Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Austrian Governmental eDelivery System Technical Aspects Ankara, March 17th, 2015 Christian Maierhofer, EGIZ The E-Government Innovation Center is.

Published byTristin Fonner Modified over 9 years ago

Similar presentations

Presentation on theme: "The Austrian Governmental eDelivery System Technical Aspects Ankara, March 17th, 2015 Christian Maierhofer, EGIZ The E-Government Innovation Center is."— Presentation transcript:

1 The Austrian Governmental eDelivery System Technical Aspects Ankara, March 17th, 2015 Christian Maierhofer, EGIZ The E-Government Innovation Center is a joint initiative of the Federal Chancellery and Graz University of Technology

2 Christian Maierhofer, EGIZAnkara, March 17th, 2015 eGovernment Innovation Center (EGIZ) Joint initiative with the Federal Chancellery (FCA) Started in 2005 Head: R. Posch (CIO of FCA) Fields of Research: Electronic Signatures Electronic Mandates Electronic Delivery Cloud Security Interoperability eGovernment

3 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Agenda Overview – eID in Austria eDelivery – Electronic Delivery Process eDelivery – A sending application‘s perspective

4 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Agenda Overview – eID in Austria eDelivery – Electronic Delivery Process eDelivery – A sending application‘s perspective

5

6

7 Christian Maierhofer, EGIZAnkara, March 17th, 2015 The Austrian Citizen Card The term “Citizen Card” denotes a concept not a concrete implementation Technological independent The Citizen card may be implemented on the base of Smart cards, like the health insurance card (eCard) Mobile phones, like the Mobile phone signature (used by 470.000 citizens ~ 5.6%)

8 Christian Maierhofer, EGIZAnkara, March 17th, 2015 The Austrian Citizen Card (§ 4 Par. 1 E-GovG) The Citizen Card is used to prove the unique identity of an applicant and the authenticity of an electronic submission. Create qualified electronic signatures Legally equal to handwritten signatures So it is: Electronic Identity document and Signature on the Internet

9 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Legal Framework Advanced Electronic Signature §2 1. ‘electronic signature’ means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication; §2 2. ‘advanced electronic signature’ means an electronic signature which meets the following requirements: (a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using means that the signatory can maintain under his sole control; and (d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable; Electronic Signature

10 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Legal Framework Qualified Electronic signature Legal Effects  Equivalent to handwritten signatures – except a few cases (e.g. family law) §2 3a. advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device §5 (a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data; and (b) are admissible as evidence in legal proceedings.

11 Christian Maierhofer, EGIZAnkara, March 17th, 2015 The Austrian Citizen Card § 4 Par. 4 E-GovG: The authenticity of an electronically filed document is provided using an electronic signature § 4 Par. 2 E-GovG: The unique identification of a natural person is provided by the source PIN (sPIN)  Technical representation: Identity Link

12 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Identity Link XML structure, signed by the Source PIN Register Authority (SRA), that uniquely identifies a person. This structure is bound to the public key from the qualified certificate and includes: sPIN Personal data Name, birthday Public key (from qualified certificate) Signature from the SRA The private key is stored on a secure token... <pr:Person xsi:type="pr:Physical 123456789012</pr:V http://reference.e-g Herbert</pr:Given Leitold</pr:Fami... snW8OLCQ49qNefems...

13 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Identification Central Register of Residents (CRR) Every natural person is uniquely identified by the CRR number Source PIN (sPIN) Calculation based on encrypted CRR-ID May only be decrypted by the Source Pin Register Authority (SRA) May NOT be directly used for identification May only be stored (persistent) on the Token (SSCD) Sector Specific PIN (ssPIN) Based on non-invertible derivation from the sPIN Calculated for a specific sector the online service operates in

14 Christian Maierhofer, EGIZAnkara, March 17th, 2015 ssPIN Generation ssPIN generation only possible using the person’s Citizen Card. sPIN from the Citizen Card required Non invertible derivation ssPIN ↛ sPIN ssPIN_A ↛ ssPIN_B Not Invertible! e.g. Sector Taxese.g. Sector Health

15 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Application Login MOA-ID (Identity Provider) MOA-ID (Identity Provider) Online application Request Access to Application Citizen Card authentication -Read Identity Link -Calculate ssPIN -Sign Authentication Data Authentication Request Auth. Data Response Provide Resource

16 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Online Mandates – Why?  Alice allows Bob to act on behalf of herself AliceBob Signed Mandate Online application -Representative -Access rights -Allowed applications Mandate Database

17 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Online Mandates – Why? Bilateral authorization For certain actions

18 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Online Mandates – Why? Bridge between non- natural and natural persons Company representative Association representative Bilateral authorization For certain actions

19 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Online Mandates – Why? Professional representation Accountant Lawyers Official representative Bridge between non- natural and natural persons Company representative Association representative Bilateral authorization For certain actions

20 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Online Mandates - Architecture

21 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Electronic Online Mandates Fully automated online electronic mandate system Based on Citizen Card identification but mandates NOT stored on the card Mandates are stored by a trusted authority Mandates for natural and non-natural persons No paper-based application required Just-in-Time generation Data of mandatory (sPIN) Define constraints No revocation required

22 Christian Maierhofer, EGIZAnkara, March 17th, 2015 HELP.gv.at and USP.gv.at in numbers In April 2014 HELP.gv.at and USP.gv.at had 1.224.439 visits. In April 2014 4.500.845 pages were accessed via HELP.gv.at and USP.gv.at had. Average dwell time on website: 5.06 minutes 180 Live situations (e.g. marriage, passport,…) 3.000 textual pages of content, 700 terms

23 Christian Maierhofer, EGIZAnkara, March 17th, 2015 HELP.gv.at and USP.gv.at in numbers In April 2014 HELP.gv.at and USP.gv.at had 1.224.439 visits. In April 2014 HELP.gv.at and USP.gv.at had 4.500.845 page impressions. Average dwell time on website: 5.06 minutes 180 Live situations (e.g. marriage, passport,…) 3.000 textual pages of content, 700 terms About 424 counters within public authorities would have to be available 7 days a week @ 24 hours a day to overcome this inrush…

24 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Agenda Overview – eID in Austria eDelivery – Electronic Delivery Process eDelivery – A sending application‘s perspective

25 Christian Maierhofer, EGIZAnkara, March 17th, 2015 eDelivery – Components eDelivery applications Proof of delivery High quality authentication provided by Austrian citizen card Central lookup service Holds all recipient data Delivery agents/service Provide electronic mailboxes to recipients Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 eDelivery Application 1 eDelivery Application 2 eDelivery Application 2 eDelivery Application n eDelivery Application n Central Lookup Service

26 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Application tier Broker tier Delivery tier eDelivery – Components Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 eDelivery Application 1 eDelivery Application 2 eDelivery Application 2 eDelivery Application n eDelivery Application n Central Lookup Service

27 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Application tier Broker tier Delivery tier eDelivery – Components Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 eDelivery Application 1 eDelivery Application 2 eDelivery Application 2 eDelivery Application n eDelivery Application n Central Lookup Service LDIF(LDAP)

28 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Application tier Broker tier Delivery tier eDelivery – Components Delivey Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 eDelivery Application 1 eDelivery Application 2 eDelivery Application 2 eDelivery Application n eDelivery Application n Central Lookup Service LDIF(LDAP) ssPIN_ZUNameDate of Birth …DeliveryAgent- URL Doc Format s Encryption Cert ae231d34Alice11.1.1999da1.delivery.atpdf, xml, txt ---- ae231d34Alice11.1.1999da2.delivery.atpdfMIIExjCCA6 6gAwIBA…. 2988dfedBob22.2.1990da1.delivery.atpdf, xml, txt ----

29 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Application tier Broker tier Delivery tier eDelivery – Components Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 eDelivery Application 1 eDelivery Application 2 eDelivery Application 2 eDelivery Application n eDelivery Application n Central Lookup Service ? ? ?

30 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Application tier Broker tier Delivery tier eDelivery – Components Delivey Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 eDelivery Application 1 eDelivery Application 2 eDelivery Application 2 eDelivery Application n eDelivery Application n Central Lookup Service ? ? ? → Necessary because no domain name based addressing model → Unique ID & Demographics → With which delivery agent is a recipient registered? → Necessary because no domain name based addressing model → Unique ID & Demographics → With which delivery agent is a recipient registered?

31 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Application tier Broker tier Delivery tier eDelivery – Components Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 eDelivery Application 1 eDelivery Application 2 eDelivery Application 2 eDelivery Application n eDelivery Application n

32 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Application tier Broker tier Delivery tier eDelivery – Components Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 eDelivery Application 1 eDelivery Application 2 eDelivery Application 2 eDelivery Application n eDelivery Application n No intra-provider communication

33 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 Central Lookup Service

34 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 Central Lookup Service Precondition: Central Lookup Service holds all recipient data from all Delivery Agents

35 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example ? Send Query for recipient: ssPIN_ZU or Name and date of birth or Name and notification email or Name and postal address Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 Central Lookup Service

36 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example ? Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 Central Lookup Service HTTPs GET Request XML over HTTPs Response HTTPs GET Request XML over HTTPs Response

37 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example ? Answer contains: URL of Delivery Agent(s) the recipient is registered with Usable document formats Optionally encryption certificate Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 Central Lookup Service OK X X

38 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example ? Answer contains: URL of Delivery Agent(s) the recipient is registered with Usable document formats Optionally encryption certificate Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 Central Lookup Service OK X X If recipient is registered with multiple DAs: ►Prefer accounts with encryption certificate ►Otherwise freedom of choice If recipient is registered with multiple DAs: ►Prefer accounts with encryption certificate ►Otherwise freedom of choice

39 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example Zustell -Kopf ? Transmit delivery to delivery agent. Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 OK X X

40 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example Zustell -Kopf ? Transmit delivery to delivery agent. Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 OK X X

41 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example Zustell -Kopf ? Transmit delivery to delivery agent. Delivery Agent 1 Delivery Agent 2 Delivery Agent n eDelivery Application 1 OK X X

42 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example @ Recipient must immediately be informed via e-mail or SMS when a new delivery has been received Delivery Agent 1 eDelivery Application 1

43 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example Pick-up by logging in at the web-portal of the delivery agent. Receipt must be carried out using the Austrian citizen card by signing a delivery confirmation/proof of receipt. Delivery Agent 1 eDelivery Application 1

44 Christian Maierhofer, EGIZAnkara, March 17th, 2015 AT eDelivery – an example The delivery can now be opened or saved on the local computer. Delivery agent portal functions are very similar to web-mail systems Delivery Agent 1 eDelivery Application 1

45 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Agenda Overview – eID in Austria eDelivery – Electronic Delivery Process eDelivery – A sending application‘s perspective

46 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Component on sender side Sender needs a technical application ensuring the connection to Central Lookup Server Query recipient Delivery Agent Transmission of eDelivery Delivery Agent Central Lookup Server ? eDelivery Application

47 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Component on sender side Sender needs a technical application ensuring the connection to Central Lookup Server Query recipient Delivery Agent Transmission of eDelivery eDelivery clients Open source (MOA-ZS) Propietary solutions … Delivery Agent Central Lookup Server ? eDelivery Application ED-Client

48 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Delivery Software MOA-ZS MOA-ZS is a open source middleware for senders Web service interface for simple integration in backend applications Covers all necessary steps Acceptance of delivery documents from backend applications Central lookup service query Forward documents to delivery service providers Reception and processing of delivery confirmations

49 Christian Maierhofer, EGIZAnkara, March 17th, 2015 MOA-ZS in a nutshell (1) Backend Application Backend Application MOA-ZS Delivery service Central Lookup Service Central Lookup Service OK X X Web service oid

50 Christian Maierhofer, EGIZAnkara, March 17th, 2015 MOA-ZS in a nutshell (2) Backend Application Backend Application MOA-ZS Delivery service Central Lookup Service Central Lookup Service OK X X Forwarding the deliver request – recipient address as: a)Delivery-ssPIN (ssPIN[ZU]) b)Name + an address registered at the delivery service (electronic or postal) [ + birthday at RSa quality] c) Name + postal address | birthday + ssPIN of the own sector (ssPIN[ZU] is calculated via the SourcePin Register) 1 oid

51 Christian Maierhofer, EGIZAnkara, March 17th, 2015 MOA-ZS – Acceptance of a document

52 Christian Maierhofer, EGIZAnkara, March 17th, 2015 MOA-ZS in a nutshell (3) Backend Application Backend Application MOA-ZS Delivery service Central Lookup Service Central Lookup Service OK X X Forwarding the deliver request – recipient address as: a)Delivery-ssPIN (ssPIN[ZU]) b)Name + an address registered at the delivery service (electronic or postal) [ + birthday at RSa quality] c) Name + postal address | birthday + ssPIN of the own sector (ssPIN[ZU] is calculated via the SourcePin Register) 1 oid Source PIN Registe r ?

53 Christian Maierhofer, EGIZAnkara, March 17th, 2015 MOA-ZS in a nutshell (5) Backend Application Backend Application MOA-ZS Delivery service Central Lookup Service Central Lookup Service OK X X Querying the central lookup serivce oid 23

54 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Central Lookup Service - Query Transport level SSL client authentication (Gov-OID) Request types Single- / Bulk request Combining identity attributes (Encrypted) delivery-ssPIN (Sector “ZU”) respectively SourcePin (non- natural persons) Name + birthday Name + notification address (email)

55 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Query- Example Single-Query(HTTP-GET) https://zkopf.zustellung.gv.at/Query?givenName=MAx&sn=Mustermann &mail=max@mustermann.at Bulk-Query (SOAP Web-Service)

56 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Central Lookup Service - Reply -Not registered -Temporarily not registered not reachable reachable - Delivery-Token -Recipient’s ID + billing data - Address of the delivery service - Accepted data formats of the recipient - Possible encryption certificate If more delivery services have to be considered: -Prefer the service where the user has configured an encryption certificate; else sender’s can freely choose

57 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Response - Example

58 Christian Maierhofer, EGIZAnkara, March 17th, 2015 MOA-ZS in a nutshell (5) Backend Application Backend Application MOA-ZS Delivery service Central Lookup Service Central Lookup Service OK X X Forwarding to the delivery service 4 5 oid

59 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Forward to Delivery Service Transport level SSL client authentication (administration-OID) Data Delivery token (ID + billing data) Address for delivery confirmation (email, WS) Sender’s data Meta data Subject Delivery ID Delivery quality

60 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Example

61 Christian Maierhofer, EGIZAnkara, March 17th, 2015 MOA-ZS in a nutshell (4) Backend Application Backend Application MOA-ZS Delivery service Central Lookup Service Central Lookup Service OK X X MOA-ZS returns OK to the application, if the delivery was successful. 6 oid

62 Christian Maierhofer, EGIZAnkara, March 17th, 2015 MOA-ZS in a nutshell (6) Backend Application Backend Application MOA-ZS Delivery service Central Lookup Service Central Lookup Service OK X X Feedback about the delivery success – optional acknowledgement of receipt – is either sent directly to the special application or (if configured) to MOA-ZS. 7 oid

63 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Delivery Confirmation - Example

64 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Benefits for Authorities May be delivered electronically with delivery confirmation (RSa or RSb) May be delivered electronically without delivery confirmation (standard letter quality) Document is considered to be delivered (Zustellwirkung) without being picked-up by the recipient Effective date of delivery is always documented for authorities(electronic advice of delivery); for instance the effective data of pickup of the document by the recipient (using her electronic signature) Delivery confirmation is sent back to the sending authority by the delivery service. Authority may automatically process this advice of delivery respectively assign it to an act.

65 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Benefits for Authorities (2) Fee for governmental deliveries (to be paid by the delivering authority): Half of the standard letter postage + VAT = 0,37 Euro Possible postal notification fee = 0,744 Euro Max. 1,116 Euro for RSa or RSb Conventional: 4,75 Euro (RSa) respectively 2,65 Euro (RSb) + additional costs (print, enveloping, …)

66 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Citizen‘s Point of View 1.Document arrives at the delivery service 2.Email notification is sent to recipient 3.Login mobile signature or citizen card (respectively automatically triggered signature); acknowledgement of receipt gets signed 4.Check document, store or forward it 2 1 4 3

67 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Notifications issued by the Delivery Service 1.Electronic notification (immediately to all electronic registered addresses) 2.Electronic notification (if not picked up within 48 hours) 3.Postal notification (if not picked up within the next 24 hours and the recipient has registered a delivery address therefor) 2 3 1

68 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Example

69 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Mail Pickup according to § 35 POP.deliveryservice.xy.at STANDARD MAILCLIENT (POP) LOGIN TO DELIVERY BROWSER+CITIZEN CARD PICKUP MAILCLIENT + CERTIFICATE Identification based on the configure SSL client certificate. Delivery confirmation based on SSL handshake (of the mail client or the browser) according to §35 (3) ZustG. E.g. simple clicking a Link in the notification email.

70 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Dual Delivery Brings together traditional delivery with electronic delivery Intention: deliver electronically If electronic delivery not possible: Postal delivery (Printing, Enveloping, …) ONE interface

71 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Dual Delivery - Architecture

72 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Dual Delivery Senders need to register at dual delivery system Unique profile id Address data Billing details Authentication information (TLS client authentication) Steps of dual delivery Addressing in advance (which delivery channels are supported?) Delivery request Single or Bulk requests Delivery receipts processing Communication with printing channel

73 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Delivery fee trend - Styria 1.5.2011 POST-AG delivery fee increased 1.7.20112 POST-AG delivery fee increased Start of dual delivery Budget for delivery fees € 210.000 per year € 170.000 per year € 610.000 per year DI. Herbert Huettenbrenner

74 Thank you for your attention… Ankara, March 17th, 2015 Christian Maierhofer, EGIZ The E-Government Innovation Center is a joint initiative of the Federal Chancellery and Graz University of Technology

75 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Additional Information

76 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Example sPIN Calculation Base number000247681888 (E.g.: CPR-number, 12 decimals) Binary representation 00 0E C3 53 60 (5 Byte, hexadecimal representation) Expand to 128 bit00 0E C3 53 60 FF 00 0E C3 53 60 00 0E C3 53 60 (16 Byte, Seed value set to e.g. 0xFF) Triple-DES encryption, hexadecimal 42 AD 37 74 FA E0 70 7B 31 DC 6D 25 29 21 FA 49 (16 Byte) Source PIN, Base64 Qq03dPrgcHsx3G0lKSH6SQ== (24 digits)

77 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Example: ssPIN Calculation sPIN, Base64Qq03dPrgcHsx3G0lKSH6SQ== (24-digit) Sector codeBW (ISO-8859-1, E.g.: Bauen und Wohnen) Input data for hash value calculation Qq03dPrgcHsx3G0lKSH6SQ==+urn:publicid:gv.at:cdid+ BW Hash value8FF3717514 21A7EB4DC8 4F56847741 498BB2DE10 (5 x 32bit; hexadecimal representation) ssPIN, Base64j/NxdRQhp+tNyE9WhHdBSYuy3hA= (28-digit)

78 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Mobile Phone Signature IdL and asymmetric key are stored by A-TRUST and protected by a hardware security module (HSM) For the signature creation a TAN is sent to the citizen via SMS This TAN must be entered during the signature creation process HSM communicates directly with an SMS gateway to send the TAN

79 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Mobile Phone Signature - Components User’s mobile phone User Password: ********

80 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Mobile Phone Signature - Components Key database Signature creation data is encrypted using a key consisting of at least: -Secret password -Secret HSM key SMS Gateway Web-Frontend HSM -Creation of signature creation data -Decryption of stored signature creation data -Creation of qualified electronic signatures Password: ********

81 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Mobile Phone Signature – Registration Process Password: ********

82 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Mobile Phone Signature – Registration Process Announce mobile nr. Choose password Password Assurance of identity Mob-nr. Verify phone ownership: Generate one-time code Send code via SMS Code Password: ********

83 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Mobile Phone Signature – Registration Process Code Generate and encrypt the signature creation data with at least: -HSM key -Key derived from password Stored encrypted data in the database Ownership verified Code Password: ********

84 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Generate and encrypt the signature creation data with at least: -HSM key -Key derived from password Stored encrypted data in the database Ownership verified Mobile Phone Signature – Registration Process Code The usage of the signature creation data is only possible 1.within the HSM and 2.after the signature password has been entered by the signatory Password: ********

85 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Mobile Phone Signature – Signature Process Password: ********

86 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Application issued a signature request User is redirected to signature website Password Enter mobile nr. Mob-nr. Enter password Request Mobile Phone Signature – Signature Process Password: ********

87 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Mobile Phone Signature – Signature Process Calculate hash value of the data to be signed (from request) Generate one-time code Send one-time code and hash value via SMS Code Affirmation Display Password: ******** Hash value

88 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Mobile Phone Signature – Signature Process Provide one-time code Code Recovery of the signature creation data from the database with -HSM key -Password-derived key Signature creation using the signature creation data Ownership verified Code Verify ownership Password: ********

89 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Recovery of the signature creation data from the database with -HSM key -Password-derived key Signature creation using the signature creation data Ownership verified Mobile Phone Signature – Signature Process Provide one-time code Code Verify ownership Password: ******** The one-time code verifies the ownership of the mobile phone The usage of the signature creation data is only possible 1.within the HSM and 2.after the signature password has been entered by the signatory

90 Christian Maierhofer, EGIZAnkara, March 17th, 2015 Operator of the mobile phone solutionUser Mobile Phone Signature – Signature Process Signature is returned to the application Signature Return the created XML signature Password: ********

Download ppt "The Austrian Governmental eDelivery System Technical Aspects Ankara, March 17th, 2015 Christian Maierhofer, EGIZ The E-Government Innovation Center is."

Similar presentations

1 Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market (COM(2012 238 final) {SWD(2012)

1 Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market (COM( final) {SWD(2012)
© fedict 2008. All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.

© fedict All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.
How eID and eSignatures work in a cross-border setting Wendy Carrara SPOCS Deputy Programme Director eID workshop Reaping the benefits of eID in different.

How eID and eSignatures work in a cross-border setting Wendy Carrara SPOCS Deputy Programme Director eID workshop Reaping the benefits of eID in different.
Mr. Aivars Paegle, Legal manager at The Register of Enterprises of the Republic of Latvia, Juridical Division Workshop on Single Institution for Registration.

Mr. Aivars Paegle, Legal manager at The Register of Enterprises of the Republic of Latvia, Juridical Division Workshop on Single Institution for Registration.
EGovernment Vision, Policies and Implementations in Austria Prof. Dr. Reinhard Posch CHIEF INFORMATION OFFICER.

