Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security and Interoperability Danny De Cock January 16th, 2012 Moldova Slides: godot.be/slidesgodot.be/slides.

Published byPrudence Bryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Security and Interoperability Danny De Cock January 16th, 2012 Moldova Slides: godot.be/slidesgodot.be/slides."— Presentation transcript:

1 Security and Interoperability Danny De Cock January 16th, 2012 Moldova E-mail: Danny.DeCock@esat.kuleuven.beDanny.DeCock@esat.kuleuven.be Slides: godot.be/slidesgodot.be/slides

2 Secrets of Successful eID Environments 3 High-level actors Different sectors – eGovernment Collect and store data once, reuse where possible – eHealth Make patient records available to health care service providers – eCommerce & eBusiness Provide ability to correctly identify involved parties – Avoiding online fraud, preparing effective anti-spam measures Citizen/Customer BusinessGovernment

3 Secrets of Successful eID Environments Success depends on joined forces of public and private sector – Private sector requires return on investment (ROI) Number of contacts between a citizen and its eGovernment only does not justify huge investments – Public sector prefers eID enablers for use in public and private sector Avoid reinventing the wheel – Need to exchange of experience with successes and *failures* – Risk of lacking focus to create interoperable solutions Caveat: Systems focusing on any single sector are inherently incompatible with *similar* systems

4 Design Decisions – Basic Concepts Federated architecture – Each sector operates autonomously – Interfaces with other sectors through bus system Built around authoritative sources – Master copy of data is available at exactly one repository – Master copy = authoritative source Maximal reuse of information – No data replication – Administrations cannot re-request data already available Integrated system for user and access management – eID for all – Citizens & organizations – Autonomous management of access & use policies

5 Design Decisions – Benefits Guaranteed interoperability enhances security! – Modularity respects each organization’s sovereignty Prevents vender-lock-in – Exchanging information using standard and open protocols and data formats Guaranteed flexibility – Modularity allows updating and following Security standards Good/best practices

6 Identification & Authentication Unique identification of – Citizens – Professionals – Companies and other Service Providers (public and private sector) eID for all: Authentication & Identification tokens – Federal token – eID card – Belgian citizens & foreigners – Other tokens – companies, organizations, individuals

7 eID Card Types CitizensKids Aliens eID cardKids-ID Foreigners’ card

8 eID Card Content ID ADDRESS Authentication Signature PKICitizen Identity Data RRN = National Register Root CA CA RRN SIGNATURE RRN SIGNATURE RRN SIGNATURE RRN SIGNATURE 140x200 Pixels 8 BPP 3.224 Bytes

9 eID Card = 4 Functions Non-electronic Non-electronic 1.Visible Identification of a person Electronic Electronic 2.Digital identification Data capture Data capture 3.Prove your identity Authentication signature Authentication signature 4.Digitally sign information Non-repudiation signature Non-repudiation signature eFunctionality Enabler of eServices

10 Levels of Assurance (LoA) of Authentication Federated identity management model – E.g., Shibboleth, Liberty Alliance, CardSpace… LoA 4+ (qualified plus biometric) Setting access policies LoA 4 (qualified cert with smart card EAL4+) Sensitive medical records (e.g. HIV), Consultant notes containing opinions. Ability to Break the Glass. Bank to bank transfers LoA 3 (2-factor authentication, non-qualified cert, EAL4 smart card) Patient confidential records (non- sensitive) LoA 2 (one time password) Some Internet banking applications System administration LoA 1 (uid/password, Verisign Class 1 cert) Retrieve degree certificate. Completing public service employment application LoA 0 (no authentication) Public data

11 eID – Level 3 + 4

12 Citizen’s Federal Token – Level 2

13 How to Choose a Security Level? Responsibility of the service provider under supervision of the Privacy Commission Based on risk assessment and depending on – Type of processing: communication, consultation, alteration,… – Scope of the service: does the processing only concern the user or also concern other persons ? – Degree of sensitivity of the data processed – Possible impact of the processing In addition to right security level – Use of an electronic & time-stamped signature might be needed

14 Interoperable & Secure by Design Mandates & authorization credentials based on open standards, e.g., – XACML – SAML Revocation services setup by mandate manager and certification authority – OCSP – CRL Certificates, Signatures and timestamps, e.g., – X.509 – XADES-* Communication protocols – SSL/TLS

15 XAXML – Allow/Deny Service Requests…

16 Generic Policy Enforcement Model XACML-based Information Request/Reply Policy Retrieval Authentic Source Information Request/Reply Policy Repository Manager Policy Management Authentic Source Policy Enforcement (PEP) Action on application Decision Request Decision Reply Action on application PERMITTED Action on application DENIED User Application Policy Decision (PDP) Policy Administration (PAP) Policy Information (PIP) Policy Information (PIP) Slide inspired by Frank Robben

