Suche senden
Hochladen
Belgian eID cards - technicalities
•
4 gefällt mir
•
10,975 views
B
beires
Folgen
Technical info on the Belgian eID card + use cases
Weniger lesen
Mehr lesen
Business
Technologie
Melden
Teilen
Melden
Teilen
1 von 78
Jetzt herunterladen
Downloaden Sie, um offline zu lesen
Empfohlen
Reflections on Trusting Trust
Reflections on Trusting Trust
yeokm1
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linaro
FreeRTOS API
FreeRTOS API
Vincent Claes
SR-IOV Introduce
SR-IOV Introduce
Lingfei Kong
Subnet calculation Tutorial
Subnet calculation Tutorial
Ritu Ranjan Shrivastwa
NIEC DELHI IoT Guest Lecture
NIEC DELHI IoT Guest Lecture
Hitesh
Cisco 2960x datasheet and supported sfp modules
Cisco 2960x datasheet and supported sfp modules
Mark Tsui
IoT and connected devices: an overview
IoT and connected devices: an overview
Pascal Bodin
Empfohlen
Reflections on Trusting Trust
Reflections on Trusting Trust
yeokm1
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linaro
FreeRTOS API
FreeRTOS API
Vincent Claes
SR-IOV Introduce
SR-IOV Introduce
Lingfei Kong
Subnet calculation Tutorial
Subnet calculation Tutorial
Ritu Ranjan Shrivastwa
NIEC DELHI IoT Guest Lecture
NIEC DELHI IoT Guest Lecture
Hitesh
Cisco 2960x datasheet and supported sfp modules
Cisco 2960x datasheet and supported sfp modules
Mark Tsui
IoT and connected devices: an overview
IoT and connected devices: an overview
Pascal Bodin
MQTT - REST Bridge using the Smart Object API
MQTT - REST Bridge using the Smart Object API
Michael Koster
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
The Linux Foundation
Ftp: a slideshow on File transfer protocol
Ftp: a slideshow on File transfer protocol
Lina Guha Roy
Chapter_1.pptx
Chapter_1.pptx
AadiSoni3
IoT Google Cloud Functions with Firebase
IoT Google Cloud Functions with Firebase
Shang Yi Lim
Azure Digital Twins.pdf
Azure Digital Twins.pdf
Tomasz Kopacz
Technology Behind IoT (JNTUK - Unit - 1)
Technology Behind IoT (JNTUK - Unit - 1)
FabMinds
Embedded Linux on ARM
Embedded Linux on ARM
Emertxe Information Technologies Pvt Ltd
内部統制資料(Sox法)
内部統制資料(Sox法)
Takahiro Kitajima
I2C protocol and DS1307 RTC interfacing
I2C protocol and DS1307 RTC interfacing
Bhargav Kakadiya
IoT
IoT
Ananth Kumar
Docker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driver
Sreenivas Makam
NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX
NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX
NGINX, Inc.
Lab practice 1 configuring basic routing and switching (with answer)
Lab practice 1 configuring basic routing and switching (with answer)
Arz Sy
IoT Introduction Architecture and Applications
IoT Introduction Architecture and Applications
The IOT Academy
Wpa supplicant introduction
Wpa supplicant introduction
awkman
Internet of things (IoT)
Internet of things (IoT)
Tarika Verma
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
IoT with Python
IoT with Python
Dr. Sanjay Shitole
IoT Networking Part 2
IoT Networking Part 2
Hitesh Mohapatra
Belgian eID cards
Belgian eID cards
beires
8 e id en security
8 e id en security
guest3cf4991
Weitere ähnliche Inhalte
Was ist angesagt?
MQTT - REST Bridge using the Smart Object API
MQTT - REST Bridge using the Smart Object API
Michael Koster
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
The Linux Foundation
Ftp: a slideshow on File transfer protocol
Ftp: a slideshow on File transfer protocol
Lina Guha Roy
Chapter_1.pptx
Chapter_1.pptx
AadiSoni3
IoT Google Cloud Functions with Firebase
IoT Google Cloud Functions with Firebase
Shang Yi Lim
Azure Digital Twins.pdf
Azure Digital Twins.pdf
Tomasz Kopacz
Technology Behind IoT (JNTUK - Unit - 1)
Technology Behind IoT (JNTUK - Unit - 1)
FabMinds
Embedded Linux on ARM
Embedded Linux on ARM
Emertxe Information Technologies Pvt Ltd
内部統制資料(Sox法)
内部統制資料(Sox法)
Takahiro Kitajima
I2C protocol and DS1307 RTC interfacing
I2C protocol and DS1307 RTC interfacing
Bhargav Kakadiya
IoT
IoT
Ananth Kumar
Docker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driver
Sreenivas Makam
NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX
NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX
NGINX, Inc.
Lab practice 1 configuring basic routing and switching (with answer)
Lab practice 1 configuring basic routing and switching (with answer)
Arz Sy
IoT Introduction Architecture and Applications
IoT Introduction Architecture and Applications
The IOT Academy
Wpa supplicant introduction
Wpa supplicant introduction
awkman
Internet of things (IoT)
Internet of things (IoT)
Tarika Verma
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
Project ACRN
IoT with Python
IoT with Python
Dr. Sanjay Shitole
IoT Networking Part 2
IoT Networking Part 2
Hitesh Mohapatra
Was ist angesagt?
(20)
MQTT - REST Bridge using the Smart Object API
MQTT - REST Bridge using the Smart Object API
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
Ftp: a slideshow on File transfer protocol
Ftp: a slideshow on File transfer protocol
Chapter_1.pptx
Chapter_1.pptx
IoT Google Cloud Functions with Firebase
IoT Google Cloud Functions with Firebase
Azure Digital Twins.pdf
Azure Digital Twins.pdf
Technology Behind IoT (JNTUK - Unit - 1)
Technology Behind IoT (JNTUK - Unit - 1)
Embedded Linux on ARM
Embedded Linux on ARM
内部統制資料(Sox法)
内部統制資料(Sox法)
I2C protocol and DS1307 RTC interfacing
I2C protocol and DS1307 RTC interfacing
IoT
IoT
Docker Networking Tip - Macvlan driver
Docker Networking Tip - Macvlan driver
NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX
NGINX 101: Web Traffic Encryption with SSL/TLS and NGINX
Lab practice 1 configuring basic routing and switching (with answer)
Lab practice 1 configuring basic routing and switching (with answer)
IoT Introduction Architecture and Applications
IoT Introduction Architecture and Applications
Wpa supplicant introduction
Wpa supplicant introduction
Internet of things (IoT)
Internet of things (IoT)
Project ACRN hypervisor introduction
Project ACRN hypervisor introduction
IoT with Python
IoT with Python
IoT Networking Part 2
IoT Networking Part 2
Ähnlich wie Belgian eID cards - technicalities
Belgian eID cards
Belgian eID cards
beires
8 e id en security
8 e id en security
guest3cf4991
8 e id en security
8 e id en security
guest3cf4991
Integrating the Belgian e-ID into Android - Gauthier Van Damme - droidcon.be ...
