Transcript Digital signature services - pki

Electronic ID Card and
Identification Service
Development in Georgia
Mikheil Kapanadze
What is Georgian eID Card?
Dual-Interface Chip
contact
contactless
Contact Interface
PKI Applet
• 2 Certificates, issued by PSDA
• Online Authentication
• Digital Signature (Qualified)
• Secured with 2 distinct PIN
codes
ICAO LDS Applet
• Compliant with ICAO 9303
• Personal Data Storage
• Secured with BAC
Contactless Interface
MIFARE 1k Classic (Emulated)
• MIFARE Application Directory
• Citizen’s Social Status data (if
applicable)
• Any 3rd party data can be deployed
• Custom-built secure reader-writer
devices are available
ICAO LDS
• Compliant with ICAO 9303
• Personal Data Storage
• Secured with BAC
PKI Applet in Details
Secure Key Storage
• Two 2048-bit RSA Keys, secured by Different PIN codes
• 4 digits for Online Authentication, 6 digits for Signature
• Authentication PIN, E-Signature Transport PIN and PUK are
delivered in secured envelope
• E-Signature PIN Code is set by the citizen
Certificate Storage
• Two Certificates, issued by PSDA and two CA certificates
• Certificate renew is possible
Certification and Trust Services
PSDA Certification Authority
• Certificates are issued instantly during personalization
• Certificate Validity – 2.5 Years
• CRL and OCSP services, with DR and load-balancing
CA Hierarchy
• GEO Root CA
• GEO Authentication CA (For Authentication Certificates)
• GEO Signing CA (For qualified e-Signature Certificates)
PSDA Time Stamping Authority
• RFC 3161 Time-stamping, mainly used for digital signatures
• DR and load-balancing
ID Card as SSCD
Private Key Security
• Signature key (RSA 2048) is generated on the card
• The private key never leaves the card
• The key material cannot be extracted from the card
PIN code Security
• 6-digit signature PIN is never delivered to the citizen
• Instead, we supply 5-digit transport PIN in secured envelope
• Signature PIN can activated ONLY ONCE
• Signature PIN change is possible. Reset is NOT
• … and it makes some problems with people who lost their envelopes
immediately
Current Figures
700 000
cards are
already
issued
The Number
is Growing
Rapidly
Current ID Card Team
Small Team
Skilled
People
External
Support
• 5 People
• Head of the Team
• Chief Architect
• Business Consultant
• 2 Junior Developers
• 2 highly skilled professionals for technical aspects
• 3 highly skilled professionals for business-related aspects
• Juniors are developing their skills rapidly
• Highly-skilled professionals from IT, Research and Development and other
departments of PSDA are involved on demand
• Inter-agency cooperation on key subjects
Current Projects
Digital Signature Portal
• Free Web-based signing with ID card, with possible commercial extensions
• Document sharing with multiple signers
• Signature Verification (ongoing)
Identity Verification Service
• Based on OpenID 2.0, AX 1.0 and PAPE
• Free service with possible commercial extensions
Digital Signature for Legal Entities (Ongoing)
• Signing as company’s authorized representative
• Signing as a notary representative
• Electronic Apostille
Current Projects
Student Card
• In cooperation with the Ministry of Education, on 2012
• Based on the concept of Citizen’s Social Status
• Students have discounts for many product (including ID card
itself)
Citizen’s Social Status
• 5 statuses can be written simultaneously on the card
• 255 statuses can be defined
• Statuses can be viewed using special application
• Uses card’s MIFARE emulator
DIGITAL SIGNATURE SERVICES
Personal Signatures
Current Status
• It’s possible to upload PDF document on the portal and sign
• You can share the document for signing to anothers
• Signature Format: PAdES
• Verification report will be added soon
Access conditions
• FREE for all eID holders, with limited space and document
lifetime
• It’s possible to have broader limits (or no limits at all) for extran
payment
Signatures for Legal Entities
Current Status
• The project is ongoing
• One of the TOP PRIORITIES of Year 2013 for PSDA
Possible fields of application
• Signing contracts on behalf of organization
• Notary services to eliminate paper documents as much as
possible
• Issuing electronically signed birth certificates, property
ownership etc.
