Professional Documents
Culture Documents
Dr Riktesh Srivastava
Associate Professor, Information Systems
Skyline University College
Sharjah, UAE.
Abstract
The paper exhibits the procedure of Emirates ID for refining the university services, not only in terms of
enrollments, but also in day to day activities of the university. The paper proposed the model for
Implementation of Emirates ID in the University through the Authorization and Content Servers. The
anticipated model is on the identical grounds of n-tier Electronic Commerce architecture, wherein,
authorization to access the data of the card will be provided by the Emirates Identity Authority (EIDA)
and University continuously updates the academic profile of the enrolled student to the EIDA . The
comprehensive prototype is presented in the paper, which illustrates the implementation and working
of the model.
Keywords
Authorization Server, Content Server, ERP, EMS, AES, HRMS.
1. Introduction
Building the smart office [1], smart hospitals [2], [3] is the emergent inclination that incorporates ubiquitous
computing. Mark Weiser [4] oversees the continuous assimilation of technologies in human lives. The
motivation of the project is to provide the two way communication channel between universities in UAE
with EIDA. In other sense, the drive of this research is to examine the implementation of Emirates ID in
handling and supporting information services and activities in Universities in UAE and providing
information to EIDA on a real time basis.
The anticipated model for developing the thorough project is based on the grounds of n-Tier
electronic commerce architecture. The project comprises the integration of the ERP systems used in the
universities
zawith the EIDA systems, thus, providing the continuous information about the academic profile
of the registered students. The task determined in the project possesses gigantic challenges in terms of
integration of various modules of ERP, the kind of information to be accessed through EIDA system, and
security management. The project tries to elucidate these experiments, although, the project expansion
is still in its infancy state.
The comprehensive paper is disseminated into 8 fragments, as follows: Section 2 demonstrates
various modules of university ERP to be integrated with the EIDA system. The section demonstrates the
process flow diagram of each these modules of ERP to be implemented in the proposed model. Section
3 delivers the framework of the project along with the complete implementation diagram of the system.
Section 4 mentions the technical layout of the project along with the integration mechanism of various
modules of ERP with the EIDA system. The section depicts the WAN Layout for the complete system.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Section 5 describes the VPN setup of the system and argues the security management of the project.
Section 6 mentions the database elements and ER Diagram of the various module of the project. The
section also mentions the importance of Normalization and Query optimization for the complete project
development and implementation. Section 7 identifies the predictions of the complete project.
2. Modules of ERP
The attainment of firm and standard Information Systems are gradually mutual among firms and
businesses. The ERP system instigated in the project is developed from scratch and is used for online
integration of all the departments at the Skyline University College (SUC), Sharjah. Some part of the
systems are developed and implemented from early 2013, while other part of the system are in testing
phase, though the report generated from the system are already tested and verified.
The thorough ERP is divided into 4 sections:
1) Enrollment Management System (EMS)
2) Administration and Examination System (AES)
3) Institutional Research System (IRS)
4) Human Resource System (HRS)
The section targets to deliver the acumen of every ERP module to be used in the project in facet.
The complete process flow of the proposed implementation of EMS is indicated in Figure 1. As indicated
in the Figure, the EIDA systems provides the basic information of the student based on the
Authentication code for every EIDA Scanner. Once the record is retrieved in the ERP, EMS gets the basic
records of the students and starts further processing of the record.
As mentioned in the Figure 1, the complete EMS system requires four basic requirements:
1) Eligibility of the students for the enquired course
2) VISA requirements for International student
3) Hostel Requirement for International student
4) TOC cases
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
No
Fill the Data Manually
Basic Data Available in EMS/CMS
through EIDA Systems
YES
1. BBA Major in IB
2. BBA Finance
3. BBA Information Syst.
4. BBA Marketing
5. BBA Travel & Tourism
6. MBA Emphasis on HRM
7. MBA Finance
8. MBA Marketing
9. MBA Strategic Mgmt.
YES - BBA
NO
VISA Required?
Intl or Local?
YES VISA
HR
NO - MBA
Is Hostel
Required?
YES
YES HOSTEL
Is Hostel
Required?
NO
Admin
YES HOSTEL
NO
Admin
BBA
(Refer BBA
Admissions)
NO
YES VISA
VISA Required?
Intl or Local?
TOC Case?
