDAS Network, Wi-Fi access service


+: Corresponding author: Diana Berbecaru
Dip. di Automatica e Informatica, Politecnico di Torino, Corso Duca degli Abruzzi 24, 10129, Torino, Italy
Tel: +39-011-090-7081, Web: https://security.polito.it/~diana/


Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 11, No. 2, pp. 34-54, June 2020

Received: February 20, 2020; Accepted: June 2, 2020; Published: June 30, 2020

DOI: 10.22667/JOWUA.2020.06.30.034