1 / 34

Belgian Electronic Identity Card (BELPIC)

Belgian Electronic Identity Card (BELPIC). Ir. Olivier LIBON. Microsoft EAP – Government & Education 7 April 2005 Diegem. Agenda. FedICT (the belgian eGov strategy) Principles Objectives Planning FedPKI (the belgian PKI initiative) Trust hierarchy Certificates Trust Services

wayne-figueroa
Download Presentation

Belgian Electronic Identity Card (BELPIC)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Belgian Electronic Identity Card (BELPIC) Ir. Olivier LIBON. Microsoft EAP – Government & Education 7 April 2005 Diegem

  2. Agenda • FedICT (the belgian eGov strategy) • Principles • Objectives • Planning • FedPKI(the belgian PKI initiative) • Trust hierarchy • Certificates • Trust Services • Technical Framework(the belgian eID card) • Card Layout vs Electronic Ship • Data Capture vs Authentication vs Signature • Card Production / Personalization • Card / Chip / Data / MiddleWare / Toolkit • Applications: today & tomorrow

  3. FedICT“the belgian eGov strategy”

  4. Principles • Administration Complexity  Simplification • 1 federal state Civil Servants • 3 regions / 3 communities Enterprises • 10 provinces / 589 Municipalities Citizens • Front-Office: Unique Data collection principle • federated identity management (FedPKI) • federated transactional site (FedGATE) • federated information exchange (FedUME) • federated network management (FedMAN) • Back-Office: Authentic Data sources principle • unique citizens DB/ID (Population Registry) • unique enterprises DB/ID (CrossRoads Bank for Enterprises) • unique ... DB/ID ?

  5. Objectives Citizens Enterprises Civil Servants FedPKI Unified Identity Management Framework FedGATE Unified Transactional Site Local GATE FedUME Unified XML Gateway Local UME Local Network FedMAN Unified TCP/IP Network MinInt MinFin MinEco MinSoc ... Regions Communities Municipalities Provinces

  6. Planning Authentication Authorization Transactional Site Static Site XML Gateway XML Processing IP Network IP Services 2001 2002 2003 2004 FedPKI FedGATE FedUME FedMAN Citizens DB & unique IDs Enterprises DB & unique IDs ... Unique IDs

  7. FedPKI“the belgian PKI initiative”

  8. Trust Hierarchy SelfSign Belgium Root RootSign Belgium Root Citizen CA Gov CA ARL CRL CRL CRL Data Crypt Elec Sign Client Auth Admin CA Hierar Admin Cert Admin Card Admin Client Cert Server Cert Object Cert EU Bridge CA Admin Auth/Sign

  9. Certificates Belgium Root CA Citizen CA Citizen CA Auth Sign Crypt • Citizen’s certificates & keys • Authentication Certificate & key pair (1024 bits) • provide strong authentication (access control) • web site authentication • single sign-on (login) • etc. • Signature Certificate & key pair (1024 bits) • provide non repudiation (electronic signature equivalent to handwritten signature) • Document Signing • Form Signing • etc. • (Encryption Certificate & key pair) • foreseen at a later stage • private key backup/archiving

  10. Trust Services XKMS Register Request Population Registry Municipality CPS SLA CA Factory Citizens Secure Sites Auth/Sign Validate OCSP

  11. BELPIC“the belgian electronic personal identity card”

  12. Card Aim Proof of identity • To give Belgiancitizens an electronic identity cardenabling them toauthenticate themselves towards diverse applications and to putdigitalsignatures Signature tool

  13. Visual part • From avisualpoint of view the same information will be visible as on the current identity card : • the name • the first two Christian names • the first letter of the thirdChristian name • the nationality • the birth place and date • the sex • the place of deliveryof the card • the begin and enddata of thevalidityof the card • the denomination and number of the card • the photo of the holder • the signatureof the holder • the identification number of the National Register • the main residence of the holder (until 31/12/2003) • Identical functionality to current identity card Visual identificationof the holder

  14. Electronic Part • From anelectronicpoint of view the chip will containthe same information as printed on the card, filled up with: • the identity and signature keys • the identity and signature certificates • the accredited certification service furnisher • Information necessary for authentication of the card and securizationof the electronic data • the main residence of the holder • (Currently) no encryption certificates • No electronic purse • No biometric data • Conformity with European Directive 1999/93/EC Electronicidentificationof the holder

  15. Advanced Electronic Signature Electronic Signatures Advanced Electronic Signatures Article 2.2 (PKI technology) Qualified Electronic Signature Article 5.1 (identification/enrolment) +AnnexI: Q-Cert +Annex II: Q-CSP +Annex III: SSCD

  16. Card functions data capture authentication digital signature

  17. Data Capture

  18. Authentication • log on to websites (SSO) access control container park library swimming pool …

  19. Signature hash Alice Alice Alice 1. Compose message 3. Generate signature 5. Collect certificate 2. Compute hash 4. Collect signature 6. Send message Matching triplet? 7 6 1 1 6 hash CRL 8 2 2 5 4 5 3, 4 3 Alice Bob 1. Receive message3. Check CRL/OCSP5. Fetch public key 7. Compute reference hash 2. Inspect certificate4. Check certificate6. Fetch signature 8. Hash, signature, public keymatch?

