Electronic Identity Cards for User Authentication—Promise and Practice
IEEE Security & Privacy, January/February 2012
Authors: Andreas Poller, Ulrich Waldmann, Sven Vowé, and Sven Türpe
Presenter: 黃微珊
Date: 2012/03/02
Outline • Introduction • Electronic Identity (eID) Card • Electronic Identity (eID) System • Service Authorization • Security Properties • Privacy Properties • Applications for eID • Conclusion
Introduction • A traditional ID card only supports offline use; the eID card supports business processes both offline and online, so services can be provided over the Internet. • The eID card promises a universal, secure authentication scheme for government and private-sector applications.
Electronic Identity (eID) Card(1/2)- New German Electronic ID Card (Figure: front and back of the card; the labelled field is the holder's signature.) • The card carries human-readable data on its surface and a contactless chip inside, combining the functions of a conventional ID document and a digital authentication token.
Electronic Identity (eID) Card(2/2)-Electronic Functions • The contactless chip offers three distinct electronic functions. • ePass function: reserved for government use; stores a digital representation of the cardholder's identity. • eID function: for general applications; stores an identity record that authorized services can access with the cardholder's permission. • eSign function: lets the cardholder store a single private key and certificate for qualified electronic signatures.
Electronic Identity (eID) System(1/3)-System Components • Four principal components participate in online authentication:
• ID card chip: verifies the user's PIN and the eID server's authorization certificate, and releases information only as authorized.
• Client side: a card reader and a client software package provide the interfaces to the user and to the ID card.
• eID server: handles authentication on the server side and returns the result to the service.
• Service provider: the online service the user wants to use.
Electronic Identity (eID) System(2/3)-Cryptographic Protocols • Between the card and the reader, the Password Authenticated Connection Establishment (PACE) protocol establishes a shared session key and verifies the password without transmitting it. • Between the card and eID server, the Extended Access Control (EAC) protocol provides mutual authentication and creates a session key.
Electronic Identity (eID) System(2/3)-Cryptographic Protocols (cont.) The eID card uses: • AES-128 in CBC (cipher block chaining) mode and CMAC (cipher-based message authentication code) for secure messaging. • SHA-256 for hashing. • Elliptic-curve Diffie-Hellman for key establishment in PACE, chip authentication, and restricted identification. • ECDSA (Elliptic Curve Digital Signature Algorithm) for signatures, including those on authorization certificates.
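The PACE run described above, as an added example that is not part of the paper or the slides: a Python model of the exchange with both the card side and the reader side written out. It substitutes classic Diffie-Hellman over the RFC 2409 1024-bit MODP group for the card's elliptic-curve Diffie-Hellman, a one-time pad under the PIN-derived key for AES-CBC, and HMAC-SHA256 for AES-CMAC; the key derivation is modelled on the TR-03110 form SHA-256(secret || counter). The PIN values, the retry limit of three and the message names are assumptions.

```python
import hashlib
import hmac
import secrets

# Demo group: RFC 2409 1024-bit MODP prime with generator 2. The real card runs
# PACE with elliptic-curve Diffie-Hellman; classic DH stands in for it here.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = (P.bit_length() + 7) // 8


def kdf(secret: bytes, counter: int) -> bytes:
    """SHA-256(secret || 32-bit counter); counters 2 and 3 pick the MAC key and the PIN key."""
    return hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rand_exp() -> int:
    return secrets.randbelow(P - 2) + 1


def i2b(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


def mac(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 stands in for the card's AES-CMAC."""
    return hmac.new(key, data, "sha256").digest()


def pace(card_pin: str, reader_pin: str):
    """One PACE run between a card that holds card_pin and a reader that was given reader_pin.
    Returns (card_accepts, reader_accepts, transcript); the PIN itself is never sent."""
    # Step 1: the card encrypts a fresh nonce s under K_pi = KDF(PIN, 3) and sends z.
    k_pi_card = kdf(card_pin.encode(), 3)[:16]
    s = secrets.token_bytes(16)
    z = xor(s, k_pi_card)                       # one-time pad stands in for AES-CBC
    # The reader decrypts with the PIN it was given; s_reader == s only if the PINs match.
    k_pi_reader = kdf(reader_pin.encode(), 3)[:16]
    s_reader = xor(z, k_pi_reader)
    # Step 2: generic mapping. An ephemeral DH yields a secret H; the mapped generator is G' = g^s * H.
    a, b = rand_exp(), rand_exp()
    A, B = pow(G, a, P), pow(G, b, P)           # card sends A, reader sends B
    h_card, h_reader = pow(B, a, P), pow(A, b, P)
    g_card = pow(G, int.from_bytes(s, "big"), P) * h_card % P
    g_reader = pow(G, int.from_bytes(s_reader, "big"), P) * h_reader % P
    # Step 3: a second DH on the mapped generator gives the session secret on each side.
    c, d = rand_exp(), rand_exp()
    C, D = pow(g_card, c, P), pow(g_reader, d, P)   # card sends C, reader sends D
    k_mac_card = kdf(i2b(pow(D, c, P)), 2)
    k_mac_reader = kdf(i2b(pow(C, d, P)), 2)
    # Step 4: mutual authentication. Each side MACs the other's ephemeral key under its K_mac
    # and checks the token it receives; with a wrong PIN the generators differ and both checks fail.
    t_card = mac(k_mac_card, i2b(D))            # card -> reader
    t_reader = mac(k_mac_reader, i2b(C))        # reader -> card
    card_accepts = hmac.compare_digest(t_reader, mac(k_mac_card, i2b(C)))
    reader_accepts = hmac.compare_digest(t_card, mac(k_mac_reader, i2b(D)))
    transcript = {"z": z, "A": A, "B": B, "C": C, "D": D, "T_card": t_card, "T_reader": t_reader}
    return card_accepts, reader_accepts, transcript


class CardPinState:
    """The card's PIN retry counter (assumed limit of three): a failed run costs one attempt."""

    def __init__(self, pin: str, retries: int = 3):
        self.pin, self.limit, self.retries = pin, retries, retries

    def attempt(self, reader_pin: str) -> bool:
        if self.retries == 0:
            raise PermissionError("PIN blocked")
        ok, _, _ = pace(self.pin, reader_pin)
        self.retries = self.limit if ok else self.retries - 1
        return ok


if __name__ == "__main__":
    print("correct PIN:", pace("123456", "123456")[:2])
    print("wrong PIN:  ", pace("123456", "123457")[:2])
```

Because s is fresh per run and the mapped generator also depends on the secret Diffie-Hellman value H, a captured transcript gives an eavesdropper nothing to test a PIN guess against; the only way to test a guess is a live run against the card, which the retry counter bounds.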
Electronic Identity (eID) System(3/3)-eID Authentication (Figure: message flow between client side, service provider and eID server.)
1. The user wants to use a service; the service provider sends an authentication request.
2. The client software displays the request information to the user.
3. The user enters the PIN; the PIN is verified with Password Authenticated Connection Establishment between card and reader.
4. The card and the eID server run Extended Access Control.
5. The eID function releases the authorized data to the eID server.
6. The eID server returns the authentication response to the service provider.
Service Authorization(1/2)-Roles and Responsibilities (Figure: roles of government and private sector in the eID system.)
Service Authorization(2/2) • The government and the private sector share eID system implementation and operation.
1. Service providers request approval.
2. Approved providers get authorization certificates.
3. eID servers request access to the card on behalf of approved service requests.
Security Properties • For citizens, the cryptographic protocols ensure that the eID card releases data only after the cardholder has entered the PIN and only to a service whose authorization certificate the card has verified. • For service providers, chip authentication ensures that the data received originates from a genuine and valid government-issued eID card.
Privacy Properties • Sharing a private chip authentication key among a batch of cards makes the cards in the batch indistinguishable, so chip authentication cannot be used to track an individual card. • eID data remains unsigned: the data a service receives carries no signature from the card or the issuer, so it cannot be passed on to third parties as proof of identity. • On-card verification: checks such as age verification are performed on the card, which returns only a yes/no answer instead of the underlying data.
Applications for eID Three service types: • Government services that require formal identification of citizens. • Services that must let citizens exercise their right to access personal information. • Operators of age-restricted services, such as cigarette vending machines or adult entertainment.
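Terminal authentication and authorized data release, covering steps 4 and 5 of the authentication flow, the service-authorization, security and privacy slides, and the age-restricted services just listed, as an added example that is not part of the paper or the slides. The toy model uses Schnorr signatures over the RFC 2409 1024-bit MODP group in place of ECDSA and a flat "CVCA signs the terminal's authorization certificate" chain instead of the real multi-level card-verifiable certificate chain. The certificate format, the data-group names, the sample identity (the "Erika Mustermann" specimen used on German sample documents) and the dates are constructed for the example.

```python
import hashlib
import secrets
from datetime import date

# Demo group: RFC 2409 1024-bit MODP prime, a safe prime. The real card checks ECDSA
# signatures on an elliptic curve; Schnorr over this group stands in for that here.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2          # prime order of the subgroup of squares
G = 4                     # generator of that subgroup
NBYTES = (P.bit_length() + 7) // 8

# Constructed sample identity (German "Erika Mustermann" specimen data).
ERIKA = {"given_name": "Erika", "family_name": "Mustermann",
         "date_of_birth": date(1964, 8, 12), "address": "Heidestraße 17, 51147 Köln"}


def _e(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(NBYTES, "big") + msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = _e(pow(G, k, P), msg)
    return e, (k - x * e) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    return _e(pow(G, s, P) * pow(y, e, P) % P, msg) == e


def cert_bytes(cert: dict) -> bytes:
    """Canonical encoding of an authorization certificate (toy format, assumed)."""
    rights = ",".join(sorted(cert["rights"]))
    return f"{cert['holder']}|{cert['pubkey']}|{rights}|{cert['not_after'].isoformat()}".encode()


class Card:
    """The chip: holds the identity record and the CVCA public key it trusts."""

    def __init__(self, cvca_pub: int, identity: dict):
        self.cvca_pub, self.identity = cvca_pub, identity

    def terminal_authentication(self, cert: dict, cert_sig, sign_challenge, today: date) -> frozenset:
        # 1. The certificate must be signed by the CVCA the card trusts.
        if not verify(self.cvca_pub, cert_bytes(cert), cert_sig):
            raise PermissionError("authorization certificate not signed by trusted CVCA")
        # 2. It must still be valid.
        if cert["not_after"] < today:
            raise PermissionError("authorization certificate expired")
        # 3. The terminal proves possession of the certified key by signing a fresh challenge.
        challenge = secrets.token_bytes(32)
        if not verify(cert["pubkey"], challenge, sign_challenge(challenge)):
            raise PermissionError("terminal failed challenge-response")
        return frozenset(cert["rights"])

    def release(self, rights: frozenset, consent: frozenset) -> dict:
        """Release only fields both the certificate and the cardholder allow; the result is unsigned."""
        allowed = rights & consent & frozenset(self.identity)
        return {k: self.identity[k] for k in allowed}

    def verify_age(self, rights: frozenset, min_age: int, today: date) -> bool:
        """On-card age check: a yes/no answer, the date of birth itself never leaves the card."""
        if "age_verification" not in rights:
            raise PermissionError("certificate does not allow age verification")
        dob = self.identity["date_of_birth"]
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        return age >= min_age


def run_demo(today: str = "2012-03-02", not_after: str = "2012-12-31", trusted_issuer: bool = True) -> dict:
    """Certify an age-verification terminal, authenticate it to the card and request data.
    Returns what the card released, or the reason it refused."""
    today_d, not_after_d = date.fromisoformat(today), date.fromisoformat(not_after)
    cvca_priv, cvca_pub = keygen()
    issuer_priv = cvca_priv if trusted_issuer else keygen()[0]   # a rogue issuer when False
    term_priv, term_pub = keygen()
    cert = {"holder": "vending-machine.example", "pubkey": term_pub,
            "rights": {"given_name", "age_verification"}, "not_after": not_after_d}
    cert_sig = sign(issuer_priv, cert_bytes(cert))
    card = Card(cvca_pub, ERIKA)
    try:
        rights = card.terminal_authentication(cert, cert_sig, lambda c: sign(term_priv, c), today_d)
    except PermissionError as err:
        return {"refused": str(err)}
    # The holder consents to more than the certificate allows; the intersection wins.
    consent = frozenset({"given_name", "family_name", "address"})
    return {"released": card.release(rights, consent), "over_18": card.verify_age(rights, 18, today_d)}


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(today="2013-01-01"))
```

The service gets the given name and a yes/no age answer, never the date of birth or address, even though the holder consented to the address; and because the released record is unsigned, the vending-machine operator cannot forward it to anyone else as evidence.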
Conclusion(1/2) • Compared with a traditional ID card, the electronic ID card provides: • online identity verification • electronic signatures • biometric features
Conclusion(2/2) • However, the functions of the electronic ID card cannot yet be fully exploited. • The price of card readers reduces citizens' willingness to switch to the electronic ID card. • At present most websites, apart from some government tax-filing sites and insurance company sites, do not offer identity verification with the electronic ID card.