Strong Mobile Authentication in Finland (MPKI, WPKI) Special Discussion Topic Kantara Initiative Telco Identity Working Group Prepared by: Keith Uber Ubisecure Solutions Oy

Agenda
- National ID
- Commercial Identity Providers in Finland
- Mobile ID History
- Questions / Discussion

Finnish Personal Identification Number
- National ID number
- Widely, and incorrectly, used as a means of identification
- Format YYMMDD?123X
- Exposes both date of birth and gender

eID in Finland
- eID card contains name, optionally address, and SATU (electronic identification number)
- Not mandatory
- Price 51
- The SATU number can be converted to a personal identity number through a web services query to the population register

eID Statistics
- End of November ,800 certificates issued to date
- 272,200 currently valid

Population Registry
- Provides a Web Service interface to population registry data for authorized parties (VTJKysely)
- Interface provides citizen, building and real estate information
- Over 80 different types of attributes available
- Web service interface authentication at connection level using client certificates

Banks as Commercial IdPs for eGov
- TUPAS is a joint bank specification for electronic authentication by the Federation of Finnish Financial Services
- Proprietary protocol
- User must be strongly authenticated, typically with a PIN/TAN list
- Banks provide limited financial liability
- User approves and certifies the personal data released

Banks as Commercial IdPs
- 10+ banks
- Commercial service
- Contracts between SP and each bank required, typically including establishment fees, monthly fees and transaction fees
- Similar process to Verified by Visa etc.

Familiar process
1. User accesses service provider
2. Selects a bank
3. Redirect, authenticates at bank
4. Redirect, returns to service

Bank authentication

Indexed TAN

Attribute release consent

Telcos as Commercial IdPs for eGov
- Commercial Wireless PKI (MPKI, WPKI) service launched
- Named Mobiilivarmenne (Mobile Certificate)
- Supported by 3 out of 4 national telcos
- Competing with the TUPAS service

Telcos as Commercial IdPs
- Long history: previous studies and commercial trials, commencing around 2003, to use the national ID in the mobile had failed
- New business model, purely commercial
- Requires a government-issued CA license with stringent auditing
- Application embedded in the SIM (SIM Application Toolkit application)

Two Profiles
- Authentication
- Signing (non-repudiation)
- Unique PIN codes for each type
- PIN codes distributed on the SIM package behind a scratch layer
- User can change own PINs through the SIM menu

Old and new phones alike

Changing PIN codes

Telcos as Commercial IdPs
- Works while roaming (SMS-based transport)
- Pricing for end users: Elisa 0.09 per transaction (free until Nov 2011); other telco pricing unknown
- Pricing for SP services: unpublished
- Expected adoption for C2G services in 2011

Process Flow (A)
1. User accesses service provider application
2. User enters a telephone number and optional anti-spam code
3. The request is sent to the operator
4. User is notified on the phone of the signing request
5. User verifies that the session identifier on the phone matches what is on screen
6. User reads any other binding text in the request
7. User presses OK to accept the request
8. User enters PIN code
9. The request is signed on the phone and sent to the operator
10. Operator returns user identity and possible attributes
11. Access to the application is granted

Process Flow (B)
1. User accesses service provider application
2. User enters username (and optionally password)
3. RP retrieves the existing phone number and the request is sent to the operator
4. User is notified on the phone of the signing request
5. User verifies that the session identifier on the phone matches what is on screen
6. User reads any other binding text in the request
7. User presses OK to accept the request
8. User enters PIN code
9. The request is signed on the phone and sent to the operator
10. Operator returns user identity and possible attributes
11. Access to the application is granted
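Both process flows above, simulated end to end as an added example (this is not code from the presentation, from Ubisecure or from any operator): a relying party creates the session identifier and shows it on screen, the operator relays the request to the SIM applet, the applet signs only after the user has compared the identifier and entered the authentication PIN, the operator verifies the signature against the registered key before releasing the identity, and the relying party binds the returned identity to its own session. The ed25519 key standing in for the SIM's authentication key and certificate, the four-digit session identifier, the canonical message layout, and the sample phone number, name and PIN are all assumptions; the page does not specify them. The two flows differ only in how the phone number reaches the relying party, so the same Login covers both.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed sample subscriber; phone number, name and PIN are hypothetical.
const (
	samplePhone = "+358401234567"
	sampleName  = "Example Subscriber"
	samplePIN   = "1234"
)

// canonical is the byte string the SIM signs: session identifier plus the
// binding text shown to the user, under a label for the authentication profile
// (assumed layout, not the ETSI MSS wire format).
func canonical(sessionID, bindingText string) []byte {
	return []byte("MSS-AUTH\n" + sessionID + "\n" + bindingText)
}

// SIM stands in for the SIM Toolkit applet holding the authentication key.
// It signs only if the user accepts (identifier matches the screen) and
// enters the correct authentication PIN.
type SIM struct {
	authKey ed25519.PrivateKey
	pin     string
}

func (s *SIM) SignRequest(sessionID, bindingText, screenShows, enteredPIN string) ([]byte, error) {
	if sessionID != screenShows {
		return nil, errors.New("user rejected request: identifier on phone does not match screen")
	}
	if subtle.ConstantTimeCompare([]byte(enteredPIN), []byte(s.pin)) != 1 {
		return nil, errors.New("wrong authentication PIN")
	}
	return ed25519.Sign(s.authKey, canonical(sessionID, bindingText)), nil
}

// subscriber is the operator-side record; the registered public key plays
// the role of the subscriber's authentication certificate.
type subscriber struct {
	sim  *SIM
	pub  ed25519.PublicKey
	name string
}

// Operator relays the request to the phone, verifies the returned signature
// against the registered key, and only then releases the identity.
type Operator struct{ subs map[string]subscriber }

type AuthResult struct{ Identity, SessionID string }

func (o *Operator) Authenticate(phone, sessionID, bindingText, screenShows, pin string) (AuthResult, error) {
	sub, ok := o.subs[phone]
	if !ok {
		return AuthResult{}, errors.New("unknown subscriber")
	}
	sig, err := sub.sim.SignRequest(sessionID, bindingText, screenShows, pin)
	if err != nil {
		return AuthResult{}, err
	}
	if !ed25519.Verify(sub.pub, canonical(sessionID, bindingText), sig) {
		return AuthResult{}, errors.New("signature does not verify against registered key")
	}
	return AuthResult{Identity: sub.name, SessionID: sessionID}, nil
}

// RelyingParty is the service provider: it creates the session identifier,
// shows it on screen, and binds the returned identity to that identifier.
type RelyingParty struct {
	op   *Operator
	name string
}

// newSessionID returns a short random code for the user to compare
// (four digits is an assumption; the presentation does not give the format).
func newSessionID() (string, error) {
	var b [4]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return fmt.Sprintf("%04d", binary.BigEndian.Uint32(b[:])%10000), nil
}

// Login runs one authentication. screen models what the user's browser shows
// (identity function in the honest case; anything else models a relayed or
// spoofed page) and pin is what the user types on the phone.
func (rp *RelyingParty) Login(phone string, screen func(string) string, pin string) (string, error) {
	sessionID, err := newSessionID()
	if err != nil {
		return "", err
	}
	res, err := rp.op.Authenticate(phone, sessionID, "Login to "+rp.name, screen(sessionID), pin)
	if err != nil {
		return "", err
	}
	if res.SessionID != sessionID { // response must belong to this login session
		return "", errors.New("operator response does not belong to this session")
	}
	return res.Identity, nil
}

// Setup provisions one subscriber and one relying party with a fresh key pair.
func Setup() (*RelyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	op := &Operator{subs: map[string]subscriber{
		samplePhone: {sim: &SIM{authKey: priv, pin: samplePIN}, pub: pub, name: sampleName},
	}}
	return &RelyingParty{op: op, name: "example-service"}, nil
}

func main() {
	rp, err := Setup()
	if err != nil {
		panic(err)
	}
	id, err := rp.Login(samplePhone, func(s string) string { return s }, samplePIN)
	fmt.Println("honest login:", id, err)
	_, err = rp.Login(samplePhone, func(string) string { return "other page" }, samplePIN)
	fmt.Println("identifier mismatch:", err)
}
```

The mismatch case is the point of step 5 in both flows: if the code the phone shows is not the one on the page the user is looking at, the request was not started by that page, and the applet never produces a signature. Separately, the relying party checks that the operator's answer carries its own session identifier, so an identity released for some other session cannot be accepted by mistake.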

Standards
- Ficom, Finnish Federation for Communications and Teleinformatics
- ETSI MSS (Mobile Signature Service)
- ETSI MSS TS , TR , TS

Service Provider Integration
- Operator-provided API: ETSI MSS interface
- TUPAS Proxy (emulates the banking protocol)
  - Hosted by Service Provider
  - Operated by Telco
- SAML IdP Proxy
  - Hosted by Service Provider
  - Operated by Telco

Architecture

SAML2 SAML IdP Proxy

Architecture SAML2 SAML IdP Proxy SAML Service Provider

Authentication during a call
- System permits a telephone operator (or automated IVR system) to perform an authentication request during a voice call
- The SIM Toolkit application does not interrupt the call
- E.g. obtaining blood test results from a clinic

Commercial Identity Providers
- Banks: TUPAS
- Telcos: Mobile Certificate
- Government: eID Card

Summary
- Commercial rollout of mobile certificates has begun
- Standards-based architecture (ETSI MSS)
- Operator roaming thanks to federation
- One service agreement for the relying party
- Leverages existing identity value
- Ready market of existing services ready to adopt
- Competitive identity market

Questions / Discussion