  20. Qualified Electronic Signature Electronic Signatures Advanced Electronic Signatures Article 2.2 (PKI technology) Qualified Electronic Signature Article 5.1 (identification/enrolment) +AnnexI: Q-Cert +Annex II: Q-CSP +Annex III: SSCD

  21. Production Process CM/CP/CI (10a2) (11) (13) (5) VRK VRK (4) (8) (6) ECA (9) National Register (10a1) ECA (3) Bull Bull (7) Municipality (10b) (1) Meikäläinen De The municipalities Matti PIN & PUK1 - code Face to face identification (2) (12)

  22. Personalization Process

  23. Card Specifications • Standard - ISO/IEC 7816 • Format & Physical Characteristics  Bank Card (ID1) • Standard Contacts & Signals RST,GND,CLK,Vpp,Vcc, I/O • Standard Commands & Query Language (APDU) • etc.

  24. Security Aspects • Outside • Rainbow and guilloche printing • Changeable Laser Image (CLI) • Optical Variable Ink (OVI) • Alphagram • Relief and UV print • Laser engraving • Inside 12345678 • SHA-1 • RSA • SPA/DPA/… resistent • EAL5+ certified • …

  25. Chip specifications • Chip characteristics: Cryptoflex JavaCard 32K • CPU (processor): 16 bit Micro-controller • Crypto-processor: • 1100 bit Crypto-Engine (RSA computation) • 112 bit Crypto-Accelerator (DES computation) • ROM (OS): 136 kB (GEOS Java Virtual Machine) • EEPROM (Applic + Data): 32 KB (Cristal Applet) • RAM (memory): 5 KB “GEOS” JVM Crypto (DES,RSA) ROM (Operating System) “CRISTAL” Applet CPU EEPROM (File System= applications + data) I/O ID data, Keys, Certs. RAM (Memory)

  26. Data specifications • Directory Structure (PKCS#15) • Dir (BelPIC): • certificates & keys (PIN code protected) • private and public key CA : 2048 bits • private and public keycitizen: 1024 bits • Signatures put via RSA with SHA-1 • all certificates are conform to X.509 v3 • standard format (to be used by generic applications) • Microsoft CryptoAPI ( Windows) • PKCS#11 ( UNIX/Linux & MacOS) • Dir (ID): • contains full identity information • first name, last name, etc. • address • picture • etc. • proprietary format (to be used by dedicated applications only) BelPIC ID Card Key ... ID Auth Key Auth Cert ADR Sign Key Sign Cert PIC ... CA Cert ... Root Cert

  27. MiddleWare specifications Windows Generic Applics Non Win Generic Applics BelPIC Specific Applics • Card & Reader Software • Card MiddleWare • PKCS#15 ID specific applications • Card is accessed as a simple file system • No key management possible (no PIN) • for belgian police, post, banks, etc • PKCS#11 Generic applications • Only keys & Certs available via PKCS#11 API • allows authentication (& signature) • for Netscape, Linux, Unix, etc • MS-CSP Windows applications • Only keys & certs available via MSCrypto API • allows authentication (& signature) • for Microsoft Explorer, Outlook, etc • Reader Driver/Firmware • most part is generic (orange part) • small part is specific (green part) MS-CSP (Microsoft interface) PKCS#11 (Certificate & Keys Management) OpenSC PKCS#15 (OpenSC Interface) PIN (pinpad) PC/SC (Generic SC Reader Interface) Driver (Specific SC Reader Interface) I/O

  28. Toolkit specifications Sign Plugin Auth Proxy Data Capture • Toolkits • Data Capture Toolkit • GetIdentity • GetAddress • GetPicture • GetVersion • ... • Authentication Proxy • Trigger Certificate based auth • Validate Certificate • Return Certificate Content • … • Signature Plugin • PDF/XML/Xades signature support • Validate Certificate • Verify Signature • … MS-CSP (Microsoft interface) Toolkit PKCS#11 (Certificate & Keys Management) OpenSC PKCS#15 (OpenSC Interface) PIN (pinpad) PC/SC (Generic SC Reader Interface) Driver (Specific SC Reader Interface) I/O

  29. Qualified Electronic Signature Electronic Signatures Advanced Electronic Signatures Article 2.2 (PKI technology) Qualified Electronic Signature Article 5.1 (identification/enrolment) +AnnexI: Q-Cert +Annex II: Q-CSP +Annex III: SSCD

  30. SSCD Human Interface READER Signature Creation Data Signature Creation Application SCD/SVD Generator SSCD SCA APPLICATION Certificate Generation Application

  31. Labeling Readers • Interroperability/Quality • Low-Level test scenarios • ISO7816 APDU • Data Middelware • Crypto Middleware • +platform specific • Security • Citizen (home & work) - Dedicated PC • with or without secure PINPAD • with ot without secure DISPLAY • with ot without secure APPLICATION • Business (public space) - Shared PC • with secure PINPAD • with secure DISPLAY • with secure APPLICATION

  32. Labeling Applications • Certificate Validation • CRL-based (typically for businesses) • one CRL per CA per 3 hours -> Gigabytes!!! • One dCRL per CA per 3 hours (free) • Direct OCSP based (typically for citizens) • free up to 10 per day • Delegated OCSP based (if required) • you are your own Validation Authority • you are subject to accreditation & control ! • Privacy • Unique Identification Number (NRN) • structure • collection • Extended Identity information

  33. Integration Issues ...

  34. More information Th@nk you ! For more information feel free to visit www.fedict.be

More Related