MBA
(Refer MBA
Admissions)
NO
TOC - Case
IRO
Enter Data to
EIDA System
(Real-Time)
END
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
HR
NO
NO
YES
Boys Hostel?
YES
Check Jormand Girls Hostel
Details
Check Skyline Campus
Hostel Details
NO
YES
Arrival of the student and picked up from Airport
Meeting with Marketing Dept & Sports Department (if the students arrives in day time else
next day morning
Sports Dept Checklist (Undertaking, Letter, Kit Collections Other formalities to be signed by
the students)
Sports Dept. updates the allocated room, policy manual, handbook handed over and linked
to Finance Dept
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Events Setup*
National Day Celebration
Introbash
Farewall etc..
Month
All Other Calendars Setup for Different Dept at the start of the
Academic Year*
Operational Checklist, Pre-Semester Checklist (SSD & All Dept)
The system has provision of importing the above MAIN ACADEMIC
YEAR CALENDAR details and can be used in their calendar
Month - Date From - Date to - Day - Particulars
* As student progresses
through semesters
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
STUDENTS
MARKETING
ADMIN
FINANCE
IRO
Is complete?
No
Yes
DEAN
Figure 5 exemplifies the comprehensive TOC evaluation process in much facet. The TOC Policy for BBA,
MBA and MQP are demonstrated in the Figure 5.
Selects student
TOC Policy:
BBA
1. Check for C grade and above.
2. Check for course equivalency of 70%
3. Check for equivalent credit (3/2/1)
4. If student coming from HCT, over all
CGPA should be >=2
5. Check for good standing, if not, only
student with different major to be
considered.
MBA
1. Check for B grade and above.
2. Check for course equivalency of 70%
3. Check for equivalent credit (3)
4. Check for good standing, if not, only
student with different emphasis to be
considered.
MQP:
1. Check for B grade and above.
2. Check for course equivalency of 70%
3. Check for equivalent credit (3)
End
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
HR
Check Boxes:
Own VISA,
Parent Sponsored,
Company Sponsored,
UAE Local Others
NO
YES
Is it Skyline
VISA?
NO
International
VISA?
Local VISA
YES
Complete ff forms:
A. Hostel Application Forms
B. Hostel Policy [Signature]
C. 3 months payment in advance
Hostel
Stay in?
Guardian
Refer E
(BBA &
MBA)
YES
Guardian Docs
completes? And
Transport required ?
Admin
International Student Airport Pickup & VISA Deposit Marketing Dept to inform
about the VSA and student to forward travels details at least 3 working days before
his/her travel
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
NO
Is ok?
YES
YES
Stay with
guardian?
NO
YES
Guardian Docs
complete?
END
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Student
YES
NEW
WITH TOC?
CONTINUING
or NEW
CONTINUING
NO
END
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
The section expounds the comprehensive framework of the projected model. The ample
model is portrayed in Figure 9, and is alienated into 10 steps. It is predicted that after
accomplishment of these 10 steps, EIDA will be knowledgeable of the registration
progression of the student. Also, the projected project hoards magnanimous time of the
university authorities (Investigate about the student minutiae and pile in the system as a
standalone system). The system works as a centralized system, where, EIDA systems are
updated on real-time and continuous basis about the number of registration per course
and progression of the enrolled student for each university.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
8
10
Looks for
TOC
Case, if
Admin and
any
Examination
Enrolment
Management
System
2
1
Data
transferred
to AES
System
Is there any
TOC?
5(A or B)
Yes
Scans Emirates
ID
Auto
Analyzing by
IRO
1(A)
Emirates ID
Scanner
No
1(B)
Gets connected to
Authorization Server
1(D)
6(A or B)
1(C)
Authorizes
the User ID
Accept the
Reject the
case Admin and
case
Examination
System
Does the
student
requires visa?
EIDA System
Pulls out the Data
from Content Server
7
GP generated
3(A)
Human Resource
Department
Figure 9: Complete Framework of the proposed model
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
The description of the 10 step procedure for the thorough application development and enactment is
depicted below:
Step 1: In the step, the student gets into the university Registration Department and presents
the Emirates ID card to the Registration Department.
Step 1(A-D): The Registration Department scans the Emirates ID Card at the Emirates ID Scanner
and enters the authorization card provided by EIDA. Based on the authorization code, the
authorization server defines the set of data to be provided. The system gets connected to the
Content Server of EIDA.
Step 2: The step pulls the data to be stored at the Enrollment Management Systems (EMS).
