Lightweight Technical Implementation of Single Sign-On Authentication and Key Agreement Mechanism for Multiserver Architecture-Based Systems

Authentication is the primary and mandatory process for any Information and Communication Technology (ICT) application to prove the legitimacy of the genuine user. It becomes more important and crucial for public platforms like e-governance platforms. +e Government of India is transforming the country into Digital India through various e-governance initiatives based on ICT. For authentication, National e-Authentication Framework (NeAF) was proposed by the Indian government which is a policy framework for authentication. +is framework does not provide any technical and unified solution for authentication systems while it is based on centralized verification data. In this paper, we proposed a solution for the authentication which provides the unified authentication solution for the Indian e-governance system with existing infrastructure. +is solution also provides the features such as scalability, security, and transparency based on distributed computing and working on multiserver architecture. +is solution also fulfills the need of the current Indian government to provide multiple e-governance services through a single smart card.


Introduction
Authentication is the primary and mandatory process for any application to prove the legitimacy of the user [1]. It becomes more important and crucial for public platforms.
ere are many ways to prove the authenticity of the user for any application, software, or service and authentication where ICT has been used. It can be done using various techniques such as password and biometrics [2] and is used in various sectors such a banking [2,3]. But, due to the increase in Internet coverage, various organizations, groups, companies, and firms started the delivery of their services through Information Communication Technology (ICT). One of the popular examples of this type of service is e-governance. Similar to the other applications, authentication is also required it. e Government of India also took serious steps towards transforming the country to Digital India through various e-governance initiatives based on Information Communication Technology (ICT). In the pace of development, National e-Authentication Framework (NeAF) was proposed by the Indian government. NeAF has been prepared by the National e-Governance Division (NeGD) within the Department of Information Technology (DIT).
NeAF is a policy framework for authentication for the Indian e-governance system. is paper is analyzing the requirements of an authentication protocol for the Indian e-governance system under the boundaries of NeAF.
Further, the paper extends up to the implementation, its concepts, and architecture to overcome the authentication issues and provides an integrated and unified view to the whole Indian e-governance system. e problem arises that individual registration and authentication process is required for each e-governance service. erefore, a unified single sign-on authentication technique is required for the Indian e-governance system to integrate all e-governance services. e same problem is reflected in the survey conducted by us [4,5].
Due to the increase in Internet coverage, various organizations, groups, companies, and firms started the delivery of their services through Information Communication Technology (ICT); therefore, authentication is becoming the most important process to provide accessibility of the services only for a legitimate user [6]. e same concept is applying by the government to serve its citizens through various services, which is called e-governance [7][8][9].
