eID: the Belgian Electronic Identity Card
Jan Deprest
Vlaanderen – OND-MVG – 28-06-2005
e-government
What is e-Government ?
NOT : about government
HOWEVER : it is about the government’s customers
• citizens
• businesses
• civil servants
e-Government principles
> total solution
> transparent (hide the internal organisation)
> “I will say it only once” - Unique Data Source (Virtual Government)
> limit the administrative formalities
> no extra cost
> Privacy
> no digital divide
Architecture & building blocks
[Diagram labels: USER, MGT, SECURITY & PRIVACY, OTHER AUTHORITIES, PORTAL (www.belgium.be), UME, FEDMAN, FPS, AUTHENTIC SOURCES, OTHER INSTITUTIONS. Caption: Connected government]
eID - basics
A new ID-card with the format of a bank card and a powerful chip
Purpose eID project
> To give Belgian citizens an electronic identity card enabling them to authenticate themselves to diverse applications and to place digital signatures
> Proof of identity
> Signature tool
Which information ?
> From a visual point of view the same information will be visible as on the current identity card (visual identification of the holder) :
• the name
• the first two Christian names
• the first letter of the third Christian name
• the nationality
• the birth place and date
• the sex
• the place of delivery of the card
• the begin and end dates of the validity of the card
• the denomination and number of the card
• the photo of the holder
• the signature of the holder
• the identification number of the National Register
> Identical functionality to current identity card
Which information ?
> From an electronic point of view the chip will contain the same information as printed on the card (electronic identification of the holder), supplemented with :
• the identity and signature keys
• the identity and signature certificates
• the accredited certification service provider
• information necessary for authentication of the card and for securing the electronic data
• the main residence of the holder
> (Currently) no encryption certificates
> No biometric data (yet)
> No electronic purse
> No storage of other data
Distribution eID : how and where ?
[Diagram: numbered eID distribution flow, steps (1) to (13), with labels: Municipality, National Register, VRK, CM/CP/CI, CA, ECA, Bull, face to face identification, PIN & PUK1-code]
The municipalities
eID - chip
eID, welcome to the e-world !
Contents of the chip
[Diagram labels: PKI, IDENTITY, ID, ADDRESS, authentication, digital signature, RRN SIGN (twice)]
eID : the main e-functionalities
data capture
authentication
digital signature
Data capture
> faster data capture
• data can be read directly from the card and stored in a particular system
> more accurate data capture
• no more manual re-entering: a less error-prone process
> more efficient data capture
• faster processing of information
Authentication
> log on to web sites (SSO)
> access control
• container park
• library
• swimming pool
• …
Signature
Alice (signing):
1. Compose message
2. Compute hash
3. Generate signature
4. Collect signature
5. Collect certificate
6. Send message
Bob (verifying):
1. Receive message
2. Inspect certificate
3. Check CRL/OCSP
4. Check certificate
5. Fetch public key
6. Fetch signature
7. Compute reference hash
8. Hash, signature, public key match? (Matching triplet?)
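The signing and verification steps listed above, as an added Python example that is not part of the original slides or of the eID toolkit. It shows why Bob's certificate checks come before the "matching triplet" test: a revoked or expired certificate fails even when the signature itself is mathematically correct. Assumptions: SHA-256 with PKCS#1 v1.5 padding (the slides name no hash algorithm), a plain dict standing in for an X.509 certificate, a set of serial numbers standing in for CRL/OCSP, and a constructed toy key.

```python
import hashlib
from datetime import date

# Constructed toy key built from two Mersenne primes: insecure, for illustration
# only. On a real card the private exponent never leaves the chip.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8              # modulus length in bytes
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(message: bytes) -> int:
    """Hash the message and apply PKCS#1 v1.5 signature padding."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(message: bytes) -> int:
    """Alice, steps 2-4: compute hash, generate and collect the signature."""
    return pow(encode(message), D, N)

# Hypothetical, simplified certificate (assumption: a dict, not X.509).
CERT = {"serial": 1001, "subject": "Alice", "n": N, "e": E,
        "not_before": date(2005, 1, 1), "not_after": date(2010, 1, 1)}

def verify(message, signature, cert, revoked, today):
    """Bob, steps 2-8: returns (ok, reason)."""
    if not cert["not_before"] <= today <= cert["not_after"]:  # 2. inspect certificate
        return False, "certificate outside validity period"
    if cert["serial"] in revoked:                             # 3. check CRL/OCSP
        return False, "certificate revoked"
    # 4. Verifying the issuer's signature up the trust hierarchy is omitted here.
    n, e = cert["n"], cert["e"]                               # 5. fetch public key
    recovered = pow(signature, e, n)                          # 6. fetch signature
    reference = encode(message)                               # 7. compute reference hash
    if recovered != reference:                                # 8. triplet match?
        return False, "hash, signature and public key do not match"
    return True, "valid"
```
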
eID - PKI
Public Key Infrastructure
Trust Hierarchy
Admin
Auth/Sign
Certificates
> Citizen’s certificates & keys
• Authentication Certificate & key pair (1024 bits)
  • provide strong authentication (access control)
  • web site authentication
  • single sign-on (login)
  • etc.
• Signature Certificate & key pair (1024 bits)
  • provide non repudiation (electronic signature equivalent to handwritten signature)
  • Document Signing
  • Form Signing
  • etc.
• (Encryption Certificate & key pair)
  • foreseen at a later stage
  • private key backup/archiving
Trust Services
[Diagram labels: XKMS, Register, Request, Population Registry, Municipality, CPS, SLA, CA Factory, Citizens, Secure Sites, Auth/Sign, Validate, OCSP]
eID - toolkit
Let’s make use of the power of the eID !
eID-toolkits
> Two toolkits are under development :
• GUI + PKCS#11 libraries : reading, printing, validating and visualising the contents of the eID chip
• authentication proxy : easy authentication on multiple platforms
> Purpose is to hide internal card changes
> Labeling should be straightforward if applications use toolkits
> Both toolkits are free of charge
> Distribution through federal portal (http://www.belgium.be/fedict Projecten eID)
eID-toolkits
eID-toolkits : Identity
eID-toolkits : library
eID-toolkits : Certificates
eID-toolkits : Card & PIN
eID-toolkits : Options
eID - labelling
eID compliance label
> Requirements:
• For citizens: gain confidence in the practices of service providers regarding eID usage (e.g. privacy)
• For service providers: demonstrate that best practices are indeed applied regarding eID usage (e.g. fraud)
> Inspired by two industry standards
• WebTrust : eCommerce sites
• SysTrust : eTransaction systems
Trust Services
Lots of auditors available
• For service providers: easy to extend a WebTrust/SysTrust accreditation to be eID compliant
• For auditors: easy to extend a WebTrust/SysTrust license to become an eID compliance agent
Fast & rather cheap compared to other schemes
Not mandatory (but no eID liability otherwise)
eID-label
> Labeling procedure
• card readers
• applications
> creating trust for citizens, a legal basis for the government and branding for enterprises
> Based on industry standards :
> Currently being worked out in cooperation with Banksys, CBSS
eID - applications
Only the developers’ creativity will limit the usage of the eID card.
Home & Work
> Office tools
e-mail
login (local PC & network)
logon (other services)
data & program confidentiality
forms
...
Administration
> Federal
TAX-ON-WEB
VAT
DIV
…
> Municipalities
marriage
house
kids
school
library
swimming pool
container parks
…
Telecom
> Telephony
reloadable & account cards
GSM cards ==> UMTS/i-mode
> Television
Pay-TV
decryption cards
> Post
registered Mail over internet
Internet
VOIP (voice over IP)
i-mode
Finance
> Identification
netbanking (userID/Tokens)
loket (bank agency)
insurance contract (signature)
> Payment
credit cards
debit cards
electronic purse
Healthcare
> Insurance
MediCard (contract)
> Hospital
private data (hospital card, etc)
health/emergency data (blood group, etc)
Reimbursement
SIS card
pharmacy
doctors
Transport
> Public transport
ticketing
in-flight entertainment
> Parking
access
tolling
> Gas & Fuel
fuel cards
loyalty cards
Retail & Delivery
> Loyalty Programs
points collection
online gift selection
> Payment Credit
contract signature
payment system (domiciliation)
> Home Delivery
online orders
data capture & digital signature
The sky is the limit !
driver’s licence
healthcare
home banking, online opening of accounts, …
student cards, e-learning, …
…
proof of membership
SSO, …
e-commerce
Q&A
Th@nk you !
Rue Marie Thérèse 1/3
Maria-Theresiastraat 1/3
Bruxelles 1000 Brussel
TEL +32 2 212 96 00
FAX +32 2 212 96 99
www.belgium.be/fedict