Step 3: After data being stored at EMS, it is pushed to the Administration and Examination
Systems (AES) for further verification.
Step 3(A): In this step AES pushes the part of data, for an International Students for VISA
processing.
Step 4: The step checks for any Transfer of Credit (TOC) case of the student. If the student is not
the case of TOC, Graduation plan of the student is automatically generated.
Step 5(A or B): The data is pushed to the IRO for verification of TOC.
Step 6(A or B): Depends of the case (being accepted, for the number of courses or rejected), the
record is again pushed back to AES, for the generation of the graduation plan.
Step 7: After verification of all the records, the Graduation plan of the student is generated.
Step 8: The record is send back to EMS, for registration purpose of the student.
Step 9: The complete updated recorded is pushed to the content server of EIDA.
Step 10: Student is informed of the registration process.
The implementation of 10 steps is illustrated as an Implementation Diagram in Figure 10 of the section:
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Enrollment
Management
System
(EMS)
Start
Based on the ID
Scanner, the
required fields are
populated in ERP
Yes
Student meets
admission criteria?
Admission record
gets stored in EMS
No
EMS module the
details provided by
EIDA systems and
other details
required
Recorded forwarded to
Administration and Examination
(AES)
Department
Verifies the
complete
admission
process
Admission and
Registration Department
generates the Student ID
No
Yes
TOC?
Institutional
Research office
VISA Case?
IR module
completes the
TOC process
Yes
No
End
Complete academic
profile (Graduation
plan and fees
payment plan)
pushed to EIDA
system
Upon approval of
the complete
graduation plan,
data is published in
the portal
HR Department
generates the complete
details for VISA
processing
Database
Application Server(APIs)
Database Cluster
Protected Zone
DMZ ZONE
IP/MPLS
IP/MPLS
IPSEC TUNNEL
University Firewall
EIDA Scanner
EIDA Scanner
Database
Database
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
5.1 Phase-1
Internet Key Exchange (IKE or IKEv2) is the protocol used to set up a security association (SA) in the IPsec
protocol suite. IKE builds upon the Oakley protocol and ISAKMP, and forms Phase-1 of VPN formation
process. The key protocols that are suggested to be used during Phase-1 are as follows:
5.1.1 Diffie-Hellman Key Exchange Algorithm
Diffie-Hellman (DH Group) is a public-key cryptography protocol. It consents two parties to establish a
shared secret key used by encryption algorithms over an insecure communication channel. In other
words, Diffie-Hellman key exchange bids the superlative of both worlds - it uses public key techniques to
allow the exchange of a private encryption key.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
The section provides the mechanism of DH Algorithm works for the proposed project, from the
perspective of Participating EIDA Client (PEC) and EIDA System (ES), two users who wish to establish
secure communications. We can assume that PEC and ES know nothing about each other but are in
contact.
9 step process for DH Algorithm:
1. Communicating in the clear, PEC and ES agree on two large positive integers, n and g, with the
stipulation that n is a prime number and g is a generator of n.
2. PEC randomly chooses another large positive integer, XA, which is smaller than n. XA will serve as
PEC 's private key.
3. ES similarly chooses his own private key, XB.
4. PEC computes her public key, YA, using the formula YA = (g^XA) mod n.
5. ES similarly computes his public key, YB, using the formula YB = (g^XB) mod n.
6. PEC and ES exchange public keys over the insecure circuit.
7. PEC computes the shared secret key, k, using the formula k = (YB ^XA) mod n.
8. ES computes the same shared secret key, k, using the formula k = (YA ^XB) mod n.
9. PEC and ES communicate using the symmetric algorithm of their choice and the shared secret
key, k, which was never transmitted over the insecure circuit.
How the algorithm works:
Step 1:
The algorithm generates a public key and a private key for the client (say PEC)
KeyPairGenerator PECKpairGen=KeyPairGenerator.getInstance("DH");
PECKpairGen.initialize(dhSkipParamSpec);
KeyPair PECKpair = PECKpairGen.generateKeyPair();
The KeyPairGenerator class is used to generate pairs of public and private keys.
Key pair generators are constructed using the getInstance factory methods (static methods that
return instances of a given class).
A Key pair generator for a particular algorithm creates a public/private key pair that can be used
with this algorithm. It also associates algorithm-specific parameters with each of the generated
keys.
