HANDLING PRIVACY AND CONCURRENCY IN AN ONLINE EDUCATIONAL EVALUATION SYSTEM

Nowadays, all academic institutions exhibit and distribute their material over Internet. Moreover, e-learning and e-evaluation products is one of the most rapidly expanding areas of education and training, with nearly 30% of U.S. college and university students now taking at least one online course. However, Internet increases the vulnerability of digital educational content exploitation since it is a possibly hostile environment for secure data management. The challenge is that, given current online educational tools that are accessible by a large number of users, these educational environments handle data of varying sensitivity thus it is increasingly important to reason about and enforce information privacy guarantees in the presence of concurrency. In this paper we describe a privacy preserving approach in a concurrent online educational evaluation system. Here we propose privacy preserving approach for utilizing online concurrent evaluation of acquired student competencies that hands the increasingly complex issues of designing, developing and e-competence evaluation systems suitable for educational and e-learning environments. The proposed architecture for an online competence evaluation system offers access control and protects users private data and provides concurrent procedures for evaluating competencies.


Introduction
The huge expansion of Internet has increased the vulnerability of electronic educational environments (see Rjaibi et al. (2012), Younis et al. (2013), Chen et al. (2013), Jain and Ngoh (2003), Mason and Rennie (2006) and Morrisson (2003)). E-learning portals would be characterized as hostile environment from secure data management perspective. In most cases, educational organizations have to deal with all the open security challenges that could cause huge data losses, harm their reputation and strictly affect people's trust on them. One of the main obstacles for the wide adoption of online evaluation and e-educational tools, is the reluctance of users to participate. This reluctance can be, partially, attributed to the, relatively, low penetration of technology among citizens. However, the main reason behind this reluctance is the lack of trust towards the educational online system, which flows from the distrust of users that system may not processing concurrent access to evaluation results and may violate users' privacy. Our point of view, is that privacy and concurrency are critical requirements for ensuring that online evaluation systems produce fair results and respect users' privacy. Special care has to be taken that the algorithms, services, applications and data uploaded to the educational portal concerning the teaching material, personal information and evaluating competencies or courses and in general the whole operation of the educational management system provide concurrent processing and remain secure and confidential to all users.
The assessment of student learning is essential and the methodologies to implement it attracted great interest from the research community (see Jain and Ngoh (2003), Morrisson (2003), Yang and Lin (2002), Romansky et al. (2015), Huu Phuoc Dai et al. (2016), Aljbori et al. (2013) and Mason and Rennie (2006)). There are proposed various methods to evaluate professional skills. LeBelau et al introduce an Integrated Design Engineering Assessment and Learning System in (LeBelau et al (2014(LeBelau et al ( , 2014). Moreover there are a lot of institutions our the world that build systems for implementing assessment on the provided knowledge and learning outcomes (see (2012,2012), (2016,2016) , and 2007, 2007 ) . There is a vast majority of related research work (see Rjaibi et al. (2012), Younis et al. (2013), Chen et al. (2013), Kritzinger and Solms (2006), Mohd and Fan(2010), Saxena (2004), Yong (2007), Trek (2003, Reddy (2013), Whitson (2003) and Yand and Lin (2002)) that have proposed various security tools in order to solve certain security issues, however it is not presented a unifying secure model that focus on a particular use case including competence online evaluation.

