copyright © fedict 2003. all rights reserved belgian electronic identity card (belpic) ir. olivier...
TRANSCRIPT
Copyright © FedICT 2003. All rights reserved
Belgian Electronic Identity Card (BELPIC)
Ir. Olivier LIBON.
Microsoft EAP – Government & Education
7 April 2005
Diegem
Copyright © FedICT 2004. All rights reserved
Agenda
FedICT (the belgian eGov strategy) Principles Objectives Planning
FedPKI (the belgian PKI initiative) Trust hierarchy Certificates Trust Services
Technical Framework (the belgian eID card) Card Layout vs Electronic Ship Data Capture vs Authentication vs Signature Card Production / Personalization Card / Chip / Data / MiddleWare / Toolkit Applications: today & tomorrow
Copyright © FedICT 2004. All rights reserved
Principles
Administration Complexity Simplification1 federal state Civil Servants3 regions / 3 communities Enterprises10 provinces / 589 Municipalities Citizens
Front-Office: Unique Data collection principle federated identity management (FedPKI) federated transactional site (FedGATE) federated information exchange (FedUME) federated network management (FedMAN)
Back-Office: Authentic Data sources principle unique citizens DB/ID (Population Registry) unique enterprises DB/ID (CrossRoads Bank for
Enterprises) unique ... DB/ID
?
Copyright © FedICT 2004. All rights reserved
MinSocMinEcoMinFinMinInt
Objectives
FedMANUnified TCP/IP Network
FedUMEUnified XML Gateway
FedGATEUnified Transactional Site
LocalUME
LocalGATE
LocalNetwork
Citizens Enterprises Civil Servants
FedPKIUnified Identity Management Framework
RegionsCommunitiesMunicipalities
Provinces
...
Copyright © FedICT 2004. All rights reserved
Planning
2001 2002 2003 2004
AuthorizationAuthentication
Static Site Transactional Site
XML Gateway XML Processing
IP Network IP Services
Citizens DB& unique IDs
Enterprises DB& unique IDs
...
FedPKI
FedGATE
FedUME
FedMAN
Unique IDs
Copyright © FedICT 2004. All rights reserved
Trust Hierarchy
Card
AdminCert
AdminClient
AuthElec
SignData
CryptClient
Cert
Admin
CA
Hierar
Admin
CRL
Citizen
CA
CRL
GovCA
CRL
SelfSign
Belgium
RootARL
RootSign
Belgium
Root
Server
CertObject
Cert
Admin Auth/Sign
EU Bridge CA
Copyright © FedICT 2004. All rights reserved
Certificates
Citizen’s certificates & keys
Authentication Certificate & key pair (1024 bits) provide strong authentication (access control)
web site authentication single sign-on (login) etc.
Signature Certificate & key pair (1024 bits) provide non repudiation (electronic signature equivalent to
handwritten signature) Document Signing Form Signing etc.
(Encryption Certificate & key pair) foreseen at a later stage private key backup/archiving
Auth Sign
Citizen
CA
Belgium
Root
CA
Crypt
Citizen
CA
Copyright © FedICT 2004. All rights reserved
Trust Services
Request
Auth/Sign Validate
Register
PopulationRegistry
Secure Sites
Municipality
XKMS
OCSP
CA Factory
Citizens
CPS SLA
Copyright © FedICT 2004. All rights reserved
Card Aim
To give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures
Proof of identity
Signature tool
Copyright © FedICT 2004. All rights reserved
Visual part
From a visual point of view the same information will be visible as on the current identity card : the name the first two Christian names the first letter of the third Christian name the nationality the birth place and date the sex the place of delivery of the card the begin and end data of the validity of the card the denomination and number of the card the photo of the holder the signature of the holder the identification number of the National Register the main residence of the holder (until 31/12/2003)
Identical functionality to current identity card
Visual identification of the holder
Copyright © FedICT 2004. All rights reserved
Electronic Part
From an electronic point of view the chip will contain the same information as printed on the card, filled up with: the identity and signature keys the identity and signature certificates the accredited certification service furnisher Information necessary for authentication of the card and
securization of the electronic data the main residence of the holder
(Currently) no encryption certificates No electronic purse No biometric data Conformity with European Directive
1999/93/EC
Electronic identification of
the holder
Copyright © FedICT 2004. All rights reserved
Advanced Electronic Signature
Electronic Signatures
Advanced Electronic SignaturesArticle 2.2 (PKI technology)
Qualified Electronic Signature
+AnnexI: Q-Cert+Annex II: Q-CSP+Annex III: SSCD
Article 5.1 (identification/enrolment)
Copyright © FedICT 2004. All rights reserved
Card functions
authentication
data capture
digital signature
Copyright © FedICT 2004. All rights reserved
Authentication
log on to web sites (SSO)
container parklibrary
access control
…
swimming pool
Copyright © FedICT 2004. All rights reserved
Signature
1. Receive message 3. Check CRL/OCSP 5. Fetch public key 7. Compute reference hash2. Inspect certificate 4. Check certificate 6. Fetch signature 8. Hash, signature, public
key match?