Step 2:
PEC then encodes her public key and sends it to ES, who then retrieves the DH parameters
associated with PECs public key and uses it to generate his own key pair.
DHParameterSpec dhParamSpec =((DHPublicKey)PECPubKey).getParams();
Step 3:
ES initializes his own DH key pair
KeyPairGenerator ESKpairGen = KeyPairGenerator.getInstance("DH");
ESKpairGen.initialize(dhParamSpec);
KeyPair ESKpair = ESKpairGen.generateKeyPair();
Step 4:
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Participating
EIDA Client
(PEC)
EIDA System
(Server)
Retrieving Data
Database
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Shared Key
(from the file into which the DH
algorithm writes the shared text)
To Server
Provides information
to PEC based on the
authentication
In the AES rule, the number of rounds is represented by Nr, wherever Nr = ten once Nk = four, Nr = 12
when Nk = 6, and Nr = 14 once Nk = 8. The subsequent table illustrated the variations of the AES
algorithm. For the AES algorithm the block size (Nb), that represents the quantity of columns comprising
the State is Nb = 4.
AES Version
Key Length
(Nk words)
Block Size
(Nb words)
Number of Rounds
(Nr rounds)
AES128
10
AES192
AES256
6
8
4
4
Table 1: AES Variations
12
14
The basic process unit for the AES algorithm is a byte. As a result, the plaintext, cipher text and
therefore the cipher key are arranged and processed as arrays of bytes. For associate input, an output
or a cipher key denoted by a, the bytes within the ensuing array are documented as an, wherever n is in
one in every of the subsequent ranges:
Block length = 128 bits, 0 <= n < 16
Key length = 128 bits, 0 <= n < 16
Key length = 192 bits, 0 <= n < 24
Key length = 256 bits, 0 <= n < 24
All byte values within the AES algorithm are bestowed as the concatenation of their individual bit values
between braces within the order. These bytes are understood as finite field elements employing a
polynomial representation:
As an example, (or in hexadecimal) identifies the polynomial. The arrays of bytes within the AES formula
area unit described as:
7
b7 x 7 b6 x 6 b5 x 5 b4 x 4 b3 x 3 b2 x b1 x b0 x bi x i
i 0
7
As an example, {10001001} (or {85} in hexadecimal) identifies the polynomial x x 3 1 . The arrays of
bytes in the AES algorithm are represented as a 0 a1 a 2 ...a n .
All the AES algorithm operations are performed on a 2 dimensional 4x4 array of bytes that is termed the
State, and any individual byte inside the State is stated as sr,c, where letter r represent the row and
letter c denotes the column. At the start of the encoding method, the State is inhabited with the
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
plaintext. Then the cipher performs a group of substitutions and permutations on the State. When the
cipher operations are conducted on the State, the final value of the state is traced to the cipher text
output as is shown within the Figure 16.
Input Bytes
State Array
Output Bytes
in0
in4
in8
in12
in1
in5
in9
in13
in2
in6
in10
in14
in3
in7
in11
in15
SubBytes( )
ShiftRows( )
MixColumns( )
AddRoundKey ( )
ShiftRows(state)
MixColumns(state)
AddRoundKey(state, w[round*Nb, (round+1)*Nb-1])
end for
SubBytes(state)
ShiftRows(state)
AddRoundKey(state, w[Nr*Nb, (Nr+1)*Nb-1])
out = state
end
As depicted in the pseudo code, all the Nr rounds are identical with the exception of the final round
which does not include the MixColumns transformation. The array w[] represents the round keys that
are generated by the key expansion routine. In the following sections, individual transformations that
are used in each encryption round are described.
5.1.3 Secured Hash Algorithm 1 (SHA-1)
Secure Hash Algorithm 1 (SHA-1) is a hash algorithm used to authenticate packet data. IKE, AH, and ESP
can use SHA-1 for authentication [6].
All hash functions operate using the following general principles:
1. The input string is viewed as a sequence of n-byte blocks.
2. The input is processed one block at a time in an iterative fashion to produce an n-bit hash
function.
The simplest hash function is the list-by-list XOR of every block, expressed as following:
Ci=bi1 bi2 bim
where,
Ci=ith list of the hash code, 1in
M=number of n-bit blocks in the input
Bij=ith list in jth block
=XOR operation.
This is depicted in Figure 17.
bit 1
b11
bit 2..
bit n
b21
bn1
..
b12
..
:
:
..
