How To Authenticate An Id Card In Germany
|
|
- Donald Richards
- 3 years ago
- Views:
Transcription
1 The New German ID Card Marian Margraf Federal Ministry of the Interior Abstract Besides their use in identity verification at police and border controls, national ID cards are frequently used for commercial applications, too. One objective of the introduction of the new national ID card on 1 November 2010 is to extend the conventional use of ID documents to the digital world. In order to meet this objective, the new ID card offers two electronic functionalities for e-business and e-government service providers: an electronic authentication and a digital signature. In the following paper we describe the electronic authentication mechanism used by the ID card, explain the differences between authentication and signature and discuss the security and privacy properties of the two applications used for e-government and e-business. 2. Introduction On 1 November 2010 Germany will start issuing new identity cards. One of the main differences compared to the previous version is the integration of an ISO compliant chip which contains a government application, e.g. for border control purposes, and two applications for e-government and e-business (authentication and signature). IT security and privacy considerations played a crucial role during the design phase of the electronical functionalities. Reliable protection for personal information required a coordinated approach to legal provisions, organisational measures and technical implementation. The legislative framework for the (current) national ID card (Personalausweisgesetz) already contains various provisions about the use of the national ID card, including restrictions. Thus, only in exceptional cases it is permitted to make a paper copy of the ID document; the serial number of the ID card must not be used for data mining purposes; and the machine-readable zone (MRZ) and the data in it must only be used for government purposes. These provisions were transferred into the legal framework for the new, electronic national ID card. However, because of the new electronic functionalities, additional security mechanisms have to be specified and implemented. Therefore, the following requirements were taken into account during the design phase of the chip functionalities: 1. all data transmissions must be encrypted; 1. all transmissions of data have to be approved by the cardholder; 1. an illicit use of the ID card by a third party must be impossible; 1. the cardholder must know to whom their personal data will be transmitted;
2 2 The New German ID Card 1. only personal data that are necessary and approved by the cardholder may be transmitted; 1. the usage of the card cannot be monitored by government institutions or other parties; 1. the ID card must enable pseudonymous authentication; 1. lost ID cards must be revocable; 1. unique identifiers must not be used, neither for the citizen nor for the ID card. The last three requirements, in particular, require a careful design of the revocation management for lost ID cards which is described in [1]. For an overview of the security mechanisms of the German ID card, please refer to [2]. In [6] you will find an overview of the privacy features and data protection mechanisms of European eid cards. 1. Commercial applications Besides their use in identity verification at police and border controls, national ID cards are frequently used for commercial applications. In all these scenarios, the cardholder identifies him-or-herself, using the ID card (and the biometric information on it), to the business partner or government officer, thereby proving a claimed identity. In normal situations, the cardholder knows the person to whom he or she proves identity because this takes place either on the premises of the commercial partner or the government, or both persons involved show each other their ID cards. This is usually the basis of the trust between the two persons and/or whether they are acting on behalf of the institution(s) they represent. In a technical sense, a mutual authentication takes place. However, both parties receive just a snap shot of the authentication, and they cannot prove the other person s identity to a third party. A signature, which can, if necessary, be presented to a court or in administrative proceedings, constitutes such a proof. The objective of the introduction of the new national ID card on 1 November 2010 is to extend the conventional use of ID documents to the digital world. In order to meet this objective, the new ID card offers two electronic functionalities for e-business and e- government service providers: 1. electronic authentication: which enables mutual authentication of two parties via the Internet in such a way that each party knows the person with whom it is communicating; 1. qualified digital signature (Qualifizierte Elektronische Signatur (QES)): which is a digital equivalent to a legally binding, hand-written signature according to the German Digital Signature Act (Signaturgesetz). The cardholder has full control over the use of both functionalities: the ability of the card to perform an electronic authentication will be enabled or disabled when the citizen receives the card (and can be changed later), and a digital signature requires the prior loading of a (qualified) certificate onto the card.
