See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/269629982

A Proposal for a Unified Identity Card for Use in an Academic Federation

Environment

Conference Paper · September 2014

DOI: 10.1109/ARES.2014.42

CITATIONS READS

2 9,770

3 authors:

Felipe Coral Sasso Ricardo Moraes

Federal University of Santa Catarina Federal University of Santa Catarina
1 PUBLICATION 2 CITATIONS 95 PUBLICATIONS 768 CITATIONS

SEE PROFILE SEE PROFILE

Jean Everson Martina

Federal University of Santa Catarina
69 PUBLICATIONS 347 CITATIONS

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

PhD. Project - Verification o Multicast based Security Protocols View project

Blockchain View project

All content following this page was uploaded by Felipe Coral Sasso on 16 December 2014.

The user has requested enhancement of the downloaded file.

 2014 9th International Conference on Availability, Reliability and Security
A Proposal for an Unified Identity Card for Use in
an Academic Federation Environment
Felipe Coral Sasso, Ricardo Alexandre Reinaldo de Moraes and Jean Everson Martina
Departamento de Informática e de Estatı́stica
Universidade Federal de Santa Catarina
Florianópolis - SC - Brazil - 88040-900
Email: [email protected], {ricardo.moraes,jean.martina}@ufsc.br
Abstract—A lot of effort has been made recently to build
academic federations. However some issues are still open. The
first is off-line authentication. Today’s model of federation re-
quires systems to work on-line and synchronously, what limits its
use for some applications. Second, the data federated institutions
make available is only for computer systems and not for people.
This makes it difficult for humans involved to assess such
credentials. Finally, the federation has numerous technical and
legal issues for the provision of private data such as biometric
parameters. Even tough, these would bring a much stronger
authentication process. Therefore this research proposes to model
an identity card based on ICAO 9303 standard for usage in
academic federated environments. This proposal enables off-line
authentication, assessment of credentials by human agents and
allow the usage of private biometric data in a secure manner.
Keywords—Federations, Identity Management, Digital Docu-
ments, Biometric Data
I. I NTRODUCTION
The use of federations as a method to centralise authentica-
tion, is now a reality in academic environments. In an academic
context, each participating institution in a federation can make
available credentials from its users. These credentials can be
used in services offered by the federation, taking away from
each system the responsibility of storing credentials. Thus,
when an academic visit another institution, he can use services
offered by the hosting institution just proving his authentication
credentials from his home institution. As an example of such
federation we can mention the Incommon1 U.S., where more
than 400 higher education institutions are participating, as
well as several research centres and companies. Even with all
these implemented and running, federations in general are still
limited in the use of their credentials.
A federation consists in two main entities: Service
Providers (SPs) and Identity Providers (IdPs). IdPs are respon-
sible for managing the user’s authentication credentials and
their personal information, while SPs offer services in which
these users can access through the IdP credentials [1]. In this
way, services do not need to maintain users information and
users do not need to memorise several credentials.
Federations require both, resources and identity providers,
to be available on-line. Thus, both, the identity provider at
the home institution, as well as, the service providers must
somehow communicate in real time so that the users can access
a given service. Some applications such as the lending of books
1 http://www.incommon.org/
978-1-4799-4223-7/14 $31.00 © 2014 IEEE
DOI 10.1109/ARES.2014.42
or access to certain shared-use physical environments within
the hosting institution may not require such real-time checks.
Identities provided by the federation require the use of
computers for their verification. Thus, the use of identity
credentials is restricted to the context of computer systems,
making their use difficult or almost impossible for human
agents. Clearly, the use of credentials verified by a human
agent can help in various scenarios where identification is ordi-
nary and necessary. This also applies to agents that are not even
part of the federation but choose to accept a provided form of
identification. An example is the identification requirements for
discounted tickets in box offices from cinemas and theatres.
In addition, some data is considered private, confidential
and for restricted use. In this sense, the home institution
through its identity provider cannot share it. Thus, it is
important to act carefully with this data, otherwise the involved
institutions can suffer legal sanctions for any privacy breach.
An example of such data is the biometric information for an
authentication processes. It can be very useful as a second
authentication factor, but its collection, storage and transmis-
sion are very sensitive to privacy issues in these federated
environment activities.