Block2
Block m
b1m
..
bnm
Hash code
C1
..
Cn
Block1
C2
bn2
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Note1:
Figure 17 produces a simple parity for each bit position, and is known as a longitudinal redundancy
check. It is reasonably effective for random data as a data integrity check.
Another scheme, originally proposed by NIST, used the simple XOR applied to 64 bit blocks of the
message and then an encryption of the entire message that used the cipher block-chaining (CBC) mode.
In other words, given a message consisting of a sequence of 64 bit blocks X1, X2, ., XN, define the hash
code C as the block and append the hash code as the final block:
C = XN+1 = X1 X2 . XN
Next, encrypt the entire message plus hash code, using CBC mode to produce the encrypted message Y1,
Y2, ., YN+1.
Note 2:
It was shown that the above scheme to produce a hash code is not secure.
Secure Hash Algorithm
A cryptographic hash function uses a cryptographic function as part of the hash function. An intruder or
opponent would presumably not have access to the cryptographic function. The intruder could modify
the data or the hash value or both but without knowing the Cryptographic relationship between the
data and the hash value, the intruder would be unlikely to be able to modify both in such a way that
they match. Thus, modifications could be detected at the recipients end, with a probability depending
on the strength of the cryptographic algorithm and on the degree to which the data was reduced.
The secure hash algorithm (SHA) was developed by NIST in 1993 (FIPS PUB180). A revised version
referred to as SHA-1 was issued in 1995 (FIPS PUB 180-1). The algorithm takes as input a message with a
maximum length of less than 2 64 bits
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
A = 67452301
B = EFCDAB89
C = 98BADCFF
D = 10325476
E = C3D2E1F0
Step 4: Process Message in 512-bit (16-Word) Blocks
The heart of the algorithm is a module, known as compression function; that consists of four rounds of
processing 20 steps each. The logic is illustrated in Figure 19. The four rounds have a similar structure,
but each uses a different primitive logical function, which we call f1, f2, f3, and f4.
Each round takes as input the current 512-bit block being administered, Yq and the 160-bit buffer value
ABCDE and apprises the contents of the buffer. Each round also uses an additive constant Kt, where 0<=
t <= 79 indicates one of the 80 steps across five rounds.
Figure 19: SHA-1 Processing of a Single 512-Bit Block (SHA-1 Compression Function)
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
In fact, only four distinct constants are used. The values, in hexadecimal and decimal are depicted in
Table 2 as follows:
Step number
Hexadecimal
0<= t <= 19
Kt = 5A827999
[ 230 x 2 ]
20<= t <= 39
Kt = 6ED9EBA1
[ 230 x 3 ]
40<= t <= 59
Kt = 8F1BBCDC
[ 230 x 5 ]
60<= t <= 79
Kt = CA62C1D6
[ 230 x 10 ]
Note 1:
The SHA-1 algorithm has the property that every bit of the hash code is a function of every bit of the
input. The complex repetition of the basic function of ft produces results that are well mixed. It is
unlikely that two messages chosen at random will have the same hash code.
Note 2:
The difficulty of coming up with two messages having the same message digest is on the order of 280
operations. The difficulty of finding a message with a given digest is on the order of 2160 operations.
Other Secure Hash Algorithms
There are other secure hash algorithms:
MD5: The MD5 message-digest algorithm was developed by Ron Rivest. It takes as input a message of
arbitrary length and produces as output a 128-bit message-digest. The input is processed in 512-bit
blocks. It is shown that MD5 is vulnerable to cryptanalysis.
RIPEMD -160: This algorithm was developed under the European RACE Integrity Primitive Evaluation
(RIPE) project, by a group of researchers, who launched partially successful attacks on MD4 and MD5.
RIPEMD-160 is quite similar to SHA-1. The algorithm takes as input a message of arbitrary length and
produces as output a 160-bit message digest. The input is processed in 512-bit blocks.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
5.2 Phase-2
Once a Security Association is established in Phase 1, Phase 2 is IPSEC (ISAKMP) where we get into what
specifics the set up in the policies to have the keys set.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite,
while some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL),
Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the TCP/IP model [7].
The section stipulates the base architecture for IPSEC as revealed in Figure 20 [8]. It pronounces how to
provide a set of security services for traffic at the IP layer, in both the IPv4 [9] and IPv6 [10] environments.
