AK IT-Security 1. Recap Electronic Signatures. Tobias Kellner Graz,

Transcription

1 AK IT-Security 1 Recap Electronic Signatures Tobias Kellner Graz, Das E-Government Innovationszentrum ist eine gemeinsame Einrichtung des Bundeskanzleramtes und der TU Graz

2 What can electronic signatures do? Graz,

3 What can electronic signatures do?» Provide authenticity of originator and data» Signed data is bound to the signatory» Provide non-repudiation by the signatory» Recognition of data manipulation» On the channel» By the recipient Graz,

4 Where are signatures used? Identification and authentication Signed request Officially signed administrative ruling Signed documents Applicant Portal + Documents + Application Data Back-office Decision Electronic Delivery Electronic Documents» General E-Government Process Graz,

5 Legal Framework» Different types of signatures:» Electronic signature» Advanced electronic signature» Qualified electronic signature Graz,

6 Signature formats» Advanced signature formats *AdES:» CAdES (ETSI TS )» CMS Advanced Electronic Signatures» Based on CMS» PAdES (ETSI TS )» PDF Advanced Electronic Signatures» Based on PDF signatures» XAdES (ETSI TS )» XML Advanced Electronic Signatures» Based on XMLDSIG Graz,

7 Official Signature (Amtssignatur)» Official Documents How to recognize an public authority document? official signature Recognition of origin Determination of authenticity Graz,

8 Official Signature» The E-Government law defines the official signature to identify a document s origin» Using the official signature for the electronic signature of signed documents (see 18 AVG)» The Official signature is, except for the requirement to be an advanced electronic signature, more a provision for characterization than a technical requirement. Graz,

9 Signature Verification» Signature verification Signature Validation Cryptographic Validation (Signature value + Hash value) Document + Signature» Cryptographic check» Comparing the hash value message not modified» Checking the signature value ensure the signatory s authenticity Graz,

10 Signature Verification» Signature verification Signature Validation Cryptographic Validation (Signature value + Hash value) Certificate Validation Document + Signature» Certificate validation» Chronological validity» Quality of the authenticity (via certification authority; qualified certificate)» Key usage» Revocation check Graz,

11 What is the qualified signature in Austria? Citizen Card Graz,

12 AK IT-Security 1 (E-Government) Infrastructure Citizen Card Concept Tobias Kellner Graz, Das E-Government Innovationszentrum ist eine gemeinsame Einrichtung des Bundeskanzleramtes und der TU Graz

13 Overview» Citizen card concept» Person identifier» Source PIN (spin)» Sector specific personal identifier (sspin)» Economic sector-specific identifier (essid)» Infrastructure» Registers» Natural person» Central population register» Source PIN (spin)» Legal person» Several registers» Source PIN (spin)» Electronic Record (ELAK) Graz,

14 Citizen Card Concept» The term Citizen Card denotes a concept and not a technology.» Technological independent» Open standards» The Citizen card may be implemented on a signature card or another technology, like the mobile phone signature. Graz,

15 Citizen Card ( 4 Abs. 1 E-GovG)» The Citizen Card is used to prove the unique identity of an applicant and the authenticity of an electronic submission. So it is:» Electronic Identity document and» Signature on the Internet Graz,

16 Implementation of the functionality 4 Abs. 4 E-GovG:» The authenticity of an electronically filed document is provided using the electronic signature 4 Abs. 2 E-GovG:» The unique identification of a natural person is provided by the source PIN Graz,

17 Identity Link» spin only stored (persistent) on the Citizen Card.» Identity Link: XML structure signed by the Source PIN Register Authority (SRA), that uniquely defines a person (spin) and this data is bound to the public key (from the qualified certificate.» spin» Personal data» Name, birthday» Public key (from qualified certificate)» Signature from the SRA... <saml:subjectconfirmationdata> <pr:person xsi:type="pr:physical <pr:identification> <pr:value> </pr:v <pr:type> </pr:identification> <pr:name> <pr:givenname>herbert</pr:given <pr:familyname>leitold</pr:fami </pr:name>... <saml:attribute AttributeName="CitizenPublicKey"... <dsig:rsakeyvalue> <dsig:modulus>snw8olcq49qnefems... <dsig:siganture>... Graz,