Our contribution
Here we examine and propose a privacy preserving approach for utilizing concurrent online evaluations of users competences. The users have to prove their eligibility to participate in the evaluation process and they are able to securely share their learning outcomes and their possessed competences. The proposed model addresses a list of fundamental operational and security requirements. It is designed as a standalone solution but it can be flexibly adapted in broader educational tools and environments. This has to be the backbone of any educational organization for managing its online learning system. It is adapted in the broader competence evaluation infrastructures of educational study subjects as well as existing management platforms of educational organizations. The proposed e-competence evaluation system includes the development of a privacy preserving approach based on the cryptographic primitives called Attribute Based Credentials (Rannenberg et al (2014)). The online educational system will offer to the authorized users the concurrent procedures for evaluating their competences and providing fair results. Moreover, the users have to prove their eligibility to participate in the evaluation while, at the same time, the evaluation process preserves their privacy and ensures that produce meaningful and consistent results.
This work proposes a new architectural model with the following benefits: 1. It provides a productive environment that it is applicable in any application sector and it covers all possible use cases. 2. It is designed as a standalone solution but it can be flexibly adapted in broader management infrastructures as well as existing educational platforms. 3. It provides concurrent processing and protects users privacy rights. Moreover, it can be the backbone of any modern Internet-based educational evaluation data management system. 4. It is based on the open source idea in order to be software/hardware platform independent, it requires low development and maintenance costs and it is easily adapted to future changes. 5. It provides an effective way to increase scalability while guaranteeing security on users and data. 6. It can be a suitable component for existing open-source or even commercial educational evaluation platforms.
2 The challenge of privacy and concurrency in online evaluation system Given current online educational tools that are accessible by a large number of users, an online competence evaluation system handles data of varying sensitivity, thus it is increasingly important to reason about and enforce information privacy guarantees in the presence of concurrency.
The challenge of Concurrency : -A competence evaluation system should process concurrent accesses to its database. The statements of an online evaluation system could update the same data within multiple simultaneous transactions. Transactions executing at the same time need to produce meaningful and consistent results. Therefore, control of data concurrency and data consistency is vital in a competence evaluation systems database. -Educational data concurrency means that many users can access educational data (particularly the competence evaluation quizzes) at the same time. Educational data concurrency is provided by providing simultaneously and unlikable users actions thought the use of polymorphic pheudonymization.
-Educational Data consistency means that each user sees a consistent view of the educational data, including visible changes made by the users own transactions and transactions of other users. Educational data consistency is achieved by using timestamps. More precisely, when an annotation process finishes (i.e., educational or evaluation data), the resulted digital files are locked into a steady state by using hash function. The system stamps the state of each file so that no future modifications are possible without detection by utilizing electronic fingerprints including time.
-Educational data integrity means the educational data and structures must reflect all changes made to them in the correct sequence. Educational data integrity is achieved through the computation message authentication code (MAC) functions on stored data.
A concurrency conflict in our competence evaluation system occurs when a professor displays an entitys data in order to edit it, and then another professor updates the same entitys data before the first users change is written to the database. In our competence evaluation system, we have the detection of such conflicts, thus if a professor updates the educational content last overwrites the other users changes. In competence evaluation application, no concurrency conflict will be occurred among users since they can edit only their own competence evaluation quizzes.
The challenge of Privacy In the online educational evaluation system, we do not to use the commonly user authentication methods (e.g. PKI based) for controlling access to the online evaluation services in order to preserve users privacy and increase systems trustworthiness. Online educational system dont need to reveal users full identity profile in order to give access to educational services. In such types of applications there is, clearly, a need for a partial, and not complete, revelation of the users identity thus we suggest the use of Attribute Based Credentials. Attribute Based Credentials (ABC) are a form of authentication mechanism that allows to flexibly and selectively authenticate different attributes about an entity without revealing additional information about the entity, for more details see Bichsel et al. (2009) , Camenish (2001 and Camenish et al (2001). Privacy Attribute-Based Credentials or Privacy-ABCs, for short, is a technology that enables privacy preserving, partial authentication of users ( see Camenish et al (2002) and (2004), Rannenberg et al (2014), Zhang et al. (2016) and Liagkou et al. (2014)). Privacy-ABCs are issued just like normal electronic credentials (e.g. PKI based) using a secret signature key owned by the credential issuer. However, there is a key feature of this technology, the user is in position to transform the credentials into a new form, called presentation token that reveals only the information about him, which is really necessary in order to access a service. This new token can be easily verified with the issuers public key. The main ABC entities are four: the Issuer, the User, the Verifier, and the Revocation Authority. In general, the Issuer credentials contain certified user attributes, thereby attesting the validity of the attributes. The Verifier, or relying party, on the other hand, offers a service with limited access only to those users for whom it can verify the possession of certain attributes (or credentials). The Revocation Authority is responsible for revoking issued credentials, i.e. disabling the possibility of creating presentation tokens out of them.