• Electronic Apostille
Challenges for Legal Entity Signatures
Who is signing?
• Signature seems to be always performed by some natural person and
then sealed
• Do we really need to identify signer on the birth certificate?
• This is generated from the electronic system anyway!
• Workflow actions must be securely logged in the system. And
possibly go to Archive then
By whom the key is controlled?
• Sometimes, it’s a person (CEO of the company, etc)
• Sometimes the key is under control of the organization’s electronic
system
Possible solution: Attribute Certificates
Advantages
• We don’t need to establish additional issuing facilities and
manage additional secure tokens
• Attribute certificate can be issued online to eID user
• National Agency of Public Registry, Notary chamber, etc. can
act as attribute authorities
Challenges
• Attribute authorities must have required software in place
• Content of AC must be standardized
• Short-lived AC or OCSP calls?
And how about birth certificates, etc.?
Possible solutions
• We can mandate using HSM for secure key storage
• There will be a special, standard procedure of issuing and
enrolling certificate in HSM
• Thus we may say we have an SSCD and the signature is qualified
Open Questions
• Do we really need such a complexity?
• Especially, if we may need e-Apostille for such documents?
• Do we need to establish sector-based CA’s? (For banks,
insurance, government, etc.)
E-Signature and E-Document Law
Adopted in 2008
• Mainly based on European Directive 1999/93/EC
Changes are Planned
• We are establishing an inter-agency working group to propose
new changes in law
Technical regulations
• Regulations about certificate authority accreditation are in place
• Other regulations may be introduced
Signature and Document Formats
Document Format
• The current law considers only textual information as an
electronic document
• We use PDF (based on ISO/IEC 32000-1) format
Signature Format
• Signatures of *AdES family of ETSI standards were found to be
permitted under the Georgian signature law
• PAdES (ETSI TS 102 778) signatures are used
• PAdES-LTV is highly recommended as citizen’s certificates
expire in 2.5 years
Next Plans for Signatures
Make E-Signatures usable in everyday life
By further simplification of eID usage, other signature schemas, etc.
Promote digitally-born documents
Do all graduates need paper-based university diploma?
Minimize scanned documents and save time
If your diploma is electronic, there is no need to look for a scanner to upload it in online job
application system
AUTHENTICATION SERVICES
eID Login Applet
Key Features
• Written as Java Applet
• Distributed freely
• Can be embedded in any website
Challenges for Integrators
• You still need to write server-side logic
• You still need to fight with broken Java installations on
clients’ machines
Centralized Authentication System
Key Features
• Based on OpenID 2.0
• Uses Attribute Exchange 1.0 to deliver person’s
information to Relying Party
Additional Features
• Easy to integrate
• Well-documented
• Avoids problems with broken Java installation
Citizen’s consent on attribute exchange
Integration with Civil Registry WS
What is Civil Registry WS?
• SOAP web service which gives personal data
• Right now sharing with 3rd parties is possible only after
written consent of the data subject
• It’s a commercial service
Integration Possibilities
• Implement web-based consent using digital signature
• Thus, it’s possible to cover additional segment of clients
ACTIVITY IN OTHER FIELDS
Agency Profile
Who is PSDA?
• LEPL Public Service Development Agency is an entity under
umbrella of the Ministry of Justice of Georgia
• Established in 2012, based on Civil Registry Agency
Goals of the Agency
•
•
•
•
Supporting development of innovative public services
Supporting reforms in Georgia
Establishment of Civil Registry
Other activities for supporting innovation
Key Project: Seafarer’s Identity
Documents
What is SID?
• Seafarers identity document is a special document under regulations of
International Labor Organization
• It’s mainly based on ICAO 9303 with some important modifications
• Apart from SID, seafarers must also have documents which prove their
qualification and competency
PSDA Role
• We implement this project In cooperation with Maritime Transport Agency of
Georgia
• Full cycle of document issuing: from application collection to printing and
delivery
• First phase of the project is already done
• Georgian seafarers can now get new-generation documents
QUESTIONS?
Thank You!
Mikheil Kapanadze
Head of Identification Service Development Unit
Public Service Development Agency
Ministry of Justice of Georgia
[email protected]