poster on belgian eID cards
Belgian Electronic Identity Cards

eID Card Functions
[Diagram: the chip holds PKI data and citizen identity data (the ID, ADDRESS, RRN and SIGNATURE files) and supports four functions: Authentication, Digital Signature, Data capture and International Travel Document. RRN = Rijksregister / Registre National. Trust anchors shown: RRN, Root CA, CA,…]

Signature Generation/Verification
[Diagram: Alice's Signature Creation Engine (hash, PIN) and Bob's Signature Verification Engine (OCSP, CRL), with the steps numbered 1 to 12 as listed below.]
1. Compute hash of message
2. Prepare signature
3. Present user PIN
4. SCD generates digital signature
5. Collect digital signature
6. Retrieve signer certificate
7. Verify the certificate's revocation status
8. Retrieve public key from signer certificate
9. Retrieve digital signature on the message
10. Compute hash on received message
11. Verify digital signature
12. SVD outputs 'valid signature' or 'invalid signature'
Beware – Bob should validate Alice's certificate – Beware

Issuing Process
[Diagram: numbered arrows (0) to (13) between Citizen, Municipality (face to face identification), National Register (RRN), Card Personalizer (CP), Card Initializer (CI), Certification Authority (CA) and Belgium Root CA; the Root CA publishes an ARL, the CAs publish CRLs, and the citizen receives the PIN & PUK.]

Certificate Hierarchy
[Diagram: Belgium Root CA above the Gov CA, Citizen CA and Card Admin CA; end-entity certificate types shown: Card Admin Cert, Auth Cert, NonRep Cert, Server Cert, Code Sign Cert, RRN Cert; the Root CA publishes an ARL and each CA a CRL.]

Why Introducing an eID Card?
• Every Belgian citizen gets a tool to
– Authenticate him/herself via email, SSL/TLS,…
– Create digital signatures equivalent to handwritten signatures, e.g., to sign contracts electronically
• Benefits
– Nation-wide PKI reduces the need to deploy closed user group PKIs
– Avoids updating legislation referring to handwritten signatures
– Improved security and confidence in remote transactions
– Simplification of administrative tasks through faster data capture
– Home-government: consult your own files with the government, fill out tax declarations,…
– Digital signatures protect electronic content
– Certificates link digital signatures to citizens
– The new eID card is smaller than the previous ID card
– Address changes do not necessitate issuing a new eID card
• Risks
– Privacy
– Market distortion
– Interoperability at European level

Typical Smartcard Architecture
[Diagram: Citizen's Computer System (keyboard, mouse,…, browser, look & feel, display, PC/SC layer), smartcard reader with PIN pad, ISO 7816 interface to the card.]

Visual Identity Information
Front:
• Name
• First two names
• First letter of 3rd name
• Title
• Nationality
• Birth place and date
• Gender
• Card number
• Photo of the holder
• Begin and end validity dates of the card
• Hand written signature of the holder
Back:
• Place of delivery of the card
• National Register identification number
• Hand written signature of the civil servant
• Main residence of the holder (cards produced before 1/1/2004)
• ICAO (cards produced since 1/1/2005)

Quick Summary Belgian eID
• Initiated in 1999
– Massive rollout started end of October 2004
– Currently about 1.4 million cards produced
– About 1 million eID cards activated
• 588 of the 589 municipalities already activate eID cards
• eID card can be used to
– Authenticate the cardholder
– Create digital (non-repudiation) signatures
– Capture citizen data electronically
– Visually identify the citizen
• Chip contains administrative data (photo, address, cardholder identity, national number,…)
• Card is valid for 5 years after production
• All Belgian citizens (+12 years) will have obtained an eID card by end of 2009

PKI Content – Keys & Certificates
• 2 key pairs for the citizen:
– Citizen-authentication
• X.509v3 authentication certificate
– Advanced electronic (non-repudiation) signature
• X.509v3 qualified certificate
• Can be used to produce digital signatures equivalent to handwritten signatures, cf. European Directive 1999/93/EC
• 1 key pair for the card:
– eID card authentication (basic key pair)
• No corresponding certificate: RRN (Rijksregister/Registre National) knows which public key corresponds to which eID card

Who Gets an eID Card?
• A new eID card is issued to
– New inhabitants
– Every youngster at the age of 12
– People changing from one address to another in the local municipality
– Replace a lost, stolen, damaged or expired (e)ID card
– Adjust the citizen's picture
– Every citizen who asks to replace his/her old ID card
– Every citizen who changes his/her name, gender,…

Belgium Issuing eID Cards
• 6.000 cards produced and activated per working day during nationwide deployment
• 4.500 cards produced and issued per month during pilot phase
• 588 out of 589 municipalities issue eID cards
• Target groups
– Medical doctors, lawyers, eID software companies,…

The Belgian eID Card…
• Uses on-board key pair generation
– Private keys cannot leave the eID card
– Key pair generation is activated during the initialization of the eID card
• Uses JavaCard technology
• Can be used with software/middleware
– free of charge
– provided by the Government
• Can only be managed by the Belgian government
– Citizen identity/address data is read/write for the National Registry only
– eID card refuses update attempts from other parties than the government

Citizen Certificate Details
Citizen Qualified certificate (~1000 bytes)
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption (1024 bit)
Issuer: C=BE, CN=Citizen CA
Not valid before: Nov 12 22:41:00 2003 GMT
Not valid after: Nov 12 22:41:00 2008 GMT
Subject: C=BE, CN=Sophie Dupont (Signature), SN=Dupont, GN=Sophie Nicole/serialNumber=60021404665
X509v3 extensions: Key Usage: critical, Non Repudiation; Netscape Cert Type: S/MIME; Qualified certificate statements: [00......F..]

Citizen Authentication certificate (~980 bytes)
Version: 3 (0x2)
Signature Algorithm: sha1WithRSAEncryption (1024 bit)
Issuer: C=BE, CN=Citizen CA
Not valid before: Nov 12 22:40:52 2003 GMT
Not valid after: Nov 12 22:40:52 2008 GMT
Subject: C=BE, CN=Sophie Dupont (Authentication), SN=Dupont, GN=Sophie Nicole/serialNumber=60021404665
X509v3 extensions: Key Usage: critical, Digital Signature; Netscape Cert Type: SSL Client, S/MIME

Values shown for the pair of certificates (one per certificate where two are given):
Serial Number: 10:00:00:00:00:00:8d:8a:fa:33:d3:08:f1:7a:35:b2 and 10:00:00:00:00:00:0a:5d:9a:91:b1:21:dd:00:a2:7a
RSA Public Key: Modulus (1024 bit) [cf:ca:7a:77: … :5c:c5] and [4b:e5:7e:6e: … :86:17], Exponent: 65537 (0x10001)
Certificate Policies: Policy: 2.16.56.1.1.1.2.1 and Policy: 2.16.56.1.1.1.2.2, CPS: http://repository.eid.belgium.be
Authority Key Identifier: [D1:13: … :7F:AF:10] (Citizen CA, which chains to the Belgium Root CA)
CRL Distribution Points: URI:http://crl.eid.belgium.be/eidc0002.crl
Authority Information Access: CA Issuers URI:http://certs.eid.belgium.be/belgiumrs.crt; OCSP URI:http://ocsp.eid.belgium.be
Signature: [74:ae:10: … :e0:91] and [10:ac:04: … :e9:04]

References…
• http://www.fedict.be
• http://www.rijksregister.fgov.be
• http://eid.belgium.be
• http://www.eid-shop.be
• http://godot.be/eidforum