3 The New German ID Card 3 1. Electronic authentication According to the definitions in the Guidelines for Information Security Audits (Grundschutzkatalog) of the Federal Office for Information Security (Bundesamt fuer Sicherheit in der Informationstechnik (BSI)) the term electronic authentication refers to a procedure or an operation for the verification of an identity. The current procedure for service providers is normally to check the security features of an ID card that is produced and compare the photo to the customer; an equivalent online procedure requires other mechanisms. Smart-card based cryptographic protocols can replace the verification of security features, i.e., the verification of the trustworthiness of the ID card. A secret PIN, only known to the cardholder, acts as a substitute for the verification of biometric features (comparing the photo). By proving his knowledge of the PIN, the claimant proves to be the legitimate owner of the ID card. Another objective, in addition to the authentication of the cardholder to the service, is the authentication of the service to the cardholder. The means for doing this are card-verifiable certificates (CV certificates) which can be verified by the chip on the ID card. Besides the expiry date and the name of the institution that owns the certificate, they contain fine-grained information about which data categories the service provider is allowed to access. A new government institution, the Issuing Office for Certicates (Vergabestelle für Berechtigungszertifikate (VfB)) which is part of the Federal Office of Administration (Bundesverwaltungsamt (BVA)), issues these certificates to service providers. A service provider applying for a certificate has to submit evidence as to why access to personal data on their customers electronic ID cards is necessary for the service; the Issuing Office verifies, in a formal procedure, that this evidence meets the requirements. One of the main aspects of this procedure is the selection of the data fields (of the eid card) to which the access will be granted. The principle of minimal disclosure applies; for example, service providers who only need to verify whether a customer is above a certain age, will only obtain access rights to a binary inquiry function for exactly this purpose (age verification). Other services, for example online shops, might get granted access to additional personal information such as name or address. Service providers will receive their certificates from one of the trust centers that act as Certification Authorities (eid CA). A trust center that wants to provide certificates for the German electronic ID card must fulfill the requirements for issuing qualified digital signature certificates according to the German Digital Signature Act and be registered at the Federal Network Agency (Bundesnetzagentur (BNetzA)) A special option offered by the German eid card is a card-specific and service-specific identifier which enables pseudonymous authentication. If requested, the chip generates a cryptographic token from the sector ID, which is part of the certificate, and a secret key stored in the chip. Thus, this token is unique for each combination of card and service provider but different for different service providers (even using the same card) or different cards. This token or pseudonym, therefore, enables a service provider to recognize an eid card without the possibility of cross-referencing with another service provider's authentication data.
4 4 The New German ID Card 1. Qualified Digital Signature As already mention above, for the electronic authentication both parties receive just a snap shot of the authentication, and they cannot prove the other person s identity to a third party. A signature, which can, if necessary, be presented to a court or in administrative proceedings, constitutes such a proof. Moreover, in an authentication procedure we are going to show who we are, a signature shows our will, for example if we sign a contract. Therefore, authentication and signature are different mechanisms and there are use cases for both mechanisms. In Germany, qualified digital signatures are regulated by the German Digital Signature Act. By this act, qualified digital signatures are equivalent to hand-written signatures, up to the regularities of some special laws. The chip of the new ID card is designed to be a signature card in the sense of the German Digital Signature Act, i.e. citizen can use this card to load a qualified digital certificate and to sign electronic documents in the usual way. 1. Realization of the electronic authentication Main idea of the electronic authentication of the ID card is to establish a trusted and secure channel between the chip and the service provider. This will be done by using an authenticated Diffie-Hellman key agreement protocol. With this, we achieve to goals: 1. Both communication parties know with whom they interact (authentication). 1. The communication parties can establish a secure channel (key agreement). In order to guarantee authenticity of the communication parties, the public keys must be assigned to the respective party. This will be done, as described in the following subsections, by digital signatures and, to achieve the bond of card and cardholder, by using the secret PIN. For a description of the cryptographic protocols in detail please refer to [4]. 1. E n t e r t h e P I N ( P a s s w o r d A u t h e n t i c a t i o n Communication Protocol (PACE)) As already mentioned above a communication with the chip of the ID card can only be performed if the cardholder enter his PIN to the chip. This guarantees a so-called two-factorauthentication based on ownership (the ID card) and knowledge (the PIN). Remember that the chip is contactless, hence the PIN cannot be send over the air without additional protection. The PACE protocol that is used for PIN sharing in this context is a password authenticated Diffie-Hellman key agreement protocol that provides secure communication and explicit password-based authentication of the chip and the card reader. A proof of the security features as well as a detailed description of PACE can be found in [77].
5 The New German ID Card 5 1. Mutual Authentication (Extented Access Control (EAC)) 1. Public Key Infrastructure In order to guarantee the authenticity of ID cards and service providers, two public key infrastructures (PKI) are used. Terminal Authentication (see Subsection 3.2.2) requires the service provider to prove to the chip that it is entitled to access data on the chip. A service provider holds at least one certificate encoding its public key and access rights, and the corresponding private key. The PKI required for issuing and validating certificates for service providers consists of the following entities: 1. Country Verifying Certification Authority (CVCA) hosted by the BSI 1. eid Certification Authorities hosted by the Trust Centers 1. Service Providers Chip Authentication (see subsection 3.2.3) requires the chip of the ID card to prove to the service provider that it is an official chip belonging to a German ID card. The chip holds a static Diffie-Helmann key pair where the public key is signed by the card-manufactor. The PKI required for issuing and validating certificates and public keys for chips of German ID cards consists of the following entities: 1. Country Signing Certification Authorithy (CSCA) hosted by the BSI 1. Document Signer (DS) hosted by the card-manufactor 1. ID cards These PKIs form the basis of Extended Access Control. 1. Authentication of the Service Provider (Terminal Authentication) When a citizen wants to use the electronic authentication mechanism of his ID card he usually goes to the web-site of a service provider. The service provider sends its certificate to the citizen. This certificate then will be displayed on the screen to show the content of the certificate (data such name of the institution that owns the certificate, expiry data of the certificate and which data categories the institutions is allowed to read from the chip), the citizen confirms by entering his PIN. After this, following steps are performed by the service provider and the ID card chip: 1. The service provider sends a certificate chain to the chip. The chain starts with a certificate verifiable with the root public key stored on the chip and ends with the service provider's certificate. 1. The chip verifies the certificates. 1. The chip verifies that the service provider also holds the associated secret key to the public key (by a challenge response protocol). 1. The service provider generates an ephemeral Diffie-Hellman key pair, signs the Diffie- Hellman public key with its secret key and sends both data to the chip.