18 Overview» Citizen card concept» Person identifier» Source PIN (spin)» Sector specific personal identifier (sspin)» Economic sector-specific identifier (essid)» Infrastructure» Registers» Natural person» Central population register» Source PIN (spin)» Legal person» Several registers» Source PIN (spin)» Electronic Record (ELAK) Graz,

19 Source PIN Qq03dPrgcHsx3G0lKSH6SQ== Graz,

20 Source PIN Legal Fundamentals» The E-Government Law (E-GovG, 2004) defines the Source PIN and its calculation as follows: 2 Z8 Stammzahl : eine zur Identifikation von natürlichen und juristischen Personen und sonstigen Betroffenen herangezogene Zahl, die demjenigen, der identifiziert werden soll, eindeutig zugeordnet ist und hinsichtlich natürlicher Personen auch als Ausgangspunkt für die Ableitung von (wirtschafts)bereichsspezifischen Personenkennzeichen ( 8 und 14) benützt wird;» Number for identification of natural and legal persons» Bound to person that should be identified» Used for calculation of sector-specific identifier Graz,

21 Algorithm» Base number(12 decimals) (BN)» Convert into binary representation (5 byte)» Expand the calculation basis to 128 bit (16 byte) using the format:» BN Seed BN BN» Seed is a secret, constant, 8-bit value which is only known to the SRA» The binary representation of this value is encrypted using Triple-DES. The secret key is only known to the SRA.» The result is encoded as BASE64 Graz,

22 Example spin Calculation Base number (E.g.: CPR-number, 12 decimals) Binary representation 00 0E C (5 Byte, hexadecimal representation) Expand to 128 bit 00 0E C FF 00 0E C E C (16 Byte, Seed value set to e.g. 0xFF) Triple-DES encryption, hexadecimal Source PIN, Base64 42 AD FA E0 70 7B 31 DC 6D FA 49 (16 Byte) Qq03dPrgcHsx3G0lKSH6SQ== (24 digits) Graz,

23 spin - Usage» spin stored on the Citizen Card» May be read by an agency but only for the calculation of the sector specific personal identifier(sspin)» NO STORAGE! ( 12 EGovG) Graz,

24 Sector specific personal identifier (sspin) j/nxdrqhp+tnye9whhdbsyuy3ha= Graz,

25 Legal Fundamentals» The E-Government Law (E-GovG, 2004) defines the sector specific person identifier and its calculation as follows: 9 (1) Das bereichsspezifische Personenkennzeichen wird durch eine Ableitung aus der Stammzahl der betroffenen natürlichen Person gebildet. Die Identifikationsfunktion dieser Ableitung ist auf jenen staatlichen Tätigkeitsbereich beschränkt, dem die Datenanwendung zuzurechnen ist, in der das Personenkennzeichen verwendet werden soll (bereichsspezifisches Personenkennzeichen, bpk).» sspin is derived from the spin of the natural person» The identification of this derivation is bound to the sector the application operates in Graz,

26 Legal Fundamentals» The E-Government Law (E-GovG, 2004) defines the sector specific person identifier and its calculation as follows: 9 (3) Die zur Bildung des bpk eingesetzte mathematische Verfahren (Hash-Verfahren über die Stammzahl und die Bereichskennung) werden von der Stammzahlenregisterbehörde festgelegt.» Mathematical procedures (Hash algorithm) are defined by the sourcepin register authority (SRA) Graz,

27 Why sspin?» spin may not be stored outside the Citizen Card (data protection)» Natural persons are identified via a person identifier.» sspin for governmental applications» essid for private sector applications» sspin, essid: Derivation from the citizen s source PIN Graz,

28 Calculation of the sspin 1. Starting point:» Source PIN, base64 encoded» Sector code: character string representing the sector according to the Bereichsabgrenzungsverordnung of the federal chancellery of Austria (normally 2 to 5 upper-case letters) 2. Build the string: spin + URN-prefix 1 and the sector code. 1) URN-Prefix := "urn:publicid:gv.at:cdid+ " Graz,