To sort these problems out, it is necessary to conceive
an off-line authentication method, thus minimizing the real-
time communication between institutions. It is also necessary
equip human agents with the possibility of verifying such
identity credentials without the help of computers. Moreover,
it is mandatory that the user controls his private data, such as
biometric information, and how it will be saved, transmitted
and used. A standard that already address these problems and
is commonly used for credential transmission, evaluation and
checking is the Machine Readable Travel Document standard
(MRTD).
MRTD is a standard specified by International Civil Avi-
ation (ICAO) and laid down by the ICAO 9303 document
series[2]. This standard is the one used in passports, therefore,
it is already well understood, either in terms of software as
in terms of hardware requirements. The ICAO 9303 document
series details specifications such as the mandatory and optional
data that need to be present in such documents, how to access
it and how to verify the authenticity of such data. Furthermore,
MRTD specifies different levels of service, including one with
an integrated circuit (IC). In this IC, biometric information,
such as finger prints and iris can be safely stored. Thus, this
paper aims to propose a unified identity card for the usage
265
in academic federated environments, which is based on the
ICAO 9303 standard, but addresses specificities of academic
federations.
A detailed analysis of ICAO documents, including their
data structure, how they can be read and authenticated is
given in Section III; definition for federations, including its
importance and use in academic environments are provided
in Section IV; our proposal for an identity card with detailed
information about the required modifications relative to ICAO
documents is done in V; applications for the proposed identity
card are given in Section VI; concluding remarks and further
work are discussed in Section VII.
II. R ELATED WORK
A student card is a document that ensures to the student
the right to pay a lower price at concerts, cinema, theatres
and another activities in certain places around the world. Some
shops also offer discounts in products and services for students
who present a valid card. This card can also help a large
quantity of students by providing transportation allowances [3].
Nowadays United Nations Educational, Scientific and Cul-
tural Organization (UNESCO) recognizes the International
Student Identity Card (ISIC) as the only international proof
that a person is a student [4]. The ISIC card has been endorsed
by the UNESCO since 1968 [5]. ISIC is also supported by
the European Council on Culture and the Andean Community
of Nations. The card is recognised by universities, academic
institutions, student unions, national governments, financial
institutions and ministries of education around the world [5].
Nevertheless, ISIC card can not be used to solve the problems
previously mentioned. These problems consists in the need
for real-time communications between Identity Providers and
Service Providers, private data can not be shared and the card
does not store the student personal information. It also does
not solve the problems posed to other user in the academic
federated environment that are not students.
There are also deployments of identity cards based on the
standard of passports , such as the Carta d’Identit Elettronica,
in Italy. As seen in [6], the electronic identity card is an
instrument of personal identification and authentication for
access to the web services provided by public administration.
The technical specifications for the document were presented
at the Ministerial Decree on November 8, 2007 [7]. The card
contains stored on a microchip and an OCR personal data,
number of residency, citizenship, numeric code of the city of
issue, date of issue and expiry, beyond the photograph and
signature of the holder band. However, it is noteworthy that
after 10 years of experiment, the electronic card is limited
to a few counties and online resources have not yet been
implemented [8].
Germany also has an identity based on an ePassport.
The Personalausweis der Bundesrepublik Deutschland [9] was
instituted on November 1, 2010, has the form of a smartcard
and has some interesting security features such as [10] [11] :
• Complex security printing with multi-colour line
structures
• The German eagle as a three-dimensional and latent
image
266
• Printing visible under UV light
• Tactile printing in some places
• An integrated security thread including the document
number and the card holder’s name
• A changeable laser image on the back showing either
the ID card’s validity or the card holder’s portrait
depending on the viewing angle
• The eID card can be used only in combination with a
card reader. For this reason it is impossible to retrieve
data remotely
• Only persons holding the ID card and knowing the
PIN can authorize the transmission of data. Your
personal data are protected against misuse on the
Internet
The card also has the integrated eID Function, which can
be used to identify users on the Internet at vending machines,
in an automated and secure way [12]. The card also stores a
passport photograph and fingerprints to match the ID card its
card holder.
