
1111 1958 - 1111



Presentation Transcript


  1. [Title slide with a sample card face: Meikäläinen Maija, F, 1111 1958 - 1111, Maija Meikäläinen] Contact: vesa.vatka@vrk.intermin.fi, www.vaestorekisterikeskus.fi

  2. Finnish Electronic Identification and Supporting Technologies: General Issues
     • The number of transactions of all kinds is increasing rapidly on the Internet
     • To make them safe we need:
       • identification of both sides,
       • digital signature,
       • encryption of data and of data transfer
     • The field is developing rapidly
     • An important part of the information society

  3. Finnish Electronic Identification and Supporting Technologies
     • Identification, digital signatures and encryption are based on:
       • open standards:
         • Public Key Infrastructure
         • PKIX-based Certificate Policy
         • chipcards and readers (ISO 7816 series standards, incl. 7816-8)
         • X.509 v3 certificates, IETF PKIX "qualified certificate" draft
         • X.500 and LDAP directories
         • EID application (FINEID S4-1 = PKCS#15, FINEID implementation) => will be modified to meet EESSI requirements
       • highly secured environments
       • centralized key generation
       • face-to-face identification
       • voluntary involvement
       • cards and certificates valid for a certain time (3 years)

  4. Finnish Electronic Identification and Supporting Technologies: PARTNERS
     • CA system: ICL (iD2)
     • Directory services: HPY, PeerLogic i500
     • CRL services: Sonera
     • Card manufacture and RA duties: Setec, Police
     • HelpDesk services: NovaCall, NovoGroup

  5. [Diagram: card issuance and certification process. Labels: Registration Authority services (application, face-to-face identification, application information, card delivery, PIN codes); Certificate services at VRK (certificate request, certificates, X.500 + CRL, VTJ, process database, "manual information"); CA / card: pregeneration of anonymous ID cards (RSA keys + PIN). Example subject: Matti Meikäläinen.]

  6. [Diagram: Electronic ID card 1999 file layout: MF (master file); FINEID application; other data: city application, bank application, user's own; additional certificates (employer, organisation, customer, ...). Sizes marked ~6-7 Kb and ~8-9 Kb.]

  7. FINEID-application (PKCS#15)

  8. FINEID card with two keypairs
     • Authentication + encryption (PIN1): "Hello?" -> "Hi", encrypt session key
     • Non-repudiation signature (PIN2) (Finnish "Allekirj." = signature)
     • Each has its own X.509 certificate
     • Different keys, certificates and PIN codes
     • Also the trusted CA (PRC) certificate, which includes the CA public key

  9. Finnish Electronic Identification and Supporting Technologies: Certificate
     • Basic fields:
       • version: value 2 = X.509 v3 certificate
       • serial number: unique within an issuer
       • signature: the algorithm identifier for the algorithm used by the CA to sign the certificate
       • issuer: country = FI, organisation = VRK-FINSIGN Gov. CA, CommonName = Finsign CA for Citizen
       • validity: YYMMDDHHMMSSZ
       • subject: country = FI, Surname = Meikäläinen, Given name = Maija, Finuid = 123456786, cn = S+G+F
       • subject public key: the algorithm identifier of the subject's public key
     • Extensions:
       • Key usage: digitalSignature, keyEncipherment, dataEncipherment - nonRepudiation
       • Certificate policies: policy identifier, OID (the CP includes possible loss limitations etc.)
       • Authority key identifier: the particular private CA key used to sign the certificate
       • Subject key identifier: SHA-1 hash of the value of the BIT STRING subjectPublicKey

  10. Finnish Electronic Identification and Supporting Technologies: WHERE, HOW, WHAT?
     • Company card, bank card: FINEID application
     • Citizen certificates (not for company cards)
     • Role certificates
     • Email certificates
     • ...

  11. Finnish Electronic Identification and Supporting Technologies: DIRECTORY SERVICE
     • Finsign CA for Citizen: X.500, open directory service
     • Closed environments -> closed directories
     • Personal certificates:
       • Certificate 1: authentication and encryption
       • Certificate 2: digital signature
     • Juridical-person and server certificates
     • CRL (Certificate Revocation List) v2
     • Directory requests: LDAP v2.0 and v3.0 supported

  12. X.500 directory
     • Country level: c = FI
     • dmd = JULHA, dmd = FINEID, dmd = ...
     • Issuer organisation level: o = VRK-FINSIGN Gov. CA, o = CertAll, o = NovoTrust, ...
     • CA level: cn = FinSign CA for citizen, with caCertificate, crossCertificates and CRL attributes
     • User level: cn = Meikäläinen Maija 123456789, or ui = 428 (certificate serial number)
       • object classes: fineidPerson, strongAuthenticationUser or fineidUserCertificate
       • userCertificates (multivalued or one per use), role and attribute certificates
       • s = Meikäläinen, g = Maija, finuid = 123456789, other attributes; or
       • s = Meikäläinen, g = Maija, fineidSubjectDistinguishedNameString = "s = Meikäläinen + g = Maija + finuid = 123456789, c = fi"

  13. [Diagram: an electronic form transaction over the Internet. Client side: end user software (smart card support, digital signature, encryption, payments integration, e-mail (S/MIME), web browser) and the smart card (keys, PIN1, PIN2, certificates, other data, other applications, ...). Server side: firewall, WWW server, WWW forms, database.]
     1.) Secure form
     2.) Secure authentication (PIN1)
     3.) Strong authentication, encryption of data transfer (SSL, IPSEC)
     4.) FINUID 123456783
     5.) Maija Meikäläinen, H:111111-114A, addr: pöllökuja...
     6.) Digital signature
     7.) PIN2
     8.) Data storage
     9.) Datacheque -> database
     10.) Decision in storage, email to customer
     11.) Customer reads, time stamp
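The two-certificate card of slide 8, the certificate fields of slide 9 and the PIN1/PIN2 steps of the form transaction above, as an added example in Go that is not part of the original presentation or of the FINEID software: it issues a CA certificate with the issuer name from slide 9, then two subject certificates for the same person with the key usage split between authentication/encryption and non-repudiation, and shows the relying-party checks (chain to the trusted CA, key usage, signature). The Finuid attribute is placed in the X.520 serialNumber attribute because the slides give no OID for it; the keys, names and form contents are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// X.520 attribute types surname (2.5.4.4) and givenName (2.5.4.42) for the subject DN on slide 9.
var oidSurname, oidGivenName = asn1.ObjectIdentifier{2, 5, 4, 4}, asn1.ObjectIdentifier{2, 5, 4, 42}

// FineidCardSet models the card: certificate 1 (authentication and encryption, PIN1 key),
// certificate 2 (non-repudiation signature, PIN2 key) and the trusted CA certificate.
type FineidCardSet struct {
	CA, AuthCert, SignCert *x509.Certificate
	AuthKey, SignKey       *rsa.PrivateKey // on a real card these never leave the chip
}

func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildCardSet issues a self-signed CA and the two subject certificates. Assumption: the
// Finuid is carried in the X.520 serialNumber attribute, since the slides give no Finuid OID.
func BuildCardSet(surname, given, finuid string) (*FineidCardSet, error) {
	var keys [3]*rsa.PrivateKey // CA key, PIN1 key, PIN2 key
	var err error
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, err
		}
	}
	now := time.Now() // cards and certificates are valid for 3 years (slide 3)
	// SubjectKeyId is left empty: Go fills a CA's with the SHA-1 hash of subjectPublicKey, slide 9's definition.
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(3, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		Subject: pkix.Name{Country: []string{"FI"}, Organization: []string{"VRK-FINSIGN Gov. CA"}, CommonName: "Finsign CA for Citizen"}}
	ca, err := issue(caTmpl, caTmpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	// Subject DN as on slide 9: c=FI, surname, given name, Finuid, cn = S+G+F.
	subject := pkix.Name{Country: []string{"FI"}, SerialNumber: finuid, CommonName: surname + " " + given + " " + finuid,
		ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidSurname, Value: surname}, {Type: oidGivenName, Value: given}}}
	var certs [2]*x509.Certificate
	for i, usage := range []x509.KeyUsage{ // certificate 1, then certificate 2
		x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		x509.KeyUsageContentCommitment} { // nonRepudiation, renamed contentCommitment in RFC 5280
		// Dates before 2050 are encoded as UTCTime (YYMMDDHHMMSSZ), the validity format on slide 9.
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(428 + i)), Subject: subject,
			NotBefore: now, NotAfter: now.AddDate(3, 0, 0), KeyUsage: usage}
		if certs[i], err = issue(tmpl, ca, &keys[i+1].PublicKey, keys[0]); err != nil {
			return nil, err
		}
	}
	return &FineidCardSet{CA: ca, AuthCert: certs[0], SignCert: certs[1], AuthKey: keys[1], SignKey: keys[2]}, nil
}

// VerifyChain checks that cert was issued by the trusted CA certificate and is inside its validity period.
func VerifyChain(cert, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// SignData is what the card does after PIN2 is entered: RSA PKCS#1 v1.5 over the SHA-256 digest.
func SignData(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifySignature is the relying party's check: chain to the CA, nonRepudiation key usage, then the signature.
func VerifySignature(cert, ca *x509.Certificate, data, sig []byte) error {
	if err := VerifyChain(cert, ca); err != nil {
		return err
	}
	if cert.KeyUsage&x509.KeyUsageContentCommitment == 0 {
		return fmt.Errorf("signing certificate lacks nonRepudiation key usage")
	}
	return cert.CheckSignature(x509.SHA256WithRSA, data, sig)
}

func main() {
	set, err := BuildCardSet("Meikäläinen", "Maija", "123456786")
	if err != nil {
		panic(err)
	}
	sig, _ := SignData(set.SignKey, []byte("form"))
	fmt.Println(set.SignCert.Subject, VerifySignature(set.SignCert, set.CA, []byte("form"), sig))
}
```

The key-usage check in VerifySignature is the point of the two-certificate design: a signature made with the authentication key (certificate 1) verifies cryptographically, but a relying party must still reject it as a binding signature, because only certificate 2 carries nonRepudiation. The authority key identifier of each subject certificate is copied from the CA's subject key identifier, which is how the directory lookup on slide 12 finds the right caCertificate.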

  14. Single Sign-on
     • [Diagram: SSO product (login, password) with SIB; Step 1: secure authentication with a smart card or SecurID token; Step 2: transparent sign-on with an encrypted password to the network operating system, departmental server and mainframe; intranet, extranet]

  15. Qualified Electronic Signature environment

  16. Baseline Qualified Certificate Policy

  17. Specific Qualified Certificate Policy

  18. Levels of certificates
     • Specific Qualified Certificates: CA = VRK-Finsign Gov. CA (Finsign CA for ...); certificates contain the FINUID; RAs: police, social insurance institute, banks; two face-to-face identifications => widely accepted
     • Qualified Certificates: CA = VRK-Finsign Enterprise CA? (Finsign Enterprise CA for ...); B2B, B2C, no FINUID; RAs: ICL Invia, TietoEnator, ... other software houses; meets the requirements of the BQCP
     • Qualified or non-qualified Certificates: Organizational CAs; no FINUID, use is up to the organisation involved; may not meet the requirements coming from the BQCP (e.g. the SSCD does not fulfil the required level of security)

  19. Levels of signatures

  20. Finnish Electronic Identification and Supporting Technologies: Users
     • Finland
       • Public administration (100 ongoing projects)
       • State authorities and municipalities (0.5 million employees)
       • Private sector: banks, insurance companies, unions; telecommunication operators and Internet service providers; large firms; retail, e-commerce
       • Citizens: 5 million
     • Sweden: SEIS interoperability, both public and private sector
     • Norway: SEIS interoperability in administration, citizens
     • EU, PKCS#15 --> global market!

  21. Where to use? Education, banking, consuming, wireless communications, public services, ... over the Internet, mobiles, satellite TV, cable TV, digital TV
     Finnish Electronic Identification and Supporting Technologies: New technologies
     • Development under way:
       • WWW (digital) television with FINEID interoperability
       • GSM/WAP with and without a separate card reader
       • WWW-based info kiosks with FINEID interoperability
       • end-user card reader and software package (ISPs)

  22. Electronic services
     • The very first service to utilize the FINEID card: the electronic movement application, by the Population Register Centre and Finnish Post
     • Next services, among others:
       • Services by municipalities and regions (Tornio, Rovaniemi, Oulu, Kuusamo/Koillismaa, Pori, Raisio, Turku, Etelä-Karjala IT region, Espoo, Vantaa, Helsinki and Joensuu; common to all of these are various application forms, electronic forms, library services etc.)
       • Application and financial services by the Finnish patent organization
       • Electronic tax service for companies and organizations
       • Employment services by the Ministry of Labour
       • Electronic application form by the Office of Education
       • Social and welfare services / makropilot

  23. Electronic services
     • Private sector services, among others:
       • OKO bank, Leonia bank and Mandatum bank will be offering, within a year, a significantly wider range of Internet banking services than before
       • Fennia insurance will offer sophisticated Internet insurance services
       • GE Capital will offer financial services for car dealers and buyers
       • Services offered by Fortum concern consumers making contracts for buying electricity
       • In addition, e.g. ICL will take the FINEID card into internal use
