Presentation is loading. Please wait.

Presentation is loading. Please wait.

September 11 th 2013 Open Identity Summit 2013, Kloster Banz Marcel Selhorst Cloud-based provisioning of qualified certificates for the German ID card.

Published byMike Coppler Modified over 10 years ago

Similar presentations

Presentation on theme: "September 11 th 2013 Open Identity Summit 2013, Kloster Banz Marcel Selhorst Cloud-based provisioning of qualified certificates for the German ID card."— Presentation transcript:

1 September 11 th 2013 Open Identity Summit 2013, Kloster Banz Marcel Selhorst Cloud-based provisioning of qualified certificates for the German ID card

2 Agenda Overview: the German eID card (nPA) Post Issuance Process Security Goals and Measures Status quo and future developments Live-Demo September 11 th 2013Open Identity Summit 20132

3 Overview: The German ID Card provides classic visual identification as well as online authentication secured by EAC 2.0 Three applications on smartcard: September 11 th 2013Open Identity Summit 20133 ePass (ICAO compliant - sovereign use only) fast electronic access to id data by sovereign agencies within the European Union contains MRZ data, image and optionally fingerprints eID (Application for electronic identification - optional) online- and offline-Identification pseudonym Login-Functionality anonymous age and place verification eSign (Application for qualified electronic signatures - optional) legally binding signatures for electronic documents (QES) online and offline usable initially inactive

4 sign-me and the new ID Card enable for the first time on-the-fly post-issuance key generation and certification on an SSCD! eSign Application: what you want September 11 th 2013Open Identity Summit 20134 Using the German ID card as a secure signature creation device (SSCD) Legally equal to personal signature Full control by the citizen Signature key is generated and stored on ID card Immediate online transmission of the generated certificate to the ID Card Deletion of the generated signature key under control of the citizen Unlimited (re-)generation of signature keys possible Different certificate validity periods possible (e.g., < 1 year up to 10 years) All advantages of digital signatures in existing business processes are maintained

5 sign-me: the standard of tomorrow September 11 th 2013Open Identity Summit 20135 Signature Process from the citizens point of view: one-time registration receiving unique access code generate key pair and load certificate electronically sign documents one-time registration for all certificates requires eID to read personal data easy handling identic layout independent of the service provider selling the certificates grouping of processes one solution for many processes by grouping the required components into one online application offline signature creation already 5 different signature application components available supporting sign-me uncomplicated workflow users are guided through the necessary steps to ease the overall loading process All advantages at a glance

6 Preliminary Actions The following preparations are required before starting the certification process: 1.Buy a Comfort Reader: Standard reader with display, keypad and security module for secure key storage required for signature PIN management required for generation of qualified signatures 2.Buy a certificate from an affiliated online shop Certificates are not sold by the Bundesdruckerei directly but rather by affiliated online shops (currently: card reader manufacturer Reiner SCT) 3.Register online to obtain a re-usable authorization code Ensures that even in case of theft only the legitimate card holder can initiate the certification process. September 11 th 2013Open Identity Summit 20136

7 Registration using eID September 11 th 2013Open Identity Summit 20137 eID Service User with browser, ID card and AusweisApp 3 1 2 4 5

8 Post-Issuance Certification Process The Post-Issuance process consists of 1.entering the authorization code (received upon registration) 2.setting the signature PIN 3.selecting a revocation password (for the hotline) 4.loading the certificate in an enhanced eID session (including key generation) 5.confirming reception of the certificate (required by German signature law) September 11 th 2013Open Identity Summit 20138

9 Post-Issuance Certification Process September 11 th 2013Open Identity Summit 20139 eID Service 1 2 3 User with browser, ID card and AusweisApp

10 Post-Issuance Certification Process September 11 th 2013Open Identity Summit 201310 eID Service 1 2 3 4 User with browser, ID card and AusweisApp

11 Post-Issuance Certification Process September 11 th 2013Open Identity Summit 201311 eID Service 1 2 3 4 5 User with browser, ID card and AusweisApp