Integrating the Belgian e-ID into Android - Gauthier Van Damme - droidcon.be ...
tcs digital world
The Future of Secure Documents
The Future of Secure Documents
Darren Corbett
Tutorial 3 peter kustor
Tutorial 3 peter kustor
egovernment
Gov belgium id
Gov belgium id
fadliwiryawirawan
Europe | Electronic IDs
Europe | Electronic IDs
Corporate Registers Forum
The Concept of Electronic ID Cards. How do they work.Development of Electroni...
The Concept of Electronic ID Cards. How do they work.Development of Electroni...
E-Government Center Moldova
Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...
E-Government Center Moldova
Georgian eID
Georgian eID
Valeri Tkeshelashvili
Semlex's Biopass - ENG
Semlex's Biopass - ENG
Semlex Europe
Brokerage 2007 presentation security
Brokerage 2007 presentation security
imec.archive
E-Paper Technology Documentation
E-Paper Technology Documentation
Rajesh Gaddam
Europe | EU Approach to Data Exchange (Carsten Schmidt)
Europe | EU Approach to Data Exchange (Carsten Schmidt)
Corporate Registers Forum
EU Digital Identity Wallet - INNOPAY.pptx
EU Digital Identity Wallet - INNOPAY.pptx
INNOPAY1
Enter e-Estonia: the story of a successful digital society - Indrek Onnik - S...
Enter e-Estonia: the story of a successful digital society - Indrek Onnik - S...
TOPdesk
Fiduciary Documents
Fiduciary Documents
Semlex Europe
Ähnlich wie Belgian eID cards - technicalities
(18)
Belgian eID cards
Belgian eID cards
8 e id en security
8 e id en security
8 e id en security
8 e id en security
Integrating the Belgian e-ID into Android - Gauthier Van Damme - droidcon.be ...
Integrating the Belgian e-ID into Android - Gauthier Van Damme - droidcon.be ...
The Future of Secure Documents
The Future of Secure Documents
Tutorial 3 peter kustor
Tutorial 3 peter kustor
Gov belgium id
Gov belgium id
Europe | Electronic IDs
Europe | Electronic IDs
The Concept of Electronic ID Cards. How do they work.Development of Electroni...
The Concept of Electronic ID Cards. How do they work.Development of Electroni...
Identity and Access Management and electronic Identities _ Belgian Federal Go...
Identity and Access Management and electronic Identities _ Belgian Federal Go...
Georgian eID
Georgian eID
Semlex's Biopass - ENG
Semlex's Biopass - ENG
Brokerage 2007 presentation security
Brokerage 2007 presentation security
E-Paper Technology Documentation
E-Paper Technology Documentation
Europe | EU Approach to Data Exchange (Carsten Schmidt)
Europe | EU Approach to Data Exchange (Carsten Schmidt)
EU Digital Identity Wallet - INNOPAY.pptx
EU Digital Identity Wallet - INNOPAY.pptx
Enter e-Estonia: the story of a successful digital society - Indrek Onnik - S...
Enter e-Estonia: the story of a successful digital society - Indrek Onnik - S...
Fiduciary Documents
Fiduciary Documents
Kürzlich hochgeladen
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
Abortion pills in Kuwait Cytotec pills in Kuwait
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Dipal Arora
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Dave Litwiller
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
IlamathiKannappan
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
amitlee9823
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Seo
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
dollysharma2066
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
kcpayne
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
lizamodels9
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
Eric T. Tung
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
Seo
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)- A new venture concept
P&CO
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Sheetaleventcompany
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Admir Softic
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
Matteo Carbone
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
ritikaroy0888
Kürzlich hochgeladen
(20)
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Greater Kailash ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
(Anamika) VIP Call Girls Napur Call Now 8617697112 Napur Escorts 24x7
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Mysore Call Girls 8617370543 WhatsApp Number 24x7 Best Services
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
A DAY IN THE LIFE OF A SALESMAN / WOMAN
A DAY IN THE LIFE OF A SALESMAN / WOMAN
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Majnu Ka Tilla, Delhi Contact Us 8377877756
Katrina Personal Brand Project and portfolio 1
Katrina Personal Brand Project and portfolio 1
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
Call Girls In DLf Gurgaon ➥99902@11544 ( Best price)100% Genuine Escort In 24...
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
MONA 98765-12871 CALL GIRLS IN LUDHIANA LUDHIANA CALL GIRL
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
Business Model Canvas (BMC)- A new venture concept
Business Model Canvas (BMC)- A new venture concept
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Call Girls Zirakpur👧 Book Now📱7837612180 📞👉Call Girl Service In Zirakpur No A...
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
Call Girls In Panjim North Goa 9971646499 Genuine Service
Call Girls In Panjim North Goa 9971646499 Genuine Service
Belgian eID cards - technicalities
1.
Belgian eID Card
Technicalities Danny De Cock Danny.DeCock@esat.kuleuven.be Katholieke Universiteit Leuven/Dept. Elektrotechniek (ESAT) Computer Security and Industrial Cryptography (COSIC) Kasteelpark Arenberg 10 B-3001 Heverlee Belgium Belgian eID Card Technicalities Slide 1 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
2.
For Your Information
☺ The copyright holder of this information is Danny De Cock (email: godot@godot.be), further referenced as the author The information expressed in this document reflects the author's personal opinions and do not represent his employer's view in any way All information is provided as is, without any warranty of any kind Use or re-use of any part of this information is only authorized for personal or not-for-profit use, and requires prior permission by the author Slide 2 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
3.
Visual Aspects Front:
Name First two names First letter of 3rd name Title Nationality Birth place and date Gender Card number Photo of the holder Begin and end validity dates of the card Hand written signature of the holder Back side: Place of delivery of the card National Register identification number Hand written signature of the civil servant Main residence of the holder (cards produced before 1/1/2004) International Civil Aviation Organization (ICAO)- specified zone (cards produced since 1/1/2005) Slide 3 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
4.
Visual Security Mechanisms Rainbow
and guilloche printing Changeable Laser Image (CLI) 12345678 Optical Variable Ink (OVI) Alpha gram Relief and UV print Laser engraving Slide 4 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
5.