29 Calculation of the sspin 3. Calculate the SHA-1 hash value over this string. 4. The resulting 160 bit number may be used for calculations within the application. If the number is needed in written form or forwarded via the Internet it has to be base64 encoded. Graz,

30 Example: sspin Calculation spin, Base64 Sector code Input data for hash value calculation Hash value Qq03dPrgcHsx3G0lKSH6SQ== (24-digit) BW (ISO , E.g.: Bauen und Wohnen) Qq03dPrgcHsx3G0lKSH6SQ==+urn:publicid:gv.at:cdid+ BW 8FF A7EB4DC8 4F BB2DE10 (5 x 32bit; hexadecimal representation) sspin, Base64 j/nxdrqhp+tnye9whhdbsyuy3ha= (28-digit) Graz,

31 sspin - Generation sspin_a Not Invertible! Source PIN sspin_b» sspin generation only possible using the person s Citizen Card.» spin from the Citizen Card required» Non invertible derivation» sspin spin» sspin_a sspin_b e.g. Steuern & Abgaben e.g. Bauen & Wohnen Graz,

32 Identification for the Economy (essid)» Economic sector-specific PIN» Private applications (companies, associations, ) receive a sspin» The identification sphere is the company the citizen wants to interact with electronically. Outside this sphere, e.g. for other companies, this essid is not usable for identification. Graz,

33 Calculation of the essid» The calculation of the essid is analogous to the calculation of the sspin as defined in the E-GovG: 14 (1) Für die Identifikation von natürlichen Personen im elektronischen Verkehr mit einem Auftraggeber des privaten Bereichs ( 5 Abs. 3 DSG 2000) kann durch Einsatz der Bürgerkarte eine spezifische Ableitung aus dem Hashwert gebildet werden, der aus der Stammzahl des Betroffenen und der Stammzahl des Auftraggebers als Bereichskennung erzeugt wird (wirtschaftsbereichsspezifisches Personenkennzeichen, wbpk). Voraussetzung hierfür ist, dass der Auftraggeber des privaten Bereichs eine für den Einsatz der Bürgerkarte taugliche technische Umgebung eingerichtet hat, in der seine Stammzahl als Bereichskennung im Errechnungsvorgang für das wbpk zur Verfügung gestellt wird. Graz,

34 Algorithm Identical to the calculation of the sspin except for the base. 1. Base data:» spin of the natural person, base64 encoded» spin of the initiator (Auftraggeber) as sector code 2. Building the character string as concatenation of the natural person s spin + URN-prefix and the spin of the initiator. URN-prefix := "urn:publicid:gv.at:wbpk+xxx+ where XXX will result in the following values, if the spin of the initiator is:» a companies register number: FN» a associations register number: VR» a number within the supplementary register for natural persons: ERJ» a spin belonging to a natural, reportable person: CPR» A spin belonging to a natural person that is registered within the supplementary register: ERN Graz,

35 Example essid Calculation spin, Base64 spin of the initiator Qq03dPrgcHsx3G0lKSH6SQ== (24-digit) i Prefix for the companies register number Input data for hash value calculation SHA-1 hash value essid, Base64 Qq03dPrgcHsx3G0lKSH6SQ==+urn:publicid:gv.at:wbpk+FN Qq03dPrgcHsx3G0lKSH6SQ==+urn:publicid:gv.at:wbpk+FN i (whitespace before i removed, see step 2) 43B8485AB5 6A3FE E2966DFE 9A2A082B9C (5 x 32 bit) Q7hIWrVqP+VZRiTilm3+mioIK5w= (28-digit) Graz,

36 Overview» Citizen card concept» Person identifier» Source PIN (spin)» Sector specific personal identifier (sspin)» Economic sector-specific identifier (essid)» Infrastructure» Registers» Natural person» Central population register» Source PIN (spin)» Legal person» Several registers» Source PIN (spin)» Electronic Record (ELAK) Graz,

