Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.

Published byHilary Mathews Modified over 9 years ago

Similar presentations

Presentation on theme: "1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005."— Presentation transcript:

1 1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005

2 2 2 eID validations services Introduction eID CA profile and hierarchy eID Repository eID LDAP eID CRL/delta CRL eID OCSP Q&A

3 3 3 Introduction eID Card Manufacturer eID Certificate Authority Citizen Belgian National Register Belgian municipalities PUK & PIN

4 4 4 Chain of Trust Belgium Root CA Belgium Root CA off line CA Tree structure Relying party trusts the Belgium Root CA key Belgium Root CA issues Citizen CA certificates Relying party verifies certificate along a certificate path leading to the root. Citizen CA Auth. Citizen cert. Sign. Citizen cert. eID CA profile and hierarchy

5 5 5 Certificate Serial Number (unique) Unique name identifying certificate owner Certificate usage (Sign./Auth.) Validity period (5 year) Public key Issuer name & signature Technical information Version (3) Signature algorithm Authority info access … Subject: Serial Number = 12345678901 G = John Fitzgerald SN = Doe CN = John Doe (Signature) C = BE Public key: Validity: 1/07/2003 10:03:00 1/07/2008 10:03:00 Certificate Serial Number: 3214 Issuer: CA-Name Signature: CA Digital signature

6 6 6 eID CA profile and hierarchy Authentication CertificateSignature Certificate

7 7 7 eID CA profile and hierarchy Citizen CA CRL distribution pointCitizen CA Authority Key identifier

8 8 8 eID CA profile and hierarchy Citizen Certificates Authority Information access Citizen Certificates CDP

9 9 9 eID repository eID CSP repository links: http://repository.eid.belgium.behttp://repository.eid.belgium.be is the eID CSP web site http://crl.eid.belgium.be http://certs.eid.belgium.be http://status.eid.belgium.be Certificate Status Web Service: provide real time certificate status Certificate Status Web Service Certificate Revocation List (CRL) Lookup Service http://ocsp.eid.belgium.be ldap.eid.belgium.be port 389 The new eID government web site: http://eid.belgium.be With link to Fedict and RRN web sites Certipost eID web shop http://www.eid-shop.be

10 10 eID repository

11 11 eID LDAP eID LDAP is the CA public directory: Accessible by using LDAP v2 on the host ldap.eid.belgium.be port 389 base dc=eid, dc=belgium, dc=be

12 12 eID CRL/ ΔCRL Used to validate certificates Include information such Issuer of the CRL Type of signature applied on the CRL Date and Time when the CRL is issued Date and Time of the next CRL update List of revoked certificates (Serial Number, Revocation date)

13 13 Certificate revocation list profile eID CRL/ ΔCRL Versionv2 Signaturesha1RSA Issuer ThisUpdate NextUpdate + 7 days RevokedCertificates UserCertificate RevocationDate CrlEntryExtensions CRL Reason CodecertificateHold(6) (for suspended certificates) Note: Otherwise NOT included! CrlExtensions Authority Key Identifiernon-critical CRL Numbernon-critical

14 14 Certificate revocation list profile eID CRL/ ΔCRL

15 15 Delta CRL profile eID CRL/ ΔCRL

16 16 eID CRL/ ΔCRL CRL/Delta CRL process

17 17 eID CRL/ ΔCRL Current CRL size for the Citizen CA 2004 is about 3,04 MB Estimated entry per future CRL/ ΔCRL size is about 38 bytes / entry  CRL size for 16 000 000 citizen certificates: 580 MB  Needs CRL splitting schema by generating several Citizen CA’s  Each CA will issue its own CRL and ΔCRL  size issue ! 3 options to mitigate it: Use ΔCRL Generate several CA certificates Use OCSP

18 18 eID OCSP The OCSP is OCSP V1 compliant (RFC2560). Suspended certificates will be marked as revoked since the “Suspended” status is currently not supported by OCSP. Goodif the certificate is issued by the CA and if the certificate is valid Revokedif the certificate is issued by the CA and the status of the certificate is revoked or the certificate is suspended Unknownif the certificate is not issued by the CA

19 19 eID OCSP Applications or relying party Citizen CA OCSP responder CRL OCSP Client Cert #123 Alice OCSP Request: Cert #123 Belgium Root CA CA DB Provide real-time status information Decrease risk of using revoked certificates Return status good, revoked or unknown Use of OCSP URL from certificate to gain access to the responder ΔCRL Web status

20 20 OCSP versus CRL/ΔCRL Your application (Offline) Certificate Revocation List Online Certificate Status Protocol eID Validation Services Back-officeCitizen

21 21 OCSP versus CRL/ΔCRL OCSPCRL/Delta CRL Access method Online:  Transaction based relying on the OCSP server availability  About no delays between requests and answers  Gets the effective and current certificates status  Requesting service must be able to perform an online OCSP request Offline:  Download of the last CRL/DeltaCRL before any validation  Local transaction  Not synchronised with the online status; maximum of 3 hours of delay if each DeltaCRL is fetched Access protocolHTTPHTTP(s)/LDAP Local storage neededNO Very limited as transaction based YES Need to download and store locally at least the last CRL/DeltaCRL; It is disk storage consuming; Internet bandwidthLOW As transaction based HIGH It will require a high bandwidth for downloading CRL’s. As every eID citizen’s certificate is first suspended before being optionally activated  large CRL file Signed answerYES Answers are signed by the OSCP responder private key YES CRL and Delta CRL are signed by the issuing CA private key

22 22 OCSP versus CRL/ΔCRL E.g. eID OCSP validations services could be used daily in conjonction with CRL/ ΔCRL as back up Choice between OCSP and CRL/ ΔCRL is depending on your business, on your risk assessment, …  Most probably a balance between the 2 protocols

23 23 Thank You !

Download ppt "1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005."

Similar presentations

DIGITAL CERTIFICATES Prof. Ravi Sandhu. 2 © Ravi Sandhu PUBLIC-KEY CERTIFICATES reliable distribution of public-keys public-key encryption sender needs.

DIGITAL CERTIFICATES Prof. Ravi Sandhu. 2 © Ravi Sandhu PUBLIC-KEY CERTIFICATES reliable distribution of public-keys public-key encryption sender needs.
An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
A Framework for Distributed OCSP without Responders Certificate

A Framework for Distributed OCSP without Responders Certificate
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Cryptography and Network Security Chapter 14

Cryptography and Network Security Chapter 14
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.

CS5204 – Operating Systems 1 Authentication. CS 5204 – Operating Systems2 Authentication Digital signature validation proves:  message was not altered.
Certificate Revocation Serge Egelman. Introduction What is revocation? Why do we need it? What is currently being done?

Certificate Revocation Serge Egelman. Introduction What is revocation? Why do we need it? What is currently being done?
Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn

Extended Validation Models in PKI Alternatives and Implications Marc Branchaud John Linn
Certificates Last Updated: Aug 29, 2013. A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.

Certificates Last Updated: Aug 29, A certificate was originally created to bind a subject to the subject’s public key Intended to solve the key.
Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.

Resource Certificate Profile Geoff Huston, George Michaelson, Rob Loomans APNIC IETF 67.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.

1 ISA 562 Information Systems Theory and Practice 10. Digital Certificates.
CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.

Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Public Key Management and X.509 Certificates

Public Key Management and X.509 Certificates
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Chapter 4 Authentication Applications. Objectives: authentication functions developed to support application-level authentication & digital signatures.

Similar presentations

Ads by Google