AK IT-Security 1
Recap: Electronic Signatures
Tobias Kellner
Graz, 22.10.2014
The E-Government Innovationszentrum is a joint institution of the Federal Chancellery (Bundeskanzleramt) and TU Graz.
What can electronic signatures do?
» Provide authenticity of the originator and of the data
» Signed data is bound to the signatory
» Provide non-repudiation by the signatory
» Recognition of data manipulation
  » on the channel
  » by the recipient
Where are signatures used?
» General E-Government process (figure):
  » Applicant to portal: identification and authentication, signed request
  » Portal to back-office: application data + documents
  » Back-office decision: officially signed administrative ruling
  » Electronic delivery: signed electronic documents to the applicant
Legal Framework
» Different types of signatures:
  » Electronic signature
  » Advanced electronic signature
  » Qualified electronic signature

Signature formats
» Advanced signature formats (*AdES):
  » CAdES (ETSI TS 101 733): CMS Advanced Electronic Signatures, based on CMS
  » PAdES (ETSI TS 102 778): PDF Advanced Electronic Signatures, based on PDF signatures
  » XAdES (ETSI TS 101 903): XML Advanced Electronic Signatures, based on XMLDSIG
Official Signature (Amtssignatur)
» Official documents: how to recognize a public authority document?
  » The official signature allows recognition of the origin and determination of the authenticity of the document

Official Signature
» The E-Government law defines the official signature to identify a document's origin
» The official signature is used for the electronic signature of signed documents (see § 18 AVG)
» Apart from the requirement to be an advanced electronic signature, the official signature is more a provision for characterization than a technical requirement.
Signature Verification
» Signature validation of document + signature consists of cryptographic validation (signature value + hash value) and certificate validation
» Cryptographic check
  » Comparing the hash value: message not modified
  » Checking the signature value: ensures the signatory's authenticity
» Certificate validation
  » Chronological validity
  » Quality of the authenticity (via certification authority; qualified certificate)
  » Key usage
  » Revocation check
What is the qualified signature in Austria? The Citizen Card.

AK IT-Security 1 (E-Government)
Infrastructure: Citizen Card Concept
Tobias Kellner
Overview
» Citizen card concept
  » Person identifier
    » Source PIN (spin)
    » Sector specific personal identifier (sspin)
    » Economic sector-specific identifier (essid)
» Infrastructure
  » Registers
    » Natural person: central population register, source PIN (spin)
    » Legal person: several registers, source PIN (spin)
  » Electronic Record (ELAK)
Citizen Card Concept
» The term Citizen Card denotes a concept and not a technology.
  » Technologically independent
  » Open standards
» The Citizen Card may be implemented on a signature card or another technology, like the mobile phone signature.

Citizen Card (§ 4 Abs. 1 E-GovG)
» The Citizen Card is used to prove the unique identity of an applicant and the authenticity of an electronic submission. So it is:
  » an electronic identity document and
  » a signature on the Internet

Implementation of the functionality
» § 4 Abs. 4 E-GovG: the authenticity of an electronically filed document is provided using the electronic signature
» § 4 Abs. 2 E-GovG: the unique identification of a natural person is provided by the source PIN
Identity Link
» The spin is only stored (persistently) on the Citizen Card.
» Identity Link: XML structure signed by the Source PIN Register Authority (SRA) that uniquely defines a person (spin); this data is bound to the public key (from the qualified certificate).
  » spin
  » Personal data: name, birthday
  » Public key (from the qualified certificate)
  » Signature from the SRA
» Excerpt of an Identity Link (truncated on the slide):
    ...
    <saml:SubjectConfirmationData>
      <pr:Person xsi:type="pr:Physical...
        <pr:Identification>
          <pr:Value>123456789012</pr:V...
          <pr:Type>http://reference.e-g...
        </pr:Identification>
        <pr:Name>
          <pr:GivenName>Herbert</pr:Given...
          <pr:FamilyName>Leitold</pr:Fami...
        </pr:Name>
    ...
    <saml:Attribute AttributeName="CitizenPublicKey"...
      <dsig:RSAKeyValue>
        <dsig:Modulus>snw8olcq49qnefems...
    ...
    <dsig:Signature>...
Source PIN
» Example spin: Qq03dPrgcHsx3G0lKSH6SQ==

Source PIN: Legal Fundamentals
» The E-Government Law (E-GovG, 2004) defines the Source PIN and its calculation as follows:
  § 2 Z 8 Source PIN (Stammzahl): a number used to identify natural and legal persons and other data subjects, which is uniquely assigned to the person to be identified and which, for natural persons, also serves as the starting point for deriving (economic) sector-specific personal identifiers (§§ 8 and 14);
» Number for the identification of natural and legal persons
» Bound to the person that is to be identified
» Used for the calculation of the sector-specific identifiers

Algorithm
» Base number (12 decimals) (BN)
» Convert into binary representation (5 bytes)
» Expand the calculation basis to 128 bit (16 bytes) using the format: BN Seed BN BN
  » Seed is a secret, constant, 8-bit value which is only known to the SRA
» The binary representation of this value is encrypted using Triple-DES. The secret key is only known to the SRA.
» The result is encoded as Base64
Example spin Calculation
» Base number: 000247681888 (e.g. CPR-number, 12 decimals)
» Binary representation: 00 0E C3 53 60 (5 bytes, hexadecimal representation)
» Expanded to 128 bit: 00 0E C3 53 60 FF 00 0E C3 53 60 00 0E C3 53 60 (16 bytes, seed value set to e.g. 0xFF)
» Triple-DES encryption, hexadecimal: 42 AD 37 74 FA E0 70 7B 31 DC 6D 25 29 21 FA 49 (16 bytes)
» Source PIN, Base64: Qq03dPrgcHsx3G0lKSH6SQ== (24 digits)

spin - Usage
» spin stored on the Citizen Card
» May be read by an agency, but only for the calculation of the sector specific personal identifier (sspin)
» NO STORAGE! (§ 12 E-GovG)

Sector specific personal identifier (sspin)
» Example sspin: j/NxdRQhp+tNyE9WhHdBSYuy3hA=
Legal Fundamentals
» The E-Government Law (E-GovG, 2004) defines the sector specific person identifier and its calculation as follows:
  § 9 (1) The sector-specific personal identifier is formed by a derivation from the source PIN of the natural person concerned. The identification function of this derivation is restricted to the governmental sector of activity to which the data application in which the personal identifier is to be used belongs (sector-specific personal identifier, bPK).
» The sspin is derived from the spin of the natural person
» The identification function of this derivation is bound to the sector the application operates in

Legal Fundamentals
» The E-Government Law (E-GovG, 2004) defines the sector specific person identifier and its calculation as follows:
  § 9 (3) The mathematical procedures used to form the bPK (hash procedures over the source PIN and the sector identifier) are determined by the Source PIN Register Authority.
» The mathematical procedures (hash algorithm) are defined by the SourcePIN Register Authority (SRA)

Why sspin?
» The spin may not be stored outside the Citizen Card (data protection)
» Natural persons are identified via a person identifier.
  » sspin for governmental applications
  » essid for private sector applications
» sspin, essid: derivation from the citizen's source PIN
Calculation of the sspin
1. Starting point:
  » Source PIN, Base64 encoded
  » Sector code: character string representing the sector according to the Bereichsabgrenzungsverordnung of the Federal Chancellery of Austria (normally 2 to 5 upper-case letters)
2. Build the string: spin + "+" + URN-prefix (1) + sector code.
  (1) URN-Prefix := "urn:publicid:gv.at:cdid+"
3. Calculate the SHA-1 hash value over this string.
4. The resulting 160-bit number may be used for calculations within the application. If the number is needed in written form or is forwarded via the Internet, it has to be Base64 encoded.

Example: sspin Calculation
» spin, Base64: Qq03dPrgcHsx3G0lKSH6SQ== (24 digits)
» Sector code: BW (ISO-8859-1; e.g. Bauen und Wohnen)
» Input data for hash value calculation: Qq03dPrgcHsx3G0lKSH6SQ==+urn:publicid:gv.at:cdid+BW
» Hash value: 8FF3717514 21A7EB4DC8 4F56847741 498BB2DE10 (5 x 32 bit; hexadecimal representation)
» sspin, Base64: j/NxdRQhp+tNyE9WhHdBSYuy3hA= (28 digits)
sspin - Generation
» Figure: the source PIN on the Citizen Card is derived into sspin_a (e.g. Steuern & Abgaben) and sspin_b (e.g. Bauen & Wohnen); the derivation is not invertible
» sspin generation is only possible using the person's Citizen Card.
  » The spin from the Citizen Card is required
» Non-invertible derivation
  » The spin cannot be recovered from an sspin
  » sspin_b cannot be derived from sspin_a

Identification for the Economy (essid)
» Economic sector-specific PIN
» Private applications (companies, associations, ...) receive an sspin
» The identification sphere is the company the citizen wants to interact with electronically. Outside this sphere, e.g. for other companies, this essid is not usable for identification.
Calculation of the essid
» The calculation of the essid is analogous to the calculation of the sspin, as defined in the E-GovG:
  § 14 (1) For the identification of natural persons in electronic dealings with a private-sector controller (§ 5 Abs. 3 DSG 2000), a specific derivation may be formed, using the Citizen Card, from the hash value generated from the source PIN of the data subject and the source PIN of the controller as sector identifier (economic-sector-specific personal identifier, wbPK). This requires that the private-sector controller has set up a technical environment suitable for the use of the Citizen Card, in which its source PIN is made available as sector identifier in the computation of the wbPK.

Algorithm
» Identical to the calculation of the sspin except for the base.
1. Base data:
  » spin of the natural person, Base64 encoded
  » spin of the initiator (Auftraggeber) as sector code
2. Build the character string as the concatenation of the natural person's spin, "+", the URN-prefix and the spin of the initiator.
  URN-prefix := "urn:publicid:gv.at:wbpk+XXX+", where XXX takes the following values, depending on the spin of the initiator:
  » a companies register number: FN
  » an associations register number: VR
  » a number within the supplementary register for natural persons: ERJ
  » a spin belonging to a reportable natural person: CPR
  » a spin belonging to a natural person that is registered within the supplementary register: ERN

Example essid Calculation
» spin, Base64: Qq03dPrgcHsx3G0lKSH6SQ== (24 digits)
» spin of the initiator: 468924 i (a companies register number)
» URN-prefix for the companies register number: urn:publicid:gv.at:wbpk+FN+
» Input data for hash value calculation: Qq03dPrgcHsx3G0lKSH6SQ==+urn:publicid:gv.at:wbpk+FN+468924i (whitespace before i removed, see step 2)
» SHA-1 hash value: 43B8485AB5 6A3FE55946 24E2966DFE 9A2A082B9C (5 x 32 bit)
» essid, Base64: Q7hIWrVqP+VZRiTilm3+mioIK5w= (28 digits)
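The spin expansion, the sspin derivation and the essid derivation described above, as an added example that is not part of the original slides and not SRA or EGIZ code. It reproduces the published string formats and the SHA-1/Base64 step with the standard library only; the Triple-DES step of the spin calculation is not reproduced because its key and seed are secret to the SRA, so the derivations start from the Base64 spin shown on the slides, and the 0xFF seed is only the slides' illustrative value.

```python
import base64
import hashlib

# Values constructed from the slides' worked examples.
EXAMPLE_SPIN = "Qq03dPrgcHsx3G0lKSH6SQ=="      # 24-digit Base64 source PIN
SLIDE_SSPIN_BW = "j/NxdRQhp+tNyE9WhHdBSYuy3hA="  # sspin the slides give for sector BW
SSPIN_URN_PREFIX = "urn:publicid:gv.at:cdid+"   # public-sector (bPK) prefix
ESSID_URN_PREFIX = "urn:publicid:gv.at:wbpk+"   # private-sector (wbPK) prefix
INITIATOR_REGISTER_CODES = frozenset({"FN", "VR", "ERJ", "CPR", "ERN"})


def expand_base_number(base_number: str, seed: int) -> bytes:
    """Steps 1-3 of the spin algorithm: 12 decimals -> 5 bytes -> BN|Seed|BN|BN.

    The Triple-DES encryption that follows needs the SRA's secret key and is
    deliberately not reproduced; this returns the 16-byte plaintext only.
    """
    if len(base_number) != 12 or not base_number.isdigit():
        raise ValueError("base number must be exactly 12 decimal digits")
    if not 0 <= seed <= 0xFF:
        raise ValueError("seed is an 8-bit value")
    bn = int(base_number).to_bytes(5, "big")  # 10**12 - 1 < 2**40, so 5 bytes suffice
    return bn + bytes([seed]) + bn + bn        # 5 + 1 + 5 + 5 = 16 bytes = 128 bit


def sspin_input(spin_b64: str, sector_code: str) -> str:
    """Step 2 of the sspin calculation: spin + '+' + URN prefix + sector code."""
    ok = 2 <= len(sector_code) <= 5 and sector_code.isalpha() and sector_code.isupper()
    if not ok:
        raise ValueError("sector code is normally 2 to 5 upper-case letters")
    return f"{spin_b64}+{SSPIN_URN_PREFIX}{sector_code}"


def essid_input(spin_b64: str, register_code: str, initiator_spin: str) -> str:
    """essid variant: the sector code is the initiator's spin, tagged by its register (XXX)."""
    if register_code not in INITIATOR_REGISTER_CODES:
        raise ValueError(f"unknown initiator register code {register_code!r}")
    # The slides hash the companies register number "468924 i" as "468924i":
    # whitespace inside the initiator's spin is removed.
    initiator = "".join(initiator_spin.split())
    return f"{spin_b64}+{ESSID_URN_PREFIX}{register_code}+{initiator}"


def derive_identifier(hash_input: str) -> str:
    """Steps 3-4: SHA-1 over the ISO-8859-1 bytes of the string, then Base64 (28 digits)."""
    digest = hashlib.sha1(hash_input.encode("iso-8859-1")).digest()  # 160 bit
    return base64.b64encode(digest).decode("ascii")


def decode_identifier(identifier_b64: str) -> bytes:
    """Recover the 160-bit number an application may calculate with (20 bytes)."""
    raw = base64.b64decode(identifier_b64, validate=True)
    if len(raw) != 20:
        raise ValueError("sspin/essid must decode to a 160-bit SHA-1 digest")
    return raw


def derive_sspin(spin_b64: str, sector_code: str) -> str:
    return derive_identifier(sspin_input(spin_b64, sector_code))


def derive_essid(spin_b64: str, register_code: str, initiator_spin: str) -> str:
    return derive_identifier(essid_input(spin_b64, register_code, initiator_spin))


if __name__ == "__main__":
    print("expanded BN:", expand_base_number("000247681888", 0xFF).hex().upper())
    sspin = derive_sspin(EXAMPLE_SPIN, "BW")
    print("sspin BW   :", sspin, "(slide value:", SLIDE_SSPIN_BW + ")")
    print("sspin SA   :", derive_sspin(EXAMPLE_SPIN, "SA"))  # differs: sector-bound
    print("essid FN   :", derive_essid(EXAMPLE_SPIN, "FN", "468924 i"))
```

Running the script lets you compare the computed BW value with the slides' j/NxdRQhp+tNyE9WhHdBSYuy3hA=, and shows that the same spin yields unrelated identifiers for different sectors.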
Citizen Card Environment (CCE)
» Figure: Online-Application <-> Security-Layer <-> Citizen Card Environment <-> Citizen Card
» Concept: the Citizen Card is independent from the signature creation device/software used
» Online applications need to access the Citizen Card functionality

Security Layer
» Represents the interface to
  » communicate with the Citizen Card
  » use the Citizen Card concept in a technology-neutral manner
» XML-based protocol on the application layer
» Transport layers are
  » TCP
  » HTTP
  » HTTPS

Security Layer
» Provides the possibility to send commands to the Citizen Card:
  » XML (XAdES)/CMS (CAdES) signatures
    » Creation
    » Verification
  » Read info boxes (IdL, certificates)
  » NULL operation
  » ...

Security Layer
» Source and target of an SL command may differ
» DataURL: parameter that allows redirecting the communication

Authentication Classes SL
» Some SL commands may only be used by special application classes:
  » Anonymous: no information regarding source/target
  » Pseudo-anonymous: information regarding source/target (not protected)
  » Certified: certificate-based information regarding source/target
  » CertifiedGovAgency: certificate-based information regarding source/target; the information proves an agency or a service provider of an agency (*.gv.at, agency or service-provider extension within the certificate)
Reading the IdL
» Plain request:
    <InfoboxReadRequest>
      <InfoboxIdentifier>IdentityLink</InfoboxIdentifier>
      <BinaryFileParameters ContentIsXMLEntity="true"/>
    </InfoboxReadRequest>
» Request with a domain identifier (here the essid domain of the companies register number 468924i):
    <InfoboxReadRequest>
      <InfoboxIdentifier>IdentityLink</InfoboxIdentifier>
      <BinaryFileParameters ContentIsXMLEntity="true"/>
      <BoxSpecificParameters>
        <IdentityLinkDomainIdentifier>urn:publicid:gv.at:wbpk+FN+468924i</IdentityLinkDomainIdentifier>
      </BoxSpecificParameters>
    </InfoboxReadRequest>

Creating an XML Signature
» Enveloping signature over a plain-text data object:
    <CreateXMLSignatureRequest>
      <KeyboxIdentifier>SecureSignatureKeypair</KeyboxIdentifier>
      <DataObjectInfo Structure="enveloping">
        <DataObject>
          <XMLContent>Ich bin ein einfacher Text.</XMLContent>
        </DataObject>
        <TransformsInfo>
          <FinalDataMetaInfo>
            <MimeType>text/plain</MimeType>
          </FinalDataMetaInfo>
        </TransformsInfo>
      </DataObjectInfo>
    </CreateXMLSignatureRequest>
Smartcard Implementation
» The e-card may be used as a Citizen Card
» Dedicated smart cards may also be used (e.g. by A-Trust)
» If a smart card implementation is used, a middleware for the card communication is needed (CCE)

Citizen Card Environment
» The CCE implements the SL
» Provides the smart card communication (via PC/SC)
» Ensures that the authentication classes are observed
» Default display format for signature data
» Requirement for signature creation devices for creating qualified signatures

Citizen Card Environment
» Local CCE:
  » The CCE is executed on the citizen's computer
  » SL requests are sent to a local endpoint
    » http://127.0.0.1:3495/*
    » https://127.0.0.1:3496/*
  » Implementations:
    » MOCCA
    » A-Sign Client
    » BDC Hotsign
    » ...
» Online CCE:
  » Server-based CCE
  » SL requests are sent to a server the citizen interacts with
  » MOCCA Online:
    » SL requests are processed server-side
    » Smart card communication on the client side via a Java applet
Sequence MOCCA Online (participants: citizen, application server, MOCCA server; SL over the Security Layer)
1. The application creates an SL request
2. The application forwards the citizen to the MOCCA server
3. The MOCCA server processes the SL request and creates STAL requests in the HTTP session
4. The MOCCA server sends the MOCCA applet to the citizen
5. The MOCCA applet grabs the STAL requests from the server
6. The MOCCA applet uses PC/SC for the smart card access and creates the STAL responses
7. The MOCCA applet sends the STAL responses to the server
8. MOCCA contacts the application server via the DataURL and answers it via the DataURL
9. MOCCA forwards the citizen to the application server
Mobile Phone Signature
» Implements the Citizen Card concept using a mobile TAN
» Provided by A-Trust
» www.handy-signatur.at
» SL endpoint: https://www.handysignatur.at/mobile/https-security-layer-request/default.aspx

Mobile Phone Signature
» The IdL and the asymmetric key are stored by A-Trust and protected by a hardware security module (HSM)
» For the signature creation, a TAN is sent to the citizen via SMS
» This TAN must be entered during the signature creation process
» The HSM communicates directly with an SMS gateway to send the TAN
Mobile Phone Signature - Components
» Figure: the user (password, user's mobile phone) interacts with the operator of the mobile phone solution, which consists of:
  » Web frontend
  » HSM
    » Creation of signature creation data
    » Decryption of stored signature creation data
    » Creation of qualified electronic signatures
  » SMS gateway
  » Key database: signature creation data is encrypted using a key consisting of at least a secret password and a secret HSM key
Mobile Phone Signature - Registration Process
» Figure: the user registers with the operator of the mobile phone solution
1. Assurance of identity
2. The user announces the mobile number and chooses a password
3. Verify phone ownership: the operator generates a one-time code and sends it via SMS; the user returns the code
4. Ownership verified
5. Generate and encrypt the signature creation data with at least the HSM key and a key derived from the password
6. Store the encrypted data in the database
» The usage of the signature creation data is only possible 1. within the HSM and 2. after the signature password has been entered by the signatory
Mobile Phone Signature - Signature Process
1. An application issues a signature request; the user is redirected to the signature website
2. The user enters the mobile number and the password
3. The operator calculates the hash value of the data to be signed (from the request) and displays it for affirmation
4. The operator generates a one-time code and sends the one-time code and the hash value via SMS
5. The user provides the one-time code; the one-time code verifies the ownership of the mobile phone
6. Ownership verified: recovery of the signature creation data from the database with the HSM key and the password-derived key
7. Signature creation using the signature creation data (only possible within the HSM and after the signature password has been entered by the signatory)
8. The created XML signature is returned to the application
Security Layer Conclusion
» Figure: public authority applications and private applications send their request to MOA-(W)ID, which uses the Citizen Card (Identity Link, certificate, spin) and returns the sspin to the application
» The citizen is uniquely identified (Identity Link) and authenticated through the verification of the qualified electronic signature
AK IT-Security 1 (E-Government)
Infrastructure: Registers, ELAK
Christian Maierhofer
Registers in Austria
» Public authorities need to access
  » citizens' data
  » companies' data
  » associations' data
» This data is stored within databases called electronic registers
» About 20 frequently used registers

Registers in Austria (German term: English term)
» Zentrales Melderegister (ZMR): Central Population Register (CPR)
» Stammzahlenregister (SZR): SourcePIN Register (SR)
» Ergänzungsregister für natürliche Personen (ERnP): Supplementary Register for natural Persons (SRnP)
» Ergänzungsregister für sonstige Betroffene (ERsB): Supplementary Register for others concerned
» Zentrales Vereinsregister (ZVR): Register of Associations
» Firmenbuch (FB): Register of company names
» Unternehmensregister (UR): Business Register
Source: http://www.digitales.oesterreich.gv.at/site/cob 36003/6761/default.aspx
Central Population Register
» Contains identity data about persons and their residence:
  » First name
  » Last name
  » Date of birth
  » Gender
  » Citizenship
  » Address
  » CPR-number
» May contain references to documents concerning civil status and citizenship.
» Provider: Federal Ministry of the Interior (Bundesministerium für Inneres, BMI)

Central Population Register
» Authorized to issue a request:
  » Registry offices
  » Authorized entities like notaries working as court commissioner according to § 16a (4) Meldegesetz
  » Other entities according to public law and private persons according to § 16a (5) Meldegesetz
  » Natural persons via [1] (billable) to request a confirmation of registration
[1] http://www.bmi.gv.at/cms/bmi_zmr/buerger/ueberblick/ol_bestaetigung/start.aspx

SourcePIN Register
» Calculation of the
  » Identity Link (spin) and
  » Sector specific personal identifier (sspin)
» NO STORAGE of the spin
» Provider: SourcePIN Register Authority (SRA) at the Data Protection Commission (DSK)
» Authorized to issue a request:
  » Principals of the public sector
  » Principals of the private sector
» No costs
Source PIN Register: Legal Fundamentals
  § 6 (2) For natural persons who are to be entered in the Central Population Register, the source PIN is formed by a derivation, secured with strong encryption, from their CPR number (§ 16 Abs. 1 Meldegesetz 1991, BGBl. Nr. 9/1992). For all other natural persons, their reference number in the Supplementary Register (Abs. 4) is to be used for deriving the source PIN.
» The basis for the spin calculation is
  » for natural persons that are obliged to register in Austria: the CPR-number (§ 6 (2) E-GovG)
  » for other persons: the number within the supplementary register (ERnP) (§ 6 (4) E-GovG)

Supplementary Register for natural Persons
» Contains natural persons not included within the CPR.
» If a person is not found in the CPR and the SRnP (e.g. Austrian expatriates) within the citizen card creation process, she may request the entry into the SRnP.
» The entry contains the same entries as in the CPR, except the CPR-number.
  » It additionally contains the place of birth
» Provider: spin Register Authority (at BMI)
» Authorized to issue a request:
  » Principals of the public and private sector
  » Registry entities via the person's application
Register for Associations
» Included data:
  » Identification
  » Address
  » Foundation date
  » Constitutions, articles
  » Organs (identification, sspin, function)
» Provider: BMI
» Authorized to issue a request:
  » Anybody may issue a request if no information barrier (Auskunftssperre) is active.
  » No fees
» URL: http://zvr.bmi.gv.at/start

Register of Company Names
» Included data:
  » Identification
  » Legal form
  » Address
  » Organs
  » Power of representation
  » Person data
  » Financial resources
  » Legal facts
» Since 2001: electronic annual balance sheet
» Since 2005: electronic record of documents

Register of Company Names
» Authorized to issue a request:
  » Public register
  » Can be checked at the commercial court, at notaries and at the service center help.gv.at
  » Via the Internet at a clearing center using a user account
» Costs depend on the data quantity:
  » Up-to-date excerpt: 2,40 Euro
  » Short excerpt: 0,70 Euro
  » ...

Supplementary Register for others concerned
» Persons listed within the register:
  » Legal entities not listed within the
    » Register of company names and
    » Register of associations
» Included data:
  » Identification
  » Address
  » Legal form
  » Authorized representative (Organwalter)
  » Reference number (Ordnungsnummer)
» Provider: spin Register Authority (at BMI)
» The register is public

Business Register
» Combination of the
  » Register of Company Names
  » Register for Associations
  » Supplementary Register for others concerned
» Basic data for the USP
» Provider: Statistics Austria
Person Registers
» Figure: natural persons (NP) are recorded in the CPR and the ERnP; legal persons (JP) under private law in the register of company names and the register of associations; others in the ERsB
» Natural persons:
  » Central population register (CPR)
  » Supplementary register for natural persons (ERnP): persons concerned that are not recorded in the CPR
» Base registers: CPR (ZMR) and Supplementary Register (ERnP)

Registers for natural Persons (name: competence, amount)
» Central Population Register (CPR): BM.I, 9.8 million
» Register of Standard Documents: registry office, 1.5 million
» Supplementary Register for natural Persons (ERnP): DSK, 12,000
» Source PIN Register: BM.I
» Central Register for Weapons (ZWR): weapons office, 230,000
» Criminal Record Register: BPD Wien, 206,000
» Register of births, marriages and deaths (Zentrales Personenstandsregister): planned
Person Registers
» Not natural persons ("companies"):
  » Companies register (FB)
  » Register of associations (ZVR)
  » Supplementary register for other persons concerned (ERsB): persons concerned that don't have to be listed within the FB or ZVR (e.g. a university)

Registers for legal Persons (name: competence, amount)
» Companies register (Firmenbuch): BMJ, 220,000
» Register of associations (Vereinsregister): BM.I, 120,000
» Central professional register (Gewerberegister): BMWFJ, 720,000
» Supplementary register for other persons concerned (ERsB): BKA, ?
» Business register (Unternehmensregister): BKA, 920,000

Mandates
» A legal person will not get a Citizen Card.
» Legal persons are represented by natural persons, e.g. the business leader.
» More on mandates on 30.10.2014
ELAK
» Electronic Record (ELektronischer AKt)
» Used since 2004
» Replaces paper-based procedures
» ARGE ELAK provided a combination of
  » Document management
  » Electronic record processing workflow
» Fabasoft eGov-Suite

Why ELAK?
» Beginning of e-government:
  » Electronic web forms for citizens
  » Printed at the public authorities
  » Hard copies are processed by different employees at the authorities
  » Reply: acknowledgment letter to the citizen
» Modern e-government:
  » Continuous, electronic governmental processes

ELAK - Advantages
» The electronic record represents the ORIGINAL record
» No hard copies are processed; paper-based applications may be scanned
» Electronic signatures
» Electronic dual delivery
» Automated processing (e.g. for confirmation of registration)
» Employee-independent processing
» Full-text search within the records
» Reduction of cycle time by up to 20%
» Electronic payment of fees
ELAK Stages
» Receive input document
  » Paper-based documents or
  » Electronic documents via web forms
  » Selection of misdirected documents
  » Verify signatures
» Register document
  » Scan documents
  » Perform optical character recognition (OCR) for full-text search
  » Add the document to the management system: create a new request
  » (Manually) enter meta data
  » Assign a unique ID to every document
» Allocation
  » To the responsible employee(s)
  » The employee verifies responsibility
  » Accept or forward to another role or employee
  » Allocation may be carried out automatically based on predefined rules

ELAK Stages
» Journalizing
  » Assign the request to a subject area (Fachgebiet)
  » Create a unique request ID
  » Other references or documents may be added to the request
  » Based on the subject area, a predefined processing of the request may be carried out
» Einsichtsvorschreibung
  » Information on which departments within the public authority may be concerned
  » Defined by the responsible employee
  » May be defined before/while/after the processing and approbation phase
  » The other departments may add information or even close a request
» Processing
  » The employee creates a proposal for the treatment of the request
  » The employee also creates the required documents
  » Process the request as proposed
  » The finished case is signed by the employee and stored.

ELAK Stages
» Approbation
  » Based on the proposal
  » Pre-approbations by other employees may be required, based on the hierarchy
  » The approving employees may modify the case
    » Modifications are logged within the system
    » A new version is created for every modification
  » Only one person should approve the final version of the case (e.g. the department leader)
» Attestation, dispatch, final copy
  » Attachments may be added
  » The final copy is attested and forwarded (mail, fax, paper, ...)
  » The procedure is logged (when, what, how the final copy has been sent)
» Deposition and archiving
  » Electronic archiving
  » Organizational archiving
EDIAKT II» XML format description for communication between two entities» Between public authorities» Between public authorities and the economy sector» Between public authorities and citizens» 5 levels of integration» Level 0 to Level 4» Depends on the degree of integration into the entities' IT systems Graz, 22.10.2014 100
EDIAKT II Level 0» Sender (S) electronically forwards EDIAKT packet to recipient (R)» R receives packet and may view it using an EDIAKT viewer» Read meta data» Read process data» Extract embedded documents» Verify electronic signatures» Everything is done manually Graz, 22.10.2014 101
EDIAKT II Level 1» S electronically forwards EDIAKT packet to R» R receives packet and operates a KIS (Kanzleiinformationssystem)» EDIAKT is automatically registered within the KIS» Automated logging based on the metadata» Additional information may be viewed using an EDIAKT viewer Graz, 22.10.2014 102
EDIAKT II Level 2» S electronically forwards EDIAKT packet to R» R receives packet and operates an ELAK system» Packet is automatically registered within the ELAK system» Automated assignment to a subject area based on metadata» Record processing predefined within the ELAK system may be added automatically» Additional information may be viewed using an EDIAKT viewer Graz, 22.10.2014 103
EDIAKT II Level 3» S electronically forwards EDIAKT packet to R» R receives packet and operates an ELAK system» Packet is automatically registered within the ELAK system» Automated assignment to a subject area based on metadata» In contrast to level 2, the process data is extracted from the EDIAKT packet and the electronic record is initialized using this process data» Additional information may be viewed using an EDIAKT viewer Graz, 22.10.2014 104
EDIAKT II Level 4» S electronically forwards EDIAKT packet to R» R receives packet and operates an ELAK system» The complete EDIAKT packet (structure, content and process data) is imported into the ELAK system» All objects are mapped to objects and structures of R's ELAK system» No additional viewer required, because everything is available via the ELAK system Graz, 22.10.2014 105
EDIAKT II Types» EDIAKT-light» R is able to process at least one business matter with one document automatically» EDIAKT-complete» R is able to interpret the information automatically on all levels [Figure: payload layers (accumulated) file, business case, business process, document; EDIAKT-light vs. EDIAKT-complete] Source: http://reference.e-government.gv.at/uploads/media/ediakt-ii-1-1-0-2005-1214.pdf Graz, 22.10.2014 106
EDIAKT II XML Schema» Five elements» Header» Receiver (using PersonData schema)» Sender (using PersonData schema)» Purpose» CoveringLetter» ProcessData (optional)» XPDL standard» Describes the process model used by the sender's workflow» MetaData» Id, notice, date, time,» Payload» 4 layers: document, business process, business case, (accumulated) file» Signature (optional)» XMLDSig standard signature Graz, 22.10.2014 107
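To make the packet structure from the Types and XML Schema slides concrete, the following is an added Python example (not code from the slides, the EGIZ or the EDIAKT II project). It builds a simplified packet with the five top-level elements the slide names (Header, ProcessData omitted as optional, MetaData, Payload with the four nested layers, Signature) and then performs the check a receiving ELAK or viewer would do first: confirm the required elements are present and that the XMLDSig Reference digest still matches the canonicalized Payload, i.e. that nothing was modified after signing. The namespace `urn:example:ediakt-ii-simplified`, the `Id` attribute and all element nesting are assumptions for illustration, not the official schema, and the SignatureValue is a placeholder; only the Reference digest is verified, not the signature over SignedInfo.

```python
"""Constructed, simplified EDIAKT-II-style packet with an XMLDSig-style
Reference digest check. Element names follow the slide (Header, MetaData,
Payload, Signature); namespace, attributes and nesting are assumptions."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = "urn:example:ediakt-ii-simplified"   # assumed placeholder namespace
DS = "http://www.w3.org/2000/09/xmldsig#"  # real XMLDSig namespace
ET.register_namespace("e", NS)
ET.register_namespace("ds", DS)

REQUIRED_TOP = ("Header", "MetaData", "Payload")   # ProcessData and Signature are optional
PAYLOAD_LAYERS = ("File", "BusinessCase", "BusinessProcess", "Document")  # outermost first


def q(tag, ns=NS):
    """Clark-notation qualified name for ElementTree."""
    return f"{{{ns}}}{tag}"


def canonical_digest(element):
    """Base64 SHA-256 over the C14N form of one element (ET.canonicalize, Python 3.8+)."""
    raw = ET.tostring(element, encoding="unicode")
    c14n = ET.canonicalize(raw)
    return base64.b64encode(hashlib.sha256(c14n.encode()).digest()).decode()


def build_packet(document_text, sign=True):
    """Assemble a constructed sample packet; sign=False models an unsigned packet."""
    root = ET.Element(q("EDIAKT"))
    header = ET.SubElement(root, q("Header"))
    ET.SubElement(header, q("Sender")).text = "Magistrat Musterstadt"          # constructed
    ET.SubElement(header, q("Receiver")).text = "Bezirkshauptmannschaft Beispiel"  # constructed
    ET.SubElement(header, q("Purpose")).text = "Aktenuebermittlung"
    ET.SubElement(header, q("CoveringLetter")).text = "Anbei der Akt."
    meta = ET.SubElement(root, q("MetaData"))
    ET.SubElement(meta, q("Id")).text = "EXAMPLE-2014-0001"                    # constructed
    ET.SubElement(meta, q("Date")).text = "2014-10-22"
    payload = ET.SubElement(root, q("Payload"), {"Id": "payload"})
    node = payload
    for layer in PAYLOAD_LAYERS:       # file > business case > business process > document
        node = ET.SubElement(node, q(layer))
    node.text = document_text
    if sign:
        # Enveloped signature: the Reference points at the Payload by Id.
        sig = ET.SubElement(root, q("Signature", DS))
        signed_info = ET.SubElement(sig, q("SignedInfo", DS))
        ref = ET.SubElement(signed_info, q("Reference", DS), {"URI": "#payload"})
        ET.SubElement(ref, q("DigestMethod", DS),
                      {"Algorithm": "http://www.w3.org/2001/04/xmlenc#sha256"})
        ET.SubElement(ref, q("DigestValue", DS)).text = canonical_digest(payload)
        ET.SubElement(sig, q("SignatureValue", DS)).text = "PLACEHOLDER-not-a-real-signature"
    return ET.tostring(root, encoding="unicode")


def check_packet(xml_text):
    """Receiver-side check: required elements present, every Reference digest intact.
    Returns (ok, findings); findings is empty when ok."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.tag != q("EDIAKT"):
        findings.append("unexpected root element")
    for name in REQUIRED_TOP:
        if root.find(q(name)) is None:
            findings.append(f"missing {name}")
    sig = root.find(q("Signature", DS))
    if sig is None:
        findings.append("unsigned packet: origin and integrity cannot be verified")
        return False, findings
    for ref in sig.iter(q("Reference", DS)):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            findings.append(f"external reference {uri!r} not supported")
            continue
        target = next((el for el in root.iter() if el.get("Id") == uri[1:]), None)
        if target is None:
            findings.append(f"reference target {uri} not found")
            continue
        if canonical_digest(target) != ref.findtext(q("DigestValue", DS), ""):
            findings.append(f"digest mismatch for {uri}: content modified after signing")
    return not findings, findings


if __name__ == "__main__":
    packet = build_packet("Antrag auf Baubewilligung")
    print(check_packet(packet))
    tampered = packet.replace("Antrag auf Baubewilligung", "Antrag abgelehnt")
    print(check_packet(tampered))
```

The check runs before anything is registered in the KIS or ELAK system (levels 1 to 4), since an automatic import of process data from a packet whose Payload digest no longer matches would initialize the record from modified content.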
EDIAKT II Sample (sample XML shown on slides 108 to 111 was not extracted) Graz, 22.10.2014 108
Follow us on Twitter https://twitter.com/egov_egiz Thanks for your attention! Slides were created with the support of the Federal Chancellery of Austria. Tobias Kellner tobias.kellner@egiz.gv.at Christian Maierhofer christian.maierhofer@egiz.gv.at www.egiz.gv.at
References/Additional Information» http://reference.e-government.gv.at/uploads/media/stammzahlbpk-algorithmen-1_1_1-20070131.pdf» http://www.stammzahlenregister.gv.at/» www.bürgerkarte.at» http://www.ris.bka.gv.at/geltendefassung.wxe?abfrage=bundesnormen&gesetzesnummer=20003230» http://www.digitales.oesterreich.gv.at/site/6761/default.aspx» http://www.digitales.oesterreich.gv.at/site/5231/default.aspx Graz, 22.10.2014 113