Besides Germany and Italy, Belgium also has an identity
card following the recommendations of the International Civil
Aviation Organization. The Belgian identification card allows
its holder to use an authentic signature. [13].
As seen in [14] Belgian identity card has three 1024-
bit RSA encryption: one to authenticate the citizen, one for
non-repudiation signatures, and one to identify the card itself
towards the Belgian government. The first two key pairs are
accompanied by certificates that are issued to the citizen: one
authentication certicate for use in client authentication, e.g.,
with SSL/TLS.
Thus, it was seen two things. First, there is already an
academic card that can be used globally, but has few electronic
security properties, as previously said. Second, some coun-
tries are successfully using identity cards following the 9303
recommendations of the documentation provided by ICAO.
Therefore, we believe it is possible that an academic card can
also be created following the recommendations of ICAO. This
card can be adapted to the actual need and requirements of a
truly globalised academic .
III. ICAO 9303
The ICAO 9303 standard is a series of documents created
by the International Civil Aviation Organization (ICAO), which
aims to describe the specifications for a Machine Readable
Travel Documents.
As described in ICAO’s website[2] work on machine-
readable travel documents began long before the appearance of
the 9303 Document, with the establishment of the ICAO Panel
on Passport Cards in 1968. They prepared recommendations
to standardise machine-readable documents, thus accelerating
the process of releasing passengers at passport controls. Later,
the specifications were published in the first edition of 9303
Document and today, it is used as a guide all over the world
for issuing travel documents[2].
A. Machine readable zone (MRZ)
The MRTDs that follow the 9303 standard use a machine-
readable zone (MRZ) to facilitate the inspection of documents.
The MRZ provides data elements formatted to be readable
by machines that use the MRTD standard. These data must
be readable both by machines and visually by humans. As
a solution to meet these requirements, an Optical Character
Recognition (OCR) scheme was specified in Doc 9303 as the
way to store and collect data from the MRZ [15]. The data
contained in MRZ can be seen in the figure 1.
Fig. 1. Construction of the machine-readable zone[16]
In the MRZ are contained key information about the
document holder. In the first row are data that indicate which
type of document is being described, the issuing state, and
document number. In the second row are user data, such as
date of birth, sex, nationality, besides the expiry date of the
document. The third row is the name of the document holder.
B. Logical Data Structure
An MRTD document nowadays has alsdo a contactless
Integrated Circuit (IC). The Logical Data Structure (LDS)
describes how the data is written in the IC and how it is
formatted, ensuring global interoperability for machine reading
[16].
To meet the requirements, LDS has some mandatory and
optional data elements. These data are grouped into Data
Groups (DG), depending on where they have been recorded: by
the issuing entity or by the receiving one. Figure 2 illustrates
the data and groups stored in the LDS.
Among all these data, the mandatory are the ones that
belong to DG1 and DG2. The biometric information, such
as data for face recognition, fingerprint and iris are stored in
groups 2, 3 and 4 respectively.
In addition to these groups, the IC also contains other
groups where important information is stored, such as:
267
Fig. 2. Data groups [16]
• DG7: Used to store signature or usual mark;
• DG11 (Additional Personal Detail): Personal informa-
tion such as address, occupation, name of parents and
phone numbers are stored;
• DG12 (Additional Document Details): Information
about the issuer of the passport is stored;
• DG16 (Person(s) to notify): Informations about per-
sons to be notified in case of emergency
The LDS also contains a header and a Data Group Presence
Map, that are stored in a EF.COM file. This header must have
the information that allows the location and decoding of the
data groups and data elements. Confirmation of authenticity
and integrity of recorded data is made by the Security Object.
Each data group is represented in this object, which is recorded
in an EF.SOD file, known as Security Object. These two files
are mandatory with all other Data Elements being optional
[16].
1) Data authentication: An MRTD that uses contactless
IC is vulnerable to some attacks. For example, the data can
be electronically read without authorisation within a distance
of several metres. Therefore, the use of Basic Access Control
(BAC) is recommended, although not required [16].
The Basic Access Control mechanism only allows access
to the contactless IC only if the receiving end proves that
it is authorised to access the LDS. This is provided by a
challenge-response protocol, where the receiving end proves
it has access to the Document Basic Access Keys, which
is derived from MRZ. These keys can be provided by an
MRZ reader machine or manually. In order to improve the
security, after the authentication, the MRTD must encrypt the
communication channel with the receiving end [16].