6 6 The New German ID Card 1. The chip verifies the signature using the public key which is stored in the certificate of the service provider. If all certificates and keys could be successfully verified, the chip has an authenticated Diffie- Hellman public key from the service provider. 1. Authentication of the Document (Chip Authentication) The chip of the ID card has a static Diffie-Hellman key pair. The secret key is stored on a secure storage of the chip, so can neither be read nor cloned. The public key is signed by the card manufacturer (in Germany the Bundesdruckerei) during the production process. Now the following steps are performed by the ID card chip and the service provider: 1. The chip sends its public key, the signature of the public key and the certificate of the manufacturer to the service provider. 1. The service provider checks the manufacturer's certificate using the root certificate and the signature of the chip's public key using the manufacturer's certificate. If the public key of the chip could be successfully verified, the service provider has an authenticated Diffie-Hellman public key from a chip of an official ID card. As we have seen in Section 1 one design principle was the non-use of unique identifiers for the ID card. On account of this, the Diffie-Hellman key pairs are not unique for a chip. Chips that will be produced within a period of three month will get the same key pair to use for chip authentication. As chip authentication does not authenticate the card holder but only shows, that the chip belongs to an official ID card, in fact, this is non-usual, but has no security effect. 1. Authentication of the Cardholder At this step chip and service provider have exchanged authenticated Diffie-Hellman public keys to each other. Now they can generate a common secret and derive symmetric keys to establish an encrypted and authenticated channel (using AES as the symmetric cipher and AES-MAC as the message authentication code). Now the data which can be read by the service provider will be transmitted from the chip to the service provider. As the channel is authenticated, the cardholder is authenticated too. Moreover, since the channel is encrypted, only the service provider that has sent its certificate to the chip can read these data. 1. Revocation Management 1. Revocation of Documents In order to impede the illegitimate use of lost or stolen ID cards, the cardholder has to be able to revoke them. A very common mechanism for chip cards, e.g., qualified digital signature cards, is the creation of a global revocation list that includes the (unique) public keys or the serial numbers of all revoked cards and/or certificates. The disadvantage of this mechanism is that a unique public key or serial number constitutes a card-specific identifier which acts as a direct link to the cardholder's identity. Such a mechanism therefore contradicts the design principle of minimal disclosure. For example, if one service provider has only access rights for age
7 The New German ID Card 7 verification (see above) whereas another one also has access to other personal information, such as the name, even full access to both service provider's databases must not allow a link to their client's authentication data. This notably applies in the case when pseudonyms are used. A solution to this problem is the use of service-provider-specific revocation lists, i.e., each card provides a service-provider-specific and card-specific revocation token to the service provider who verifies it against their individual service-provider-specific revocation list. The technical and organizational implementations of this concept are described in [1]. 1. Revocation of Service Providers Of course, the concession to read data from the ID card must be revocable, too. As it is not possible to store revocation lists on the chip, here another mechanism with a similar security level must be found. CV certificates have a very short validity (depending on the data that can be read from the chip 2 up to 30 days). Therefore, a recall of such a certificate can be realized by the non-issuing of a new one for this service provider. References [BKMN10] [BKMN08] [BeFK09] [Marg09] [BMI 09] [BSI 10] [BSI 10] [ENIS09] Bender, Jens; Kügler, Dennis; Margraf, Marian; Naumann, Ingo: Das Sperrmanagement im neuen deutschen Personalausweis - Sperrmanagement ohne globale chipindividuelle Merkmale, Datensicherheit und Datenschutz (DuD), 2010, p Bender, Jens, Kügler, Dennis, Margraf, Marian, Naumann, Ingo: Sicherheitsmechanismen für kontaktlose Chips im deutschen elektronischen Personalausweis. Datenschutz und Datensicherheit (DuD), 2008, p Bender, Jens, Fischlin, Marc, Kügler Kügler: Security Analysis of the PACE Key-Agreement Protocol. Information Security Conference (ISC) 2009, Lecture Notes in Computer Science, Volume 5735, Springer-Verlag, 2009, p Margraf, Marian: Der elektronische Identitätsnachweis des zukünftigen Personalausweises. in: 19. SIT-SmartCard Workshop (Fraunhofer-Institut für Sichere Informationstechnologie), Darmstadt 3./ , p Federal Ministry of Interior: Gesetz über Personalausweise und den elektronischen Identitätsnachweis, Federal Office for Information Security (BSI): Technical Guideline TR-03110, Advanced Security Mechanisms for Machine Readable Travel Documents Extended Access Control (EAC) and Password Authentication Connection Establishment (PACE), and Restricted Authentication, Version 2.03, Federal Office for Information Security (BSI): Technical Guideline TR-03127, Technical Architecture of the New German ID Card, ENISA Position Paper, Privacy Features of European eid Card Specifications, Januar 2009,
Sicherheitsaspekte des neuen deutschen Personalausweises
Sicherheitsaspekte des neuen deutschen Personalausweises Dennis Kügler Bundesamt für Sicherheit in der Informationstechnik egov Fokus 2/2013: Identity- und Access Management im E-Government Rethinking
More informationPreventing fraud in epassports and eids
