poster on belgian eID cards

Transcription

Belgian Electronic Identity Cards

[Diagram: eID Card Functions. Chip Content is split into PKI Data (RRN, Root CA, CA,…) and Citizen Identity Data (ID, ADDRESS, RRN, SIGNATURE). Functions shown: Authentication, Digital Signature, Data capture, International Travel Document. RRN = Rijksregister / Registre National.]
Signature Generation/Verification

[Diagram: Alice (signer) with Hash, PIN and Signature Creation Engine; Bob (verifier) with Hash, Signature Verification Engine, OCSP and CRL. Steps are numbered 1–12 as listed below.]

Alice (signature creation):
1. Compute hash of message
2. Prepare signature
3. Present user PIN
4. SCD generates digital signature
5. Collect digital signature

Bob (signature verification):
6. Retrieve signer certificate
7. Verify the certificate's revocation status
8. Retrieve public key from signer certificate
9. Retrieve digital signature on the message
10. Compute hash on received message
11. Verify digital signature
12. SVD outputs 'valid signature' or 'invalid signature'

(SCD = signature-creation device, SVD = signature-verification device, the terminology of Directive 1999/93/EC.)

Beware – Bob should validate Alice's certificate – Beware
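The verification side of the flow above, as an added example in Go that is not part of the poster: a constructed stand-in Citizen CA issues Alice two certificates that mirror the poster's key-usage split (Non Repudiation on the qualified certificate, Digital Signature on the authentication certificate), and Bob's check only accepts a signature made under the first; the OCSP/CRL revocation lookup of step 7 is omitted because it needs network access. The names issue, VerifySignature and Demo are my own, and the keys, certificates and message are constructed, not the card's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a fresh RSA key plus a certificate for it signed by signer under parent; parent == nil makes it self-signed (our constructed "Citizen CA").
func issue(serial int64, cn string, ku x509.KeyUsage, parent *x509.Certificate, signer *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{Country: []string{"BE"}, CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: ku, IsCA: parent == nil, BasicConstraintsValid: parent == nil}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer) // fixed templates: cannot fail here
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifySignature is Bob's side: steps 6, 8, 10 and 11 plus the poster's "Beware". Step 7 (OCSP/CRL revocation status) is left out as it needs network access.
func VerifySignature(msg, sig []byte, signer *x509.Certificate, roots *x509.CertPool) error {
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // Beware: Bob must validate Alice's certificate against a trusted root before using its key
	}
	if signer.KeyUsage&x509.KeyUsageContentCommitment == 0 { // only the qualified certificate carries Key Usage "Non Repudiation"
		return x509.CertificateInvalidError{Cert: signer, Reason: x509.IncompatibleUsage, Detail: "no Non Repudiation key usage"}
	}
	return signer.CheckSignature(x509.SHA256WithRSA, msg, sig) // steps 8, 10, 11: public key from certificate, hash message, verify PKCS#1 v1.5
}

// Demo signs a constructed message with both of Alice's keys (steps 1-5, which a real card performs on-chip after PIN entry) and returns Bob's two verdicts.
func Demo() (errQualified, errAuth error) {
	ca, caKey := issue(1, "Citizen CA", x509.KeyUsageCertSign, nil, nil)
	qualified, sigKey := issue(2, "Sophie Dupont (Signature)", x509.KeyUsageContentCommitment, ca, caKey)
	auth, authKey := issue(3, "Sophie Dupont (Authentication)", x509.KeyUsageDigitalSignature, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	msg := []byte("constructed sample contract text")
	h := sha256.Sum256(msg) // step 1: hash of the message
	sigQ, _ := rsa.SignPKCS1v15(rand.Reader, sigKey, crypto.SHA256, h[:])
	sigA, _ := rsa.SignPKCS1v15(rand.Reader, authKey, crypto.SHA256, h[:])
	return VerifySignature(msg, sigQ, qualified, roots), VerifySignature(msg, sigA, auth, roots)
}
```

Demo() is the entry point; the first returned error is nil and the second reports the incompatible key usage.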
Issuing Process / Certificate Hierarchy

[Diagram: certificate hierarchy and issuing flow, numbered (0) to (13). Parties: Citizen, Municipality, National Register (RRN), Card Initializer (CI), Card Personalizer (CP), Certification Authority (CA). Hierarchy: Belgium Root CA (publishing an ARL) above Citizen CA, Gov CA and Card Admin CA (each publishing a CRL). Certificates shown: Card Admin Cert, Admin Auth Cert, NonRep Cert, Server Cert, Code Sign Cert, RRN Cert. Also shown: Citizen PIN & PUK, Face to face identification. The arrows connecting steps (0)–(13) are not recoverable from this transcription.]
Why Introducing an eID Card?

• Every Belgian citizen gets a tool to
  – Authenticate him/herself via email, SSL/TLS,…
  – Create digital signatures equivalent with handwritten signatures, e.g., to sign contracts electronically
• Benefits
  – Nation-wide PKI reduces need to deploy closed user group PKIs
  – Avoids updating legislation referring to handwritten signatures
  – Improved security and confidence in remote transactions
  – Simplification of administrative tasks through
    – Faster data capture
    – Home-government: consult your own files with the government, fill out tax declarations,…
  – Digital signatures protect electronic content
  – Certificates link digital signatures to citizens
  – The new eID card is smaller than the previous ID card
  – Address changes do not necessitate issuing a new eID card
• Risks
  – Privacy
  – Market distortion
  – Interoperability at European level

Typical Smartcard Architecture

[Diagram: Citizen's Computer System (Browser, Keyboard, Mouse,…, Display, PCSC; "Look" and "Feel") connected to a Smartcard Reader with PIN Pad, which talks to the smartcard over ISO 7816.]
Visual Identity Information

Front:
• Name
• First two names
• First letter of 3rd name
• Title
• Nationality
• Birth place and date
• Gender
• Card number
• Photo of the holder
• Begin and end validity dates of the card
• Hand written signature of the holder

Back:
• Place of delivery of the card
• National Register identification number
• Hand written signature of the civil servant
• Main residence of the holder (cards produced before 1/1/2004)
• ICAO (cards produced since 1/1/2005)

Quick Summary Belgian eID

• Initiated in 1999
  – Massive rollout started end of October 2004
  – Currently about 1.4 million cards produced
  – About 1 million eID cards activated
• 588 of the 589 municipalities already activate eID cards
• eID card can be used to
  – Authenticate the cardholder
  – Create digital (non-repudiation) signatures
  – Capture citizen data electronically
  – Visually identify the citizen
• Chip contains administrative data (photo, address, cardholder identity, national number,…)
• Card is valid for 5 years after production
• All Belgian citizens (+12 years) will have obtained an eID card by end of 2009
PKI Content – Keys & Certificates

• 2 key pairs for the citizen:
  – Citizen-authentication
    • X.509v3 authentication certificate
  – Advanced electronic (non-repudiation) signature
    • X.509v3 qualified certificate
    • Can be used to produce digital signatures equivalent to handwritten signatures, cfr. European Directive 1999/93/EC
• 1 key pair for the card:
  – eID card authentication (basic key pair)
    • No corresponding certificate: RRN (Rijksregister/Registre National) knows which public key corresponds to which eID card
Who Gets an eID Card?

• A new eID card is issued to
  – New inhabitants
  – Every youngster at the age of 12
  – People changing from one address to another in the local municipality
  – Replace a lost, stolen, damaged or expired (e)ID card
  – Adjust the citizen's picture
  – Every citizen who asks to replace his/her old ID card
  – Every citizen who changes his/her name, gender,…
• Target groups
  – Medical doctors, lawyers, eID software companies,…

Belgium Issuing eID Cards

• 6.000 cards produced and activated per working day during nationwide deployment
• 4.500 cards produced and issued per month during pilot phase
• 588 out of 589 municipalities issue eID cards
The Belgian eID Card…

• Uses on-board key pair generation
  – Private keys cannot leave the eID card
  – Key pair generation is activated during the initialization of the eID card
• Uses JavaCard technology
• Can be used with software/middleware – free of charge – provided by the Government
• Can only be managed by the Belgian government
  – Citizen identity/address data is read/write for the National Registry
  – eID card refuses update attempts from parties other than the government
Citizen Certificate Details

[Diagram: Belgium Root CA, with Citizen CA and Gov CA beneath it.]

Citizen Qualified certificate (~1000 bytes)
Version: 3 (0x2)
Serial Number: (one of the two values listed below)
Signature Algorithm: sha1WithRSAEncryption (1024 bit)
Issuer: C=BE, CN=Citizen CA
Not valid before: Nov 12 22:41:00 2003 GMT
Not valid after: Nov 12 22:41:00 2008 GMT
Subject: C=BE, CN=Sophie Dupont (Signature), SN=Dupont, GN=Sophie Nicole/serialNumber=60021404665
Subject Public Key Info: RSA Public Key [Modulus (1024 bit), Exponent: 65537 (0x10001)]
X509v3 extensions:
Key Usage: critical, Non Repudiation
Certificate Policies: Policy (one of the two OIDs listed below), CPS: http://repository.eid.belgium.be
Qualified certificate statements: [00......F..]
Netscape Cert Type: S/MIME
Authority Key Identifier: [D1:13: … :7F:AF:10]
CRL Distribution Points: URI:http://crl.eid.belgium.be/eidc0002.crl
Authority Information Access: CA Issuers URI:http://certs.eid.belgium.be/belgiumrs.crt; OCSP - URI:http://ocsp.eid.belgium.be
Signature: (one of the two values listed below)

Citizen Authentication certificate (~980 bytes)
Version: 3 (0x2)
Serial Number: (one of the two values listed below)
Signature Algorithm: sha1WithRSAEncryption (1024 bit)
Issuer: C=BE, CN=Citizen CA
Not valid before: Nov 12 22:40:52 2003 GMT
Not valid after: Nov 12 22:40:52 2008 GMT
Subject: C=BE, CN=Sophie Dupont (Authentication), SN=Dupont, GN=Sophie Nicole/serialNumber=60021404665
Subject Public Key Info: RSA Public Key [Modulus (1024 bit), Exponent: 65537 (0x10001)]
X509v3 extensions:
Key Usage: critical, Digital Signature
Certificate Policies: Policy (one of the two OIDs listed below), CPS: http://repository.eid.belgium.be
Netscape Cert Type: SSL Client, S/MIME
Authority Key Identifier: [D1:13: … :7F:AF:10]
CRL Distribution Points: URI:http://crl.eid.belgium.be/eidc0002.crl
Authority Information Access: CA Issuers URI:http://certs.eid.belgium.be/belgiumrs.crt; OCSP - URI:http://ocsp.eid.belgium.be
Signature: (one of the two values listed below)

Per-certificate values shown on the poster (the transcription does not preserve which of the two certificates each belongs to):
Serial Numbers: 10:00:00:00:00:00:8d:8a:fa:33:d3:08:f1:7a:35:b2 and 10:00:00:00:00:00:0a:5d:9a:91:b1:21:dd:00:a2:7a
Certificate Policy OIDs: 2.16.56.1.1.1.2.2 and 2.16.56.1.1.1.2.1
RSA Moduli (1024 bit): cf:ca:7a:77: … :5c:c5 and 4b:e5:7e:6e: … :86:17
Signatures: 74:ae:10: … :e0:91 and 10:ac:04: … :e9:04

References…
• http://www.fedict.be
• http://www.rijksregister.fgov.be
• http://eid.belgium.be
• http://www.eid-shop.be
• http://godot.be/eidforum