17 APPLICATIONS AuthorizationAuthen- tication PEP Role Mapper USER PAP ‘’Kephas’’ Role Mapper DB PDP Role Provider PIP Attribute Provider Role Provider DB UMAF PIP Attribute Provider DB XYZ WebApp XYZ APPLICATIONS AuthorizationAuthen- tication PEP Role Mapper USER WebApp XYZ PIP Attribute Provider PAP ‘’Kephas’’ Role Mapper DB PDP Role Provider Role Provider DB Management VAS PIP Attribute Provider DB XYZ PIP Attribute Provider DB Bailiffs PIP Attribute Provider DB Mandates Be-Health APPLICATIONS AuthorizationAuthen- tication PEP Role Mapper USER PAP ‘’Kephas’’ Provider DB Mandates Social sector (CBSS) Non social FPS (FedICT) Management VAS DB XYZ Re-using Architecture Slide inspired by Frank Robben

18 Conclusion eGovernment Services are accessible – Via open standards – With strong authentication & access management Federated system permits use of common basic services securely – Without losing any autonomy! System allows permanent evolution – Continuously changing user & organization requirements

19 Food for Thought Trust is Good – Control is Better!

20 Th@nk you! Danny De Cock Researcher Applied Cryptography Danny.DeCock@esat.kuleuven.be Slides: www.godot.be/slides © fedict 2011. All rights reserved

21 eID Card Issuing Procedure (8) (9) (10b) Citizen PIN & PUK Certification Authority (CA) Municipality National Register (RRN) Card Personalizer (CP) Card Initializer (CI) (0) (3) (4) (5) (7) (6) (13) (12) (11) Citizen (10a”) (10a’) Face to face identification (1) (2)

22 eID Card Issuing Procedure 0: Citizen receives a convocation letter or takes the initiative 1: Visit municipality with photo 2: Formal eID request is signed 3,4: CP receives eID request via RRN 5: CP prints new eID card, CI starts on-card key pairs generation 6: RRN receives part of the eID card activation code PUK1 7: CA receives certificate requests 8: CA issues two new certificates and issues new CRLs 9: CI stores these certificates on the eID card 10a: CI writes citizen data (ID, address,…) to the card, deactivates the card 10b: CI sends invitation letter with citizen’s PIN and activation code PUK2 11: Citizen receives invitation letter 12: Civil servant starts eID card activation procedure 13: eID card computes a signature with each private key, CA removes certificates from CRL

23 Certificates for Government web servers, signing citizen files, public information,… Card Administration: update address, key pair generation, store certificates,… eID Certificates Hierarchy Card Admin Cert Admin Auth Cert Card Admin CA CRL Citizen CA CRL Gov CA CRL Belgium Root CA ARL Belgium Root CA Server Cert RRN Cert Non- rep Cert Code sign Cert 1024-bit RSA 2048-bit RSA 2048-bit RSA Auth Cert Foreign - ers‘ CA CRL Non- rep Cert

24 12 May 201512 May 201512 May 2015 Slide 24 Introducting Belgian eID Cards & eGovernment Context 3 Context 2 Context 1 Abstract eGovernment Ecosystem A C F E G H B D

Download ppt "Security and Interoperability Danny De Cock January 16th, 2012 Moldova Slides: godot.be/slidesgodot.be/slides."

Similar presentations

© fedict 2008. All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.

© fedict All rights reserved Legal aspects Belgian electronic identity card Samoera Jacobs – November 2008.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Digital Certificate Installation & User Guide For Class-2 Certificates.

Digital Certificate Installation & User Guide For Class-2 Certificates.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.

© Southampton City Council Sean Dawtry – Southampton City Council The Southampton Pathfinder for Smart Cards in public services.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]

Claudia Diaz, Hannelore Dekeyser, Markulf Kohlweiss, Girma Nigusse K.U.Leuven IDIS Workshop 29/05/2008 [Work done in the context of the ADAPID project]
Secure Communication Architectures.

Secure Communication Architectures.
1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.

1 eID validations services Houcine Bel Mamoune Unit manager eID Technical Drill down Session 7 April 2005.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.

Chief Information Officer Branch Gestion du dirigeant principal de l’information “We will have a world class public key infrastructure in place” Prime.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
1 ARPA A regional infrastructure for secure role-based access to RTRT services Ing. Laura Castellani Tuscany Region.

1 ARPA A regional infrastructure for secure role-based access to RTRT services Ing. Laura Castellani Tuscany Region.
Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.

Lesson 12 Cryptography for E-Commerce. Approaches to Network Security Separate Security Protocol--SSL Application-Specific Security--SHTTP Security with.
2-Jun-15 1 ACCESSING ON LINE SERVICES PROTECTED BY THE ITALIAN EID GIOVANNI MANCA National Center for Information technology in Public Administration (CNIPA)

2-Jun-15 1 ACCESSING ON LINE SERVICES PROTECTED BY THE ITALIAN EID GIOVANNI MANCA National Center for Information technology in Public Administration (CNIPA)
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Similar presentations

Ads by Google