Preventing fraud in epassports and eids Security protocols for today and tomorrow by Markus Mösenbacher, NXP Machine-readable passports have been a reality since the 1980s, but it wasn't until after 2001,
More informationeid Services as Part of the new German ID Card Ecosystem 27/10/2011
eid Services as Part of the new German ID Card Ecosystem The new German ID Card Features ID CARD New Electronic Features 1. Biometrics Digital photo and (if desired), two electronic fingerprints Only legitimate
More informationeidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke
eidas as blueprint for future eid projects cryptovision mindshare 2015 HJP Consulting Holger Funke Agenda eidas Regulation TR-03110 V2.20 German ID card POSeIDAS Summary cryptovision mindshare 2015: eidas
More informationFAQs Electronic residence permit
FAQs Electronic residence permit General 1) When was the electronic residence permit introduced? Since 1 September 2011, foreigners in Germany have been issued with the new electronic residence permit
More informationFAQs - New German ID Card. General
FAQs - New German ID Card General 1) How to change from the old ID card to the new one? The new Law on Identification Cards came into effect on 1 November 2010. Since then, citizens can apply for the new
More informationImplementation of biometrics, issues to be solved
ICAO 9th Symposium and Exhibition on MRTDs, Biometrics and Border Security, 22-24 October 2013 Implementation of biometrics, issues to be solved Eugenijus Liubenka, Chairman of the Frontiers / False Documents
More informationKeywords: German electronic ID card, e-government and e-business applications, identity management
From Student Smartcard Applications to the German Electronic Identity Card Lucie Langer, Axel Schmidt, Alex Wiesmaier Technische Universität Darmstadt, Department of Computer Science, Darmstadt, Germany
More informationFacts about the new identity card
Facts about the new identity card Contents The new identity card At a glance... 4 In detail... 6 Photographs... 8 New ID card, new possibilities...10 Special functions... 11 The online function...12 Reader
More informationSecure Card based Voice over Internet Protocol Authentication
Secure Card based Voice over Internet Protocol Authentication By GOWSALYA.S HARINI.R CSE-B II YEAR (IFET COLLEGE OF ENGG.) Approach to Identity Card-based Voiceover-IP Authentication Abstract Voice-over-IP
More informationThe German eid-card. Jens Bender. Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik
The German eid-card Federal Office for Information Security Bundesamt für Sicherheit in der Informationstechnik eid Workshop KU Leuven / The German Electronic ID-Card (Elektronischer Personalausweis) Motivation
More informationBiometrics for Public Sector Applications
Technical Guideline TR-03121-2 Biometrics for Public Sector Applications Part 2: Software Architecture and Application Profiles Version 2.3 Bundesamt für Sicherheit in der Informationstechnik Postfach
More informationElectronic machine-readable travel documents (emrtds) The importance of digital certificates
Electronic machine-readable travel documents (emrtds) The importance of digital certificates Superior security Electronic machine-readable travel documents (emrtds) are well-known for their good security.
More informationWhite Paper PalmSecure truedentity
White Paper PalmSecure truedentity Fujitsu PalmSecure truedentity is used for mutual service and user authentication. The user's identity always remains in the possession of the user. A truedentity server
More informationThe ID card with eid function at a glance
The ID card with eid function at a glance New possibilities, more security Since 1 November 2010, Germany has been issuing the new ID card in smart card format and with a chip. With this chip, the ID card
More informationMoving to the third generation of electronic passports
Moving to the third generation of electronic passports A new dimension in electronic passport security with Supplemental Access Control (SAC) > WHITE PAPER 2 Gemalto in brief Gemalto is the world leader
More informationElectronic Identity Cards for User Authentication Promise and Practice
Electronic Identity Cards for User Authentication Promise and Practice Andreas Poller Ulrich Waldmann Sven Vowé Sven Türpe Fraunhofer Institute for Secure Information Technology (SIT) Rheinstraße 75, 64295
More informationTechnical Guideline TR-03107-1 Electronic Identities and Trust Services in E-Government
Technical Guideline TR-03107-1 Electronic Identities and Trust Services in E-Government Part 1: Assurance levels and mechanisms Version 1.0 This translation is informative only. The normative version is
More informationTechnical Guideline eid-server. Part 2: Security Framework
Technical Guideline eid-server Part 2: Security Framework BSI TR-03130-2 Version 2.0.1 January 15, 2014 Federal Office for Information Security Post Box 20 03 63 D-53133 Bonn Phone: +49 22899 9582-0 E-Mail:
More informationDigital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University
Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University October 2015 1 List of Figures Contents 1 Introduction 1 2 History 2 3 Public Key Infrastructure (PKI) 3 3.1 Certificate
More informationCOMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES
COMMON CERTIFICATE POLICY FOR THE EXTENDED ACCESS CONTROL INFRASTRUCTURE FOR PASSPORTS AND TRAVEL DOCUMENTS ISSUED BY EU MEMBER STATES BSI TR-03139 Version 2.1 27 May 2013 Foreword The present document
More informationSecure & privacy-preserving eid systems with Attribute-based credentials
University of Twente Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS) Master Thesis Secure & privacy-preserving eid systems with Attribute-based credentials Brinda Badarinath
More informationPublic Key Cryptography in Practice. c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13)
Public Key Cryptography in Practice c Eli Biham - May 3, 2005 372 Public Key Cryptography in Practice (13) How Cryptography is Used in Applications The main drawback of public key cryptography is the inherent
More informationA secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach.