37 Citizen Card Environment (CCE) Online-Application Security-Layer Citizen Card Citizen Card Environment» Concept Citizen Card independent from the used signature creation device/ software» Online-applications need to access the Citizen Card functionality Graz,

38 Security Layer» Represents the interface to» Communicate with the Citizen Card» Use the Citizen Card concept in a technology-neutral manner» XML based protocol on application layer» Transport layers are» TCP» HTTP» HTTPS Graz,

39 Security Layer» Provides the possibility to send commands to the Citizen Card:» XML (XAdES)/CMS (CAdES) signatures» Creation» Verification» Read info boxes (IdL, certificates)» NULL operation» Graz,

40 Security Layer» Source and Target of a SL-command may differ» DataURL: Parameter allows to redirect the communication Graz,

41 Authentication Classes SL» Some SL commands may only be used by special application classes:» Anonymous: no information regarding source/target» Pseudo-anonymous: information regarding source/target (not protected)» Certified: certificate-based information regarding source/target» CertifiedGovAgency: certificate-based information regarding source/target; information proves agency or service-provider of an agency (*.gv.at, agency or service-provider extension within the certificate) Graz,

42 Reading the IdL» <InfoboxReadRequest> <InfoboxIdentifier>IdentityLink</InfoboxIdentifier> <BinaryFileParameters ContentIsXMLEntity="true"/> </InfoboxReadRequest>» <InfoboxReadRequest> <InfoboxIdentifier>IdentityLink</InfoboxIdentifier> <BinaryFileParameters ContentIsXMLEntity="true"/> <BoxSpecificParameters> <IdentityLinkDomainIdentifier>urn:publicid:gv.at:wb pk+fn i</identitylinkdomainidentifier> </BoxSpecificParameters> </InfoboxReadRequest> Graz,

43 Creating an XML Signature» <CreateXMLSignatureRequest> <KeyboxIdentifier>SecureSignatureKeypair</Keyb oxidentifier> <DataObjectInfo Structure="enveloping"> <DataObject> <XMLContent>Ich bin ein einfacher Text. </XMLContent> </DataObject> <TransformsInfo> <FinalDataMetaInfo> <MimeType>text/plain</sl:MimeType> </FinalDataMetaInfo> </TransformsInfo> </DataObjectInfo> </CreateXMLSignatureRequest> Graz,

44 Smartcard Implementation» e-card may be used as Citizen Card» Also dedicated smart cards may be used (e.g. by A-Trust)» If smart card implementation is used a middleware for the card communication is needed (CCE) Graz,

45 Citizen Card Environment» CCE implements SL» Provides the smart card communication (via PCSC)» Ensures that the authentication classes are observed» Default display format for signature data» Requirement for signature creation devices for creating qualified signatures Graz,

46 Citizen Card Environment» Local CCE:» CCE is executed on the citizen s computer» SL requests are sent to a local endpoint» Implementations:» MOCCA» A-Sign Client» BDC Hotsign»» Online CCE:» Server-based CCE» SL requests are sent to a server the citizen interacts with» MOCCA Online:» SL requests processed server-side» Smart card communication on the client side via a Java applet Graz,

47 Sequence MOCCA Online SL Application server Application creates SLrequest Citizen Application forwards citizen to MOCCA server Graz,

48 Sequence MOCCA Online SL Application server MOCCA server processes SL-request Citizen Creates STAL requests in the HTTP session MOCCA server sends MOCCA applet Graz,

49 Sequence MOCCA Online SL Application server Citizen MOCCA applet grabs STAL requests from server Graz,

50 Sequence MOCCA Online SL Application server Citizen MOCCA applet uses PCSC for the smart card access MOCCA applet creates STAL responses Graz,

51 Sequence MOCCA Online SL Application server Citizen MOCCA applet sends STAL responses to the server Graz,

52 Sequence MOCCA Online SL MOCCA forwards citizen to the application server Application server Citizen MOCCA contacts the application server via DataURL Graz,

53 Sequence MOCCA Online SL MOCCA forwards citizen to the application server Application server Citizen MOCCA answers the application server via DATA URL Graz,