The Belgian eID
card… Uses On-board key pair generation Private keys cannot leave the eID card Key pair generation is activated during the initialization of the eID card Uses JavaCard technology Can be used using software/middleware – free of charge – provided the Government Can only be managed by the Belgian government Citizen identity/address data is read/write for the National Registry eID card refuses update attempts from other parties than the government Slide 5 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
6.
Belgian eID Project
Time line 13 Dec 1999: European Directive 1999/93/EC on Electronic Signatures 22 Sept 2000: Council of Ministers approves eID card concept study 19 July 2001: Council of Ministers approves basic concepts (smart card, citizen-certificates, no integration with SIS card, Ministry of Internal Affairs is responsible for RRN’s infrastructure, pilot municipalities, helpdesk, card production, legal framework,… Fedict for certification services 3 Jan 2002: Council of Ministers assigns RRN’s infrastructure to NV Steria 1999 2000 2001 2002 2002 2003 2004 2005 2009 27 Sept 2002: Council of End of 2009: all citizens have an eID Ministers assigns card card production to NV Zetes, certificate services to NV September 2005: all newly issued ID Belgacom cards are eID cards 31 March 2003: first 4 eID 27 September 2004: start of nation-wide roll-out cards issued to civil servants 25 January 2004: start of pilot phase evaluation 9 May 2003: first pilot municipality 25 July 2003: eleventh pilot municipality started starts issuing eID cards Slide 6 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
7.
Who gets an
electronic Identity Card? A new eID card is issued to New Belgian citizens Every youngster at the age of 12 People changing from one address to another in the local municipality Replace a lost, stolen, damaged or expired (e)ID card Specific groups who requested a priority Medical doctors, lawyers, eID software companies,… A kid@card is issued to Children younger than 12 E.g., 307.000 identity proofs issued to children in 2005 Slide 7 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
8.
Belgium issuing eID
cards 1 Million cards produced and issued in 6 months All 589 municipalities issue eID cards Today over 4 million eID cards produced and about 3.5 million activated Starting to issue kid@cards Planning foreigners card Slide 8 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
9.
eID Card Content
PKI Citizen Identity Data ID ADDRESS ID ADDRESS Authentication Digital Signature RRN RRN RRN RRN SIGNATURE SIGNATURE SIGNATURE SIGNATURE 140x200 Pixels 8 BPP RRN, Root CA, CA,… 3.224 Bytes RRN = National Register Slide 9 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
10.
Identity Files Content Identity
file (~160 bytes) Citizen’s main address file (~120 bytes) Chip-specific: Street + number Chip number Zip code Citizen-specific: Municipality Name Digital signature on main address and First 2 names the identity file issued by the RRN First letter of 3rd first name Citizen’s JPEG photo ~3 Kbytes RRN identification number Nationality Birth location and date King, Prince, Count, Earl, Baron,… Baron,… Gender No status, white cane (blind people), yellow Noble condition cane (partially sighted people), extended Special status minority, any combination SHA-1 hash of citizen photo Belgian citizen, European community citizen, Card-specific: non-European community citizen, bootstrap non- Card number card, habilitation/machtigings card Validity’s begin and end date Card delivery municipality m Belgiu A Root C Document type Digital signature on identity file issued by the RRN Citizen Gov CA CA Slide 10 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
11.
PKI Content –
Keys & Certificates 2 key pairs for the citizen: Citizen-authentication X.509v3 authentication certificate Advanced electronic (non-repudiation) signature X.509v3 qualified certificate Can be used to produce digital signatures equivalent to handwritten signatures, cfr. European Directive 1999/93/EC 1 key pair for the card: eID card authentication (basic key pair) No corresponding certificate: RRN (Rijksregister/Registre National) knows which public key corresponds to which eID card Slide 11 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
12.
Signature Types –
EU Directive 1999/93/EC Electronic Signatures E.g., email signature Advanced Electronic Signatures Article 2.2 (PKI technology) E.g., digital signature Qualified Electronic Signature Article 5.1 (identification/enrolment) +Annex I: Q-Cert +Annex II: Q-CSP +Annex III: SSCD E.g., digital signature combined with qualified certificate Slide 12 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
13.
eID Certificates Hierarchy
m Belgiu m Belgiu A Root C 2048-bit RSA CA Root ARL Citizen Card Gov 2048-bit RSA Admin CA CA CA CRL CRL CRL Code Non- Server Auth RRN Cert Card sign rep Cert Cert Cert Admin Admin 1024-bit RSA Cert Cert Card Administration: Certificates for update address, key pair Government web servers, generation, store signing citizen files, public certificates,… information,… Slide 13 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
14.
Location of the
Certificates m Belgiu m Belgiu A Root C CA Certificate Root embedded in ARL most commercial browsers Certificate obtained by applications using eID cards Citizen Card Gov Admin CA CA CA CRL CRL CRL Certificate stored in full in every eID card Code Non- Server Auth RRN Cert Card Public key of this sign rep Cert Cert Cert Admin Admin certificate is Cert Cert stored in every eID card Slide 14 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
15.
eID Card Types
0-6 years Kids Card, no certificates 6-12 years Kids Card, only authentication certificate 12-18 years eID Card, only authentication certificate 18- years eID Card, both authentication and non-repudiation certificate Non-Belgians Foreigners card Slide 15 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
16.
eID Card Issuing
Procedure (1/2) Card Personalizer (CP) Card Initializer (CI) (5) (4) (6) (10a”) (8) National Certification Authority (CA) Register (RRN) (9) (10a’) (3) (7) Municipality (10b) (0) (1) Citizen PIN & PUK (11) Face to face identification Citizen (2) (13) (12) Slide 16 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
17.
eID Card Issuing
Procedure (2/2) 0: Citizen receives a convocation 9: CI stores these certificates on the letter or takes the initiative eID card 1: Visit municipality with photo 10a: CI writes citizen data (ID, address,…) to the card, 2: Formal eID request is signed deactivates the card 3,4: CP receives eID request via 10b: CI sends invitation letter with RRN citizen’s PIN and activation 5: CP prints new eID card, CI starts code PUK2 on-card key pairs generation 11: Citizen receives invitation letter 6: RRN receives part of the eID 12: Civil servant starts eID card card activation code PUK1 activation procedure 7: CA receives certificate requests 13: eID card computes a signature 8: CA issues two new certificates with each private key, CA and issues new CRLs removes certificates from CRL Slide 17 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
18.