The challenge-response is as follow:
1) The receiving end gives some MRZ information,
which is the concatenation of Document Number,
Date of Birth and Date of Expiry. This data is printed
at the document and can be collected using either an
OCR reader or manually;
2) Both the MRTD’s contactless IC and the receiving
end generate session keys;
3) A successful authentication process is executed, and
after that, the data is sent by a secure channel.
There is another optional access control mechanism called
Extended Access Control (EAC). It is similar to the Basic
Access Control, however, in addition to the access keys already
used by BAC, another key is required. This key is called
Document Extended Access Key and is defined by the State
that issued the document. Usually this key is necessary to
access DGs with privacy requirements, such as biometric data.
The LDS has a Document Security Object (SOD), which
is signed by the issuing party and contains the LDS contents
hash. Anyone with the public key of the document signer can
verify the integrity of SOD, and consequently the integrity of
LDS. This process is called passive authentication (PA). This
process proves the authenticity and integrity of data, but it does
not prevent chip substitution or the copy of content.
The alternative way to prevent chip substitution is using
the Active Authentication (AA). This is possible due to a
challenge-response protocol between receiving end and con-
tactless IC [16].
IV. F EDERATION
According to Moreira et al. [17], an academic federation
involves educational and research institutions. It allows people
linked to these institutions to share information and resources
and access restrict services, using the institutional bond as a
basic criterion for these operations. The academic federations
aims to minimize the maintenance of databases and accounts
from the service providers and users. The information about a
person is maintained in a single place, managed by his home
institution. Service providers trust the identity management of
the institutions. They offer their services for users from those
institutions, thus creating the principle of federated identity.
Federated Identity is a mechanism used for authenticating
users from partner organizations, allowing the sharing of
identity information between security domains. In the last
years, academia and governments adopted the use of Identity
Management by the use of federations in their e-Government
services.
With the use of federated identity management, security,
usability and efficiency of systems increase. Organisations
have several benefits, for example, the reduce of administrative
costs, improvement in data quality and security as well as the
simplification of users’ identities management.
268
Several countries now have their own academic federation,
like:
• United States (Incommon): InCommon serves the U.S.
education and research communities, supporting a
common framework for trusted shared management
of access to on-line resources. Through InCommon,
Identity Providers can give their users single sign-
on convenience and privacy protection, while online
Service Providers control access to their protected
resources [18];
• Ireland (Edugate): The Edugate provides a single
access mechanism that can enable access to online
resources supporting alliances, research collaboration,
consortia and shared services. Now users can use
the credentials issued by their institution to access
Edugate enabled web sites and benefit from a person-
alized and persistent experience, with privacy features
that put the user in control [19];
• Italy (IDEM): IDEM has the aim of setting up and
supporting a common framework for Italian education
and research institutes to manage accesses to on-line
resources. To achieve this goal IDEM encourages the
development of a community based on mutual trust.
In this way, it will be easier for participants to take
right decisions on access control matter, based on
information provided by the participants themselves
[20];
• Australia (Australian Access Federation): The Aus-
tralian Access Federation provides the means for
allowing a participating institution and/or a service
provider to trust the information it receives from an-
other participating institution. This provides seamless
access to resources and secure communication by
removing most of the roadblocks to collaboration and
sharing at both the institutional and end user levels.
Organizations will benefit from the AAF as it allows
researchers to use their home institution Login to
access a growing number of participating services and
resources [21].
• Brazil (CAFe): CAFe allows each user to have a single
account at their institution of origin, valid for all
services provided to federation, eliminating the need
for multiple passwords and registration processes. The
trustworthy relationship between participating institu-
tions of the Federation allows the user to authenticate
only in its origin institution, which provides guaran-
tees of authenticity and credibility necessary to the
others [22].
There are other federations in several other countries such
as France (RENATER2 ), Japan (GakuNin3 ), Canada (CAF4 ),
among others. In addition to these nation wide projects, we