54 Mobile Phone Signature» Implements the Citizen Card concept using a mobile TAN» Provided by A-Trust» SL end point: Graz,

55 Mobile Phone Signature» IdL and asymmetric key are stored by A-TRUST and protected by a hardware security module (HSM)» For the signature creation a TAN is sent to the citizen via SMS» This TAN must be entered during the signature creation process» HSM communicates directly with an SMS gateway to send the TAN Graz,

56 Mobile Phone Signature - Components Operator of the mobile phone solution User Password: ******** User User s mobile phone Graz,

57 Mobile Phone Signature - Components Operator of the mobile phone solution User Web-Frontend Password: ******** HSM - Creation of signature creation data - Decryption of stored signature creation data - Creation of qualified electronic signatures SMS Gateway Key database Signature creation data is encrypted using a key consisting of at least: - Secret password - Secret HSM key Graz,

58 Mobile Phone Signature Registration Process Operator of the mobile phone solution User Password: ******** Graz,

59 Mobile Phone Signature Registration Process Operator of the mobile phone solution User Password: ******** Verify phone ownership: Password Mob-nr. Assurance of identity Choose password Generate one-time code Announce mobile nr. Send code via SMS Code Graz,

60 Code Mobile Phone Signature Registration Process Operator of the mobile phone solution User Password: ******** Ownership verified Code Generate and encrypt the signature creation data with at least: - HSM key - Key derived from password Stored encrypted data in the database Code Graz,

61 Code Mobile Phone Signature Registration Process Operator of the mobile phone solution User Password: ******** Ownership verified Code Generate and encrypt the signature creation data with at least: - HSM key - Key derived from password Stored encrypted data in the database The usage of the signature creation data is only possible 1. within the HSM and 2. after the signature password has been entered by the signatory Code Graz,

62 Mobile Phone Signature Signature Process Operator of the mobile phone solution User Password: ******** Graz,

63 Mobile Phone Signature Signature Process Operator of the mobile phone solution User Password: ******** Request Password Mob-nr. Application issued a signature request User is redirected to signature website Enter mobile nr. Enter password Graz,

64 Mobile Phone Signature Signature Process Operator of the mobile phone solution User Password: ******** Calculate hash value of the data to be signed (from request) Display Affirmation Generate one-time code Send one-time code and hash value via SMS Code Hash value Graz,

65 Code Mobile Phone Signature Signature Process Operator of the mobile phone solution User Password: ******** Ownership verified Code Recovery of the signature creation data from the database with - HSM key - Password-derived key Verify ownership Provide one-time code Signature creation using the signature creation data Code Graz,

66 Code Mobile Phone Signature Signature Process Operator of the mobile phone solution User Password: ******** Ownership verified Recovery of the signature creation data from the database with - HSM key - Password-derived key Signature creation using the signature creation data Verify ownership Code Provide one-time code The one-time code verifies the ownership of the mobile phone The usage of the signature creation data is only possible Code 1. within the HSM and 2. after the signature password has been entered by the signatory Graz,

67 Mobile Phone Signature Signature Process Operator of the mobile phone solution User Password: ******** Return the created XML signature Signature Signature is returned to the application Graz,

68 Security Layer Conclusion» Public authority applications» and private applications MOA-(W)ID Application Request sspin Citizen Card + Identity Link Certificate spin Citizen is uniquely identified (Identity Link) and authenticated through the verification of the qualified electronic signature Graz,

69 Overview» Citizen card concept» Person identifier» Source PIN (spin)» Sector specific personal identifier (sspin)» Economic sector-specific identifier (essid)» Infrastructure» Registers» Natural person» Central population register» Source PIN (spin)» Legal person» Several registers» Source PIN (spin)» Electronic Record (ELAK) Graz,

70 AK IT-Security 1 (E-Government) Infrastructure Registers, ELAK Christian Maierhofer Graz, Das E-Government Innovationszentrum ist eine gemeinsame Einrichtung des Bundeskanzleramtes und der TU Graz