IPSEC is a set of protocols operating at the OSI architecture model Network Layer three by extending the
IP packet header to support secure exchange of packets and provides the ability to encrypt any higher
level messaging.
Architecture
ESP Protocol
AH Protocol
Encryption
Algorithm
Authentication
Algorithm
Domain of
Implementation
Key
Management
Figure 20: IPSEC architecture
Figure 20 defines how the various components of IPSEC interact. IPSEC supports two security services:
1. Authentication Header (AH) [11, 12,13],and
2. Encapsulating Security Payload (ESP) [12,13,14].
The former provides authentication of the sender and the latter provides both authentication of the
sender and encryption of the data.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
IPSEC has been deployed widely to implement Virtual Private Networks (VPNs). As such, segmented links
may be securely networked with IP using encrypted tunnels. Since the routers perform the
encryption/decryption, the secure applications need no local cryptographic support.
Authentication Header (AH)
The AH service is used to provide data integrity, data source authentication, and replay protection
capability. The entire packet is authenticated. The authentication header format is shown in Figure 21
below:
0
78
Next Header
15 16
Length
Security Parameter Index (SPI)
Sequence Number
Authentication data
Figure 21: Authentication Header
31
Reserved
The Next Header is an 8-bit field that specifies the type of data contained in the payload. The Length
field specifies header size in 32-bit words, minus two, and the reserved field is set to zero. The Security
Parameter Index is a 32-bit number that provides the SA related to this packet. The Sequence Number
keeps track of the number of packets incrementing by one for each packet. The Authentication Data is a
variable length field that contains the Integrity Check Value (ICV). The field size must be a multiple of
32-bits and may contain padding as needed. The sender authentication header works by calculating the
ICV based on the payload, portion of the IP header, a secret authentication key, and a hash function. The
receiver performs the same calculation, and if the two values match, integrity is verified. In addition,
the source address provides authentication, and the sequence number replay protection.
Encapsulating Security Payload (ESP)
Protocol suggested during IPSEC phase-2 for transferring the payload data is Encryption Security Payload
(ESP), as indicated in Figure 22.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
31
Security Parameter Index (SPI)
Sequence Number
Initialization Vector
Protected Data
Padding
Padding Length
Next header
Authentication Data
Figure 23: Encapsulating Security Payload
The two main components of ESP header as indicated in Figure 23 are Security Parameter Index and
Sequence Number, which is elaborates as follows:
Security Parameters Index: Classifies, when used in amalgamation with the destination
address and the security protocol (AH or ESP), the exact security association for the
communication. The receiver uses this value to determine the security association with which
this packet should be identified.
Sequence Number: Delivers anti-replay protection for the SA. It is 32-bit, incrementally
increasing number (starting from 1) that indicates the packet number sent over the security
association for the communication. The sequence number is never allowed to cycle. The
receiver checks this field to verify that a packet for a security association with this number has
not been received already. If one has been received, the packet is rejected.
The ESP trailer contains the following fields:
Padding: 0 to 255 bytes is used for 32-bit alignment and with the block size of the block cipher.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Padding Length: Indicates the length of the Padding field in bytes. This field is used by the
receiver to discard the Padding field.
Next Header: Identifies the nature of the payload, such as TCP or UDP.
IPSEC Modes
There are three basic IPSEC modes the transport, the tunnel, and the nested. The transport mode is
used to protect the payload of the packet only. The authentication or encryption and connection
endpoints are the same. The tunnel mode is used to protect the entire packet, which includes the
header. The authentication or encryption and connection endpoints may or may not be the same. The
nested mode is a combination of two or more tunnel modes. Normally a host can use transport or
tunnel mode and a router can use only tunnel mode.
Transport Mode
In the transport mode of operation, the TCP and Application layer data are authenticated or encrypted
between two hosts. Hence the connection and security endpoints are identical.
Figure 24 below illustrates the transport mode format using the ESP header.
IP Header
ESP Header
TCP (Encrypted)
Data (Encrypted)
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Router
Router
IP Header
ESP Header
Net
IP Header
(Encrypted)
Router
TCP
(Encrypted)
Data
(Encrypted)
Outer
Router
In Router
IP Header
AH
Inner
Router
Out Router
IP Header
Net
Inner
Router
ESP
Outer
Router
IP Header
TCP
(Encrypted)
(Encrypted)
Figure 26: Nested Configuration
Data
(Encrypted)
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Though the tables displayed above are the key tables that will be used to store transactions but
complete Entity Relationship diagram, Normalized table structure with attribute details will be
presented with the working model.
