Slides - Institute of Applied Information Processing and

AK IT-Sicherheit 1
Identity Management
Bernd Zwattendorfer
Graz, 29.10.2014
The E-Government Innovation Centre is a joint institution of the Federal Chancellery and TU Graz
Motivation
Ref: Peter Steiner,
The New Yorker
Unintended Data Twins
Overview
» General
» Terms, definitions
» Identification, authentication, authorization
» Identity management
» Identity models
» Different architectures
» Identity protocols
» SAML, OpenID, OpenID Connect, CAS
» Identity management in Austria
» Citizen-to-Government (MOA-ID)
» Government-to-Government (PVP)
Identity
“who a person is, or the qualities of a person or group that make them different from others” Ref: Cambridge Online Dictionaries
“the fact of being who or what a person or thing is”
“the characteristics determining who or what a person or thing is” Ref: Oxford Dictionaries
» Appears where the proof of being a particular
person or having specific attributes or
properties are required
» Identity describes a person’s unique and
distinctive characteristics, distinguishing them
from one another
» Name, gender, color of hair and eyes, …
» Identity in real life is often also referred to as
principal, within a digital context as subject
Digital Identity
“Digital identity can be defined as the digital representation of the information known about a specific individual or organization.” [Bertino and Takahashi]
“A Digital Identity is the representation of a human identity that is used in a distributed network interaction with other machines or people.” [DigitalID World magazine]
“In an identity management system identity is that set of permanent or long-lived temporal attributes associated with an entity.” [Camp]
» Same identity properties and attributes, but
digitally available
» E.g.: name, date of birth, …
» Also: username, e-mail, …
» Applicable also to non-natural persons
» E.g. computer system, company, …
Digital Identity Triangle
Figure (Ref: GINI-SA): triangle of Person, Digital Identity and Identifier (e.g. “[email protected]”), linked by the relations “stands for”, “activates” and “refers to”
Digital Identity
Ref: Bertino/Takahashi
Digital Identity
» Identifier
» Character string identifying a person
» May be restricted in time or in the application
sector
» E.g.: username, e-mail, URI, ssPIN, sourcePIN, …
» Credentials
» Credentials for parts or complete identity
» Used for proving identifier and/or attributes
» E.g.: password, certificate, …
» Attributes
» Describing a person’s properties
» E.g.: name, date of birth, gender, …
Electronic Identity (eID)
» Aims to guarantee the unique identity of a
person (natural or legal person) ensuring trust
between parties involved in electronic
transactions
» Particularly required in sensitive areas of
applications (e.g., e-Government)
» I-S-A functions
» Identification, Signature, Authentication
» Features that need to be supported by an eID
» universality of coverage, uniqueness,
permanence, exclusivity, precision
Identification, Authentication, Authorization
Figure (Ref: GINI-SA): Person, Identifier, Digital Entity and Rights, connected by the steps Identification, Authentication and Authorization
Identification
“Identification”: Identification is the association of a personal identifier with an
individual presenting attributes. [Clarke]
» Formerly: People knew each other
» Traditional: ID card
» Passport, identification card, driving
license, …
» Online: Electronic ID (eID), e.g. Austrian
Citizen Card
Identification
» An association between a personal
attribute and an individual, that
represents different properties
» E.g.: The name “Max Mustermann”
identifies the person “Max Mustermann”.
» Unique identification is only possible if no
other person’s name is “Max
Mustermann” (within a defined context)
» Else additional attributes are required for
unique identification (e.g. date of birth,
address, …)
Means of Identification
Ref: Clarke
Option | Description | Example
Appearance | How the person looks | Color of skin or eyes, gender, …; pictures on ID documents
Social behavior | How the person interacts with others | Voice, body language, …; mobile phone records, video surveillance data, credit card transactions, etc.
Names | What the person is called by other people | Family name, name listed in national registry or on passports, nicknames
Codes | What the person is called by an organization | Social security number, matriculation number, ID card numbers
Knowledge | What the person knows | Password, PIN
Tokens | What the person has | Driving license, passport, smart card, mobile phone
Bio-dynamics | What the person does | Pattern of handwritten signature
Natural physiography | What the person is | Fingerprint, retina, DNA
Imposed physical characteristics | What the person is now | Height, weight, rings, necklaces, tattoos
Authentication
Authentication is proof of an attribute. [Clarke]
Authentication of identity is proving an association between an entity and an
identifier. [Clarke]
The process of verifying a subject’s identity or other claim, e.g. one or more
attributes. [GINI-SA]
» Process of proving a person’s claimed
identity or digital identity
» Traditional:
» Proof of identity (name, appearance, …) e.g.
by passport
» Online:
» Proof of identity (username) e.g. using a
password
Authentication mechanisms
» “Having something” approach (ownership)
» Authentication based on “something” an entity owns
or has for proving her identity.
» E.g., passport, smart card, private key
» “Knowing something” approach (knowledge)
» Authentication based on presented knowledge
» E.g., password, PIN
» “Being something” approach (physical property)
» Authentication based on physical property
» E.g., fingerprint
» “Doing something” approach (behavior pattern)
» Authentication based on something an entity does
» E.g., voice recognition
Multi-Factor-Authentication
» Combining different authentication
mechanisms to increase security
» E.g. Ownership and Knowledge (2-factor)
» Citizen card (smart card and PIN)
» Mobile phone signature (mobile phone
and password)
» Increased security by increasing the
number of mechanisms
Authorization
Authorization is a decision to allow a particular action based on an identifier or
attribute. [Clarke]
Through authorization, rights are assigned to a digital identity. [GINI-SA]
» Usually carried out after an
authentication process
» Assigning access rights to particular
resources or entities
» E.g. Read-/write rights on file system
» Often based on roles or groups
» E.g., doctor, student, etc.
Exceptions
» Identification without authentication
» Doctor wants to access patient’s data
» Doctor identifies herself, authenticates
herself and gets adequate access rights
» Patient is only identified
» Authentication without identification
» Anonymous credentials (AC)
» Prove that someone is older than 18
without revealing other identifying
attributes
Summary
» Identity
» “Max Mustermann“
» Identification
» “I am Max Mustermann“
» Authentication
» “My passport proves that I am Max
Mustermann”
» Authorization
» “Max Mustermann is employed at company
A and is allowed to access Service B”
Identity management (IdM)
“Identity and access management combines processes, technologies, and policies to manage digital identities and specify how they are used to access resources.” [Microsoft]
» Managing identities
» Managing access rights for resources
» Management of the identity lifecycle
» Different dimensions
» E.g. within a system (e.g. company),
network or country
Identity Lifecycle
Figure: the identity lifecycle phases Creation, Usage, Maintenance and Deletion, framed by Governance
Identity Lifecycle
» Creation
» Create data record of the digital identity
» Contains different attributes
» Attributes may be
» self-created, self-declared
» proved and verified
» Credential is issued
Identity Lifecycle
» Usage
» Used in different (personalized) services
» Authentication and authorization
» Transfer/Distribution to other systems (e.g. other companies) or system parts (e.g. internal registers/databases)
» Single sign-on (SSO)
Identity Lifecycle
» Maintenance
» Attributes and their values may change
(e.g. address)
» Attributes may be added or deleted
» Attributes may have limited validity (e.g. certificate valid for 1 year)
» Identifiers should not be changed
Identity Lifecycle
» Deletion
» Validity period may expire (e.g.
certificates)
» Validity may be revoked (e.g. certificates)
» Simple deletion
» Revocation should be documented and
other systems should be informed
Identity Lifecycle
» Governance
» Policies/guidelines for creation, usage,
maintenance and deletion of identities
» Policies/guidelines for authentication (e.g.
authentication level/strength)
» Policies/guidelines for authorization (e.g.
conditions for data access)
» Legal framework
» Audit – traceability of single activities
Identity Types
» Complete identity
» Union of all attribute values of all identities of this person
» Partial identities
» Different set of attributes forming identities (e.g. at work,
social media, …)
Ref: FIDIS
Identity Types
» Pseudonymous identities
» Decoupling of the digital identity from the real
person (by a trustworthy entity)
» Only the trustworthy entity is able to link back to
the real person
» E.g. name changed by editorial office
» E.g. Used for analysis of health data
» Anonymous identities
» Decouple the digital identity from the real person
» Unlinkability to real person
» Normally temporary and for single transactions
» E.g. completing a question form
Identity Types
» Local identity
» Valid only within a closed environment
» E.g. Windows PC
» Global identity
» Valid within a wider context
» E.g. passport
» Federated identity
» Identity data shared and linked over multiple systems
» Allows systems the shared usage of identity data
» Single sign-on (SSO)
» Brokered identity
» Identity translation
» E.g. from partial identity to pseudonymous identity
because of privacy reasons
Identity Threats
» Identity linking
» Information regarding an identity is collected and a profile is
derived
» E.g. persistent identifiers, personal details in social networks,
requesting more information than needed, selling personal data
» Identity theft
» One person claims to be another person
» E.g. social engineering, eavesdropping communication, credit
card fraud
» Identity manipulation
» An identity’s attributes are changed with intent
» E.g. modification of access rights
» Identity disclosure
» An identity’s attributes are disclosed
» E.g. Intentionally or unintentionally disclosure of health data
Ref: Tsolkas/Schmidt
Example for Identity Theft
In the space of one hour, my entire digital life was destroyed. First my
Google account was taken over, then deleted. Next my Twitter account was
compromised, and used as a platform to broadcast racist and homophobic
messages. And worst of all, my AppleID account was broken into, and my
hackers used it to remotely erase all of the data on my iPhone, iPad, and
MacBook.
Mat Honan
In many ways, this was all my fault. My accounts were daisy-chained
together. Getting into Amazon let my hackers get into my Apple ID account,
which helped them get into Gmail, which gave them access to Twitter. Had I
used two-factor authentication for my Google account, it’s possible that
none of this would have happened, because their ultimate goal was always
to take over my Twitter account and wreak havoc. Lulz.
http://www.wired.com/gadgetlab/2012/08/appleamazon-mat-honan-hacking/
Challenges for Digital Identity
» Security
» To encounter any identity threat or identity compromise
» Privacy
» Minimal disclosure, anonymity, unlinkability
» Trust
» Trust relationships between all involved
entities/stakeholders are essential
» Data control
» Users should be entitled to maximum control over their own
personal data
» Usability
» Easy to understand and usable authentication mechanism
» Interoperability
» Facilitates the portability of identities
» Acceptance of different authentication mechanisms
Overview
» General
» Terms, definitions
» Identification, authentication, authorization
» Identity management
» Identity models
» Different architectures
» Identity protocols
» SAML, OpenID, OpenID Connect, CAS
» Identity management in Austria
» Citizen-to-Government (MOA-ID)
» Government-to-Government (PVP)
Stakeholders
Ref: Bertino/Takahashi
Stakeholders
» Subject
» Digital identity of a person
» Provides identity data (attributes) to the identity provider
» Identity Provider (IdP)
» Provides identity data of the subject to the service provider
» Identification, Authentication and Authorization
» Relying Party (Service Provider - SP)
» Provides services or resources to the subject
» Relies on the identity data of the identity provider
» Control Party
» Checks compliance of policies, guidelines or laws
» Contains the possibility for audit, e.g. reproducing an
authentication process
Isolated Model
» SP and IdP merge
» Authentication directly at the SP
» IdM system only applicable for specific SP
» Identity data stored and maintained at the individual SP
Figure (Ref: Jøsang/Pope, 2005): the user performs identification and authentication directly at the combined service and identity provider, which stores the identity data and provides the service
Central Model
» Identity Provider (IdP) stores identity data
» IdP provides identity data to the service provider (SP)
» User has no control on actual data transfer
» e.g., Central Authentication Service (CAS), Facebook
Figure (Ref: Palfrey and Gasser, 2007): the user performs identification and authentication at the identity provider, which holds the identity data and transfers it to the service provider; the service provider provides the service to the user
User-Centric Model
» Identity data stored in user-domain
» Usually stored on a secure token (e.g., smart card)
» Explicit user consent
» e.g., Citizen Card, nPA
Figure (Ref: Palfrey and Gasser, 2007): the identity data is held in the user domain; the user is involved in identification and authentication at the identity provider, in the identity data transfer to the service provider, and in accessing the service
Federated Model
» Identity data distributed across several identity providers
» Appropriate trust relationship between providers required
» IdPs share a common identifier
» e.g., Shibboleth, WS-Federation
Figure (Ref: Palfrey and Gasser, 2007): a federation spanning Domain A and Domain B, each with its own identity provider and identity data; the user performs identification and authentication at one identity provider, identity data is transferred within the federation and to the service provider, which provides the service
Identity Federation
Ref: SAML 2.0 Technical Overview
Single Sign-On (SSO)
SSO is the ability for a user to authenticate once to a single authentication authority and then access other protected resources without reauthenticating. [Clercq]
» Login once – use multiple services at the same time
Figure: normal login at multiple services vs. SSO-login at multiple services
Single Sign-On (SSO)
» Advantages
» Only one authentication process
» Prevent large number of different
passwords
» Higher level of security
» More user comfort and time savings
» Disadvantages
» Central point of failure or attack
» Key to the kingdom
Single Sign-On (SSO)
» Pseudo-SSO system
» Local middleware storing different credentials for
service providers
» Hidden “real” authentication using the stored
credentials at the service providers
» E.g. password manager
» True-SSO system
» Identity Provider as intermediary
» One real authentication at the identity provider
» Subsequent authentications at service providers
based on assertions from the identity provider
» E.g. identity protocols
Single Logout (SLO)
» Contrary process to SSO
» Global logout at all services a user is
currently logged in
» Important security feature
» Logout at one application after SSO can
lead to open authentication sessions at
other applications
Trust Management
”Trust is the characteristic whereby one entity is willing to rely upon a second entity to execute
a set of actions and/or to make a set of assertions about a set of principals and/or digital
identities. In the general sense, trust derives from some relationship (typically a business or
organizational relationship) between the entities” [Goodner and Nadalin]
» Direct Trust
» One party fully trusts the other party
without any intermediaries or another
trusted third party
» Indirect Trust
» Affected parties rely on claims asserted
by an intermediary or a common trusted
third party
Overview
» General
» Terms, definitions
» Identification, authentication, authorization
» Identity management
» Identity models
» Different architectures
» Identity protocols
» SAML, OpenID, OpenID Connect
» Identity management in Austria
» Citizen-to-Government (MOA-ID)
» Government-to-Government (PVP)
Identity Protocols
Identity Protocol
Identity Provider (IdP)
Service Provider (SP)
User
Identity Protocols - Terminology
Component | SAML | OpenID | OAuth | OpenID Connect | CAS
Service Provider | Service Provider (SP) | Relying Party | Client | Client | Web Service
Subject | Subject | End User | Resource Owner | Resource Owner | User
Identity Provider | Identity Provider (IdP) | OpenID Provider | Authorization Server AND Resource Server | Authorization Server AND Resource Server | Central Authentication Server
SAML
» Security Assertion Markup Language
» XML-based standard for the secure exchange
of identity and authentication data between
security domains
» Well-established standard for years
» SAML 1.0: 2002
» SAML 1.1: 2003
» SAML 2.0: 2005
» Uses existing standards (e.g. XML-DSig, XML-Enc, SOAP, …)
» Used within other standards (e.g. WS-Security)
Typical Use-Cases
» Web Single Sign-On (SSO)
» Authentication at one web site and accessing multiple web sites without re-authentication (even beyond domain borders)
» Identity federation
» Federation of identity data across multiple
systems/domains
» Attribute-based authorization
» Authorization based on transferred attributes
» Securing Web Services
» Transportation of structured security information within
other standards
» Single Logout
» Global and simultaneous logout at multiple applications
SAML Architecture
» Profiles: SSO Profiles, Single Logout Profile, Attribute Profiles, …
» Bindings: SOAP Binding, HTTP-Artifact, HTTP-Redirect, HTTP-POST Binding, …
» Protocols: Authentication Request Protocol, Single Logout Protocol, …
» Assertions: Authentication, Attribute, Authorization Decision
Ref: SAML 2.0 Technical Overview
SAML Assertion
» Assertion = Claim of somebody about
somebody
» SAML assertions contain different
statements
» Authentication statement
» “Max Mustermann authenticated himself on October 29, 2014 at 09:17 using a smart card.”
» Attribute statement
» “Max Mustermann was born on January 1, 1970
and is a lawyer.”
» Authorization statement
» “Yes, Max Mustermann is allowed to access this
web site”.
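The three statement kinds above are what a service provider receives inside an assertion; the slides do not show what the SP has to check before it acts on them. The following Python is an added example, not code from the slides or from any SAML library: it embeds a constructed SAML 2.0 assertion (hypothetical issuer and SP URLs, no signature) carrying an authentication, an attribute and an authorization decision statement, extracts the statements, and validates the Conditions element (validity window and audience restriction) the way an SP must. XML signature verification is deliberately left out here; in practice it is the first check, before any of the following ones.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (hypothetical issuer/SP URLs). The three
# statements mirror the examples on the slide. The XML signature is omitted:
# a real SP verifies the XML-DSig over the assertion before trusting anything below.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2014-10-29T09:17:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Subject>
    <saml:NameID>Max Mustermann</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-10-29T09:16:00Z" NotOnOrAfter="2014-10-29T09:22:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.example.org</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2014-10-29T09:17:00Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="birthdate"><saml:AttributeValue>1970-01-01</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="profession"><saml:AttributeValue>lawyer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://sp.example.org/" Decision="Permit">
    <saml:Action Namespace="urn:oasis:names:tc:SAML:1.0:action:rwedc">Read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>"""


def _utc(ts):
    """Parse the SAML UTC timestamp form used above (YYYY-MM-DDThh:mm:ssZ)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, expected_audience, now_ts):
    """Return the reasons the SP must reject the assertion (empty list = accept).

    Validity window and audience restriction are the SP's own responsibility;
    a valid signature alone says nothing about either."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return ["no Conditions element"]
    now = _utc(now_ts)
    problems = []
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and now < _utc(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= _utc(not_on_or_after):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch: issued for %s" % audiences)
    return problems


def extract_statements(assertion_xml):
    """Pull the three statement kinds out of the assertion into a plain dict."""
    root = ET.fromstring(assertion_xml)
    authn = root.find("saml:AuthnStatement", SAML_NS)
    attributes = {
        attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=SAML_NS)
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS)
    }
    authz = root.find("saml:AuthzDecisionStatement", SAML_NS)
    return {
        "subject": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS),
        "authn_instant": authn.get("AuthnInstant"),
        "authn_context": authn.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=SAML_NS),
        "attributes": attributes,
        "authz_decision": authz.get("Decision"),
        "authz_resource": authz.get("Resource"),
    }


if __name__ == "__main__":
    print(extract_statements(SAMPLE_ASSERTION))
    print("problems at 09:18:", check_conditions(SAMPLE_ASSERTION, "https://sp.example.org", "2014-10-29T09:18:00Z"))
    print("problems at 09:30:", check_conditions(SAMPLE_ASSERTION, "https://sp.example.org", "2014-10-29T09:30:00Z"))
```

The audience check is what stops an assertion issued for one SP from being replayed at another SP of the same IdP; the time window bounds how long a captured assertion stays usable.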
SAML Assertion
Ref: Eve Maler
SAML Assertion - Example
Figure (Ref: Eve Maler): a SAML Assertion containing a SAML Authentication Statement and a SAML Attribute Statement
SAML Protocols
» SAML assertions are requested and are
returned after successful
authentication
» SAML defines different XML
request/response protocols
» The messages are transferred via
different
communication/transportation
protocols (SAML Bindings)
SAML Bindings
» SAML via SOAP over HTTP
Ref: SAML 2.0 Technical Overview
SAML Profiles
» Model the SAML use cases by
combining SAML Assertions, SAML
Protocols and SAML Bindings
» Single sign-on, identity federation, single
logout, …
» Profiles are standardized but own
profiles may be created
» E.g. STORK, PVP
SAML Login Process
Figure (Ref: SAML 2.0 Core). Callout: how the identity provider actually authenticates the user is not specified in SAML!
SAML SSO Login Process
Figure (Ref: SAML 2.0 Core). Callout: user already authenticated -> SSO!
SAML Single Logout Process
Ref: SAML 2.0 Core
OpenID
» Decentralized authentication and SSO
system for web-based services
» Identity (identifier) is URL- or XRI-based
(e.g. http://[email protected])
» No XML, only URL parameters
» Established standard
» Version 1.0: 2005
» Version 1.1: 2006
» Version 2.0: 2007
» Replaced by OpenID Connect in 2014
OpenID Login Process
RP… Relying Party
OP … OpenID Provider
Ref: Bertino/Takahashi
OpenID Messages
» OpenID authentication request
GET /moa-id.gv.at/accounts/o8/ud?
openid.assoc_handle=1.AMlYA9VMPYAFT
&openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
&openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select
&openid.mode=checkid_setup
&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.return_to=http%3A%2F%2Fonline.applikation.gv.at
&openid.ns.ax=http://openid.net/srv/ax/1.0
&openid.ax.mode=fetch_request
&openid.ax.type.fname=http://example.com/schema/fullname
HTTP/1.1
» OpenID authentication response
http://online.applikation.gv.at/openid_finish?
&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0
&openid.mode=id_res
&openid.op_endpoint=https%3A%2F%2Fmoa-id.gv.at%2Faccounts%2Fo8%2Fud
&openid.response_nonce=2013-08-23T15%3A56%3A58Zzeh9h37pFQHkMg
&openid.return_to=http%3A%2F%2Fonline.applikation.gv.at
&openid.assoc_handle=1.AMlYA9VMPYAFT
&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle
&openid.sig=y8jJ5Je2YlEekXYcKxRCubYP19E%3D
&openid.identity=12345==
&openid.claimed_id=12345==
&openid.ax.mode=fetch_response
&openid.ax.type.fname=http://example.com/schema/fullname
&openid.ax.value.fname=Max Mustermann
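The response above carries openid.signed and openid.sig; what makes it trustworthy is the relying party's verification of exactly those fields. The following Python is an added example, not code from the slides or from an OpenID library: it rebuilds the OpenID 2.0 key-value signature (HMAC-SHA1 over the signed fields, in the order given in openid.signed) with a constructed association MAC key, then performs the RP-side checks on a positive assertion: return_to and op_endpoint match the RP's expectation, the mandatory fields and any identity fields are under the signature, the signature verifies, and the response nonce has not been seen before. The endpoint, return_to, handle, nonce and identifier values are taken from the slide's messages; the MAC key and the helper names are assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Values taken from the slide's example messages; the MAC key is a constructed
# stand-in for the secret the RP and the OP agreed on during association.
OP_ENDPOINT = "https://moa-id.gv.at/accounts/o8/ud"
RETURN_TO = "http://online.applikation.gv.at/openid_finish"
MAC_KEY = b"constructed-association-mac-key"

# Fields every positive assertion must carry under the signature (OpenID 2.0, section 10.1).
MUST_BE_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def key_value_form(fields, signed_keys):
    """OpenID key-value encoding of the signed fields, in the order listed in openid.signed."""
    return "".join("%s:%s\n" % (key, fields["openid." + key]) for key in signed_keys)


def compute_signature(fields, signed_keys, mac_key):
    """HMAC-SHA1 over the key-value form, base64-encoded (HMAC-SHA1 association type)."""
    mac = hmac.new(mac_key, key_value_form(fields, signed_keys).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_response(fields, mac_key):
    """What the OP sends: the fields plus openid.sig, as the redirect URL to return_to."""
    signed_keys = fields["openid.signed"].split(",")
    signed = dict(fields)
    signed["openid.sig"] = compute_signature(fields, signed_keys, mac_key)
    return fields["openid.return_to"] + "?" + urlencode(signed)


def verify_response(url, mac_key, expected_return_to, expected_op_endpoint, seen_nonces):
    """RP-side checks on a positive assertion. Returns None if acceptable, else the reason."""
    fields = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if fields.get("openid.mode") != "id_res":
        return "not a positive assertion"
    if fields.get("openid.return_to") != expected_return_to:
        return "return_to mismatch"
    if fields.get("openid.op_endpoint") != expected_op_endpoint:
        return "unexpected op_endpoint"
    signed_keys = fields.get("openid.signed", "").split(",")
    if not MUST_BE_SIGNED <= set(signed_keys):
        return "mandatory fields not covered by signature"
    # Identity fields, when present, must be signed too; otherwise the OP never vouched for them.
    for key in ("claimed_id", "identity"):
        if "openid." + key in fields and key not in signed_keys:
            return key + " not covered by signature"
    if any("openid." + key not in fields for key in signed_keys):
        return "signed field missing from response"
    expected_sig = compute_signature(fields, signed_keys, mac_key)
    if not hmac.compare_digest(expected_sig, fields.get("openid.sig", "")):
        return "bad signature"
    nonce = fields["openid.response_nonce"]
    if nonce in seen_nonces:          # the same assertion delivered twice is a replay
        return "replayed nonce"
    seen_nonces.add(nonce)
    return None


SAMPLE_FIELDS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": OP_ENDPOINT,
    "openid.response_nonce": "2013-08-23T15:56:58Zzeh9h37pFQHkMg",
    "openid.return_to": RETURN_TO,
    "openid.assoc_handle": "1.AMlYA9VMPYAFT",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    "openid.identity": "12345==",
    "openid.claimed_id": "12345==",
}

if __name__ == "__main__":
    seen = set()
    url = build_response(SAMPLE_FIELDS, MAC_KEY)
    print(url)
    print("first delivery:", verify_response(url, MAC_KEY, RETURN_TO, OP_ENDPOINT, seen))
    print("second delivery:", verify_response(url, MAC_KEY, RETURN_TO, OP_ENDPOINT, seen))
```

A production RP additionally prunes the nonce set by the timestamp prefix of the nonce and, when it has no association for the handle, falls back to check_authentication at the OP; both are left out here to keep the signature logic visible.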
OAuth
» Authorization protocol for desktop, web and mobile applications
» Allows applications to access a user’s resources
» Users don’t have to forward credentials to the application
» Established standard
» Version 1.0: 2010
» Version 2.0: 2012
OAuth Process Flow
Client … Service Provider
Resource Owner … User
Authorization Server … Handles authentication of the user and authorization of the client
Resource Server … Server that hosts the protected resource
Ref: RFC 6749
OpenID Connect
» Identification and authentication layer
based on OAuth 2.0
» Authentication instead of authorization
» Apart from the name, the OpenID Connect protocol has nothing in common with the OpenID protocol
» No XML, only URL parameter or JSON
» Standard (version 1.0) since February
2014
OpenID Connect Process Flow
OpenID Connect Messages
» UserInfo request
GET /userinfo HTTP/1.1
Host: moa-id.gv.at
Authorization: Bearer SlAV32hkKG
» UserInfo response
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"sub":"12345==",
"given_name":"Max",
"family_name":"Mustermann",
"birthdate":"01-01-1990",
"gender":"M"
}
Central Authentication Service (CAS)
» Central open-source SSO solution
» CAS server written in Java
» Multiple client libraries (Java, PHP, etc.)
» History
» Initiated by the University of Yale in 2001
» Since 2005 a project of Jasig (Java Architectures Special Interest
Group)
» Mostly URL parameters, since Version 3.0 parts in XML
» Version 1.0: 2001
» Version 2.0: 2002
» Added proxy authentication
» Version 3.0: 2014
» New architecture based on plug-ins
» Further protocols: CAS 1,2,3; SAML 1.1, OpenID, OAuth 1.0,2.0
» Added XML Messages
CAS Process Flow
Parties: User, Web Service (Service Provider), Central Authentication Server
1. Request Access
2. Start Authentication
3. Authenticate
4. Create ticket
5. Send Redirect with ticket / Redirect with ticket
6. Send ticket
7. Validate ticket
8. Return User Data
9. Grant Access
CAS Messages
» Authentication Request (/login)
https://cas.example.org/cas/login?service=http%3A%2F%2Fwww.example.org%2Fservice
» Redirect with Ticket (/validate)
https://cas.example.org/cas/validate?service=http%3A%2F%2Fwww.example.org%2Fservice&ticket=ST-1856339-aA5Yuvrxzpv8Tau1cYQ7
» Authentication Response
CAS 1.0 (plain text):
Yes
username
CAS 3.0 (XML):
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>username</cas:user>
    <cas:proxyGrantingTicket>PGTIOU-846788a9d...</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>
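Steps 6 to 8 of the flow are the service provider validating the ticket it received in the redirect and parsing the answer in one of the two formats shown. The following Python is an added example, not code from the slides or from a CAS client library: it builds the /validate URL from the slide's message and parses both the CAS 1.0 plain-text answer and the CAS 3.0 XML answer, including the authenticationFailure element a CAS server returns for a bad or reused ticket. The sample response bodies are constructed (the success body follows the slide's example; the attribute block and the failure body are added).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def validation_url(cas_base, service, ticket):
    """URL the service provider calls (server to server) to validate a service ticket.

    `service` must be exactly the URL the ticket was requested for, otherwise the
    CAS server rejects the ticket; the ticket itself is valid for a single validation."""
    return cas_base + "/validate?" + urlencode({"service": service, "ticket": ticket})


def parse_cas1_response(body):
    """CAS 1.0 plain-text response: 'yes\\n<user>\\n' on success, 'no\\n\\n' on failure.

    The spec spells the first line 'yes'; the slide shows 'Yes', so compare case-insensitively."""
    lines = body.split("\n")
    if lines[0].strip().lower() == "yes" and len(lines) > 1 and lines[1].strip():
        return {"ok": True, "user": lines[1].strip()}
    return {"ok": False, "user": None}


def parse_cas3_response(body):
    """CAS 3.0 XML response: authenticationSuccess (user, attributes, optional PGT IOU)
    or authenticationFailure carrying an error code."""
    root = ET.fromstring(body)
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is not None:
        attributes = {}
        attr_block = success.find("cas:attributes", CAS_NS)
        if attr_block is not None:
            for child in attr_block:
                attributes[child.tag.split("}", 1)[1]] = child.text  # strip the namespace
        return {
            "ok": True,
            "user": success.findtext("cas:user", namespaces=CAS_NS),
            "attributes": attributes,
            "pgt_iou": success.findtext("cas:proxyGrantingTicket", namespaces=CAS_NS),
        }
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is None:
        return {"ok": False, "code": "MALFORMED", "message": "neither success nor failure element"}
    return {"ok": False, "code": failure.get("code"), "message": (failure.text or "").strip()}


# Constructed sample responses.
CAS3_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>username</cas:user>
    <cas:attributes>
      <cas:email>username@example.org</cas:email>
    </cas:attributes>
    <cas:proxyGrantingTicket>PGTIOU-constructed</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

CAS3_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-constructed not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

CAS1_SUCCESS = "yes\nusername\n"
CAS1_FAILURE = "no\n\n"

if __name__ == "__main__":
    print(validation_url("https://cas.example.org/cas", "http://www.example.org/service",
                         "ST-1856339-aA5Yuvrxzpv8Tau1cYQ7"))
    for body in (CAS1_SUCCESS, CAS1_FAILURE):
        print(parse_cas1_response(body))
    for body in (CAS3_SUCCESS, CAS3_FAILURE):
        print(parse_cas3_response(body))
```

The validation call must go from the service provider directly to the CAS server over TLS; the browser only carries the ticket, and a ticket that was never validated server-side proves nothing.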
Identity Provider
» Google, Facebook, Twitter
» SSO using these accounts
» Different identity providers and identity
protocols
» SAML, OpenID, OpenID Connect
Summary
Ref: Sakimura
Overview
» General
» Terms, definitions
» Identification, authentication, authorization
» Identity management
» Identity models
» Different architectures
» Identity protocols
» SAML, OpenID, OpenID Connect, CAS
» Identity management in Austria
» Citizen-to-Government (MOA-ID)
» Government-to-Government (PVP)
Identity
» §2 Z (1), (7), (2) Austrian E-Government Law
“Identity”: designation of a specific person (data subject, No 7) by means of data
which are particularly suitable to distinguish persons from each other, such as, in
particular, name, date of birth and place of birth but also, for example, company
name or (alpha)numerical designations;
“Data subject”: any natural or legal person or other association or institution
having its own identity for the purposes of legal or economic relations;
“Unique identity”: designation of a specific person (data subject, No 7) by means
of one or more features enabling that data subject to be unmistakably
distinguished from all other data subjects;
Identification and Authentication
» §2 (4), (5), (6) Austrian E-Government Law
“Identification”: the process necessary to validate or recognise identity;
“Authenticity”: the genuine nature of a declaration of intent or act in the sense
that the purported author of that statement or act is in fact the actual author;
“Authentication”: the process necessary to validate or recognise authenticity;
The Austrian eID Infrastructure
Figure, components grouped by domain:
» SourcePIN Register Authority Domain: SourcePIN Register (SPR), SourcePIN Register Gateway (SPR-GW), Central Register of Residents (CRR), Supplementary Register for Natural Persons (SR), Bilateral Mandate Register (BMR, natural persons), Mandate Issuing Service (MIS)
» Business Registers (Legal Persons), operated in different organizational domains: Company Register (CR), Central Register of Associations, Supplementary Register for Other Concerned Parties
» User Domain: Citizen, Citizen Card Software (CCS)
» Service Provider Domain: MOA-ID, Online Application (OA)
» Foreign Country: Foreign Citizen, Foreign Identity Provider (F-IdP), STORK Infrastructure (PEPS)
Central Population Register
Figure (Ref: Rössler): CPR and SRnP
Unique Identity
Every person living in Austria is registered within the CPR and a unique number (CPR number) is assigned to him/her.
Foreigners or Austrian expatriates are registered within the Supplementary Register for Natural Persons (SRnP).
Identity Link – Electronic Identity
» XML data structure on the Citizen Card contains the following:
» Personal data
» Name, date of birth
» Source PIN
» (encrypted “CPR Number”)
» Public Keys of the Certificates
» Signed by the SRA
» Based on SAML
Ref: Leitold
Excerpt of the identity link as shown on the slide (the figure cuts the lines off at the right margin; the annotations mark the attributes, the identifier (sPIN) and the credentials):
...
<saml:SubjectConfirmationData>
  <pr:Person xsi:type="pr:Physical                  [Attributes]
    <pr:Identification>                             [Identifier: sPIN]
      <pr:Value>123456789012</pr:Valu
      <pr:Type>http://reference.e-g
    </pr:Identification>
    <pr:Name>
      <pr:GivenName>Max</pr:Given
      <pr:FamilyName>Mustermann</pr:Fam
    </pr:Name>
...
<saml:Attribute AttributeName="CitizenPublicKey"    [Credentials]
  ... <dsig:RSAKeyValue>
        <dsig:Modulus>snW8OLCQ49qNefems
Sector-specific PIN (ssPIN)
Figure: the unique identity in the CPR is mapped to a separate ssPIN per sector, e.g. sector „SA“ (Steuern und Abgaben, taxes and duties) -> ssPIN „SA“ and sector „GH“ (Gesundheit, health) -> ssPIN „GH“; the figure shows three example ssPINs (4csabB2…, 5cwu4N…, No7b99t…)
Example
source PIN: MDEyMzQ1Njc4OWFiY2RlZg==
ssPIN(SA):
Sector: SA (Steuern und Abgaben, taxes and duties)
Hash input data: MDEyMzQ1Njc4OWFiY2RlZg==+urn:publicid:gv.at:cdid+SA
ssPIN(HEX): 4f 2d 1c f2 c4 4c a4 b3 9c 1a 66 85 5b 2d e2 24 f7 bb c5 97
ssPIN(Base64): Ty0c8sRMpLOcGmaFWy3iJPe7xZc=
ssPIN for the private sector:
Company register number (Firmenbuchnummer): 4924i
Hash input data: MDEyMzQ1Njc4OWFiY2RlZg==+urn:publicid:gv.at:wbpk+FN+4924i
ssPIN(HEX): 6a 56 fd 04 42 d0 ba 18 09 5b 1a 5d 93 a4 3c 6a 20 fd 00 80
ssPIN(Base64): alb9BELQuhgJWxpdk6Q8aiD9AIA=
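The example above is a hash computation: the 20-byte HEX value is a SHA-1 digest of the "Hash input data" string, and the Base64 line is that digest encoded. The following Python is an added example, not code from the slides or from MOA-ID: it derives public-sector ssPINs and private-sector ssPINs (wbPK) from a source PIN with exactly the hash-input layout shown on the slide and the two namespaces the slide uses, and checks that different sectors yield different PINs, which is what makes records in two sectors unlinkable through the PIN. Function names are assumptions; run it with the slide's source PIN and compare its output with the values listed above.

```python
import base64
import hashlib

# Namespaces as they appear in the slide's hash input strings.
PUBLIC_SECTOR_NS = "urn:publicid:gv.at:cdid"   # public-sector ssPIN
PRIVATE_SECTOR_NS = "urn:publicid:gv.at:wbpk"  # private-sector ssPIN (wbPK)


def derive_sspin(source_pin_b64, sector, namespace=PUBLIC_SECTOR_NS):
    """ssPIN = Base64(SHA-1(sourcePIN + '+' + namespace + '+' + sector)).

    The hash input is the Base64 text of the sourcePIN, exactly as on the slide's
    'Hash input data' line. Returns (hash input, hex digest, Base64 ssPIN)."""
    hash_input = "%s+%s+%s" % (source_pin_b64, namespace, sector)
    digest = hashlib.sha1(hash_input.encode("ascii")).digest()
    return hash_input, digest.hex(), base64.b64encode(digest).decode("ascii")


def derive_private_sector_sspin(source_pin_b64, register, number):
    """Private-sector variant: the sector part is register code + number, e.g. FN+4924i."""
    return derive_sspin(source_pin_b64, "%s+%s" % (register, number), PRIVATE_SECTOR_NS)


def sector_pins_are_unlinkable(source_pin_b64, sectors):
    """Every sector gets its own ssPIN; if all differ, two registers cannot join
    their records on the PIN alone (the sourcePIN itself never leaves the SRA domain)."""
    pins = {derive_sspin(source_pin_b64, s)[2] for s in sectors}
    return len(pins) == len(sectors)


if __name__ == "__main__":
    source_pin = "MDEyMzQ1Njc4OWFiY2RlZg=="  # the slide's example sourcePIN
    results = (
        ("ssPIN(SA)", derive_sspin(source_pin, "SA")),
        ("wbPK(FN 4924i)", derive_private_sector_sspin(source_pin, "FN", "4924i")),
    )
    for label, (hash_input, hex_digest, b64) in results:
        print(label)
        print("  hash input :", hash_input)
        print("  hex        :", " ".join(hex_digest[i:i + 2] for i in range(0, 40, 2)))
        print("  base64     :", b64)
    print("SA/GH unlinkable:", sector_pins_are_unlinkable(source_pin, ["SA", "GH"]))
```

Because SHA-1 is one-way, a register holding an ssPIN cannot recover the source PIN, and because the sector code is part of the input, it cannot compute the ssPIN of another sector either; only the SourcePIN Register Authority, which holds the source PIN, can.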
MOA-ID
Figure: the Citizen Card (holding the Identity Link, Certificate and sourcePIN) is accessed through the Security Layer (identification and authentication); MOA-ID (identity provider) passes the ssPIN together with the identity data to the Online Application (service provider). The citizen is uniquely identified (identity link) and authenticated by the verification of the electronic signature.
MOA-ID
» Highly secure authentication
» Based on the citizen card (smart card or
mobile phone signature)
» No prior contact or registration needed
» Unique identification is based on the
identity link
» Simple integration into online
applications
» Authentication data are transferred to the
online application via SAML Assertion
Identity protocol
Previous Deployment
Identity protocol
User-centric approach
New Deployment Possibilities
User-centric approach
Graz, 29.10.2014
89
Bernd Zwattendorfer
Process Flow MOA-ID
[Figure: components Web browser, Portal, Citizen Card Software (Security Layer), MOA-ID (signature verification, verify identity link) and Online application, connected by arrows numbered 1 to 6; the steps are explained on the following slides]
Screenshot
[Screenshot; annotations: Online Mandates, Foreign Persons]
Process Flow MOA-ID
1. User wants to access an online application via the portal
2. Calling MOA-ID via URL, Sector = “SA”:
https://moa-id.gv.at/moa-idauth/StartAuthentication?Target=SA&OA=http://oa.gv.at
2. MOA-ID answers with a Security Layer request to read the identity link from the citizen card via the citizen card software:
<?xml version="1.0" encoding="UTF-8" ?>
<sl:InfoboxReadRequest xmlns:sl="http://www.buergerkarte.at/namespaces/securitylayer/1.2#">
  <sl:InfoboxIdentifier>IdentityLink</sl:InfoboxIdentifier>
  <sl:BinaryFileParameters ContentIsXMLEntity="true"/>
</sl:InfoboxReadRequest>
DataURL: https://moa-id.gv.at/moa-idauth/VerifyIdentityLink?MOASessionID=8402548209267330385
2. User enters card PIN or phone number and password
2. Identity link is read from the card and sent to MOA-ID (via DataURL) for verification:
<saml:Assertion AssertionID="bka.gv.at-2007-08-29T16.41.17.442" IssueInstant="2007-08-29T18:00:00.000"
    Issuer="http://www.bka.gv.at/datenschutz/Stammzahlenregisterbehoerde" MajorVersion="1" MinorVersion="0" xmlns=""
    xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
        <saml:SubjectConfirmationData>
          <pr:Person xsi:type="pr:PhysicalPersonType">
            <pr:Identification>
              <pr:Value>3utiDdA4KaodrJOeMqu9PA==</pr:Value>
              <pr:Type>urn:publicid:gv.at:baseid</pr:Type>
            </pr:Identification>
            <pr:Name>
              <pr:GivenName>Max Moritz</pr:GivenName>
              <pr:FamilyName primary="undefined">Mustermann-Fall</pr:FamilyName>
            </pr:Name>
            <pr:DateOfBirth>1900-01-01</pr:DateOfBirth>
          </pr:Person>
        </saml:SubjectConfirmationData>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Attribute AttributeName="CitizenPublicKey" AttributeNamespace="urn:publicid:gv.at:namespaces:identitylink:1.2">
      <saml:AttributeValue>
        <dsig:RSAKeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
[Figure: German version of the flow diagram (Webbrowser, Portal, MOA-ID, Online Applikation (OA), Bürgerkartenumgebung, i.e. citizen card environment, SL); MOA-ID annotations: Signaturprüfung (signature verification), Match Personenbindung (match identity link)]
2. MOA-ID verifies the identity link and sends a Security Layer request for signature creation to the citizen card software
2. User enters signature PIN or TAN
2. MOA-ID verifies the signature and creates a SAML assertion/artifact
3. Redirect via citizen card software to the online application (incl. SAML artifact):
https://oa.gv.at?SAMLArtifact=AAH5hs8....
4. Web service request to MOA-ID (with SAML artifact):
<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
    IssueInstant="2009-02-24T13:38:32+01:00" MajorVersion="1" MinorVersion="0"
    RequestID="6125563722598650316">
  <samlp:AssertionArtifact>AAH5hs8aaZSFYHya0/cmtJ3QAR7rf54uhIsEcDMZFmmZ1/Qldrdf4JSK</samlp:AssertionArtifact>
</samlp:Request>
5. Web service response to the online application (with SAML assertion)
6. Access to resources granted
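The flow just walked through, together with the identity link structure described earlier (signed by the SRA, based on SAML, carrying the source PIN and the citizen's public keys), as an added Python model. This is illustration code, not MOA-ID's own implementation. It parses the identity link from the slide (embedded below as a constructed sample with the key value and signature left out), derives the sector's ssPIN for the online application, issues a SAML 1.x type-1 artifact (type code, SourceID, handle) and resolves it with the three checks a practitioner expects: issued here, not yet consumed, presented by the online application it was issued for. The issuer identifier, the foreign application URL and the `run_flow`/`_attempt` names are assumptions of this example; the SRA signature check over the identity link and the check of the citizen's signature against the public key in the identity link, both of which the real MOA-ID performs before issuing anything, are not modelled.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion",
      "pr": "http://reference.e-government.gv.at/namespace/persondata/20020228#"}

# Constructed sample: the identity link from the slide, key value and signature left out.
IDENTITY_LINK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
  xmlns:pr="http://reference.e-government.gv.at/namespace/persondata/20020228#"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="bka.gv.at-2007-08-29T16.41.17.442"
  Issuer="http://www.bka.gv.at/datenschutz/Stammzahlenregisterbehoerde" MajorVersion="1" MinorVersion="0">
  <saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData>
    <pr:Person xsi:type="pr:PhysicalPersonType">
      <pr:Identification><pr:Value>3utiDdA4KaodrJOeMqu9PA==</pr:Value>
        <pr:Type>urn:publicid:gv.at:baseid</pr:Type></pr:Identification>
      <pr:Name><pr:GivenName>Max Moritz</pr:GivenName>
        <pr:FamilyName primary="undefined">Mustermann-Fall</pr:FamilyName></pr:Name>
      <pr:DateOfBirth>1900-01-01</pr:DateOfBirth>
    </pr:Person>
  </saml:SubjectConfirmationData></saml:SubjectConfirmation></saml:Subject></saml:AttributeStatement>
</saml:Assertion>"""

# The artifact from the slide's samlp:Request, its two wrapped lines joined.
SLIDE_ARTIFACT = "AAH5hs8aaZSFYHya0/cmtJ3QAR7rf54uhIsEcDMZFmmZ1/Qldrdf4JSK"
TYPE_CODE = b"\x00\x01"  # SAML 1.x type-1 artifact: TypeCode(2) || SourceID(20) || AssertionHandle(20)


def parse_identity_link(xml_text: str) -> dict:
    """Extract source PIN (baseid) and person data; the SRA signature check is not modelled."""
    root = ET.fromstring(xml_text)
    ident = root.find(".//pr:Identification", NS)
    if ident is None or ident.findtext("pr:Type", namespaces=NS) != "urn:publicid:gv.at:baseid":
        raise ValueError("identity link carries no baseid identification")
    return {"source_pin": ident.findtext("pr:Value", namespaces=NS),
            "given_name": root.findtext(".//pr:GivenName", namespaces=NS),
            "family_name": root.findtext(".//pr:FamilyName", namespaces=NS),
            "date_of_birth": root.findtext(".//pr:DateOfBirth", namespaces=NS)}


def sspin(source_pin_b64: str, sector: str) -> str:
    """Sector-specific PIN as on the ssPIN slide (SHA-1 assumed, as there)."""
    data = f"{source_pin_b64}+urn:publicid:gv.at:cdid+{sector}".encode("ascii")
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def make_artifact(issuer: str, handle: bytes) -> str:
    """Type-1 artifact: SourceID is SHA-1 of the issuer identifier, the handle a fresh random value."""
    return base64.b64encode(TYPE_CODE + hashlib.sha1(issuer.encode()).digest() + handle).decode("ascii")


def parse_artifact(b64: str) -> dict:
    raw = base64.b64decode(b64)
    if len(raw) != 42 or raw[:2] != TYPE_CODE:
        raise ValueError("not a SAML 1.x type-1 artifact")
    return {"source_id": raw[2:22], "handle": raw[22:]}


class MoaId:
    """Toy model of MOA-ID's artifact handling (flow steps 2 to 5); not MOA-ID's own code."""
    ISSUER = "https://moa-id.gv.at/moa-idauth"  # assumed identifier hashed into the SourceID

    def __init__(self):
        self._pending = {}  # artifact handle -> (online application, assertion)

    def authenticate(self, identity_link_xml: str, target: str, oa: str) -> str:
        """Step 2: issue an artifact for the OA named in the StartAuthentication URL (Target, OA)."""
        person = parse_identity_link(identity_link_xml)
        assertion = {"given_name": person["given_name"], "family_name": person["family_name"],
                     "date_of_birth": person["date_of_birth"], "sector": target,
                     "sspin": sspin(person["source_pin"], target)}  # the OA never sees the source PIN
        handle = os.urandom(20)
        self._pending[handle] = (oa, assertion)
        return make_artifact(self.ISSUER, handle)

    def resolve(self, artifact: str, requesting_oa: str) -> dict:
        """Steps 4/5: issued here, unused, presented by the OA it was issued for; consumed on success."""
        parts = parse_artifact(artifact)
        if parts["source_id"] != hashlib.sha1(self.ISSUER.encode()).digest():
            raise PermissionError("artifact was not issued by this MOA-ID")
        entry = self._pending.get(parts["handle"])
        if entry is None:
            raise PermissionError("unknown or already consumed artifact")
        oa, assertion = entry
        if oa != requesting_oa:
            raise PermissionError("artifact is bound to a different online application")
        del self._pending[parts["handle"]]
        return assertion


def _attempt(moa: MoaId, artifact: str, oa: str):
    """One resolve attempt: the assertion, or the reason it was refused."""
    try:
        return moa.resolve(artifact, oa)
    except PermissionError as e:
        return str(e)


def run_flow(oa: str = "http://oa.gv.at", sector: str = "SA") -> dict:
    """Steps 2 to 5 once, recording what a foreign OA and a replay get back."""
    moa = MoaId()
    art = moa.authenticate(IDENTITY_LINK, sector, oa)
    return {"artifact": art, "redirect": f"{oa}?SAMLArtifact={art}",  # step 3
            "foreign_oa": _attempt(moa, art, "http://other.example"),   # constructed OA
            "assertion": _attempt(moa, art, oa), "replay": _attempt(moa, art, oa)}


if __name__ == "__main__":
    print(run_flow())
```

`run_flow()` shows the three outcomes side by side: the foreign application is refused without consuming the artifact, the legitimate application receives name, date of birth, sector and ssPIN, and a second presentation of the same artifact is refused. Decoding `SLIDE_ARTIFACT` with `parse_artifact` confirms that the artifact on the slide is a 42-byte type-1 artifact (type code 0x0001).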
Process Flow MOA-ID (new)
[Figure: online application and MOA-ID exchanging the messages below]
1. Requesting access to application
2. SAML AuthnRequest
3. Citizen card authentication via citizen card software
4. SAML Response
5. Provide resource
SAML AuthnRequest
[Screenshot of a SAML AuthnRequest; annotation: requested authentication level]
SAML Response - 1/2
[Screenshot of a SAML Response; annotations: sector, ssPIN]
SAML Response – 2/2
[Screenshot, continued; annotations: authentication level, additional attributes]
Authentication Level
» Assurance level of the transmitted identity data
» Quantitative representation of identity enrolment, credential, authentication process, etc.
» Grounded by risk assessment of applications
» Different, but related approaches
» NIST SP 800-63: Levels of Assurance
» ISO/IEC 29115: Levels of Assurance
» STORK: Quality Authentication Assurance Level
» In Austria: SecClass - Sicherheitsklassen (security classes)
» All have 4 levels
[Figure labels: Identity Lifecycle, Governance]
SecClass
» Identity component: indicator for the quality of the identification and authentication
» Registration quality (R)
  » Quality of the identification process (ID)
  » Quality of the identity credential issuing (IC)
  » Quality of the identity credential issuing entity (IE)
» Authentication quality (A)
  » Type and robustness of the identity credential (RC)
  » Quality of the authentication mechanism (AM)
SecClass Example
Component: minimal requirements to the components

Quality of the identification process (ID):
The person has to be physically present in the registration process at least once.
AND
Stating multiple attributes (e.g. name and date of birth) that allow unique identification.
AND
The identity is validated using a legal identity document including at least a photograph or a signature (passport, driving licence, …). The data may be validated using trustworthy instruments.

Quality of the identity credential issuing (IC):
The person receives the identity credential after the identification process personally from the identifying instance.
OR
The identity credentials are forwarded by mail and are activated after the identification process.

Quality of the identity credential issuing entity (IE):
The CSP is a public entity (public authority or agency).
OR
The CSP has qualifications according to Annex II of the EU Directive 1999/93/EC or § 7 SigG.

Type and robustness of the identity credentials (RC):
Identity credentials based on a qualified hardware certificate according to Annex I of the EU Directive 1999/93/EC (Citizen Card).

Quality of the authentication mechanism (AM):
Secure authentication mechanisms, based on state-of-the-art technology, providing protection against most common threats.
Portal Group (Portalverbund - PVP)
» Internal government authentication and authorization system for civil servants
» Federation of administration portals for joint usage of existing infrastructure
» Decentralized user management
» User data is only managed within the source organization (Stammportal)
» Users may access multiple applications with only one account
» “Legal”: portal group agreement
» Rights and duties for participation defined
» “Technical”: portal group protocol
» Reverse proxy (HTTP header) or SAML
Portal Group (PG)
[Figure: authorization in the portal group. The user of PG participant abc.gv.at authenticates at its source portal; the application portal of PG participant xyz.gv.at, operated by its portal provider, fronts Application X. Rights validation is the Policy Enforcement Point (PEP), rights management the Policy Decision Point (PDP); further roles shown: application-responsible, user representative, portal provider.]
Ref: PV-Whitepaper
PG-Set Up
» Portal providers created a group where the portals can authenticate against each other. Therefore, they bilaterally agreed to the portal group agreement (Portalverbundvereinbarung).
» The application-responsible of the application X (a data application according to §7(4) DSG 2000) delegates authentication and authorization to the portal provider of the domain xyz.gv.at.
» The application-responsible has an application agreement with the organization abc.gv.at for the application X. The application-responsible instructs the portal provider of the portal xyz.gv.at to assign the rights, defined within the usage agreement, to the portal abc.gv.at.
» The portal provider of abc.gv.at defines which users of the organization abc.gv.at are allowed to access the application.
Ref: PV-Whitepaper
PG-Process Flow
» The user (civil servant) authenticates at the source portal (Stammportal), and the source portal authenticates at the application portal.
» The source portal defines which application rights are assigned to the user.
» The application portal checks whether the defined rights allow the civil servant of the requesting organization to access the application.
» If access is allowed, the civil servant is forwarded to the target application. The target application enforces the rights.
Ref: Pichler
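The set-up and process flow above, as an added Python example of the application portal's side (rights management as PDP, rights validation as PEP) for the reverse-proxy (HTTP header) variant. This is illustration code, not the Portalverbund's own software: the portal names and "Application X" come from the slides, while the role names and the `X-Source-Portal`, `X-User-Id` and `X-Roles` header names are placeholders chosen here, not PVP's own identifiers. The portal-to-portal authentication is modelled as membership in `trusted_portals`.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UsageAgreement:
    """Rights the application-responsible assigned to one participating portal for one application."""
    application: str
    portal: str
    roles: frozenset


@dataclass
class ApplicationPortal:
    """Application portal side: rights management (PDP) and rights validation (PEP)."""
    trusted_portals: frozenset                      # portals that signed the portal group agreement
    agreements: list = field(default_factory=list)  # maintained on behalf of the application-responsible

    def decide(self, source_portal: str, application: str, asserted_roles: set) -> set:
        """PDP: of the roles the source portal asserts for its user, keep those the usage
        agreement lets that portal hand out. The source portal picks which users get a role;
        the agreement limits which roles it may assign at all."""
        if source_portal not in self.trusted_portals:
            return set()
        delegated = set()
        for agreement in self.agreements:
            if agreement.application == application and agreement.portal == source_portal:
                delegated |= agreement.roles
        return asserted_roles & delegated

    def enforce(self, headers: dict, application: str) -> tuple:
        """PEP for the HTTP-header variant. `headers` must be what the authenticated source
        portal sent on its own channel, never headers supplied by the browser."""
        source_portal = headers.get("X-Source-Portal", "")   # placeholder header names
        user = headers.get("X-User-Id", "")
        asserted = {r.strip() for r in headers.get("X-Roles", "").split(",") if r.strip()}
        if not source_portal or not user:
            return False, set()
        effective = self.decide(source_portal, application, asserted)
        return bool(effective), effective


def build_portal_group() -> ApplicationPortal:
    """xyz.gv.at fronts Application X; abc.gv.at may hand out the 'reader' and 'editor' roles."""
    return ApplicationPortal(
        trusted_portals=frozenset({"abc.gv.at"}),
        agreements=[UsageAgreement("Application X", "abc.gv.at", frozenset({"reader", "editor"}))],
    )


if __name__ == "__main__":
    portal = build_portal_group()
    # Constructed request as forwarded by the source portal abc.gv.at: 'admin' is not delegated.
    print(portal.enforce({"X-Source-Portal": "abc.gv.at", "X-User-Id": "m.muster",
                          "X-Roles": "reader,admin"}, "Application X"))
    # A portal outside the group gets nothing, whatever it asserts.
    print(portal.enforce({"X-Source-Portal": "other.example", "X-User-Id": "x",
                          "X-Roles": "reader"}, "Application X"))
```

The decisive property of the header variant is where the headers come from: the application portal may only trust them on the channel on which the source portal itself has authenticated (the slide's "the source portal authenticates at the application portal"). A role header that any client could set directly would carry no authority, which is why the check in `decide` starts from the identity of the portal, not from the header contents.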
Conclusion
» Identity management is essential, especially within the area of E-Government
» Unique identification
» Legal basis: E-Government law
» Austria provides
» a user-centered approach for C2G
» Identity data stored on the Citizen Card
» Identification and authentication
» a federated approach for G2G
» Identity protocol: SAML 2.0
References
» E-Government Law: http://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20003230
» Fidis: http://www.fidis.net
» PRIME: https://www.prime-project.eu
» GINI-SA: http://www.gini-sa.eu
» L. J. Camp: “Digital Identity”, IEEE Technology and Society Magazine, 2004, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1337889
» R. Clarke: “Human Identification in Information Systems: Management Challenges and Public Policy Issues”, Information Technology & People, 1994, Vol. 7, pp. 6-37, http://www.rogerclarke.com/DV/HumanID.html
» E. Bertino, K. Takahashi: “Identity Management: Concepts, Technologies, and Systems”, 2011
» A. Tsolkas, K. Schmidt: “Rollen und Berechtigungskonzepte”, 2010
» J. Palfrey, U. Gasser: “Digital Identity Interoperability and eInnovation”, 2007
» J. D. Clercq: “Single Sign-On Architectures”, InfraSec 2002, pp. 40-58
» SAML: http://saml.xml.org
» OpenID: http://openid.net
» OAuth: http://oauth.net
» OpenID Connect:
» N. Sakimura: “Dummy’s guide for the Difference between OAuth Authentication and OpenID”, 2011, http://nat.sakimura.org/2011/05/15/dummys-guide-for-the-difference-between-oauth-authentication-and-openid/
» MOA-ID: https://joinup.ec.europa.eu/software/moa-idspss_de/description
» PVP: http://reference.e-government.gv.at/Portalverbund.577.0.html
Control Questions
» Explain the terms identification/authentication/authorization.
» What is multi-factor authentication? Give an example.
» Explain the identity lifecycle.
» Which types of identities do you know? Describe the differences.
» Enumerate identity management threats.
» Which stakeholders are involved within an identity management system?
» Describe different IdM architectures.
» Which identity protocols do you know? Describe one of them in detail.
» Which concepts of IdM are used within Austria?
» What are levels of assurance and what are they used for?
» Describe the identification and authentication process within MOA-ID.
» What is the portal group? Describe the concept.
Thank you for your
attention!
Bernd Zwattendorfer –
[email protected]
www.egiz.gv.at