Since the 1970s, the Government of India took serious steps towards transforming the country to Digital India through various e-governance initiatives based on Information Communication Technology (ICT) [5,10]. e journey of e-governance development in India started in 1970 with the establishment of the Department of Electronics, which is related to ICT development [11]. en, National Information Center (NIC) was established in 1977, NICNET which is a satellite-based computer network was established in 1987, and District Information System of the National Information Center (DISNIC) was launched in 1990 [12]. Ministry of Information Technology was established to monitor Information Technology-related issues in 2000, the government formally launched its National e-Governance Plan (NeGP) [13], a guideline for all types of governments under the federal structure to implement e-governance in 2000 [14], e-Authentication framework was launched for user authentication for e-governance under NeGP in 2012 [15], next version of National e-Governance Plan e-Kranti is launched to improve and strengthen the existing NeGP in 2013, and finally, Digital India was established in the year 2014. In the pace of development, National e-Authentication Framework (NeAF) was proposed by the Indian government. NeAF has been prepared by the National e-Governance Division (NeGD) within the Department of Information Technology (DIT). NeAF is a policy framework for authentication to prove the legitimacy of the citizens to access various services of/from the Indian e-governance system [16].
ere is no provision to access various services through single sign-on. User needs to register at every portal of government service, and the architecture of these services is different.
ere are various authentication techniques adopted by the respective department on their own, such as biometric, Q&A, OATH, OTP authentication, and LDAP. It creates a problem for integration and intercommunication. e second issue is the scale of the users. How can the government offer to access huge services at every point for billions of people? is paper found a solution to install the thin service over the ATM and other kiosks to access government services along with the existing financial services. Later, the architecture to implement thin service is also explained in this manuscript. erefore, the UIAP is secure, multiserver architecture-oriented, based on distributed computing, using smart card, and able to integrate the existing system and fulfill the need of billions of people to access the government services to provide a unified view to the Indian e-governance system. e available authentication framework and developments are explained at the outset of this paper which includes the National e-Authentication Framework and then e-Pramaan. en, the working of these projects is explained, and in the next section, the proposed protocol has explained its implementation process. e performance parameters are explained along with the conclusion of the work [17]. In Section 3, related work has been discussed. e existing Indian e-governance authentication system has been discussed in Section 4. e UIAP protocol proposed to integrate the Indian e-governance system has been proposed in Section 5. Section 6 explains the process to implement the UIAP for the existing Indian e-governance system. Finally, Section 7 concludes the paper.
e Government of India expressed its interest to provide a smart card for authentication for various e-governance services. e e-governance environment is working on a multiserver architecture-based environment and using distributed computing. Many researchers presented different authentication protocols both for two-layer and for multilayer architecture-based systems. e authentication schemes for multiserver architecture are available in the literature [18][19][20][21][22][23]. It has been observed that the hash-based authentication schemes are the most efficient techniques [18,22,[24][25][26]. In 2014, Hu [27] proposed a technique [19], which claims anonymity and traceability with all necessary security properties as in Li. et al.'s protocol [19]. Gaharana and Anand presented a security analysis of various multiserver authentication techniques [28]. ese techniques are based on two-way and three-way factor-based authentication [29][30][31][32][33][34]. Generally, authentication schemes are dependent on a central server that stores the verification data. Because of centrally stored verification data, these schemes are vulnerable. erefore, a new authentication scheme is required to overcome the vulnerabilities due to centrally stored verification data such as reflection attack, insider attack, and smart card loss attack, and Anand D. and Khemchandani V. proposed a technique to overcome this weakness [35,36].

