September 11th 2013, Open Identity Summit 2013, Kloster Banz. Marcel Selhorst: Cloud-based provisioning of qualified certificates for the German ID card.

Agenda
- Overview: the German eID card (nPA)
- Post-issuance process
- Security goals and measures
- Status quo and future developments
- Live demo

Overview: the German ID card
The German ID card provides classic visual identification as well as online authentication secured by EAC 2.0. Three applications reside on the smartcard:
- ePass (ICAO compliant, sovereign use only): fast electronic access to ID data by sovereign agencies within the European Union; contains the MRZ data, the facial image and optionally fingerprints
- eID (application for electronic identification, optional): online and offline identification; pseudonymous login functionality; anonymous age and place verification
- eSign (application for qualified electronic signatures, optional): legally binding signatures for electronic documents (QES); usable online and offline; initially inactive

eSign application: what you want
Using the German ID card as a secure signature creation device (SSCD):
- legally equal to a personal signature
- full control by the citizen
- the signature key is generated and stored on the ID card
- immediate online transmission of the generated certificate to the ID card
- deletion of the generated signature key under control of the citizen
- unlimited (re-)generation of signature keys possible
- different certificate validity periods possible (e.g., less than 1 year up to 10 years)
- all advantages of digital signatures in existing business processes are maintained
sign-me and the new ID card enable, for the first time, on-the-fly post-issuance key generation and certification on an SSCD!

sign-me: the standard of tomorrow
Signature process from the citizen's point of view:
1. one-time registration
2. receiving a unique access code
3. generating the key pair and loading the certificate
4. electronically signing documents
All advantages at a glance:
- one-time registration for all certificates: requires eID to read the personal data
- easy handling: identical layout independent of the service provider selling the certificates
- grouping of processes: one solution for many processes by grouping the required components into one online application
- offline signature creation: already 5 different signature application components available that support sign-me
- uncomplicated workflow: users are guided through the necessary steps to ease the overall loading process

Preliminary actions
The following preparations are required before starting the certification process:
1. Buy a comfort reader: a standard reader with display, keypad and a security module for secure key storage; required for signature PIN management and for the generation of qualified signatures
2. Buy a certificate from an affiliated online shop: certificates are not sold by the Bundesdruckerei directly but by affiliated online shops (currently: card reader manufacturer Reiner SCT)
3. Register online to obtain a re-usable authorization code: this ensures that even in case of theft only the legitimate card holder can initiate the certification process

Registration using eID (screenshot slide: eID Service; user with browser, ID card and AusweisApp)

Post-issuance certification process
The post-issuance process consists of:
1. entering the authorization code (received upon registration)
2. setting the signature PIN
3. selecting a revocation password (for the hotline)
4. loading the certificate in an enhanced eID session (including key generation)
5. confirming reception of the certificate (required by German signature law)

Post-issuance certification process (five screenshot slides: eID Service; user with browser, ID card and AusweisApp)

Security goals and measures of eID
- Protection against malicious chip access: mutual authentication between chip and terminal
- Protection against eavesdropping on or manipulation of the communication: PACE (Password Authenticated Connection Establishment) establishes a shared secret by EC-DH via PIN, CAN or MRZ and then a symmetric encrypted channel using AES
- Protection against unauthorized access to stored data: access rights are granted by the Federal Office of Administration (BVA); fine-granular access rights to dedicated data groups and applications, which can be further limited by the citizen upon each access
- Assurance of the authenticity of the service provider: a short-lived authentication certificate is provided to the eID card and contains the terminal's access rights
- Data avoidance and data economy

Security goals and measures of sign-me
- stolen ID cards can be revoked temporarily or permanently; their certificates are revoked automatically
- certificates expire along with the ID card
- the card's authenticity and the citizen's identity are checked before the certificate is generated
- using one single eID session for key generation, export of the signature verification key, certificate generation and storage on the card ensures a strong binding between certificate, public key and ID card
- signing key pair algorithm: ECDSA with the Brainpool P256r1 curve

Status quo and future developments
- The system is currently in the pilot phase; the operational phase starts in 2014
- Currently in development: a signature portal for post-issuance certification, quick and easy signing of electronic documents, and a workflow that companies can integrate easily (very little development required):
  1. generate the document to be signed
  2. deliver the document to the sign-me portal
  3. the user signs online
  4. signature validation including report
  5. the document is returned to the portal

Thank you. Live demo.
Marcel Selhorst, Software Architect, Bundesdruckerei GmbH
Telefon: