SESSION D: What You Know - What You Have - What You Are: The Role of Hardware Technologies to Provide Identity Assurance BELGIUM’s Experience Washington.


1 SESSION D: What You Know - What You Have - What You Are: The Role of Hardware Technologies to Provide Identity Assurance. BELGIUM’s Experience. Washington - September 27th, 2010. Frank LEYMAN. © fedict 2010. All rights reserved

2 MARKETING RULE: “NEVER OUTSOURCE YOUR CORE PRODUCT” 05/05/2009 | Bruxelles

3 Citizen Centricity (diagram): COMMON BACK-OFFICE, COMMON PROCESS FLOW, COMMON KEY MODULES, E-APPLICATIONS, TOOLS; Mandates, Attributes, Delegation, Roles

4 ONLINE APPROACH (diagram): Ministry A, Ministry B, Ministry C … Ministry Z; FEDMAN; Federal Service Bus; National Portal Website; Building Blocks; SECURITY LAYER

5 The eID Project
> Provides Belgian Citizens with an electronic identity card.
> Gives Belgian Citizens a device to claim their identity in the new digital age.

6 eID Digital Information (diagram): use without PIN: ID, ADDRESS, IDENTITY (RRN SIGN); “PIN protected”: authentication and digital signature (PKI: private/public key pairs)

7 eID Functionalities
> Authentication
> Identification
> Electronic signature
> Visual Identification

8 eID Information: Visual identification of the card holder
> From a visual point of view the same information is visible as on a regular identity card:
  the name
  the first two Christian names
  the first letter of the third Christian name
  the nationality
  the birth place and date
  the sex
  the place of delivery of the card
  the begin and end dates of the validity of the card
  the denomination and number of the card
  the photo of the holder
  the signature of the holder
  the identification number of the National Register

9 Identification: Electronic identification of the holder
> From an electronic point of view the chip contains the same information as printed on the card, complemented with:
  the identity and signature keys
  the identity and signature certificates
  the accredited certification service provider
  information necessary for authentication of the card and integrity protection of the data
  the main residence of the holder
> No encryption certificates
> No biometric data
> No electronic purse
> No storage of other data

10 Security Aspects
> Outside
  Rainbow and guilloche printing
  Changeable Laser Image (CLI)
  Optical Variable Ink (OVI)
  Alphagram
  Relief and UV print
  Laser engraving

11 Chip specifications (diagram): CPU; ROM (Operating System); Crypto (DES, RSA); RAM (Memory); EEPROM (File System = applications + data); I/O; “GEOS” JVM; “Belpic” Applet: ID data, Keys, Certs.
> Chip characteristics: Cryptoflex JavaCard 32K
  CPU (processor): 16 bit Micro-controller
  Crypto-processor: 1100 bit Crypto-Engine (RSA computation), 112 bit Crypto-Accelerator (DES computation)
  ROM (OS): 136 kB (GEOS JRE)
  EEPROM (Applic + Data): 32 KB (Belpic Applet)
  RAM (memory): 5 KB

12 Other specifications
  Directory Structure (PKCS#15)
  Asymmetric cryptography: public key and private key
  Signatures put via RSA with SHA-1
  eID cryptographic algorithm: RSA

13 Data Specifications
> Directory Structure (PKCS#15)
  Dir (BelPIC): certificates & keys (PIN code protected)
    private and public key CA: 2048 bits
    private and public key citizen: 1024 bits
    Signatures put via RSA with SHA-1
    all certificates conform to the X.509 v3 standard format (to be used by generic applications)
      Microsoft CryptoAPI (Windows)
      PKCS#11 (UNIX/Linux & MacOS)
  Dir (ID): contains full identity information
    first name, last name, etc.
    address
    picture
    etc.
    proprietary format (to be used by dedicated applications only)
(diagram of the card file system) BelPIC: Auth Key, Sign Key, Auth Cert, Sign Cert, CA Cert, Root Cert, Card Key...; ID: ID, ADR, PIC

14 Public-key Cryptography
> Asymmetric cryptography: public key and private key
> eID cryptographic algorithm: RSA

15 X509 Certificate (diagram of fields): DN (unique name of holder), Serial #, Start, End, CRL, Key (public key of holder), Attrib, CA DN; signed by the CA that issued the certificate.
> Is a signed digital statement.
> Links a person to a key via a trusted party (CA)

16 PKI Trust Hierarchy (diagram): Belgium Root (SelfSign Belgium Root, RootSign Belgium Root); Citizen CA (CRL): Client Auth and Elec Sign client certificates; Gov CA (CRL): Server Cert, Object Cert; Admin CA / Hierar Admin (CRL): Card Admin Cert, Cert Admin, Admin Auth/Sign

17 Signature Standards
> The features of a non-repudiation signature drive the need for open signature standards.
  XML signatures supported:
    ODF (Open Office 3.2)
    OOXML (Microsoft 2007-2010)

18 Fedict eID Middleware
> Software for using the eID card on a PC
  Identification (GUI tool + SDK)
  Authentication/Signature modules: PKCS#11, CSP, tokenD
> Platforms:
  Windows: XP, Vista
  Linux: Fedora, OpenSUSE, Debian
  Mac

19 Fedict Reverse Proxy
> Used to authenticate a person via eID towards a web application using SSL.
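As an added illustration of slides 13, 16 and 19 (example code written for this transcript, not Fedict's middleware or proxy code), the Go program below builds a miniature version of the trust hierarchy with the key sizes from slide 13 and performs the chain check a relying party such as the reverse proxy must do before trusting an eID authentication certificate. The certificate names, the one-day validity and the use of SHA-256 instead of the slides' SHA-1 are assumptions; the 1024-bit citizen key is reproduced only because the slide states it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
// issue makes an RSA key of `bits` and a cert for it (key usage ku, client-auth EKU as on slide 16) signed by parent/parentKey; parent nil means self-signed.
func issue(cn string, bits int, ku x509.KeyUsage, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: ku,
		Subject: pkix.Name{Country: []string{"BE"}, CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by CreateCertificate
	return cert, key
}

// BuildHierarchy models slide 16 with slide 13's key sizes: self-signed Belgium Root (2048 bit) -> Citizen CA
// (2048 bit) -> citizen Authentication cert (1024 bit: the 2010 figure, far too small today); SHA-256/RSA signatures.
func BuildHierarchy() (root, citizenCA, auth *x509.Certificate) {
	root, rootKey := issue("Belgium Root CA", 2048, caUsage, nil, nil)
	citizenCA, caKey := issue("Citizen CA", 2048, caUsage, root, rootKey)
	auth, _ = issue("Citizen Authentication", 1024, x509.KeyUsageDigitalSignature, citizenCA, caKey)
	return root, citizenCA, auth
}

// VerifyAuth is the relying-party check (e.g. the reverse proxy of slide 19): chain the cert read
// from the card through the Citizen CA to a root in the trusted pool; a nil result means valid.
func VerifyAuth(auth, citizenCA *x509.Certificate, roots *x509.CertPool) error {
	inter := x509.NewCertPool()
	inter.AddCert(citizenCA)
	_, err := auth.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```

A relying party that leaves the Belgium Root out of its trusted pool, or omits the Citizen CA as an intermediate, gets an error from VerifyAuth rather than a chain, which is the behaviour the reverse proxy depends on.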

20 TRUST: https://mondossier.rrn.fgov.be (screenshot)

21 EU pilots that work on cross-border interoperability

22 OUR OBJECTIVES:
  To be vendor agnostic
  To be hardware agnostic
  To give the citizen the choice of access tool
  To follow Open Standards

23 Th@nk you!
FRANK LEYMAN, Manager International Relations
Maria-Theresiastraat 1/3, Bruxelles 1000 Brussel
TEL +32 2 212 96 24, FAX +32 2 212 96 99
Frank.leyman@fedict.be
www.belgium.be/fedict