1 of 8 15.03.2004 14:09 Issue January 2002 A secure, economic infrastructure for signing of web based documents and financial affairs Overview of a server based, customer-friendly approach. Lothar Fritsch,
More informationEntrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0
Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust
More informationBSI TR-03108-1: Secure E-Mail Transport. Requirements for E-Mail Service Providers (EMSP) regarding a secure Transport of E-Mails
BSI TR-03108-1: Secure E-Mail Transport Requirements for E-Mail Service Providers (EMSP) regarding a secure Transport of E-Mails Version: 1.0 Date: 05/12/2016 Document history Version Date Editor Description
More informationA Survey on Untransferable Anonymous Credentials
A Survey on Untransferable Anonymous Credentials extended abstract Sebastian Pape Databases and Interactive Systems Research Group, University of Kassel Abstract. There are at least two principal approaches
More informationAll you need to know about the electronic residence permit (eat)
All you need to know about the electronic residence permit (eat) www.bamf.de/eaufenthaltstitel Contents Contents 1 The electronic residence permit 5 2 Photo and fingerprints 7 3 Additional provisions
More information21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES 21.11.2013. 21 CFR Part 11 Compliance PLA 2.1
21 CFR PART 11 ELECTRONIC RECORDS, ELECTRONIC SIGNATURES Compliance of PLA 2.1 21.11.2013 21 CFR Part 11 Compliance PLA 2.1 SEC. 11.2 IMPLEMENTATION. (a) For records required to be maintained but not submitted
More informationAdvanced Security Mechanisms for Machine Readable Travel Documents
Technical Guideline TR-03110-3 Advanced Security Mechanisms for Machine Readable Travel Documents Part 3 Common Specifications Version 2.10 20. March 2012 History Version Date Comment 1.00 2006-02-08 Initial
More informationServer based signature service. Overview
1(11) Server based signature service Overview Based on federated identity Swedish e-identification infrastructure 2(11) Table of contents 1 INTRODUCTION... 3 2 FUNCTIONAL... 4 3 SIGN SUPPORT SERVICE...
More informationGuide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid)
The World Internet Security Company Solutions for Security Guide for Securing E-mail With WISeKey CertifyID Personal Digital Certificate (Personal eid) Wherever Security relies on Identity, WISeKey has
More informationMobile Driver s License Solution
Mobile Driver s License Solution Secure, convenient and more efficient Improved identity protection through secure mobile driver s licenses The introduction of a mobile driver s license is a huge opportunity
More informationState of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008
State of Arkansas Policy Statement on the Use of Electronic Signatures by State Agencies June 2008 Background In the last ten years Arkansas has enacted several laws to facilitate electronic transactions
More informationDescription of the Technical Component:
Confirmation concerning Products for Qualified Electronic Signatures according to 15 Sec. 7 S. 1, 17 Sec. 4 German Electronic Signature Act 1 and 11 Sec. 2 and 15 German Electronic Signature Ordinance
More informationThe Legal Classification of Identity-Based Signatures
The Legal Classification of Identity-Based Signatures Christoph Sorge University of Paderborn 33098 Paderborn, Germany christoph.sorge@uni-paderborn.de Abstract Identity-based cryptography has attracted
More informationNeutralus Certification Practices Statement
Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX...1 1.0 INTRODUCTION...3 1.1 Overview...3 1.2 Policy Identification...3 1.3 Community & Applicability...3 1.4 Contact Details...3
More information5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES
5 FAM 140 ACCEPTABILITY AND USE OF ELECTRONIC SIGNATURES 5 FAM 141 PURPOSE (CT-IM-112; 07-30-2010) (Office of Origin: IRM/OPS/ITI/SI/IIB) The purpose of this FAM chapter is to enable the Department to
More informationSecurity of Identity Management. Professor Brian Collins
Security of Identity Management Professor Brian Collins Headline issues Purpose of ID management and ID security Practical process and technology issues Enrolment processes Identity verification Limitations
More informationTest plan for eid and esign compliant terminal software with EACv2
Technical Guideline BSI TR-03105 Part 5.3 Test plan for eid and esign compliant terminal software with EACv2 Version: 2.0 Date: 2015-05-22 Bundesamt für Sicherheit in der Informationstechnik Postfach 20
More informationISO/IEC 24727 for secure mobile web applications
ISO/IEC 24727 for secure mobile web applications Jan Eichholz 1 Detlef Houdeau 2 Detlef Hühnlein 3 Manuel Bach 4 1 Giesecke & Devrient GmbH, jan.eichholz@gi-de.com 2 Infineon Technologies AG, detlef.houdeau@infineon.com
More informationBrocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, 2002. Page 1
PKI Tutorial Jim Kleinsteiber February 6, 2002 Page 1 Outline Public Key Cryptography Refresher Course Public / Private Key Pair Public-Key Is it really yours? Digital Certificate Certificate Authority
More informationSecurity by Politics - Why it will never work. Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA
Security by Politics - Why it will never work Lukas Grunwald DN-Systems GmbH Germany DefCon 15 Las Vegas USA Agenda Motivation Some basics Brief overview epassport (MRTD) Why cloning? How to attack the
More informationContents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
More informationQualified Electronic Signatures Act (SFS 2000:832)
Qualified Electronic Signatures Act (SFS 2000:832) The following is hereby enacted 1 Introductory provision 1 The purpose of this Act is to facilitate the use of electronic signatures, through provisions
More informationL@Wtrust Class 3 Registration Authority Charter
Class 3 Registration Authority Charter Version 1.0 applicable from 09 November 2010 Building A, Cambridge Park, 5 Bauhinia Street, Highveld Park, South Africa, 0046 Phone +27 (0)12 676 9240 Fax +27 (0)12
More informationVoIP Security. Seminar: Cryptography and Security. 07.06.2006 Michael Muncan
VoIP Security Seminar: Cryptography and Security Michael Muncan Overview Introduction Secure SIP/RTP Zfone Skype Conclusion 1 Introduction (1) Internet changed to a mass media in the middle of the 1990s
More informationDen Gode Webservice - Security Analysis
Den Gode Webservice - Security Analysis Cryptomathic A/S September, 2006 Executive Summary This report analyses the security mechanisms provided in Den Gode Web Service (DGWS). DGWS provides a framework
More informationNational Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016
National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION
More informationNecessary processing of personal data: the need-toknow principle and processing data from the new German identity card
Necessary processing of personal data: the need-toknow principle and processing data from the new German identity card Harald Zwingelberg 1 1 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein,
More informationThe Advantages and Disadvantages of Using SIP For Identity Cards
152 Secure Communication Using Electronic Identity Cards for Voice over IP Communication, Home Energy Management, and emobility Rainer Falk, Steffen Fries, Hans Joachim Hof Corporate Technology Siemens
More informationController of Certification Authorities of Mauritius
Contents Pg. Introduction 2 Public key Infrastructure Basics 2 What is Public Key Infrastructure (PKI)? 2 What are Digital Signatures? 3 Salient features of the Electronic Transactions Act 2000 (as amended)
More informationSmart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public
More informationAsymmetric cryptosystems fundamental problem: authentication of public keys
Network security Part 2: protocols and systems (a) Authentication of public keys Università degli Studi di Brescia Dipartimento di Ingegneria dell Informazione 2014/2015 Asymmetric cryptosystems fundamental
More informationThe Convergence of IT Security and Physical Access Control
The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which
More informationBest Practices for the Use of RF-Enabled Technology in Identity Management. January 2007. Developed by: Smart Card Alliance Identity Council
Best Practices for the Use of RF-Enabled Technology in Identity Management January 2007 Developed by: Smart Card Alliance Identity Council Best Practices for the Use of RF-Enabled Technology in Identity
More informationCertification Practice Statement (ANZ PKI)
Certification Practice Statement March 2009 1. Overview 1.1 What is a Certification Practice Statement? A certification practice statement is a statement of the practices that a Certification Authority
More informationExtended SSL Certificates
Introduction Widespread usage of internet has led to the growth of awareness amongst users, who now associate green address bar with security. Though people are able to recognize the green bar, there is
More informationHKUST CA. Certification Practice Statement
HKUST CA Certification Practice Statement IN SUPPORT OF HKUST CA CERTIFICATION SERVICES Version : 2.1 Date : 12 November 2003 Prepared by : Information Technology Services Center Hong Kong University of
More informationWhat Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form. December 3, 2012
Federal CIO Council Information Security and Identity Management Committee IDManagement.gov What Does it Mean to be PIVish in PACS ICAM PIV in E-PACS Guidance v2.0.2 the short form December 3, 2012 HSPD-12