can also cite as an example the Eduroam project, which bond
most of the above mentioned federations.
2 http://www.renater.fr/
3 http://www.gakunin.jp/
4 http://www.canarie.ca/
A. Eduroam
Eduroam (education roaming) is a European project devel-
oped by TERENA [23] that aims to provide network access
for the education community. It allows students, researchers
and staff from partner institutions to obtain Internet access
when visiting other partner institutions by providing the
home-institution credentials [24] [25]. The credentials used
to authenticate the users can be stored in LDAP directories.
Furthermore, each institution have to ensure the credibility of
their users’ credentials. Thus, Eduroam uses a trust relation
between institutions through the federation concept [26].
1) How eduroam works: The eduroam service is based on
the use of international standard Remote Authentication Dial
User Service (RADIUS), published by the Internet Engineering
Task Force (IETF).
The RADIUS servers are responsible for:
• Receive connection request.
• Authenticate users.
• Returning all configuration information necessary for
the client to provide connectivity to a user.
• It can act as a proxy client to other authentication
servers.
The network infrastructure required to provide the service
uses wireless access points supporting IEEE 802.11 and IEEE
802.11i standard to provide secure access mechanisms [26].
V. P ROPOSAL FOR AN U NIFIED ACADEMIC I DENTITY
C ARD
Our proposal is to bind together these two different ideas of
machine readable documents and federations. To sort out some
of the issues present in the federated environment, such ans
the one mentioned at our introduction we plan to adapt the the
standard from ICAO 9303 to address the specific academic-
federated environment’s needs.
A. MRZ in Academic Card
As already described, the MRTD uses OCR, thus enabling
the document to be read by any machine that follows the stan-
dard MRTD. Compared with the original MRZ, an amendment
was made in the first row. Originally, the first line contains two
digits for the document type, three for Issuer State, nine for
document number, one to Validation Digits and fifteen digits
for optional information. Some of this information is irrelevant
in the academic context, while some of the space could be
better used.
Our proposal for an MRZ for an academic card is that, the
number of digits for the Document Type, and State Issuer, to
be maintained. There will be two types of document Id Student
(IS) or Id Academic (IA). This will allow the document to be
assessed by human peer to identify student for their discount
rates when provided. In the Positions of Issuer State , we will
have the country of the institution that issued the card. This
will allow any machine reading to route its connection to the
correct national federation for the electronic assessment of the
credential. The document number will variable size, besides
269
having the validation digit. Optional data in the first row, there
will be the acronym of the institution, which will separate
document number by a single character fill (<). The figure 3
shows our proposal for the MRZ in an academic card.
Fig. 3. MRZ in Academic card
Briefly explaining the proposed MRZ, we will have:
In the first line:1 to 2: The characters must be IS (Student
Id) or IA (Id Academic) to designate that this is a document
of identification. 3 to 5: The three-letter code to indicate the
state of the issuing institution.
6 to 30: Identification Number and size miscellaneous digit
validator together with Acronym University. The identification
must be separated from the acronym for character fill (<).
In the second line:1 to 6: Holder’s date of birth in format
YYMMDD. 7: Check digit on date of birth. 8: Sex of holder.
9 to 14: Date of expiry of the document in format YYMMDD.
15: Check digit on date of expiry. 16 to 18: Nationality of the
holder represented by a three-letter code. 18 to 29: Optional
data at the discretion of the institution. 30: Overall, check digit
for upper and middle machine-readable lines.
In the third line1 to 30:Holders name.
The name consists of primary and secondary identifiers,
which shall be separated by two-filler characters (<<). A
single filler character shall separate components within the
primary or secondary identifiers (<).
When the name of the document holder has only one part,
it shall be placed first in the character positions for primary
identifier, filler characters (<) being used to complete the
remaining character positions of the MRZ.
B. Inspection Zone in Academic Card
All data contained in the MRZ, except for validators digits
are also printed on the document, allowing the visual reading.
The figure 4 demonstrates how to be ahead of their academic
card.
Beyond OCR, the academic card also has a QR Code,
which will contain all the MRZ data. This will allow uni-
versities to develop their own applications to read the QR
Code. Thus, universities have the option to avoid increased
spending on purchases of passport readers, which have a
high cost, and are complicated to manage. There are some
Open Source Android Applications for reading and extracting
data from passports, like the aJMRTD 5 and andromex 6 , for
5 http://sourceforge.net/projects/ajmrtd/
6 https://code.google.com/p/androsmex/
Fig. 4. Front

