Copyright © FEDICT 2004. All rights reserved
eID : The Belgian Electronic Identity Card
Bart SIJNAVE
Microsoft eID Awareness Program
Brussels, 24 June 2004
Architecture & building blocks
[Diagram: architecture building blocks. Labels: SECURITY & PRIVACY; FEDMAN; UME; USER MGT; PORTAL www.belgium.be; Connected government; FPS; AUTHENTIC SOURCES; OTHER AUTHORITIES; OTHER INSTITUTIONS.]
Contents of the chip
[Diagram: contents of the chip. Labels: IDENTITY (ID, ADDRESS, each with RRN SIGN); PKI (authentication, digital signature, each with RRN SIGN).]
eID : the main e-functionalities
• authentication
• data capture
• digital signature
Data capture
• faster data capture: data can be read directly from the card and stored in a particular system
• more accurate data capture: no more manual re-entering, a less error-prone process
• more efficient data capture: faster processing of information
Trust Hierarchy
[Diagram: trust hierarchy. Labels: Belgium Root CA (SelfSign, RootSign) with ARL; Citizen CA, Gov CA and Admin CA, each with a CRL; end-entity labels include Card Admin, Client Auth, Elec Sign, Data Crypt, Server Cert, Object Cert and Admin Auth/Sign.]
Certificates
Citizen’s certificates & keys
• Authentication certificate & key pair (1024 bits): provide strong authentication (access control)
    • web site authentication
    • single sign-on (login)
    • etc.
• Signature certificate & key pair (1024 bits): provide non-repudiation (electronic signature equivalent to handwritten signature)
    • document signing
    • form signing
    • etc.
• (Encryption certificate & key pair): foreseen at a later stage
    • private key backup/archiving
[Diagram: Auth, Sign and Crypt certificates under the Citizen CA, under the Belgium Root CA.]
Trust Services
[Diagram: trust services. Labels: Citizens; Municipality; Population Registry; CA Factory; Secure Sites; Request; Register; Auth/Sign; Validate; XKMS; OCSP; CPS; SLA.]
Authentication
• log on to web sites (SSO)
• container park
• library
• access control
• swimming pool
• …
Signature
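Verifying a signature:
1. Receive message
2. Inspect certificate
3. Check CRL/OCSP
4. Check certificate
5. Fetch public key
6. Fetch signature
7. Compute reference hash
8. Hash, signature, public key match?
[Diagram: Bob receives Alice's message, checks her certificate against the CRL and tests the hash, signature and public key ("Matching triplet?").]
Creating a signature:
1. Compose message
2. Compute hash
3. Generate signature
4. Collect signature
5. Collect certificate
6. Send message
[Diagram: Alice hashes the message, signs the hash and sends message, signature and certificate.]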
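The receiver's steps 2 to 8 above, as an added Python example (not part of the original slides), using RSA with SHA-1 as the card does. The key is a constructed demo key, the certificates are hypothetical dictionaries standing in for X.509, and step 4 is reduced to a key-usage check with no chain validation.

```python
import hashlib

# Constructed demo key (NOT an eID key): two Mersenne primes, used only so the
# example is reproducible offline. On a real card the private key stays in the chip.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent (Python 3.8+)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # PKCS#1 v1.5

def encode(message, k):
    """Hash the message with SHA-1 and pad it to k bytes (EMSA-PKCS1-v1_5)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(message):
    """Sender steps 2-3: compute hash, generate signature."""
    k = (N.bit_length() + 7) // 8
    return pow(int.from_bytes(encode(message, k), "big"), D, N).to_bytes(k, "big")

# Hypothetical stand-ins for the X.509 fields a verifier reads. Both reuse the
# demo key for brevity; the card holds a separate key pair per certificate.
SIGN_CERT = {"serial": 1001, "key_usage": {"nonRepudiation"}, "public_key": (N, E)}
AUTH_CERT = {"serial": 1002, "key_usage": {"digitalSignature"}, "public_key": (N, E)}

def verify(message, signature, cert, revoked_serials):
    """Receiver steps 2-8. Returns (ok, reason)."""
    if cert["serial"] in revoked_serials:             # step 3: check CRL/OCSP
        return False, "certificate revoked"
    if "nonRepudiation" not in cert["key_usage"]:     # step 4: check certificate
        return False, "not a signature certificate"
    n, e = cert["public_key"]                         # step 5: fetch public key
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")              # step 6: fetch signature
    if len(signature) != k or s >= n:
        return False, "malformed signature"
    # steps 7-8: recompute the reference encoding and compare all k bytes
    if pow(s, e, n).to_bytes(k, "big") != encode(message, k):
        return False, "hash/signature/key mismatch"
    return True, "valid"
```

Comparing the whole re-encoded block, rather than parsing the padding out of the recovered value, keeps the final check strict.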
Card Specifications
Standard - ISO/IEC 7816
• Format & physical characteristics: bank card (ID1)
• Standard contacts & signals: RST, GND, CLK, Vpp, Vcc, I/O
• Standard commands & query language (APDU)
• etc.
Security
Outside
• Rainbow and guilloche printing
• Changeable Laser Image (CLI)
• Optical Variable Ink (OVI)
• Alphagram
• Relief and UV print
• Laser engraving
Inside
• SHA-1
• RSA
• SPA/DPA/… resistant
• EAL5+ certified
• …
Chip specifications
Chip characteristics:
• Cryptoflex JavaCard 32K
• CPU (processor): 16 bit micro-controller
• Crypto-processor:
    • 1100 bit Crypto-Engine (RSA computation)
    • 112 bit Crypto-Accelerator (DES computation)
• ROM (OS): 136 kB (GEOS Java Virtual Machine)
• EEPROM (Applic + Data): 32 KB (Cristal Applet)
• RAM (memory): 5 KB
[Diagram: chip blocks. CPU; ROM (operating system, "GEOS" JVM); Crypto (DES, RSA); RAM (memory); EEPROM (file system = applications + data, "CRISTAL" applet, ID data, keys, certs); I/O.]
Data specifications
Directory structure (PKCS#15)
• Dir (BelPIC): certificates & keys (PIN code protected)
    • private and public key CA: 2048 bits
    • private and public key citizen: 1024 bits
    • signatures are produced using RSA with SHA-1
    • all certificates conform to the X.509 v3 standard
    • standard format (to be used by generic applications)
        • Microsoft CryptoAPI (Windows)
        • PKCS#11 (UNIX/Linux & MacOS)
• Dir (ID): contains full identity information
    • first name, last name, etc.
    • address
    • picture
    • etc.
    • proprietary format (to be used by dedicated applications only)
[Diagram: directory tree. BelPIC: AuthKey, SignKey, AuthCert, SignCert, CACert, RootCert, CardKey, ...; ID: ID, ADR, PIC, ...]
Middleware specifications
Card & Reader Software
• Card middleware
    • PKCS#15: ID-specific applications
        • Card is accessed as a simple file system
        • No key management possible (no PIN)
        • for Belgian police, post, banks, etc.
    • PKCS#11: generic applications
        • Only keys & certs available via PKCS#11 API
        • allows authentication (& signature)
        • for Netscape, Linux, Unix, etc.
    • MS-CSP: Windows applications
        • Only keys & certs available via MS Crypto API
        • allows authentication (& signature)
        • for Microsoft Explorer, Outlook, etc.
• Reader driver/firmware
    • most part is generic (orange part)
    • small part is specific (green part)
[Diagram: middleware stack. Labels: BelPIC-specific applics; non-Windows generic applics; Windows generic applics; DLL (C-reader DLL); PKCS#11 (certificate & keys management); MS-CSP (Microsoft interface); PKCS#15 OpenSC (generic SC interface); PIN (pin logic library); PC/SC (generic SC reader interface); Driver (specific SC reader interface); I/O.]
Toolkit specifications
Toolkits
• Data Capture Toolkit
    • GetIdentity
    • GetAddress
    • GetPicture
    • GetVersion
    • ...
• Authentication Proxy
    • Trigger certificate-based auth
    • Validate certificate
    • Return certificate content
    • …
• Signature Plugin
    • PDF/XML signature support
    • Validate certificate
    • Verify signature
    • …
[Diagram: the middleware stack (DLL (C-reader DLL); PKCS#11; MS-CSP; PKCS#15 OpenSC; PIN logic library; PC/SC; Driver; I/O) with the Toolkit layer on top: SignPlugin, AuthProxy, DataCapture.]
eID-toolkits
Two toolkits are under development:
• GUI + PKCS#11 libraries: reading, printing, validating and visualising the contents of the eID chip
• authentication proxy: easy authentication on multiple platforms
Purpose is to hide internal card changes
Labeling should be straightforward if applications use toolkits
Both toolkits are free of charge
Distribution through federal portal (http://www.belgium.be/fedict Projecten eID)
RELEASED
Labeling procedure: card readers, applications
• creating trust for citizens, a legal basis for the government and branding for enterprises
• Based on industry standards :
• Currently being worked out in cooperation with Banksys, CBSS
[Image: eID-label]
Current status pilot phase (14/6)
Over 51,150 cards distributed
[Bar chart: cards per pilot municipality, with date; vertical axis 0 to 15000]
• Marche-en-Famenne (9/05/2003): 3048
• Lasne (12/05/2003): 2464
• Seneffe (15/05/2003): 2165
• Seraing (16/05/2003): 9484
• Leuven (02/06/2003): 14057
• Tongeren (03/06/2003): 4916
• Rochefort (10/06/2003): 2026
• Jabbeke (11/06/2003): 2605
• Borsbeek (18/06/2003): 1956
• Sint-Pieters-Woluwe (16/07/2003): 4485
• Geraardsbergen (25/07/2003): 3981
Planning
[Timeline chart, Q1 2004 to Q1 2005. Items: Pilot phase; Target groups; Evaluation pilot phase; DECISION; Negotiations; Installation in municipalities (578); Gradual roll-out eID; Continuous advice from and support to enterprises, citizens and authorities. Date marker: 20/3.]
Next versions of the eID card
Short term:
• offering the possibility of two different PINs for authentication and digital signature
• integrating the latest state-of-the-art RSA algorithms
• using more international data formatting
• offering a more advanced status check
• providing a structure for using the free space on the chip
Long term:
• biometrics
• encryption certificates
• integration of SIS card
• driver’s licence
• …