More informationInformation & Communication Security (SS 15)
Information & Communication Security (SS 15) Electronic Signatures Dr. Jetzabel Serna-Olvera @sernaolverajm Chair of Mobile Business & Multilateral Security Goethe University Frankfurt www.m-chair.de Agenda
More informationCommon Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP-0064. Version 1.01 (15 th April 2010)
Common Criteria Protection Profile for BSI-CC-PP-0064 Version 1.01 (15 th April 2010) Federal Office for Information Security Postfach 20 03 63 53133 Bonn Phone: +49 228 99 9582-0 e-mail: zertifizierung@bsi.bund.de
More informationUnderstanding Digital Signature And Public Key Infrastructure
Understanding Digital Signature And Public Key Infrastructure Overview The use of networked personnel computers (PC s) in enterprise environments and on the Internet is rapidly approaching the point where
More informationPublic Key Infrastructure (PKI)
Public Key Infrastructure (PKI) In this video you will learn the quite a bit about Public Key Infrastructure and how it is used to authenticate clients and servers. The purpose of Public Key Infrastructure
More information1 Public Key Cryptography and Information Security
International Carpathian Control Conference ICCC 2002 MALENOVICE, CZECH REPUBLIC May 27-30, 2002 IMPLEMENTATION ISSUES OF PKI TECHNOLOGY Victor-Valeriu PATRICIU, Marin BICA and Ion BICA Department of Computer
More informationEnd User Encryption Key Protection Policy
End User Encryption Key Protection Policy Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization.
More informationElectronic Signatures for Legal Persons. Michael Sonntag 1
Electronic Signatures for Legal Persons Michael Sonntag 1 Electronic signatures are an important part of E-Commerce. Contracts can be concluded mostly in any form, but to proof their existence and content
More informationStrong Security in Multiple Server Environments
White Paper Strong Security in Multiple Server Environments VeriSign OnSite for Server IDs Contents 1. Introduction 1 2. Security Solutions: The Digital ID System 2 2.1. What Is a Digital ID? 2 2.2 How
More informationIBM i Version 7.3. Security Digital Certificate Manager IBM
IBM i Version 7.3 Security Digital Certificate Manager IBM IBM i Version 7.3 Security Digital Certificate Manager IBM Note Before using this information and the product it supports, read the information
More informationSavitribai Phule Pune University
Savitribai Phule Pune University Centre for Information and Network Security Course: Introduction to Cyber Security / Information Security Module : Pre-requisites in Information and Network Security Chapter
More informationQualified mobile electronic signatures: Possible, but worth a try?
Qualified mobile electronic signatures: Possible, but worth a try? Lothar Fritsch 1, Johannes Ranke 2, Heiko Rossnagel 1 Interest level of audience: 3 - for application developers (interested in IT security)
More informationOperational and Technical security of Electronic Passports
European Agency for the Management of Operational Cooperation at the External Borders of the Member States of the European Union Operational and Technical security of Electronic Passports Warsaw, Legal
More informationECCA 2014 Conference Santander 26.05.2014
ECCA 2014 Conference Santander 26.05.2014 Introducing -Technology For Strong Authentication Section 3- IT-Systems, Softwareintegration Department 6 Information And Communication Services Dezernat6 - Informations-
More informationDiscover Germany s Electronic Passport
Discover Germany s Electronic Passport Starting 1 Nov. 2007 E-Passport 2nd Generation www.epass.de 1 Introducing Germany s e-passport If you want to know why there are electronic passports and how to recognize
More informationGlossary of Key Terms
and s Branch Glossary of Key Terms The terms and definitions listed in this glossary are used throughout the s Package to define key terms in the context of. Access Control Access The processes by which
More informationAn Open ecard Plug-in for accessing the German national Personal Health Record
An Open ecard Plug-in for accessing the German national Personal Health Record Raik Kuhlisch 1 Dirk Petrautzki 2 Johannes Schmölz 3 Ben Kraufmann 1 Florian Thiemer 1 Tobias Wich 3 Detlef Hühnlein 3 Thomas
More informationEnhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation
Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation 1 Agenda EPID overview EPID usages Device Authentication Government Issued ID EPID performance and standardization efforts 2
More informationComSign Ltd. Certification Practice Statement (CPS)
ComSign Ltd. Certification Practice Statement (CPS) Procedures relating to issuing electronic certificates that comply with provisions of the Electronic Signature Law and its regulations. Version 3. 1.1.