Motivation of This Work
e available authentication solutions are not capable of giving a unified authentication view for the e-governance services in India. Citizens need to register themselves for each service and then the services are integrated using the ADHAAR number which is a unique identification number for citizen which is centralized. erefore, there is a requirement for an authentication technique that can give a unified view to the authentication process to access e-governance services at geographically distributed servers and departments. Along with this unified view, there is also a requirement for this authentication process that it should not depend on any centralized storage and should be able to store the related information at distributed storage. e novel authentication mechanism is the requirement of the time for the Indian e-governance system and this is the motivation for this work. Motivated by this, the paper proposes a robust and efficient user authentication scheme. e major contributions of this paper are smart card-based authentication scheme for a multiserver environment with the following selected features: Secure: all the major security threats and goals are tested Light-weighted: distributed parameters are used in place of centralized storage Single sign-on: single registration may work for all the departments as per the existing e-governance architecture Efficient: light-weighted and secure protocol which is capable of handling big amount of requests for a huge population through existing resources

Related Work
Various authentication schemes have been proposed to handle the security threats specifically for e-governance projects. Roy and Karforma proposed a secure and smart system for e-governance which is using ECDSA (Elliptic Curve Digital Signature Algorithm) based on UML [79]. In this technique, they proposed the e-governance system model dependent on Multipurpose Electronic Card (MEC). In other work, Roy et al. proposed another approach in which ECDSA was replaced with the RSA approach for object-oriented modeling of RSA digital signature. Mutual authentication is the basic security requirement that needs to incorporate in the e-governance system as in 2006. Liao et al. proposed a mutual authentication scheme. Yoon and Yoo [38] analyzed the scheme of Liao et al. and proved that it is unable to resist playback threats and offline password guessing. Other techniques have been proposed by Ku and Chen [39] and Yoon et al. [40]. Wang et al. [41] analyzed these schemes in 2007 and found the security threats such as forgery and DoS threats. To overcome these threats, Wang et al. proposed another scheme with all the security functionalities available in Ku and Chen [39] and Yoon found during the analysis such as insider attack, reflection attack, and parallel session attack [42][43][44].
Chung et al. [45] analyzed the scheme of Wang et al. [41] in 2009 and observed that the scheme is unable to resist impersonation and password guessing attack. e further author proposed a technique providing security services such as offline password guessing attack, impersonation attack, insider attack, the stolen smart card attack, and the modification of account-database attack. Additionally, the scheme was able to achieve the perfect forward secrecy [46,47]. Xu et al. [47] analyzed the Lee et al. [46] and Lee and Chiu [48] schemes and proved that these techniques are not able to resist forgery attack. en, Xu et al. [47] promulgated an improvised scheme to remove security weakness. Song [49] proposed a better scheme in which the drawback of the scheme of Xu et al. [47] has been improvised to overcome the existing impersonation attack. Chen et al. [50] analyzed the scheme of Wang et al. [41]. It has been observed Wang's technique is not able to resist the security attacks such as parallel sessions and forgery attacks. Further, Chen et al. proposed a better technique. Chen et al. [50] analyzed the techniques of Sood et al. [51] and Song [49] in 2012. According to Chen et al. [50], the improvements recommended by Song [49] and Sood et al. [51] are very sensitive to many known attacks. In this method, Chen et al. recognized security defects in the enhanced smart card-based password authentication and key agreement schemes of Sood et al. [51] and Song [49]. e technique of Sood et al. does not support an important security requirement of mutual authentication, and Song's technique was susceptible to offline guessing attacks and stolen card and thus enhanced the technique of Chen et al., which eradicated these security weaknesses, and the technique achieved mutual authentication, withstands various attacks, and is efficient. He also exposed that the technique of Sood et al. [51] has two drawbacks. Firstly, the technique is in a one-way authentication mechanism as the server verifies the authenticity of the entity and has no reciprocal mechanism of authentication. e second is erroneous input detection. Chen et al. [50] also determined the offline password guessing attack concerning Song's scheme, which led to the lack of security. Additionally, Chen et al. [50] presented an authentication mechanism to overcome the security flaws. In 2013, Li et al. [52] found that Chen et al. failed to satisfy forward secrecy and proposed an improved scheme. Jiang et al. [30] analyzed the scheme of Chen et al. [50] and found that the scheme is insecure to password guessing attack.

Authentication System for Indian e-Governance System
e journey towards authentication system for the Indian e-governance system started in 1970 with the establishment of the Department of Electronics since then many milestones have been achieved. In 1977, NIC was established. In the year 2006, the government launched NeGP (National e-Governance Plan), a guideline for all types of governments under the federal structure to implement e-governance.

National e-Authentication Framework.
is project has an objective to develop an online service delivery mechanism to authenticate the user's identity electronically to prove their legitimacy to access each government service securely. erefore, the Department of Information Technology, Government of India, has proposed the National e-Authentication Framework (NeAF). e objective of NeAF is to provide a guiding framework to all central ministries, state departments, and other government agencies for the implementation of appropriate authentication processes and mechanisms as part of their service delivery strategy. e overall objective is to Security and Communication Networks provide a trusted electronic environment where the users can transact easily and securely with the government. e framework first defines the principles of e-Authentication along with its various components such as Identity Management, Authentication, Authorization, Credential Registration, Permission Assignment, Deregistration, and Single Sign-on. e framework then defines a layered approach towards e-Authentication along with a six-step methodology to determine the business and assurance requirements of government applications, the user registration process, the implementation model, and the assessment of the chosen authentication model. It is also recommending the procedure to define the sensitivity level of the respective application for National Service Delivery Gateway (NSDG), State Service Delivery Gateway (SSDG), and Mobile Service Delivery Gateway (MSDG). Further, the framework is followed by the technical architecture of "e-Authentication" as well as the roles and responsibilities of stakeholders towards acceptance and execution of this framework [5,[53][54][55].
Implementation of the authentication is depended on the available technologies, mechanisms, and interfaces.
ese are incorporated in NeAF as illustrated in Figure 1. e following sections are describing these components.

