eid Security Frank Cornelis Architect eid fedict 2008. All rights reserved



Similar documents
The Belgian e-id: hacker vs developer

FedICT. Carte d identité électronique (BELPIC) egovernment. Architecture et stratégie. E-government. Simplification administrative

Introducing etoken. What is etoken?

OECD workshop on digital identity management BELGIAN approach

TrustKey Tool User Manual

Ciphire Mail. Abstract

National Certification Authority Framework in Sri Lanka

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Using etoken for SSL Web Authentication. SSL V3.0 Overview

PROXKey Tool User Manual

Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Secure web transactions system

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Technical notes for HIGHSEC eid App Middleware

EXPLORING SMARTCARDS: AN INDEPENDENT LOOK TO TECHNOLOGIES AND MARKET

Overview. SSL Cryptography Overview CHAPTER 1

CALIFORNIA SOFTWARE LABS

1. Product Overview 2. Product Features 3. Comparison Chart 4. Product Applications 5. Order Information 6. Q & A

Global eid Developments. Detlef Eckert Chief Security Advisor Microsoft Europe, Middle East, and Africa

Standardizing PKI in Higher Education Apple PKI and Universal Hi-Ed Spec proposal

X.509 Certificate Generator User Manual

Savitribai Phule Pune University

Introduction to Cryptography

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

Secure Data Exchange Solution

PKI Uncovered. Cisco Press. Andre Karamanian Srinivas Tenneti Francois Dessart. 800 East 96th Street. Indianapolis, IN 46240

Apple Inc. Certification Authority Certification Practice Statement Worldwide Developer Relations Version 1.14 Effective Date: September 9, 2015

Risk Reduction for Electronic Signing of Large Value Business Obligations. Michał Tabor

Citrix MetaFrame XP Security Standards and Deployment Scenarios

Draft Middleware Specification. Version X.X MM/DD/YYYY

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Converged Smart Card for Identity Assurance Solutions. Crescendo Series Smart Cards

Using BroadSAFE TM Technology 07/18/05

associate professor BME Híradástechnikai Tanszék Lab of Cryptography and System Security (CrySyS)

Understanding digital certificates

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Digital Signature Service. e-contract.be BVBA 2 september 2015

CRESCENDO SERIES Smart Cards. Smart Card Solutions

SecureDoc Disk Encryption Cryptographic Engine

SSL Protect your users, start with yourself

FEITIAN PKI Authentication Token. epass2003 with FIPS Cer tification

Cryptosystems. Bob wants to send a message M to Alice. Symmetric ciphers: Bob and Alice both share a secret key, K.

Apple Corporate Certificates Certificate Policy and Certification Practice Statement. Apple Inc.

Guide to Obtaining Your Free WISeKey CertifyID Personal Digital Certificate (Personal eid) WISeKey 2010 / Alinghi 2010 Smartcards

HIGHSEC eid App Administration User Manual

Understanding Digital Certificates and Secure Sockets Layer (SSL)

MyKey is the digital signature software governed by Malaysia s Digital Signature Act 1997 & is accepted by the courts of law in Malaysia.

apple WWDR Certification Practice Statement Version 1.8 June 11, 2012 Apple Inc.

7 Key Management and PKIs

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

RVS Seminar Deployment and Performance Analysis of JavaCards in a Heterogenous Environment. Carolin Latze University of Berne

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

[SMO-SFO-ICO-PE-046-GU-

SBClient SSL. Ehab AbuShmais

Identity Management and eid Integration

E-CERT C ONTROL M ANAGER

Public Key Infrastructure (PKI)

Digital Certificates Demystified

Number of relevant issues

Applying Cryptography as a Service to Mobile Applications

An Introduction to Cryptography as Applied to the Smart Grid

Secure Network Communications FIPS Non Proprietary Security Policy

CS 356 Lecture 28 Internet Authentication. Spring 2013

Windows Server 2008 R2 Boot Manager Security Policy For FIPS Validation

Controller of Certification Authorities of Mauritius

SecureStore I.CA. User manual. Version 2.16 and higher

Using etoken for Securing s Using Outlook and Outlook Express

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Certification Authority. The X.509 standard, PKI and electronic documents. X.509 certificates. X.509 version 3. Critical extensions.