More informationArkansas Department of Information Systems Arkansas Department of Finance and Administration
Arkansas Department of Information Systems Arkansas Department of Finance and Administration Title: Electronic Signature Standard Document Number: SS 70 011 Effective Date: Act 722 of 2007 requires state
More informationesign FAQ 1. What is the online esign Electronic Signature Service? 2. Where the esign Online Electronic Signature Service can be used?
esign FAQ 1. What is the online esign Electronic Signature Service? esign Electronic Signature Service is an innovative initiative for allowing easy, efficient, and secure signing of electronic documents
More informationMOBILE SECURITY. Enabling Mobile Qualified Signatures with Certification On Demand. Heiko Rossnagel. Abstract. Introduction
Enabling Mobile Qualified Signatures with Certification On Demand Heiko Rossnagel Abstract Despite a legal framework being in place for several years, the market share of qualified electronic signatures
More informationLow Assurance Protection Profile for a VPN gateway
LAPP VPN gateway Low Assurance Protection Profile for a VPN gateway Version: 1.4 Date: 29/04/2005 Filename: lapp4_14 Product: VPN gateway Sponsor: SRC Security Research & Consulting GmbH, Graurheindorfer
More informationMeeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11)
Meeting the FDA s Requirements for Electronic Records and Electronic Signatures (21 CFR Part 11) Executive Summary...3 Background...4 Internet Growth in the Pharmaceutical Industries...4 The Need for Security...4
More informationWhat security and assurance standards does Trustis use for TMDCS certificate services?
Frequently Asked Questions What is a Digital Certificate? What is a Root Certificate? How do Digital Certificates Work? Who needs a Digital Certificate? How do I get a Digital Certificate Can I use my
More informationaddressed. Specifically, a multi-biometric cryptosystem based on the fuzzy commitment scheme, in which a crypto-biometric key is derived from
Preface In the last decade biometrics has emerged as a valuable means to automatically recognize people, on the base is of their either physiological or behavioral characteristics, due to several inherent
More informationConCERTO Secure Solutions for Converged Systems
ConCERTO Secure Solutions for Converged Systems Distribution for Switzerland: insinova ag www.insinova.ch Jens Albrecht Email: jens.albrecht@insinova.ch Phone: +41 41 748 72 05 September 2011 SCM Microsystems
More informationEricsson Group Certificate Value Statement - 2013
COMPANY INFO 1 (23) Ericsson Group Certificate Value Statement - 2013 COMPANY INFO 2 (23) Contents 1 Ericsson Certificate Value Statement... 3 2 Introduction... 3 2.1 Overview... 3 3 Contact information...
More informationEPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION
COMMON CRITERIA PROTECTION PROFILE EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION Draft Version 1.0 TURKISH STANDARDS INSTITUTION TABLE OF CONTENTS Common Criteria Protection Profile...
More informationProtection Profile for UK Dual-Interface Authentication Card
Protection Profile for UK Dual-Interface Authentication Card Version 1-0 10 th July 2009 Reference: UNKT-DO-0002 Introduction This document defines a Protection Profile to express security, evaluation
More informationCertification Practice Statement
Certification Practice Statement Revision R1 2013-01-09 1 Copyright Printed: January 9, 2013 This work is the intellectual property of Salzburger Banken Software. Reproduction and distribution require
More informationTransnet Registration Authority Charter
Registration Authority Charter Version 3.0 is applicable from Effective Date Inyanda House 21 Wellington Road Parktown, 2193 Phone +27 (0)11 544 9368 Fax +27 (0)11 544 9599 Website: http://www.transnet.co.za/
More informationCRYPTOGRAPHY AS A SERVICE
CRYPTOGRAPHY AS A SERVICE Peter Robinson RSA, The Security Division of EMC Session ID: ADS R01 Session Classification: Advanced Introduction Deploying cryptographic keys to end points such as smart phones,
More informationModule 7 Security CS655! 7-1!
Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed
More informationOB10 - Digital Signing and Verification
Global Headquarters 90 Fetter Lane London EC4A 1EN Tel: +44 (0) 870 165 7410 Fax: +44 (0) 207 240 2696 OB10 - Digital Signing and Verification www.ob10.com Version 2.4 March 2013 Summary In order to comply
More informationThe DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions
The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions May 3, 2004 TABLE OF CONTENTS GENERAL PKI QUESTIONS... 1 1. What is PKI?...1 2. What functionality is provided by a
More informationAuthentication Types. Password-based Authentication. Off-Line Password Guessing
Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:
More informationPostSignum CA Certification Policy applicable to qualified personal certificates
PostSignum CA Certification Policy applicable to qualified personal certificates Version 3.0 7565 Page 1/60 TABLE OF CONTENTS 1 Introduction... 5 1.1 Review... 5 1.2 Name and clear specification of a document...
More informationPKD Board ICAO PKD unclassified B-Tec/37. Procedures for the ICAO Public Key Directory
Procedures for the ICAO Public Key Directory last modification final 1/13 SECTION 1 INTRODUCTION 1.1 As part of the MRTD initiative by ICAO, the Participants will upload to and download from the PKD, their
More informationEvidence of Identity: Breeder Documents and Beyond Barry J. Kefauver International national Standards ds Organization ation Why Care? A false passport in the hands of a terrorist is as dangerous as a bomb
More informationSecurity Digital Certificate Manager
IBM i Security Digital Certificate Manager 7.1 IBM i Security Digital Certificate Manager 7.1 Note Before using this information and the product it supports, be sure to read the information in Notices,
More information