Citizen Certificate Details
Citizen Qualified certificate (~1000 bytes) Citizen Authentication certificate (~980 bytes) Version: 3 (0x2) Version: 3 (0x2) Serial Number: Serial Number: 10:00:00:00:00:00:8d:8a:fa:33:d3:08:f1:7a:35:b2 10:00:00:00:00:00:0a:5d:9a:91:b1:21:dd:00:a2:7a Signature Algorithm: sha1WithRSAEncryption (1024 bit) Signature Algorithm: sha1WithRSAEncryption (1024 bit) Issuer: C=BE, CN=Citizen CA, SN=200501 Issuer: C=BE, CN=Citizen CA, SN=200501 Not valid before: Apr 2 22:41:00 2005 GMT Not valid before: Apr 2 22:40:52 2005 GMT Not valid after: Apr 2 22:41:00 2010 GMT Not valid after: Apr 2 22:40:52 2010 GMT Subject: C=BE, CN=Sophie Dupont (Signature), Subject: C=BE, CN=Sophie Dupont (Authentication), SN=Dupont, GN=Sophie SN=Dupont, GN=Sophie Nicole/serialNumber=60050100093 Nicole/serialNumber=60050100093 Subject Public Key Info: Subject Public Key Info: RSA Public Key: [Modulus (1024 bit): 4b:e5:7e:6e: … :86:17, RSA Public Key: [Modulus (1024 bit): cf:ca:7a:77: … :5c:c5, Exponent: 65537 (0x10001)] Exponent: 65537 (0x10001)] X509v3 extensions: X509v3 extensions: Certificate Policies: Certificate Policies: m Belgiu Policy: 2.16.56.1.1.1.2.1 Policy: 2.16.56.1.1.1.2.2 A Root C CPS: http://repository.eid.belgium.be http://repository.eid.belgium.be CPS: http://repository.eid.belgium.be http://repository.eid.belgium.be Key Usage: critical, Non Repudiation Key Usage: critical, Digital Signature Authority Key Identifier: [D1:13: … :7F:AF:10] Authority Key Identifier: [D1:13: … 7F:AF:10] Citizen Gov CRL Distribution Points: CRL Distribution Points: CA CA URI:http://crl.eid.belgium.be/eidc0002.crl URI:http://crl.eid.belgium.be/eidc0002.crl Netscape Cert Type: S/MIME Netscape Cert Type: SSL Client, S/MIME Authority Information Access: Authority Information Access: CA Issuers - URI:http://certs.eid.belgium.be/belgiumrs.crt CA Issuers - URI:http://certs.eid.belgium.be/belgiumrs.crt OCSP - URI:http://ocsp.eid.belgium.be OCSP - URI:http://ocsp.eid.belgium.be Qualified certificate statements: [00......F..] Signature: [74:ae:10: … :e0:91] Signature: [10:ac:04: … :e9:04] Slide 18 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
19.
Today’s eID Card
Applications Belgian eID Card Technicalities Slide 19 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
20.
Today’s eID Card
Applications eGovernment eCommerce Official document requests Online opening of new account Marital status, Birth certificate,… certificate,… Digital Rights Management Access to RRN database Qualified signature Contract signing eTax eBanking Tax form declaration + consultation Online mortgage request eJustice eMail Electronic submission of conclusions in court cases Registered mail Authenticated email eAccess Client authentication for web servers eWork Access control, e.g., container park, Time registration library, swimming pool,… pool,… eAdministration eMove Data capture Water invoices Car matriculation registration Energy contracts Signing eForms Signing PDFs eLogin Windows Gina, Vista, Citrix eHealth Access to patient file Slide 20 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
21.
eID Card Chip
Specifications Cryptoflex JavaCard 32K Belgian eID Card Java Applet CPU (processor): 16 bit Microcontroller Java Card API f Interpreter Crypto-processor: Card 1100 bit Crypto-Engine Manager Java Card Virtual Machine (RSA computation) Basic Operating System 112 bit Crypto-Accelerator (DES computation) Infineon Chip SLE66CX322P ROM (OS): 136 kB (GEOS Java Virtual Machine) EEPROM (Application + Data): 32 KB (Cristal Applet) RAM (memory): 5 KB Crypto ROM (DES,RSA) (Operating System) Standard - ISO/IEC 7816 EEPROM Format & Physical Characteristics (File System= I/O ⇔ Bank Card (ID1) applications + data) CPU Standard Contacts & Signals ⇔ RAM RST, GND, CLK, Vpp, Vcc, I/O (Memory) Standard Commands & Query Language (APDU) Slide 21 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
22.
eID Card Middleware Windows
Non Win BelPIC PKCS#15 file system for ID applications Generic Generic Specific Apps Apps Apps All eID-related data (certificates, photo, address, identity files,…) MS-CSP No key management (Microsoft PKCS#11 standard interface to crypto interface) tokens PKCS#11 Abstraction of signing functions (Certificate & Keys (authentication, digital signatures) Management) Access to certificates PKCS#15 PIN Available for Unix, Windows, MacOSX,… (pin logic OpenSC CSP for Microsoft Platforms library) (Generic SC Interface) Only keys & certificates available via DLL PC/SC MSCrypto API (C-reader (Generic SC Allows authentication (& signature) DLL) Reader Interface) For Microsoft Explorer, Outlook,… Driver (Specific SC Reader Interface) I/O Slide 22 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
23.
Typical Smartcard Architecture
Citizen’s Computer System Browser Keyboard PCSC Mouse,… Display Look Smartcard Reader ISO PIN Pad Feel 7816 Slide 23 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
24.
PIN Entry…
Belgian eID Card Technicalities Slide 24 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
25.
Various Authentication Interfaces
Authentication of a transaction, client authentication, digital signature,… requires a PIN to be presented to reflect the cardholder’s consent Low Level of Confidence High Slide 25 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
26.
Terrifying Window
PIN entry Window Your eID card is about to create a qualified signature Enter your PIN for qualified signatures: ****** Slide 26 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
27.
Typical Use Cases
Belgian eID Card Technicalities Slide 27 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
28.
Using an Authentication
Certificate Case study: Alice visits a website which uses client authentication 1. 2. PIN Browser eID card 3. Web Site Citizen Alic 4. e Alic 5. e The web server Alice visits sends a The browser sends the hashed challenge 1. 3. random challenge to her browser to Alice’s eID card to sign it Alice confirms she wants to log in on the The browser retrieves the signature and 2. 4. web site by presenting her PIN to her Alice’s certificate from her eID card eID card and authorizes the signature The web server receives Alice’s 5. generation signature and certificate Slide 28 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
29.
Signature Generation/Verification
Bob 10 Hash 1 9 11 Alic Alic e Hash e PIN 11 4 3 2 Signature Verification 6 Engine 8 11 Signature 5 OCSP 12 Creation Engine A lic e 7 CRL P Alice 1. Compute hash of message 6. Retrieve signer certificate 10. Compute hash on received message 2. Prepare signature 7. Verify the certificate’s revocation status 11. Verify digital signature 3. Present user PIN 8. Retrieve public key from signer certificate 12. SVD outputs ‘valid signature’ 4. SCD generates digital signature 9. Retrieve digital signature on the message or ‘invalid signature’ 5. Collect digital signature Beware – Bob should validate Alice’s certificate – Beware Slide 29 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
30.