Authentication Protocols.
e organizations build Information and Communication Technology-(ICT-) based systems to provide quality services to their end-users. Several interconnected servers are required for the efficient and effective use of these services. e user legitimacy test is very important for ICT-enabled services. Different authentication protocols to test are adopted by the various departments for their projects. For authentication, identification is important because, ultimately, the identity of the user will be proved in the authentication [37,56]. e proposed protocols and methods identified in NeAF are as follows: (1) Biometric: biometric authentication is simply the process of verifying the user's identity using measurements or other unique characteristics of his/her body and then logging in to the system, an app, a device, and so on [57]. For these body measurements (such as iris, fingerprints, palm design, face detection, and voice), specific hardware is used to extract the features and match them with already recorded features [58,59]. is technique has some disadvantages as follows: Unable to update or change because biometrics is last a lifetime "Master fingerprints" can trick many phones and scanners Vulnerabilities in biometric authentication software Creating a fake identification such as finger (spoofing the fingerprint) Hacking the biometric sensor and stealing the data (2) QnA: in this mechanism, the user can either set their own set of questions and answers during the QnA creation stage, or the application can choose to ask predefined questions to the user. It can be used as a secondary, second factor of two-factor authentication or in the password change process. It cannot be used as a primary authentication process because the vulnerability is very high and the probability to break it is also very high [60,61].
(3) OATH: this mechanism is the initiative of industrial collaboration and combined efforts to develop a strong and secure authentication scheme that is open to use. It uses open standards to endorse the implementation of strong authentication [62,63]. e objective of this scheme is to make the authentication process independent from the vendor or development platform. In this way, the development cost of the product will decrease and the use of the product will become simple [64]. ere are various levels of the OATH standard. For the basic level, OATH is using the following credentials for authentication: One-time password-(OTP-) based authentication Public key infrastructure-(PKI-) based authentication (using X.509.v3 certificate) Subscriber identity module-(SIM-) based authentication (using GSM/GPRS SIM) However, OATH is very useful, but some disadvantages are also identified as phishing, centralized, anonymity issue, etc. (4) OTP authentication: automatically generated, an alphanumeric, fixed-length string of characters used to authenticate the legitimacy of the user for a single transaction or a specific session is called a one-time password (OTP). OTP is more secure in comparison with the static or user-created password due to its randomness and single-time use. e OTPs may use as authentication login information, but generally, it is used as a second-factor authentication credential for the multifactor authentication mechanism [65,66]. (5) Kerberos, X.509 certificates: the X.509 is a type of digital certificate that uses a widely accepted public key infrastructure (PKI) standard for the verification of the identity of the user/computer/service claimed at the remote location. e X.509 certificate was firstly issued as a part of the International Telecommunications Union's Telecommunication Standardization Sector (ITU-T) and X.500 Directory Services Standard in 1988. Later, it has been identified that it is not secure against attacks and also requires a huge hierarchy. e maintenance of Kerberos is also costly as it required maintaining various lists and status of the certificates such as Certificate Revocation List (OCR) and Online Certificate Status through Online Certificate Status Protocol (OCSP) [67]. the protocol was developed for directory services in which distributed lists of information are systematized into a tree of directory information, which are stored within an LDAP database. If the user wants to access the information from an LDAP database, then he/she has to prove his/her identity. In this way, it is quite consuming. e problem with LDAP and its type of solution is the integration of the active directory at the cloud [68]. Additionally, the support for Mac and Linux platforms can be extremely burdensome. Due to these problems, drawbacks, challenges, and cons, there is a serious need for innovation within the directory realm [69,70].

