SESSION D: What You Know - What You Have - What You Are: The Role of Hardware Technologies to Provide Identity Assurance BELGIUM’s Experience Washington.


SESSION D: What You Know - What You Have - What You Are: The Role of Hardware Technologies to Provide Identity Assurance. BELGIUM's Experience. Washington - September 27th, 2010. Frank LEYMAN. © fedict All rights reserved

MARKETING RULE: “NEVER OUTSOURCE YOUR CORE PRODUCT” 05/05/2009 | Bruxelles

Citizen Centricity (architecture diagram): common back-office, common process flow, common key modules, e-applications and tools. Key modules shown: Mandates, Attributes, Delegation, Roles.

ONLINE APPROACH (architecture diagram): a security layer in front of Ministry A, Ministry B, Ministry C ... Ministry Z; FEDMAN; Federal Service Bus; National Portal; Website Building Blocks.

The eID Project > Provides Belgian Citizens with an electronic identity card. > Gives Belgian Citizens a device to claim their identity in the new digital age.

eID Digital Information (diagram of the card contents)
> Usable without PIN: the IDENTITY data, i.e. the ID file and the ADDRESS file, each carrying an RRN (National Register) signature.
> "PIN protected": the authentication key pair and the digital signature key pair (PKI: a private and a public key for each).

eID Functionalities
> Authentication
> Identification
> Electronic signature
> Visual identification

eID Information
Visual identification of the card holder
> From a visual point of view the same information is visible as on a regular identity card:
  the name
  the first two given names
  the first letter of the third given name
  the nationality
  the birth place and date
  the sex
  the place of issue of the card
  the start and end dates of validity of the card
  the type and number of the card
  the photo of the holder
  the signature of the holder
  the identification number of the National Register

Identification
Electronic identification of the holder
> From an electronic point of view the chip contains the same information as printed on the card, supplemented with:
  the identity (authentication) and signature keys
  the identity (authentication) and signature certificates
  the accredited certification service provider
  the information necessary for authentication of the card and integrity protection of the data
  the main residence of the holder
> No encryption certificates
> No biometric data
> No electronic purse
> No storage of other data

Security Aspects
> Outside (physical security features of the card body):
  Rainbow and guilloche printing
  Changeable Laser Image (CLI)
  Optical Variable Ink (OVI)
  Alphagram
  Relief and UV print
  Laser engraving

Chip specifications
> Block diagram: CPU, ROM (operating system), Crypto (DES, RSA), RAM (memory), EEPROM (file system = applications + data), I/O. Software stack: "GEOS" JVM running the "Belpic" applet, which holds the ID data, keys and certificates.
> Chip characteristics: Cryptoflex JavaCard 32K
  CPU (processor): 16-bit microcontroller
  Crypto-processor: 1100-bit crypto engine (RSA computation); 112-bit crypto accelerator (DES computation)
  ROM (OS): 136 kB (GEOS JRE)
  EEPROM (applications + data): 32 kB (Belpic applet)
  RAM (memory): 5 kB

Other specifications
> Directory structure: PKCS#15
> Asymmetric cryptography: public key and private key
> Signatures made with RSA and SHA-1
> eID cryptographic algorithm: RSA

Data Specifications
> Directory structure (PKCS#15)
  Dir (BelPIC): certificates and keys (PIN-code protected)
    private and public key, CA: 2048 bits
    private and public key, citizen: 1024 bits
    signatures made with RSA and SHA-1
    all certificates conform to the X.509 v3 standard format (to be used by generic applications):
      Microsoft CryptoAPI (Windows)
      PKCS#11 (UNIX/Linux and MacOS)
  Dir (ID): contains the full identity information
    first name, last name, etc.
    address
    picture
    etc.
    proprietary format (to be used by dedicated applications only)
> File tree as drawn on the slide: BelPIC: Auth Key, Sign Key, Auth Cert, Sign Cert, CA Cert, Root Cert, Card Key ...; ID: ID, ADR, PIC.

Public-key Cryptography
> Asymmetric cryptography: public key and private key
> eID cryptographic algorithm: RSA

X.509 Certificate (fields shown on the slide): DN (unique name of the holder), Serial #, Start, End, CRL, Key (public key of the holder), Attrib, CA DN. Signed by the CA that issued the certificate.
> Is a signed digital statement.
> Links a person to a key via a trusted party (CA).

PKI Trust Hierarchy (diagram)
> Belgium Root, shown twice: "SelfSign Belgium Root" and "RootSign Belgium Root".
> Citizen CA (with CRL): issues the citizen Client Auth and Elec Sign certificates.
> Gov CA (with CRL): issues Server Cert and Object Cert.
> Administrative branch: Card Admin, Cert Admin, Client Cert Admin, CA Hierarchy Admin (with CRL), Admin Auth/Sign.
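The hierarchy, the X.509 fields and the per-CA CRLs of the last three slides, modelled as an added example in Go (this is not Fedict's code and uses no real card data): it issues a Belgium Root, a Citizen CA and one authentication and one signature certificate, then shows what a relying party such as a TLS server must check: the extended key usage (the signature certificate is refused for client authentication, which is the point of keeping two key pairs), and the CRL's own signature before its contents are trusted. Names, serials, validity periods, the CRL URL and the signature certificate's emailProtection EKU are assumptions. Certificates are signed with SHA-256 rather than the SHA-1 named on the slide, because current Go (like most current verifiers) refuses to verify SHA-1-signed certificates.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is an in-memory model of the slide's Belgium Root -> Citizen CA -> {Auth, Sign} chain.
// Names, serials, validity, the CRL URL and the sign certificate's EKU are assumptions for this
// example, not values from the real Belgian hierarchy.
type Hierarchy struct {
	Root, CitizenCA, Auth, Sign *x509.Certificate
	caKey                       *rsa.PrivateKey // Citizen CA private key, needed to sign CRLs
}

const caKU = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template fills the slide's certificate fields (DN, serial, start, end, CRL, key usage).
func template(serial int64, cn string, ca bool, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"BE"}, CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(5 * 365 * 24 * time.Hour), // assumed validity
		BasicConstraintsValid: true,
		IsCA:                  ca,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
		CRLDistributionPoints: []string{"http://crl.example.invalid/citizen.crl"}, // placeholder
	}
}

// issue signs t with the signer's key under parent (self-signed when parent is nil).
// Go signs with SHA-256 here; the 2010 card used SHA-1, which current verifiers reject.
func issue(t, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = t
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildHierarchy generates fresh keys and issues the three-level chain.
func BuildHierarchy() *Hierarchy {
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	authKey := must(rsa.GenerateKey(rand.Reader, 1024)) // citizen keys: 1024 bits per the slide
	signKey := must(rsa.GenerateKey(rand.Reader, 1024))

	root := issue(template(1, "Belgium Root CA (example)", true, caKU), nil, &rootKey.PublicKey, rootKey)
	ca := issue(template(2, "Citizen CA (example)", true, caKU), root, &caKey.PublicKey, rootKey)
	// Authentication certificate: digitalSignature + clientAuth, what TLS client auth needs.
	auth := issue(template(3, "Citizen (Authentication)", false, x509.KeyUsageDigitalSignature,
		x509.ExtKeyUsageClientAuth), ca, &authKey.PublicKey, caKey)
	// Signature certificate: contentCommitment (nonRepudiation); emailProtection EKU is assumed.
	sign := issue(template(4, "Citizen (Signature)", false, x509.KeyUsageContentCommitment,
		x509.ExtKeyUsageEmailProtection), ca, &signKey.PublicKey, caKey)
	return &Hierarchy{Root: root, CitizenCA: ca, Auth: auth, Sign: sign, caKey: caKey}
}

// VerifyFor builds the chain leaf -> Citizen CA -> Root and checks it for one extended key usage,
// as a TLS server (or the Fedict reverse proxy) does when a citizen authenticates with the card.
func VerifyFor(h *Hierarchy, leaf *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(h.Root)
	inters.AddCert(h.CitizenCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

// IssueCRL has the Citizen CA publish a CRL listing the given certificates as revoked.
func IssueCRL(h *Hierarchy, revoked ...*x509.Certificate) *x509.RevocationList {
	now := time.Now()
	t := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		t.RevokedCertificates = append(t.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	der := must(x509.CreateRevocationList(rand.Reader, t, h.CitizenCA, h.caKey))
	return must(x509.ParseRevocationList(der))
}

// IsRevoked verifies the CRL's signature against the Citizen CA before trusting its contents.
func IsRevoked(h *Hierarchy, crl *x509.RevocationList, leaf *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(h.CitizenCA); err != nil {
		return false, err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	h := BuildHierarchy()
	fmt.Println("auth cert for clientAuth:", VerifyFor(h, h.Auth, x509.ExtKeyUsageClientAuth))
	fmt.Println("sign cert for clientAuth:", VerifyFor(h, h.Sign, x509.ExtKeyUsageClientAuth))
	revoked, err := IsRevoked(h, IssueCRL(h, h.Sign), h.Sign)
	fmt.Println("sign cert revoked:", revoked, err)
}
```

The second Println reports an incompatible key usage error: a certificate issued for non-repudiation signatures must never be accepted to log a citizen in, otherwise a web login could be replayed as a legally binding signature (or the reverse). The CRL check fails closed: a CRL whose signature does not verify against the issuing CA is an error, not "not revoked".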

Signature Standards
> The features of a non-repudiation signature drive the need for open signature standards.
> XML signatures supported:
  ODF (OpenOffice 3.2)
  OOXML (Microsoft)

Fedict eID Middleware
> Software for using the eID card on a PC
  Identification (GUI tool + SDK)
  Authentication/signature modules: PKCS#11, CSP, tokend
> Platforms:
  Windows: XP, Vista
  Linux: Fedora, OpenSUSE, Debian
  Mac

Fedict Reverse Proxy
> Used to authenticate a person via eID towards a web application over SSL (client-certificate authentication with the card's authentication certificate).

TRUST

EU pilots that work on cross-border interoperability

OUR OBJECTIVES:
> To be vendor agnostic
> To be hardware agnostic
> To give the citizen the choice of access tool
> To follow open standards

Thank you! FRANK LEYMAN, Manager International Relations, Maria-Theresiastraat 1/3, 1000 Brussels (Bruxelles/Brussel)