
Copyright © FedICT 2003. All rights reserved

Belgian Electronic Identity Card (BELPIC)

Ir. Olivier LIBON.

Microsoft EAP – Government & Education

7 April 2005

Diegem

Agenda

• FedICT (the Belgian eGov strategy): principles, objectives, planning
• FedPKI (the Belgian PKI initiative): trust hierarchy, certificates, trust services
• Technical framework (the Belgian eID card): card layout vs electronic chip; data capture vs authentication vs signature; card production / personalization; card / chip / data / middleware / toolkit; applications: today & tomorrow

FedICT

“the Belgian eGov strategy”

Principles

Administration complexity vs simplification: 1 federal state, 3 regions / 3 communities, 10 provinces / 589 municipalities, serving civil servants, enterprises and citizens.

Front-Office: unique data collection principle
• federated identity management (FedPKI)
• federated transactional site (FedGATE)
• federated information exchange (FedUME)
• federated network management (FedMAN)

Back-Office: authentic data sources principle
• unique citizens DB/ID (Population Registry)
• unique enterprises DB/ID (CrossRoads Bank for Enterprises)
• unique ... DB/ID (?)

Objectives

Architecture diagram (labels recovered from the slide): the federal building blocks and their local counterparts
• FedMAN: unified TCP/IP network (local: LocalNetwork)
• FedUME: unified XML gateway (local: LocalUME)
• FedGATE: unified transactional site (local: LocalGATE)
• FedPKI: unified identity management framework
connecting the federal ministries (MinSoc, MinEco, MinFin, MinInt), the regions, communities, provinces and municipalities, ... with citizens, enterprises and civil servants.

Planning

Roadmap 2001–2004 (timeline chart, labels recovered from the slide):
• FedPKI: authentication / authorization
• FedGATE: static site / transactional site
• FedUME: XML gateway / XML processing
• FedMAN: IP network / IP services
• Unique IDs: citizens DB & unique IDs; enterprises DB & unique IDs; ...

FedPKI

“the Belgian PKI initiative”

Trust Hierarchy

Trust hierarchy diagram (labels recovered from the slide):
• Belgium Root: self-signed (RootSign), publishing a Root ARL; the EU Bridge CA is shown alongside
• GovCA, Citizen CA and the Admin CA hierarchy, each publishing its own CRL
• Citizen card certificates: Auth (electronic authentication), Sign (data signing), Crypt (client encryption)
• Administration certificates: Admin Cert / Admin Client, Server, CertObject, Admin Auth/Sign

Certificates

Citizen’s certificates & keys
• Authentication certificate & key pair (1024 bits): provides strong authentication (access control), e.g. web site authentication, single sign-on (login), etc.
• Signature certificate & key pair (1024 bits): provides non-repudiation (electronic signature equivalent to a handwritten signature), e.g. document signing, form signing, etc.
• (Encryption certificate & key pair): foreseen at a later stage, with private key backup/archiving

Diagram (labels recovered from the slide): Belgium Root CA, Citizen CA issuing the Auth and Sign certificates, and a Citizen CA for the future Crypt certificate.

Trust Services

Trust services diagram (labels recovered from the slide): the actors Citizens, Municipality, Population Registry, CA Factory and Secure Sites; the flows Register, Request and Auth/Sign Validate; the validation protocols XKMS and OCSP; and the governing CPS and SLA.

BELPIC

“the Belgian electronic personal identity card”

Card Aim

To give Belgian citizens an electronic identity card enabling them to authenticate themselves towards diverse applications and to put digital signatures:
• proof of identity
• signature tool

Visual part

From a visual point of view the same information will be visible as on the current identity card:
• the name
• the first two Christian names
• the first letter of the third Christian name
• the nationality
• the birth place and date
• the sex
• the place of delivery of the card
• the begin and end date of the validity of the card
• the denomination and number of the card
• the photo of the holder
• the signature of the holder
• the identification number of the National Register
• the main residence of the holder (until 31/12/2003)

Identical functionality to the current identity card: visual identification of the holder

Electronic Part

From an electronic point of view the chip will contain the same information as printed on the card, filled up with:
• the identity and signature keys
• the identity and signature certificates
• the accredited certification service provider
• information necessary for authentication of the card and securing of the electronic data
• the main residence of the holder

(Currently) no encryption certificates, no electronic purse, no biometric data. Conformity with European Directive 1999/93/EC.

Electronic identification of the holder

Advanced Electronic Signature

Signature levels of Directive 1999/93/EC:
• Electronic Signatures
• Advanced Electronic Signatures: Article 2.2 (PKI technology)
• Qualified Electronic Signature: + Annex I (Q-Cert) + Annex II (Q-CSP) + Annex III (SSCD)
• Article 5.1 (identification/enrolment)

Card functions

• authentication
• data capture
• digital signature

Data Capture

Authentication

• log on to web sites (SSO)
• access control: container park, library, swimming pool

Signature

Signing (Alice):
1. Compose message
2. Compute hash
3. Generate signature
4. Collect signature
5. Collect certificate
6. Send message

Verification (Bob):
1. Receive message
2. Inspect certificate
3. Check CRL/OCSP
4. Check certificate
5. Fetch public key
6. Fetch signature
7. Compute reference hash
8. Hash, signature, public key match? (Matching triplet?)

Diagram: Alice hashes and signs the message and sends it with her signature and certificate; Bob checks the certificate against the CRL and verifies that hash, signature and public key match.
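As an added example (not from the slides), Alice's six signing steps and Bob's eight verification steps carried through in Python with SHA-1 and textbook RSA, including the CRL check and the final hash/signature/public-key match. The key pair, certificate fields and revoked serials are constructed stand-ins; a real implementation adds signature padding, which this toy omits.

```python
import hashlib

# Toy RSA key pair for Alice (constructed for this example). The two Mersenne
# primes give a modulus of about 196 bits, larger than a SHA-1 digest, so the
# digest can be signed directly. Real BELPIC keys are 1024-bit RSA and a real
# implementation adds padding; this textbook RSA deliberately omits it.
P, Q, E = (1 << 89) - 1, (1 << 107) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, Python >= 3.8

# Constructed stand-ins for Alice's X.509 certificate and the Citizen CA's CRL.
ALICE_CERT = {"subject": "Alice", "serial": 42, "issuer": "Citizen CA", "pubkey": (N, E)}
TRUSTED_ISSUERS = {"Citizen CA"}
REVOKED_SERIALS = {17, 99}                  # serial numbers listed on the CRL

def sha1_int(message: bytes) -> int:
    """Steps 2 and 7: SHA-1 the message and read the digest as an integer."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def alice_sign(message: bytes, private_exponent: int, cert: dict) -> dict:
    """Alice, steps 1-6: hash, sign with the private key, then bundle the
    message, the signature and the certificate for sending."""
    n, _ = cert["pubkey"]
    signature = pow(sha1_int(message), private_exponent, n)          # step 3
    return {"message": message, "signature": signature, "cert": cert}  # steps 4-6

def bob_verify(bundle: dict, crl: set, trusted_issuers: set) -> tuple:
    """Bob, steps 1-8: inspect the certificate, check revocation and issuer,
    then test whether hash, signature and public key form a matching triplet."""
    cert = bundle.get("cert") or {}                                   # step 2
    if not {"serial", "issuer", "pubkey"} <= set(cert):
        return False, "malformed certificate"
    if cert["serial"] in crl:                                         # step 3
        return False, "certificate revoked"
    if cert["issuer"] not in trusted_issuers:                         # step 4
        return False, "untrusted issuer"
    n, e = cert["pubkey"]                                             # step 5
    signature = bundle["signature"]                                   # step 6
    reference_hash = sha1_int(bundle["message"])                      # step 7
    if pow(signature, e, n) != reference_hash:                        # step 8
        return False, "hash, signature and public key do not match"
    return True, "signature valid"

if __name__ == "__main__":
    bundle = alice_sign(b"Transfer 100 EUR to Bob", D, ALICE_CERT)
    print(bob_verify(bundle, REVOKED_SERIALS, TRUSTED_ISSUERS))
    tampered = dict(bundle, message=b"Transfer 900 EUR to Bob")
    print(bob_verify(tampered, REVOKED_SERIALS, TRUSTED_ISSUERS))
```

Note that revocation (step 3) is checked before the arithmetic, so a mathematically valid signature under a revoked certificate is still rejected.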


Qualified Electronic Signature


Production Process

Production process diagram with 13 numbered steps (labels recovered from the slide): face-to-face identification at the municipality, the National Register, CM/CP/CI, ECA, Bull, and the PIN & PUK code delivered to the citizen.

Personalization Process

Card Specifications

• Standard: ISO/IEC 7816
• Format & physical characteristics: bank card (ID1)
• Standard contacts & signals: RST, GND, CLK, Vpp, Vcc, I/O
• Standard commands & query language (APDU)
• etc.

Security Aspects

Outside
• Rainbow and guilloche printing
• Changeable Laser Image (CLI)
• Optical Variable Ink (OVI)
• Alphagram
• Relief and UV print
• Laser engraving

Inside (chip)
• SHA-1
• RSA
• SPA/DPA/… resistant
• EAL5+ certified
• …

Chip specifications

Chip characteristics: Cryptoflex JavaCard 32K
• CPU (processor): 16-bit micro-controller
• Crypto-processor: 1100-bit crypto-engine (RSA computation), 112-bit crypto-accelerator (DES computation)
• ROM (OS): 136 kB (GEOS Java Virtual Machine)
• EEPROM (applications + data): 32 KB (CRISTAL applet)
• RAM (memory): 5 KB

Block diagram: CPU, ROM (operating system, the “GEOS” JVM), Crypto (DES, RSA), RAM (memory), EEPROM (file system = applications + data: the “CRISTAL” applet holding ID data, keys and certificates), I/O.

Data specifications

Directory structure (PKCS#15)

Dir (BelPIC): certificates & keys (PIN code protected)
• CA private and public key: 2048 bits
• citizen private and public key: 1024 bits
• signatures put via RSA with SHA-1
• all certificates conform to X.509 v3
• standard format (to be used by generic applications): Microsoft CryptoAPI (Windows), PKCS#11 (UNIX/Linux & MacOS)

Dir (ID): contains full identity information
• first name, last name, etc.
• address
• picture
• etc.
• proprietary format (to be used by dedicated applications only)

File tree (from the slide): BelPIC: AuthKey, SignKey, AuthCert, SignCert, CACert, RootCert, CardKey, ...; ID: ID, ADR, PIC, ...

MiddleWare specifications

Card & reader software: card middleware
• PKCS#15: ID-specific applications; the card is accessed as a simple file system; no key management possible (no PIN); for Belgian police, post, banks, etc.
• PKCS#11: generic applications; only keys & certs available via the PKCS#11 API; allows authentication (& signature); for Netscape, Linux, Unix, etc.
• MS-CSP: Windows applications; only keys & certs available via the MS CryptoAPI; allows authentication (& signature); for Microsoft Explorer, Outlook, etc.
• Reader driver/firmware: most of it is generic (orange part), a small part is specific (green part)

Layer diagram (labels recovered from the slide): I/O; Driver (specific SC reader interface); PC/SC (generic SC reader interface); OpenSC PKCS#15 (OpenSC interface) with PIN entry via pinpad; PKCS#11 (certificate & keys management) and MS-CSP (Microsoft interface); on top, BelPIC-specific applications, non-Windows generic applications and Windows generic applications.

Toolkit specifications

Toolkits
• Data Capture Toolkit: GetIdentity, GetAddress, GetPicture, GetVersion, ...
• Authentication Proxy: trigger certificate-based auth, validate certificate, return certificate content, …
• Signature Plugin: PDF/XML/XAdES signature support, validate certificate, verify signature, …

Layer diagram (labels recovered from the slide): the Toolkit (DataCapture, AuthProxy, SignPlugin) sits on top of the same middleware stack as before: PKCS#11 (certificate & keys management), MS-CSP (Microsoft interface), OpenSC PKCS#15 (OpenSC interface), PC/SC (generic SC reader interface), Driver (specific SC reader interface), I/O, PIN via pinpad.


Qualified Electronic Signature


SSCD

SSCD diagram (labels recovered from the slide): the SSCD holds the SCD/SVD generator and the Signature Creation Data; the Signature Creation Application (SCA) provides the human interface; a Certificate Generation Application, the reader and the application complete the picture.

Labeling Readers

Interoperability/Quality: low-level test scenarios
• ISO 7816 APDU
• Data middleware
• Crypto middleware + platform specific

Security
• Citizen (home & work) - dedicated PC: with or without secure PINPAD, with or without secure DISPLAY, with or without secure APPLICATION
• Business (public space) - shared PC: with secure PINPAD, with secure DISPLAY, with secure APPLICATION

Labeling Applications

Certificate validation
• CRL-based (typically for businesses): one CRL per CA per 3 hours -> Gigabytes!!! One dCRL per CA per 3 hours (free)
• Direct OCSP-based (typically for citizens): free up to 10 per day
• Delegated OCSP-based (if required): you are your own Validation Authority; you are subject to accreditation & control!

Privacy
• Unique Identification Number (NRN): structure, collection
• Extended identity information

Integration Issues ...

Mind map of open integration points (labels recovered from the slide):
• Operating system / CryptoAPI / Internet Explorer / Outlook Express / Office
• Q-cert detection & recognition: format (OID & NRB), support (OCSP, CRL & dCRL), statement (legal value)
• Q-sign recognition: format (XAdES, XForms), archive (timestamp), document content (no active content + WYSIWYS), container model
• CertStore behavior: caching, discovery, choice
• Cryptoki root management (root inclusion & CTL exchange)
• Acert support: format (DSB), attributes
• Protocols / algorithms: RSA 2048 (v2.1), NetLogon (domain), SSL/TLS (error handling), S/MIME (email address)


More information

Th@nk you !

For more information feel free to visit

www.fedict.be