Authentication
Interface. An authentication interface is one of the most core interfaces to provide a platform for the user to connect with the security framework. NeAF has announced the following authentication interfaces.

Security Assertion Markup Language (SAML).
Current software and services are working on the distributed environment in which there is a need to pass on the identification credentials from one node to another node. In this regard, SAML is very useful to open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). e major benefit of the SAML is that a set of credentials is sufficient to access various websites/ services as one site pass on the credentials to another node.

Challenge-Response.
Two friends are only the persons known the secrets of each other. e same concept is applied for challenge-response authentication. It is an interface for authentication where one entity provides a challenge (a secrete question, etc.) and at the other end, the second entity provides the corresponding response to complete the authentication process successfully. If a second entity fails to provide a valid response, then the authentication process fails with fail status and denies the second entity to access services, computer, network, or another network resource at the first entity [71].

Remote Authentication Dial-In User Service (RADIUS).
is protocol is developed for the Network Access Servers (NAS) which requires authenticating its links and a shared authentication server along with authorization, and configuration.
erefore, this protocol is working as AAA protocol, i.e., authentication and authorization protocol for specific applications such as Network Access or IP Mobility. To authenticate the user, this protocol uses Password Authentication Protocol (PAP), Extensible Authentication Protocol (EAP), or Challenge Handshake Authentication Protocol (CHAP) and accesses text file, Database, and LDAP servers for authentication [1]. e authentication credentials are accessed from the above-said storage entities, and after completion of the authentication process, the credentials are returned back to the respective NAS [72].

OpenID.
Nowadays, every user is required to access various services available on the Internet using a computer or using mobile. It is very tough to manage the authentication credentials for all the services as all the services are deployed on different platforms and the authentication of each service is different. erefore, it is a requirement to sign in at one website and access any service without creating new passwords. is objective is achieved by the OpenID which allows the user to use an existing account to sign in to multiple websites. For OpenID authentication, the associate information with OpenID is passing to the other websites like name or email address. is information can be controlled and configured for the amount which can be shared  Security and Communication Networks with other websites. e password or authentication credentials are taking care of by the primary website which is responsible to prove the legitimacy of the user and confirm the authentication of the user and the rest websites are not able to access these authentication credentials. Hence, a user does not need to worry about an unscrupulous or insecure website compromising your identity.

e-Pramaan.
It is a framework standard for authentication of the users and also provides security for various government services on the Internet or mobile platform. It is based on the National e-Authentication framework. e e-Pramaan authentication framework is providing the exclusive unified login service for national and state-level e-governance applications. e services of e-Pramaan are implanted through SAML 2.0-based single sign-on (SSO) and provide multifactor authentication using various authentication parameters such as OTP, password, biometrics, and a digital certificate. e-Pramaan is also providing chaining of user's authentication through various government legitimate verification methods such as Aadhaar-based user identity verification and PAN-based identity verification. e details and analysis of the e-Pramaan have been provided in the next section [5]. e e-Pramaan has been proposed in 2012 and deployed in India in 2015. It is implemented on the web for the citizens. e citizen has to get registered for this service. After successful registration and authentication, the user can access the services through the given links.

Workflow of e-Pramaan.
e workflow of e-Pramaan is shown in Figure 2. To access selected e-governance services, the Government of India provides a platform through a web portal, i.e., https://epramaan.gov.in. Before accessing any authorized e-governance service, the user needs to get registered on this site. is registration process requires the user's Aadhaar information. Figure 2 illustrates the e-Pramaan workflow which requires registration followed by the login process. After successful login, the e-Pramaan website redirects the users to the specific departmental server.

Information Flow of e-Pramaan.
e information flow is illustrated in Figure 3. e process is started with two options, either the user is already registered or he/she is a new user to register. If the user is already registered, then he/ she is redirected to the login page and provides authentication credentials. ese credentials are used for the purposes of authentication at the central repository. If the user's legitimacy is proved through the mentioned process, then the system redirects the request to a user's specific page. User can then access the e-governance services for which he/she is authorized. Once, the work is completed he/she can log out from the system. However, in the case of registration, the user has three options as follows: (i) Registration using base number/voter ID (ii) Registration using driving license (iii) Registration without identity verification e registration process is successful once the information provided by the user is verified. After registration, the user can log in and access the desired services.