creating passports. With this, each university may change the

application as you like.

Fig. 5. Back
Fig. 6. LDS in academic card

C. LDS in Academic Card

• Identification of degree, department, year of start and
The LDS has fields that can be used for biometric authen- end of the course,
tication such as Encoded Face, Encoded Finger and Encoded
Eyes. Some fields of LDS were changed to match the MRZ • Delegation of authority.
academic card. Where the Issuing State or Organization was
Each institution assumes the responsibility for issuing this
stored, it is now stored the state of the issuing institution. In
certificate, which can be written in the academic card at the
place of the Optional Data we now store the acronym of the
time of creation and securely. In practice, an academic with
institution. The LDS will also include a field for authorization,
the present card would prove his identity and the attribute
which may be stored attributes certificates for access control
certificate, ensure your student bond and any other optional
among other things.
data not standardised by our proposal.
Figure 6 shows how the LDS of Academic Card was
designed. In bold, the differences from the original version. E. Technologies
The academic card will contain the Java Card and Mifare
D. Use of Attribute Certificates
technology.
An attribute certificate (or authorization certificate) is an
1) MIFARE: MIFARE technology is a contactless smart
electronic document that contains a set of attributes that relate
card developed by Phillips in 2006. Consists of a card with
to the holder. Their format and syntax are defined by the X.509
a chip small capacity of memory and an internal antenna that
standard [27], the same standard used for digital certificates.
senses the approach of the reader through the magnetic field
The attribute certificate has no public key. It is digitally
identified by the frequency of the card (RFID). The working
signed by a trusted authority (called the Attribute Certificate
frequency of a MIFARE card is 13.56MHz. MIFARE products
Issuer Entity). It may be used alone or in conjunction with a
comply with the international standard ISO/IEC 14443, which
digital certificate. Thus, the attribute constants in the certificate
is used in more than 80% of all contactless smart cards today
attributes can be changed or even revoked without involving
[28].
the revocation of digital certificates. It is possible use the
attributes certificate to store this on the Authorization Fields. Some examples of using the MIFARE technology in a
Within the academic card, the Attributes Certificates can be Academic Card[29]:
used for many different purposes:
• Physical access to university and student home build-
• Better characterisation of the academic, ings
• Authorisation information, • Access to services such as copy machines