71 Registers in Austria» Public Authorities need to access» Citizen s data» Company s data» Association s data» This data is stored within databases called electronic registers» About 20 frequently used registers Graz,

72 Registers in Austria German Term Zentrales Melderegister (ZMR) Stammzahlenregister (SZR) Ergänzungsregister für natürliche Personen (ERnP) Ergänzungsregister für sonstige Betroffene (ERnP) Zentrales Vereinsregister (ZVR) Firmenbuch (FB) Unternehmensregister (UR) English Term Central Population Register (CPR) SourcePIN Register (SR) Supplementary Register for natural Persons (SRnP) Supplementary Register for others concerned Register of Associations Register of company names Business Register Source: /6761/default.aspx Graz,

73 Central Population Register» Contains identity data about persons and their residence» First name» Last name» Date of birth» Gender» Citizenship» Address» CPR-number» May contain references to documents concerning civil status and citizenship.» Provider: Federal Ministry of the Interior (Bundesministerium fuer Inneres - BMI) Graz,

74 Central Population Register» Authorized to issue a request:» Registry offices» Authorized entities like notaries working as court commissioner according to 16a (4) Meldegesetz» Other entities according to public law and private persons according to 16a (5) Meldegesetz» Natural persons via [1] (billable) to request a confirmation of registration. [1] Graz,

75 SourcePIN Register» Calculation of the» Identity Link (spin) and» Sector specific personal identifier (sspin)» NO STORAGE of spin» Provider: SourcePIN register authority (SRA) at the data commission» Authorized to issue a request:» Principal of the public sector» Principal of the private sector» No costs Graz,

76 Source PIN Register Legal Fundamentals 6 (2) Für natürliche Personen, die im Zentralen Melderegister einzutragen sind, wird die Stammzahl durch eine mit starker Verschlüsselung gesicherte Ableitung aus ihrer ZMR-Zahl ( 16 Abs. 1 des Meldegesetzes 1991, BGBl. Nr. 9/1992) gebildet. Für alle anderen natürlichen Personen ist ihre Ordnungsnummer im Ergänzungsregister (Abs. 4) für die Ableitung der Stammzahl heranzuziehen.» Fundamental for the spin calculation for» natural persons, that are obliged to register in Austria, is the CPR-number ( 6(2) E-GovG).» other persons is the number within the supplementary register (ERnP) ( 6(4) E- GovG). Graz,

77 Supplementary Register for natural Persons» Contains natural persons not included within the CPR.» If a person is not found in the CPR and SRnP (e.g. Austrian expatriates) within the citizen card creation process, she may request the entry into the SRnP.» The entry contains same entries as in the CPR, except the CPR-number.» It additionally contains the place of birth» Provider: spin Register Authority (at BMI)» Authorized to issue a request:» Principal of the public and private sector» Registry entities via the persons application Graz,

78 Register for Associations» Included data:» Identification» Address» Foundation date» Constitutions, articles» Organs (Identification, sspin, function)» Provider: BMI» Authorized to issue a request:» Anybody may issue a request if no information barricade is active.» No fees» URL: Graz,

79 Register of Company Names» Included data:» Identification» Legal form» Address» Organs» Power of representation» Person data» Financial resources» Legal facts» Since 2001 electronic annual balance sheet» Since 2005 electronic record of documents Graz,

80 Register of Company Names» Authorized to issue a request:» Public register» Can be checked at commercial court, notaries and at the service center: help.gv.at» Via Internet at a clearing center using a user account» Costs depend on data quantity» Up-to-date excerpt: 2,40 Euro» Short excerpt: 0,70 Euro» Graz,

81 Supplementary Register for others concerned» Persons listed within the register:» Legal entities not listed within the» Register of company names and» Register of associations» Included data:» Identification» Address» Legal form» Authorized representative (Organwalter)» Reference number (Ordnungsnummer)» Provider: spin Register Authority (at BMI)» The register is public Graz,

82 Business Register» Combination of the» Register of Company Names» Register for Associations» Supplementary Register for others concerned» Basic data for USP» Provider: Statistic Austria Graz,

