Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © FedICT 2003. All rights reserved Belgian Electronic Identity Card (BELPIC) Ir. Olivier LIBON. Microsoft EAP – Government & Education 7 April.

Published byMuriel Lambert Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © FedICT 2003. All rights reserved Belgian Electronic Identity Card (BELPIC) Ir. Olivier LIBON. Microsoft EAP – Government & Education 7 April."— Presentation transcript:

1 Copyright © FedICT 2003. All rights reserved Belgian Electronic Identity Card (BELPIC) Ir. Olivier LIBON. Microsoft EAP – Government & Education 7 April 2005 Diegem

2 Copyright © FedICT 2004. All rights reserved Agenda  FedICT (the belgian eGov strategy)  Principles  Objectives  Planning  FedPKI (the belgian PKI initiative)  Trust hierarchy  Certificates  Trust Services  Technical Framework (the belgian eID card)  Card Layout vs Electronic Ship  Data Capture vs Authentication vs Signature  Card Production / Personalization  Card / Chip / Data / MiddleWare / Toolkit  Applications: today & tomorrow

3 Copyright © FedICT 2003. All rights reserved FedICT “the belgian eGov strategy”

4 Copyright © FedICT 2004. All rights reserved Principles  Administration Complexity  Simplification  1 federal state Civil Servants  3 regions / 3 communities Enterprises  10 provinces / 589 Municipalities Citizens  Front-Office: Unique Data collection principle  federated identity management (FedPKI)  federated transactional site (FedGATE)  federated information exchange (FedUME)  federated network management (FedMAN)  Back-Office: Authentic Data sources principle  unique citizens DB/ID (Population Registry)  unique enterprises DB/ID (CrossRoads Bank for Enterprises)  unique... DB/ID ?

5 Copyright © FedICT 2004. All rights reserved MinSocMinEcoMinFinMinInt Objectives FedMAN Unified TCP/IP Network FedUME Unified XML Gateway FedGATE Unified Transactional Site Local UME Local GATE Local Network CitizensEnterprisesCivil Servants FedPKI Unified Identity Management Framework Regions Communities Municipalities Provinces...

6 Copyright © FedICT 2004. All rights reserved Planning 2001200220032004 AuthorizationAuthentication Static SiteTransactional Site XML GatewayXML Processing IP NetworkIP Services Citizens DB & unique IDs Enterprises DB & unique IDs... FedPKI FedGATE FedUME FedMAN Unique IDs

7 Copyright © FedICT 2003. All rights reserved FedPKI “the belgian PKI initiative”

8 Copyright © FedICT 2004. All rights reserved Trust Hierarchy Card Admin Cert Admin Client Auth Elec Sign Data Crypt Client Cert Admin CA Hierar Admin CRL Citizen CA CRL Gov CA CRL SelfSign Belgium Root ARL RootSign Belgium Root Server Cert Object Cert AdminAuth/Sign EU Bridge CA

9 Copyright © FedICT 2004. All rights reserved Certificates  Citizen’s certificates & keys  Authentication Certificate & key pair (1024 bits)  provide strong authentication (access control)  web site authentication  single sign-on (login)  etc.  Signature Certificate & key pair (1024 bits)  provide non repudiation (electronic signature equivalent to handwritten signature)  Document Signing  Form Signing  etc.  (Encryption Certificate & key pair)  foreseen at a later stage  private key backup/archiving AuthSign Citizen CA Belgium Root CA Crypt Citizen CA

10 Copyright © FedICT 2004. All rights reserved Trust Services Request Auth/SignValidate Register Population Registry Secure Sites Municipality XKMS OCSP CA Factory Citizens CPSSLA

11 Copyright © FedICT 2003. All rights reserved BELPIC “the belgian electronic personal identity card”

12 Copyright © FedICT 2004. All rights reserved Card Aim  To give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures Proof of identity Signature tool

13 Copyright © FedICT 2004. All rights reserved Visual part  From a visual point of view the same information will be visible as on the current identity card :  the name  the first two Christian names  the first letter of the third Christian name  the nationality  the birth place and date  the sex  the place of delivery of the card  the begin and end data of the validity of the card  the denomination and number of the card  the photo of the holder  the signature of the holder  the identification number of the National Register  the main residence of the holder (until 31/12/2003)  Identical functionality to current identity card Visual identification of the holder

14 Copyright © FedICT 2004. All rights reserved Electronic Part  From an electronic point of view the chip will contain the same information as printed on the card, filled up with:  the identity and signature keys  the identity and signature certificates  the accredited certification service furnisher  Information necessary for authentication of the card and securization of the electronic data  the main residence of the holder  (Currently) no encryption certificates  No electronic purse  No biometric data  Conformity with European Directive 1999/93/EC Electronic identification of the holder