Description of our architectural model
The main architecture of the competence evaluation system is shown at Figure 1. The architecture is consisted of various components that have different functionalities and roles. • An authorized officer inserts student information in the database of the Certification System • The administrator can revoke a user credential.
• The system issues credentials to the users so that to certify their identity, eg. if they are students or professors. • Users are able to browse their personal data stored in the academic institution database through their user interface. • Users are able to manage a limited subset of their personal information.
• Users are issued credentials that certify that they could participate to the ecompetence evaluation system. When a user requests a credential, through the e-competence evaluation portal then the e-competence evaluation system initiate the issuance protocol for the provided attribute based credentials.
-E-competence Evaluation System: This component implements the evaluation of the users knowledge. The procedure is the following, a user could select a study subject through the academic educational program and run the competence evaluation application. Through the Learning Outcome link, he/she will see the list of the expected learning outcomes (knowledge/skill/attitudes) for the chosen Study Subject. Whenever a user wants to evaluate a competence, he/she can access the Portal though his/her computer and complete the quizzes. After completing the evaluation, the student is informed about the evaluation result and his/her user profile will be updated automatically. The competence evaluation system performs access control.
Only users who own the required credentials are given access to the evaluation. More precisely: • The professors have credentials for satisfying the following policies: * Create a template to describe the set of competences for the study subject of the academic educational program that are responsible for. * Rate or insert a weight factor for the competence evaluation. * Create tests for the competence evaluation. The students have credentials that fulfill the following policies: • To evaluate anonymously the selected competences of a study subject to which they are registered. When the competence evaluation procedure is completed, professors and other subscribed members could have access the competence evaluation results.
-User's Interface: In order the internet browser to recognize anonymous credentials; the users must install in their pc a specific application which runs through user interface. The installed program helps user to perform operation on his credentials and initiate credential issuance and verification protocols through his user interface. Students are issued credentials that certify that are registered to the institution and they have enrolled to a study subject and they can have access its education content and participate to the competence evaluation system. If a member of academic educational institution like an undergraduate or graduate student or a subscribed user possess a valid credential that is a registered student and he is enrolled to a study subject, he will be able to: • View a Study Subject • View Announcements • View Rubrics • Access the evaluation area • Participate in self-evaluation of a selected academic or professional competence • Submit evaluation • View evaluation results • View the set of professional and academic competence -Professor's Interface:Professors are issued credentials that certify that are institution's professors and they are re registered to the institution and they are responsible for a study subject.If a professors possess a valid credential he could log into the portal and access his interface in order to: •

High Level Description of the Online Educational Evaluation System
Here, there will be a more detailed description for the realization of the online competence evaluation. The Users interact with the Educational Certification System in order to obtain their credentials, proving their studentship or their membership and their registration to corresponding study subject. The Educational Certification System provides to the students access in order to evaluate, anonymously, the competence of the subjects that they have selected. Students have to install an ABC User Client (User Service + GUI) on their computers in order to have access to User Interface and to be able to interact with components of the system. As far as security tokens are concerned, the use of a smart card is suggested. As a tamper proof device it offers security and it is the ideal hardware token for storing the Users device key. Additionally, it features a cryptographic processor which can be utilized for performing the cryptographic operations (exponentiations etc.) that are required during issuance. Moreover, it makes a User who stores his/her personal data on it, more confident and trustful. When a user wants to be registered to the online e-competence evaluation system he submits an application to the educational institute. The educational institute is responsible to check the submitted applications and to register the user to the e-competence evaluation system. Then the administration staff of the educational institute sends to the registered users an envelope containing a properly initialized smart card and the cards PIN and PUK values along with contact smart card reader and a slip of paper containing a one-time-password for the initial logging in the Educational Certification System. The first step for the new users is to log in the Educational Certification System using their matriculation numbers as usernames and their one-time passwords. Then, they are able to register their smart cards so that the E-competence evaluation system could link their smart cards with the user information residing in the system database. After a user has registered his smart card, he is able to obtain the evaluation credentials from the E-competence evaluation system. The evaluation credential proves that the user is registered to the study subject and he can access E-competence evaluation system.
It should be stressed here that each user is allowed to access the CE-competence evaluation system and provide his evaluation several times. However, only his last evaluation is taken into account due to the use of scope-exclusive pseudonyms. The E-competence evaluation system contains a database for storing eligibility policies and competence evaluation data for subsequent analysis.