12 Post-Issuance Certification Process September 11 th 2013Open Identity Summit 201312 eID Service 1 2 3 4 5 6 User with browser, ID card and AusweisApp

13 Post-Issuance Certification Process September 11 th 2013Open Identity Summit 201313 eID Service 1 2 3 7 8 4 5 6 User with browser, ID card and AusweisApp

14 Security Goals and Measures of eID Protection against malicious chip access Mutual authentication between chip and terminal Protection against eavesdropping or manipulation of communication PACE: Password Authenticated Connection Establishment establishment of shared secret by EC-DH via PIN, CAN or MRZ establishment of a symmetric encrypted channel using AES Protection against unauthorized access to stored data Access Rights are granted by Federal Office of Administration (BVA) fine granular access rights to dedicated data groups and applications can be further limited by the citizen upon each access Assurance of Authenticity of the service provider Short lived certificate Authentication Certificate is provided to the eID Card Contains terminals access rights Data avoidance and data economy 26.02.2013Embedded World 2013 14

15 Security Goals and Measures of sign-me stolen ID cards can be revoked temporarily or permanently certificates are revoked automatically certificates expire along with ID card the cards authenticity and the citizens identity are checked before generating the certificate using one single eID session for key generation export of signature verification key certificate generation and storage on card ensures a strong binding between certificate, public key and ID card Signing Key Pair Algorithm: ECDSA with Brainpool P256r1 curve September 11 th 2013Open Identity Summit 201315

16 Status quo and future developments System is currently in pilot phase Operational phase starting 2014 Currently in development: signature portal for Post-issuance certification quick and easy signing of electronic documents workflow easily integrable for companies (very little development required) September 11 th 2013Open Identity Summit 201316 generate document to be signed deliver document to sign-me portal user signs online signature validation incl. report document is returned to portal

17 Thank You Live-Demo Marcel Selhorst Software Architect Bundesdruckerei GmbH Telefon: +49 30 2598 3243 E-Mail: marcel.selhorst@bdr.de September 11 th 2013Open Identity Summit 201317

Download ppt "September 11 th 2013 Open Identity Summit 2013, Kloster Banz Marcel Selhorst Cloud-based provisioning of qualified certificates for the German ID card."

Similar presentations

1 NETaction NETaction Customer Satisfaction Manager By Daniels Associates Inc.

1 NETaction NETaction Customer Satisfaction Manager By Daniels Associates Inc.
© fedict 2008. All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.

© fedict All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.
Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.

Confidential 1 Phoenix Security Architecture and DevID July 2005 Karen Zelenko Phoenix Technologies.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
28.05.20131Fundamental Digital Electronics. 28.05.20132Fundamental Digital Electronics.

Fundamental Digital Electronics Fundamental Digital Electronics.
Taxpayers registration and e-services provided by the Estonian Tax and Customs Board Karin Aleksandrov Chief Expert Service Management Department.

Taxpayers registration and e-services provided by the Estonian Tax and Customs Board Karin Aleksandrov Chief Expert Service Management Department.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide

Installation & User Guide
Internet Basics and Information Literacy

Internet Basics and Information Literacy
How to Build a REST API Using ASP.NET Web API Fernando Cardenas 10/8/20131.

How to Build a REST API Using ASP.NET Web API Fernando Cardenas 10/8/20131.
Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Micro Risk Why do we clean so often? Does the cleaning make the product safer? Process Improvement & Product Services September 20131.

Micro Risk Why do we clean so often? Does the cleaning make the product safer? Process Improvement & Product Services September
20&27 May 2013 1. Agenda 1.Highlight the difference between system flow of e- Invoice and paper invoice – 15 minutes 2.Demonstrate the operation procedure.

20&27 May Agenda 1.Highlight the difference between system flow of e- Invoice and paper invoice – 15 minutes 2.Demonstrate the operation procedure.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.

Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Department of Labor HSPD-12

Department of Labor HSPD-12
ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.

ESign-Online Digital Signature Service February 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Similar presentations

Ads by Google