15 Copyright © FedICT 2004. All rights reserved Advanced Electronic Signature Electronic Signatures Advanced Electronic Signatures Article 2.2 (PKI technology) Qualified Electronic Signature +AnnexI: Q-Cert +Annex II: Q-CSP +Annex III: SSCD Article 5.1 (identification/enrolment)

16 Copyright © FedICT 2004. All rights reserved Card functions authentication data capture digital signature

17 Copyright © FedICT 2004. All rights reserved Data Capture

18 Copyright © FedICT 2004. All rights reserved Authentication log on to web sites (SSO) container park library access control … swimming pool

19 Copyright © FedICT 2004. All rights reserved Signature 1. Receive message 3. Check CRL/OCSP 5. Fetch public key 7. Compute reference hash 2. Inspect certificate 4. Check certificate 6. Fetch signature 8. Hash, signature, public key match? Matching triplet? CRL Alice hash Bob 3, 4 2 1 7 6 5 8 1. Compose message3. Generate signature5. Collect certificate 2. Compute hash4. Collect signature6. Send message Alice hash Alice 1 2 3 54 6

20 Copyright © FedICT 2004. All rights reserved Qualified Electronic Signature Electronic Signatures Advanced Electronic Signatures Article 2.2 (PKI technology) Qualified Electronic Signature +AnnexI: Q-Cert +Annex II: Q-CSP +Annex III: SSCD Article 5.1 (identification/enrolment)

21 Copyright © FedICT 2004. All rights reserved Production Process Municipality Face to face identification DeThe municipalities (1) (2) (12) National Register (3) VRK CM/CP/CI (4) ECA Bull (7) (8) (5) (9) (6) Meikäläinen Matti PIN & PUK1-code (10b) (10a1) (11) (13) (10a2)

22 Copyright © FedICT 2004. All rights reserved Personalization Process

23 Copyright © FedICT 2004. All rights reserved Card Specifications  Standard - ISO/IEC 7816  Format & Physical Characteristics  Bank Card (ID1)  Standard Contacts & Signals  RST,GND,CLK,Vpp,Vcc, I/O  Standard Commands & Query Language (APDU)  etc.

24 Copyright © FedICT 2004. All rights reserved Security Aspects  Outside  Rainbow and guilloche printing  Changeable Laser Image (CLI)  Optical Variable Ink (OVI)  Alphagram  Relief and UV print  Laser engraving  Inside 12345678 SHA-1 RSA SPA/DPA/… resistent EAL5+ certified …

25 Copyright © FedICT 2004. All rights reserved Chip specifications  Chip characteristics: Cryptoflex JavaCard 32K  CPU (processor): 16 bit Micro-controller  Crypto-processor:  1100 bit Crypto-Engine (RSA computation)  112 bit Crypto-Accelerator (DES computation)  ROM (OS): 136 kB (GEOS Java Virtual Machine)  EEPROM (Applic + Data): 32 KB (Cristal Applet)  RAM (memory): 5 KB CPU ROM (Operating System) Crypto (DES,RSA) RAM (Memory) EEPROM (File System= applications + data) I/O “GEOS” JVM “CRISTAL” Applet ID data, Keys, Certs.

26 Copyright © FedICT 2004. All rights reserved ID Data specifications  Directory Structure (PKCS#15)  Dir (BelPIC):  certificates & keys (PIN code protected)  private and public key CA : 2048 bits  private and public key citizen: 1024 bits  Signatures put via RSA with SHA-1  all certificates are conform to X.509 v3  standard format (to be used by generic applications)  Microsoft CryptoAPI (  Windows)  PKCS#11 (  UNIX/Linux & MacOS)  Dir (ID):  contains full identity information  first name, last name, etc.  address  picture  etc.  proprietary format (to be used by dedicated applications only) BelPIC Auth Key Sign Key ID ADR PIC Auth Cert Sign Cert CA Cert Root Cert Card Key...

27 Copyright © FedICT 2004. All rights reserved MiddleWare specifications  Card & Reader Software  Card MiddleWare  PKCS#15  ID specific applications  Card is accessed as a simple file system  No key management possible (no PIN)  for belgian police, post, banks, etc  PKCS#11  Generic applications  Only keys & Certs available via PKCS#11 API  allows authentication (& signature)  for Netscape, Linux, Unix, etc  MS-CSP  Windows applications  Only keys & certs available via MSCrypto API  allows authentication (& signature)  for Microsoft Explorer, Outlook, etc  Reader Driver/Firmware  most part is generic (orange part)  small part is specific (green part) PIN (pinpad) OpenSC PKCS#15 (OpenSC Interface) Driver (Specific SC Reader Interface) PC/SC (Generic SC Reader Interface) I/O PKCS#11 (Certificate & Keys Management) MS-CSP (Microsoft interface) BelPIC Specific Applics Non Win Generic Applics Windows Generic Applics

