Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © FEDICT 2004. All rights reserved eID : The Belgian Electronic Identity Card Bart SIJNAVE Microsoft eID Awareness Program Brussels, 24 juni.

Published byShona Arnold Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright © FEDICT 2004. All rights reserved eID : The Belgian Electronic Identity Card Bart SIJNAVE Microsoft eID Awareness Program Brussels, 24 juni."— Presentation transcript:

1 Copyright © FEDICT 2004. All rights reserved eID : The Belgian Electronic Identity Card Bart SIJNAVE Microsoft eID Awareness Program Brussels, 24 juni 2004

2 Copyright © FEDICT 2004. All rights reserved Architecture & building blocks SECURITY & PRIVACY FEDMAN UME OTHER AUTHORITIES OTHER INSTITUTIONS FPS Connected government Connected government PORTAL www.belgium.be PORTAL www.belgium.be AUTHENTIC SOURCES USER MGT

3 Copyright © FEDICT 2004. All rights reserved eID – chip eID, welcome to the e-world !

4 Copyright © FEDICT 2004. All rights reserved Contents of the chip ID ADDRESS authentication digital signature RRN SIGN RRN SIGN RRN SIGN RRN SIGN PKIIDENTITY

5 Copyright © FEDICT 2004. All rights reserved eID : the main e-functionalities authentication data capture digital signature

6 Copyright © FEDICT 2004. All rights reserved eID : the main e-functionalities authentication data capture digital signature

7 Copyright © FEDICT 2004. All rights reserved Data capture  faster data capture data can be read directly from the card and stored in a particular system  more accurate data capture no more manual re-entrying  less error- prone process  more efficient data capture faster processing of information

8 Copyright © FEDICT 2004. All rights reserved eID : the main e-functionalities authentication data capture digital signature

9 Copyright © FEDICT 2004. All rights reserved Trust Hierarchy Card Admin Cert Admin Client Auth Elec Sign Data Crypt Client Cert Admin CA Hierar Admin CRL Citizen CA CRL Gov CA CRL SelfSign Belgium Root ARL RootSign Belgium Root Server Cert Object Cert AdminAuth/Sign

10 Copyright © FEDICT 2004. All rights reserved Certificates  Citizen’s certificates & keys  Authentication Certificate & key pair (1024 bits)  provide strong authentication (access control)  web site authentication  single sign-on (login)  etc.  Signature Certificate & key pair (1024 bits)  provide non repudiation (electronic signature equivalent to handwritten signature)  Document Signing  Form Signing  etc.  (Encryption Certificate & key pair)  foreseen at a later stage  private key backup/archiving AuthSign Citizen CA Belgium Root CA Crypt Citizen CA

11 Copyright © FEDICT 2004. All rights reserved Trust Services Request Auth/SignValidate Register Population Registry Secure Sites Municipality XKMS OCSP CA Factory Citizens CPSSLA

12 Copyright © FEDICT 2004. All rights reserved Authentication log on to web sites (SSO) container park library access control … swimming pool

13 Copyright © FEDICT 2004. All rights reserved eID : the main e-functionalities authentication data capture digital signature

14 Copyright © FEDICT 2004. All rights reserved Signature 1. Receive message 3. Check CRL/OCSP 5. Fetch public key 7. Compute reference hash 2. Inspect certificate 4. Check certificate 6. Fetch signature 8. Hash, signature, public key match? Matching triplet? CRL Alice hash Bob 3, 4 2 1 7 6 5 8 1. Compose message3. Generate signature5. Collect certificate 2. Compute hash4. Collect signature6. Send message Alice hash Alice 1 2 3 54 6

15 Copyright © FEDICT 2004. All rights reserved eID – technicalities

16 Copyright © FEDICT 2004. All rights reserved Card Specifications  Standard - ISO/IEC 7816  Format & Physical Characteristics  Bank Card (ID1)  Standard Contacts & Signals  RST,GND,CLK,Vpp,Vcc, I/O  Standard Commands & Query Language (APDU)  etc.

17 Copyright © FEDICT 2004. All rights reserved Security  Outside  Rainbow and guilloche printing  Changeable Laser Image (CLI)  Optical Variable Ink (OVI)  Alphagram  Relief and UV print  Laser engraving  Inside 12345678 SHA-1 RSA SPA/DPA/… resistent EAL5+ certified …

18 Copyright © FEDICT 2004. All rights reserved Chip specifications  Chip characteristics: Cryptoflex JavaCard 32K  CPU (processor): 16 bit Micro-controller  Crypto-processor:  1100 bit Crypto-Engine (RSA computation)  112 bit Crypto-Accelerator (DES computation)  ROM (OS): 136 kB (GEOS Java Virtual Machine)  EEPROM (Applic + Data): 32 KB (Cristal Applet)  RAM (memory): 5 KB CPU ROM (Operating System) Crypto (DES,RSA) RAM (Memory) EEPROM (File System= applications + data) I/O “GEOS” JVM “CRISTAL” Applet ID data, Keys, Certs.

19 Copyright © FEDICT 2004. All rights reserved ID Data specifications  Directory Structure (PKCS#15)  Dir (BelPIC):  certificates & keys (PIN code protected)  private and public key CA : 2048 bits  private and public key citizen: 1024 bits  Signatures put via RSA with SHA-1  all certificates are conform to X.509 v3  standard format (to be used by generic applications)  Microsoft CryptoAPI ( Windows)  PKCS#11 ( UNIX/Linux & MacOS)  Dir (ID):  contains full identity information  first name, last name, etc.  address  picture  etc.  proprietary format (to be used by dedicated applications only) BelPIC Auth Key Sign Key ID ADR PIC Auth Cert Sign Cert CA Cert Root Cert Card Key...