Signature Generation Steps
Alice’s application Calculates the cryptographic hash 1. on the data to be signed Prepares her eID card to generate 2. an authentication signature or to 1 generate a non-repudiation signature Alic e hash PIN Alice presents her PIN to her eID 3. card 4 3 2 Her card generates the digital 4. signature on the cryptographic 5 Signature hash Creation Engine The application collects the digital 5. signature from her eID card P Alice Bob receives an envelope with a digitally signed message and a certificate Slide 30 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
31.
Signature Verification Steps Bob
Retrieves the potential sender’s Bob 6. certificate 10 hash Verifies the certificate’s 7. revocation status 9 11 Alic Extracts Alice’s public key from e 8. 11 her certificate Signature Retrieves the signature from the Verification 9. 6 Engine 8 message 11 Calculates the hash on the 10. OCSP 12 received message Alic e 7 Verifies the digital signature 11. CRL with the public key and the hash If the verification succeeds, Bob 12. knows that the eID card of Alice was used to produce the digital signature “The message comes from Alice” is a business decision Slide 31 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
32.
eID full CRL
sizes A CRL is valid for seven days after it is issued A new CRL is issued together with a new Delta CRL A Delta CRL refers to a particular Base CRL which is always younger than 7 days OCSP queries the database with the most recent certificate status information OCSP = Online Certificate Status Protocol Slide 32 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006 Frequently updated graphs available at http://www.godot.be
33.
Signing Key Pair
Properties Private signing key only available to the signer Signer explicitly authorizes the Signature Creation Engine to generate a digital signature with the signing key, e.g., by presenting a PIN (personal identification number, cfr. Bank cards) Signer protects the hash of his/her message with his/her signing key Verifier recovers this hash correctly only if the right verification key is used Private signing key corresponds to the public verification key If the Signature Verification Engine (SVE) outputs ‘valid signature’, the verification key corresponds to the signing key If the SVE outputs ‘invalid signature’ the triplet (message, digital signature, verification key) does not match: The message may have been altered The verification key may be wrong, i.e., does not correspond to the signing key The certificate of the signer may have been revoked (or suspended) Private signing key is kept in the smartcard Public verification key usually accompanies the digital signature Integrity of the verification key is protected through the signer’s certificate Slide 33 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
34.
Archiving Signed Data
m Belgiu CA Root Digital signatures remain valid forever if one stores: The digitally signed data The digital signature on the data Citizen CA The signer’s certificate A proof of validity of the signer’s certificate The verification timestamp of the signature Alic e Bottom line: The integrity of this data should be protected! There is no need to retrieve the status of a certificate in the past! Protect your proofs in a digital vault Alic e Slide 34 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
35.
Signature & Certificate
Validation Belgian eID Card Technicalities Slide 35 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
36.
Signature Validation A digital
signature protects the integrity of information Alic e A digital signature computed on some data is valid if and only if Message The signature verification engine confirms that the hash Data value computed on the data matches the digital signature when applying the signature verification mechanism using the public key found in the corresponding certificate The certificate is valid (cfr. next slide) Hash value All the key usage and certificate policies of the certificates in the certificate chain match the context wherein the data hash is used (e.g., code signing, client authentication, server authentication,…) Digital signature Caveat: When was this signature computed? Revoked ≠ Invalid Public key Keep a log of valid signatures Signer certificate Hash function features: Given a hash value of a document: hard to find a document with that hash value that Given a document and its hash value: hard to find a second document with the same hash value document Hard to find two distinct documents that have an identical hash value Alic e Slide 36 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
37.
Certificate (Chain) Validation
A certificate protects the identity of the holder of the corresponding private key Given a self-signed certificate Root CA protects the CA certificate which is used to Self- validate a non-CA certificate signed A Root C A certificate Cert is valid if and only if The certificate’s digital signature is (cryptographically) valid given the certificate issuer’s certificate certificate’ issuer’ (CA certificate) The certificate issuer’s certificate is valid (using that certificate’s issuer certificate. This may be the issuer’ certificate’ same certificate if self-signed) self- The time of certificate validation lies within the validity period of all these certificates All certificate extensions must match the respective profiles and key usages None of these certificates is known as invalid, i.e., CA Their serial numbers have not been revoked Check the revocation status of a certificate using CRLs or OCSP Depending on the required security level, one may decide to rely on the OCSP, or on a local CRL level, copy, or on a local CRL copy in combination with a recent Delta CRL Offline validation is possible using CRL, preferably combined with Delta CRL with OCSP (Online Certificate Status Protocol) requires a live network connection network Cert Certificate chain is linked with the CRLs through the Authority Key Identifier Valid ≠ Trustworthy One should check whether the self-signed (Root CA) certificate can be trusted self- Slide 37 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
38.
Certificate Revocation Lists
(CRLs) Complete CRL Enumerates all certificate serial numbers that should not be trusted Typically (very) large, e.g., >500 Kbytes “NextUpdate” 7 days after creation Full Full Full Full Full Certificates of new eID cards Appear as on hold Disappear when activated Suspended certificates appear as on hold for up to 7 days Complete CRLs Items without reason code remain revoked forever One complete CRL is referred to as the Base CRL Delta CRL Lists all differences between the current complete CRL and the current Base CRL ∆ Typically small, e.g., <25 Kbytes ∆ “NextUpdate” 7 days after creation ∆ Reason codes: Base Full Base Full On hold ― newly issued eID card certificate is not yet activated, Full or has been suspended Remove from CRL ― eID card certificate has been activated None ― eID card certificate has been revoked Delta CRLs vs. Base CRL Slide 38 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
39.
OCSP vs. CRLs
– ‘‘Is the certificate valid?’’ Two options to make this business decision: Do it yourself and use CRLs and Delta-CRLs Trust a third party and use OCSP Use the Online Certificate Status Protocol (OCSP) where a trusted OCSP Responder answers the question with either ‘‘yes’’, ‘‘no’’, or ‘‘I do not know’’ Remaining issues: An OCSP Responder may use the most recent certificate status information (CSI) An OCSP Responder does not have to use the most recent CSI! The Responder typically uses CRLs to produce its answers How to trust the OCSP Response? Ideal for a few situations: If only a few certificates per time unit must be validated E.g., for citizens who wish to validate a certificate ‘‘from time to time’’ ‘‘from time’’ To authenticate high-impact transactions E.g., cash withdrawal, account closure, physical or electronic access control access Certificate Revocation Lists (CRLs) The digital signature verifier collects the (most recent) CRLs for the certificates in the certificate chain These CRLs may become extremely large (e.g., several megabytes) Delta-CRLs Delta-CRLs may be very large (e.g., half a megabyte) Delta-Delta CRLs Note: Delta-Delta-CRLs are typically a few kilobytes each, but there is no standard… Delta- Delta- standard Slide 39 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
40.
