Copyright © FEDICT 2004. All rights reserved eID : The Belgian Electronic Identity Card Bart SIJNAVE Microsoft eID Awareness Program Brussels, 24 juni.

Slides:



Advertisements
Similar presentations
© fedict All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.
Advertisements

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Digital Certificate Installation & User Guide For Class-2 Certificates.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
A l a d d i n. c o m eToken NG-OTP Combined PKI - OTP Authentication Solution November, 2008.
Chap 2 System Structures.
Operating-System Structures
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Security and Interoperability Danny De Cock January 16th, 2012 Moldova Slides: godot.be/slidesgodot.be/slides.
Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
EID: the Belgian Electronic Identity Card Jan Deprest Vlaanderen – OND-MVG –
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
FIT3105 Smart card based authentication and identity management Lecture 4.
Designing and Implementing Secure ID Management Systems: BELGIUM’s Experience Washington - September 27 th, 2010 Frank LEYMAN © fedict All rights.
X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
SESSION D: What You Know - What You Have - What You Are: The Role of Hardware Technologies to Provide Identity Assurance BELGIUM’s Experience Washington.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Computer Science Public Key Management Lecture 5.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Page 1 Sandboxing & Signed Software Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Copyright © FedICT All rights reserved Belgian Electronic Identity Card (BELPIC) Ir. Olivier LIBON. Microsoft EAP – Government & Education 7 April.
European Electronic Identity Practices Country Update of Spain Date: 26 May 2005.
Lecture 9: Security via PGP CS 436/636/736 Spring 2012 Nitesh Saxena.
Masud Hasan Secure Project 1. Secure It uses Digital Certificate combined with S/MIME capable clients to digitally sign and.
Secure r How do you do it? m Need to worry about sniffing, modifying, end- user masquerading, replaying. m If sender and receiver have shared secret.
Epayment System using Java April, Computer Security and Electronic Payment System Cho won chul Kim Hee Dae Lee Jung Hwan Yoon Won Jung.
© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. Code Signing Distributing trustworthy software over the Internet.
The Windows NT ® 5.0 Public Key Infrastructure Charlie Chase Program Manager Windows NT Security Microsoft Corporation.
TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts Chapter 2: Operating-System Structures Operating.
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
1 Apache and Virtual Sites and SSL Dorcas Muthoni.
ArcGIS Server and Portal for ArcGIS An Introduction to Security
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Module 9: Fundamentals of Securing Network Communication.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
Cryptography and Network Security (CS435) Part Twelve (Electronic Mail Security)
Using Encryption with Microsoft SQL Server 2000 Kevin McDonnell Technical Lead SQL Server Support Microsoft Corporation.
Zetes : Be eID applications & readers Belgian eID : applications & card readers Microsoft Event June Bart Symons
Security Many secure IT systems are like a house with a locked front door but with a side window open -somebody.
Belgian EID Card 15/12/2004 Derette Willy eID program manager.
EID Awareness Session for Financial Services Microsoft’s initiatives related to Electronic Identity Card (eID) eID Excitement Wave for Financial Services.
Creating and Managing Digital Certificates Chapter Eleven.
Deck 10 Accounting Information Systems Romney and Steinbart Linda Batch March 2012.
The social, economical and political impact of the eID Jan DEPREST – L-SEC – 19-may-2005.
PAYware Transact Terminal Interface Manager
Digital Signatures and Digital Certificates Monil Adhikari.
Copyright Statement Copyright Robert J. Brentrup This work is the intellectual property of the author. Permission is granted for this material to.
Citizen Centric Public Service Delivery: the Belgian approach TAIEX Multi-country seminar on eGovernment - April 27 th, 2010 Session: Putting public services.
Security. Security Needs Computers and data are used by the authorized persons Computers and their accessories, data, and information are available to.
Security is one of the most widely used and regarded network services
Chapter 2: System Structures
Product Manager, Keon PKI
Basic Network Encryption
Using SSL – Secure Socket Layer
CERN Certificates platform Emmanuel Ormancey / Anatoly Gladkov
Secure Electronic Transaction (SET) University of Windsor
X-Road as a Platform to Exchange MyData
K!M SAA LOGICAL SECURITY Strong Adaptive Authentication
Basic Network Encryption
Electronic Payment Security Technologies
Presentation transcript:

Copyright © FEDICT All rights reserved eID : The Belgian Electronic Identity Card Bart SIJNAVE Microsoft eID Awareness Program Brussels, 24 juni 2004

Copyright © FEDICT All rights reserved Architecture & building blocks SECURITY & PRIVACY FEDMAN UME OTHER AUTHORITIES OTHER INSTITUTIONS FPS Connected government Connected government PORTAL PORTAL AUTHENTIC SOURCES USER MGT

Copyright © FEDICT All rights reserved eID – chip eID, welcome to the e-world !