Matching triplet?
CRL
Alice
Alice
hash
Bob
3, 4
2
1 7
6
5
8
1. Compose message 3. Generate signature 5. Collect certificate2. Compute hash 4. Collect signature 6. Send message
Alice
hash
Alice
1
2
3
5 4
6
Copyright © FedICT 2004. All rights reserved
Qualified Electronic Signature
Electronic Signatures
Advanced Electronic SignaturesArticle 2.2 (PKI technology)
Qualified Electronic Signature
+AnnexI: Q-Cert+Annex II: Q-CSP+Annex III: SSCD
Article 5.1 (identification/enrolment)
Copyright © FedICT 2004. All rights reserved
Production Process
Municipality
Face to face identification
De The municipalities(1)
(2) (12)
National Register
(3)
VRKVRK
CM/CP/CI(4)
ECA
ECABullBull
(7)
(8)
(5)
(9)
(6)
MeikäläinenMatti
PIN & PUK1-code
(10b)
(10a1)
(11)
(13)
(10a2)
Copyright © FedICT 2004. All rights reserved
Card Specifications
Standard - ISO/IEC 7816 Format & Physical Characteristics Bank Card (ID1) Standard Contacts & Signals RST,GND,CLK,Vpp,Vcc, I/O
Standard Commands & Query Language (APDU) etc.
Copyright © FedICT 2004. All rights reserved
Security Aspects
Outside
Rainbow and guilloche printing
Changeable Laser Image (CLI)
Optical Variable Ink (OVI)
Alphagram
Relief and UV print
Laser engraving
Inside
12345678
• SHA-1• RSA• SPA/DPA/… resistent• EAL5+ certified• …
Copyright © FedICT 2004. All rights reserved
Chip specifications
Chip characteristics: Cryptoflex JavaCard 32K CPU (processor): 16 bit Micro-controller Crypto-processor:
1100 bit Crypto-Engine (RSA computation) 112 bit Crypto-Accelerator (DES computation)
ROM (OS): 136 kB (GEOS Java Virtual Machine) EEPROM (Applic + Data): 32 KB (Cristal Applet) RAM (memory): 5 KB
CPU
ROM(Operating System)
Crypto(DES,RSA)
RAM(Memory)
EEPROM(File System=
applications + data)I/O
“GEOS”JVM
“CRISTAL”Applet
ID data, Keys, Certs.
Copyright © FedICT 2004. All rights reserved
ID
Data specifications
Directory Structure (PKCS#15) Dir (BelPIC):
certificates & keys (PIN code protected) private and public key CA : 2048 bits private and public key citizen: 1024 bits Signatures put via RSA with SHA-1 all certificates are conform to X.509 v3
standard format (to be used by generic applications) Microsoft CryptoAPI ( Windows) PKCS#11 ( UNIX/Linux & MacOS)
Dir (ID): contains full identity information
first name, last name, etc. address picture etc.
proprietary format (to be used by dedicated applications only)
BelPIC
AuthKey
SignKey
ID
ADR
PIC
AuthCert
SignCert
CACert
RootCert
CardKey
......
