Carte d identité électronique () FedICT egovernment Ir. Olivier LIBON. Forum Telecom Liège, 27 Mars 2003 E-government Architecture et stratégie Simplification administrative Citoyens Entreprises Fonctionnaires Front-Office: Principe de la collection unique des données Portail Fédéral & FedMAN UME (Unified Messaging Engine) Back-Office: Principe des Sources Authentiques Banque carrefour des entreprises Registre National (FedPKI) PORTAIL UME BCE COMMUNICATION APPLICATION INTEGRATION Etat des projets clés (*) Etat des projets clés FEDMAN 1st phase FedMAN rounded off 16 Network Access Points 2nd phase planned January 2003 UME UME v2 delivered Stress testing : December 2002 Production: January 2003 CBE CBE in production on 2nd January 2003 Transition periode enterprise numbers Portal Static portal First version finished Open limited audience (FedMAN) : 18 November 2002 Release big audience: 27 November 2002 Transactional portal: Due Dilligence rounded off Design and development phase launched Delivery : March 2003 (*) The mentioned data are estimations of the timing. This timing is based on a series of legal and regulatory decisions of which the realization falls out of the competences of the authors.
: BELgian electronic Personal Identity Card Belgian ELectronic Personal Identity Card concept But Aspects visuels Donner à chaque citoyen belge une carte d identité électronique lui permettant de: s authentifier (preuve d identité) signer électroniquement (outil de signature) identification visuelle du porteur D un point de vue visuel: identique à la carte d identité actuelle : le nom de famille les deux premier Prénoms la première lettre du troisième prénom la nationalité le lieu et la date de naissance le sexe les dates de début et fin de validité le numéro de carte la photo la signature le numéro de registre national l adresse (jusque 31/12/2003) le lieu de délivrance la signature de l autorité Aspects électroniques Autentification Identification électronique du porteur D un point de vue électronique: la puce contient la même information que ce qui est imprimé sur la carte à l exception de: la signature du porteur qui est remplacée par une paire de clés & certificats (d autentification et de signature) la signature de l autorité est remplacée par une chaîne de certificats électroniques le protections visuelles qui sont remplacées par des protections électroniques crytpographiques (temporairement) pas de clé d encryption pas de portefeuille électronique pas d informations biométriques conforme à la directive européenne 1999/93/EC Applications: site web, bibliothèque, park à containers,
VRK Meikäläinen Matti Bull VRK Meikäläinen Matti Bull Signature X.509 v3 certificate CM - Card Manufacturer Production Process Distribution Process (5) (5) (4) CM/CP/CI (4) CM/CP/CI (10a2) (6) (8) (10a2) (6) (8) (10a1) (3) National Register (9) (7) (10a1) (3) Rijksregister (9) (7) Municipality Gemeente (1) The municipalities De (10b) De Gemeenten (1) (10b) Face to face identification PIN & PUK1-code Face to face identification PIN & PUK1-code (2) (12) (11) (2) (12) (11) (13) (13) Personlization Process CA - ificate Authority
FedPKI EIC and PKI PKI is a transparent frameworkof services, products and facilities to facilitate securization, i.e. the crucial keystonefor e- government FedPKI = PKI for civil servants and machines involved in the distribution of the electronic identity card Part project Same PKI as for citizen (simple migration from civil servants card to electronic identity card) Free use and free verification of identity certificate for relations with authorities Possibility of separate use of identity and attribute certificates Private key for digital signature securized with PIN Use of open technical standards Card Specifications Chip specifications Standard - ISO/IEC 7816 Format & Physical Characteristics Bank Card (ID1) Standard Contacts & Signals RST,GND,CLK,Vpp,Vcc, I/O Standard Commands & Query Language (APDU) Chip characteristics: Cryptoflex JavaCard 32K CPU (processor): 16 bit Micro-controller Crypto-processor: 1100 bit Crypto-Engine (RSA computation) 112 bit Crypto-Accelerator (DES computation) ROM (OS): 136 kb (GEOS Java Virtual Machine) EEPROM (Applic + Data): 32 KB (Cristal Applet) RAM (memory): 5 KB I/O Crypto ROM (DES,RSA) (Operating