e-Learning assessment methods

Page history last edited by PBworks 13 years, 9 months ago

User recognition in e-Learning - An Italian Perspective

 

Techniques & Methods for Bio-Metric Authentication

 


 

INTRODUCTION

Scope of the report

The objective of this report is to trace, through desk research, the general framework of experiences and tendencies in Italy in adopting security systems in ICT applications, with particular regard to user recognition in e-learning solutions and to how such systems are intended to certify the results of distance learning.

 

Defining “e-learning authentication and assessment”

To guarantee with certainty the validity of user authentication and of the certification of learning results, it is necessary to set up a system that is able to:

 

  • Identify the user unambiguously each time he/she accesses his/her computer to study;
  • Track the route taken (pages visited), the completion times (total and partial, for each course section or lesson) and the results of the tests carried out during the training course;
  • Provide secure user identification and validate the conditions of the environment in which the certification tests of the final learning results are carried out. By validation of the test environment we mean verifying, at the time of the test, that the user cannot receive help or support of any kind.

 

Structure of the report

This abstract underlines the main ideas of the report.

The following provides an indication of the main clusters of documentation that have formed the basis of the research, as well as the glossary of electronic and data transmission security.

 

  • Forensic Area
  • Government and legislative acts
  • Biometrics
  • Certification and digital signatures
  • Essential experience carried out by:
  1. Polytechnic of Turin
  2. ANEE (permanent Observatory of Assinform, with reference to the Industrial Association of Lombardy)
  3. CISCO
  4. CNIPA (National Centre for IT in Public Administration)
  5. CNR (National Research Centre)
  6. INDIRE (National Institute of Documentation for Innovation and Educative Research)
  7. ISVOR FIAT (Corporate University of Fiat Group)
  8. Poste Italiane (Italian postal service)
  • Glossary of electronic and data transmission security

 

E-LEARNING ASSESSMENT METHODS AND RELATED SOCIO-CULTURAL ISSUES

 

The Italian experience on user identification systems for distance learning students to evaluate learning results in e-learning environments can be catalogued according to the following access methods:

a. In a virtual class, that is, single individuals who have subscribed to a course and have used web-based training products

b. In dedicated environments called Learning Points, in which it is possible to use various forms of ICT in an integrated way

c. In videoconference settings, which can refer to and use virtual classes/environments, or can refer to class-laboratory type settings. This second case is represented by “business television”.

With reference to these three types of learning environment, the following is a summary of the identification systems currently in use, drawn from real cases and consolidated experience.

 

“TRIO” Case

 

TRIO is a widespread network of laboratories distributed across the Tuscany region that makes constant use of ICT for self-learning through the internet. User identification for access to the training offer, the support services and the learning assessment, all managed by a CLMS platform (Content Learning Management System), is based exclusively on the classic system of login and password.

 

“Learning Point” Case

 

Learning Points are locations which supply a blended type of training. This is a type of self-learning assisted by a tutor and supported, for about 25% of the learning time, by teachers/content experts in person and/or at a distance. User identification when accessing the online training services through a CLMS platform is the classic login and password. Learning assessment for activities carried out online is entrusted to the normal platform tracking systems; the intermediate and final learning certification, by contrast, is given following direct contact with teachers/experts, in person or at a distance through a videoconference system, by means of role play and/or simulation of the real conditions in which the acquired competences are used. This type of experience has been carried out predominantly by ISVOR Fiat, the Corporate University of Fiat, both for its real internal training needs and in interesting applications in the field of Public Administration and for the development of territorial areas and technological parks.

 

“Business television” Case

 

BTV (Business television) is an interesting application of satellite television to connect and train in “real time” several hundreds or thousands of people spread over a very large area, for example a country. The analysed case refers to a methodology used by Fiat to train its own network of sales and post-sales technical assistants.

In the case of BTV, identification of the users that do not directly participate in the lesson in the television studio takes place by telephone or via login and password for internet/intranet interaction.

 

“Collaborative working Platform” Case

 

In this case, course subscribers are allowed access with a login and password, and user identification is handled by a platform that displays the name of the interacting user at the teacher’s workstation. As far as learning assessment is concerned, except for the direct questions put by the teacher to the group or to a single user, the typical rules of online training through the CLMS platform apply.

 

Summary elements of experiences

 

From the point of view of user identification in the use of ICT for learning assessment and evaluation, the current situation in Italy relies almost exclusively on assigning logins and passwords (automatically and/or by the system administrator), while the verification of results is strongly connected with CLMS platform tracking systems.

 

BIO-METRICS AUTHENTICATION EU SUPPLIER NETWORK

 

Before turning to the specific analysis of biometric authentication systems and the other themes connected with the development and use of IT, it is important to recall the level of awareness and political determination behind the development and diffusion of information technology.

 

For this reason, please refer to the “DIGITAL REFORM TO INNOVATE ITALY” report, edited by the Ministry for Innovation and Technology, that is provided in the attached main report. This report gives, in particular, an evolutionary description of the Italian situation in the last 5-6 years, supplying a historical and socio-cultural analysis and describing the legislative reform enacted to promote computer literacy and the development and widespread use of technologies.

 

Bio-metrics used to scan and analyse human characteristics

The desk investigation has highlighted considerable attention to the development of biometrics in the analysis and recognition of human characteristics for commercial, business and security reasons. In the last few years, this last point has become particularly topical to prevent and combat terrorism.

From the enormous amount of documentation resulting from the desk research we have identified and supply a report edited by CNIPA (National Centre for IT in Public Administration) that summarises the state of the art on this theme. We refer however to the analysis of the attachments for further investigation of the subject.

 

CNIPA report

 

Introduction

 

Due to the incessant, generalised demand for measures to enhance “safety”, knowledge of biometric techniques is rapidly spreading in Italy too. Fingerprints, characteristics of the iris and the geometry of the hand have at this point definitively left the world of fiction and arrived in daily life, and the recent measures (January 2004) adopted by the United States Administration in terms of immigration probably represent the most important example. This document analyses various aspects of biometric techniques and gives a quick illustration of how they operate, analysing the strengths and weaknesses of each in its sector of use. Beyond any general evaluation of an individual sensor or individual technique, however, the objective of the document is to highlight that the correct implementation of a biometric process is based not only on the satisfaction of technical and economic factors, but also, and above all, on the complete performance of juridical and social duties, lack of consideration of which has led in the past to misunderstandings and an evident series of failures.

 

TAXONOMY

 

The term “biometric authentication”, often more simply put as “biometrics”, comes from the Greek bios (life) and metros (measure). Even if it is also used in other scientific contexts, in today’s IT meaning it refers to the automatic identification, or the verification of the identity, of a person on the basis of physical and/or behavioural characteristics.

We can therefore divide biometrics into:

• Physical Biometrics, which is based on data derived from measurements of the physical characteristics of a person, such as the iris, fingerprints, facial/hand or other characteristics;

and:

• Behavioural Biometrics, which is based on behavioural characteristics such as, for example, voice emission, writing a signature, or the type of walk.

 

As we will see in more depth later, each biometric process starts with a preliminary phase called “enrolment” in which, generically, the subject provides the biometric system, through a sensor, with his/her own physical/behavioural characteristic, which is subsequently transformed into a mathematical model (template). The two operating modes of biometrics are:

• 1:1 (one-to-one), where the data produced by the biometric sensor is compared with a single template, thus creating a verification process;

• 1:N (one-to-many), where the data is compared with a group of templates contained in an archive, thus creating an identification process.

In biometrics two recurrent terms are:

• Physical Access (biometric control of): the procedure that verifies the legal right of the subject to enter a room, building, district or area;

• Logical Access (biometric control of): the procedure that verifies the legal right of the subject to access an IT resource.

 

For example, an employee of a company can enter an office (physical access) through biometric control, in which his/her own physical characteristic (for example a fingerprint) is compared with the one deposited on a smart card (1:1 process).

In accessing his/her own computer (logical access), the same fingerprint could be compared with those present in the archive of authorised users (1:N process).

 

THE BIOMETRIC PROCESS

 

Biometric systems are characterised by a process of use that generally comes down to the comparison of a physical or behavioural characteristic acquired from a subject with one or more samples of the individual that have been previously recorded. Both the recording and the comparison take place according to the series of steps shown in figure 1.

 

 

Enrolment

 

In the registration process (from now on called “enrolment”), the user provides the biometric system with one of his/her physical or behavioural characteristics by means of an acquisition device (for example a fingerprint scanner or a video camera).

The sample is processed to extract the distinctive characteristic information, which forms the so-called template, definable as a mathematical representation of the biometric data. The template is essentially made up of a sequence of numbers from which it is, generally, impossible to reconstruct the physical characteristic and which, theoretically, is a sort of “physical password” of the user.

At the end of the enrolment process, the template is registered in a central database or, for example, only on a smart card.

 

Verification

 

During the verification process, the acquisition of the sample and the extraction of the template occur as explained above. The resulting template is compared with the one that has already been acquired, for both authentication and recognition.

 

Authentication

 

In the case of authentication the biometric system verifies an identity claim, that is, it tries to answer the question “Is this person who he/she says he/she is?”, by completing a 1 to 1 comparison between the template of the subject and the reference template contained in the archive (or on the smart card).

Authentication requires that an identity is provided, for example by inputting a user name or a PIN. The output of the comparison algorithm is a score, which corresponds to a positive verification if it is higher than a certain threshold and to a negative verification if it is lower than the threshold. The comparison threshold is an adjustable parameter of the system.

 

Recognition/identification

 

In this case, the system determines the user’s identity, that is, it tries to answer the question “Who is the user?”, by completing a series of comparisons with the biometric data contained in the models recorded in its archive. When the search algorithm produces an output with a score higher than the so-called “threshold”, a match is signalled (“matching” or “hit”).

Authentication is generally an evident (overt) and cooperative process, whilst identification can be either evident or concealed from users (covert).

Whilst in the evident processes, the subject voluntarily claims his/her own identity, generally to access a place (physical access) or to receive a service (logical access), in the case of hidden biometrics the physical and/or behavioural characteristic(s) are compared, without the subject knowing, with data stored in an archive, with an operation that, in the case of biometrics of the somatic characteristics, is often defined “surveillance”.
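
The 1:1 and 1:N comparisons and the adjustable threshold described above, as an added example that is not part of the original report. It assumes templates are 16-bit strings scored by Hamming distance (a simplification for illustration); all user names and template values are constructed.

```python
"""1:1 verification vs 1:N identification against enrolled templates,
with an adjustable decision threshold. All data below is constructed."""

TEMPLATE_BITS = 16  # toy size chosen for readability; an assumption

# Constructed enrolment archive: user id -> template (bit string as int).
ARCHIVE = {
    "alice": 0b1011_0011_1000_1101,
    "bob":   0b0110_1100_0101_0110,
    "carol": 0b1010_0111_1001_1001,
}

# Constructed probes: (label, true identity, template from a new sensor read).
# Sensor noise flips a few bits relative to the enrolled template.
PROBES = [
    ("alice_good",  "alice", 0b1011_0111_1000_1100),  # 2 bits of noise
    ("alice_poor",  "alice", 0b1111_0001_1100_1111),  # 4 bits of noise
    ("bob_probe",   "bob",   0b0110_1100_0101_0111),  # 1 bit of noise
    ("carol_probe", "carol", 0b1010_0110_1001_1011),  # 2 bits of noise
]


def match_score(probe, reference):
    """Similarity in [0, 1]: 1 minus the normalised Hamming distance."""
    distance = bin(probe ^ reference).count("1")
    return 1 - distance / TEMPLATE_BITS


def verify(claimed_id, probe, archive, threshold):
    """1:1 authentication: compare only with the claimed identity's template."""
    reference = archive.get(claimed_id)
    if reference is None:
        return False  # no enrolment for this identity: reject
    return match_score(probe, reference) >= threshold


def identify(probe, archive, threshold):
    """1:N identification: compare with every template, return hits best first."""
    scored = [(uid, match_score(probe, ref)) for uid, ref in archive.items()]
    hits = [(uid, score) for uid, score in scored if score >= threshold]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


def error_rates(probes, archive, threshold):
    """Try every probe against every claimed identity.

    Returns (false accept rate, false reject rate) for this threshold.
    """
    false_accepts = false_rejects = genuine = impostor = 0
    for _label, true_id, probe in probes:
        for claimed_id in archive:
            accepted = verify(claimed_id, probe, archive, threshold)
            if claimed_id == true_id:
                genuine += 1
                false_rejects += not accepted
            else:
                impostor += 1
                false_accepts += accepted
    return false_accepts / impostor, false_rejects / genuine


if __name__ == "__main__":
    # Raising the threshold trades false accepts for false rejects.
    for threshold in (0.6, 0.7, 0.8, 0.9):
        far, frr = error_rates(PROBES, ARCHIVE, threshold)
        print(f"threshold={threshold:.1f}  FAR={far:.3f}  FRR={frr:.3f}")

    good = PROBES[0][2]
    # With a loose threshold the 1:N search returns two candidates for one
    # person, and a 1:1 claim to be "carol" with alice's sample is accepted.
    print("1:N at 0.7:", identify(good, ARCHIVE, 0.7))
    print("1:N at 0.8:", identify(good, ARCHIVE, 0.8))
    print("claim carol at 0.7:", verify("carol", good, ARCHIVE, 0.7))
```

On this data a threshold of 0.7 accepts every genuine attempt but lets alice's sample pass as carol, while 0.8 removes the false accept at the cost of rejecting alice's noisier sample.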

 

BIOMETRIC TECHNIQUES

 

The most widespread biometric identification techniques consist in evaluating:

• Fingerprints

• Geometry of the hand http://biometrics.pbwiki.com/Authentication%20technologies#Hand/FingerGeometry

• Iris characteristics http://biometrics.pbwiki.com/Authentication%20technologies#IrisScan

• Analysis of somatic characteristics http://biometrics.pbwiki.com/Authentication%20technologies#EmergingBiometricTechnologies

• Dynamics of signature writing http://biometrics.pbwiki.com/Authentication%20technologies#DynamicSignatureVerification

• Voice characteristics http://biometrics.pbwiki.com/Authentication%20technologies#VoiceRecognition

• Retina characteristics http://biometrics.pbwiki.com/Authentication%20technologies#RetinalScan

 

Other technologies should also be added to this list but, although they are evolving, at the moment they do not have a notable presence on the market. One could finally include DNA analysis which, even if it represents the biometric method par excellence, is not commonly included among biometric techniques because of its intrinsic complexity and the impossibility of operating in real time. Further information on the complete processing, and on the experience gained in Italy in the use of the individual techniques, is given in the main report.

 

Public key infrastructure, such as encrypted Internet transactions using digital signatures

Through the “e-government” plan, the Italian Ministry of Innovation has adopted the EC directives as its own and issued guidelines and laws regulating the infrastructures, reference standards and management methods for the use and security of electronic transactions and electronic signature information systems (see the attached integral document from the Ministry of Innovation).

In order to provide an initial general description of the type of initiatives that concern electronic security, with particular reference to the Public Administration (PA) and to the primary national organisations accredited for managing the processing and digital certification of data systems, some summary elements follow; for further investigation and consultation one should refer to the documents cited in Chapter 1.

 

The model

 

The model that the government intends to implement is that of a Public Administration orientated to the user, citizen and company, a supplier of modern services, a creator of “public” values, with which it is easy to operate.

An e-government system in its more advanced developments will also represent a strong tool to involve and have citizens participate in decision making processes, evolving towards innovative models of eDemocracy.

Within this model, e-government represents a fundamental, innovative step in the process of deep transformation that all public organisations are facing in order to serve citizens and enterprises as “clients” to be managed with maximum attention. The client concept does not mean that the Administrations operate with a view to profit, but simply that their objective becomes that of supplying services in line with the needs of those who use them, and that the recipient’s satisfaction with the service is an important tool to verify quality.

In order to completely fulfil this concept the Department has developed the following strategic “e-government” reference model.

 

The model is made up of six key elements:

 

• Service supplies – A group of services that should be made available in an innovative way and to a high standard for users-clients (citizens and companies). To focus the development efforts, some services have been identified as being priority for users-clients and these will be considered in the digitalisation initiative. These services will be provided via a single access point, even if they imply the intervention of more than one Administration. The internal complexities of the Public Administration are hidden from the user/client.

• Digital recognition – A method of recognition of the user and secure signature through Electronic Identity Card, National Services Card and digital signature

• Access channels – A multitude of innovative channels with which the user accesses the different services offered: Internet, call centres, mobiles, third party networks etc.

• Supply centres – An efficient and economically optimised back office of different supply centres

• Collaboration and cooperation – Interface standard between Administrations that allow efficient and transparent external communications

• Communication infrastructure – A communication infrastructure that connects all Administrations

 

 

In addition to these components, the available technologies today are usable also to improve the efficiency of the internal processes of the Public Administration (e.g. buying goods and services from PA) and to valorise the internal human resources, raising competences and know-how.

 

Network forensics to analyse Internet use using computer and network identifiers

In the forensic field too, the desk research has shown a broad literature covering both the pertinent legislative elements and illustrative case studies concerning security.

 

Basis of national scientific take-off

 

The increasing demand for services provided through data transmission networks has made the need to guarantee security in data processing and transmission more and more current and pressing.

While many resources and great effort have gone into the development of tools for the “digital signature”, the weak link in all security systems is authentication, that is, the verification of the personal identity of the individual who accesses the system.

Biometrics provides an efficient answer to the need for authentication, providing the methodologies to recognise the personal identity on the basis of the user’s physical characteristics. There are numerous advantages:

• one avoids the use of a PIN and password that can be stolen, released, forgotten or lost,

• one can change the tolerance of the system toward false alarms on the basis of security requirements,

• it is extremely difficult to forge the access data.

There are multiple potential applications of these technologies and they range from access control to attendance, from automatic surveillance to the protection of valuable resources, from network security of computers to secure Internet transactions.

 

Regional Competence Centres

 

The Regional Competence Centres for e-government and Information Society (CRC) are structures distributed on the national territory and built on the base of protocols of Agreement between the Ministry for Innovation and Technologies and the Regional Presidents to favour e-government implementation in Regions and Local Authorities.

The CRC project, managed by CNIPA and by Regions, hopes to fulfil the following objectives:

• To contribute to the extension of innovation at a local level, and in particular of small municipalities, promoting the reuse of solutions, management forms associated with services, private partnerships;

• To contribute to the promotion and communication of new services of e-government for final recipients;

• To contribute to improve knowledge and the measurement of innovation, particularly as regards the use of new services and their impact on beneficiaries and on local development dynamics.

The development of the local e-government and the activities promoted by the Regional Competence Centres are available on the website www.crcitalia.it.

 

E-mail certificate

 

The guarantee of sending and receiving electronic documents between Public Administrations, citizens and companies is about to become reality.

With the DPR n. 68 of 11 February 2005, certified email in fact acquired legal value, thanks to the fact that the transmission of the message and its reception by the addressee are certified by the certified electronic mail (PEC) administrators through the “receipt of acceptance” produced by the former and the “receipt of delivery” produced by the latter.

The receipts released by the mail administrators are moreover subscribed through an advanced electronic signature automatically generated by the email system and based on an asymmetric key pair, one public and the other private, assuring the provenance, integrity and authenticity of the certified email message.

The certified email administrators guarantee the confidentiality, the security (also against IT viruses) and the integrity over time of the information included in the so-called “transport envelope”, keeping it for thirty months.

Certified email administrators have to meet set prerequisites to be included in an appropriate public list managed and controlled by the CNIPA.

Public Administration and private organisations that are capital societies with a capital of less than 1 million Euros can manage certified email.

The sending and receiving process of certified email is the following: the sender sends the message to his/her certified email administrator, who issues the acceptance receipt and at the same time sends the message directly to the recipient’s inbox (if the administrator is the same) or to the recipient’s administrator, assuring the collaboration of the services offered. As with registered mail with return receipt, a certified email counts as “received” by the recipient once it is delivered to the email inbox (this fact is proven by the receipt that the administrator sends), independently of whether it has been read or not.

On the 2nd November 2005 the Ministry for Innovation and Technologies signed the decree containing the “Technical rules for training, transmission and validation, also time period, of the certified email” (decree and technical attachment). In the Official Gazette of the 5th December 2005, n. 283, the “Ways for requests for registration in the public list of certified email administrators” (Circolare Cnipa of 24 November 2005, n. 49) were published.

Last update 7th December 2005

 

Digital signature

 

The promotion of the development and diffusion of the digital signature represents one of the strong points of the e-government policies set out in the governmental plans. The digital signature allows, in fact, an effective and greater use of IT and data transmission tools in the management of electronic documentation, bringing a significant simplification of PA activity as well as more secure network transactions.

Minister Stanca’s objective of promoting the release and use of a million digital signatures by 2003 has been broadly reached, and by March 2004 a total of 1,250,000 digital signatures had been issued by the certifying bodies. The use of the digital signature has, however, been stimulated by an increasing diffusion of smart cards (CIE, Electronic Identity Card / CNS, National Services Card) with the possibility of hosting digital signature certificates, and by the introduction of the obligation (from July 2003) to send digitally signed documents to the Enterprise Register by data transmission.

The digital signature is the result of an IT procedure that allows the subscriber to show the authenticity of the IT document and the recipient to verify its provenance and integrity.

This tool uses asymmetric keys (double key cryptography): the owner has two keys that are attributed in an unambiguous way, a “private” one, possessed and known only to him/her, and a “public” one, available in the certificate released by the issuing certifying body.

A document electronically signed (ciphered) with one of the two keys can be made “clear” (deciphered and checked) exclusively using the other.

 

The digital signature is based on the electronic certificates released by entities defined as “certifying bodies”. These have the task and responsibility of:

 

• Guaranteeing the association between digital signature and owner,

• Publishing on their own site the list of certificates of the public keys of the owners that have used their certification services,

• Keeping the public list of suspended or revoked certificates up to date.

 

Italy has been amongst the first EU countries to give full judicial validity to the digital signature, through various legislative interventions, also of a technical nature, the most significant being the Decree by the President of the Republic n. 513 of the 10th November 1997, merged into the Single Text on administrative documentation (D.P.R. 445 of 28 December 2000), and the D.Lgs. n. 10 of 15 February 2002, which defined the primary laws for the implementation of the community directive 1999/93/CE.

 

The Decree Law n. 10/2002 introduced the following changes:

 

• The introduction of different typologies of electronic signatures having different juridical validity and efficiency;

• The prohibition of pre-emptive authorisation for carrying out certification activity;

• Introduction of a facultative accreditation system for “qualified” certifying bodies.

 

In particular, the D.Lgs. 10/2002 attributes to a document subscribed with an advanced, so-called “strong”, electronic signature (the digital signature of D.P.R. 513/1997 is the main example but not the only type of signature), in the cases in which the signature is based on a qualified certificate and created with a secure device, the evidential effectiveness of a subscribed and recognised document; if the owner wants to disown a document signed with such a tool, he/she needs to activate the complex procedure of libel of false action.

The legislative decree has moreover admitted the use of “weak” electronic signatures (electronic signatures that do not respect the technical and organisational prerequisites of security foreseen for the “strong” electronic signatures); the electronic document subscribed with such type of signature will be recognised by the organisation as written, but its evidential efficiency could be freely evaluated by a Judge.

The supervisory body for the certifying bodies is the Department for Innovation and Technologies. Where the certifying bodies want to provide “basic” certification services (that is a considerable level of quality and security), they do not need to notify the Department beforehand; where instead the certifying body wants to release signature certificates with a considerable level of quality and security, thus assuming the role of “qualified” certifying body, before starting activities it should notify the Department, even if only via data transmission, and the Department will carry out a subsequent control, possibly following a motivated notification.

The certifying bodies could moreover request the Department to be recognised as “accredited” certifying bodies in the case in which they hold prerequisites of higher quality and security; in such case, the certifying body will be added to an appropriate public list held by the Department and the checks they make will be both prior and subsequent (those already accredited by AIPA are among these certifying bodies).

 

The Decree Law 10/2002 moreover foresees that the instances and the statements sent by data transmission to the PA are valid and subscribed through digital signature, based on a qualified certificate, released by an accredited certifying body and generated through a secure device for creation.

In the wake of the changes already introduced by the Decree Law 10/2002 and by the directive 1999/99/CE, on the 17th April 2003 a regulation coordinating the forms of electronic signatures was issued.

 

The regulation has established in particular:

 

• Prerequisites that certifying bodies have to have

• Additional prerequisites for qualified certifying bodies

• The prerequisites and the accreditation procedure for the certifying bodies that intend to achieve the recognition of the possession of higher levels of quality and security for signature certificates.

• The vigilance activity on certification

• The particular obligations of both the signatory and the certifying body

• Particular rules for the PA which, for the subscription of IT documents of external relevance, has two alternatives. It can:

 

1. Turn to accredited certifying bodies

2. Directly issue qualified certificates itself, but only as part of internal activity (exclusively as regards its own tools or offices); in the case in which the signature certificates are issued for public or private third parties, they will have a value limited only to the relationship with the certifying Administration.

With the DPCM of 13 January 2004, published in the Official Gazette on the 27th April 2004, the new “Technical Rules for training, transmission, conservation, duplication, reproduction and validation, also temporary, of IT documents” were defined. These replace those defined in 1999 (DPCM 8 February 1999).

The document contains provisions for the generation, application and checking of digital signatures. It applies to the certifying bodies that release public “qualified” certificates according to the Single Text of the legislative and regulatory provisions on administrative documentation (Decree by the President of the Republic 445/2000) and successive modifications (DPR 7 April 2003 n. 137), and to the “accredited” certifying bodies, which have to respect the rules for temporary validation and for the protection of IT documents.

 

The IT protocol

 

The DPR 445/2000 states that by the 1st January 2004 public administrations must have IT systems in place to manage the IT protocol and the administrative procedures, leaving each administration free to choose the organisational method and the technology solutions to adopt.

The directive of 9th December of the Ministry for Innovation and Technologies identified the method of implementation of an IT protocol system to complete a complex normative framework to guarantee the criteria of efficiency, effectiveness and transparency of the work of Public Administrations.

The directive has, moreover, established at CNIPA a specific Centre of Competences with functions of support, address and coordination for the Administrations involved in the completion of various phases of the project.

In the construction of an IT and management protocol system of documental streams, the PA has to activate at least the so-called “minimum protocol nucleus”, with the possibility, also, of directly connecting to the archiving and conserving documents protocol system to guarantee a more efficient form of access to administrative acts, to test electronic applications of the management of documental streams and of tele-work.

 

The coordinated action to make protocol systems work together has also covered:

• The creation of an index of public administrations (IPA) as foreseen by Decree by the President of the Council of Ministers 31/10/2000. Information on this can be found on the site http://indicepa.gov.it/;

• The completion of a certified email system that certifies the unambiguous identification of the sender and of the recipient, and the reception of the message by the recipient, according to DPR 445/2000 art.14, to provide the administration with a secure tool for exchanging official messages and, in perspective, to provide citizens and companies with an additional communication channel with the public administration characterised by speed and efficiency.

All information on IT protocol systems is available at the URL: http://protocollo.gov.it

 

Certified E-mail

 

The guarantee of sending and receiving electronic documents between Public Administrations, citizens and companies is about to become reality.

With the Decree by the President of the Republic n.68 of 11 February 2005 certified email, in fact, acquired legal value thanks to the fact that the transmission of the message and the reception by the addressee are certified by certified electronic mail administrators (PEC) through the “receipt of acceptance” produced by the former and the “receipt of delivery” produced by the latter.

The receipts issued by mail administrators are moreover signed with an advanced electronic signature, automatically generated by the email system and based on an asymmetric key pair (one public key and one private key), assuring the provenance, integrity and authenticity of the certified email message.

The certified email administrators guarantee the confidentiality, the security (including against IT viruses) and the integrity over time of the IT data contained in the so-called “transport envelope”, keeping it for thirty months.

Certified email administrators must meet set prerequisites to be included in an appropriate public list managed and controlled by the CNIPA.

Public Administration and private organisations that are capital societies with a capital of less than 1 million Euros can manage certified email.

The process of sending and receiving certified email is as follows: the sender sends the message to his/her certified email administrator, who forwards the acceptance receipt and at the same time sends the message directly to the recipient’s inbox (if the administrator is the same) or to the recipient’s administrator, assuring the collaboration of the services offered. As with certified mail with return receipt, a certified email counts as “received” by the recipient once it is delivered to the email inbox (a fact proven by the receipt that the administrator sends), regardless of whether it has been read or not.

On the 2nd November 2005 the Ministry for Innovation and Technologies signed the decree containing the “Technical rules for training, transmission and validation, also time period, of the certified email” (decree and technical attachment). The “Ways for requests for registration in the public list of certified email administrators” (Circolare Cnipa of 24 November 2005, n. 49) were published in the Official Gazette of the 5th December 2005, n. 283.

 

Optical archiving

 

To be able to complete the electronic reform of the public administration without paper it is necessary to allow the transfer of paper archives on IT support, guaranteeing the legal effectiveness of original documents from digital archives.

In optical archiving, the IT document is understood either as a document originally created on electronic support or as a document that was initially on paper and then converted to electronic support.

In the management system of documental streams, the conservation and classification of the IT document becomes fundamental to guarantee integrity, identity and provenance and availability in time. It is a single unit that in relation to other documents and the current existing law, is rather broad.

Confirming the importance that covers the organisational factor within the management of an IT management system of documents, the classifying and archiving of documents is a crucial factor in the system.

Classification, in fact, establishes the reciprocal order in which documents are organised in carrying out administrative activities, i.e. the relationship between the documents and their insertion in the administrative processes in which the documents are produced or acquired.

The archiving system, therefore, becomes an important module of the entire system of documental management. In this sense the Single Text on administrative documentation states that each administration creates a service dedicated to the IT management of documental streams and archives.

The completion of such a system, described in appropriate classification plans that define the criteria for organising the archive, allows external access to administrative documents and to information concerning them, both by all public administrations and by citizens who express a legitimate interest in the procedure.

Recently, there have been regulatory interventions to complete the passage from paper to digital and regulating the archiving and preservation of IT documents.

On the 3rd February 2004, in fact, the Official Gazette n27 published the decree (23rd January 2004) of the Ministry of Economics and Finance on the “Ways of fulfilment of the fiscal duties relative to IT documents and to their reproduction in different types of support”.

On the 19th February 2004 the CNIPA – the National Centre for IT in the PA, with the decision n. 11, modified the technical rules for reproducing and conserving documents on optical support foreseen in 2001.

The method of conservation remains substantially unchanged, although for large quantities of documents one could decide to archive them by adding a temporal reference and the digital signature to an IT evidence record consisting only of the imprints (hash values) of the documents to be stored.
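The imprint-only evidence record described above, sketched as an added example that is not part of the original report or of the CNIPA rules. SHA-256, the JSON layout and all function and file names are assumptions of this example; the signature itself is out of scope, so `signed_imprint` stands for the value recovered from an already verified signature.

```python
import hashlib
import hmac
import json


def imprint(data: bytes) -> str:
    """Imprint (hash) of a byte string; SHA-256 is this example's choice."""
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Fixed key order and separators so the same body always hashes the same.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def build_evidence(documents: dict, temporal_reference: str) -> dict:
    """Build an evidence record holding only imprints, never document contents."""
    body = {
        "temporal_reference": temporal_reference,
        "imprints": {name: imprint(data) for name, data in documents.items()},
    }
    # evidence_imprint is the single value the digital signature would cover.
    return {"body": body, "evidence_imprint": imprint(_canonical(body))}


def verify_archive(evidence: dict, documents: dict, signed_imprint: str) -> dict:
    """Compare the stored documents against the evidence record.

    signed_imprint is the evidence imprint taken from a signature that has
    already been verified; signature checking is not shown here.
    """
    recorded = evidence["body"]["imprints"]
    recomputed = imprint(_canonical(evidence["body"]))
    return {
        "evidence_intact": hmac.compare_digest(recomputed, signed_imprint),
        "modified": sorted(n for n in recorded
                           if n in documents and imprint(documents[n]) != recorded[n]),
        "missing": sorted(n for n in recorded if n not in documents),
        "unlisted": sorted(n for n in documents if n not in recorded),
    }


# Constructed sample archive (file names and contents are invented).
ARCHIVE = {
    "invoice-0001.txt": b"Invoice 0001, total 120.00 EUR, VAT 20%",
    "invoice-0002.txt": b"Invoice 0002, total 75.50 EUR, VAT 20%",
    "invoice-0003.txt": b"Invoice 0003, total 310.00 EUR, VAT 20%",
}
EVIDENCE = build_evidence(ARCHIVE, "2004-02-19T10:00:00Z")

if __name__ == "__main__":
    print(verify_archive(EVIDENCE, ARCHIVE, EVIDENCE["evidence_imprint"]))
```

Because only one short record has to be signed and time-stamped, the cost of the signature does not grow with the size of the documents, while any later change to a document or to the record itself shows up in the report.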

On the 28th February 2004 the Decree Law n.52 was published in the GU n.49 as regards the European directive 2001/115/CE. The decree “modifies and harmonises the methods of billing as regards VAT”, regulating, amongst other things, the transmission of bills electronically and their conservation in a specific way.

Last update: 19th March 2004

 

Certification of roles and powers: The applicative context

 

In carrying out juridical and economic activities an individual can act as a private citizen, as a professional, as the holder of a public function, or on behalf of companies or other individuals. In these cases the legal system requires legitimation of the powers exercised, which is generally represented by a power of attorney, by an administrative act or by registration in registers, rolls or public records.

 

Paper world vs digital world

 

Traditionally, in the “paper” world, to attest the legitimacy of the powers exercised, the signed document is expected to be accompanied by appropriate supporting documentation.

In the digital world, however, the electronic signature tool can notably simplify traditional organisational processes, thanks to the use of electronic certificates that can attest at the same time the identity of the signatory and the role he/she covers.

In this way, verifying the electronic signature allows one to ascertain at the same time both the integrity and the provenance of an IT document, and the role held by the person who has signed it.

The simplification is even greater, when the digital signature is used with an indication of role or power in the computerised procedure: think about a public office qualified to receive documents only from one determined category of subjects (for example professionals, or entrepreneurs); in this case the selection of senders is made at the start of the procedure, automatically, with a significant reduction of subsequent controls.

 

Possibilities offered by the law on digital signatures

 

The current law on electronic signatures allows the individual that requests the release of an electronic signature to be able to specify the role in which he/she intends to act or the power of representation attributed to him/her.

Such indication is inserted by the certifying body, at the act of emission of the certificate, on the basis of the documentation exhibited by the owner or provided by a third party.

In practice, the justificatory paper documents of the role or powers, that first have to be attached to the main document, are exhibited only once to the certifying body, that does not include the details in the electronic certificate.

 

AssoCertificatori solutions

 

Naturally the national and community law contemplates general expectations that have needed a correct “translation” in technological terms; in this context we can find the solution pointed out by AssoCertificatori bodies, that, in respect of the law, carry out the certification of roles and powers, guaranteeing the full collaboration also of such electronic signature certificates.

The Technical Centre of the Unit Network for Public Administration has, in fact, complied with the standard proposed by AssoCertificatori, on the basis of a general agreement drawn up with the association, which therefore extends the guarantee of collaboration also to certificates issued by the Technical Centre.

The complicated standard of AssoCertificatori, finally, has also received important appreciation from the working group for the standardisation of electronic signature systems of ETSI, the organisation created by the European Commission to harmonise technological systems and infrastructures within Europe.

A deeper vision of the solution described above and of the possibilities that are offered, is shown in the document “Guideline for certification of qualifications and powers of representation of owners of electronic signature certificates”, available on this site.

More detail on times and procedures of release of electronic certificates with indication of qualifications and powers of the owner will, however, be available in operative manuals on the web sites of each certifying body. http://www.assocertificatori.org/doc/weblineegiuda080703.pdf

 

For more detail please read the adopted solution. http://www.assocertificatori.org/doc/weblineegiuda080703.pdf

 

To access the “Table of Roles and Powers” go to this link http://www.assocertificatori.org/tabelle.htm

 

For more information on the standard, you can contact AssoCertificatori at the following email address: info@assocertificatori.org

3.3 Network forensic to analyse Internet use using computer and network identifiers

In the forensic field too, the desk research has found a broad literature covering both the relevant legislative elements and illustrative case studies concerning security.

Basis of national scientific start

The increasing request of services provided through data transmission networks has rendered the need to guarantee security in data processing and transmission more and more current and pressing.

While many resources and great effort have gone into developing tools for the “digital signature”, the weak link in all security systems is authentication, that is, the verification of the personal identity of the individual who accesses the system.

Biometrics provides an efficient answer to the need for authentication, providing the methodologies to recognise the personal identity on the basis of the user’s physical characteristics. There are numerous advantages:

• one avoids the use of a PIN and password that can be stolen, released, forgotten or lost,

• one can change the tolerance of the system toward false alarms on the basis of security requirements,

• it is extremely difficult to forge the access data.
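The tolerance adjustment mentioned in the list above, as an added example that is not part of the original report: the decision threshold of a biometric matcher trades false acceptances against false rejections, and a certification test can be run stricter than everyday course access. The match scores (0 to 100), thresholds and function names are constructed for this illustration.

```python
def far_frr(genuine, impostor, threshold):
    """Return (false acceptance rate, false rejection rate).

    A comparison is accepted when its match score is >= threshold.
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def lowest_threshold_for_far(genuine, impostor, max_far):
    """Lowest observed score usable as threshold while keeping FAR <= max_far.

    Choosing the lowest such threshold keeps false rejections (and therefore
    the annoyance for legitimate users) as small as the FAR limit allows.
    """
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    # No observed score is strict enough: only rejecting everyone meets the limit.
    return float("inf"), 0.0, 1.0


# Constructed match scores from an imaginary enrolment trial.
GENUINE = [62, 71, 74, 78, 81, 84, 86, 90, 93, 97]    # same person
IMPOSTOR = [12, 18, 25, 31, 37, 44, 52, 58, 66, 73]   # different person

# Two tolerance settings: lenient for daily course access, strict for the exam.
COURSE_ACCESS = far_frr(GENUINE, IMPOSTOR, 60)   # (0.2, 0.0)
FINAL_TEST = far_frr(GENUINE, IMPOSTOR, 75)      # (0.0, 0.3)

if __name__ == "__main__":
    print("course access  FAR/FRR:", COURSE_ACCESS)
    print("final test     FAR/FRR:", FINAL_TEST)
    print("FAR <= 10%:", lowest_threshold_for_far(GENUINE, IMPOSTOR, 0.10))
    print("FAR  =  0%:", lowest_threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```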

There are multiple potential applications of these technologies and they range from access control to attendance, from automatic surveillance to the protection of valuable resources, from network security of computers to secure Internet transactions.

 

The current debate

 

The broad current debate brings out the conflict between the need for public control and security and the need to preserve the person’s privacy.

 

This leads to:

• Scientific and technological research to develop biometrics for the control and identification of people but also research and development of control systems to guarantee security of data, the integrity of networks and the prevention of fraud via data transmission;

• On the other hand solutions and legislative research to avoid identification errors and to safeguard the privacy and individual liberty of the person.

We will investigate further in the contents attached in the folder “Forensic Area”.

 

Smart card with built in microprocessors used in password security system

The digital signature management system based on the Smart Card is quite widespread in Italy, with over two million users.

Also in this case, the desk research has identified a rich mass of documentation which we will analyse in detail later.

The smart card is a secure electronic document for recording private data. Its fields of application are quite varied. Here are some of the main ones:

 

• Electronic signature

• Access to bank data

• Private personal data (statistics, medical details, …)

• Access to reserved and secure fields

 

Reference context for using the smart card

 

The SSL protocol (Secure Sockets Layer) has become the de facto standard for the security of communications between a web server and a browser. The protocol uses public-key cryptographic technologies and provides the following security functions:

 

• Privacy of the message

• Integrity of the message

• Authentication of the web server

• (optional) Authentication of the browser

 

The protocol is structured to make its security services transparent to the final user.

For an SSL communication to be established, at least the web server has to be supplied with a cryptographic key pair and has to have the certificate of its public key available.

The degree of reliability that a browser user can attribute to the certificate of the web server’s public key, and therefore to the association between the public key and the “identity” of the web server, depends on a group of factors that need to inspire trust in the reliability of the information.

The description of these factors is contained in the Certification Practice Statement (CPS), a document that sets out the operating rules used by a Certification Authority (CA) in issuing certificates. The CPS represents the “statement of the procedure used by a Certifying body in the release of certificates” (definition drawn up by the Digital Signature Guidelines from the American Bar Association).

The information contained in the certificates is defined by a policy, a set of rules that indicates the applicability of the certificate to a particular community of users and/or class of applications with common security requirements.

Each new version of CPS cancels and substitutes the previous versions, which remain however applicable to the certificates issued during their validity and up to the deadline of the same.

As an example in the report attached, there is the application of the smart card by the Italian postal service.

 

BUILT IN MICROPROCESSORS

TOWARDS AN E-LEARNING WITH BUILT IN MICROPROCESSORS

The problem of securely recognising the users of online training services, and of controlling the conditions in which they take learning verification tests, is undoubtedly an obstacle to the certification of learning results.

Scientific research in the biometric field and the development of support technology contribute to the solution of this problem.

However, to resolve this problem in an efficient way, it is necessary to consider the whole interaction process between the user and the data transmission system; in this sense we can identify some significant steps such as:

• User enrolment and system access

• User interaction with the system during the completion of the courses

• The formal learning verification

 

In the first step, the traditional system of login and password can be replaced by fingerprint recognition, by a tool such as a smart card, or by other methods taken from the biometric experience described in the previous chapter.

In the second step, we presume that the user is interested in participating in the course in order to learn. Once the user has been identified by the recognition system available on the workstation used for course delivery, we consider that the tracking system currently available in any Content Learning Manager System platform that complies with the international SCORM standard can be sufficient to control the activities he/she carries out and the outcome of interim questionnaires.

 

The real control problem is connected with the third step, or rather the moment in which it is necessary to have maximum possible certainty not only of user recognition but also that he/she does not receive support or help from other people.

In this case, verifying the physical presence of the user in front of his/her workstation, which could possibly be achieved with a fingerprint recognition system installed on the mouse or an iris recognition system installed on the computer screen, is not sufficient, as other people present in the location could help the user with spoken or written messages.

In order to validate the test, therefore, either the physical presence on site of a certifier of the conditions in which the test is carried out could be necessary, or alternatively an audio-video recording of the location made at the same time as the test, so as to document, through filming at 360°, that the user has effectively carried out the test completely on his/her own.

 

CONCLUSION AND RECOMMENDATIONS

 

In an e-learning system, the problem of recognising the user and certifying the performance conditions of the tests showing the true learning level is very important and must be dealt with.

It could be wise, however, to undertake a cost-benefit balance to evaluate up to what point it is worth using solutions deriving from biometric research or whether it is better to opt for the conclusive phase of the verification and certification of learning results by using more traditional solutions with a person on site.