EGovernment Vision, Policies and Implementations in Austria Prof. Dr. Reinhard Posch CHIEF INFORMATION OFFICER.
Digital Stamps of Companies Tarvi Martens SK, Estonia.

Digital Stamps of Companies Tarvi Martens SK, Estonia.
Workshop on registered electronic mail policies and implementations Ankara, 16-17 March 2015 Davide Mula The use of electronic signatures.

Workshop on registered electronic mail policies and implementations Ankara, March 2015 Davide Mula The use of electronic signatures.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Mountain View 25, 26 Sept 2007 The importance of incorporating XAdES extensions into ongoing XML-Sig work W3C Workshop on Next Steps for XML Signature.

Mountain View 25, 26 Sept 2007 The importance of incorporating XAdES extensions into ongoing XML-Sig work W3C Workshop on Next Steps for XML Signature.
1 Exploring Acceptance and Legal Nature of eRecords Within a Paper-Based Framework Electronic Signature & Records Association November 14, 2012 Rafael.

1 Exploring Acceptance and Legal Nature of eRecords Within a Paper-Based Framework Electronic Signature & Records Association November 14, 2012 Rafael.
Workshop on registered electronic mail policies and implementations (ETT 57074) Ankara, 16.3. – 17.3. 2015.

Workshop on registered electronic mail policies and implementations (ETT 57074) Ankara, –
INFORMATION TECHNOLOGY LAW LECTURE 3- ELECTRONIC SIGNATURE Dr. Kadir Bas.

INFORMATION TECHNOLOGY LAW LECTURE 3- ELECTRONIC SIGNATURE Dr. Kadir Bas.
Respecting Privacy in Global Networks/ Guernsey, Wednesday 11 th April,2007 1 Paula Ortiz López Spanish Data Protection Agency.

Respecting Privacy in Global Networks/ Guernsey, Wednesday 11 th April, Paula Ortiz López Spanish Data Protection Agency.
Civil Registry Agency of the Ministry of Justice, Georgia Digital Signature Services in Georgia Mikheil Kapanadze.

Civil Registry Agency of the Ministry of Justice, Georgia Digital Signature Services in Georgia Mikheil Kapanadze.
Legal Issues on PKI & qualified electronic certificates. THIBAULT VERBIEST Attorney-at-law at the Brussels and Paris Bar Professor at the Universities.

Legal Issues on PKI & qualified electronic certificates. THIBAULT VERBIEST Attorney-at-law at the Brussels and Paris Bar Professor at the Universities.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
DIGITAL SIGNATURE AND ELECTRONIC DOCUMENTS IN ITALY Prof. Pierluigi Ridolfi AIPA Authority for Information Technology in the Public Administration V. Solferino,

DIGITAL SIGNATURE AND ELECTRONIC DOCUMENTS IN ITALY Prof. Pierluigi Ridolfi AIPA Authority for Information Technology in the Public Administration V. Solferino,
The Estonian Electronic Signature Legislation and case studies EESSI Seminar Budapest, 2001-05-08 Taavi Valdlo Estonian Informatics Centre

The Estonian Electronic Signature Legislation and case studies EESSI Seminar Budapest, Taavi Valdlo Estonian Informatics Centre
Some initiatives of the Belgian government in order to stimulate E-government Frank Robben General manager Crossroads Bank for Social Security Sint-Pieterssteenweg.

Some initiatives of the Belgian government in order to stimulate E-government Frank Robben General manager Crossroads Bank for Social Security Sint-Pieterssteenweg.
Ros.gov.uk Recording and safeguarding your rights CROBECO 25 November 2010 Kevin Ramsay Legal Services Registers of Scotland ARTL.

Ros.gov.uk Recording and safeguarding your rights CROBECO 25 November 2010 Kevin Ramsay Legal Services Registers of Scotland ARTL.

Similar presentations

Ads by Google