Archiving Concurrency and Privacy
The Figure 2 the application layer and core components of the proposed architecture that are requires to preserve privacy and provide concurrent operations. The applica-

User Interface
Concurrency & Privacy in E-competence evaluation system -Access Control s achieved by presenting the required terms to the users stating what credentials they have to possess in order to proceed. -Key element manages the keys of all parties and keeps them up to date (key life cycle management). On input for a request for a key, it returns a (list of) cryptographic key(s) that are currently valid. -Cryptographic Evidence generates the cryptographic information required e.g., to create, present, verify or inspect a presentation issuance token. It internally orchestrates and performs the mechanism of specific cryptographic methods, such as the computation of signatures commitments, zero-knowledge proofs, etc. -Presentation Policy supports a User in choosing a preferred combination of credential and/or pseudonyms, if there are different possibilities to satisfy a given presentation policy. -Presentation Token Generator which generates a list of possible credentials and/or established pseudonyms when it receives the presentation policies as an input.
-Claim Selection helps user to choose a presentation token description and subset of the credentials that shall be used to generate the presentation token.
Typically, a User requests access to educational and evaluation data from Competence Evaluation System which in turn requests a SAML assertion from a Educational Certification System. The User is redirected to the Educational Certification System to retrieve the SAML assertion before passing it back to the Competence Evaluation System. Figure 3 illustrates the protocol flow. When the competence evaluation system receives -Students are issued credentials that certify that they are, indeed registered members of the university -Students are issued credentials that certify that are enrolled to a study subject and they can participate to the competence evaluation system -Professors are issued credentials that certify that they are professors of the university -Professors are issued credentials that certify that they are responsible for a study subject The Education Certification System will define the credentials that are required along with the corresponding attributes for those credentials that have to be revealed, or the conditions that the attributes have to fulfil. When Presentation Token Generator the presentation policies as an input, it generates a list of possible credentials and/or established pseudonyms, along with the corresponding presentation token descriptions that satisfy the presentation policies. The user can choose a presentation token description and subset of the credentials that shall be used to generate his required presentation token. When students or professors credentials are updated, the Presentation Token Generator will generate the presentation token for the chosen presentation token description (e.g. the student is enrolled to a specific study subject or the professor who is responsible for the specific study subject).
A cryptographic evidence is generated that supports the token description. The cryptographic evidence uses the required credentials, or pseudonym data from the stored credentials and the required public keys in order to return the full presentation token to the user interface.
User sends the presentation token to the Competence Evaluation System. The Competence Evaluation System passes the received presentation token and the previously sent presentation policy to Educational Certification System. Educational Certification System verifies in two steps whether the presentation token satisfies the presentation policy. First, it checks whether the statements made in the presentation token description satisfy the required statements in the presentation policy. When the first check succeeds, i.e., the presentation token description matches the presentation policy, it verifies the validity of the cryptographic evidence. To this end, stores the token and returns a description of the token to Competence Evaluation System. For supporting data concurrency tokens description includes unique identifier, which allows the Educational Certification System to retrieve the token later. If one of the checks fails, a list of error messages is returned to the application. When Competence Evaluation System receives the verification the user can access the requested educational data. If the user has the policy to modify the educational data the Competence Evaluation System signs the edited data by using a timestamp and locks the file into the repository. Competence Evaluation System locks the edited educational data by using fingerprints (hash values) in order to check that educational data has not edited by anyone else before store them (i.e., create proxies). If not, an error condition notices the professor who created the corresponding educational data. After this, the system does not allow any access to the specific data.

Conclusions
This work proposed a privacy preserving approach for processing concurrent online competence evaluations. The proposed model is designed as a standalone solution but it can be flexibly adapted in broader educational tools and environments. The proposed method could be the backbone of any educational organization for managing its educational content. Here it is described the architecture and main scenarios of an e-competence evaluation system. The future work could investigate how to use the ecompetence evaluation system as a small scale proof of concept of privacy enhancement technologies in concurrent e-learning activities in order to introduce the proposed method for the educational communities of all levels in EU. These technologies would also support privacy preserving e-education activities in discussion groups where participants would provide their concurrent opinion anonymously but after proving that they are eligible to participate in the group discussions.