Authentication and security integration for ecampus services at the university of applied sciences harz using the German electronic identity card/eid and egovernment standards

A eCampus security shell architecture was developed and deployed to improve the security of existing university management systems (legacy UMS), integrating innovative eGovernment Standards e.g. the German Electronic Identity Card (GeID), the eGovernment Protocol OSCI and qualified Signatures (QES). 1 Problem and requirements The challenge was to improve the security of an existing university management systems (legacy UMS/HIS), by satisfying of particular interoperability requirements (INTOP) and by integrating innovative eGovernment Standards e.g. the German Electronic Identity Card (GeID), the eGovernment Protocol OSCI [www.xoev.de] and qualified Signatures (QES). Especially, these security requirements should be satisfied: privacy and data protection, integrity, (multi factor) authentication. The additional INTOP requirements included particular boundary conditions and restrictions for the security implementations as follows: no changes of existing (legacy) UMS interfaces and GUI; no discrimination of applicants or students without GeID. 2 The eCampus security shell architecture To achieve the above requirements and conditions, the following eCampus security components must be integrated in an additional security shell for the legacy UMS (as a sort of "security satellite systems"): the eCampus registry to store/check additional security credentials for users (e.g. GeID Pseudonyms, QES certificates, OSCI certificates); the eCampus Server to host additional eCampus secured applications; the eCampus Mediator as a trusted Security Gateway between OSCI based secure communications (incl. signed data) and the legacy http based web interfaces of the