...
Copyright © FedICT 2004. All rights reserved
MiddleWare specifications
Card & Reader Software Card MiddleWare
PKCS#15 ID specific applications Card is accessed as a simple file system No key management possible (no PIN) for belgian police, post, banks, etc
PKCS#11 Generic applications Only keys & Certs available via PKCS#11 API allows authentication (& signature) for Netscape, Linux, Unix, etc
MS-CSP Windows applications Only keys & certs available via MSCrypto API allows authentication (& signature) for Microsoft Explorer, Outlook, etc
Reader Driver/Firmware most part is generic (orange part) small part is specific (green part)
PIN (pinpad)
OpenSCPKCS#15
(OpenSC Interface)
Driver(Specific SC Reader Interface)
PC/SC(Generic SC
Reader Interface)
I/O
PKCS#11(Certificate & Keys
Management)
MS-CSP(Microsoft interface)
BelPICSpecificApplics
Non WinGenericApplics
WindowsGenericApplics
Copyright © FedICT 2004. All rights reserved
Toolkit specifications
Toolkits Data Capture Toolkit
GetIdentity GetAddress GetPicture GetVersion ...
Authentication Proxy Trigger Certificate based auth Validate Certificate Return Certificate Content …
Signature Plugin PDF/XML/Xades signature support Validate Certificate Verify Signature …
I/O
SignPlugin
Toolkit
AuthProxy
DataCapture
PIN (pinpad)
OpenSCPKCS#15
(OpenSC Interface)
Driver(Specific SC Reader Interface)
PC/SC(Generic SC
Reader Interface)
PKCS#11(Certificate & Keys
Management)
MS-CSP(Microsoft interface)
Copyright © FedICT 2004. All rights reserved
Qualified Electronic Signature
Electronic Signatures
Advanced Electronic SignaturesArticle 2.2 (PKI technology)
Qualified Electronic Signature
+AnnexI: Q-Cert+Annex II: Q-CSP+Annex III: SSCD
Article 5.1 (identification/enrolment)
Copyright © FedICT 2004. All rights reserved
SSCD
SSCD
Human Interface
Certificate Generation Application
SCD/SVDGenerator
SCA
Signature Creation Data Signature Creation Application
READER
APPLICATION
Copyright © FedICT 2004. All rights reserved
Labeling Readers
Interroperability/Quality Low-Level test scenarios
ISO7816 APDU Data Middelware Crypto Middleware +platform specific
Security Citizen (home & work) - Dedicated PC
with or without secure PINPAD with ot without secure DISPLAY with ot without secure APPLICATION
Business (public space) - Shared PC with secure PINPAD with secure DISPLAY with secure APPLICATION
Copyright © FedICT 2004. All rights reserved
Labeling Applications
Certificate Validation CRL-based (typically for businesses)
one CRL per CA per 3 hours -> Gigabytes!!! One dCRL per CA per 3 hours (free)
Direct OCSP based (typically for citizens) free up to 10 per day
Delegated OCSP based (if required) you are your own Validation Authority you are subject to accreditation & control !
Privacy Unique Identification Number (NRN)
structure collection
Extended Identity information
Copyright © FedICT 2004. All rights reserved
Integration Issues ...
CryptoAPI
Oper.System
InternetExplorer
OutlookExpress
Office
Qcertdetectionrecognition
Format(OID &NRB)
Support(OCSP, CRL
& dCRL)
Statement(Legal Value)
Qsignrecognition
FormatXadesXforms
Archive(timestamp)
Document ContentNo active content + wysiwys
Container model
CertStorebehavior
Cachingdiscovery
choice
Cryptoki Root Management(root inclusion & CTL exchange)
Acertsupport
Format(DSB)
Attributes
ProtocolsAlgorithms
RSA2048 (v2.1)
NetLogonDomain
SSL/TLSError
Handling
S/MIMEEmail
Address
S/MIMEEmail
Address