Summary on Validity
Statuses Digital Signature CRL, OCSP Response Valid Valid Invalid Invalid m Belgiu Gov A Root C CA Expired eID Card (Signature Certificate Creation Device) Valid Non- Auth rep Cert Cert Valid Invalid Suspended Invalid Revoked Suspended Expired Revoked Unknown Expired Slide 40 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
41.
Signature Validity Over
Time Belgian eID Card Technicalities Slide 41 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
42.
Signature Validity ABCDE
FGHI JK Time Certificates expire Signature verification eID card expires Signature generation eID card activation [CJ]: New valid signatures may be generated eID certificates stored [AC], [K,∞[: All signature verifications fail in eID card [J,∞[: Illegal to generate new signatures eID card initialization [C,∞[: Signatures can be legally binding if verified in [CJ[ Slide 42 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
43.
Signature Validity with
Revocation ABCDE FGHI JK Time Revoked certificate Signature Certificates expire Suspended certificate verification eID card expires Incident eID card Signature Last valid signature before the incident activation generation [GH]: Signatures created in [GI] should be invalid, H may be equal to I [I,∞[: Illegal to generate new signatures [CG[: New valid signatures may be generated [AC], [H,∞[: Signature verification returns invalid [CF]: Signatures validated before F may be valid forever Slide 43 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
44.
Long Term Signatures Alice
produces a digital signature on data D that will resist time: Alice collects a time stamp t1 from a trusted third party (TTP) Alice produces a digital signature SAlice(D,t1) on the time stamp t1 and the data D TTP validates a digital signature SAlice(D,t1) at time t2 TTP computes a digital signature STTP(SAlice(D,t1),t2) if and only if the TTP Has validated Alice’s digital signature, and Confirms that the signature and Alice’s full certificate chain was valid at time t2 Alice can now indefinitely rely on STTP(SAlice(D,t1),t2), even if her certificate must be revoked, e.g., at time t3 (after t2), or if her certificate expires t1 SAlice(D,t1) t2 STTP(SAlice(D,t1),t2) t3 Time Note: This procedure assumes that no cryptographic weaknesses are discovered in the signature generation and validation algorithms and procedures Slide 44 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
45.
eID Test Cards
& Shop Belgian eID Card Technicalities Slide 45 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
46.
eID Shop (1/2)
http://www.eid-shop.be Slide 46 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006 Data used without explicit authorization from Certipost/Zetes
47.
eID Shop (2/2)
1035 € eID Development Toolkit 735 € eID Starter Kit premium + option eID Starter Kit Premium 130 € eID Starter Kit Light 85 € •1 smart card with a pair of valid certificates •3 pair of soft certificates (expired, revoked and suspended) + eID tested smart card reader + 3 additional smart cards with certificates (revoked, suspended and expired) 250 € eID Yearly Versioning Service 4 eID test cards, yearly update + eID development tools (JAVA crypto library, sample codes, documentation, …) Slide 47 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006 Data used without explicit authorization from Certipost/Zetes
48.
Summary – Good
To Know (1/2) An eID card is valid for 5 years Signing functions of an eID card issued to minors (<18 years) is not activated Any citizen can ask to deactivate the authentication and signature functions Once deactivated, always deactivated Professional groups can request an eID card, even before their local municipality has become eID-enabled 24/7 helpdesk is available In case of loss, theft or destruction of an eID card An eID card is first suspended before it is irreversibly revoked Phone: 02/518.21.17 (Dutch), 02/518.21.16 (French) Fax: 02/518.25.21 Email: helpdesk@rrn.fgov.be Slide 48 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
49.
Summary – Good
To Know (2/2) All electronic signatures can be used as an alternative for a handwritten signature, given that one can prove that the signature corresponds to something which only the author of the content to be signed could create A judge may ask: ‘‘Is this handwritten signature yours?’’ ‘‘Did you sign this electronic data?’’ Everyone older than 14 must carry his/her (e)ID card The qualified electronic signature is the only type of signature that will automatically be given the same legal value as a handwritten signature A qualified signature is an advanced electronic signature based on a qualified certificate and produced by a secure signature creation device Slide 49 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
50.
That’s it…
Belgian eID Card Technicalities Slide 50 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
51.
Questions? Belgian eID card
information on the Internet http://eid.belgium.be http://www.rijksregister.fgov.be http://www.fedict.be http://www.belgium.be http://www.cardreaders.be Test cards can be ordered at http://www.eid-shop.be Source code examples are available at http://www.belgium.be/zip/middleware_source_code_nl.html http://www.belgium.be/zip/middleware_source_code_fr.html Myself Danny.DeCock@esat.kuleuven.be keywords: “godot eID” http://godot.be Yourself https://www.mijndossier.rrn.fgov.be https://www.mondossier.rrn.fgov.be https://www.meindossier.rrn.fgov.be Slide 51 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
52.
Backup Slides
Belgian eID Card Technicalities Slide 52 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
53.
eID Card Administration Mutual
authentication of the card and the external party Role-based access control Supported roles: 1: delete/create files: data, keys, certificates 2: create files: data, keys, certificates 3: generate new key pairs 4: store new citizen certificates 5: store new Root CA certificate 7: update citizen address or identity file 8: store the Role-CA’s new public key Slide 53 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
54.
Comparing eID and
Bank Card Functionalities Customer Identification Citizen Identification Data Capture Data Capture Authentication Strong Authentication Electronic Transactions Authentication ATM Transactions Digital Signatures Electronic Purse eID Card Access Control Access Control Self-Bank Container Park, Swimming Pool, Library,… Slide 54 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
55.
eID & Bank
Cards Crypto 2 Citizen Key Pairs Transactions with vending machines, ATMs, phone booths, Citizen-authentication parking meters,… X.509v3 authentication certificate MAC-based use chip card Advanced electronic (non- Home banking repudiation) signature MAC-based X.509v3 qualified certificate Family of secret master keys Can be used to produce digital Uses chip card or Digipass signatures equivalent to MAC authenticates login, handwritten signatures, cfr. transaction European Directive 1999/93/EC PKI-based 1 eID Card-specific Key Pair Closed user group PKI eID card authentication (basic Key pair stored in key file or key pair) smart card No corresponding certificate: Banking organization issues RRN (Rijksregister/Registre certificate National) knows which public key corresponds to which eID Digital signature authenticates card login, transaction Slide 55 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
56.
