Brno, 29. April 2003, 2nd International Scientific Conference Security and Protection of Information: Austrian e-Government


1 Austrian e-Government and Citizen Card Initiatives
Herbert Leitold, Secure Information Technology Center – Austria (A-SIT), Herbert.Leitold@a-sit.at
2nd International Scientific Conference Security and Protection of Information, Brno, 29. April 2003 (slide 1/45)

2 About myself
- Working for A-SIT
  - Confirmation body under Austrian Signature Law
  - Notified body w.r.t. EU Electronic Signature Directive 1999/93/EC
  - Advises public authorities in ICT security aspects
- Activities include
  - Technology assessment activities
    - Electronic signatures, biometrics, IT security tools, …
  - Standardization
    - EESSI: Common Criteria Protection Profiles that support the EU Electronic Signature Directive
  - White Book “Austrian Citizen Card”

3 Table of Contents
- Introduction
- e-Government in Europe
- Austrian e-Government basics
- Unique identification
- Electronic signatures & e-Gov.
- European dimension
- Austrian dimension
- Austrian citizen card concept
- Identification/Confidentiality levels
- Conclusions

4 Internet penetration in the EU (chart; label: 50 %)
Source: European Commission (eEurope benchmarking 2002)

5 e-Government in Europe: Public services online 2001-2002 (chart; label: 50 %)
Source: European Commission (eEurope benchmarking 2002)

6 e-Government in Europe: Internet users visiting e-Government sites (chart; label: 50 %)
Source: European Commission (eEurope benchmarking 2002)

7 e-Government in Europe: Government services online 2001 (chart)
Source: Eurobarometer (eEurope benchmarking 2001)

8 ICT-structure for e-government in Austria (diagram)

9 The starting points ...
- Austrian cabinet council decision (Nov. 2000)
  - … to employ chip-card technology to improve citizens’ access to public services
  - … to supplement the planned health insurance card with electronic signature
- “White book” citizen card (June 2001)
  - defines general requirements and strategic decisions from an authority’s perspective

10 Guiding principles …
- The administration doing its core business
- Open for the market to provide services
  - Portals, helpdesks
- Linked via Open Interfaces
- Choice of access for citizens

11 General structure (diagram)
Diagram labels: STANDARD BUILDING BLOCKS; Identification; Confidentiality; Standard forms; xml – print; xml – signature; e-delivery; e-payment; ..; Knowledge Management; OPEN INTERFACE; PORTAL

12 The overall communication for e-Government (diagram)

13 Unique identification
- The problem of unique identification considering PKI, certificates, etc.
- Data protection requirements
- Process specific ID solution followed in Austria

14 The “identification problem”
EU Signature Directive (1999/93/EC) defines:
§ 2. ‘advanced electronic signature’ means an electronic signature which meets the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using means that the signatory can maintain under his sole control; and
(d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;
Considering § 2(b), why is there a problem with unique identification?

15 The PKI “magic triangle”
Diagram labels: Certification service provider (CSP); Subscriber/signatory/signer; Relying party
- Certificate holds
  - Issuer
  - Name of signatory (pseudonym)
  - Public key
  - Attributes
  - Validity period
  - etc.
- How to avoid digital twins?
- High quality identification at the CSP

16 The “identification problem”
- High-quality identification at the CSP
  - personal appearance, present a photo ID
- Authority’s processes require identification
  - certificate not sufficient
  - “digital twins” problem
- Possible solutions
  - Online-access to CSP’s registration records
  - Government-owned PKI (has access to registration records)
  - Permanent/unique ID in the certificate
  - Alternatives ?

17 Data protection concerns
- A unique ID (central registration number, CRN) is available in the Austrian central registry
  - based on data out of a 2001 census
  - central registration system launched in 2002
- CRN may not be used with official proceedings
  - cross-search violates data-protection rules
- However, process-specific IDs may be used
  - e.g. an ID for tax declarations
  - e.g. a (different) ID for social security matters

18 Preserving data protection (diagram)

19 Process-specific ID
- derived from national central registration number
- combined with a process-specific number
- Cryptographic hash
  - prevents tracing back to registration numbers
  - observes data protection requirements
- replaces UID/PWD schemes
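How the derivation on this slide can work, as an added example that is not part of the original presentation. The slide says only "cryptographic hash"; HMAC-SHA-256 under a registry-held key, the length-prefixed field encoding, and all sample registration numbers and process codes below are assumptions chosen here (the key because a short numeric registration number could be enumerated under an unkeyed hash).

```python
"""Process-specific IDs derived from a registration number (added example)."""
import hashlib
import hmac

# Constructed sample data: not real registration numbers or process codes.
REGISTRY_KEY = b"constructed-demo-key-held-by-the-registry"
CITIZENS = {"alice": "000123456789", "bob": "000987654321"}
TAX, SOCIAL = "TAX-01", "SOC-02"  # hypothetical process-specific numbers


def _field(value: str) -> bytes:
    """Length-prefix a field so ("12", "345") and ("123", "45") never collide."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(2, "big") + raw


def derive_process_id(crn: str, process_code: str, key: bytes = REGISTRY_KEY) -> str:
    """Return the ID one process sees for the citizen with registration number crn."""
    if not (crn.isdigit() and process_code):
        raise ValueError("crn must be numeric and process_code non-empty")
    mac = hmac.new(key, _field(crn) + _field(process_code), hashlib.sha256)
    return mac.hexdigest()


def build_register(process_code: str) -> dict:
    """What one authority stores: process-specific ID -> record, never the CRN."""
    return {derive_process_id(crn, process_code): {"name": name}
            for name, crn in CITIZENS.items()}


def cross_search(register_a: dict, register_b: dict) -> set:
    """IDs present in both registers; a join across processes should find none."""
    return set(register_a) & set(register_b)


if __name__ == "__main__":
    tax, social = build_register(TAX), build_register(SOCIAL)
    alice_tax = derive_process_id(CITIZENS["alice"], TAX)
    print("alice recognised on return to tax process:", alice_tax in tax)
    print("alice's tax ID usable in social register: ", alice_tax in social)
    print("IDs shared across registers:", len(cross_search(tax, social)))
```

The same citizen always maps to the same ID inside one process, while the registers of two processes share no identifier to join on.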

20 Persona-binding
- An XML data structure that holds data often used in official proceedings
  - Given name, family name, date of birth
  - the citizen’s unique ID (CRN) and
  - a citizen’s public key (the citizen may have several)
  - signed by the Ministry of Interior
- Ties PKI data to an “official electronic identity”
- Stored with the citizen card under the citizen’s control
Diagram labels: PKI; Official registry (CRN); persona-binding

21 Electronic signatures and e-Government
- EU signature directive (Directive 1999/93/EC)
  - the European dimension
  - Requirements for SSCDs
  - Evaluation of components
- Austrian signature law
  - Relation to the EU directive

22 EU electronic signature directive
EU Signature Directive (1999) lays down:
§ 5(1) Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device: (a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and ...
- EESSI developed technical standards
  - e.g. Common Criteria protection profiles (SSCD-PP, CMCSO-PP, ..)
- EU Commission/A9C to publish reference numbers – binding for EU

23 EU electronic signature directive (cntd.)
- secure signature-creation device … means a signature-creation device which meets the requirements laid down in Annex III;
- Annex III covers requirements for secure signature-creation devices to ensure the functionality of advanced electronic signatures; it does not cover the entire system environment in which such devices operate;
- The conformity of secure signature-creation-devices with the requirements laid down in Annex III shall be determined by appropriate public or private bodies designated by Member States.

24 Electronic Signature Standards (EESSI)
Diagram labels: Certification service provider (CSP); Subscriber/signatory/signer; Relying party; creation device; Signature-creation process and environment; Signature-format and syntax; Signature-validation process and environment; Trustworthy systems; Qualified certificate; Qualified certificate policy

25 Common Criteria Protection Profiles
Diagram labels: Certification service provider (CSP); Subscriber/signatory/signer; Relying party; creation device; Signature-creation process and environment; Signature-format and syntax; Signature-validation process and environment; Trustworthy systems; Qualified certificate; Qualified certificate policy; CMCSO-PP; CMCKG-PP; SSCD-PP

26 SSCDs (3 types defined by EESSI)
- Type 1: SCD generation
- Type 2: SCD usage (“to sign”)
- Type 3: “both 1&2”

27 SSCD – a different view (diagram)

28 SFRs – a few of them
Diagram labels: FCS_COP.1/SIGNING; FCS_COP.1/CORRESP; FCS_CKM.1; FCS_CKM.1 / _CKM.4; FPT_PHP.1 / _PHP.3; FIA_AFL.2, …….; FTP_ITC.1; FTP_TRP.1 (*); FTP_ITC.1; FIA_UAU.1; FMT_SMR.1 (Adm./Sign.); FDP_ACF.1

29 EU vs. Austrian electronic signature rules
Austrian signature law (2000) requirements wrt. evaluation of technical components vary
§ 18(1) Technical components which allow the forgery of signed data to be reliably recognized and reliably prevent unauthorized use of signature creation data procedures shall be used […].
[…]
(5) The technical components and procedures for generating secure signatures must be constantly and adequately verified using state-of-the-art technology. Compliance with security requirements must be certified by a confirmation body (§ 19).

30 Austrian Citizen Card
- a single specific smart-card?
- requirements of the citizen card
- logical view to the card
  - security layer / security capsule
- How the model is used

31 Several smart-card initiatives …
- National ID card with chip (2003)
- Health insurance card
  - “health care certificate + el. signature” (for each citizen 2004)
- ATM card / bank account cards with electronic signatures (expected for 2004)
- further initiatives:
  - CSPs issuing qualified certificates
  - Austrian computer society member card
  - new technologies (PDAs, cell phones, WIM)
  - student service cards

32 Concept “Austrian Citizen Card”
Defines general minimum requirements:
- secure electronic signatures
  - i.e., legal equivalence to handwritten signatures
- additional key-pairs
  - ‘general signatures’, encryption
- info-boxes to store data
  - persona binding, certificates, power of attorney
- access control to info-boxes
- DH key exchange
- session key certificates

33 Some definitions …
- Security Capsule: Combination of the security-relevant components wrt. electronic signatures
  - clear responsibility / liability (signature law)
- Security Layer: An interface that provides a logical view to the security capsule

34 Security Layer vs. Security Capsule
Diagram labels: Security Capsule; Application; add. memory; Security-Layer; card-interface (e.g. PKCS#11); Hash function; PIN pad; trustw. viewer

35 Elements of the Austrian Citizen Card
Diagram labels: Security Capsule; Security-Layer

36 Security Layer Protocol
- Simple request/response scheme
  - Application sends request
  - Security Capsule responds
    - Result or Error code
- Protocol elements encoded in XML
- Transport layer bindings
  - TCP/IP, SSL/TLS (socket communication)
  - HTTP/HTTPS (capsule acts as simple Webserver)
Diagram labels: Security Capsule; Request; Response

37 Application submit form (diagram)

38 Application return result (diagram)

39 Using the concept for payment (diagram)

40 Identification / Confidentiality levels
- e-Government processes have different requirements wrt. identification or confidentiality
- Three Security levels
- Replacing UID/PWD

41 Security Level I: no specific requirements
- Based on “conventional” SSL/TLS
Diagram labels: Server; Browser; SSL/TLS

42 Security Level II: usual G2C services
Diagram labels: Server; Browser; active component; SSL/TLS; SCT: time, URL; Authentic. Block: time, URL, ID; steps numbered 1, 2, 3

43 Security Level III: specific confidentiality requirements
- bind the SSL/TLS certificates to citizen card
Diagram labels: Server; Browser; SSL/TLS; active component

44 Current State
- Security Layer
  - Demonstrator implemented in Java
  - Used by developers
    - “golden device” for developing security capsules
    - to test e-Government applications in early stages
- Some e-Government applications
  - Applications to social insurance (operational)
  - Registration of a business in Vienna (operational)
  - Petitions to federal ministries (end 2002)
  - Penal records (Q1 2003)
  - Tax declarations online (Q1 2003)

45 Conclusions
- Security capsule / layer provide a technology-neutral interface to the Austrian citizen card
- Electronic signatures are a central element
- Concept is the basis of Austrian e-Government initiatives
Diagram label: e-Austria

46 Thank you for your attention!
Herbert.Leitold@a-sit.at