83 Overview» Citizen card concept» Person identifier» Source PIN (spin)» Sector specific personal identifier (sspin)» Economic sector-specific identifier (essid)» Infrastructure» Registers» Natural person» Central population register» Source PIN (spin)» Legal person» Several registers» Source PIN (spin)» Electronic Record (ELAK) Graz,

84 Person Registers Natural Persons (NP) Legal Persons (JP) Others Private Law Public Law Registers: CPR ERnP Register of company names Register of associations ERsB Natural Persons Central population register(cpr) Supplementary register for natural persons(ernp) (Persons concerned that are not recorded in the CPR) Graz,

85 Base registers: CPR (ZMR) and Supplementary Register (ERnP) CPR ERnP Graz,

86 Registers for natural Persons Name Competence Amount Central Population Register(CPR) BM.I 9,8 Mio Register of Standard Documents Registry Office 1,5 Mio Supplementary Register for natural Persons (ERnP) DSK Source PIN Register BM.I Central Register for Weapons (ZWR) Weapons Office Criminal Record Register BPD Wien Register of births, marriages and deaths - Zentrales Personenstandsregister (planed) Graz,

87 Overview» Citizen card concept» Person identifier» Source PIN (spin)» Sector specific personal identifier (sspin)» Economic sector-specific identifier (essid)» Infrastructure» Registers» Natural person» Central population register» Source PIN (spin)» Legal person» Several registers» Source PIN (spin)» Electronic Record (ELAK) Graz,

88 Person Registers Natural Persons (NP) Legal Persons (JP) Others Private Law Public Law Registers: CPR ERnP Register of company names Register of associations ERsB Not natural persons ( companies ) Companies register (FB) Register of associations (ZVR) Supplementary register for other persons concerned (ERsB) : Persons concerned that don t have to be listed within the FB or ZVR (e.g. University). Graz,

89 Registers for legal Persons Name Competence Amount Companies register (Firmenbuch) BMJ Register of associations (Vereinsregister) BM.I Central professional register (Gewerberegister) BMWFJ Supplementary register for other persons concerned (ERsB) BKA? Business register (Unternehmensregister) BKA Graz,

90 Mandates» A legal person will not get a Citizen Card.» Legal persons are represented by natural persons, e.g. business leader. Mandates More on Graz,

91 Overview» Citizen card concept» Person identifier» Source PIN (spin)» Sector specific personal identifier (sspin)» Economic sector-specific identifier (essid)» Infrastructure» Registers» Natural person» Central population register» Source PIN (spin)» Legal person» Several registers» Source PIN (spin)» Electronic Record (ELAK) Graz,

92 ELAK» Electronic Record (ELektronischer AKt)» Used since 2004» Replace paper-based procedures» ARGE ELAK provided a Combination of» Document management» Electronic record processing workflow Fabasoft egov-suite Graz,

93 Why ELAK?» Beginning of egovernment:» Electronic web forms for citizens» Printed at the public authorities» Hard copies are processed by different employees at authorities» Reply acknowledgment letter to citizen Graz,

94 Why ELAK?» Beginning of egovernment» Electronic web forms for citizens» Printed at the public authorities» Hard copies are processed by different employees at authorities» Reply acknowledgment letter to citizen Graz,

95 Why ELAK?» Beginning of egovernment» Electronic web forms for citizens» Printed at the public authorities» Hard copies are processed by different employees at authorities» Reply acknowledgment letter to citizen» Modern egovernment» Continuous, electronic governmental processes Graz,

96 ELAK - Advantages» The electronic record represents the ORIGINAL record» No hard copies are processed paper based applications may be scanned» Electronic signatures» Electronic dual delivery» Automated processing (e.g. for confirmation of registration)» Employee independent processing» Full-text search within the records» Reduction of cycle time up to 20%» Electronic payment of fees Graz,

97 ELAK Stages» Receive input document» Paper-based documents or» Electronic documents via web forms» Selection of misdirected documents» Verify signatures» Register document» Scan documents» Perform optical character recognition (ORC) for full-text search» Add document to management system create new request» (Manually) entering meta data» Assign unique ID to every document» Allocation» To responsible employee(s)» Employee verifies responsibility» Accept or forward to other role respectively employee» Allocation may be carried out automatically based on predefined rules Graz,