20 Copyright © FEDICT 2004. All rights reserved Middleware specifications  Card & Reader Software  Card MiddleWare  PKCS#15  ID specific applications  Card is accessed as a simple file system  No key management possible (no PIN)  for belgian police, post, banks, etc  PKCS#11  Generic applications  Only keys & Certs available via PKCS#11 API  allows authentication (& signature)  for Netscape, Linux, Unix, etc  MS-CSP  Windows applications  Only keys & certs available via MSCrypto API  allows authentication (& signature)  for Microsoft Explorer, Outlook, etc  Reader Driver/Firmware  most part is generic (orange part)  small part is specific (green part) DLL (C-reader DLL) PKCS#15 OpenSC (Generic SC Interface) PIN (pin logic library) Driver (Specific SC Reader Interface) PC/SC (Generic SC Reader Interface) I/O PKCS#11 (Certificate & Keys Management) MS-CSP (Microsoft interface) BelPIC Specific Applics Non Win Generic Applics Windows Generic Applics

21 Copyright © FEDICT 2004. All rights reserved Toolkit specifications  Toolkits  Data Capture Toolkit  GetIdentity  GetAddress  GetPicture  GetVersion ...  Authentication Proxy  Trigger Certificate based auth  Validate Certificate  Return Certificate Content  …  Signature Plugin  PDF/XML signature support  Validate Certificate  Verify Signature  … DLL (C-reader DLL) PKCS#15 OpenSC (Generic SC Interface) PIN (pin logic library) Driver (Specific SC Reader Interface) PC/SC (Generic SC Reader Interface) I/O PKCS#11 (Certificate & Keys Management) MS-CSP (Microsoft interface) Sign Plugin Toolkit Auth Proxy Data Capture

22 Copyright © FEDICT 2004. All rights reserved eID - toolkits Let’s make use of the power of eID !

23 Copyright © FEDICT 2004. All rights reserved eID-toolkits  Two toolkits are under development : GUI + PKCS#11 libraries : reading, printing, validating and visualising the contents of the eID chip authentication proxy : easy authentication on multiple platforms  Purpose is to hide internal card changes  Labeling should be straightforward if applications use toolkits  Both toolkits are free of charge  Distribution through federal portal ( http://www.belgium.be/fedict  Projecten  eID ) RELEASED

24 Copyright © FEDICT 2004. All rights reserved eID-toolkits

25 Copyright © FEDICT 2004. All rights reserved eID-toolkits : Identity

26 Copyright © FEDICT 2004. All rights reserved eID-toolkits : library

27 Copyright © FEDICT 2004. All rights reserved eID-toolkits : Certificates

28 Copyright © FEDICT 2004. All rights reserved eID-toolkits : Card & PIN

29 Copyright © FEDICT 2004. All rights reserved eID-toolkits : Options

30 Copyright © FEDICT 2004. All rights reserved eID - labeling

31 Copyright © FEDICT 2004. All rights reserved  Labeling procedure card readers applications creating trust for citizens, a legal basis for the government and branding for enterprises Based on industry standards :  Currently being worked out in cooperation with Banksys, CBSS eID-label

32 Copyright © FEDICT 2004. All rights reserved eID – today & tomorrow

33 Copyright © FEDICT 2004. All rights reserved Current status pilot phase (14/6) Over 51,150 cards distributed

34 Copyright © FEDICT 2004. All rights reserved Planning Q1 2004Q2 2004Q3 2004Q4 2004Q1 2005 DECISION DECISION Pilot phase Target groups Evaluation pilot phase Continuous advise from and support to enterprises, citizens and authorities Installation in municipalities (578) Gradual roll-out eID Negociations 20/3

35 Copyright © FEDICT 2004. All rights reserved Next versions of the eID card Short term : offering the possibility of two different PINs for authentication and digital signature integrating the latest state-of-the art RSA algorithms using more international data formatting offering a more advanced status check providing a structure for using the free space on the chip Long term : biometrics encryption certificats integration of SIS card driver’s licence …

36 Copyright © FEDICT 2004. All rights reserved Q&A

37 Copyright © FEDICT 2004. All rights reserved More information Th@nk you ! For more information feel free to visit www.fedict.be

Download ppt "Copyright © FEDICT 2004. All rights reserved eID : The Belgian Electronic Identity Card Bart SIJNAVE Microsoft eID Awareness Program Brussels, 24 juni."

Similar presentations

© fedict 2008. All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.

© fedict All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.
Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.

EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
A l a d d i n. c o m eToken NG-OTP Combined PKI - OTP Authentication Solution November, 2008.

A l a d d i n. c o m eToken NG-OTP Combined PKI - OTP Authentication Solution November, 2008.
Chap 2 System Structures.

Chap 2 System Structures.
Operating-System Structures

Operating-System Structures
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Security and Interoperability Danny De Cock January 16th, 2012 Moldova Slides: godot.be/slidesgodot.be/slides.

Security and Interoperability Danny De Cock January 16th, 2012 Moldova Slides: godot.be/slidesgodot.be/slides.
Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.

Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI

Mobile Credentials Ennio J. Carboni Product Manager, Keon PKI
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
EID: the Belgian Electronic Identity Card Jan Deprest Vlaanderen – OND-MVG – 28-06-2005.

EID: the Belgian Electronic Identity Card Jan Deprest Vlaanderen – OND-MVG –
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.

An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Designing and Implementing Secure ID Management Systems: BELGIUM’s Experience Washington - September 27 th, 2010 Frank LEYMAN © fedict 2010. All rights.

Designing and Implementing Secure ID Management Systems: BELGIUM’s Experience Washington - September 27 th, 2010 Frank LEYMAN © fedict All rights.
X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster

X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

Similar presentations

Ads by Google