Belgian EID Card
15/12/2004
Derette Willy eID program manager
Agenda
Role of Steria in the project
Current status of the roll-out
  o Different actors
  o Global planning
The BELPIC project
Use of the eID card
Contents of the eID card
The trusted CA hierarchy
The trusted services
Mutual authentication with SSL v3
Realisations – how to use – quick scan
Identity card of Steria
[Pie chart, core businesses: Managed Services 50%, Systems Integration 50%]
[Pie chart, markets: Public/Government 30%, Manufacturing/Utilities/Transport 30%, Banking & Insurance 25%, Telecom 15%, Consulting 10%]
8400 employees, of which 230 in Belux
987 M€ revenue (2003), of which 36 M€ in Belux
Belux markets: Public 48%, Industry 25%, Finance 27%
Belux businesses: Managed Services 34%, Systems Integration 60%, Consulting 6%
BELPIC project: role of Steria
Design of the architecture (central and local)
Software development: modifications on the mainframe, new application servers, PCs in the municipalities
Infrastructure delivery (central and local)
Project management
BELPIC project: actors / planning
[Gantt chart, 2002 to 2005: Card & CA setup; Pilot (11); RA/Infrastructure; GO roll-out (12/06, 2003); Contract; Roll-out infrastructure (7 months): preparation and site surveys, installation & training; milestones T0, T0 + 2M, T0 + 3M, T0 + 5M, T0 + 7M; operational phase to T0 + 5Y; lanes AA, BB, CC]
[Chart: percentage of municipalities with installation completed ("% Gemeenten Installatie") and with switch-over completed ("% Gemeenten Basculement"), weekly from 30/08/2004 to 31/01/2005; y-axis 0% to 100%]
BELPIC project
Aim of the BELPIC project: give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures.
The chip contains the same information as printed on the card (name, first names, nationality, birth place and date, sex, validity of the card, photo, signature, identification number), completed with:
  Certificates (signature, authentication)
  The main residence of the holder
No other information on the card is allowed!
Proof of identity & signature tool. No encryption.
Use of e-ID
Customer identification (data capture): no errors; very fast; (complete) identity information => profiling
Strong authentication: universal solution (advantage for the customer); SSO (single sign-on) => one authentication server; "state of the art" (= replacement of the token); no PIN mailers
Signature: anywhere, anytime; simplicity (token); non-repudiation
Encryption: no encryption for the moment (foreseen at a later stage); private key backup & archiving issue
BELPIC: contents of the eID card
eID identity data: ID (identity), ADR (address), PH (hash of the photo), Photo
Certificates: Cert_Cit-Auth, Cert_Cit-Sign, Cert_CA-Cit, Cert_RRNAS, Cert_CA-RootS (ID+ADR+PH)
Private keys: Prik_Cit-Auth, Prik_Cit-Sign, Prik_Base
Public keys: PubK_CA-Role, PuK_Base
PIN code housekeeping: PIN code, PUK1/2, PUK1/3 (activate & unblock)
Role 7
WDe/2002
The trusted CA hierarchy
GlobalSign Top Root CA (self-signed)
  Belgium Root CA (one version signed by GlobalSign, one self-signed)
    eID Citizen CA: Signature (1024 bits), Authentication (1024 bits)
    Government CA, Administration CA, Forthcoming CA: Cert_SAW-Enc, Cert_SAW-Sign, Cert_RRNAS, Cert_RRNDMZ, (Cert_XKMS), Cert_Role-7 ?
Trusted Services
• Registration
• Authentication
[Diagram: Citizens; Municipality (control & registration); National Register; Certification Authority (certificate request, CRL); Secure Sites (authentication & signature); validation via OCSP or CRL; flows numbered 1 and 2]
Digitally signing a message
Sender: the message is run through the hash algorithm; the hash is encrypted with the sender's private key; the encrypted hash is the digital signature and travels with the message over the network.
Receiver: the received message is run through the same hash algorithm; the encrypted hash is decrypted with the sender's public key; the two hashes are compared (= ?).
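The sender/receiver exchange on this slide, as an added example that is not part of the original deck and not Steria's or the BELPIC project's code. It uses Go's standard library only; the choices of 2048-bit RSA, SHA-256 and PKCS#1 v1.5 padding are assumptions of this example (the slide names no algorithm, and slide 11 mentions 1024-bit keys). The sample message is constructed. Note that the "encrypt the hash" wording is the textbook description: the operation is a signature primitive with a dedicated signing key, which is why the card can offer signatures while offering no encryption (slides 8 and 9).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signMessage is the sender's side: hash the message, then apply the sender's
// private key to the digest (RSA PKCS#1 v1.5 with SHA-256, chosen for this example).
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyMessage is the receiver's side: recompute the hash over the received
// message and let the public-key operation compare it with the hash carried in
// the signature. A nil error is the slide's "= ?" comparison succeeding.
func verifyMessage(pub *rsa.PublicKey, msg, sig []byte) error {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// SignatureCheck records the outcome of the three cases a receiver must get right.
type SignatureCheck struct {
	Original bool // genuine message, sender's key: must verify
	Tampered bool // message altered in transit: must fail
	WrongKey bool // signature checked with another party's key: must fail
}

// runSignatureDemo signs a constructed message and exercises the three cases.
func runSignatureDemo() (SignatureCheck, error) {
	var out SignatureCheck
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated key pair
	if err != nil {
		return out, err
	}
	msg := []byte("Transfer 100 EUR to account BE00 0000 0000 0000") // constructed sample
	sig, err := signMessage(sender, msg)
	if err != nil {
		return out, err
	}
	out.Original = verifyMessage(&sender.PublicKey, msg, sig) == nil
	tampered := []byte("Transfer 900 EUR to account BE00 0000 0000 0000")
	out.Tampered = verifyMessage(&sender.PublicKey, tampered, sig) == nil
	out.WrongKey = verifyMessage(&other.PublicKey, msg, sig) == nil
	return out, nil
}

func main() {
	r, err := runSignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v, wrong key verifies: %v\n",
		r.Original, r.Tampered, r.WrongKey)
}
```

Only the first case verifies; a single changed digit or a signature checked against the wrong public key fails, which is the property the "non-repudiation" point on slide 9 relies on.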
SSL v3 mutual authentication (user / web server)
1. User: connect to server (server name)
2. Server: acknowledge presence
3. User: send challenge (RND)
4. Server: encrypt the challenge with its private key; send it back with its certificate chain
5. User: check certificate validity & server name; if OK, notify server
6. Server: send challenge
7. User: browser encrypts with the private key of the authentication certificate (PIN code); send encrypted challenge + certificate chain (authentication certificate only if chain not available)
8. Server: check (OCSP / CRL); if OK, notify user
9. Agree on session key: browser generates key & encrypts it with the server's public key; sent to server
Secure store on the user side: Cert_Cit-Auth. Secure store on the server side: CertChain_Server.
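The CA hierarchy of slide 11 and the mutual authentication of this slide, as an added example that is not part of the original deck and not Steria's or the BELPIC project's code. It builds its own three-level hierarchy (root, a Citizen CA for card holders, a Government CA for servers) with constructed names and keys, then runs a mutually authenticated handshake over loopback using Go's crypto/tls. Two deliberate differences from the slide: SSL v3 is no longer implemented by modern libraries, so TLS 1.2 is used (pinned so that the server verifies the client certificate before it finishes the handshake), and in TLS the client proves possession of its private key by signing the handshake transcript (CertificateVerify) rather than a separate server-sent random challenge; the server's proof comes from signing the ECDHE key exchange instead of the RSA-encrypted session key in step 9. The certificate names, the host name eid-demo.example and the card-holder name are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// mustIssueCert makes one certificate of the constructed demo hierarchy; a nil parent means self-signed.
func mustIssueCert(cn string, isCA bool, eku []x509.ExtKeyUsage, dns []string,
	parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // the 2004 card used 1024-bit keys
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, DNSNames: dns}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced one line above always parses
	return cert, key
}

// hierarchy mirrors slide 11 with made-up names: self-signed root, a Citizen CA for
// card holders and a Government CA for servers. Each end entity carries its issuing CA.
type hierarchy struct {
	root           *x509.Certificate
	server, client tls.Certificate
}

func buildHierarchy() *hierarchy {
	root, rootKey := mustIssueCert("Belgium Root CA (demo)", true, nil, nil, nil, nil)
	citCA, citKey := mustIssueCert("Citizen CA (demo)", true, nil, nil, root, rootKey)
	govCA, govKey := mustIssueCert("Government CA (demo)", true, nil, nil, root, rootKey)
	srv, srvKey := mustIssueCert("eid-demo.example", false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{"eid-demo.example"}, govCA, govKey)
	cli, cliKey := mustIssueCert("Citizen Demo", false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil, citCA, citKey)
	return &hierarchy{root: root,
		server: tls.Certificate{Certificate: [][]byte{srv.Raw, govCA.Raw}, PrivateKey: srvKey},
		client: tls.Certificate{Certificate: [][]byte{cli.Raw, citCA.Raw}, PrivateKey: cliKey}}
}

// mutualHandshake runs the slide-14 exchange over loopback TCP and returns the card-holder
// name the server verified; without a client certificate the server must refuse the session.
func mutualHandshake(h *hierarchy, withClientCert bool) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(h.root) // both sides trust only the root; intermediates travel in the chains
	srvCfg := &tls.Config{Certificates: []tls.Certificate{h.server}, ClientCAs: roots,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cliCfg := &tls.Config{RootCAs: roots, ServerName: "eid-demo.example",
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	if withClientCert {
		cliCfg.Certificates = []tls.Certificate{h.client}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var seen string // identity taken from the verified client certificate
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			sc := tls.Server(raw, srvCfg)
			defer sc.Close()
			if err = sc.Handshake(); err == nil {
				seen = sc.ConnectionState().PeerCertificates[0].Subject.CommonName
			}
		}
		done <- err
	}()
	cc, cliErr := tls.Dial("tcp", ln.Addr().String(), cliCfg) // Dial runs the whole handshake
	if cliErr == nil {
		cc.Close()
	}
	if err := <-done; err != nil {
		return "", err
	}
	return seen, cliErr
}
```

Usage: `mutualHandshake(buildHierarchy(), true)` returns "Citizen Demo", the name the server extracted from the verified card-holder certificate; with `false` the server rejects the handshake because the client answered its certificate request with nothing. The client chain deliberately includes the Citizen CA: Go only offers a client certificate whose chain leads to one of the CAs the server announced, which is the root here, and a server that trusts only the root can then validate the chain without holding every intermediate itself (the "CertChain_Server" store on the slide). Revocation checking (OCSP/CRL, slide 12) is not shown and would be added on the server side on top of this chain validation.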
How to use?
Steria has developed modules / methods for:
  Getting the user identity: name, first name, gender, birth date, birth place, nationality, National Register number, address, photo.
  Authenticating the card holder: authentication with the authentication private key of the card holder.
  Signing data: signing data by the card with the non-repudiation private key of the card holder.
Applications: stand-alone application; client/server application; light client (browser application); PC emulation to a central environment
Examples: Stand-alone application
How to use?
PC client: client / server application
Stand-alone PC: rich client
Browser: light client
Terminal emulation
Central server: Microsoft, Unix, Mainframe