6.1.1 Importance of different forms of Normalization and its importance in Database Design
In relational databases the name normalization refers to a reversible step-by-step process in which an
agreed set of relations is replaced by successive collections of relations that have a progressively simpler
and more regular structure. Each step, referred to as a normal form, and defines a set of criterion (the
normal form test) that needs to be met by the different tables of the database. In this sense, to say that
a relation is in a particular normal form is an indication of the conditions that the table has met. Since
the process is reversible, the original set of relations can be improved with no loss of information. As the
normalization progresses to higher forms, the individual collection of relations becomes progressively
more restricted on the type of functional dependencies that they can satisfy and the data anomalies
that they can experience.
The objectives of the normalization process are:
To make it feasible to symbolize any relation in the database.
To find powerful relational retrieval algorithms based on a collection of primitive relational
operators.
To free relations from unwanted insertion, update, and deletion anomalies.
To decrease the need for restructuring the relations as new data types are introduced.
The first two objectives pertain specifically to the First Normal Form; the last two apply to all normal
forms.
The entire normalization process is based upon the analysis of relations, their schemes, primary keys
and functional dependencies. Whenever a relation does not meet a normal form test, the relation must
be decomposed or broken into some other relations that individually meet the criteria of the normal
form test. Initially, E. F. Codd proposed three normal forms that he called first, second, and third normal
form. These forms are generally abbreviated and referred to as INF, 2NF, and 3NF respectively. In
addition to these original normal forms there exist others such as the Boyce-Codd Normal Form (BCNF),
Fourth Normal Form (4NF), and Fifth Normal Form (5NF). The relationship between some of these
normal forms is shown in Figure 28. This figure is sometimes referred to as the normal form "onion".
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Internal Representation
A query posed in a query language like SQL must first be translated to an internal representation
suitable for machine representation. Any internal query representation must be sufficiently powerful to
represent all queries in the query language. The internal representation could be relational algebra or
relational calculus since these languages are powerful enough although it will be necessary to modify
them from what was discussed in an earlier chapter so that features like Group By and aggregations may
be represented. A representation like relational algebra is procedural and therefore once the query is
represented in that representation, a sequence of operations is clearly indicated.
Logical Transformations
It must be noted that the same query may be formulated in a number of different ways that are
semantically equivalent. It is clearly desirable that all such queries be transformed into the same query
representation. To do this, we need to translate each query to some canonical form and then simplify.
This involves transformations of the query and selection of an optimal sequence of operations. The
transformations that we discuss in this section do not consider the physical representation of the
database and are designed to improve the efficiency of query processing whatever access methods
might be available. An example of such transformation has already been discussed in the examples
given. If a query involves one or more joins and a restriction, it is always going to be more efficient to
carry out the restriction first since that will reduce the size of one of the relations (assuming that the
restriction applies to only one relation) and therefore the cost of the join, often quite significantly.
Common Sub expression - In this technique, common sub expressions in the query, if any, are
recognized so as to avoid executing the same sequence of operations more than once.
Access Paths
Access Path is a software component of the DBMS maintains the physical storage of relations and
provides access paths to these relations. Often relations in a database are stored as collection of tuples
which may be accessed a tuple at a time along a given access path. The access paths may involve an
index on one or more attributes of the relation. The indexes are often implemented as B-trees. An index
may be scanned tuple by tuple providing a sequential read along the attribute or attributes in the index.
The tuples may of course be scanned using a sequential scan.
This involves selection of suitable access paths.
1. B-tree better for range queries.
2. Hashing is useless.
A relation may have one or more indexes available on it. In fact, a relation with many attributes could
well have many indexes such that the storage occupied by the indexes becomes as large as the storage
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
occupied by the relation. Indexes may use hashing or B- tree. They allow very efficient search when the
tuple with a given value of an attribute needs to be found.
The two steps are not separate and are often carried out together. The logical transformations may
involve using one or more of the following techniques:
A query may involve a number of operations and would often be a number of different ways these
operations could be processed. The DBMS must therefore estimate the cost of the different alternatives
and choose the alternative with the least estimate. The estimates of costs are often based on statistics
about the sizes of the relations and distribution of key values (or ranges).