Sequence Flow of e-Pramaan.
To understand the sequence of intercommunication of various processes/servers of the e-Pramaan, a sequence diagram is illustrated in Figure 3. e e-Pramaan layer is intermediate between user and department's services, i.e., e-governance services. To access the information, a user requests for authentication to the e-Pramaan layer. Based on the user's credentials, the authentication process verifies the user's legitimacy through the stored information. If the user proves its legitimacy, then the e-Pramaan website redirects the request to the requested server.
e flow of information of the e-Pramaan is illustrated in Figure 4.
is flow diagram explained the flow of information for "already registered user" and also for "new user".

Analysis of NeAF and e-Pramaan.
To make the system better, it is necessary to analyze the existing authentic system of India. e observations are as follows: (i) ere is a centralized data store for authentication credentials. (ii) e whole authentication process depends on the single and centralized authentication credentials. (iii) e e-governance services are individually accessed through their authentication system. (iv) e registration process for each e-governance service is existing along with e-Pramaan registration. User is to get registered for each e-governance service individually. (v) e multiple registrations for the services of a single organization (i.e., the registration process for various e-governance services) are a redundant process. ese repetitions of the same process make citizens uncomfortable. e same results were highlighted by us in other works where government officials are also agreed on it [4,5,53,73]. (vi) rough e-Pramaan, all the suitable e-governance services are made available at a single window. But it is not the integration of all the services as claimed. It infers that there are two ways to access the system, either to access a particular e-governance service directly from the department's server or through the e-Pramaan. It means there are two authentication processes for the same service, and therefore, redundant data have to be stored for authentication of a citizen for a service.
e unified and integrated authentication system means all the e-governance services are accessible only through a single authentication system. Whether users may access through the portal of service or from the platform government provides to access their services (as in the case of e-Pramaan). To make the system more secure and safe, the authentication should not be dependent on the central authentication store; therefore, the process should be distributed and not storing data on the central data store [35]. To solve these issues, Anand and Khemchandani propose a UIAP which is explained in the next section.

Unified Integrated Authentication Protocol (UIAP)
is section explains the proposed Unified and Integrated Authentication Protocol (UIAP), which is developed not only for authentication on multiserver architecture but also provides the facility of secrecy for communication among various involved servers and layers. Because of this, the protocol can integrate the existing isolated system in a unified manner. In UIAP, once a user gets registered for any service, he/she can be authenticated to access a particular service provided by a server other than the server on which registration has been done. If the user wants to access the services from service-providing server (other than service providing server, where a user got registered), the session key will be shared between all the involved servers including service providing server where users got registered. In this way, the data required for registration are stored at the service providing server and central authentication server in a distributed manner during the registration process. is  proposed protocol contains three kinds of layers for the authentication process as a Common Service Center (CSC), the Department Service Providing Server (DS)/Department Service Used for Registration Server (DSO), and the Central Authentication Server (CAS). U i is ith user from a set of users U, h(.) is expressing a hash function, E is expressing the ciphering/encryption algorithm, k is denoting the concatenation (bitwise), ⊕ is expressing XOR operation for bit values, UID i is users U i identity, r1, r2, and r3 are denoting the random numbers at CSC, DSO, and CAS, respectively, key1 is symmetric key for encryption between CSC and DSO, key2 is symmetric key for encryption between DSO and CAS, ID DSO is used to express the ID of DSO, ID DS is used to express the ID of DS, TS 1 , TS 2 , and TS 3 and N 1 , N 2 , and N 3 are denoting the timestamps and nuances generated at CSC, DS, and CAS, respectively, PIN is used to encrypt the data read from smart card for further processing, ∆TS DSTV , ∆TS CASTV , and ∆TS DSOTV are acceptable time duration between the timestamp values generated at DS with TS 1 , CAS with TS 1 , and DSO with TS 1 , respectively, and SessKey is the final session key deduced at each layer which is used for communication after authentication. e detailed working of the UIAP is illustrated in Figure    User authentication