270
 • Micro payment for student restaurants
• Logical access to PCs and services
2) Java Card: Java Card technology enables smart cards
and other devices with very limited memory to run small
applications, called applets, that employ Java technology. It
provides smart card manufacturers with a secure and interop-
erable execution platform that can store and update multiple
applications on a single device. Java Card technology is
compatible with existing smart card standards [30].
Smart card vendors and issuers benefit from several unique
features of Java Card technology, which is [30]:
• Interoperability
• Security
• Multi-Application-capability
• Dynamic
• Compatible with Existing Standards
F. Incremental Deployment
Following this proposal, it is possible that even entities with
limited financial resources can adhere to standard. Following
the proposal historically laid down by ICAO, the entities will
have three options for issuing the proposed academic card.
They are listed below:
• Only VIZ: If an entity has limited financial resources,
it can issue the academic card with the Visual Inspec-
tion Zone (VIZ) without the MRZ and LDS, allowing
only visual inspection by humans.
• VIZ, MRZ and QR Code: To entities who want
an academic card that can be read by humans and
machines. In this scheme a series of validation can
already be imposed in the electronic forms of the
document.
• Full Functionality: To entities that want a fully func-
tional card with VIZ, MRZ and LDS, where it can
enjoy biometric authentication and the features of the
proposal.
VI. A PPLICATIONS IN ACADEMIC ENVIRONMENTS
Several applications for standardised academic cards can be
listed, as presence control, automated issuance of certificates
and authentication in online courses.
1) Attendance control: Is something easy to be applied in
an academic environment. The university can use contacless
readers to control the presence of academics who have a card
following the proposal. The student only need to swipe their
card in the reader. The biometry in embedded in the card can
be used as a proof of presence signed by the card.
2) Using Academic Cards for authentication in MOOCs:
As shown in Haggard [31] Massive Open Online Courses
(MOOCs) is the term that emerged in 2008 for a particular type
of open online course format. MOOCs have quickly gained
popularity, expanded, and evolved. An example of how to use
for authentication MOOCs would the student have at hand a
271
card reader. Thus, the system could, through facial recognition
and the use of the academic card with facial information,
execute a continuous authentication. It would compare the
portrait in the card with the image of the student who is doing
the course. It would guarantee authentication and exclusive
dedication to the computer screen. In this way, it is easier to
evaluate the performance of this student.
3) Access to controlled places: The student can also access
another controlled places beyond the classroom using the
academic card such as the university restaurant, where the card
could storage its tickets or credits to be used there. Another
idea is using this card to access conferences, events, libraries
and so on.
4) Digital certificates issuance: Another area of applica-
tion is an automated issuance of certificates using the card.
This process consists of generating a certificate request by
extracting the user’s credentials from the card. This is possible
because the institution already verified them when he was
registered in the federation. These certificates can be used for
short-term, as in conferences for access to wireless networks.
It can also be used for more classical applications, as authen-
tication of students and staff in the various academic systems.
VII. F INAL R EMARKS
In this paper we presented a proposal for an academic
card based on ICAO standard contributing to the concept of
federation. Our proposal can authenticate users in an off-line
way, allow for biometric authentication and enable human
beings to assess the validity of federated credentials.
In order to show that the idea is feasible, we presented a
detailed study about each field of a document that follows the
ICAO standard, suggesting appropriate modifications to meet
the academic needs. We also presented potential applications
to the academic card, as presence control, authentication in
Massive Open Online Courses, access to controlled places and
digital certificates issuance.
In order to improve our proposal, we are moving towards a
real implementation of this card in the academic environment.
With the deployment of the actual card we will be able to
assess even more details regarding its usability and feasibility.
R EFERENCES
[1] R. Baldoni, “Federated identity management systems in e-government:
the case of italy,” EG, vol. 9, no. 1, pp. 64–84, 2012.