Consider the task of estimating the cost of one of the options. The query optimizer needs to estimate
the cost of join of student and enrolment, the cost of restriction and the cost of joining the result with
subject. To estimate these costs, a DBMS would normally maintain statistics about the sizes of relations
and a histogram of the number of tuples within various key ranges. Given the statistics, the size of the
join of student and subject can be estimated as
The planner than produces a plan that presents a suggested sequence of operations as well as details of
how the operations should be carried out (for example, when an index is to be used).
Estimating Costs
It should by now be clear that most queries could be translated to a number of semantically
equivalent query plans. The process followed so far should eliminate most alternatives that are unlikely
to be efficient but one is still likely to have a number of plans that could well be reasonably efficient. The
cost of these alternatives must be estimated and the best plan selected. The cost estimation will of
course require the optimizer to consult the metadata.
The metadata or system catalog (sometime also called data dictionary) consists of descriptions of the
databases that a DBMS maintains. The following information is often available in the system catalog:
1. Name of each relation and all its attributes and their domains.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
2.
3.
4.
5.
6.
7.
8.
9.
Often these statistics are updated only periodically and not at every update/insert/delete. Also, the
system catalog is often stored as a relational database itself making it easy to query the catalog if a user
is authorized to do so.
Information in the catalog is very important of course since query processing makes use of this
information extensively. Therefore more comprehensive and more accurate information is desirable but
maintaining more comprehensive and more accurate information also introduces additional overheads
for the complete system development and implementation.
6.1.3 Sample ER Diagram for the Project
The section presents the three sample ER Diagrams for the entire project. The sample ER diagram are
presented in Figure 29, 30 and 31 respectively. Figure 29 represents the ER diagram for EMS module of
ERP.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
Return on investment
One of the foremost motives students pick to study at university is to boost their career
forecasts. This becomes progressively significant in assessment of intensifying expenses
of education, so persons want to guarantee it has been money well paid. This is even
more of a driver for international students. Maintaining the record of such students,
EIDA can help private organizations operating in UAE for the employability of the
International students, who studied in UAE.
Implementing and maintaining such a system, demands huge challenge, in terms of:
Establishing Security
Maintaining real-time backup of the complete system
Continuous updating the EIDA systems
Development and Implementation of the common ERP systems in all educational institutions
Providing Information both to educational institutions and external agencies, if required
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach
References
[1] C. Le Gal, J. Martin, A. Lux, J. L. Crowley, SmartOffice: design of an intelligent environment, IEEE Intelligent
Systems, vol 16, issue 4, pp. 60-66, August 2001.
[2] P. Fuhrer, and D. Guinard, Building a Smart Hospital using RFID technologies, Proceedings of ECEH06,
Fribourg, Switzerland, 2006.
[3] Huzaifa Al Nahas, Jitender S. Deogun, Radio Frequency Identification Applications in Smart Hospitals, in
proceedings of 20th IEEE international symposium on Computer-Based Medical Systems (CBMS 2007), pp. 337342, Maribor, Slovenia, June 2007.
*4+ Mark Weiser, The computer of the 21st century, Scientific American, vol 265(3), pp.66--75, September 1991.
[5] National Institute of Standards and Technology, Federal Information Processing Standards, Publication 197,
2001.
[6] http://www.ciscopress.com/articles/article.asp?p=25470&seqNum=7; 16/11/2013; 1115hrs.
[7] http://en.wikipedia.org/wiki/IPsec; 16/11/2013; 1145 hrs.
[8] RFC 4301 - Security Architecture for the Internet Protocol.
[9] RFC 2460 - Internet Protocol, Version 6 (IPv6) Specification.
[10] RFC 791 - Internet Protocol version 4 (IPv4); RFC 2474, Definition of the Differentiated Services Field (DS Field).
[11] RFC 4302 - IP Authentication Header (AH); RFC 4305, Cryptographic Algorithm Implementation Requirements
for Encapsulating Security Payload (ESP) and Authentication Header (AH).
[12] RFC 2403 - The Use of HMAC-MD5-96 within ESP and AH.
[13] RFC 2404 - The Use of HMAC-SHA-1-96 within ESP and AH.
[14] RFC 4303 - IP Encapsulating Security Payload (ESP); RFC 4305, Cryptographic Algorithm Implementation
Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH).
[15] RFC 4306 - Internet Key Exchange (IKEv2) Protocol.
Blueprint for Improving University Services in UAE through Emirates ID: 360 Degree Approach