Electronic ID Applications in Government and Enterprise Organizations
Shaked Vax, eID, Application Acceleration and Application Security Product Manager
November 2009
Agenda
• The Proliferation of Electronic ID Applications
• Electronic ID Applications Challenges & Emerging Standards
• Electronic ID Projects: Examples and Requirements
• AppDirector Solution for Electronic ID Applications
Electronic ID Applications are Emerging
• Incentives include:
  • Easier information exchange and sharing between several service providers / institutions
  • Providing more services from the customer viewpoint
  • Ensuring customer privacy and data authenticity
• One digital ID card to centrally access various private/personal information and services – online
  • Medical history
  • Payments
  • Financial info
  • Etc.
Digital ID Government Example
Belgium's 10 million citizens will soon use their new digital eID cards to vote, file taxes, manage bank accounts and make purchases on the Internet
Understanding Electronic ID Applications
• Mr. “B. Clean” eID card
• The government issues a “smart” digital ID card for the citizen
• The ID card includes a digital certificate issued by the government
How Does It Work?
• Mr. B. Clean visits a new dentist
• The dentist scans Mr. B. Clean’s ID card to validate his insurance information for service eligibility
• No need to maintain and/or access a proprietary database!
How Does It Work? – cont.
• The dentist’s PC “calls” the insurance company
• The insurance online service identifies Mr. B. Clean using his digital ID
• As part of the authentication process, the insurance company confirms that Mr. B. Clean’s ID is valid and was issued by a trusted Certificate Authority (CA)
Electronic ID Applications Challenges
Two prominent challenges are associated with eID applications:
• Always have in hand the most up-to-date certificates – and only them!
• Ensure the authenticity of the client’s information and identity
Both are equally important to address – as we’ll learn next…
Tracking the Up-to-Date Certificates Can Become a Nightmare
Companies should always ensure that the digital ID is genuine and valid, where:
• Digital IDs are issued by the government
• The government manages all CAs
• Digital IDs are authenticated by companies
• Companies query for the latest CA info every few hours to keep track of them
Which means that the CA management and authentication processes are decoupled / detached from each other
The Solution: Trusted-service Status List (TSL)
How will companies keep track of this distributed mechanism?
• The Trusted-service Status List (TSL) defines how to query for the latest, most up-to-date CA information from a central location (the government)
• TSL is an EU/ETSI* standard (TS 102 231 v2.1.1)
• ETSI is recognized as an official European Standards Organization by the European Commission (EC)
* ETSI = European Telecommunications Standards Institute
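As an added example (not from the presentation, and not AppDirector code), the Python sketch below shows what a relying party such as the insurance company does with a TSL: it keeps only CA services whose status is still accepted, keys them by a SHA-256 fingerprint of the listed certificate, and flags the list as stale once its NextUpdate time has passed so the periodic re-query described above is triggered. The element names, namespace and status URIs are assumed to follow ETSI TS 102 231; the TSL fragment is constructed for this example and the X509Certificate values are placeholder bytes rather than real DER certificates.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

# Element names, namespace and status URIs follow ETSI TS 102 231 (assumed);
# the TSL fragment is constructed and placeholder bytes stand in for DER certs.
NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
ACCEPTED = {"http://uri.etsi.org/TrstSvc/Svcstatus/accredited",
            "http://uri.etsi.org/TrstSvc/Svcstatus/undersupervision"}
SAMPLE_TSL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <SchemeInformation><NextUpdate><dateTime>2009-12-01T00:00:00Z</dateTime></NextUpdate>
 </SchemeInformation><TrustServiceProviderList><TrustServiceProvider><TSPServices>
  <TSPService><ServiceInformation><ServiceName><Name>Citizen CA 2009</Name></ServiceName>
   <ServiceDigitalIdentity><DigitalId><X509Certificate>Q0VSVC1BLTIwMDk=</X509Certificate>
   </DigitalId></ServiceDigitalIdentity>
   <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/accredited</ServiceStatus>
  </ServiceInformation></TSPService>
  <TSPService><ServiceInformation><ServiceName><Name>Citizen CA 2005</Name></ServiceName>
   <ServiceDigitalIdentity><DigitalId><X509Certificate>Q0VSVC1PTEQ=</X509Certificate>
   </DigitalId></ServiceDigitalIdentity>
   <ServiceStatus>http://uri.etsi.org/TrstSvc/Svcstatus/supervisionrevoked</ServiceStatus>
  </ServiceInformation></TSPService>
 </TSPServices></TrustServiceProvider></TrustServiceProviderList></TrustServiceStatusList>"""

def fingerprint(der):
    """SHA-256 (SHA-2 family) fingerprint of a certificate's DER bytes."""
    return hashlib.sha256(der).hexdigest()

def _ts(text):
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def parse_tsl(xml_text, now_iso):
    """Map fingerprint -> service name for CAs whose status is accepted, and flag
    the list as stale once NextUpdate has passed (time to re-query the scheme)."""
    root = ET.fromstring(xml_text)
    next_update = root.findtext("tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime",
                                namespaces=NS)
    trusted = {}
    for svc in root.iterfind(".//tsl:TSPService/tsl:ServiceInformation", NS):
        if svc.findtext("tsl:ServiceStatus", namespaces=NS) not in ACCEPTED:
            continue  # revoked or ceased CAs must drop out of the trust store
        name = svc.findtext("tsl:ServiceName/tsl:Name", namespaces=NS)
        for cert in svc.iterfind(".//tsl:X509Certificate", NS):
            trusted[fingerprint(base64.b64decode(cert.text.strip()))] = name
    return trusted, _ts(next_update) <= _ts(now_iso)

def issuer_is_trusted(issuer_der, trusted, stale):
    """Accept an issuer only if it is listed and the list has not expired."""
    return not stale and fingerprint(issuer_der) in trusted
```

A real deployment would additionally verify the TSL's own signature before trusting its contents, and compare the issuer's full certificate rather than a placeholder.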
AppDirector Provides Full Support for TSL
• With the release of AppDirector 2.12, the Radware ADC solution supports TSL!
• The related configuration is reduced to a minimum
• All authentications and configurations of AppDirector are automatically updated using the TSL standard
The result: full support for Electronic ID Application deployment with minimal operational impact -- reducing time, operations and OPEX!
eID Deployment All Across Europe
• The EC’s Interoperable Delivery of European eGovernment Services to public Administrations, Businesses and Citizens (IDABC) drives IT opportunities to encourage and support the delivery of cross-border public sector services
• Objective: allow the electronic identification of citizens for the use of eGovernment services at the national level
  • Tax declaration, request or completion of administrative documents, etc.
Secure Electronic Identity Management (EIM) Trend
• Public access to IT services over the Web is increasing significantly
• The European Community and governments require the use of European Standards in the domain of citizens’ access to Information Technology Services
• These requirements strive to ensure the authenticity of a client’s identity and information, i.e. making sure that the data has not been manipulated in any way
Ensuring Client’s Data Authenticity with Hash Algorithms
• Employing a hash algorithm is a way to ensure that data was not changed after it was created
• How does it work? The hash algorithm produces a “fingerprint” or “signature” that can be validated for identification
• Hash algorithm examples:
  • MD5
  • SHA (Secure Hash Algorithm) family
  • More…
Hash Algorithms Have a Long History of Being Cracked
• Message Digest 5 (MD5), designed in 1991 at MIT
• On August 17, 2004: the first real vulnerability was discovered
• On March 18, 2006: an algorithm was published that could find a collision within one minute on a single notebook computer
• Based on Moore’s law and increasing processing power, these vulnerabilities are becoming more relevant since today no supercomputer is required!
• Using modest, everyday equipment, malicious users can cause huge issues
MD5 Vulnerability Broken Using 200 Sony PS3s…
• December 30, 2008: MD5 was broken by 200 PlayStation 3 consoles
Moving to SHA-1: Vulnerabilities Also Found…
• The result: Secure Hash Algorithm 1 (SHA-1) was recommended to be used instead of MD5
• Security flaws and weaknesses found in SHA-1
Breaking SHA-1
The question is not if, but when, SHA-1 will be compromised.
Gradually Moving to SHA-2: The Latest, Strongest Algorithm
National Institute of Standards and Technology (NIST): US Government Should Use SHA-2 after 2010
“Federal agencies should stop using SHA-1 for digital signatures, digital time stamping … as soon as practical, and must use the SHA-2 … after 2010.”
Note: SHA-2 consists of a family of hash algorithms including SHA-224, SHA-256, SHA-384 and SHA-512
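An added example (not the presentation's own, and not AppDirector code) of how a relying party can apply the NIST guidance above when it checks the data fingerprints discussed earlier: fingerprints carry their algorithm name, MD5 and SHA-1 tags are refused for verification by default, new tags are only ever made with a SHA-2 member, and legacy records are re-tagged with SHA-256. The "algorithm:hexdigest" tag format and the sample eID record are constructed for this example.

```python
import hashlib
import hmac

# Policy derived from the NIST guidance above: MD5 and SHA-1 may no longer be
# used to fingerprint new data; only the SHA-2 family is approved.
DEPRECATED = {"md5", "sha1"}
APPROVED = {"sha224", "sha256", "sha384", "sha512"}

def digest_tag(data, algorithm):
    """'algorithm:hexdigest' with no policy check (constructed tag format)."""
    return f"{algorithm}:{hashlib.new(algorithm, data).hexdigest()}"

def make_tag(data, algorithm="sha256"):
    """Fingerprint new data; refuses anything outside the SHA-2 family."""
    if algorithm not in APPROVED:
        raise ValueError(f"{algorithm} is not approved for new fingerprints")
    return digest_tag(data, algorithm)

def check_tag(data, tag, allow_deprecated=False):
    """True only if the tag matches the data AND its algorithm is acceptable.
    A matching MD5/SHA-1 tag is rejected by default: once collisions are
    practical, a second record could carry the same fingerprint."""
    algorithm, _, expected = tag.partition(":")
    if algorithm in DEPRECATED and not allow_deprecated:
        return False
    if algorithm not in APPROVED | DEPRECATED:
        return False  # unknown algorithm: never fall back to a guess
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected)  # constant-time compare

def migrate_tag(data, old_tag):
    """Re-tag a legacy record with SHA-256. The old tag is checked once more
    first so a record that already fails its legacy check is not blessed with
    a fresh fingerprint; returns None on mismatch."""
    if not check_tag(data, old_tag, allow_deprecated=True):
        return None
    return make_tag(data, "sha256")

# Constructed sample eID record, as a dentist's system might cache it.
RECORD = b'{"holder":"B. Clean","insurer":"Example Dental","eligible":true}'
```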
AppDirector Provides Full Support for SHA-2
• With the release of AppDirector 2.12, the Radware ADC solution supports SHA-2!
The result: full support for Electronic ID Application deployment while delivering the strongest means of certificate identification and ensuring no compromise of client data authenticity!
Electronic ID Projects: Examples
http://www.epractice.eu/
We see several “public” projects – starting in the EU but emerging all around the globe – all with EIM/eID requirements, for example:
• Government initiated
  • Real estate ownership records
  • Tax payments
• Consortium of insurance services initiated
  • Pension funds
• Health-care organizations initiated
  • Access to patient medical records
• Financial services organizations initiated
  • Access to pension funds, limited accounts
• Utilities companies initiated
  • Bills status and payments
Use of eID & eSignature in Estonia
eID Project Deployment in Spain
India Launches World’s Largest eID Project
• The Indian government initiated the largest e-governance project, which aims to provide a unique identification (UID) number to each of its >1B citizens by 2011
• The goal: eliminate the need for the multiple identification mechanisms prevalent across various government departments
US Senate Voted for Federally Approved ID Cards
• As part of the REAL ID (Rearing and Empowering America for Longevity against acts of International Destruction) Act of 2005, state driver’s licenses and state ID cards need to comply with security, authentication and issuance standards
• Although still a controversial bill -- under the consideration of a legislature -- its approval means a high-potential eID deployment
eID Deployments: Typical Requirements
• Conformance with EC-established EIM standards
• Ensure security with a dynamically updating authentication infrastructure (TSL)
• Support emerging certificate standards requirements (SHA-2)
• Offload the authentication validation infrastructure
• Support for the most up-to-date CA standards, including Online Certificate Status Protocol (OCSP)
AppDirector Unique Value Proposition
AppDirector is the only ADC solution in the market providing:
• Full support for SHA-2
  • Offload SSL with SHA-2 signed certificates
  • Validate client certificates that are based on SHA-2
  • Support encrypted backend connections to servers using SHA-2
• Full support for TSL
  • Ensure security with a dynamically updating authentication infrastructure
• In addition, full support for the most up-to-date CA standards -- OCSP
Summary The road to e-ID is paved – start your journey with Radware today!
Questions?
Why Radware? Your Smart Choice!
• Application Delivery & Security Focus
• On Demand Application Infrastructure
• Business Smart Data Center Solutions