CA Certificate Details
Root CA certificate (920 bytes) CA certificate (975 bytes) Version: 3 (0x2) Version: 3 (0x2) Serial Number: Serial Number: 58:0b:05:6c:53:24:db:b2:50:57:18:5f:f9:e5:a6:50 6f:77:79:33:30:25:e3:cf:92:55:b9:7a:8a:0b:30:e5 Signature Algorithm: sha1WithRSAEncryption (2048 bit) Signature Algorithm: sha1WithRSAEncryption (2048 bit) Issuer: C=BE, CN=Belgium Root CA Issuer: C=BE, CN=Belgium Root CA Not valid before: Jan 26 23:00:00 2003 GMT Not valid before: Apr 10 12:00:00 2003 GMT Not valid after : Jan 26 23:00:00 2014 GMT Not valid after : Jun 26 23:00:00 2009 GMT Subject: C=BE, CN=Belgium Root CA Subject: C=BE, CN=Citizen CA Subject Public Key Info: Subject Public Key Info: RSA Public Key: [Modulus (2048 bit): 00:c8:a1:71: … :b0:6f, RSA Public Key: [Modulus (2048 bit): 00:c9:ae:05: … :cb:71, Exponent: 65537 (0x10001)] Exponent: 65537 (0x10001)] X509v3 extensions: X509v3 extensions: Certificate Policies: Certificate Policies: Policy: 2.16.56.1.1.1 Policy: 2.16.56.1.1.1.2 CPS: http://repository.eid.belgium.be CPS: http://repository.eid.belgium.be Key Usage: critical, Certificate Sign, CRL Sign Key Usage: critical, Certificate Sign, CRL Sign Subject Key Identifier: [10:F0: … :8E:DB:E6] Subject Key Identifier: [D1:13: … :7F:AF:10] Authority Key Identifier: [10:F0: … :8E:DB:E6] Authority Key Identifier: [10:F0: … :8E:DB:E6] CRL Distribution Points: URI:http://crl.eid.belgium.be/belgium.crl Netscape Cert Type: SSL CA, S/MIME CA, Object Signing CA Netscape Cert Type: SSL CA, S/MIME CA, Object Signing CA Basic Constraints: critical, CA:TRUE Basic Constraints: critical, CA:TRUE, pathlen:0 m Belgiu A Root C Signature: [c8:6d:22: … :43:2a] Signature: [b2:0c:30: … :18:6e] Citizen Gov CA CA Slide 56 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
57.
Government Certificate Details
Government CA certificate (~979 bytes) RRN certificate (~808 bytes) Version: 3 (0x2) Version: 3 (0x2) Serial Number: Serial Number: 99:6f:14:78:8e:ea:69:6a:3d:2e:93:42:81:2b:66:f0 01:00:00:00:00:00:f8:20:18:9e:17 Signature Algorithm: sha1WithRSAEncryption (2048 bit) Signature Algorithm: sha1WithRSAEncryption (1024 bit) Issuer: C=BE, CN=Belgium Root CA Issuer: C=BE, CN=Government CA Not valid before: Jan 27 00:00:00 2003 GMT Not valid before: Oct 9 09:06:09 2003 GMT Not valid after: Jan 27 00:00:00 2009 GMT Not valid after: Jan 26 09:06:09 2009 GMT Subject: C=BE, CN=Government CA Subject: C=BE, CN=RRN, O=RRN Subject Public Key Info: Subject Public Key Info: RSA Public Key: [Modulus (2048 bit): 00:ac:c9:a0: … :89:13, RSA Public Key: [Modulus (1024 bit): 00:db:72:4d: … :80:0d, Exponent: 65537 (0x10001)] Exponent: 65537 (0x10001)] X509v3 extensions: X509v3 extensions: Certificate Policies: Certificate Policies: Policy: 2.16.56.1.1.1.3 Policy: 2.16.56.1.1.1.3.1 CPS: http://repository.eid.belgium.be http://repository.eid.belgium.be CPS: http://repository.eid.belgium.be http://repository.eid.belgium.be Key Usage: critical, Certificate Sign, CRL Sign Key Usage: critical, Digital Signature, Non Repudiation Subject Key Identifier: [F5:DB: … :D1:8B:D6] Subject Key Identifier: [09:22: … :30:01:37] Authority Key Identifier: [10:F0: … :8E:DB:E6] Authority Key Identifier: [F5:DB: … :D1:8B:D6] CRL Distribution Points: CRL Distribution Points: URI:http://crl.eid.belgium.be/belgium.crl URI:http://crl.eid.belgium.be/government.crl Netscape Cert Type: SSL CA, S/MIME CA, Object Signing CA Basic Constraints: critical, CA:TRUE, pathlen:0 m Belgiu A Root C Signature: [a0:53:21: … :1d:c9] Signature: [12:89:cd: … :ca:2a] Citizen Gov CA CA Slide 57 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
58.
Certificate Revocation List
details Citizen CRL (+500 Kbyte) Citizen Delta CRL (~15 Kbyte) Version 2 (0x1) Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption (2048 bit) Signature Algorithm: sha1WithRSAEncryption (2048 bit) sha1WithRSAEncryption Issuer: C=BE, CN=Citizen CA Issuer: C=BE, CN=Citizen CA Creation date: Apr 6 15:19:23 2004 GMT Creation date: Apr 8 17:43:14 2004 GMT Next update: Apr 13 15:19:23 2004 GMT Next update: Apr 15 17:43:14 2004 GMT CRL extensions: CRL extensions: Authority Key Identifier: [D1:13: ... :7F:AF:10] Authority Key Identifier: [D1:13: ... :7F:AF:10] CRL Number: 4294995040 CRL Number: 4294995072 Delta CRL Indicator: critical, 4294995040 Revoked Certificates: Revoked Certificates: Serial Number: 1000000000000004B823FAE7B1BB44B1 Revocation Date: Jan 14 12:56:50 2004 GMT Serial Number: 100000000000007E5B11506303959320 CRL Reason Code: Certificate Hold Revocation Date: Apr 8 16:33:23 2004 GMT Serial Number: 10000000000000062F6A1BB1431902D4 CRL Reason Code: Certificate Hold Revocation Date: Oct 23 23:15:11 2003 GMT Serial Number: 100000000000091ACC84FC377F8A6ECE CRL Reason Code: Certificate Hold Revocation Date: Apr 8 16:55:14 2004 GMT Serial Number: 100000000000001243778BEFF61123DE CRL Reason Code: Remove From CRL Revocation Date: Jan 12 10:19:24 2004 GMT Serial Number: 100000000000127BE2DA18842E8A7BAC Serial Number: 10000000000000125DC2DF2031534033 Revocation Date: Apr 8 15:20:13 2004 GMT Revocation Date: Sep 5 09:49:44 2003 GMT CRL Reason Code: Remove From CRL Serial Number: 100000000000091ACC84FC377F8A6ECE Serial Number: 1000000000001902ECF11657FE2813A5 m Belgiu Revocation Date: Dec 16 17:24:15 2003 GMT Revocation Date: Apr 8 16:29:54 2004 GMT A Root C CRL Reason Code: Certificate Hold Serial Number: 100000000000FDFF72C4E59AD46AFC21 Serial Number: 100000000000092135CE8FB8F0D66093 Revocation Date: Apr 8 17:33:31 2004 GMT Revocation Date: Nov 13 17:18:49 2003 GMT CRL Reason Code: Remove From CRL …. Serial Number: 100000000000FE6A4ACD4ECF04233442 Citizen Gov Revocation Date: Apr 8 15:32:38 2004 GMT CA CA … Signature: [95:19:b2: ... :21:31] Signature: [64:20:22: ... :c3:5e] Slide 58 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
59.