Security and Communication Networks
Authentication Protocol (UIAP), which is developed not only for authentication on multiserver architecture but also provides the facility of secrecy for communication among various involved servers and layers. Because of this, the protocol can integrate the existing isolated system in a unified manner. In UIAP, once a user gets registered for any service, he/she can be authenticated to access a particular service provided by a server other than the server on which registration has been done. If the user wants to access the services from service providing server (other than service providing server, where a user got registered), the session key will be shared between all the involved servers including service providing server where users got registered. In this way, the data required for registration are stored at the service providing server and central authentication server in a distributed manner during the registration process. is proposed protocol contains three kinds of layers for the authentication process as a Common Service Center (CSC), the Department Service Providing Server (DS)/Department Service Used for Registration Server (DSO), and the Central Authentication Server (CAS). e detailed working of the UIAP is illustrated in Figure 5. e responsibilities of each layer are as follows: (1) Common Service Center (CSC): the user interacts with the whole system through this layer. Generally, organizations installed various ICT kiosks, i.e., CSC to access the services. ese kiosks will be enabled with all the required resources such as computer systems, Internet, scanner, power backup, and installed nearby the residences of remote users. ese centers are useful for remote residents and also for busy persons who are unable to reach the office physically for any service. e registration can be done only from a legitimate CSC or from any legitimate office of the organization. e request for login goes from the CSC layer. CSC layer validates the registration, standardizes and formats the information, and then forwards to the next layer for further processing. (2) Department Service Providing Server (DS): there are various departments to handle a specific type of service. ese services (such as road transportation office, passport office, banks, and income tax office in case of e-governance) are only accessible by the legitimate and registered users. is layer is the set of servers, which are collectivity called as Department Service Providing Layer or DS. is layer is responsible to provide the services after validating the legitimacy of the users through CSC.
(3) Department Service Used for Registration Server (DSO): this type of servers is the members of the set of DS layer, but the primary responsibility of it is to register user and store the registration data. e stored data will be used for authentication to prove the legitimacy of the user by passing messages among CSC, DS, and CAS. is layer is also responsible to serve the users by providing services as by the DS layer. (4) Central Authentication Server (CAS): this layer has a responsibility to authenticate the users. At the time of login, this layer will identify the user's DSO server where detailed information is stored at the time of registration. erefore, there is no need to store the whole data on a central server or central cloud.
ere are three processes to implement UIAP for authentication: (i) Initialization and registration phase: this phase is responsible to register the citizens who approach to access any e-governance service. In this phase, various parameters are shared between the various communication entities and some of them are stored on these layers for the further authentication process in a distributed manner. (ii) Login phase: this main process is used to prove the legitimacy of the genuine user. If the user is unable to prove its legitimacy, then the user cannot allow accessing the system. (iii) Authentication and key agreement phase: after successful login, through the same parameters which are shared in the login phase, a session key is deduced and used for secure communication.