[2] Mrtd history. International Civil Aviation Organization. [Online].
Available: http://www.icao.int/Security/mrtd/Pages/MRTDHistory.aspx
[3] Benefits. ISIC Association. [Online]. Available:
http://www.isic.org/benefits/
[4] O que a carteira mundial do estudante. Carteira Mundial do Estudante.
[Online]. Available: http://www.carteiradoestudante.com.br/saiba-tudo-
carteira-mundial.aspx
[5] About isic. ISIC Association. [Online]. Available:
http://www.isic.org/about-us/
[6] Carta d’identit elettronica - cie. Ministero Dell’Interno. [Online].
Available: http://www.interno.gov.it/mininterno/site/it/temi/
servizi demografici/scheda 006.html
[7] Decreto 8 novembre 2007. Ministero Dell’Interno. [Online]. Available:
http://www.interno.gov.it/mininterno/site/it/sezioni/servizi/legislazione
/enti locali/0997 2007 11 08 Decreto 8 novembre 2007.html
 [8] Che fine ha fatto la carta d’identit elettronica? Wired It. [Online]. [31] S. Haggard. (2013) The maturing of the mooc. [Online]. Available:
Available: http://daily.wired.it/news/politica/2011/05/13/carta-identita- https://www.gov.uk/government/uploads/system/uploads/attachment data/
digitale.html file/240193/13-1173-maturing-of-the-mooc.pdf
[9] Neue anwendung fr die online-ausweisfunktion.
Der Neue Personalausweis. [Online]. Available:
http://www.personalausweisportal.de/DE/Home/home node.html
[10] Security and data protection. Der Neue Personalausweis. [Online].
Available: http://www.personalausweisportal.de/EN/Citizens/Security/
security node.html
[11] Features. Der Neue Personalausweis. [Online]. Avail-
able: http://www.personalausweisportal.de/EN/Citizens/The-New-
Identity-Card/Features/Features node.html
[12] Electronic identification with the new german national
identity card. Der Neue Personalausweis. [Online]. Avail-
able: http://www.personalausweisportal.de/EN/Citizens/Electronic-
Identification/Electronic-Identification node.html
[13] The id card. City of Brussels. [Online]. Available:
http://www.brussels.be/artdet.cfm/4827
[14]
[15] (2008) Part 3 - machine readable official travel documents. volume 1 -
mrtds with machine readable data stored in optical character recognition
format. International Civil Aviation Organization. [Online]. Available:
http://www.icao.int/publications/Documents/9303 p3 v1 cons en.pdf
[16] (2008) Part 3 - machine readable official travel doc-
uments. volume 2 - specifications for electronically en-
abled mrtds with biometric identification capability. In-
ternational Civil Aviation Organization. [Online]. Available:
http://www.icao.int/publications/Documents/9303 p3 v2 cons en.pdf
[17] Moreira, E.Q., Everton Didone Foscarini, da Silva Junior, G.C., Alixan-
drina, L.A.O., Neto, L.P.V., Rossetto, S., Federao CAFe Implantao do
Provedor de Identidade. Rede Nacional de Ensino e Pesquisa - RNP.
Rede Nacional de Ensino e Pesquisa, 2011.
[18] About incommon. InCommon. [Online]. Available:
http://www.incommon.org/about.html
[19] About edugate. Edugate. [Online]. Available:
http://www.edugate.ie/content/about-us
[20] About idem. Italian identity federation of universities and research
institutes for authentication and authorization. [Online]. Available:
https://www.idem.garr.it/en/about
[21] About australian access federation. Australian Access Federation.
[Online]. Available: http://aaf.edu.au/about/
[22] The federated academic community. Rede Nacional de Ensino e
Pesquisa. [Online]. Available: http://portal.rnp.br/web/servicos/cafe-en
[23] About terena. Trans-European Research and Education Networking
Association. [Online]. Available: http://www.terena.org/about/
[24] About eduroam. Trans-European Research and Education Networking
Association. [Online]. Available: https://www.eduroam.org/
[25] K. Wierenga and L. Florio, “Eduroam: past, present and future.”
in TNC, O. Martin, R. Barbera, A. Binczewski, D. Chadwick,
T. Hanss, J. Kanner, K. Meynell, J. Nabrzyski, V. Reijs,
D. A. Robertson, K. Wierenga, T. C. Schmidt, A. Sundstrm,
and S. Williams, Eds. TERENA, 2005. [Online]. Available:
http://dblp.uni-trier.de/db/conf/tnc/tnc2005.html
[26] Débora C. Muchaluat Saade, Ricardo Campanha Carrano, Edelberto
Franco Silva, Eduroam: Acesso sem fio seguro para a Comunidade
Acadêmica Federada. Rede Nacional de Ensino e Pesquisa, 2013.
[Online]. Available: http://www.scribd.com/doc/125531184/Eduroam-
Acesso-sem-Fio-Seguro-para-Comunidade-Academica-Federada
[27] Itu-t rec. x.509 iso/iec 9594-8. International Telecom-
munication Union. [Online]. Available: http://www.itu.int/ITU-
T/recommendations/rec.aspx?rec=9590
[28] About mifare. Mifare. [Online]. Available:
http://www.mifare.net/en/aboutmifare/
[29] Applications. Mifare. [Online]. Available:
http://www.mifare.net/en/applications/
[30] About java card technology. Oracle. [Online]. Available:
http://www.oracle.com/technetwork/java/javame/javacard/overview/
about/index.html

272

View publication stats