eID : The Belgian Electronic Identity Card

Bart SIJNAVE
Microsoft eID Awareness Program

Brussels, 24 June 2004

Copyright © FEDICT 2004. All rights reserved


Architecture & building blocks

[Diagram labels: SECURITY & PRIVACY; FEDMAN; UME; OTHER AUTHORITIES; OTHER INSTITUTIONS; FPS; Connected government; PORTAL www.belgium.be; AUTHENTIC SOURCES; USER MGT]


eID – chip

eID, welcome to the e-world !

Contents of the chip

[Diagram labels: ID; ADDRESS; RRN SIGN; authentication; digital signature; PKI; IDENTITY]


eID : the main e-functionalities

authentication

data capture

digital signature


Data capture

faster data capture
    data can be read directly from the card and stored in a particular system

more accurate data capture
    no more manual re-entering
    less error-prone process

more efficient data capture
    faster processing of information


Trust Hierarchy

[Diagram: certificate trust hierarchy. Legible labels: Belgium Root (SelfSign, RootSign); ARL; Admin CA; Citizen CA; Gov CA; CRL; certificate labels Card, Admin, Client, Auth, Elec, Sign, Data, Crypt, Server, Object, Cert, Auth/Sign]

Certificates

Citizen’s certificates & keys

Authentication Certificate & key pair (1024 bits)
    provide strong authentication (access control)
    web site authentication
    single sign-on (login)
    etc.

Signature Certificate & key pair (1024 bits)
    provide non repudiation (electronic signature equivalent to handwritten signature)
    Document Signing
    Form Signing
    etc.

(Encryption Certificate & key pair)
    foreseen at a later stage
    private key backup/archiving

[Diagram labels: Belgium Root CA; Citizen CA; Auth; Sign; Crypt]

Trust Services

[Diagram labels: Citizens; Municipality; Population Registry; CA Factory; Secure Sites; OCSP; XKMS; CPS; SLA; Request; Register; Auth/Sign; Validate]


Authentication

log on to web sites (SSO)

container park

library

access control

swimming pool


Signature

1. Receive message
2. Inspect certificate
3. Check CRL/OCSP
4. Check certificate
5. Fetch public key
6. Fetch signature
7. Compute reference hash
8. Hash, signature, public key match? (Matching triplet?)

[Diagram: steps 1 to 8 marked on a figure labelled Alice, Bob, hash, CRL]

1. Compose message
2. Compute hash
3. Generate signature
4. Collect signature
5. Collect certificate
6. Send message

[Diagram: steps 1 to 6 marked on a figure labelled Alice, hash]
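The signing and verification steps listed on this slide, as an added example that is not part of the original presentation. It uses RSA with SHA-1 and PKCS#1 v1.5 padding; the toy key built from two Mersenne primes, the dict standing in for an X.509 certificate, the CRL modelled as a set of serial numbers and the issuer-name check standing in for chain validation are all assumptions made for illustration.

```python
import hashlib

# Constructed toy key (two Mersenne primes): fine for a demo, never for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, stays with the signer
# DER DigestInfo prefix for SHA-1 in PKCS#1 v1.5 (RFC 8017, section 9.2)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def encode(message: bytes, n: int) -> int:
    """EMSA-PKCS1-v1_5 block: 00 01 FF..FF 00 || DigestInfo(SHA-1(message))."""
    k = (n.bit_length() + 7) // 8
    t = SHA1_PREFIX + hashlib.sha1(message).digest()
    block = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(block, "big")

def sign(message: bytes) -> dict:
    """Sender steps 1-6: hash, sign with the private key, attach the certificate."""
    cert = {"serial": 1001, "subject": "Alice", "issuer": "Citizen CA", "n": N, "e": E}
    return {"message": message, "signature": pow(encode(message, N), D, N), "cert": cert}

def verify(envelope: dict, revoked: set, trusted_issuers=("Citizen CA",)) -> str:
    """Receiver steps 1-8; returns 'valid' or the reason for rejection."""
    cert = envelope["cert"]                              # 2. inspect certificate
    if cert["serial"] in revoked:                        # 3. check CRL/OCSP
        return "revoked"
    if cert["issuer"] not in trusted_issuers:            # 4. check certificate
        return "untrusted issuer"                        #    (stand-in for chain validation)
    n, e = cert["n"], cert["e"]                          # 5. fetch public key
    sig = envelope["signature"]                          # 6. fetch signature
    if not 0 <= sig < n:
        return "bad signature"
    reference = encode(envelope["message"], n)           # 7. compute reference hash
    return "valid" if pow(sig, e, n) == reference else "bad signature"   # 8. match?

if __name__ == "__main__":
    env = sign(b"constructed sample document")
    print(verify(env, revoked=set()))
    print(verify(dict(env, message=b"altered document"), revoked=set()))
    print(verify(env, revoked={1001}))
```

The receiver rebuilds the full padded block and compares it with the recovered one, so a signature with malformed padding is rejected instead of being parsed leniently.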

eID – technicalities

Card Specifications

Standard - ISO/IEC 7816
    Format & Physical Characteristics: Bank Card (ID1)
    Standard Contacts & Signals: RST, GND, CLK, Vpp, Vcc, I/O
    Standard Commands & Query Language (APDU)
    etc.


Security

Outside

Rainbow and guilloche printing

Changeable Laser Image (CLI)

Optical Variable Ink (OVI)

Alphagram

Relief and UV print

Laser engraving

Inside

• SHA-1
• RSA
• SPA/DPA/… resistant
• EAL5+ certified
• …

Chip specifications

Chip characteristics: Cryptoflex JavaCard 32K
    CPU (processor): 16 bit Micro-controller
    Crypto-processor:
        1100 bit Crypto-Engine (RSA computation)
        112 bit Crypto-Accelerator (DES computation)
    ROM (OS): 136 kB (GEOS Java Virtual Machine)
    EEPROM (Applic + Data): 32 KB (Cristal Applet)
    RAM (memory): 5 KB

[Diagram labels: CPU; ROM (Operating System), “GEOS” JVM; Crypto (DES, RSA); RAM (Memory); EEPROM (File System = applications + data), “CRISTAL” Applet, ID data, Keys, Certs.; I/O]

Data specifications

Directory Structure (PKCS#15)

Dir (BelPIC): certificates & keys (PIN code protected)
    private and public key CA: 2048 bits
    private and public key citizen: 1024 bits
    Signatures put via RSA with SHA-1
    all certificates conform to X.509 v3
    standard format (to be used by generic applications)
        Microsoft CryptoAPI (Windows)
        PKCS#11 (UNIX/Linux & MacOS)

Dir (ID): contains full identity information
    first name, last name, etc.
    address
    picture
    etc.
    proprietary format (to be used by dedicated applications only)

[Diagram labels: BelPIC; AuthKey; SignKey; AuthCert; SignCert; CACert; RootCert; CardKey; ID; ADR; PIC; ...]

Middleware specifications

Card & Reader Software

Card MiddleWare
    PKCS#15: ID specific applications
        Card is accessed as a simple file system
        No key management possible (no PIN)
        for Belgian police, post, banks, etc.
    PKCS#11: Generic applications
        Only keys & certs available via PKCS#11 API
        allows authentication (& signature)
        for Netscape, Linux, Unix, etc.
    MS-CSP: Windows applications
        Only keys & certs available via MSCrypto API
        allows authentication (& signature)
        for Microsoft Explorer, Outlook, etc.

Reader Driver/Firmware
    most part is generic (orange part)
    small part is specific (green part)

[Diagram labels: DLL (C-reader DLL); PKCS#15 OpenSC (Generic SC Interface); PIN (pin logic library); Driver (Specific SC Reader Interface); PC/SC (Generic SC Reader Interface); I/O; PKCS#11 (Certificate & Keys Management); MS-CSP (Microsoft interface); BelPIC Specific Applics; Non Win Generic Applics; Windows Generic Applics]

Toolkit specifications

Toolkits
    Data Capture Toolkit
        GetIdentity
        GetAddress
        GetPicture
        GetVersion
        ...
    Authentication Proxy
        Trigger Certificate based auth
        Validate Certificate
        Return Certificate Content
        …
    Signature Plugin
        PDF/XML signature support
        Validate Certificate
        Verify Signature
        …

[Diagram labels: DLL (C-reader DLL); PKCS#15 OpenSC (Generic SC Interface); PIN (pin logic library); Driver (Specific SC Reader Interface); PC/SC (Generic SC Reader Interface); I/O; PKCS#11 (Certificate & Keys Management); MS-CSP (Microsoft interface); Toolkit: SignPlugin, AuthProxy, DataCapture]


eID - toolkits

Let’s make use of the power of eID !

eID-toolkits

Two toolkits are under development :
    GUI + PKCS#11 libraries : reading, printing, validating and visualising the contents of the eID chip
    authentication proxy : easy authentication on multiple platforms

Purpose is to hide internal card changes
Labeling should be straightforward if applications use toolkits
Both toolkits are free of charge
Distribution through federal portal (http://www.belgium.be/fedict Projecten eID)

[Slide stamp: RELEASED]


eID-toolkits


eID-toolkits : Identity


eID-toolkits : library


eID-toolkits : Certificates


eID-toolkits : Card & PIN


eID-toolkits : Options


eID - labeling


Labeling procedure
    card readers
    applications

creating trust for citizens, a legal basis for the government and branding for enterprises

Based on industry standards :

Currently being worked out in cooperation with Banksys, CBSS

eID-label


eID – today & tomorrow

Current status pilot phase (14/6)

Over 51,150 cards distributed

[Bar chart, axis 0 to 15000. Bar values as they appear: 3048, 2464, 2165, 9484, 14057, 4916, 2026, 2605, 1956, 4485, 3981. Municipalities and dates as they appear: Marche-en-Famenne 9/05/2003; Lasne 12/05/2003; Seneffe 15/05/2003; Seraing 16/05/2003; Leuven 02/06/2003; Tongeren 03/06/2003; Rochefort 10/06/2003; Jabbeke 11/06/2003; Borsbeek 18/06/2003; Sint-Pieters-Woluwe 16/07/2003; Geraardsbergen 25/07/2003]


Planning

[Timeline chart, Q1 2004 to Q1 2005. Labels: Pilot phase; Target groups; Evaluation pilot phase; DECISION; 20/3; Negotiations; Installation in municipalities (578); Gradual roll-out eID; Continuous advice from and support to enterprises, citizens and authorities]


Next versions of the eID card

Short term :
    offering the possibility of two different PINs for authentication and digital signature
    integrating the latest state-of-the-art RSA algorithms
    using more international data formatting
    offering a more advanced status check
    providing a structure for using the free space on the chip

Long term :
    biometrics
    encryption certificates
    integration of SIS card
    driver’s licence


Q&A


More information

Th@nk you !

For more information feel free to visit

www.fedict.be