Lightweight Technical Implementation of UIAP
ere are several existing projects which are running on various servers to provide various services to citizens. For these services and servers, citizens have registered for individual services at a specific server. To implement the UIAP, the following components of the system are required: (i) UIAP implementation architecture: this is a framework that comprised of the relationships and interactions between application components, such as middleware systems, user interfaces, and databases. (ii) Data structure: How do we represent, organize, manage, and store the information that enables efficient access and modification for UIAP communication. (iii) Communication services: there are various standardized ways or media to propagate communication between the various layers engaged in UIAP. (iv) Integration with other e-governance services: the most challenging task to integrate the existing services with UIAP.
6.1. UIAP Implementation Architecture. e average Internet user gets to see a specific page on his/her system, through a series of interactions between various components of applications, user interfaces, middleware systems, databases, servers, and the browser. e framework which ties up this relation and interaction together is the project implementation architecture. e project implementation architecture for UIAP is illustrated in Figure 6. e user can access the e-governance services through three mediums as follows: Government kiosks (Common Service Center): under the NeGP, the government began a venture CSC to encourage the citizens for e-governance by a stand adjacent to his/her home in farther regions of anywhere in the region of the country [74]. e CSC guidelines conceive a wide variety of substances and services that could be offered as training and education, health, insurance, banking (rural and urban), entertainment, agriculture, business, skill development, etc. Web applications (HTTP-based application for laptop, desktop, or smartphone): the Government of India initiated the facility to access the various e-government services through web portals. As technology grows, the services are also provided for smartphones through Android or iOS apps. ese services are responsive and based on web application architecture [75,76]. is is also very useful as a major population is using smartphones and the Internet. erefore, it is very much mandatory to facilitate citizens with an open platform to access e-governance services.
rough existing infrastructure like bank ATMs: there is a big challenge to deploy CSC to provide the reach to the citizens to access the e-governance services. To make it available to the citizens, apart from CSC and web application platforms, the bank ATMs can be another option.
ere are about 2.2 million ATMs including 15,626 WLAs working in India to serve the citizens and it is expected to 4 million in the next couple of years. e primary objective of these machines is related to money, basic bank operations, etc. Some of the ATMs are also working for income tax filing and other government-related tasks. e working of these ATMs can be extended to serve various existing e-governance services. is idea, to provide e-governance to all the citizens through exiting the ATM network, is useful to enhance the reach [77,78].

UIAP Data Format.
To exchange data among different servers involved during the authentication process, the lightweight data-interchange format JavaScript Object Notation (JSON) can be used to reduce communication overhead. It can be considered as of the best solutions to represent the data because the JSON objects are an openstandard file format that uses human-readable text to transmit data objects consisting of attribute-value pairs and array data types or any other sterilizable value. It is a very common data format, with a diverse range of applications. So, it is useful to integrate the existing e-governance services, whether they are working on any platform and technology [79,80].
6.3. UIAP Deployment. Scalability is important for keys (used for authentication and establishment of keys) and services. To scale the authentication service for a billion people, there are two general technical options: (i) Multiple servers with proper integration and synchronization (ii) Cloud-based e-governance services can be implemented e first option is not considered efficient as it is required to develop and deploy multiple services for an effective and efficient outcome like load balancing, security, backup services, and integration synchronization. e second option is suitable to deploy the proposed authentication service for e-governance services.
e Government of India deployed its cloud platform for various e-governance services, i.e., MeghRaj (https://cloud.gov.in/). is cloud service is open for all e-governance services. e security concern can be addressed by efficiently implementing the following services: Many of these services are already deployed on the MeghRaj platform. e NIC National Cloud (MeghRaj) is presently hosting several critical applications on over 16,000 virtual servers supporting 480+ e-governance projects and 900+ user departments under Digital India. erefore, MeghRaj is the prominent, efficient, secure, and effective option to deploy the proposed authentication service UIAP.

Conclusion
e authentication process is very crucial and important for the highly scalable system providing multiple services through different servers. e same will apply to the e-governance system. e Government of India is also taken it seriously e-governance services, and therefore, NeAF and e-Pramaan projects are proposed. e-Pramaan just redirects the user to a specific departmental server to access the corresponding server after authentication. In this setup, the user has to authenticate himself/herself separately to access a specific service. erefore, to access any service (which is not read-only), he/she has to execute two authentication processes with separate credentials. To provide a single authentication service to access all services, we propose the lightweight technical implementation of single sign-on authentication and key agreement mechanism based on UIAP. is paper also explains the implementation of the authentication mechanism using lightweight SOAP services deployed over a cloud-based platform. Further, the work will be extended to make the technique able for authorization of the e-governance services.

Data Availability
e data used to support the findings of the manuscript are available within the article.

Conflicts of Interest
e authors declare that they have no conflicts of interest. Intra-service security Intra-service security