eID Security (slide transcript, from oecd.org)
Frank Cornelis, Architect eID
© Fedict 2008. All rights reserved.
The eID Project
> Provides Belgian citizens with an electronic identity card
> Gives Belgian citizens a device to claim their identity in the new digital age

eID Partners

eID Functionalities
Authentication
Identification
Electronic signature
Visual identification

Overview eID Functionality
Authentication
Identification
Electronic signature
Visual identification
eID Information: visual identification of the card holder
> From a visual point of view, the same information is visible as on a regular identity card:
  • the name
  • the first two Christian names
  • the first letter of the third Christian name
  • the nationality
  • the birth place and date
  • the sex
  • the place of delivery of the card
  • the begin and end date of the validity of the card
  • the denomination and number of the card
  • the photo of the holder
  • the signature of the holder
  • the identification number of the National Register

Non-electronic Functionality
(Identity information, face recognition, tamper resistant)
> Non-electronic functionality is equivalent to regular identity card functionality
> Non-electronic functionality is equivalent to electronic functionality
Security Aspects
> Outside
  • Rainbow and guilloche printing
  • Changeable Laser Image (CLI)
  • Optical Variable Ink (OVI)
  • Alphagram
  • Relief and UV print
  • Laser engraving
Chip specifications
(Block diagram: CPU; ROM (operating system: "GEOS", JVM); Crypto (DES/RSA); RAM (memory); EEPROM (file system = applications + data: "Belpic" applet, ID data, keys, certs); I/O)
> Chip characteristics: Cryptoflex JavaCard 32K
  • CPU (processor): 16-bit micro-controller
  • Crypto-processor:
    • 1100-bit crypto-engine (RSA computation)
    • 112-bit crypto-accelerator (DES computation)
  • ROM (OS): 136 kB (GEOS, JRE)
  • EEPROM (applications + data): 32 kB (Belpic applet)
  • RAM (memory): 5 kB
Identification
> From an electronic point of view, the chip contains the same information as printed on the card, complemented with:
  • the identity and signature keys
  • the identity and signature certificates
  • the accredited certification service provider
  • information necessary for authentication of the card and integrity protection of the data
  • the main residence of the holder
> No encryption certificates
> No biometric data
> No electronic purse
> No storage of other data
(Electronic identification of the holder)

eID Identification Advantages
(Figure: time consuming, inefficient, error-prone versus fast, efficient, accurate)

eID Authentication
(Real world: "Hi Alice", "Hi Bob". Digital world: log on to web sites, container park, library, ...)
> Confirming the identity of the person

eID Digital Information
(Figure: the ID and ADDRESS files, each signed by the RRN, usable without PIN; the IDENTITY part, "PIN protected": authentication and digital signature private/public key pairs, PKI)
Data Specifications
> Directory structure (PKCS#15)
  • Dir (BelPIC)
    • certificates & keys (PIN code protected)
      • private and public key CA: 2048 bits
      • private and public key citizen: 1024 bits
      • signatures put via RSA with SHA-1
      • all certificates conform to X.509 v3
    • standard format (to be used by generic applications)
      • Microsoft CryptoAPI (Windows)
      • PKCS#11 (UNIX/Linux & MacOS)
  • Dir (ID)
    • contains full identity information
      • first name, last name, etc.
      • address
      • picture
      • etc.
    • proprietary format (to be used by dedicated applications only)
(Figure: card file layout. BelPIC: Auth Key, Sign Key, Auth Cert, Sign Cert, CA Cert, Root Cert, Card Key. ID: ID, ADR, PIC.)
Public-key Cryptography
> Asymmetric cryptography: public key and private key
> eID cryptographic algorithm: RSA

Cryptographic Operations
> Encryption
> Signing
> Problem: which key belongs to Alice?

X.509 Certificate
> Is a signed digital statement
> Links a person to a key via a trusted party (CA)
(Figure: unique name of holder; public key of holder; signed by the CA that issued the certificate)
eID Certificates
> Auth + Sign key pairs (1024 bits)
  • Private key (inside the chip)
  • Public key (inside the certificate)

PKI Trust Hierarchy
(Figure: Belgium Root CA cert, self-signed (key 2048 bits); Citizen CA cert, root signed; RRN signing cert; Signature cert; Authentication cert; Admin Auth/Sign; AIA)
Web Authentication
(Figure: browser client with the user identity on the eID card, web server, SSL)
(1) Browser client connects to the web server over SSL
(2) Validate server certificate
(3) "Challenge" from the web server to verify the client identity
(4) Encrypt "challenge" with eID private key
(5) Encrypted "challenge" with eID authentication certificate, returned to the web server
(6) Decrypt "challenge" with public key from authentication certificate
(7) If/when "challenge" match, access granted
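The challenge-response exchange of steps (3) to (7), written out as an added Go example; it is not code from the original deck or from the Fedict middleware. It assumes the server has already validated the client's authentication certificate chain, so only the RSA public key from that certificate is needed at verification time; it uses SHA-256 with PKCS#1 v1.5 rather than the deck's SHA-1; and it generates a throw-away key pair in place of the card. The ChallengeServer type, the Respond function and the AuthScenario driver are this example's own names.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"sync"
)

// ChallengeServer models the web server side of steps (3), (6) and (7): it
// issues random one-time challenges and checks each response with the public
// key taken from the client's (already validated) authentication certificate.
type ChallengeServer struct {
	mu          sync.Mutex
	outstanding map[string]struct{} // challenges issued but not yet answered
}

func NewChallengeServer() *ChallengeServer {
	return &ChallengeServer{outstanding: make(map[string]struct{})}
}

// NewChallenge is step (3): a fresh 32-byte random challenge. Its randomness is
// what makes a response captured on the wire useless for a later session.
func (s *ChallengeServer) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.mu.Lock()
	s.outstanding[string(c)] = struct{}{}
	s.mu.Unlock()
	return c, nil
}

// Respond is step (4) on the browser/card side. The slide says "encrypt the
// challenge with the eID private key"; in RSA terms that is a PKCS#1 v1.5
// signature over a hash of the challenge (SHA-256 here, not the deck's SHA-1).
func Respond(cardKey *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, cardKey, crypto.SHA256, digest[:])
}

// Verify is steps (6) and (7): the challenge must be one this server issued and
// not yet consumed, and the response must verify under the public key from the
// authentication certificate. The challenge is consumed whatever the outcome.
func (s *ChallengeServer) Verify(authPub *rsa.PublicKey, challenge, response []byte) error {
	s.mu.Lock()
	_, known := s.outstanding[string(challenge)]
	delete(s.outstanding, string(challenge))
	s.mu.Unlock()
	if !known {
		return errors.New("unknown or already used challenge")
	}
	digest := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(authPub, crypto.SHA256, digest[:], response); err != nil {
		return errors.New("response does not verify under the authentication certificate key")
	}
	return nil
}

// AuthScenario runs the exchange and returns the server's verdict on (a) the
// genuine response, (b) a replay of that same response and (c) a response made
// with a different card's key. Expected: nil, error, error.
func AuthScenario() (genuine, replay, wrongKey error) {
	card, err := rsa.GenerateKey(rand.Reader, 2048) // the 2008 cards used 1024-bit keys
	if err != nil {
		return err, err, err
	}
	otherCard, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err, err
	}
	srv := NewChallengeServer()
	ch, err := srv.NewChallenge()
	if err != nil {
		return err, err, err
	}
	resp, err := Respond(card, ch)
	if err != nil {
		return err, err, err
	}
	genuine = srv.Verify(&card.PublicKey, ch, resp)
	replay = srv.Verify(&card.PublicKey, ch, resp)
	ch2, _ := srv.NewChallenge() // 32 bytes from crypto/rand; error path shown above
	resp2, _ := Respond(otherCard, ch2)
	wrongKey = srv.Verify(&card.PublicKey, ch2, resp2)
	return genuine, replay, wrongKey
}

func main() {
	genuine, replay, wrongKey := AuthScenario()
	fmt.Println("genuine response:", genuine)
	fmt.Println("replayed response:", replay)
	fmt.Println("other card's response:", wrongKey)
}
```

The property worth checking in a deployment of this flow is the one-time challenge: the server records every challenge it issues and discards it at the first verification attempt, so a response captured on the wire cannot be presented again. The other half is that the public key used in step (6) must come from a certificate whose chain and revocation status were checked, which is what the signature example later in this transcript covers.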
eID Electronic Signature
> eID electronic signature can have the same legal value as a handwritten signature
eID Electronic Signature
(Figure: Alice signs and sends, Bob verifies; Eve is on the channel between them)
Alice:
  1 Compose message
  2 Compute hash
  3 Generate signature
  4 Collect signature
  5 Collect certificate
  6 Send message
Bob:
  1 Receive message
  2 Inspect certificate
  3 Check CRL
  4 Check certificate
  5 Fetch public key
  6 Fetch signature
  7 Compute reference hash
  8 Hash, signature and public key match (the "matching triplet")
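Alice's and Bob's steps from this figure, together with the chain from the PKI Trust Hierarchy slide and the CRL check, as an added Go example; it is not code from the original deck or from the Fedict middleware. It builds a constructed three-level hierarchy (a self-signed stand-in for the Belgium Root CA, a Citizen CA, and Alice's signature certificate carrying the non-repudiation key usage), has the Citizen CA issue CRLs, and runs Bob's checks over three cases: the message as sent, the message altered in transit, and the message after Alice's certificate is revoked. The names VerifyTriplet, buildPKI, SignatureScenario, the subject names and the serial 1001 are this example's own; keys are 2048-bit and the hash is SHA-256, rather than the deck's 1024-bit keys and SHA-1.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; used only while constructing the sample PKI below.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// VerifyTriplet is Bob's steps 2-8: inspect the certificate, check the chain to
// the root, check the CRL, then require hash, signature and public key to match.
func VerifyTriplet(msg, sig, certDER, crlDER []byte, root, citizenCA *x509.Certificate, now time.Time) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(citizenCA)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil { // chain: cert -> Citizen CA -> Belgium Root CA
		return fmt.Errorf("certificate chain: %w", err)
	}
	// Documents are signed with the non-repudiation certificate, never the authentication one.
	if cert.KeyUsage&x509.KeyUsageContentCommitment == 0 {
		return fmt.Errorf("not a non-repudiation (signature) certificate")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(citizenCA); err != nil {
		return fmt.Errorf("CRL signature: %w", err)
	}
	for _, rc := range crl.RevokedCertificates { // RevokedCertificateEntries on Go 1.21+
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", cert.SerialNumber)
		}
	}
	// Public key from the certificate + reference hash + signature: the "matching triplet".
	if err := cert.CheckSignature(x509.SHA256WithRSA, msg, sig); err != nil {
		return fmt.Errorf("hash, signature and public key do not match")
	}
	return nil
}

// buildPKI is a constructed stand-in for the deck's hierarchy: Belgium Root CA
// (self-signed) -> Citizen CA -> Alice's signature certificate (serial 1001).
func buildPKI(now time.Time) (root, citizenCA *x509.Certificate, caKey, aliceKey *rsa.PrivateKey, aliceDER []byte) {
	tmpl := func(serial int64, cn string, ku x509.KeyUsage, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: ku,
			BasicConstraintsValid: ca, IsCA: ca}
	}
	issue := func(t, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, []byte) {
		der := must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))
		return must(x509.ParseCertificate(der)), der
	}
	rootKey := must(rsa.GenerateKey(rand.Reader, 2048)) // the 2008 cards used 1024-bit citizen keys
	caKey, aliceKey = must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	rootTmpl := tmpl(1, "Belgium Root CA (constructed)", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true)
	root, _ = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	citizenCA, _ = issue(tmpl(2, "Citizen CA (constructed)", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, true), root, &caKey.PublicKey, rootKey)
	_, aliceDER = issue(tmpl(1001, "Alice (Signature)", x509.KeyUsageContentCommitment, false), citizenCA, &aliceKey.PublicKey, caKey)
	return
}

// SignatureScenario: Alice composes, hashes and signs a constructed message; Bob
// verifies it as sent, after alteration in transit, and after Alice's certificate
// is revoked by the Citizen CA. Expected results: nil, error, error.
func SignatureScenario() (valid, tampered, revoked error) {
	now := time.Now()
	root, citizenCA, caKey, aliceKey, aliceDER := buildPKI(now)
	msg := []byte("constructed sample: I agree to the contract dated 2008-06-01")
	digest := sha256.Sum256(msg) // SHA-256 here in place of the deck's SHA-1
	sig := must(rsa.SignPKCS1v15(rand.Reader, aliceKey, crypto.SHA256, digest[:]))
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour)}
	cleanCRL := must(x509.CreateRevocationList(rand.Reader, crlTmpl, citizenCA, caKey))
	valid = VerifyTriplet(msg, sig, aliceDER, cleanCRL, root, citizenCA, now)
	tampered = VerifyTriplet(append([]byte("X"), msg[1:]...), sig, aliceDER, cleanCRL, root, citizenCA, now)
	crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1001), RevocationTime: now}}
	revokingCRL := must(x509.CreateRevocationList(rand.Reader, crlTmpl, citizenCA, caKey))
	revoked = VerifyTriplet(msg, sig, aliceDER, revokingCRL, root, citizenCA, now)
	return
}
```

Two points from the "Authentication vs Signatures" slide show up directly in VerifyTriplet: the contentCommitment check refuses a document signed with the authentication key, and the CRL is accepted only when it is signed by the CA that issued the certificate. For the long-term lifecycle the slide mentions, a verifier would additionally pin the CRL (or an OCSP response) that was current at signing time and check it against the signature's time, since a later revocation does not invalidate a signature made while the certificate was still good.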
Authentication vs Signatures

Authentication | Signatures
Signature with the key corresponding with the authentication certificate | Signature with the key corresponding with the non-repudiation certificate
Liability is application specific | Liability is regulated by law
Lifecycle of authentication session is short | Long-term lifecycle: required storage of revocation data
Signature consumer same as signature requestor | Signature verification by third party (e.g. court expert)
Synchronous by nature | Creation can be postponed

Signature Standards
> The features of a non-repudiation signature drive the need for open signature standards
  • PDF signatures
  • ODF signatures
  • XAdES signatures
Fedict eID Middleware
> Software for using the eID card on a PC
  • Identification (GUI tool + SDK)
  • Authentication/Signature modules
    • PKCS#11
    • CSP
    • tokenD
> Platforms
  • Windows XP, Vista
  • Linux: Fedora, OpenSUSE, Debian
  • Mac

Fedict Reverse Proxy
> Used to authenticate a person via eID towards a web application using SSL

eID Applications
(student cards, healthcare, e-commerce, driver's license, proof of membership, SSO, ..., home banking)

More Information
> www.eid.belgium.be

Questions & Answers
Thank you
Authentication
Identification
Electronic Signature
Visual Identification
eID Authentication
copy fedict 2008 All rights reserved
Hi Alice
Hi Bob
Real world Digital world
log on to web sites
container park libraryhellip
gt Confirming the identity of the person
eID Digital Information
copy fedict 2008 All rights reserved
Use without PIN
ID ADDRESS
RRN SIGN RRN SIGN
IDENTITYldquoPIN protectedrdquo
authentication
digital signature
PKI
privatepublic
privatepublic
Data Specifications
copy fedict 2008 All rights reserved
ID
gt Directory Structure (PKCS15)
bull Dir (BelPIC)
bull certificates amp keys (PIN code protected)
bull private and public key CA 2048 bits
bull private and public key citizen 1024 bits
bull Signatures put via RSA with SHA-1
bull all certificates are conform to X509 v3
bull standard format (to be used by generic applications)
bull Microsoft CryptoAPI ( Windows)
bull PKCS11 ( UNIXLinux amp MacOS)
bull Dir (ID)
bull contains full identity information
bull first name last name etc
bull address
bull picture
bull etc
bull proprietary format (to be used by dedicated
applications only)
BelPIC
Auth
Key
Sign
Key
ID
ADR
PIC
Auth
Cert
Sign
Cert
CA
Cert
Root
Cert
Card
Key
Public-key Cryptography
copy fedict 2008 All rights reserved
gt Asymmetric cryptography public key and private key
gt eID cryptographic algorithm RSA
Cryptographic Operations
copy fedict 2008 All rights reserved
gt Encryption gt Signing
gt Problem which key belongs to Alice
X509 Certificate
Unique name of holder
Public key of holder
Signed by the CA that issued the certificate
gt Is a signed digital statement
gt Links a person to a key via a trusted party (CA)
copy fedict 2008 All rights reserved
eID Certificates
copy fedict 2008 All rights reserved
1024 bits
bull Auth + Sign Key pairs
Private key (inside the chip)
Public key (inside the certificate)
Belgium root CA cert
Self signed
Citizen CA cert
Self signed (key 2048 bits)RRN
signing
cert
Signature
cert
Authentication
cert
Belgium root CA
Root signed
AIA
PKI Trust Hierarchy
copy fedict 2008 All rights reserved
Admin AuthSign
Web Authentication
copy fedict 2008 All rights reserved
Encrypted ldquoChallengerdquo with eID Authentication
certificate
ldquoChallengerdquo to verify Client Identity
(3)
Encrypt ldquoChallengerdquo with eID Private Key
(4)
(5)
Browser client
Web Server
User Identity
SSL
(1)
(2)Validate Server
Certificate
IfWhen ldquoChallengerdquo match access granted
(7)
Decrypt ldquoChallengerdquo with Public Key from
Authentication Certificate
(6)
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
eID Electronic Signature
copy fedict 2008 All rights reserved
eID electronic signature can have the same legal value as a
handwritten signature
eID Electronic Signature
copy fedict 2008 All rights reserved
Eve
1 Receive message 3 Check CRL 5 Fetch public key 7 Compute reference hash2 Inspect certificate 4 Check certificate 6 Fetch signature 8 Hash signature public
key match
Matching triplet
hash
Bob
3 4
7
6
5
8
1 Compose message 3 Generate signature 5 Collect certificate2 Compute hash 4 Collect signature 6 Send message
Alice
1
hash
2
5 4
16
3
2
Authentication vs Signatures
copy fedict 2008 All rights reserved
Authentication Signatures
Signature with the key
corresponding with the authn
certificate
Signature with the key
corresponding with the non-
repudiation certificate
Liability is application specific Liability is regulated by law
Lifecycle of authn session is
short
Long-term lifecycle required
storage of revocation data
Signature consumer same as
signature requestor
Signature verification by 3th party
(eg court expert)
Synchronous by nature Creation can be postponed
Signature Standards
copy fedict 2008 All rights reserved
gt The features of a non-repudiation signature drives the need for open signature standards
bull PDF signatures
bull ODF signatures
bull XAdES signatures
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
Fedict eID Middleware
copy fedict 2008 All rights reserved
gt Software for using the eID card on a PC
bull Identification (GUI tool + SDK)
bull AuthenticationSignature modules
bull PKCS11
bull CSP
bull tokenD
gt Platforms
bull Windows XP Vista
bull Linux Fedora OpenSUSE Debian
bull Mac
Fedict Reverse Proxy
copy fedict 2008 All rights reserved
gt Used to authenticate a person via eID towards a web application using SSL
eID Applications
copy fedict 2008 All rights reserved
student cards
healthcare
e-commerce
Driverrsquos license
Proof of membership
SSOhellip
home banking
More Information
copy fedict 2008 All rights reserved
gtwwweidbelgiumbe
Questions amp Answers
Q amp A
copy fedict 2008 All rights reserved
Thnk you
eID Information
copy fedict 2008 All rights reserved
Visual
identification
of the card
holder
gt From a visual point of view the same informationis visible as on a regular identity card
bull the name
bull the first two Christian names
bull the first letter of the third Christian name
bull the nationality
bull the birth place and date
bull the sex
bull the place of delivery of the card
bull the begin and end data of the validity of the card
bull the denomination and number of the card
bull the photo of the holder
bull the signature of the holder
bull the identification number of the NationalRegister
copy fedict 2008 All rights reserved
Non-electronic Functionality
Identity Information
Face Recognition
gt Non-electronic functionality is equivalent to regular identity card functionality
gt Non-electronic functionality is equivalent to electronic functionality
Tamper resistant
copy fedict 2008 All rights reserved
Security Aspects
gt Outside
bull Rainbow and guilloche printing
bull Changeable Laser Image (CLI)
bull Optical Variable Ink (OVI)
bull Alphagram
bull Relief and UV print
bull Laser engraving
12345678
copy fedict 2008 All rights reserved
Chip specifications
CPU
ROM
(Operating System)
Crypto
(DESRSA)
RAM
(Memory)
EEPROM
(File System=
applications + data)
IO
ldquoGEOSrdquo
JVM
ldquoBelpicrdquo
Applet
ID data
Keys Certs
gt Chip characteristics Cryptoflex JavaCard 32K
bull CPU (processor) 16 bit Micro-controller
bull Crypto-processor bull 1100 bit Crypto-Engine (RSA computation)
bull 112 bit Crypto-Accelerator (DES computation)
bull ROM (OS) 136 kB (GEOS JRE)
bull EEPROM (Applic + Data) 32 KB (Belpic Applet)
bull RAM (memory) 5 KB
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
Identification
copy fedict 2008 All rights reserved
gt From an electronic point of view thechip contains the same information as printed on the card filled up withbull the identity and signature keys
bull the identity and signature certificates
bull the accredited certification service furnisher
bull information necessary for authentication of the card and integrity protection of the data
bull the main residence of the holder
gt No encryption certificates
gt No biometric data
gt No electronic purse
gt No storage of other data
Electronicidentificationof the holder
eID Identification Advantages
copy fedict 2008 All rights reserved
Time consuming
inefficient
error-prone
fast
efficient
accurate
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
eID Authentication
copy fedict 2008 All rights reserved
Hi Alice
Hi Bob
Real world Digital world
log on to web sites
container park libraryhellip
gt Confirming the identity of the person
eID Digital Information
copy fedict 2008 All rights reserved
Use without PIN
ID ADDRESS
RRN SIGN RRN SIGN
IDENTITYldquoPIN protectedrdquo
authentication
digital signature
PKI
privatepublic
privatepublic
Data Specifications
copy fedict 2008 All rights reserved
ID
gt Directory Structure (PKCS15)
bull Dir (BelPIC)
bull certificates amp keys (PIN code protected)
bull private and public key CA 2048 bits
bull private and public key citizen 1024 bits
bull Signatures put via RSA with SHA-1
bull all certificates are conform to X509 v3
bull standard format (to be used by generic applications)
bull Microsoft CryptoAPI ( Windows)
bull PKCS11 ( UNIXLinux amp MacOS)
bull Dir (ID)
bull contains full identity information
bull first name last name etc
bull address
bull picture
bull etc
bull proprietary format (to be used by dedicated
applications only)
BelPIC
Auth
Key
Sign
Key
ID
ADR
PIC
Auth
Cert
Sign
Cert
CA
Cert
Root
Cert
Card
Key
Public-key Cryptography
copy fedict 2008 All rights reserved
gt Asymmetric cryptography public key and private key
gt eID cryptographic algorithm RSA
Cryptographic Operations
copy fedict 2008 All rights reserved
gt Encryption gt Signing
gt Problem which key belongs to Alice
X509 Certificate
Unique name of holder
Public key of holder
Signed by the CA that issued the certificate
gt Is a signed digital statement
gt Links a person to a key via a trusted party (CA)
copy fedict 2008 All rights reserved
eID Certificates
copy fedict 2008 All rights reserved
1024 bits
bull Auth + Sign Key pairs
Private key (inside the chip)
Public key (inside the certificate)
Belgium root CA cert
Self signed
Citizen CA cert
Self signed (key 2048 bits)RRN
signing
cert
Signature
cert
Authentication
cert
Belgium root CA
Root signed
AIA
PKI Trust Hierarchy
copy fedict 2008 All rights reserved
Admin AuthSign
Web Authentication
copy fedict 2008 All rights reserved
Encrypted ldquoChallengerdquo with eID Authentication
certificate
ldquoChallengerdquo to verify Client Identity
(3)
Encrypt ldquoChallengerdquo with eID Private Key
(4)
(5)
Browser client
Web Server
User Identity
SSL
(1)
(2)Validate Server
Certificate
IfWhen ldquoChallengerdquo match access granted
(7)
Decrypt ldquoChallengerdquo with Public Key from
Authentication Certificate
(6)
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
eID Electronic Signature
copy fedict 2008 All rights reserved
eID electronic signature can have the same legal value as a
handwritten signature
eID Electronic Signature
copy fedict 2008 All rights reserved
Eve
1 Receive message 3 Check CRL 5 Fetch public key 7 Compute reference hash2 Inspect certificate 4 Check certificate 6 Fetch signature 8 Hash signature public
key match
Matching triplet
hash
Bob
3 4
7
6
5
8
1 Compose message 3 Generate signature 5 Collect certificate2 Compute hash 4 Collect signature 6 Send message
Alice
1
hash
2
5 4
16
3
2
Authentication vs Signatures
copy fedict 2008 All rights reserved
Authentication Signatures
Signature with the key
corresponding with the authn
certificate
Signature with the key
corresponding with the non-
repudiation certificate
Liability is application specific Liability is regulated by law
Lifecycle of authn session is
short
Long-term lifecycle required
storage of revocation data
Signature consumer same as
signature requestor
Signature verification by 3th party
(eg court expert)
Synchronous by nature Creation can be postponed
Signature Standards
copy fedict 2008 All rights reserved
gt The features of a non-repudiation signature drives the need for open signature standards
bull PDF signatures
bull ODF signatures
bull XAdES signatures
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
Fedict eID Middleware
copy fedict 2008 All rights reserved
gt Software for using the eID card on a PC
bull Identification (GUI tool + SDK)
bull AuthenticationSignature modules
bull PKCS11
bull CSP
bull tokenD
gt Platforms
bull Windows XP Vista
bull Linux Fedora OpenSUSE Debian
bull Mac
Fedict Reverse Proxy
copy fedict 2008 All rights reserved
gt Used to authenticate a person via eID towards a web application using SSL
eID Applications
copy fedict 2008 All rights reserved
student cards
healthcare
e-commerce
Driverrsquos license
Proof of membership
SSOhellip
home banking
More Information
copy fedict 2008 All rights reserved
gtwwweidbelgiumbe
Questions amp Answers
Q amp A
copy fedict 2008 All rights reserved
Thnk you
copy fedict 2008 All rights reserved
Non-electronic Functionality
Identity Information
Face Recognition
gt Non-electronic functionality is equivalent to regular identity card functionality
gt Non-electronic functionality is equivalent to electronic functionality
Tamper resistant
copy fedict 2008 All rights reserved
Security Aspects
gt Outside
bull Rainbow and guilloche printing
bull Changeable Laser Image (CLI)
bull Optical Variable Ink (OVI)
bull Alphagram
bull Relief and UV print
bull Laser engraving
12345678
copy fedict 2008 All rights reserved
Chip specifications
CPU
ROM
(Operating System)
Crypto
(DESRSA)
RAM
(Memory)
EEPROM
(File System=
applications + data)
IO
ldquoGEOSrdquo
JVM
ldquoBelpicrdquo
Applet
ID data
Keys Certs
gt Chip characteristics Cryptoflex JavaCard 32K
bull CPU (processor) 16 bit Micro-controller
bull Crypto-processor bull 1100 bit Crypto-Engine (RSA computation)
bull 112 bit Crypto-Accelerator (DES computation)
bull ROM (OS) 136 kB (GEOS JRE)
bull EEPROM (Applic + Data) 32 KB (Belpic Applet)
bull RAM (memory) 5 KB
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
Identification
copy fedict 2008 All rights reserved
gt From an electronic point of view thechip contains the same information as printed on the card filled up withbull the identity and signature keys
bull the identity and signature certificates
bull the accredited certification service furnisher
bull information necessary for authentication of the card and integrity protection of the data
bull the main residence of the holder
gt No encryption certificates
gt No biometric data
gt No electronic purse
gt No storage of other data
Electronicidentificationof the holder
eID Identification Advantages
copy fedict 2008 All rights reserved
Time consuming
inefficient
error-prone
fast
efficient
accurate
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
eID Authentication
copy fedict 2008 All rights reserved
Hi Alice
Hi Bob
Real world Digital world
log on to web sites
container park libraryhellip
gt Confirming the identity of the person
eID Digital Information
copy fedict 2008 All rights reserved
Use without PIN
ID ADDRESS
RRN SIGN RRN SIGN
IDENTITYldquoPIN protectedrdquo
authentication
digital signature
PKI
privatepublic
privatepublic
Data Specifications
copy fedict 2008 All rights reserved
ID
gt Directory Structure (PKCS15)
bull Dir (BelPIC)
bull certificates amp keys (PIN code protected)
bull private and public key CA 2048 bits
bull private and public key citizen 1024 bits
bull Signatures put via RSA with SHA-1
bull all certificates are conform to X509 v3
bull standard format (to be used by generic applications)
bull Microsoft CryptoAPI ( Windows)
bull PKCS11 ( UNIXLinux amp MacOS)
bull Dir (ID)
bull contains full identity information
bull first name last name etc
bull address
bull picture
bull etc
bull proprietary format (to be used by dedicated
applications only)
BelPIC
Auth
Key
Sign
Key
ID
ADR
PIC
Auth
Cert
Sign
Cert
CA
Cert
Root
Cert
Card
Key
Public-key Cryptography
copy fedict 2008 All rights reserved
gt Asymmetric cryptography public key and private key
gt eID cryptographic algorithm RSA
Cryptographic Operations
copy fedict 2008 All rights reserved
gt Encryption gt Signing
gt Problem which key belongs to Alice
X509 Certificate
Unique name of holder
Public key of holder
Signed by the CA that issued the certificate
gt Is a signed digital statement
gt Links a person to a key via a trusted party (CA)
copy fedict 2008 All rights reserved
eID Certificates
copy fedict 2008 All rights reserved
1024 bits
bull Auth + Sign Key pairs
Private key (inside the chip)
Public key (inside the certificate)
Belgium root CA cert
Self signed
Citizen CA cert
Self signed (key 2048 bits)RRN
signing
cert
Signature
cert
Authentication
cert
Belgium root CA
Root signed
AIA
PKI Trust Hierarchy
copy fedict 2008 All rights reserved
Admin AuthSign
Web Authentication
copy fedict 2008 All rights reserved
Encrypted ldquoChallengerdquo with eID Authentication
certificate
ldquoChallengerdquo to verify Client Identity
(3)
Encrypt ldquoChallengerdquo with eID Private Key
(4)
(5)
Browser client
Web Server
User Identity
SSL
(1)
(2)Validate Server
Certificate
IfWhen ldquoChallengerdquo match access granted
(7)
Decrypt ldquoChallengerdquo with Public Key from
Authentication Certificate
(6)
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
eID Electronic Signature
copy fedict 2008 All rights reserved
eID electronic signature can have the same legal value as a
handwritten signature
eID Electronic Signature
copy fedict 2008 All rights reserved
Eve
1 Receive message 3 Check CRL 5 Fetch public key 7 Compute reference hash2 Inspect certificate 4 Check certificate 6 Fetch signature 8 Hash signature public
key match
Matching triplet
hash
Bob
3 4
7
6
5
8
1 Compose message 3 Generate signature 5 Collect certificate2 Compute hash 4 Collect signature 6 Send message
Alice
1
hash
2
5 4
16
3
2
Authentication vs Signatures
copy fedict 2008 All rights reserved
Authentication Signatures
Signature with the key
corresponding with the authn
certificate
Signature with the key
corresponding with the non-
repudiation certificate
Liability is application specific Liability is regulated by law
Lifecycle of authn session is
short
Long-term lifecycle required
storage of revocation data
Signature consumer same as
signature requestor
Signature verification by 3th party
(eg court expert)
Synchronous by nature Creation can be postponed
Signature Standards
copy fedict 2008 All rights reserved
gt The features of a non-repudiation signature drives the need for open signature standards
bull PDF signatures
bull ODF signatures
bull XAdES signatures
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
Fedict eID Middleware
copy fedict 2008 All rights reserved
gt Software for using the eID card on a PC
bull Identification (GUI tool + SDK)
bull AuthenticationSignature modules
bull PKCS11
bull CSP
bull tokenD
gt Platforms
bull Windows XP Vista
bull Linux Fedora OpenSUSE Debian
bull Mac
Fedict Reverse Proxy
copy fedict 2008 All rights reserved
gt Used to authenticate a person via eID towards a web application using SSL
eID Applications
copy fedict 2008 All rights reserved
student cards
healthcare
e-commerce
Driverrsquos license
Proof of membership
SSOhellip
home banking
More Information
copy fedict 2008 All rights reserved
gtwwweidbelgiumbe
Questions amp Answers
Q amp A
copy fedict 2008 All rights reserved
Thnk you
copy fedict 2008 All rights reserved
Security Aspects
gt Outside
bull Rainbow and guilloche printing
bull Changeable Laser Image (CLI)
bull Optical Variable Ink (OVI)
bull Alphagram
bull Relief and UV print
bull Laser engraving
12345678
copy fedict 2008 All rights reserved
Chip specifications
CPU
ROM
(Operating System)
Crypto
(DESRSA)
RAM
(Memory)
EEPROM
(File System=
applications + data)
IO
ldquoGEOSrdquo
JVM
ldquoBelpicrdquo
Applet
ID data
Keys Certs
gt Chip characteristics Cryptoflex JavaCard 32K
bull CPU (processor) 16 bit Micro-controller
bull Crypto-processor bull 1100 bit Crypto-Engine (RSA computation)
bull 112 bit Crypto-Accelerator (DES computation)
bull ROM (OS) 136 kB (GEOS JRE)
bull EEPROM (Applic + Data) 32 KB (Belpic Applet)
bull RAM (memory) 5 KB
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
Identification
copy fedict 2008 All rights reserved
gt From an electronic point of view thechip contains the same information as printed on the card filled up withbull the identity and signature keys
bull the identity and signature certificates
bull the accredited certification service furnisher
bull information necessary for authentication of the card and integrity protection of the data
bull the main residence of the holder
gt No encryption certificates
gt No biometric data
gt No electronic purse
gt No storage of other data
Electronicidentificationof the holder
eID Identification Advantages
copy fedict 2008 All rights reserved
Time consuming
inefficient
error-prone
fast
efficient
accurate
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
eID Authentication
copy fedict 2008 All rights reserved
Hi Alice
Hi Bob
Real world Digital world
log on to web sites
container park libraryhellip
gt Confirming the identity of the person
eID Digital Information
copy fedict 2008 All rights reserved
Use without PIN
ID ADDRESS
RRN SIGN RRN SIGN
IDENTITYldquoPIN protectedrdquo
authentication
digital signature
PKI
privatepublic
privatepublic
Data Specifications
copy fedict 2008 All rights reserved
ID
gt Directory Structure (PKCS15)
bull Dir (BelPIC)
bull certificates amp keys (PIN code protected)
bull private and public key CA 2048 bits
bull private and public key citizen 1024 bits
bull Signatures put via RSA with SHA-1
bull all certificates are conform to X509 v3
bull standard format (to be used by generic applications)
bull Microsoft CryptoAPI ( Windows)
bull PKCS11 ( UNIXLinux amp MacOS)
bull Dir (ID)
bull contains full identity information
bull first name last name etc
bull address
bull picture
bull etc
bull proprietary format (to be used by dedicated
applications only)
BelPIC
Auth
Key
Sign
Key
ID
ADR
PIC
Auth
Cert
Sign
Cert
CA
Cert
Root
Cert
Card
Key
Public-key Cryptography
copy fedict 2008 All rights reserved
gt Asymmetric cryptography public key and private key
gt eID cryptographic algorithm RSA
Cryptographic Operations
copy fedict 2008 All rights reserved
gt Encryption gt Signing
gt Problem which key belongs to Alice
X509 Certificate
Unique name of holder
Public key of holder
Signed by the CA that issued the certificate
gt Is a signed digital statement
gt Links a person to a key via a trusted party (CA)
copy fedict 2008 All rights reserved
eID Certificates
copy fedict 2008 All rights reserved
1024 bits
bull Auth + Sign Key pairs
Private key (inside the chip)
Public key (inside the certificate)
Belgium root CA cert
Self signed
Citizen CA cert
Self signed (key 2048 bits)RRN
signing
cert
Signature
cert
Authentication
cert
Belgium root CA
Root signed
AIA
PKI Trust Hierarchy
copy fedict 2008 All rights reserved
Admin AuthSign
Web Authentication
copy fedict 2008 All rights reserved
Encrypted ldquoChallengerdquo with eID Authentication
certificate
ldquoChallengerdquo to verify Client Identity
(3)
Encrypt ldquoChallengerdquo with eID Private Key
(4)
(5)
Browser client
Web Server
User Identity
SSL
(1)
(2)Validate Server
Certificate
IfWhen ldquoChallengerdquo match access granted
(7)
Decrypt ldquoChallengerdquo with Public Key from
Authentication Certificate
(6)
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
eID Electronic Signature
copy fedict 2008 All rights reserved
eID electronic signature can have the same legal value as a
handwritten signature
eID Electronic Signature
copy fedict 2008 All rights reserved
Eve
1 Receive message 3 Check CRL 5 Fetch public key 7 Compute reference hash2 Inspect certificate 4 Check certificate 6 Fetch signature 8 Hash signature public
key match
Matching triplet
hash
Bob
3 4
7
6
5
8
1 Compose message 3 Generate signature 5 Collect certificate2 Compute hash 4 Collect signature 6 Send message
Alice
1
hash
2
5 4
16
3
2
Authentication vs Signatures
copy fedict 2008 All rights reserved
Authentication Signatures
Signature with the key
corresponding with the authn
certificate
Signature with the key
corresponding with the non-
repudiation certificate
Liability is application specific Liability is regulated by law
Lifecycle of authn session is
short
Long-term lifecycle required
storage of revocation data
Signature consumer same as
signature requestor
Signature verification by 3th party
(eg court expert)
Synchronous by nature Creation can be postponed
Signature Standards
copy fedict 2008 All rights reserved
gt The features of a non-repudiation signature drives the need for open signature standards
bull PDF signatures
bull ODF signatures
bull XAdES signatures
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
Fedict eID Middleware
copy fedict 2008 All rights reserved
gt Software for using the eID card on a PC
bull Identification (GUI tool + SDK)
bull AuthenticationSignature modules
bull PKCS11
bull CSP
bull tokenD
gt Platforms
bull Windows XP Vista
bull Linux Fedora OpenSUSE Debian
bull Mac
Fedict Reverse Proxy
copy fedict 2008 All rights reserved
gt Used to authenticate a person via eID towards a web application using SSL
eID Applications
copy fedict 2008 All rights reserved
student cards
healthcare
e-commerce
Driverrsquos license
Proof of membership
SSOhellip
home banking
More Information
copy fedict 2008 All rights reserved
gtwwweidbelgiumbe
Questions amp Answers
Q amp A
copy fedict 2008 All rights reserved
Thnk you
copy fedict 2008 All rights reserved
Chip specifications
CPU
ROM
(Operating System)
Crypto
(DESRSA)
RAM
(Memory)
EEPROM
(File System=
applications + data)
IO
ldquoGEOSrdquo
JVM
ldquoBelpicrdquo
Applet
ID data
Keys Certs
gt Chip characteristics Cryptoflex JavaCard 32K
bull CPU (processor) 16 bit Micro-controller
bull Crypto-processor bull 1100 bit Crypto-Engine (RSA computation)
bull 112 bit Crypto-Accelerator (DES computation)
bull ROM (OS) 136 kB (GEOS JRE)
bull EEPROM (Applic + Data) 32 KB (Belpic Applet)
bull RAM (memory) 5 KB
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
Identification
copy fedict 2008 All rights reserved
gt From an electronic point of view thechip contains the same information as printed on the card filled up withbull the identity and signature keys
bull the identity and signature certificates
bull the accredited certification service furnisher
bull information necessary for authentication of the card and integrity protection of the data
bull the main residence of the holder
gt No encryption certificates
gt No biometric data
gt No electronic purse
gt No storage of other data
Electronicidentificationof the holder
eID Identification Advantages
copy fedict 2008 All rights reserved
Time consuming
inefficient
error-prone
fast
efficient
accurate
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
eID Authentication
copy fedict 2008 All rights reserved
Hi Alice
Hi Bob
Real world Digital world
log on to web sites
container park libraryhellip
gt Confirming the identity of the person
eID Digital Information
copy fedict 2008 All rights reserved
Use without PIN
ID ADDRESS
RRN SIGN RRN SIGN
IDENTITYldquoPIN protectedrdquo
authentication
digital signature
PKI
privatepublic
privatepublic
Data Specifications
copy fedict 2008 All rights reserved
ID
gt Directory Structure (PKCS15)
bull Dir (BelPIC)
bull certificates amp keys (PIN code protected)
bull private and public key CA 2048 bits
bull private and public key citizen 1024 bits
bull Signatures put via RSA with SHA-1
bull all certificates are conform to X509 v3
bull standard format (to be used by generic applications)
bull Microsoft CryptoAPI ( Windows)
bull PKCS11 ( UNIXLinux amp MacOS)
bull Dir (ID)
bull contains full identity information
bull first name last name etc
bull address
bull picture
bull etc
bull proprietary format (to be used by dedicated
applications only)
BelPIC
Auth
Key
Sign
Key
ID
ADR
PIC
Auth
Cert
Sign
Cert
CA
Cert
Root
Cert
Card
Key
Public-key Cryptography
copy fedict 2008 All rights reserved
gt Asymmetric cryptography public key and private key
gt eID cryptographic algorithm RSA
Cryptographic Operations
copy fedict 2008 All rights reserved
gt Encryption gt Signing
gt Problem which key belongs to Alice
X509 Certificate
Unique name of holder
Public key of holder
Signed by the CA that issued the certificate
gt Is a signed digital statement
gt Links a person to a key via a trusted party (CA)
copy fedict 2008 All rights reserved
eID Certificates
copy fedict 2008 All rights reserved
1024 bits
bull Auth + Sign Key pairs
Private key (inside the chip)
Public key (inside the certificate)
Belgium root CA cert
Self signed
Citizen CA cert
Self signed (key 2048 bits)RRN
signing
cert
Signature
cert
Authentication
cert
Belgium root CA
Root signed
AIA
PKI Trust Hierarchy
copy fedict 2008 All rights reserved
Admin AuthSign
Web Authentication
copy fedict 2008 All rights reserved
Encrypted ldquoChallengerdquo with eID Authentication
certificate
ldquoChallengerdquo to verify Client Identity
(3)
Encrypt ldquoChallengerdquo with eID Private Key
(4)
(5)
Browser client
Web Server
User Identity
SSL
(1)
(2)Validate Server
Certificate
IfWhen ldquoChallengerdquo match access granted
(7)
Decrypt ldquoChallengerdquo with Public Key from
Authentication Certificate
(6)
Overview eID Functionality
copy fedict 2008 All rights reserved
Authentication
Identification
Electronic Signature
Visual Identification
eID Electronic Signature
> eID electronic signature can have the same legal value as a handwritten signature
eID Electronic Signature (diagram with Alice, Bob and Eve)
Alice:
1 Compose message
2 Compute hash
3 Generate signature
4 Collect signature
5 Collect certificate
6 Send message
Bob:
1 Receive message
2 Inspect certificate
3 Check CRL
4 Check certificate
5 Fetch public key
6 Fetch signature
7 Compute reference hash
8 Hash, signature, public key match (matching triplet)
Authentication vs Signatures
Authentication | Signatures
Signature with the key corresponding with the authn certificate | Signature with the key corresponding with the non-repudiation certificate
Liability is application specific | Liability is regulated by law
Lifecycle of authn session is short | Long-term lifecycle: requires storage of revocation data
Signature consumer same as signature requestor | Signature verification by 3rd party (e.g. court expert)
Synchronous by nature | Creation can be postponed
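The challenge-response of the Web Authentication slide (steps 3 to 7) and Bob's verification steps from the Electronic Signature slide, as an added Go example that is not Fedict code and not the eID middleware: a constructed root / Citizen CA / citizen hierarchy, a one-time challenge, and a key-usage check that keeps the authentication key and the non-repudiation key apart as the table above requires. Names, 2048-bit keys and the SHA-256 hash are assumptions of this example; the CRL check of step 3 is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Credential is one eID key pair: the private key (inside the chip) and the certificate holding its public key.
type Credential struct{ Key *rsa.PrivateKey; Cert *x509.Certificate }

// RelyingParty is the web server of the Web Authentication slide, or Bob of the Electronic Signature slide.
type RelyingParty struct {
	roots, inters *x509.CertPool
	challenges    map[string]bool // outstanding one-time challenges
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a certificate for pub with signer; parent == nil means self signed.
func issue(cn string, usage x509.KeyUsage, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{Country: []string{"BE"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// BuildPKI issues the constructed hierarchy: self-signed Belgium Root CA, Citizen CA under it, and for one
// citizen an Authentication cert (digitalSignature) and a Signature cert (contentCommitment = non-repudiation).
func BuildPKI() (rp *RelyingParty, auth, sign Credential) {
	newKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) } // deck: 1024-bit citizen keys
	rootKey, caKey, authKey, signKey := newKey(), newKey(), newKey(), newKey()
	root := issue("Belgium Root CA (constructed)", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil, &rootKey.PublicKey, rootKey)
	ca := issue("Citizen CA (constructed)", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, root, &caKey.PublicKey, rootKey)
	auth = Credential{authKey, issue("Alice (Authentication)", x509.KeyUsageDigitalSignature, ca, &authKey.PublicKey, caKey)}
	sign = Credential{signKey, issue("Alice (Signature)", x509.KeyUsageContentCommitment, ca, &signKey.PublicKey, caKey)}
	rp = &RelyingParty{x509.NewCertPool(), x509.NewCertPool(), map[string]bool{}}
	rp.roots.AddCert(root) // only the root is trusted; the Citizen CA is an intermediate used to build the chain
	rp.inters.AddCert(ca)
	return rp, auth, sign
}

// Sign is the on-card RSA PKCS#1 v1.5 operation over a SHA-256 hash (the 2008 deck lists SHA-1).
func Sign(key *rsa.PrivateKey, data []byte) []byte {
	h := sha256.Sum256(data)
	return must(rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:]))
}

// Verify is Bob's side of the Electronic Signature slide: check the certificate chain to the trusted root,
// fetch the public key, recompute the hash and match it against the signature. want pins the key usage,
// so the non-repudiation key cannot pass an authentication check and vice versa (CRL check omitted).
func (rp *RelyingParty) Verify(data, sig []byte, cert *x509.Certificate, want x509.KeyUsage) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: rp.roots, Intermediates: rp.inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", err
	}
	if cert.KeyUsage != want {
		return "", errors.New("certificate has the wrong key usage for this operation")
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, data, sig); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil // the verified "User Identity"
}

// Challenge is step (3) of the Web Authentication slide: fresh randomness for every attempt.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	must(rand.Read(c))
	rp.challenges[string(c)] = true
	return c
}

// Authenticate is steps (6) and (7): the challenge must be one this server issued and not yet used,
// and the response must verify under the citizen's authentication certificate.
func (rp *RelyingParty) Authenticate(challenge, sig []byte, cert *x509.Certificate) (string, error) {
	if !rp.challenges[string(challenge)] {
		return "", errors.New("unknown or replayed challenge")
	}
	delete(rp.challenges, string(challenge)) // consumed even if the checks below fail
	return rp.Verify(challenge, sig, cert, x509.KeyUsageDigitalSignature)
}
```

The slide's "encrypt the challenge with the eID private key" is, in RSA terms, a PKCS#1 v1.5 signature over the hash of the challenge, which is what Sign models here.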
Signature Standards
> The features of a non-repudiation signature drive the need for open signature standards
• PDF signatures
• ODF signatures
• XAdES signatures
Overview eID Functionality: Authentication, Identification, Electronic Signature, Visual Identification
Fedict eID Middleware
> Software for using the eID card on a PC
• Identification (GUI tool + SDK)
• Authentication/Signature modules
  • PKCS#11
  • CSP
  • tokenD
> Platforms
• Windows XP, Vista
• Linux: Fedora, OpenSUSE, Debian
• Mac
Fedict Reverse Proxy
> Used to authenticate a person via eID towards a web application using SSL
eID Applications
student cards
healthcare
e-commerce
driver's license
proof of membership
SSO…
home banking
More Information
> www.eid.belgium.be
Questions & Answers
Q & A
Thank you
Overview eID Functionality: Authentication, Identification, Electronic Signature, Visual Identification
Identification
> From an electronic point of view the chip contains the same information as printed on the card, supplemented with:
• the identity and signature keys
• the identity and signature certificates
• the accredited certification service furnisher
• information necessary for authentication of the card and integrity protection of the data
• the main residence of the holder
> No encryption certificates
> No biometric data
> No electronic purse
> No storage of other data
Electronic identification of the holder
eID Identification Advantages
Without eID: time consuming, inefficient, error-prone
With eID: fast, efficient, accurate
Overview eID Functionality: Authentication, Identification, Electronic Signature, Visual Identification
eID Authentication
> Confirming the identity of the person
Real world ("Hi Alice" / "Hi Bob"): container park, library…
Digital world: log on to web sites
eID Digital Information (diagram)
Use without PIN: ID file and ADDRESS file, each with an RRN SIGN (signature of the National Register)
IDENTITY "PIN protected": authentication and digital signature key pairs (private/public), PKI
Data Specifications
> Directory Structure (PKCS#15)
• Dir (BelPIC)
  • certificates & keys (PIN code protected)
    • private and public key CA: 2048 bits
    • private and public key citizen: 1024 bits
    • signatures put via RSA with SHA-1
    • all certificates conform to X.509 v3
  • standard format (to be used by generic applications)
    • Microsoft CryptoAPI (Windows)
    • PKCS#11 (UNIX/Linux & MacOS)
• Dir (ID)
  • contains full identity information
    • first name, last name, etc.
    • address
    • picture
    • etc.
  • proprietary format (to be used by dedicated applications only)
File tree (diagram): BelPIC: Auth Key, Sign Key, Auth Cert, Sign Cert, CA Cert, Root Cert, Card Key; ID: ID, ADR, PIC
Data Specifications
© fedict 2008 All rights reserved
> Directory Structure (PKCS#15)
• Dir (BelPIC)
  • certificates & keys (PIN code protected)
  • private and public key CA: 2048 bits
  • private and public key citizen: 1024 bits
  • signatures are RSA with SHA-1
  • all certificates conform to X.509 v3
  • standard format (to be used by generic applications)
    • Microsoft CryptoAPI (Windows)
    • PKCS#11 (UNIX/Linux & MacOS)
• Dir (ID)
  • contains full identity information
    • first name, last name, etc.
    • address
    • picture
    • etc.
  • proprietary format (to be used by dedicated applications only)
Card file layout (figure; labels recovered from the slide): BelPIC directory: Auth Key, Sign Key, Auth Cert, Sign Cert, CA Cert, Root Cert, Card Key. ID directory: ID, ADR, PIC.
Public-key Cryptography
> Asymmetric cryptography: public key and private key
> eID cryptographic algorithm: RSA
Cryptographic Operations
> Encryption
> Signing
> Problem: which key belongs to Alice?
X.509 Certificate
> Is a signed digital statement
> Links a person to a key via a trusted party (CA)
• Unique name of holder
• Public key of holder
• Signed by the CA that issued the certificate
eID Certificates
Certificate hierarchy (figure; labels recovered from the slide):
• Belgium Root CA cert: self signed, key 2048 bits
• Citizen CA cert: root signed
• RRN signing cert: root signed
• Authentication cert and Signature cert (Auth + Sign key pairs, 1024 bits): private key inside the chip, public key inside the certificate
• AIA (Authority Information Access extension)
PKI Trust Hierarchy
(figure; only the labels "Admin" and "Auth/Sign" survive)
Web Authentication
Browser client and Web Server (figure; steps recovered from the slide):
(1) SSL between browser client and web server
(2) Validate server certificate
(3) "Challenge" to verify client identity
(4) Encrypt "Challenge" with eID private key
(5) Encrypted "Challenge" with eID authentication certificate is sent to the server
(6) Decrypt "Challenge" with public key from authentication certificate
(7) If/when "Challenge" match: access granted, user identity established
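The challenge-response of steps (3) to (7), written out in Go as an added example (not Fedict code and no part of the eID middleware): the server issues a random single-use challenge, the client signs its hash with the authentication private key, and the server verifies the response against the public key taken from the SubjectPublicKeyInfo of the presented authentication certificate. `challengeServer`, `issueChallenge`, `signChallenge` and `verifyResponse` are names chosen for this example, and the key pair is a constructed stand-in for the one inside the chip. What the slide calls encrypting the challenge with the private key is an RSA signature; in the real deployment it happens inside the SSL/TLS client-authentication handshake rather than at application level, and validation of the certificate chain against the Belgium Root CA, which must precede this check, is not shown here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// challengeServer is the web-server side of the slide: it issues random single-use challenges
// and later checks the client's response with the public key from the presented certificate.
type challengeServer struct {
	mu      sync.Mutex
	pending map[string]time.Time // outstanding challenge (hex) -> expiry
	ttl     time.Duration
}

func newChallengeServer(ttl time.Duration) *challengeServer {
	return &challengeServer{pending: map[string]time.Time{}, ttl: ttl}
}

// issueChallenge is step (3): 32 random bytes that the server remembers until they expire.
func (s *challengeServer) issueChallenge(now time.Time) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[hex.EncodeToString(c)] = now.Add(s.ttl)
	return c
}

// signChallenge is step (4) on the client: the card signs the hash of the challenge with the
// authentication private key. The slide calls this "encrypting" the challenge; it is an RSA signature.
func signChallenge(authKey *rsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := rsa.SignPKCS1v15(rand.Reader, authKey, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyResponse is steps (6) and (7): take the public key out of the SubjectPublicKeyInfo the
// client presented (the part of the authentication certificate that matters here), make sure the
// challenge is one we issued, unused and unexpired, then check the signature. The challenge is
// consumed on every attempt, so a captured response cannot be replayed.
func (s *challengeServer) verifyResponse(spkiDER, challenge, sig []byte, now time.Time) error {
	key := hex.EncodeToString(challenge)
	s.mu.Lock()
	exp, ok := s.pending[key]
	delete(s.pending, key)
	s.mu.Unlock()
	if !ok {
		return errors.New("unknown or already used challenge")
	}
	if now.After(exp) {
		return errors.New("challenge expired")
	}
	pubAny, err := x509.ParsePKIXPublicKey(spkiDER)
	if err != nil {
		return fmt.Errorf("bad public key: %w", err)
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return errors.New("authentication key is not RSA")
	}
	h := sha256.Sum256(challenge)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return errors.New("challenge does not match: access denied")
	}
	return nil // access granted: the client holds the private key for this certificate
}

func main() {
	authKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for the key in the chip
	spki, _ := x509.MarshalPKIXPublicKey(&authKey.PublicKey)
	srv := newChallengeServer(2 * time.Minute)
	now := time.Now()
	c := srv.issueChallenge(now)
	resp := signChallenge(authKey, c)
	fmt.Println("first use:", srv.verifyResponse(spki, c, resp, now))
	fmt.Println("replay:   ", srv.verifyResponse(spki, c, resp, now))
}
```

Run with `go run`: the first verification returns `<nil>` (access granted) and the replay of the very same response is refused, because the challenge was deleted from `pending` on first use. The expiry keeps a captured challenge from being answered later, and the random 32-byte value keeps the server from ever asking the card to sign something an attacker chose.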
Overview eID Functionality
Authentication
Identification
Electronic Signature
Visual Identification
eID Electronic Signature
> eID electronic signature can have the same legal value as a handwritten signature
eID Electronic Signature
Signing and verifying a message (figure; steps recovered from the slide):
Alice (signer)
1 Compose message
2 Compute hash
3 Generate signature
4 Collect signature
5 Collect certificate
6 Send message
Eve (adversary on the channel between Alice and Bob)
Bob (verifier)
1 Receive message
2 Inspect certificate
3 Check CRL
4 Check certificate
5 Fetch public key
6 Fetch signature
7 Compute reference hash
8 Hash, signature and public key match ("matching triplet")
Authentication vs Signatures
Authentication | Signatures
Signature with the key corresponding with the authn certificate | Signature with the key corresponding with the non-repudiation certificate
Liability is application specific | Liability is regulated by law
Lifecycle of authn session is short | Long-term lifecycle: requires storage of revocation data
Signature consumer same as signature requestor | Signature verification by 3rd party (e.g. court expert)
Synchronous by nature | Creation can be postponed
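The X.509 certificate, the eID certificate hierarchy, the Alice/Bob signature flow and the long-term verification requirement in the comparison above, worked through in Go as one added example (not Fedict code and no part of the eID middleware): a constructed three-level PKI shaped like the slides (self-signed root, Citizen CA, citizen signature certificate), a CRL issued by the Citizen CA, Alice's hash, sign and collect steps, and Bob's verification, which any third party can repeat later from the stored chain and CRL because the chain is evaluated as of signing time rather than the verifier's clock. `buildPKI`, `issueCRL`, `signedPackage`, `signMessage` and `verifyPackage` are this example's own names, and the subject names are constructed. It uses 2048-bit RSA with SHA-256 throughout because Go's x509 package refuses to validate certificates signed with SHA-1, and both the 1024-bit key size and SHA-1 named on the slides are considered inadequate today. Requires Go 1.19 or later.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pki is a constructed stand-in for the slides' hierarchy: self-signed Belgium Root CA -> Citizen CA -> citizen "Sign" cert.
type pki struct {
	root, citizenCA, signCert *x509.Certificate
	rootKey, caKey, signKey   *rsa.PrivateKey
}

// signedPackage carries the signer and issuer certificates and the CRL current at signing time with the signature.
type signedPackage struct {
	Message, Signature []byte
	Signer, Issuer     *x509.Certificate
	CRL                *x509.RevocationList
	SignedAt           time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds an X.509 v3 certificate for pub, signed by parent (self-signed when parent is nil).
func issue(serial int64, cn string, ku x509.KeyUsage, now time.Time, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(5, 0, 0), KeyUsage: ku,
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// buildPKI generates the three key pairs; the citizen certificate carries the non-repudiation (contentCommitment) bit.
func buildPKI(now time.Time) *pki {
	gen := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	p := &pki{rootKey: gen(), caKey: gen(), signKey: gen()}
	p.root = issue(1, "Belgium Root CA (constructed)", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, now, nil, &p.rootKey.PublicKey, p.rootKey)
	p.citizenCA = issue(2, "Citizen CA (constructed)", x509.KeyUsageCertSign|x509.KeyUsageCRLSign, now, p.root, &p.caKey.PublicKey, p.rootKey)
	p.signCert = issue(3, "Alice (Signature)", x509.KeyUsageContentCommitment, now, p.citizenCA, &p.signKey.PublicKey, p.caKey)
	return p
}

// issueCRL has the Citizen CA publish a signed CRL revoking the given certificates as of now.
func issueCRL(p *pki, now time.Time, revoked ...*x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, c := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, p.citizenCA, p.caKey))))
}

// signMessage is Alice's side: hash, sign with the private key (inside the chip on a real card), collect signature, certificate and CRL.
func signMessage(p *pki, msg []byte, crl *x509.RevocationList, now time.Time) signedPackage {
	h := sha256.Sum256(msg)
	sig := must(rsa.SignPKCS1v15(rand.Reader, p.signKey, crypto.SHA256, h[:]))
	return signedPackage{Message: msg, Signature: sig, Signer: p.signCert, Issuer: p.citizenCA, CRL: crl, SignedAt: now}
}

// verifyPackage is Bob's side (or a court expert's, years later): chain check as of signing time, CRL check, then hash/signature/key match.
func verifyPackage(pkg signedPackage, trustedRoot *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(pkg.Issuer)
	if _, err := pkg.Signer.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: pkg.SignedAt, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate check: %w", err)
	}
	if err := pkg.CRL.CheckSignatureFrom(pkg.Issuer); err != nil {
		return fmt.Errorf("CRL check: %w", err)
	}
	for _, rc := range pkg.CRL.RevokedCertificates {
		if rc.SerialNumber.Cmp(pkg.Signer.SerialNumber) == 0 && !rc.RevocationTime.After(pkg.SignedAt) {
			return fmt.Errorf("CRL check: signer certificate was revoked at signing time")
		}
	}
	// CheckSignature recomputes the SHA-256 reference hash of the message and verifies it with the certificate's RSA key.
	if err := pkg.Signer.CheckSignature(x509.SHA256WithRSA, pkg.Message, pkg.Signature); err != nil {
		return fmt.Errorf("hash, signature and public key do not match: %w", err)
	}
	return nil
}

func main() {
	now := time.Now()
	p := buildPKI(now)
	pkg := signMessage(p, []byte("I agree to the contract."), issueCRL(p, now), now)
	fmt.Println("valid package:", verifyPackage(pkg, p.root))
}
```

`go run` prints `valid package: <nil>`; changing a byte of `pkg.Message` afterwards makes `verifyPackage` fail at the last step, and a CRL that lists the signer's serial with a revocation time at or before `SignedAt` makes it fail at the CRL step. Two things a production verifier adds and this example leaves out: it checks that the stored CRL actually covers the signing time (a CRL issued before the signature cannot prove the certificate was still good, which is why long-term formats wait out a grace period and then store a later CRL), and it verifies the `SignedAt` claim itself with a time-stamp token rather than trusting a value inside the package.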
Signature Standards
> The features of a non-repudiation signature drive the need for open signature standards
• PDF signatures
• ODF signatures
• XAdES signatures
Overview eID Functionality
Authentication
Identification
Electronic Signature
Visual Identification
Fedict eID Middleware
> Software for using the eID card on a PC
• Identification (GUI tool + SDK)
• Authentication/Signature modules
  • PKCS#11
  • CSP
  • tokenD
> Platforms
• Windows XP, Vista
• Linux (Fedora, OpenSUSE, Debian)
• Mac
Fedict Reverse Proxy
> Used to authenticate a person via eID towards a web application using SSL
eID Applications
student cards
healthcare
e-commerce
Driver's license
Proof of membership
SSO…
home banking
More Information
> www.eid.belgium.be
Questions & Answers
Q & A
Thank you
eID Applications
copy fedict 2008 All rights reserved
student cards
healthcare
e-commerce
Driverrsquos license
Proof of membership
SSOhellip
home banking
More Information
copy fedict 2008 All rights reserved
gtwwweidbelgiumbe
Questions amp Answers
Q amp A
copy fedict 2008 All rights reserved
Thnk you
Fedict Reverse Proxy
copy fedict 2008 All rights reserved
gt Used to authenticate a person via eID towards a web application using SSL
eID Applications
copy fedict 2008 All rights reserved
student cards
healthcare
e-commerce
Driverrsquos license
Proof of membership
SSOhellip
home banking
More Information
copy fedict 2008 All rights reserved
gtwwweidbelgiumbe
Questions amp Answers
Q amp A
copy fedict 2008 All rights reserved
Thnk you
eID Applications
copy fedict 2008 All rights reserved
student cards
healthcare
e-commerce
Driverrsquos license
Proof of membership
SSOhellip
home banking
More Information
copy fedict 2008 All rights reserved
gtwwweidbelgiumbe
Questions amp Answers
Q amp A
copy fedict 2008 All rights reserved
Thnk you
More Information
copy fedict 2008 All rights reserved
gtwwweidbelgiumbe
Questions amp Answers
Q amp A
copy fedict 2008 All rights reserved
Thnk you
Questions amp Answers
Q amp A
copy fedict 2008 All rights reserved
Thnk you