Decryption vs Signing Alice
encrypts data for Bob Alice signs data using her using his encryption key private signing key Bob decrypts the message Bob validates Alice’s with his private signature with her public decryption key verification key Initial step: Alice must fetch Single step: Alice pushes Bob’s encryption certificate her certificate to Bob beforehand Backups of a signing key Decryption key should be compromise non- backed up to deal with repudiation properties “emergencies” Slide 59 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
60.
No need for
encryption certificates! Alice sends a digitally signed message to Bob Alic Alice Bob e Bob asks Alice’s encryption key Give me Alice’s authentic encryption key Bob Alic e E Bob sends an encrypted message Alice Slide 60 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
61.
Cryptographic Primitives These slides
can be downloaded at http://godot.be recently presented slides Belgian eID Card Technicalities Slide 61 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
62.
Typical Secure Communications
Message Alice Bob Requirements: Confidentiality: nobody other than Alice and Bob should be able to get access to the Message Integrity of data: Bob must be sure that the Message is not altered while in transit Authenticity of sender: Bob must be sure that the Message is sent by Alice Methods: Confidentiality: encryption Data integrity and sender’s authenticity: digital signature Slide 62 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
63.
Symmetric Encryption
Ciphertext Alice Bob Alice and Bob share a symmetric encryption key Alice produces the Cipher text given her Message and the symmetric encryption key sends the Cipher text over an insecure network Bob recovers the actual Message applying the symmetric encryption key to the Cipher text Slide 63 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
64.
Asymmetric Encryption
Ciphertext Alice Bob Bob has a public encryption key and a private decryption key Alice uses Bob’s public encryption key Alice produces the Cipher text given her Message and Bob’s public encryption key sends the Cipher text over an insecure network Bob recovers the Message by applying his private decryption key to the Cipher text Slide 64 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
65.
Asymmetric Authentication Mechanism
Message, Digital Signature Alice Bob Alice has a public verification key and a private signing key Bob uses Alice’s public verification key Alice produces a Digital signature on the Message using her private signing key sends the Message together with the Digital signature over an insecure network Bob receives Message and verifies the Digital signature using Alice’s public verification key Slide 65 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
66.
Symmetric Authentication Mechanism
Message, MAC Alice Bob Alice and Bob share a secret key Both Alice and Bob can compute a valid MAC using that key Alice produces a MAC on the Message using her secret key sends the Message together with the MAC over an insecure network Bob receives Message and verifies the MAC using the secret key he shares with Alice Slide 66 Belgian eID Card Technicalities MAC = Message Authentication Code © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
67.
European Directive 1999/93/EC
Belgian eID Card Technicalities Slide 67 © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
68.
European Directive 1999/93/EC Intention Definitions Requirements
Annex I ― qualified certificates Annex II ― certificate service provider Annex III ― secure signature creation device Recommendations Annex IV ― signature verification Slide 68 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
69.
Directive – Intention
An advanced electronic signature (i.e., a signature which is 1. linked to (s)he who created it using a signature creation device which only (s)he can control) satisfies the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and is admissible as evidence in legal proceedings Legislation on handwritten signatures can easily be recycled!! An electronic signature is not denied legal effectiveness 2. and admissibility as evidence in legal proceedings solely on the grounds that it is: in electronic form, or 1. not based upon a qualified certificate, or 2. not based upon a qualified certificate issued by an accredited 3. certification-service-provider, or not created by a secure signature-creation device 4. Slide 69 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
70.
Directive – Definitions Electronic
signature: data in electronic form attached to or logically associated with other electronic data and which serve as a method of authentication Advanced electronic signature: an electronic signature which meets the requirements that it is uniquely linked to the signatory 1. it is capable of identifying the signatory 2. it is created using means that the signatory can maintain under his sole control, and , 3. it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable that 4. Signatory: a person who holds a signature-creation device and acts either on his own behalf or on behalf of the natural or legal person or entity he represents Signature-creation data: unique data, such as private cryptographic keys, which are used by the signatory to create an electronic signature Signature-creation device: configured software or hardware to produce the signature-creation data Secure-signature-creation device: a signature-creation device which meets the requirements specified in Annex III Signature-verification-data: data, such as public cryptographic keys, which are used for the verification of an electronic signature Certificate: an electronic attestation which links signature-verification data to a person and confirms the identity of that person Qualified certificate: a certificate which meets the requirements in Annex I and is provided by a certification-service-provider who fulfils the requirements in Annex II Certification-service-provider: an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures Slide 70 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
71.
Annex I –
Qualified Certificates Conditions Requirements for qualified certificates Qualified certificates must contain: an indication that the certificate is issued as a qualified certificate 1. the identification of the certification-service-provider and the State in which it is 2. established the name of the signatory or a pseudonym, which shall be identified as such 3. provision for a specific attribute of the signatory to be included if relevant, depending 4. on the purpose for which the certificate is intended signature-verification data which correspond to signature-creation data under the 5. control of the signatory an indication of the beginning and end of the period of validity of the certificate 6. the identity code of the certificate 7. the advanced electronic signature of the certification-service-provider issuing it 8. limitations on the scope of use of the certificate, if applicable; and 9. limits on the value of transactions for which the certificate can be used, if applicable 10. Slide 71 Belgian eID Card Technicalities © K.U.Leuven/ESAT/COSIC, http://www.esat.kuleuven.be/cosic 9 October 2006
Jetzt herunterladen