Enabling SSL and Client Certificates on the SAP J2EE Engine

NIST s FIPS 201: Personal Identity Verification (PIV) of Federal Employees and Contractors Masaryk University in Brno Faculty of Informatics

MCTS Guide to Configuring Microsoft Windows Server 2008 Active Directory. Chapter 11: Active Directory Certificate Services

European Electronic Identity Practices Country Update of Portugal

Technical Description. DigitalSign 3.1. State of the art legally valid electronic signature. The best, most secure and complete software for

INTRODUCTION to CRYPTOGRAPHY & CRYPTOGRAPHIC SERVICES on Z/OS BOSTON UNIVERSITY SECURITY CAMP MARCH 14, 2003

Arkansas Department of Information Systems Arkansas Department of Finance and Administration

An Introduction to Entrust PKI. Last updated: September 14, 2004

Microsoft Identity Lifecycle Manager & Gemalto.NET Solutions. Jan 23 rd, 2007

VeriSign PKI Client Government Edition v 1.5. VeriSign PKI Client Government. VeriSign PKI Client VeriSign, Inc. Government.

PUBLIC Secure Login for SAP Single Sign-On Implementation Guide

Brocade Engineering. PKI Tutorial. Jim Kleinsteiber. February 6, Page 1

CS 665: Computer System Security. Crypto Services. Hashing. Cryptographic Hash Functions. Information Assurance Module

Electronic Mail Security. Security. is one of the most widely used and regarded network services currently message contents are not secure

PC Business Banking. Technical Requirements

Citizen CA Certification Practice statement

I. Configuring Digital signature certificate in Microsoft Outlook 2003:

MetaFrame Presentation Server Security Standards and Deployment Scenarios Including Common Criteria Information

Mobility, Security and Trusted Identities: It s Right In The Palm of Your Hands. Ian Wills Country Manager, Entrust Datacard

Combatting Counterfeit Identities: The Power of Pairing Physical & Digital IDs

Apache Milagro (incubating) An Introduction ApacheCon North America

Public Key Cryptography in Practice. c Eli Biham - May 3, Public Key Cryptography in Practice (13)

Cryptography and Network Security Chapter 15

Biometrics, Tokens, & Public Key Certificates

Innovations in Digital Signature. Rethinking Digital Signatures

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Aloaha Sign! (English Version)

Lukasz Pater CMMS Administrator and Developer

Arcot Systems, Inc. Securing Digital Identities. FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer

Complying with PCI Data Security

Transcription:

eid Security Frank Cornelis Architect eid

The eid Project > Provides Belgian Citizens with an electronic identity card. > Gives Belgian Citizens a device to claim their identity in the new digital age.

eid Partners

eid Functionalities Visual Identification Identification Authentication Electronic signature

Overview eid Functionality Visual Identification Identification Authentication Electronic Signature

eid Information Visual identification of the card holder > From a visual point of view the same information is visible as on a regular identity card : the name the first two Christian names the first letter of the third Christian name the nationality the birth place and date the sex the place of delivery of the card the begin and end data of the validity of the card the denomination and number of the card the photo of the holder the signature of the holder the identification number of the National Register

Non-electronic Functionality Identity Information Face Recognition Tamper resistant > Non-electronic functionality is equivalent to regular identity card functionality. > Non-electronic functionality is equivalent to electronic functionality.

Security Aspects > Outside Rainbow and guilloche printing Changeable Laser Image (CLI) 12345678 Optical Variable Ink (OVI) Alphagram Relief and UV print Laser engraving

Chip specifications > Chip characteristics: Cryptoflex JavaCard 32K CPU (processor): 16 bit Micro-controller Crypto-processor: 1100 bit Crypto-Engine (RSA computation) 112 bit Crypto-Accelerator (DES computation) ROM (OS): 136 kb (GEOS JRE) EEPROM (Applic + Data): 32 KB (Belpic Applet) RAM (memory): 5 KB GEOS Crypto ROM JVM (DES,RSA) (Operating System) Belpic EEPROM Applet I/O CPU (File System= applications + data) RAM ID data, Keys, Certs. (Memory)

Overview eid Functionality Visual Identification Identification Authentication Electronic Signature

