cryptovision mindshare 2015: eIDAS as blueprint for future eID projects, Holger Funke, Slide 2, 2015-06-24
Agenda
eIDAS Regulation
TR-03110 V2.20
German ID card
POSeIDAS
Summary
eIDAS Regulation
EU Regulation No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market (short: eIDAS Regulation)
Regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities
Objective: increase the effectiveness of public and private online services, eBusiness and electronic commerce in the EU
Electronic Identification: Natural and legal persons shall be enabled to use their eID in services located in other EU Member States (MS)
Trust Services, Signature:
  Should work cross-border in Europe
  Same legal value as paper-based processes
General Provisions (article 1 to 5)
Electronic Identification (article 6 to 12)
Trust Services
  General Provisions (article 13 to 16)
  Supervision (article 17 to 19)
  Qualified Trust Services (article 20 to 24)
  Electronic Signatures (article 25 to 34)
  Electronic Seals (article 35 to 40)
  Electronic Time Stamps (article 41 to 42)
  Electronic Registered Delivery Services (article 43 to 44)
  Website Authentication (article 45)
Electronic Documents (article 46)
Delegations of Power and Implementing Provisions (article 47 to 48)
Final provisions (article 49 to 52)
eIDAS Regulation: Basics
Electronic Identification
  There is no „must“ for a MS to introduce an identification process
  There is a „must“ to accept the identification processes of other MS
Trust Services
  Supervisory bodies for trust service providers
Electronic Signatures
  eIDAS Regulation replaces 1999/93/EG (SigG)
Electronic Seals
  Qualified seal of a legal person, e.g. lawyer
Electronic Time Stamps
  Qualified time stamps to guarantee a specific date
eIDAS Regulation: Notification
Notification of (existing) national eID schemes
  No „EU-eID“, but mutual recognition of national eIDs
Notification is not mandatory
  … at least legally
Recognition of notified eIDs is mandatory
  Even if a MS does not notify an eID scheme itself, it has to recognize all notified schemes from other MS
„Interoperability“ instead of „Harmonisation“
eIDAS Regulation: Towards a European Digital Identity
3 Key Drivers:
  Security: Border Control, Protection of Schengen Area
  Growth: Digital economy with 400 million participants, EU Digital Agenda 2020
  Identity: Creating the „European Identity“
How to make it happen?
  Political: European Building of 28 MS
  Legal: Directives, Regulations
  Technical: Standards (ISO, CEN, ETSI, DIN…)
eIDAS Regulation: eID vs eSign
eID: Authentication of (some) identity information (amount of information application dependent)
eSign: Legally binding transaction (contract, full identity of signer)
eID: Equivalent to presentation of an ID card in the physical world
eSign: Equivalent to a written signature
eID: No transferable proof, verifiable only by the relying party
eSign: Transferable proof, verifiable by everyone
eID: Ephemeral – identity only verified for one moment
eSign: Perpetual – signature valid and verifiable in eternity (up to cryptography)
Source: Jens Bender, BSI, ETSI Security WS 2014
eIDAS Regulation: Transaction Workflow (tax declaration)
Source: Andrea Servida, EC
eID cards in Europe: Interoperability of Specifications
(Diagram of the relationships between the specifications: ICAO Doc 9303 and the ICAO Technical Reports (eMRTD: BAC, AA, PA; SAC: PACEv1; LDS 2.0), TR-03110 v1.11 (EACv1), and TR-03110 v2.20 Parts 1 to 4 (eMRTD with EACv1 and writing; eIDAS Token with EACv2, PACEv2, ERA, PS and RI; eIDAS Profiles with CAv1, TAv1 and PACEv2).)
Structure of TR-03110
“Technical Guideline Advanced Security Mechanisms for Machine Readable Travel Documents and eIDAS Token”
Version 2.20, February 2015
Liaison between BSI (Germany) and ANSSI (France)
TR-03110: Extended Access Control V2
Mutual authentication mechanism between the terminal and the chip based on PKI
  Chip Authentication V2
    Authenticates the chip as genuine
    Enforces strong encryption and integrity protection of the transmitted data
  Terminal Authentication V2
    Restricts access to data stored on the chip to authorized terminals
TR-03110: Restricted Identification
Used to generate a chip-specific pseudonym for a certain terminal sector
The terminal sector is an identifier shared by all terminals of a certain service provider
This allows an (authenticated) terminal to recognize a chip based on the pseudonym previously received from the chip, without reading out any personal data
It is computationally infeasible to link pseudonyms across terminal sectors (privacy)
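The pseudonym derivation described above, as an added example that is not code from the slides, from TR-03110 or from any of the implementations it mentions: it models the chip's side and the sector's side of Restricted Identification with a toy finite-field Diffie-Hellman group in place of the elliptic-curve key agreement the guideline uses (group parameters, function names and all keys are assumptions, generated on the fly).

```python
# Added example (not from the slides): toy model of Restricted Identification.
# Assumption: a finite-field Diffie-Hellman group over a demo prime stands in
# for the elliptic-curve key agreement TR-03110 uses; sizes are not secure.
import hashlib
import secrets

P = 2**127 - 1   # toy prime (assumption); real deployments use EC groups
G = 3            # toy generator (assumption)


def keygen():
    """Static key pair (SK, PK): chip key SK_ID/PK_ID or a sector key pair."""
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def _h(value):
    return hashlib.sha256(value.to_bytes(16, "big")).hexdigest()


def sector_key_hash(sector_pk):
    """Hash of the sector public key as carried in the terminal certificate."""
    return _h(sector_pk)


def chip_restricted_identification(chip_sk, sector_pk, cert_sector_hash):
    """Chip side after Terminal Authentication: the presented sector key must
    match the hash from the verified certificate; then I = H(KA(SK_ID, PK_sector)).
    Only this hash leaves the chip; PK_ID is never disclosed to the terminal."""
    if sector_key_hash(sector_pk) != cert_sector_hash:
        raise ValueError("sector public key not bound to terminal certificate")
    return _h(pow(sector_pk, chip_sk, P))


def sector_recompute(sector_sk, chip_pk):
    """The same value from the sector side needs SK_sector and PK_ID, which is
    why PK_ID stays inside the chip and sector private keys need protection."""
    return _h(pow(chip_pk, sector_sk, P))


def demo():
    """Two chips visit two sectors; returns the pseudonyms for comparison."""
    chip_a, chip_b, sector_1, sector_2 = keygen(), keygen(), keygen(), keygen()

    def visit(chip, sector):
        return chip_restricted_identification(chip[0], sector[1], sector_key_hash(sector[1]))

    return {"a_at_1": visit(chip_a, sector_1),
            "a_at_1_again": visit(chip_a, sector_1),  # recognized on return
            "a_at_2": visit(chip_a, sector_2),        # unlinkable to a_at_1
            "b_at_1": visit(chip_b, sector_1),        # other holder, distinct
            "sector_1_view_of_a": sector_recompute(sector_1[0], chip_a[1])}
```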
TR-03110: Pseudonymous Signatures
Protocol that allows signing data under a chip- and sector-specific pseudonym
PS can be used as an alternative to Restricted Identification
PS is part of a version of Chip Authentication
Variants of Pseudonymous Signatures:
  Pseudonymous Signature Authentication (PSA)
    Part of CAv3
    Input: Token’s Ephemeral Public Key and DH Key Agreement
  Pseudonymous Signature of a Message (PSM)
    Input: Message of the holder of the token
  Pseudonymous Signature of Credentials (PSC)
    In combination with ERA
    Input: Attribute stored on Token
TR-03110: Enhanced Role Authentication
Used to store requests for additional attributes on the chip
Attribute Providers (AP) can read these requests and may provide corresponding attributes for authorized Service Providers (SP) via storage in the chip
The Attribute Provider cannot detect to which Service Provider the chip communicates (privacy)
Online Authentication with GAP and ERA
TR-03110: Attribute Handling and Deployment (I)
No third party (GAP, General Authentication Procedure)
  Direct relationship between token and SP
  No ID-Provider
  No tracking
  No central point of failure
ID attributes stored on token
  … and only on token
Offline capable
TR-03110: Attribute Handling and Deployment (II)
Trusted third party (ERA)
  Direct relationship between token and SP
  Attribute Provider can
    … provide additional attributes to token
    … provide authorizations
  No relationship between AP and SP
  Token as privacy “firewall”
  Different from ID-Provider
TR-03110: Attribute Handling and Deployment (III)
Combination of both scenarios possible:
  No third party, GAP
  Third party, ERA
“Base attributes” stored on token
“Extension attributes” via attribute provider
Issuer decides which attributes are available as base or extension attributes
SP does not need to distinguish between both types of attributes
TR-03110: Privacy Properties
Privacy by Design principle
Real user consent
Protected by secure element + password (2FA)
Strong authentication mechanisms:
  PACE
  Extended Access Control
  Mutual Authentication
Data minimization (only the needed information about the holder is provided)
  Restricted Identification
  Pseudonymous Signatures
  Enhanced Role Authentication
  Age Verification
TR-03110: Tool box for eIDAS token
Interoperable electronic LDS (Logical Data Structure) covering all data fields in use in deployed European eID infrastructures
  LDS is designed to be extended easily
  New data groups in Version 2.20
Modular approach
  Use the protocols and configuration according to the issuer’s needs
  Allow future extensibility
Achieving highest levels of assurance
Technology neutrality
TR-03110: eIDAS Profiles (Part 4)
Profile: European Passport
  Passwords: MRZ, CAN
  Authentication Procedure: AIP (Advanced Inspection Procedure)
  Applications: ePassport
  Protocols: PACE, TAv1, CAv1
Profile: ID card with MRTD application
  Passwords: MRZ, CAN, PIN, PUK
  Authentication Procedure: GAP (General Authentication Procedure)
  Applications: ePassport, eID, eSign
  Protocols: PACE, TAv2, CAv2, RI
Profile: ID card with optional EU-compliant MRTD application
  Passwords: MRZ, CAN, PIN, PUK
  Authentication Procedure: GAP, AIP
  Applications: ePassport, eID, eSign
  Protocols: PACE, TAv2, CAv2, RI, TAv1, CAv1
German ID card (from a technical point of view)
Three applications available:
ePassport application (ICAO)
eID application (Online Authentication)
eSign application (QES)
Source: www.personalausweisportal.de
German ID card: Identification process
Source: www.personalausweisportal.de
ID card (Germany): Mutual Authentication
Source: BSI
German ID card: Protocols
ePassport application:
  BAC / PACE
  Chip Authentication V1
  Terminal Authentication V1
eID application:
  PACE
  Chip Authentication V2
  Terminal Authentication V2
  Granular access rights for all data groups
  Restricted Identification
  Auxiliary Data Verification
German ID card: Stored data (eID application)
Document type, Issuing State, Date of Expiry
Given Names, Family Names, Artistic name, Academic title
Date of birth, Place of birth
Nationality
Sex
Birth name
Normal Place of residence (writable for updates)
Residence permit (eAT)
Explicit access rights for every data group (PACE + TA + CA)
Write access for address
Service Provider needs a certificate to get access!
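How the eID application enforces these per-data-group rights, including Age Verification via Auxiliary Data Verification, as an added example that is not code from the slides, from PersoSim or from the card itself; the data-group names follow the list above, while the right names, the session model and the fictional holder record are assumptions.

```python
# Added example (not from the slides): model of per-data-group access in the
# eID application. Assumptions: right names, the session model and the
# constructed, fictional holder record below.
from datetime import date

DATA_GROUPS = frozenset({
    "DocumentType", "IssuingState", "DateOfExpiry", "GivenNames", "FamilyNames",
    "ArtisticName", "AcademicTitle", "DateOfBirth", "PlaceOfBirth", "Nationality",
    "Sex", "BirthName", "PlaceOfResidence", "ResidencePermit"})
AGE_VERIFICATION = "AgeVerification"   # special function, not a data group

SAMPLE_HOLDER = {"GivenNames": "Erika", "FamilyNames": "Mustermann",   # constructed
                 "DateOfBirth": date(1964, 8, 12), "PlaceOfResidence": "Berlin"}


class EidApplication:
    def __init__(self, holder):
        self._holder = holder
        self._effective = frozenset()   # rights in force for this session

    def start_session(self, certificate_rights, requested_rights):
        """PACE carries the rights the holder consented to, Terminal
        Authentication proves the certificate; the chip grants only the
        intersection, so a terminal never gets more than its certificate
        allows and the holder can always restrict further (data minimization)."""
        self._effective = frozenset(requested_rights) & frozenset(certificate_rights)
        return self._effective

    def read(self, data_group):
        """Read one data group; refused unless the session holds that right."""
        if data_group not in DATA_GROUPS:
            raise KeyError(f"unknown data group {data_group}")
        if data_group not in self._effective:
            raise PermissionError(f"no read right for {data_group}")
        return self._holder.get(data_group)

    def verify_age(self, reference_date):
        """Auxiliary Data Verification: the terminal sends a date and learns
        only whether the holder was born on or before it; DoB is not released."""
        if AGE_VERIFICATION not in self._effective:
            raise PermissionError("no AgeVerification right")
        return self._holder["DateOfBirth"] <= reference_date


def demo():
    """The SP certificate allows more than the holder consents to."""
    app = EidApplication(SAMPLE_HOLDER)
    cert = {"GivenNames", "FamilyNames", "DateOfBirth", "PlaceOfResidence", AGE_VERIFICATION}
    consented = {"GivenNames", "FamilyNames", AGE_VERIFICATION}  # DoB, address deselected
    app.start_session(cert, consented)
    try:
        app.read("DateOfBirth")
        dob_denied = False
    except PermissionError:
        dob_denied = True
    return {"name": app.read("GivenNames") + " " + app.read("FamilyNames"),
            "dob_denied": dob_denied,
            "over_18": app.verify_age(date(2015 - 18, 6, 24))}  # 18 on 2015-06-24?
```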
POSeIDAS: PersoSim
HJP developed an open source eID simulator for the simulation of all functions of the chip application of the German ID card (Personalausweis) – PersoSim. It offers application developers an alternative to sample cards to test their applications.
HJP further developed virtual Windows- and Linux-based card readers, which allow the simulation of the functions of the different reader types (basic, standard or comfort reader) for the German electronic identity card based on the technical guideline BSI TR-03119.
The migration to an Android operating system further allows the simulation of the eID function of the ID card with an NFC-enabled smartphone.
PersoSim is BSI-certified according to BSI TR-03105
POSeIDAS: Implementation of PersoSim
Implementation of the functionality of the electronic ID card based on BSI TR-03110:
  PACE
  Chip Authentication v2
  Terminal Authentication v2
  Restricted Identification
  Age verification
Integration into Test-PKI and Beta-PKI of the BSI
  Signing of data
  Certificates based on PKI
Certified by BSI based on TR-03110 / TR-03105
Available here:
  www.persosim.org
  https://github.com/PersoSim
POSeIDAS: PersoSim in the German ID landscape
POSeIDAS: Overview
Prototype implementation of an open source eIDAS token
  Part I: Server, Part II: Simulator, Part III: Smart Card
Project in cooperation with BSI and cryptovision
Started in spring 2015
Implementation of eIDAS protocols (TR-03110 V2.20)
  Simulator -> PersoSim
  Smart Card -> JavaCard
Objectives:
  See protocols in “real life”
  Collect experience with new protocols
  Reference implementation of eIDAS token
  Review of specifications during implementation
POSeIDAS: Stages of expansion
Stage 1:
  Profile „Identity card with protected MRTD application“
Stage 2:
  Chip Authentication Version 3
  Pseudonymous Signatures (PSA, PSM, PSC)
Stage 3:
  Authorization Extensions
Stage 4:
  Enhanced Role Authentication (ERA)
  Management of Attributes
Summary
eIDAS-Regulation: Interoperability of eID and eSign
Regulation No. 910/2014 is finalized
TR-03110 v2.20 as a tool box for eIDAS token is finalized
Chance to replace Login/Password
New chance for electronic signature?
German ID card is „eIDAS compliant“
First implementation of new protocols: project POSeIDAS
Questions?
HJP Consulting GmbH
Holger Funke
Hauptstraße 35
33178 Borchen, Germany
tel: +49 5251 41 77 633
fax: +49 5251 41 77 666
e-mail: [email protected]
web: www.hjp-consulting.com