98 ELAK Stages» Journalizing» Assign a request to a subject area (Fachgebiet)» Create unique request ID» Other references or documents may be added to the request» Based on the subject area a predefined processing of the request may be carried out» Einsichtsvorschreibung» Information which departments within the public authority may be concerned» Defined by the responsible employee» May be defined before/while/after the processing and approbation phase» The other departments may add information or even close a request» Processing» Employee creates a proposal for the treatment of the request» Employee also creates the required documents» Process the request as proposed» Finished case is signed by the employee and stored. Graz,

99 ELAK Stages» Approbation» Based on the proposal» Pre-approbations may be required based on hierarchy by other employees» The approving employees may modify the case» Modifications are logged within the system» A new version is created for every modification» Only one person should approve the final version of the case (e.g. department leader)» Attestation, dispatch, final copy» Attachments may be added» Final copy is attested and forwarded (mail, fax, paper, )» Procedure is logged (when, what, how has the final copy been sent)» Deposition and Archiving» Electronic archiving» Organizational archiving Graz,

100 EDIAKT II» XML format description for communication between two entities» Between public authorities» Between public authorities and economy sector» Between public authorities and citizens» 5 levels of integration» Level 0 to Level 4» Depends on grade of integration within the entities IT system Graz,

101 EDIAKT II Level 0» Sender (S) electronically forwards EDIAKT packet to recipient (R)» R receives packet and may view it using an EDIAKT viewer» Read meta data» Read process data» Extract embedded documents» Verify electronic signatures» Everything is done manually Graz,

102 EDIAKT II Level 1» S electronically forwards EDIAKT packet to R» R receives packet and operates a KIS (Kanzleiinformationssystem)» EDIAKT is automatically registered within the KIS» Automated logging based on the metadata» Additional information may be viewed using an EDIAKT viewer Graz,

103 EDIAKT II Level 2» S electronically forwards EDIAKT packet to R» R receives packet and operates an ELAK system» Packet is automatically registered within the ELAK system» Automated assignment to a subject area based on meta data» Pre-defined record processing predefined within the ELAK system may be added automatically» Additional information may be viewed using an EDIAKT viewer Graz,

104 EDIAKT II Level 3» S electronically forwards EDIAKT packet to R» R receives packet and operates an ELAK system» Packet is automatically registered within the ELAK system» Automated assignment to a subject area based on meta data» In contrast to level 2 the process data is extracted from the EDIAK packet and the electronic record is initialized using this process data» Additional information may be viewed using an EDIAKT viewer Graz,

105 EDIAKT II Level 4» S electronically forwards EDIAKT packet to R» R receives packet and operates an ELAK system» The complete EDIAKT packet (structure, content and process data) is imported into the ELAK system.» All objects are mapped to objects and structures from the R s ELAK system» No additional viewer required, because everything is available via the ELAK system Graz,

106 EDIAKT II Types» EDIAKT-light» R is able to process at least one business matter with one document automatically» EDIAKT-complete» R is able to interpret the information automatically on all levels (Accumulated) file EDIAKT light Business case Business process Document EDIAKT complete Source: Graz,

107 EDIAKT II XML Schema» Five elements» Header» Receiver (using PersonData schema)» Sender (using PersonData schema)» Purpose» CoveringLetter» ProcessData (optional)» XPDL standard» Describe process model used by sender s workflow» MetaData» Id, notice, date, time,» Payload» 4 Layers: Document, business process, business case, (accumulated) file» Signature (optional)» XMLDsig standard signature Graz,

108 EDIAKT II Sample Graz,

109 EDIAKT II Sample Graz,

110 EDIAKT II Sample Graz,

111 EDIAKT II Sample Graz,

112 Follow us on Twitter Thanks for your attention! Slides have been created supported by the Federal Chancellery of Austria. Tobias Kellner Christian Maierhofer

113 References/Additional Information» men&gesetzesnummer= » Graz,