Identification Electronic identification of the holder > From an electronic point of view the chip contains the same information as printed on the card, filled up with: the identity and signature keys the identity and signature certificates the accredited certification service furnisher information necessary for authentication of the card and integrity protection of the data the main residence of the holder > No encryption certificates > No biometric data > No electronic purse > No storage of other data

eid Identification Advantages Time consuming inefficient error-prone fast efficient accurate

Overview eid Functionality Visual Identification Identification Authentication Electronic Signature

eid Authentication > Confirming the identity of the person Real world Digital world Hi Alice! log on to web sites Hi Bob! container park library

eid Digital Information PKI PIN protected IDENTITY Use without PIN public private ID ADDRESS authentication public private digital signature RRN SIGN RRN SIGN

Data Specifications BelPIC Card Key Auth Key Sign Key...... Auth Cert Sign Cert CA Cert Root Cert ID ID ADR PIC... > Directory Structure (PKCS#15) Dir (BelPIC): certificates & keys (PIN code protected) private and public key CA : 2048 bits private and public key citizen: 1024 bits Signatures put via RSA with SHA-1 all certificates are conform to X.509 v3 standard format (to be used by generic applications) Dir (ID): Microsoft CryptoAPI ( Windows) PKCS#11 ( UNIX/Linux & MacOS) contains full identity information first name, last name, etc. address picture etc. proprietary format (to be used by dedicated applications only)

Public-key Cryptography > Asymmetric cryptography: public key and private key > eid cryptographic algorithm: RSA

Cryptographic Operations > Encryption > Signing > Problem: which key belongs to Alice?

X509 Certificate > Is a signed digital statement. > Links a person to a key via a trusted party (CA) Unique name of holder Public key of holder Signed by the CA that issued the certificate.

eid Certificates RRN signing cert. Belgium root CA cert. Self signed Self signed (key 2048 bits) Citizen CA cert. Signature cert. Authentication cert. Auth + Sign Key pairs 1024 bits AIA Belgium root CA Root signed Private key (inside the chip) Public key (inside the certificate)

PKI Trust Hierarchy Admin Auth/Sign

Web Authentication SSL Web Server Browser client (1) Validate Server (2) Certificate (3) Challenge to verify Client Identity (6) Decrypt Challenge with Public Key from Authentication Certificate User Identity (4) Encrypt Challenge with eid Private Key (5) Encrypted Challenge with eid Authentication certificate (7) If/When Challenge match access granted

Overview eid Functionality Visual Identification Identification Authentication Electronic Signature

eid Electronic Signature eid electronic signature can have the same legal value as a handwritten signature

eid Electronic Signature 1. Compose message 3. Generate signature 5. Collect certificate 2. Compute hash 4. Collect signature 6. Send message 1 6 1 7 6 hash hash 3 2 5 4 3, 4 2 5 8 Alice Eve Bob Matching triplet? 1. Receive message 3. Check CRL 5. Fetch public key 7. Compute reference hash 2. Inspect certificate 4. Check certificate 6. Fetch signature 8. Hash, signature, public key match?

Authentication vs. Signatures Authentication Signature with the key corresponding with the authn certificate. Liability is application specific. Lifecycle of authn session is short. Signatures Signature with the key corresponding with the nonrepudiation certificate. Liability is regulated by law. Long-term lifecycle: required storage of revocation data. Signature consumer same as signature requestor. Signature verification by 3th party (e.g. court expert) Synchronous by nature. Creation can be postponed.

Signature Standards > The features of a non-repudiation signature drives the need for open signature standards. PDF signatures ODF signatures XAdES signatures

Overview eid Functionality Visual Identification Identification Authentication Electronic Signature

Fedict eid Middleware > Software for using the eid card on a PC Identification (GUI tool + SDK) Authentication/Signature modules: PKCS#11 CSP tokend > Platforms: Windows: XP, Vista Linux: Fedora, OpenSUSE, Debian Mac

Fedict Reverse Proxy > Used to authenticate a person via eid towards a web application using SSL.

eid Applications healthcare Driver s license home banking student cards Proof of membership SSO, e-commerce

More Information? >www.eid.belgium.be

Questions & Answers Q & A Th@nk you!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information