System) CPU EEPROM (File System= applications + data) RAM (Memory) GEOS JVM CRISTAL Applet ID data, Keys, s. Data specifications Technical specifications BelPIC Card Key Auth Key Sign Key Auth Sign CA Root Directory Structure (PKCS#15) Dir (BelPIC): certificates & keys (PIN code protected) standard format (to be used by generic applications) ID Microsoft CryptoAPI ( Windows) PKCS#11 ( UNIX/Linux & MacOS) ID Dir (ID): contains full identity information ADR first name, last name, etc. address PIC picture proprietary format (to be used by dedicated applications only) Keys and certificates private and public keyca : 2048 bits private and public key citizen: 1024 bits Signatures put via RSA with SHA-1 all certificates are conform to X.509 v3
Role, Common KeyPair Object Signing Role, Common KeyPair Object Signing CA hierarchy CA hierarchy GlobalSign GlobalSign Belgium Self- Signed Belgium RootSigned Belgium Self- Signed Common KeyPair Belgium RootSigned Administration CA Citizen CA Government CA Interface Signing Auth. SSL Server, Administration CA Citizen CA Government CA Role, Interface Signing Auth. SSL Server, Object Signing CA hierarchy ificate specifications Belgium Self- Signed Administration CA Citizen CA Government CA Interface Signing Auth. GlobalSign Belgium RootSigned SSL Server, Belgium Root CA Citizen Citizen CA CA Auth Sign Crypt Citizen s certificates & keys Authentication ificate & key pair (1024 bits) provide strong authentication (access control) web site authentication single sign-on (login) Signature ificate & key pair (1024 bits) provide non repudiation (electronic signature equivalent to handwritten signature) Document Signing Form Signing (Encryption ificate & key pair) foreseen at a later stage private key backup/archiving MiddleWare specifications Windows Generic Applics MS-CSP (Microsoft interface) PIN (pin logic library) DLL (C-reader DLL) Non Win Generic Applics PKCS#11 (ificate& Keys Management) BelPIC Specific Applics PKCS#15 OpenSC (Generic SC Interface) PC/SC (Generic SC ReaderInterface) Driver (Specific SC Reader Interface) Card & Reader Software Card MiddleWare PKCS#15 ID specific applications Card is accessed as a simple file system No key management possible (no PIN) for belgian police, post, banks, etc PKCS#11 Generic applications Only keys & s available via PKCS#11 API allows authentication (& signature) for Netscape, Linux, Unix, etc MS-CSP Windows applications Only keys & certs available via MSCryptoAPI allows authentication (& signature) for Microsoft Explorer, Outlook, etc Reader Driver/Firmware most part is generic (orange part) small part is specific (green part) PROJECT I/O
Legal framework Project Electronic signature (9 July 2001) Implementation of the European Directive 1999/93/EC Law on National Register and identity cards Simplification of the procedure to gain access to the information data from the National Register and to use the identification number Introduction electronic identity card Two parallel projects : infrastructure central : NRN decentral : cities and municipalities electronic identity card production, personalization, initialization and distribution of electronic identity card Delivery of certification services Involvement Fedict : Project reporting CA part To coordinate and elaborate applications using the EIC Control consistency with the federal portal environment Planning (*) A card and then? KICK OFF 2002 2003 Oct Nov Dec Jan Feb Mar Apr May Jun Jul Aug Sep 1 2 1 : development, testing infrastructure GO/NO GO 2 : analyse, testing, card production 3 : analyse, testing certification services 4 : start pilot 11 municipalities (Borsbeek, Leuven, Tongeren, Jabbeke, Geraardsbergen, Lasne, Seneffe, Seraing, Marche-en- Famenne, Rochefort, Sint-Pieters-Woluwe) (*) This planning is an estimation of the timing. This timing is based on a series of legal and regulatory decisions of which the realization falls out of the competences of the authors. 3 18/03 4 On the short term : e-government Examples : Tax declaration Vehicle registration (DIV) On the long term : extra possibilities such as financial sector (banks) health sector (SIS) transport (tickets, parking, ) e-security (SSO, login, ) Ultimate aim: the identity card is the only card in the wallet of the Belgian citizens.