28 Copyright © FedICT 2004. All rights reserved Toolkit specifications  Toolkits  Data Capture Toolkit  GetIdentity  GetAddress  GetPicture  GetVersion ...  Authentication Proxy  Trigger Certificate based auth  Validate Certificate  Return Certificate Content  …  Signature Plugin  PDF/XML/Xades signature support  Validate Certificate  Verify Signature  … I/O Sign Plugin Toolkit Auth Proxy Data Capture PIN (pinpad) OpenSC PKCS#15 (OpenSC Interface) Driver (Specific SC Reader Interface) PC/SC (Generic SC Reader Interface) PKCS#11 (Certificate & Keys Management) MS-CSP (Microsoft interface)

29 Copyright © FedICT 2004. All rights reserved Qualified Electronic Signature Electronic Signatures Advanced Electronic Signatures Article 2.2 (PKI technology) Qualified Electronic Signature +AnnexI: Q-Cert +Annex II: Q-CSP +Annex III: SSCD Article 5.1 (identification/enrolment)

30 Copyright © FedICT 2004. All rights reserved SSCD Human Interface Certificate Generation Application SCD/SVD Generator SCA Signature Creation Data Signature Creation Application READER APPLICATION

31 Copyright © FedICT 2004. All rights reserved Labeling Readers  Interroperability/Quality  Low-Level test scenarios  ISO7816 APDU  Data Middelware  Crypto Middleware  +platform specific  Security  Citizen (home & work) - Dedicated PC  with or without secure PINPAD  with ot without secure DISPLAY  with ot without secure APPLICATION  Business (public space) - Shared PC  with secure PINPAD  with secure DISPLAY  with secure APPLICATION

32 Copyright © FedICT 2004. All rights reserved Labeling Applications  Certificate Validation  CRL-based (typically for businesses)  one CRL per CA per 3 hours -> Gigabytes!!!  One dCRL per CA per 3 hours (free)  Direct OCSP based (typically for citizens)  free up to 10 per day  Delegated OCSP based (if required)  you are your own Validation Authority  you are subject to accreditation & control !  Privacy  Unique Identification Number (NRN)  structure  collection  Extended Identity information

33 Copyright © FedICT 2004. All rights reserved Integration Issues...

34 Copyright © FedICT 2004. All rights reserved More information Th@nk you ! For more information feel free to visit www.fedict.be

Download ppt "Copyright © FedICT 2003. All rights reserved Belgian Electronic Identity Card (BELPIC) Ir. Olivier LIBON. Microsoft EAP – Government & Education 7 April."

Similar presentations

Universal Electronic Signatures Tarvi Martens ESTONIA.

Universal Electronic Signatures Tarvi Martens ESTONIA.
© fedict 2008. All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.

© fedict All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
Identity and Access IDPrime MD 8840 and IDCore 8030 MicroSD cards

Identity and Access IDPrime MD 8840 and IDCore 8030 MicroSD cards
SPD1 Improving Security and Access to Network with Smart Badge Eril Pasaribu CISA,CISSP Security Consultant.

SPD1 Improving Security and Access to Network with Smart Badge Eril Pasaribu CISA,CISSP Security Consultant.
Copyright © 1999, Financial Services Technology Consortium. All rights reserved. FSML and Echeck Milton M. Anderson Financial Services Technology Consortium.

Copyright © 1999, Financial Services Technology Consortium. All rights reserved. FSML and Echeck Milton M. Anderson Financial Services Technology Consortium.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Security and Interoperability Danny De Cock January 16th, 2012 Moldova Slides: godot.be/slidesgodot.be/slides.

Security and Interoperability Danny De Cock January 16th, 2012 Moldova Slides: godot.be/slidesgodot.be/slides.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 23: Internet Authentication Applications.
Civil Registry Agency of the Ministry of Justice, Georgia Digital Signature Services in Georgia Mikheil Kapanadze.

Civil Registry Agency of the Ministry of Justice, Georgia Digital Signature Services in Georgia Mikheil Kapanadze.
©Centre for Development of Advanced Computing 1 State e-governance Service Delivery Gateway (SSDG)‏ A Messaging Middleware for.

©Centre for Development of Advanced Computing 1 State e-governance Service Delivery Gateway (SSDG)‏ A Messaging Middleware for.
Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.

Information security An introduction to Technology and law with focus on e-signature, encryption and third party service Yue Liu Feb.2008.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI

Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI
2-Jun-15 1 ACCESSING ON LINE SERVICES PROTECTED BY THE ITALIAN EID GIOVANNI MANCA National Center for Information technology in Public Administration (CNIPA)

2-Jun-15 1 ACCESSING ON LINE SERVICES PROTECTED BY THE ITALIAN EID GIOVANNI MANCA National Center for Information technology in Public Administration (CNIPA)
European Signatures versus Global SignaturesRome, 7 April, 2003 EESSI open specifications and interoperability The state of the art in Italy Giovanni Manca.

European Signatures versus Global SignaturesRome, 7 April, 2003 EESSI open specifications and interoperability The state of the art in Italy Giovanni Manca.

Similar presentations

Ads by Google