eID: the Belgian Electronic Identity Card
Jan Deprest, Vlaanderen – OND-MVG – e-government
What is e-Government?
> NOT about the government
> HOWEVER, it is about the government's customers: citizens, businesses, civil servants
e-Government principles
> total solution
> transparent (hide the internal organisation)
> "I will say it only once": Unique Data Source (Virtual Government)
> limit the administrative formalities
> no extra cost
> privacy
> no digital divide
Architecture & building blocks (architecture diagram; labels: SECURITY & PRIVACY, FEDMAN, UME, OTHER AUTHORITIES, OTHER INSTITUTIONS, FPS, Connected government, PORTAL, AUTHENTIC SOURCES, USER MGT)
eID - basics
> A new ID card with the format of a bank card and a powerful chip
Purpose of the eID project
> Proof of identity
> Signature tool
> To give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures
Which information? (visual identification of the holder)
> From a visual point of view the same information will be visible as on the current identity card:
  - the name
  - the first two Christian names
  - the first letter of the third Christian name
  - the nationality
  - the birth place and date
  - the sex
  - the place of delivery of the card
  - the begin and end date of validity of the card
  - the denomination and number of the card
  - the photo of the holder
  - the signature of the holder
  - the identification number of the National Register
> Identical functionality to the current identity card
Which information? (electronic identification of the holder)
> From an electronic point of view the chip will contain the same information as printed on the card, completed with:
  - the identity and signature keys
  - the identity and signature certificates
  - the accredited certification service provider
  - information necessary for authentication of the card and securing of the electronic data
  - the main residence of the holder
> (Currently) no encryption certificates
> No biometric data (yet)
> No electronic purse
> No storage of other data
Distribution of the eID: how and where? (process diagram with steps numbered 1 to 13; actors: the municipalities (face-to-face identification), the National Register, VRK, CM/CP/CI, CA, ECA, Bull; the citizen receives a PIN & PUK1 code; a sample card image is shown)
eID - chip
eID, welcome to the e-world!
Contents of the chip (diagram; labels: ID, ADDRESS, authentication, digital signature, each carrying an "RRN SIGN" marker; PKI, IDENTITY)
eID: the main e-functionalities
> authentication
> data capture
> digital signature
Data capture
> faster data capture: data can be read directly from the card and stored in a particular system
> more accurate data capture: no more manual re-entry, a less error-prone process
> more efficient data capture: faster processing of information
Authentication
> log on to web sites (SSO)
> container park
> library
> swimming pool
> access control
> …
Signature (diagram: Alice signs, Bob verifies against the CRL)
Alice (sender):
> 1. Compose message
> 2. Compute hash
> 3. Generate signature
> 4. Collect signature
> 5. Collect certificate
> 6. Send message
Bob (receiver):
> 1. Receive message
> 2. Inspect certificate
> 3. Check CRL/OCSP
> 4. Check certificate
> 5. Fetch public key
> 6. Fetch signature
> 7. Compute reference hash
> 8. Hash, signature, public key match? (matching triplet?)
eID - PKI
Public Key Infrastructure
Trust Hierarchy (diagram: the self-signed Belgium Root, publishing an ARL, at the top; beneath it the Citizen CA, Gov CA and Admin CA, each publishing a CRL; leaf certificate types: Client Auth, Elec Sign, Data Crypt, Server Cert, Object Cert, Card Admin, Cert Admin, Admin Auth/Sign)
Certificates
> Citizen's certificates & keys
  - Authentication certificate & key pair (1024 bits): provide strong authentication (access control, web site authentication, single sign-on (login), etc.)
  - Signature certificate & key pair (1024 bits): provide non-repudiation (electronic signature equivalent to a handwritten signature: document signing, form signing, etc.)
  - (Encryption certificate & key pair): foreseen at a later stage; private key backup/archiving
> (chain diagram; labels: Auth/Sign, Citizen CA, Belgium Root CA, Crypt, Citizen CA)
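The Signature slide above lists Alice's six signing steps and Bob's eight verification steps, and the Certificates slide says the signature certificate is issued by the Citizen CA. The following is an added walk-through of that flow, not code from the eID project or its toolkits. It uses textbook RSA with a constructed key built from two Mersenne primes and no padding (so it shows the flow only and is not a usable key), a plain dict standing in for the X.509 certificate, and a constructed CRL; all names, serial numbers and dates are assumptions.

```python
"""Toy walk-through of the eID signature flow: Alice hashes and signs, Bob
inspects the certificate, checks the CRL, fetches the public key, recomputes
the hash and checks that hash, signature and public key match.

Constructed example, not the eID project's code.  Textbook RSA without padding
on a constructed key: demonstrates the flow only, never use as a real key."""
import hashlib
from typing import Dict, Optional, Set, Tuple

# Constructed key pair: n must exceed 2**256 so a SHA-256 digest fits below it.
P = 2**521 - 1                     # Mersenne prime M521
Q = 2**127 - 1                     # Mersenne prime M127
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

# Stand-in for Alice's X.509 signature certificate, issued by the Citizen CA.
# Dates are ISO strings so they compare correctly as text (constructed values).
ALICE_CERT: Dict = {
    "subject": "Alice",
    "issuer": "Citizen CA",
    "serial": 1001,
    "not_before": "2004-01-01",
    "not_after": "2009-01-01",
    "public_key": (N, E),
    "key_usage": "nonRepudiation",  # signature certificate, not the authentication one
}

# Constructed CRL of the Citizen CA: serial numbers of revoked certificates.
CITIZEN_CA_CRL: Set[int] = {2002, 3003}


def compute_hash(message: bytes) -> int:
    """Alice step 2 and Bob step 7: SHA-256 digest of the message as an integer."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key: Tuple[int, int]) -> Dict:
    """Alice steps 1-6: hash, generate signature, collect signature and
    certificate into the envelope that is sent to Bob."""
    n, d = private_key
    signature = pow(compute_hash(message), d, n)   # step 3 (toy RSA, no padding)
    return {"message": message, "signature": signature, "certificate": ALICE_CERT}


def check_certificate(cert: Dict, crl: Set[int], today: str) -> Optional[str]:
    """Bob steps 2-4: inspect the certificate, consult the CRL, validate it.
    Returns a reason string on failure, None when the certificate is acceptable."""
    if cert["issuer"] != "Citizen CA":
        return "unexpected issuer"
    if cert["serial"] in crl:
        return "certificate revoked"
    if not (cert["not_before"] <= today <= cert["not_after"]):
        return "certificate outside validity period"
    if cert["key_usage"] != "nonRepudiation":
        return "certificate is not a signature certificate"
    return None


def verify(envelope: Dict, crl: Set[int] = CITIZEN_CA_CRL,
           today: str = "2005-06-01") -> Tuple[bool, str]:
    """Bob steps 1-8: receive, check the certificate, fetch public key and
    signature, recompute the reference hash and test the triplet."""
    cert = envelope["certificate"]
    problem = check_certificate(cert, crl, today)
    if problem:
        return False, problem
    n, e = cert["public_key"]                            # step 5
    signature = envelope["signature"]                    # step 6
    reference_hash = compute_hash(envelope["message"])   # step 7
    if pow(signature, e, n) != reference_hash:           # step 8
        return False, "hash, signature and public key do not match"
    return True, "signature valid"


if __name__ == "__main__":
    env = sign(b"I agree to the contract", (N, D))
    print(verify(env))
    env["message"] = b"I agree to the contract, plus a clause I never signed"
    print(verify(env))
```

Each failure path corresponds to one of Bob's checks on the slide: a revoked serial stops at step 3, a certificate outside its validity period at step 4, and an altered message at step 8, where the recomputed hash no longer matches what the public key recovers from the signature.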
Trust Services (diagram; labels: Request, Auth/Sign, Validate, Register, Population Registry, Secure Sites, Municipality, XKMS, OCSP, CA Factory, Citizens, CPS, SLA)
eID - toolkit
Let's make use of the power of the eID!
eID-toolkits
> Two toolkits are under development:
  - GUI + PKCS#11 libraries: reading, printing, validating and visualising the contents of the eID chip
  - authentication proxy: easy authentication on multiple platforms
> Purpose is to hide internal card changes
> Labelling should be straightforward if applications use the toolkits
> Both toolkits are free of charge
> Distribution through the federal portal (Projecten eID) – RELEASED
eID-toolkits (GUI screenshots): Identity, Library, Certificates, Card & PIN, Options
eID - labelling
eID compliance label
> Requirements:
  - For citizens: get confidence in the practices of service providers regarding eID usage (e.g. privacy)
  - For service providers: demonstrate that best practices are indeed applied regarding eID usage (e.g. fraud)
> Inspired by two industry standards (WebTrust for eCommerce sites, SysTrust for eTransaction systems):
  - Lots of auditors available
  - For service providers: easy to extend a WebTrust/SysTrust accreditation to be eID compliant
  - For auditors: easy to extend a WebTrust/SysTrust license to become an eID compliance agent
  - Fast & rather cheap compared to other schemes
  - Not mandatory (but no eID liability otherwise)
> Trust Services
eID-label
> Labelling procedure for card readers and applications: creating trust for citizens, a legal basis for the government and branding for enterprises
> Based on industry standards
> Currently being worked out in cooperation with Banksys, CBSS
eID - applications
Only the developers' creativity will limit the usage of the eID card.
Home & Work
> Office tools
  - login (local PC & network)
  - logon (other services)
  - data & program confidentiality
  - forms
  - …
Administration
> Federal: TAX-ON-WEB, VAT, DIV, …
> Municipalities: marriage, house, kids, school, library, swimming pool, container parks, …
Telecom
> Telephony: reloadable & account cards, GSM cards ==> UMTS/i-mode
> Television: Pay-TV decryption cards
> Post: registered mail over the internet
> Internet: VOIP (voice over IP), i-mode
Finance
> Identification: netbanking (userID/tokens), bank counter (bank agency), insurance contract (signature)
> Payment: credit cards, debit cards, electronic purse
Healthcare
> Insurance: MediCard (contract)
> Hospital: private data (hospital card, etc.), health/emergency data (blood group, etc.)
> Reimbursement: SIS card, pharmacy, doctors
Transport
> Public transport: ticketing, in-flight entertainment
> Parking: access, tolling
> Gas & Fuel: fuel cards, loyalty cards
Retail & Delivery
> Loyalty programs: points collection, online gift selection
> Payment: credit contract signature, payment system (domiciliation)
> Home delivery: online orders, data capture & digital signature
The sky is the limit!
> home banking, online opening of accounts, …
> proof of membership, SSO, …
> healthcare
> driver's licence
> student cards, e-learning, …
> e-commerce
> …
Q&A
Rue Marie Thérèse 1/3 – Maria-Theresiastraat 1/3, 1000 Bruxelles – Brussel (TEL / FAX)