Copyright © FEDICT All rights reserved Contents of the chip ID ADDRESS authentication digital signature RRN SIGN RRN SIGN RRN SIGN RRN SIGN PKIIDENTITY

Copyright © FEDICT All rights reserved eID : the main e-functionalities authentication data capture digital signature

Copyright © FEDICT All rights reserved eID : the main e-functionalities authentication data capture digital signature

Copyright © FEDICT All rights reserved Data capture  faster data capture data can be read directly from the card and stored in a particular system  more accurate data capture no more manual re-entrying  less error- prone process  more efficient data capture faster processing of information

Copyright © FEDICT All rights reserved eID : the main e-functionalities authentication data capture digital signature

Copyright © FEDICT All rights reserved Trust Hierarchy Card Admin Cert Admin Client Auth Elec Sign Data Crypt Client Cert Admin CA Hierar Admin CRL Citizen CA CRL Gov CA CRL SelfSign Belgium Root ARL RootSign Belgium Root Server Cert Object Cert AdminAuth/Sign

Copyright © FEDICT All rights reserved Certificates  Citizen’s certificates & keys  Authentication Certificate & key pair (1024 bits)  provide strong authentication (access control)  web site authentication  single sign-on (login)  etc.  Signature Certificate & key pair (1024 bits)  provide non repudiation (electronic signature equivalent to handwritten signature)  Document Signing  Form Signing  etc.  (Encryption Certificate & key pair)  foreseen at a later stage  private key backup/archiving AuthSign Citizen CA Belgium Root CA Crypt Citizen CA

Copyright © FEDICT All rights reserved Trust Services Request Auth/SignValidate Register Population Registry Secure Sites Municipality XKMS OCSP CA Factory Citizens CPSSLA

Copyright © FEDICT All rights reserved Authentication log on to web sites (SSO) container park library access control … swimming pool

Copyright © FEDICT All rights reserved eID : the main e-functionalities authentication data capture digital signature

Copyright © FEDICT All rights reserved Signature 1. Receive message 3. Check CRL/OCSP 5. Fetch public key 7. Compute reference hash 2. Inspect certificate 4. Check certificate 6. Fetch signature 8. Hash, signature, public key match? Matching triplet? CRL Alice hash Bob 3, Compose message3. Generate signature5. Collect certificate 2. Compute hash4. Collect signature6. Send message Alice hash Alice

Copyright © FEDICT All rights reserved eID – technicalities

Copyright © FEDICT All rights reserved Card Specifications  Standard - ISO/IEC 7816  Format & Physical Characteristics  Bank Card (ID1)  Standard Contacts & Signals  RST,GND,CLK,Vpp,Vcc, I/O  Standard Commands & Query Language (APDU)  etc.

Copyright © FEDICT All rights reserved Security  Outside  Rainbow and guilloche printing  Changeable Laser Image (CLI)  Optical Variable Ink (OVI)  Alphagram  Relief and UV print  Laser engraving  Inside SHA-1 RSA SPA/DPA/… resistent EAL5+ certified …

Copyright © FEDICT All rights reserved Chip specifications  Chip characteristics: Cryptoflex JavaCard 32K  CPU (processor): 16 bit Micro-controller  Crypto-processor:  1100 bit Crypto-Engine (RSA computation)  112 bit Crypto-Accelerator (DES computation)  ROM (OS): 136 kB (GEOS Java Virtual Machine)  EEPROM (Applic + Data): 32 KB (Cristal Applet)  RAM (memory): 5 KB CPU ROM (Operating System) Crypto (DES,RSA) RAM (Memory) EEPROM (File System= applications + data) I/O “GEOS” JVM “CRISTAL” Applet ID data, Keys, Certs.

