eID: the Belgian Electronic Identity Card. Jan Deprest Vlaanderen – OND-MVG – 28-06-2005. e-government. What is e-Government ?. NOT : about government HOWEVER : it is about the government’s customers citizens businesses civil servants. e-Government principles. total solution - PowerPoint PPT Presentation
eID: the Belgian Electronic Identity Card
Jan Deprest
Vlaanderen – OND-MVG – 28-06-2005
e-government
What is e-Government ?
NOT : about government
HOWEVER : it is about the government’s customers : citizens, businesses, civil servants
e-Government principles
> total solution
> transparent (hide the internal organisation)
> “I will say it only once” - Unique Data Source (Virtual Government)
> limit the administrative formalities
> no extra cost
> Privacy
> no digital divide
Architecture & building blocks
[Architecture diagram; only its labels survive extraction: a SECURITY & PRIVACY layer across the whole stack; the FEDMAN and UME building blocks; OTHER AUTHORITIES and OTHER INSTITUTIONS; several FPS (federal public services) forming a "Connected government"; the PORTAL www.belgium.be; the AUTHENTIC SOURCES; USER MGT (user management).]
eID - basics
A new ID-card with the format of a bank card and a powerful chip
Purpose eID project
Proof of identity
Signature tool
> To give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures
Which information ?
> From a visual point of view the same information will be visible as on the current identity card :
• the name
• the first two Christian names
• the first letter of the third Christian name
• the nationality
• the birth place and date
• the sex
• the place of delivery of the card
• the begin and end dates of the validity of the card
• the denomination and number of the card
• the photo of the holder
• the signature of the holder
• the identification number of the National Register
> Identical functionality to current identity card
Visual identification of the holder
Which information ?
> From an electronic point of view the chip will contain the same information as printed on the card, filled up with :
• the identity and signature keys
• the identity and signature certificates
• the accredited certification service provider
• information necessary for authentication of the card and securing of the electronic data
• the main residence of the holder
> (Currently) no encryption certificates
> No biometric data (yet)
> No electronic purse
> No storage of other data
Electronic identification of the holder
Distribution eID : how and where ?
[Process diagram; only its labels and step numbers (1) to (13) survive extraction: the citizen (sample holder "Matti Meikäläinen") is identified face to face at the Municipality; the other actors are the municipalities, the National Register, VRK, CM/CP/CI, the CA (ECA / Bull) and the delivery of the PIN & PUK1 code to the holder.]
eID - chip
eID, welcome to the e-world !
Contents of the chip
[Diagram: an ID file and an ADDRESS file, each signed by the RRN (National Register); an authentication key and certificate and a digital-signature key and certificate, together forming the card's PKI identity.]
eID : the main e-functionalities
authentication
data capture
digital signature
Data capture
> faster data capture : data can be read directly from the card and stored in a particular system
> more accurate data capture : no more manual re-entering, a less error-prone process
> more efficient data capture : faster processing of information
Authentication
log on to web sites (SSO), access control, container park, library, swimming pool, …
Signature
Signing (Alice) :
1. Compose message
2. Compute hash
3. Generate signature
4. Collect signature
5. Collect certificate
6. Send message
Verification (Bob) :
1. Receive message
2. Inspect certificate
3. Check CRL/OCSP
4. Check certificate
5. Fetch public key
6. Fetch signature
7. Compute reference hash
8. Hash, signature, public key match? (Matching triplet?)
eID - PKI
Public Key Infrastructure
Trust Hierarchy
[Diagram; only its labels survive extraction: Belgium Root (self-signed, RootSign; publishes the Root ARL) above the Government CA (CRL), the Citizen CA (CRL) and the Admin CA hierarchy (CRL); the Card holds the Auth (AuthElec) and Sign (SignData) certificates issued under the Citizen CA; AdminCert / AdminClient, CryptClient and Server certificate objects are the other leaf types.]
Certificates
> Citizen’s certificates & keys
• Authentication Certificate & key pair (1024 bits) : provide strong authentication (access control)
• web site authentication
• single sign-on (login)
• etc.
• Signature Certificate & key pair (1024 bits) : provide non-repudiation (electronic signature equivalent to handwritten signature)
• Document Signing
• Form Signing
• etc.
• (Encryption Certificate & key pair) : foreseen at a later stage ; private key backup/archiving
[Diagram: Belgium Root CA above the Citizen CA, which issues the Auth and Sign certificates, and a Crypt Citizen CA for the encryption certificate foreseen later.]
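The signing and verification flow from the Signature slide, run against a scaled-down copy of the trust hierarchy just described (a self-signed root, an issuing Citizen CA, a citizen signature certificate and a CRL from the Citizen CA). This is an added example written for this page; it is not code from the presentation, from Fedict or from the eID toolkit. The certificate names ("Demo Root CA", "Demo Citizen CA", "Demo Citizen (Signature)"), the serial numbers, the sample message and the choice of SHA-256 with 2048-bit RSA are assumptions of the example: the card described here carried 1024-bit key pairs and performs the private-key operation inside the chip behind the PIN, which the example simulates with an in-memory key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Stand-ins for the slide's hierarchy: self-signed root ("Belgium Root CA" role), issuing CA ("Citizen CA" role), citizen signature certificate.
type demoPKI struct {
	rootCert, citizenCA, signerCert *x509.Certificate
	rootKey, citizenKey, signerKey  *rsa.PrivateKey
}

// issue generates a fresh key and a certificate for it signed by parentKey (self-signed when parent is nil). Names and serials are constructed; the 2005 card used 1024-bit keys, 2048 here.
func issue(cn string, serial int64, isCA bool, usage x509.KeyUsage, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: usage}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newDemoPKI builds the three-level chain: root -> Citizen CA -> citizen signature certificate.
func newDemoPKI() (p *demoPKI, err error) {
	p = new(demoPKI)
	caUsage := x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	if p.rootCert, p.rootKey, err = issue("Demo Root CA", 1, true, caUsage, nil, nil); err != nil {
		return nil, err
	}
	if p.citizenCA, p.citizenKey, err = issue("Demo Citizen CA", 2, true, caUsage, p.rootCert, p.rootKey); err != nil {
		return nil, err
	}
	sigUsage := x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment // non-repudiation profile
	p.signerCert, p.signerKey, err = issue("Demo Citizen (Signature)", 3, false, sigUsage, p.citizenCA, p.citizenKey)
	return p, err
}

// issueCRL has the Citizen CA publish a CRL listing the given serials (none for a clean CRL).
func issueCRL(p *demoPKI, revoked ...*big.Int) (*x509.RevocationList, error) {
	now := time.Now()
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificateEntries = append(tmpl.RevokedCertificateEntries, x509.RevocationListEntry{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, p.citizenCA, p.citizenKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// signMessage is Alice's side (slide steps 2-3): hash the message and sign the digest. On the real card this private-key operation happens inside the chip after PIN entry.
func signMessage(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifySignedMessage is Bob's side (slide steps 2-8): certificate, chain and CRL checks, then the hash / signature / public key "triplet" test.
func verifySignedMessage(msg, sig []byte, signer, issuer, root *x509.Certificate, crl *x509.RevocationList) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(issuer)
	// Steps 2 and 4: the certificate must chain to the trusted root and must be a signature certificate.
	if _, err := signer.Verify(opts); err != nil || signer.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return fmt.Errorf("certificate rejected (chain error: %v, key usage: %d)", err, signer.KeyUsage)
	}
	// Step 3: the CRL must be signed by the issuer, be current, and not list this serial.
	if err := crl.CheckSignatureFrom(issuer); err != nil || time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("CRL unusable (signature error: %v, next update: %v)", err, crl.NextUpdate)
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(signer.SerialNumber) == 0 {
			return fmt.Errorf("certificate is revoked")
		}
	}
	// Step 5: take the public key from the certificate; steps 7-8: recompute the reference hash and check that hash, signature and public key form a matching triplet.
	pub, ok := signer.PublicKey.(*rsa.PublicKey)
	digest := sha256.Sum256(msg)
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return fmt.Errorf("hash, signature and public key do not match")
	}
	return nil
}
```

issueCRL(p) yields a clean CRL and issueCRL(p, p.signerCert.SerialNumber) one that revokes the citizen's certificate, so the same verifySignedMessage call can be exercised on a genuine message, a tampered message and a revoked signer. Where the slide's step 3 says CRL/OCSP the example checks only a CRL; the Trust Services slide lists OCSP and XKMS as the online alternatives a relying party would use instead of downloading the whole list.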
Trust Services
[Diagram; only its labels survive extraction: Citizens register at the Municipality (Population Registry) and request certificates; the CA Factory issues the Auth/Sign certificates under a CPS and an SLA; Secure Sites validate certificates through XKMS and OCSP.]
eID - toolkit
Let’s make use of the power of the eID !
eID-toolkits
> Two toolkits are under development :
• GUI + PKCS#11 libraries : reading, printing, validating and visualising the contents of the eID chip
• authentication proxy : easy authentication on multiple platforms
> Purpose is to hide internal card changes
> Labeling should be straightforward if applications use toolkits
> Both toolkits are free of charge
> Distribution through federal portal (http://www.belgium.be/fedict, Projecten, eID)
RELEASED
[Toolkit GUI screenshots: the Identity, Library, Certificates, Card & PIN and Options tabs.]
eID - labelling
eID compliance label
> Requirements :
• For citizens : get confidence in practices of service providers regarding eID usage (e.g. privacy)
• For service providers : demonstrate best practices are indeed applied regarding eID usage (e.g. fraud)
> Inspired from two industry standards :
• WebTrust : eCommerce sites
• SysTrust : eTransaction systems
> Lots of auditors available
• For service providers : easy to extend a WebTrust/SysTrust accreditation to be eID compliant
• For auditors : easy to extend a WebTrust/SysTrust license to become an eID compliance agent
> Fast & rather cheap compared to other schemes
> Not mandatory (but no eID liability otherwise)
Trust Services
> Labeling procedure for card readers and applications : creating trust for citizens, a legal basis for the government and branding for enterprises
> Based on industry standards
> Currently being worked out in cooperation with Banksys, CBSS
eID-label
eID - applications
Only the developers’ creativity will limit the usage of the eID card.
Home & Work
> Office tools : e-mail, login (local PC & network), logon (other services), data & program confidentiality, forms, ...
Administration
> Federal : TAX-ON-WEB, VAT, DIV, …
> Municipalities : marriage, house, kids, school, library, swimming pool, container parks, …
Telecom
> Telephony : reloadable & account cards, GSM cards ==> UMTS/i-mode
> Television : Pay-TV, decryption cards
> Post : registered mail over internet
> Internet : VOIP (voice over IP), i-mode
Finance
> Identification : netbanking (userID/Tokens), counter (bank agency), insurance contract (signature)
> Payment : credit cards, debit cards, electronic purse
Healthcare
> Insurance : MediCard (contract)
> Hospital : private data (hospital card, etc), health/emergency data (blood group, etc)
> Reimbursement : SIS card, pharmacy, doctors
Transport
> Public transport : ticketing, in-flight entertainment
> Parking : access, tolling
> Gas & Fuel : fuel cards, loyalty cards
Retail & Delivery
> Loyalty Programs : points collection, online gift selection
> Payment : credit contract signature, payment system (domiciliation)
> Home Delivery : online orders, data capture & digital signature
The sky is the limit !
home banking, online opening of accounts, …
proof of membership
SSO, …
healthcare
driver’s licence
student cards, e-learning, …
…
e-commerce
Q&A
Rue Marie Thérèse 1/3 / Maria-Theresiastraat 1/3
Bruxelles 1000 Brussel
TEL +32 2 212 96 00
FAX +32 2 212 96 99
[email protected]
www.belgium.be/fedict
Th@nk you !