
Page 1: Belgian EID Card 15/12/2004 Derette Willy eID program manager

Belgian EID Card

15/12/2004

Derette Willy eID program manager

Page 2

Agenda

Role of Steria in the project

Current status of the roll-out

o Different actors

o Global planning

The Belpic Project

Use of the eID card

Contents of the EID Card

The trusted CA Hierarchy

The Trusted Services

Mutual Authentication SSL V3

Realisations – How to Use – Quick Scan

Page 3

Identity Card of Steria

[Pie charts, values as extracted. Core businesses: Managed Services 50%, Systems Integration 50%. Markets: Public/Government 30%, Manufacturing/Utilities/Transport 30%, Banking & Insurance 25%, Telecom 15%; Consulting 10%.]

8400 employees, of which 230 in Belux; 987 M€ revenue (2003), of which 36 M€ in Belux

Belux: Public 48%, Industry 25%, Finance 27%

Belux: MS 34%; SI 60%; C 6%

Page 4

BELPIC project: role of Steria

Design of architecture (central and local)

Software Development

o modifications on mainframe

o new application servers

o PCs in the municipalities

Infrastructure delivery (central and local)

Project management

Page 5

BELPIC project: actors / planning

[Timeline chart, 2002 to 2005. Phases: Contract; Card & CA setup; Pilot (11); GO roll out; RA/Infrastructure; Roll Out infrastructure. Date markers: 2002 (Jan to Dec), 2003 (Jan, Jun, 12/06, Dec), 2004 (Jan, Mar, Jul), 2005 (Jan). Per-site roll-out of 7 months: Prep., Site Surveys, Installation & training, with milestones T0, T0 + 2M, T0 + 3M, T0 + 5M, T0 + 7M; Operational phase until T0 + 5Y. Lanes AA, BB, CC.]

Page 6

[Chart: weekly roll-out progress from 30/08/2004 to 31/01/2005, y-axis 0% to 100%. Series: % Gemeenten Installatie (% of municipalities installed) and % Gemeenten Basculement (% of municipalities switched over).]

Page 7

Page 8

BELPIC project

Aim of the Belpic project: give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures.

The chip contains the same information as printed on the card (name, first names, nationality, birth place and date, sex, validity of the card, photo, signature, identification number), supplemented with:

o Certificates (signature, authentication)

o The main residence of the holder

No other information on the card is allowed!

Proof of identity & signature tool. No encryption.

Page 9

Use of e-ID

Customer identification (data capture)

o No errors

o Very fast

o (Complete) identity information => profiling

Strong authentication

o Universal solution (advantage for the customer)

o SSO (single sign-on) => one authentication server

o "State of the art" (= replacement of the token) / no PIN mailers

Signature

o Anywhere, anytime

o Simplicity (token)

o Non-repudiation

Encryption

o No encryption for the moment (foreseen at a later stage)

o Private key backup & archiving issue

Page 10

BELPIC Contents of EID Card

[Diagram of the card contents, WDe/2002]

eID identity data: ID, ADR, Photo, S (ID+ADR+PH)

Legend: ID = identity; ADR = address; PH = hash of the photo

Private keys: Prik_Cit-Auth, Prik_Cit-Sign, Prik_Base

Certificates: Cert_Cit-Auth, Cert_Cit-Sign, Cert_CA-Cit, Cert_CA-Root, Cert_RRNAS

Public keys: PubK_CA-Role, PuK_Base

Role 7

PIN code housekeeping: PIN code; PUK1/2 and PUK1/3 (Activate & Unblock)

Page 11

The trusted CA hierarchy

[Diagram, WDe/2002]

GlobalSign Top Root CA (self-signed)

Belgium Root: signed by GlobalSign, also available as a self-signed eID root

Under Belgium Root: eID Citizen CA, Government CA, Administration CA, Forthcoming CA

eID Citizen CA, citizen certificates:

- Signature (1024 bits)

- Authentication (1024 bits)

Government CA / Administration CA certificates:

- Cert_SAW-Enc

- Cert_SAW-Sign

- Cert_RRNAS

- Cert_RRNDMZ

- (Cert_XKMS)

Forthcoming CA:

- Cert_Role-7 ?

Page 12

Trusted Services

[Diagram of actors and flows]

Certification Authority:

• Registration

• Authentication

Citizens

Municipality: Control & Registration

National Register

Certificate Request (flows 1, 2)

Secure Sites: Authentication & Signature

Validation: OCSP or CRL

Page 13

Digitally Signing a Message

Sender: the hash algorithm computes the hash of the message; the hash is encrypted with the sender's private key; the encrypted hash is the digital signature and travels with the message over the network.

Receiver: the hash algorithm recomputes the hash of the received message; the encrypted hash is decrypted with the sender's public key; the two hashes are compared (= ?).

(WDe/2002)

Page 14

SSL v3 Mutual Authentication

User (browser; secure store: Cert_Cit-Auth) and Web Server (secure store: CertChain_Server)

Connect to server (server name)

Acknowledge presence

Sending of challenge (RND)

Server encrypts with its private key

Send back with certificate chain

Check certificate validity & server name

If OK notify server

Server sends challenge

Browser encrypts with private key of authentication certificate (PIN code)

Encrypted challenge + certificate chain (authentication certificate only if chain NA)

Server checks (OCSP-CRL)

If OK notify user

Agree on session key

Browser generates key & encrypts with public key of server; sent to server
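As an added example, not part of the slide deck: the hash-then-sign flow of the signing diagram (page 13) and the challenge-response step of the mutual authentication exchange (page 14), written in Python with a toy textbook RSA. Key generation, the 512-bit demo modulus and the absence of padding are the example's own simplifications; the card itself signs with its PIN-protected 1024-bit authentication key.

```python
import hashlib
import secrets

# Toy textbook RSA (no padding) that only illustrates the slide's flow: hash, "encrypt" the
# hash with the private key, send, re-hash, "decrypt" with the public key, compare.
# Real eID signatures use PKCS#1 padding on 1024-bit keys; this is for illustration only.
def is_probable_prime(n, rounds=20):  # Miller-Rabin; callers pass odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):  # force the top bit and oddness, then test
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p

def generate_keypair(bits=512):  # returns ((n, e), (n, d)); 512 bits is demo-only
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            break
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # needs Python 3.8+

def digest_int(message):  # the slide's "Hash Algorithm" step; a 256-bit value, so < n
    return int.from_bytes(hashlib.sha256(message).digest(), "big")
def sign(message, private):  # sender / card: hash, then "encrypt" it with the private key
    return pow(digest_int(message), private[1], private[0])
def verify(message, signature, public):  # receiver: "decrypt" with the public key, compare ("= ?")
    return pow(signature, public[1], public[0]) == digest_int(message)

def challenge_response(public, private):
    # Page 14: the server sends a random challenge (RND), the card signs it, the server
    # verifies. The same signature checked against a fresh challenge must fail (no replay).
    rnd = secrets.token_bytes(32)
    sig = sign(rnd, private)
    return verify(rnd, sig, public), verify(secrets.token_bytes(32), sig, public)
```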

Page 15

How to use it?

Steria has developed modules / methods for:

o Getting User Identity: name, first name, gender, birth date, birth place, nationality, National Register number, address, photo.

o Authenticating Card Holder: authentication with the authentication private key of the card holder.

o Signing Data: signing data by the card with the non-repudiation private key of the card holder.

Applications:

o Stand-alone application

o Client/server application

o Light client: browser application

o PC emulation to a central environment

Page 16

Examples: Stand-alone application

Page 17

How to use it?

PC Client:

o Client / Server application

o Stand Alone PC / Rich Client

o Browser / Light Client

o Terminal Emulation

Central Server: Microsoft, Unix, Mainframe