
Page 1: 1111 1958 - 1111

Finnish Electronic Identification and Supporting Technologies (PowerPoint presentation)

Sample card face on the cover: Meikäläinen Maija, F, 1111 1958 - 1111

Contact: Maija Meikäläinen, [email protected], www.vaestorekisterikeskus.fi

Page 2:

Finnish Electronic Identification and Supporting Technologies

General Issues

• The amount of various transactions on the Internet is increasing rapidly
• To make it safe we need:
  • identification of both sides,
  • digital signature,
  • encryption of data and of data transfer
• The field is developing rapidly
• An important part of the information society

Page 3:

Finnish Electronic Identification and Supporting Technologies

Identification, digital signatures and encryption are based on:
• open standards:
  • Public Key Infrastructure
  • PKIX-based Certificate Policy
  • chip cards and readers (ISO 7816 series standards, incl. 7816-8)
  • X.509 v3 certificates, IETF PKIX "qualified certificate" draft
  • X.500 and LDAP directories
  • EID application (FINEID S4-1 = PKCS#15, FINEID implementation)
  => will be modified to meet EESSI requirements
• highly secured environments
• centralized key generation
• face-to-face identification
• voluntary involvement
• cards and certificates valid for a certain time (3 years)

Page 4:

Finnish Electronic Identification and Supporting Technologies

PARTNERS
• HelpDesk services: NovaCall, NovoGroup
• Card manufacture and RA duties: Setec, Police
• CA system: ICL (iD2)
• Directory services: HPY, PeerLogic i500
• CRL services: Sonera

Page 5:

CA / CARD: registration, card production and certificate issuance (flow reconstructed from the diagram)

Registration Authority services:
• Face to face identification of the applicant
• Application ("manual information") and PIN codes
• Application information -> process database (VRK), VTJ (Population Information System)

Card and certificate production:
• Pregeneration of anonymous ID cards (RSA keys + PIN)
• Certificate services (Bull): certificate request -> certificate; published to X.500 + CRL
• Card delivery to the holder

Sample cards shown in the diagram: "Meikäläinen Matti", card 12345; a Caisse Primaire d'Assurance Maladie de CARPENTRAS (sécurité sociale) card.

Page 6:

Electronic ID-card -99: card file layout, ~8-9 Kb
• MF (master file)
  • FINEID application
  • Additional certificates (empl, org, customer, ...): ~6-7 Kb
  • Other data: city application, bank application, user's own

Page 7:

FINEID application (PKCS#15): card objects and their update access conditions

  Object                          Update condition
  EF(DIR)                         PIN 1
  ODF                             SYS
  PrKDF                           SYS
  PrK #1                          NEV
  PrK #2                          NEV
  CDF #1 (card holder certs)      SYS
  Cert #1                         SYS
  Cert #2                         SYS
  CDF #2 (for new certs)          PIN 1
  CDF #3 (trusted certs)          SYS
  CA Cert #1                      SYS
  DODF                            PIN 1
  AODF                            SYS
  PIN #1                          NEV
  PIN #2                          NEV
  TokenInfo                       NEV
  Unused space                    PIN 1
  Empty area                      PIN 1

Update conditions: NEV = never updatable, PIN 1 = updatable after the card holder has verified PIN 1, SYS = updatable only under the issuer's system-level authentication. The private keys, the PINs and TokenInfo are immutable; the holder can only write the data objects, the directory of new certificates and the free space.
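The access-condition column above is the whole security model of the card from the holder's side: PIN 1 opens a few holder-writable objects, and nothing the holder can do touches the keys, the PINs or the issuer-controlled structures. The following is an added example, not code from the presentation or from the FINEID specifications: a toy card state machine that enforces exactly the conditions in the table with ISO 7816-4 style status words. The PIN values, the retry limit of three and the command interface are assumptions for the illustration; SYS is never granted in the walk-through because the issuer's authentication is out of the holder's reach.

```python
"""Toy model of the update access conditions on the FINEID PKCS#15 card.

Added example; not code from the presentation or from the FINEID
specifications. The object names and their update conditions (NEV, SYS,
PIN 1) are the ones listed on the slide. The PIN values, the retry limit and
the status-word style command interface are assumptions for this
illustration (the status words follow the ISO 7816-4 conventions).
"""
from dataclasses import dataclass, field

# Update condition per PKCS#15 object, as on the slide:
#   NEV   never updatable once the card is personalised
#   SYS   only under the issuer's system (personalisation) authentication
#   PIN 1 after the card holder has verified PIN 1
UPDATE_ACL = {
    "EF(DIR)": "PIN 1", "ODF": "SYS", "PrKDF": "SYS",
    "PrK #1": "NEV", "PrK #2": "NEV",
    "CDF #1": "SYS", "Cert #1": "SYS", "Cert #2": "SYS",
    "CDF #2": "PIN 1", "CDF #3": "SYS", "CA Cert #1": "SYS",
    "DODF": "PIN 1", "AODF": "SYS",
    "PIN #1": "NEV", "PIN #2": "NEV", "TokenInfo": "NEV",
    "Unused space": "PIN 1", "Empty area": "PIN 1",
}

MAX_PIN_TRIES = 3  # assumed; the real limit is set at personalisation


@dataclass
class CardState:
    pins: dict                                   # reference PIN values (constructed)
    tries_left: dict = field(default_factory=dict)
    verified: set = field(default_factory=set)   # security status: {"PIN 1", "PIN 2", "SYS"}
    files: dict = field(default_factory=dict)    # object name -> stored bytes

    def __post_init__(self):
        self.tries_left = {name: MAX_PIN_TRIES for name in self.pins}


def verify_pin(card: CardState, name: str, value: str) -> str:
    """VERIFY: returns an ISO 7816-4 style status word as a hex string."""
    if name not in card.pins:
        return "6A88"                      # referenced data not found
    if card.tries_left[name] == 0:
        return "6983"                      # authentication method blocked
    if card.pins[name] == value:
        card.tries_left[name] = MAX_PIN_TRIES
        card.verified.add(name)
        return "9000"
    card.tries_left[name] -= 1
    card.verified.discard(name)            # a failed attempt clears any earlier success
    return "63C%d" % card.tries_left[name] # 63Cx: x attempts remaining


def update_object(card: CardState, obj: str, data: bytes) -> str:
    """UPDATE gated by the slide's access condition for the object."""
    cond = UPDATE_ACL.get(obj)
    if cond is None:
        return "6A82"                      # file not found
    if cond == "NEV" or cond not in card.verified:
        return "6982"                      # security status not satisfied
    card.files[obj] = data
    return "9000"


def demo() -> dict:
    """The holder's view of the card: what PIN 1 does and does not unlock."""
    card = CardState(pins={"PIN 1": "1234", "PIN 2": "5678"})  # constructed PINs
    out = {}
    out["dodf_unauth"] = update_object(card, "DODF", b"data object")
    out["wrong1"] = verify_pin(card, "PIN 1", "0000")
    out["wrong2"] = verify_pin(card, "PIN 1", "1111")
    out["ok"] = verify_pin(card, "PIN 1", "1234")
    out["tries_after_ok"] = card.tries_left["PIN 1"]
    out["dodf_auth"] = update_object(card, "DODF", b"data object")     # holder-writable
    out["cdf2_auth"] = update_object(card, "CDF #2", b"new cert ref")  # holder-writable
    out["cert1"] = update_object(card, "Cert #1", b"forged cert")      # issuer only
    out["prk1"] = update_object(card, "PrK #1", b"attacker key")       # never
    out["pin2_obj"] = update_object(card, "PIN #2", b"0000")           # never
    last = ""
    for guess in ("0000", "1111", "2222"):                             # exhaust PIN 2
        last = verify_pin(card, "PIN 2", guess)
    out["pin2_blocked"] = last
    out["pin2_then_correct"] = verify_pin(card, "PIN 2", "5678")       # blocked stays blocked
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-18s %s" % (k, v))
```

Two details worth noticing: a successful VERIFY resets the retry counter, so an attacker with card access gets at most two free guesses per PIN before the holder notices, and after the third failure even the correct PIN is refused (6983) until the issuer's unblock procedure, which this toy does not model.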

Page 8:

FINEID card with two key pairs
• Different keys, certificates and PIN codes for the two uses
• Certificate 1 (X.509): authentication + encryption (PIN 1), e.g. "Hello?" -> "Hi", encrypt session key
• Certificate 2 (X.509): non-repudiation signature ("allekirjoitus", PIN 2)
• Also the trusted CA (PRC) certificate, which includes the CA public key

Page 9:

Finnish Electronic Identification and Supporting Technologies

Certificate basic fields:
• version: value 2 = X.509 v3 certificate
• serial number: unique within an issuer
• signature: the algorithm identifier for the algorithm used by the CA to sign the certificate
• issuer: country = FI, organisation = VRK-FINSIGN Gov. CA, CommonName = Finsign CA for Citizen
• validity: YYMMDDHHMMSSZ
• subject: country = FI, Surname = Meikäläinen, Given name = Maija, Finuid = 123456786, cn = S+G+F
• subject public key: the algorithm identifier of the subject's public key

Extensions:
• Key usage: digitalSignature, keyEncipherment, dataEncipherment (authentication/encryption certificate); nonRepudiation (signature certificate)
• Certificate policies: policy identifier, OID (the CP includes possible loss limitations etc.)
• Authority key identifier: identifies the particular private CA key used to sign the certificate
• Subject key identifier: SHA-1 hash of the value of the BIT STRING subjectPublicKey
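The two slides above rest on one rule: the key-usage bits tell a relying party which of the holder's two certificates it is looking at, and a PIN 1 authentication must never be accepted as a PIN 2 signature. The following is an added example, not code from the presentation or from the VRK/FINSIGN software. It encodes and decodes the keyUsage extension value as a DER BIT STRING, computes a subject key identifier exactly as the slide describes it (SHA-1 over the subjectPublicKey BIT STRING contents), and applies the relying-party rule to both certificates; the key bytes are a constructed placeholder and the purpose names ("form-signature", "tls-auth") are invented for the illustration.

```python
"""Key-usage separation of the two FINEID certificates and the slide's
subjectKeyIdentifier rule.

Added example; not code from the presentation or from the VRK/FINSIGN
software. keyUsage is encoded and decoded as a DER BIT STRING (RFC 5280
4.2.1.3); the subject key identifier is SHA-1 over the subjectPublicKey
BIT STRING value (RFC 5280 4.2.1.2 method 1), as the slide states. The
public-key bytes are a constructed placeholder, not a real key.
"""
import hashlib

# Named bits of the KeyUsage BIT STRING (RFC 5280); bit 0 is the most significant.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

AUTH_USAGES = {"digitalSignature", "keyEncipherment", "dataEncipherment"}  # certificate 1
SIGN_USAGES = {"nonRepudiation"}                                            # certificate 2

SAMPLE_PUBLIC_KEY = bytes.fromhex("300d0206" "00c1034f2b97" "0203010001")  # constructed placeholder


def encode_key_usage(usages) -> bytes:
    """DER BIT STRING for a set of usage names; DER drops trailing zero bits."""
    bits = [0] * 9
    for name in usages:
        bits[KEY_USAGE_BITS[name]] = 1
    while bits and bits[-1] == 0:
        bits.pop()
    nbytes = (len(bits) + 7) // 8
    value = 0
    for pos, bit in enumerate(bits):
        value |= bit << (nbytes * 8 - 1 - pos)
    unused = nbytes * 8 - len(bits)
    content = bytes([unused]) + value.to_bytes(nbytes, "big")
    return bytes([0x03, len(content)]) + content


def decode_key_usage(der: bytes) -> set:
    """Parse a short-form DER BIT STRING back into usage names; rejects malformed input."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    return {name for name, pos in KEY_USAGE_BITS.items()
            if pos < total_bits and body[pos // 8] & (0x80 >> (pos % 8))}


def subject_key_identifier(subject_public_key_bits: bytes) -> bytes:
    """RFC 5280 method 1 as on the slide: SHA-1 of the BIT STRING value, i.e. the
    key octets without the tag, length and unused-bits octet."""
    return hashlib.sha1(subject_public_key_bits).digest()


def fineid_role(usages) -> str:
    """Map a key-usage set to one of the card's two roles. Mixed sets are
    rejected so one key can never serve both as authentication and signing key."""
    usages = set(usages)
    if "nonRepudiation" in usages:
        if usages & {"keyEncipherment", "dataEncipherment", "keyAgreement"}:
            raise ValueError("nonRepudiation mixed with encipherment: %s" % sorted(usages))
        return "signature (PIN 2)"
    if AUTH_USAGES <= usages:
        return "authentication/encryption (PIN 1)"
    raise ValueError("unexpected key usage set: %s" % sorted(usages))


def accept_for(purpose: str, key_usage_der: bytes) -> bool:
    """Relying-party check: 'form-signature' needs certificate 2, 'tls-auth' certificate 1."""
    try:
        role = fineid_role(decode_key_usage(key_usage_der))
    except ValueError:
        return False
    wanted = {"form-signature": "signature (PIN 2)",
              "tls-auth": "authentication/encryption (PIN 1)"}
    return wanted.get(purpose) == role


def demo() -> dict:
    cert1 = encode_key_usage(AUTH_USAGES)
    cert2 = encode_key_usage(SIGN_USAGES)
    return {
        "cert1_der": cert1.hex(),
        "cert2_der": cert2.hex(),
        "cert1_roundtrip": sorted(decode_key_usage(cert1)),
        "cert2_roundtrip": sorted(decode_key_usage(cert2)),
        "sign_form_with_cert2": accept_for("form-signature", cert2),
        "sign_form_with_cert1": accept_for("form-signature", cert1),   # must be refused
        "tls_with_cert2": accept_for("tls-auth", cert2),               # must be refused
        "ski_hex": subject_key_identifier(SAMPLE_PUBLIC_KEY).hex(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-22s %s" % (k, v))
```

The encoder produces 03 02 04 B0 for certificate 1 and 03 02 06 40 for certificate 2; a decoder that ignored the unused-bits octet or accepted a count above 7 would misread bits, which is why the parser refuses such input rather than guessing.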

Page 10:

Finnish Electronic Identification and Supporting Technologies

WHERE, HOW, WHAT?

FINEID application on: ... company card, bank card
Certificates: citizen certificates (not for company cards), role certificates, email certificates, ...

Page 11:

Finnish Electronic Identification and Supporting Technologies

DIRECTORY SERVICE (X.500, CRL)
• FINSIGN CA FOR CITIZEN: X.500, open directory service
• Closed environments -> closed directories
• Personal certificates:
  • Certificate 1: authentication and encryption
  • Certificate 2: digital signature
• Juridical and server certificates
• CRL (Certificate Revocation List) v2
• Directory requests: LDAP v2.0 and v3.0 supported
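A v2 CRL published to the directory is only useful if the relying party treats it strictly: a CRL from another issuer, one not yet valid, or one past its nextUpdate must not be used to accept a certificate, otherwise an attacker who can block or substitute the CRL download revives a revoked card. The following is an added example, not code from the presentation or from the Sonera CRL service it names. The CRL contents are constructed sample data; the issuer name is the one on the certificate slide; the v2 per-entry reasonCode values are from RFC 5280; the five-minute skew allowance and the decision to treat certificateHold as a separate outcome are assumptions for the illustration.

```python
"""Certificate status decision from a v2 CRL.

Added example; not code from the presentation or from any CRL service named
on it. The CRL below is constructed sample data; reason codes follow RFC 5280.
The rule is: fail closed on a foreign, future-dated or stale CRL, report
certificateHold separately from a permanent revocation.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ISSUER = "C=FI, O=VRK-FINSIGN Gov. CA, CN=Finsign CA for Citizen"  # from the certificate slide

REASON_KEY_COMPROMISE = 1   # RFC 5280 CRLReason values
REASON_HOLD = 6             # certificateHold


@dataclass
class RevokedEntry:
    serial: int
    revocation_date: datetime
    reason: Optional[int] = None      # v2 per-entry extension, absent in a v1 CRL


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    entries: list


def certificate_status(crl: CRL, cert_issuer: str, serial: int, now: datetime,
                       max_skew: timedelta = timedelta(minutes=5)) -> str:
    """Return 'good', 'revoked', 'hold' or 'undetermined'.

    'undetermined' means this CRL gives no grounds to accept the certificate:
    it was issued by someone else, is dated in the future, or has expired.
    A relying party must then fetch a fresh CRL or refuse, never assume 'good'."""
    if crl.issuer != cert_issuer:
        return "undetermined"                 # serial numbers are only unique per issuer
    if now + max_skew < crl.this_update:
        return "undetermined"                 # CRL from the future: clock or substitution problem
    if now > crl.next_update + max_skew:
        return "undetermined"                 # stale CRL: fail closed
    for entry in crl.entries:
        if entry.serial == serial:
            return "hold" if entry.reason == REASON_HOLD else "revoked"
    return "good"


def sample_crl() -> CRL:
    """Constructed CRL: one compromised key, one certificate on hold."""
    t0 = datetime(2000, 1, 10, 12, 0, tzinfo=timezone.utc)
    return CRL(
        issuer=ISSUER,
        this_update=t0,
        next_update=t0 + timedelta(days=1),
        entries=[
            RevokedEntry(428, t0 - timedelta(hours=3), reason=REASON_KEY_COMPROMISE),
            RevokedEntry(431, t0 - timedelta(hours=1), reason=REASON_HOLD),
        ],
    )


def demo() -> dict:
    crl = sample_crl()
    now = crl.this_update + timedelta(hours=2)
    return {
        "compromised": certificate_status(crl, ISSUER, 428, now),
        "on_hold": certificate_status(crl, ISSUER, 431, now),
        "unlisted": certificate_status(crl, ISSUER, 500, now),
        "other_issuer": certificate_status(crl, "C=FI, O=Other CA", 500, now),
        "stale": certificate_status(crl, ISSUER, 500, crl.next_update + timedelta(hours=1)),
        "future": certificate_status(crl, ISSUER, 500, crl.this_update - timedelta(hours=1)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-13s %s" % (k, v))
```

The issuer comparison is the step most often skipped: the slide's directory tree hangs several CAs under one country entry, and serial 428 under one CA says nothing about serial 428 under another.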

Page 12:

X.500 directory tree

c = FI
  Issuer organisation level:  dmd = JULHA | dmd = FINEID | dmd = ...
                              o = VRK-FINSIGN Gov. CA | o = CertAll | o = NovoTrust | ...
  CA level:                   cn = FinSign CA for citizen
                              • caCertificate
                              • crossCertificates
                              • CRL
  User level:                 cn = Meikäläinen Maija 123456789, or ui = 428 (certificate serial number)
                              • objectClass = fineidPerson, strongAuthenticationUser or fineidUserCertificate
                              • userCertificates (multi-valued, or one entry per use), role and attribute certificates
                              • s = Meikäläinen, g = Maija, finuid = 123456789, other attributes
                                or s = Meikäläinen, g = Maija, fineidSubjectDistinguishedNameString = "s = Meikäläinen + g = Maija + finuid = 123456789, c = fi"
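The user-level entry above is addressed by a multi-valued RDN built from the holder's surname, given name and finuid, and looked up over LDAP; any service that builds such a DN or search filter from a value the user typed has to escape it, or a finuid of "123456789)(objectClass=*" rewrites the query. The following is an added example, not code from the presentation or from any directory product named on it. The attribute names and sample values are from the slide (the objectClass is spelt fineidPerson here); the search base c=FI, the nine-digit finuid format and the hostile inputs are assumptions for the illustration. Escaping follows RFC 4514 for distinguished names and RFC 4515 for search filters.

```python
"""Building the directory lookups from the slide without LDAP injection.

Added example; not code from the presentation or from any directory product
named on it. Attribute names and sample values are from the slide; the
finuid format, the search base and the hostile inputs are constructed.
Escaping follows RFC 4514 (DNs) and RFC 4515 (search filters).
"""
import re

FINUID_RE = re.compile(r"[0-9]{9}")     # assumed format, matching the slide's sample values

# RFC 4514 2.4: characters that need a backslash inside an attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def dn_escape(value: str) -> str:
    """Escape one attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))   # control characters as hex pairs
        else:
            out.append(ch)                   # UTF-8 such as ä is allowed as is
    return "".join(out)


def multi_valued_rdn(**attrs) -> str:
    """One RDN of several attribute=value pairs joined by '+', which is how the
    slide spells the user entry: s=Meikäläinen+g=Maija+finuid=123456789."""
    return "+".join("%s=%s" % (k, dn_escape(str(v))) for k, v in attrs.items())


def user_dn(surname: str, given: str, finuid: str, country: str = "FI") -> str:
    return multi_valued_rdn(s=surname, g=given, finuid=finuid) + ",c=" + dn_escape(country)


def filter_escape(value: str) -> str:
    """RFC 4515 3: ( ) * \\ NUL and, for safety, every non-ASCII byte become \\xx."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"()*\\\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def finuid_filter(finuid: str) -> str:
    """Filter for the user-level entry: validate first, escape second, so a value
    that is not a finuid never reaches the directory at all."""
    if not FINUID_RE.fullmatch(finuid):
        raise ValueError("not a finuid: %r" % finuid)
    return "(&(objectClass=fineidPerson)(finuid=%s))" % filter_escape(finuid)


def surname_filter(surname: str) -> str:
    """Free-text lookup by surname, where escaping alone has to do the work."""
    return "(&(objectClass=fineidPerson)(s=%s))" % filter_escape(surname)


def demo() -> dict:
    hostile = "Meikäläinen)(finuid=*"            # constructed injection attempt
    out = {
        "dn": user_dn("Meikäläinen", "Maija", "123456789"),
        "dn_escaped": user_dn("Doe, Jr.", "John", "000000000"),
        "filter": finuid_filter("123456789"),
        "surname_filter": surname_filter(hostile),
    }
    try:
        finuid_filter("123456789)(objectClass=*")
        out["injected_finuid"] = "accepted"
    except ValueError:
        out["injected_finuid"] = "rejected"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-16s %s" % (k, v))
```

Validation and escaping are deliberately separate layers: the finuid path rejects anything that is not nine digits, while the surname path must accept parentheses and asterisks in real names and therefore relies on the RFC 4515 escaping to keep them literal.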

Page 13:

Interactive electronic form

Components: end user software (smart card support, digital signature, encryption, payments integration, e-mail (S/MIME), web browser); smart card (keys, PIN 1 and PIN 2, certificates, other data, other applications, ...); Internet; firewall; WWW server with WWW forms; back-end system (TJ 1).

Steps:
1.) Secure form
2.) Secure authentication (PIN 1)
3.) Strong authentication, encryption of data transfer (SSL, IPSEC)
4.) FINUID 123456783
5.) Maija Meikäläinen, H: 111111-114A, addr: pöllökuja...
6.) Digital signature
7.) PIN 2
8.) Data storage
9.) Data check -> database
10.) Decision in storage, email to customer
11.) Customer reads, time stamp

Page 14:

Single Sign-on (intranet, extranet)

Step 1: Secure authentication to the SSO product (smart card, SecurID token)
Step 2: Transparent sign-on with encrypted passwords (SIB) to the target systems' Login/Password prompts: departmental server, mainframe, network operating system

Page 15:

EESSI Standards Overview: Qualified Electronic Signature environment

Standards areas (CEN E-SIGN, ETSI ESI):
• Signature creation process and environment
• Signature validation process and environment
• Signature format and syntax
• Creation device
• Qualified Certificate policy
• Trustworthy system

Roles and objects: Certification Service Provider, Subscriber/signer, Relying party, Qualified certificate, Time stamp

Page 16:

Baseline Qualified Certificate Policy

European Directive Requirements -> Baseline Qualified Certificate Policy (identified by an OID) -> Qualified Certificate issued by the CSP
Derived documents: Subscriber Agreement, CPS, Subscriber Obligations, CSP Obligations, Recommended Usage, internal documents
Parties: Subscriber (User), Relying parties, Business Application using Qualified Electronic Signatures, Recognised Conformance Certification Body, Auditors

Page 17:

Specific Qualified Certificate Policy

European Directive Requirements -> Baseline Qualified Certificate Policy + additional community / application specific requirements -> Specific Qualified Certificate Policy (identified by an OID) -> Qualified Certificate issued by the CSP
Derived documents: Subscriber Agreement, CPS, Subscriber Obligations, Baseline + Specific CSP Obligations, Recommended Usage, internal documents
Parties: Subscriber (User), Relying parties, Business Application using Qualified Electronic Signatures, Recognised Conformance Certification Body, Auditors

Page 18:

Levels of certificates

1. VRK-Finsign Gov. CA -> Finsign CA for ...
   • Certificates contain FINUID
   • RAs: police, social insurance institute, banks
   • Two face-to-face identifications => widely accepted
   • Specific Qualified Certificates

2. VRK-Finsign Enterprise CA? -> Finsign Enterprise CA for ...
   • B2B, B2C, no FINUID
   • RAs: ICL Invia, TietoEnator, other software houses
   • Meets the requirements of the BQCP (Baseline Qualified Certificate Policy)
   • Qualified Certificates

3. Organizational CAs
   • No FINUID; use is up to the organisation involved
   • May not meet the requirements coming from the BQCP (e.g. the SSCD does not fulfil the required level of security)
   • Qualified or non-qualified certificates

Page 19:

Framework for EESSI Standards & Classes for Electronic Signatures

Levels of signatures, by security/quality level against the four standards areas (Signature Creation Device, Certificate Policy, Electronic Signature Syntax, Trustworthy System):
• Qualified Electronic Signature
• Signature with long validity
• Signature for limited value transactions

Page 20:

Finnish Electronic Identification and Supporting Technologies

Users
Finland:
• Public administration (100 ongoing projects)
• State authorities and municipalities (0.5 million employees)
• Private sector: banks, insurance companies, unions; telecommunication operators and Internet service providers; large firms; retail, e-commerce
• Citizens: 5 million
• Sweden: SEIS interoperability, both public and private sector
• Norway: SEIS interoperability in administration, citizens
• EU, PKCS#15 --> global market!

Page 21:

Finnish Electronic Identification and Supporting Technologies

Where to use?
Channels: mobile Internet, Internet, satellite TV, cable TV, digital TV
Areas: education, banking, consuming, wireless communications, public services, ...

New technologies, development under process:
• WWW (digital) television with FINEID interoperability
• GSM/WAP with and without a separate card reader
• WWW-based info kiosks with FINEID interoperability
• end-user card reader and software package (ISPs)

Page 22:

Electronic services

• The very first service to utilize the FINEID card: the electronic moving notification (change-of-address application) by the Population Register Centre and Finnish Post

Next services, among others:
• Services by municipalities and regions (Tornio, Rovaniemi, Oulu, Kuusamo/Koillismaa, Pori, Raisio, Turku, Etelä-Karjala IT region, Espoo, Vantaa, Helsinki and Joensuu; common to all of these are various application forms, electronic forms, library services etc.)
• Application and financial services by the Finnish patent organization
• Electronic tax service for companies and organizations
• Employment services by the Ministry of Labour
• Electronic application form by the Office of Education
• Social and welfare services / makropilot

Page 23:

Electronic services

Private sector services, among others:
• OKO-bank, Leonia-bank and Mandatum bank will be offering, within a year, a significantly wider range of Internet banking services than before
• Fennia insurance will offer sophisticated Internet insurance services
• Ge Capitals will offer financial services for car dealers and buyers
• Services offered by Fortum concern consumers making contracts for buying electricity
• In addition, e.g. ICL will take the FINEID card into internal use