Copyright © FEDICT All rights reserved ID Data specifications  Directory Structure (PKCS#15)  Dir (BelPIC):  certificates & keys (PIN code protected)  private and public key CA : 2048 bits  private and public key citizen: 1024 bits  Signatures put via RSA with SHA-1  all certificates are conform to X.509 v3  standard format (to be used by generic applications)  Microsoft CryptoAPI ( Windows)  PKCS#11 ( UNIX/Linux & MacOS)  Dir (ID):  contains full identity information  first name, last name, etc.  address  picture  etc.  proprietary format (to be used by dedicated applications only) BelPIC Auth Key Sign Key ID ADR PIC Auth Cert Sign Cert CA Cert Root Cert Card Key...

Copyright © FEDICT All rights reserved Middleware specifications  Card & Reader Software  Card MiddleWare  PKCS#15  ID specific applications  Card is accessed as a simple file system  No key management possible (no PIN)  for belgian police, post, banks, etc  PKCS#11  Generic applications  Only keys & Certs available via PKCS#11 API  allows authentication (& signature)  for Netscape, Linux, Unix, etc  MS-CSP  Windows applications  Only keys & certs available via MSCrypto API  allows authentication (& signature)  for Microsoft Explorer, Outlook, etc  Reader Driver/Firmware  most part is generic (orange part)  small part is specific (green part) DLL (C-reader DLL) PKCS#15 OpenSC (Generic SC Interface) PIN (pin logic library) Driver (Specific SC Reader Interface) PC/SC (Generic SC Reader Interface) I/O PKCS#11 (Certificate & Keys Management) MS-CSP (Microsoft interface) BelPIC Specific Applics Non Win Generic Applics Windows Generic Applics

Copyright © FEDICT All rights reserved Toolkit specifications  Toolkits  Data Capture Toolkit  GetIdentity  GetAddress  GetPicture  GetVersion ...  Authentication Proxy  Trigger Certificate based auth  Validate Certificate  Return Certificate Content  …  Signature Plugin  PDF/XML signature support  Validate Certificate  Verify Signature  … DLL (C-reader DLL) PKCS#15 OpenSC (Generic SC Interface) PIN (pin logic library) Driver (Specific SC Reader Interface) PC/SC (Generic SC Reader Interface) I/O PKCS#11 (Certificate & Keys Management) MS-CSP (Microsoft interface) Sign Plugin Toolkit Auth Proxy Data Capture

Copyright © FEDICT All rights reserved eID - toolkits Let’s make use of the power of eID !

Copyright © FEDICT All rights reserved eID-toolkits  Two toolkits are under development : GUI + PKCS#11 libraries : reading, printing, validating and visualising the contents of the eID chip authentication proxy : easy authentication on multiple platforms  Purpose is to hide internal card changes  Labeling should be straightforward if applications use toolkits  Both toolkits are free of charge  Distribution through federal portal (  Projecten  eID ) RELEASED

Copyright © FEDICT All rights reserved eID-toolkits

Copyright © FEDICT All rights reserved eID-toolkits : Identity

Copyright © FEDICT All rights reserved eID-toolkits : library

Copyright © FEDICT All rights reserved eID-toolkits : Certificates

Copyright © FEDICT All rights reserved eID-toolkits : Card & PIN

Copyright © FEDICT All rights reserved eID-toolkits : Options

Copyright © FEDICT All rights reserved eID - labeling

Copyright © FEDICT All rights reserved  Labeling procedure card readers applications creating trust for citizens, a legal basis for the government and branding for enterprises Based on industry standards :  Currently being worked out in cooperation with Banksys, CBSS eID-label

Copyright © FEDICT All rights reserved eID – today & tomorrow

Copyright © FEDICT All rights reserved Current status pilot phase (14/6) Over 51,150 cards distributed

Copyright © FEDICT All rights reserved Planning Q1 2004Q2 2004Q3 2004Q4 2004Q DECISION DECISION Pilot phase Target groups Evaluation pilot phase Continuous advise from and support to enterprises, citizens and authorities Installation in municipalities (578) Gradual roll-out eID Negociations 20/3

Copyright © FEDICT All rights reserved Next versions of the eID card Short term : offering the possibility of two different PINs for authentication and digital signature integrating the latest state-of-the art RSA algorithms using more international data formatting offering a more advanced status check providing a structure for using the free space on the chip Long term : biometrics encryption certificats integration of SIS card driver’s licence …

Copyright © FEDICT All rights reserved Q&A

Copyright © FEDICT All rights reserved More information you ! For more information feel free to visit