CEN TC 224 WG15. European Citizen Card. Brussels May 10th CEN/TC 224 WG15 European Citizen Card

Transcription

1 CEN TC 224 WG15 European Citizen Card Brussels May 10th CEN/TC 224 WG15 European Citizen Card

2 European Citizen Card Scope Smart-Card based model for e-id management User-centric: Card under control of the citizen only Interoperability based on Middleware/ Open Interfaces Strong Authentication and Privacy Enhancement key features Compliant with EU Directive on Electronic Signature Political Objective not only technical : EU requires common citizenship symbols 2

3 European Citizen Card Category Multi-part European Standard in two steps Experimental Standard first European EN Standard in a second phase Implements the Authentication Layer of an e-idm system Authentication based on Smart Card + Middleware Makes smart card security services available to external applications Specifies: Complete Smart Card specification, covering physical, electrical and security services Middleware Specification of Implementation Card profiles around a main service ( ICAO traveling card, National ID card, e-government card ) 3

4 Target: Card-based Security and Data Protection Policies e-government access requires a security policy to be implemented The ECC supports the Identification, Authentication and Digital Signature services required by any security policy Cryptographic Protocols assume that both communicating ends are secure. This is an assumption to be prooved using authentication Privacy also requires the strong authentication of the entities exchanging sensitive personal data Authentication is the key element for security policy It is only when both entities trust each other s identity that the retrieval of sensitive personal data is possible 4

5 Target: Card-based Security and Data Protection Policies The ECC authenticates an e-government Server, protecting the citizen The ECC authenticates itself to an e-government Server: Only the legitimate citizen is authorized to consult his personal record in the Server After this mutual authentication a secure channel may be established and the citizen personal data may be retrieved in a secure way The ECC is the watchdog controlling access to personal data The ECC supports a digital signature generation compliant with the terms of the European Directive 1999/93 5

6 Target: Keep Legacy through ECC Middleware The middleware hides the specific details and technology of the European Citizen Card to the external world No previous knowledge of the ECC technology is needed to create a new application Service Providers does not need to know about the card implementation: The middleware takes care The ECC middleware facilitates the coexistence of ECC with other cards enabling the migration to a common EU approach 6

7 Target: Exporting European Technology CEN TC224 WG15 is a consensual committee between EU national standards bodies Simultaneously, the European Citizen Card interoperability mechanisms are being integrated in ISO Standards This process is being done with US and Japanese industry That strategy appears efficient to consolidate the european leadership position in the Security Industry 7

8 Approach: e-id Interoperability using the ECC The Interoperability is achieved with 3 key features: A common set of card commands and data structures specified in the European Citizen Card standard part 2 A middleware which makes any ECC look the same for the external world defined in part 3 The definition of ECC profiles: e-government card, National ID card, Traveling ICAO card defined in part 4 8

9 MF MF EF.ATR EF.DIR EF.SN EF.ATR EF.DIR DF ESIGN EF.ARR EF.C.CH. AUT EF.C.CH. DS EF.C.CH. ENC EF.C.ICC. AUT EF.DM DF SIG DF eid EF.ARR EF.C.CH. AUT EF.C.CH. QES EF.C.ICC. AUT EF.DM DF QES EF.ARR EF.C.CH. QES DF ICAO DF CIA DF CIA DF.CIA (ISO ) On-Card Application EF.DIR ACD DF.CIA (ISO ) On-Card Application EF.DIR ACD France e-government ECC Application DF.CIA Data for Middleware EF.DIR List of Applications + ECC profile ACD Compliance with ISO Spain e-government ECC Application DF.CIA Data for Middleware EF.DIR List of Applications + ECC profile ACD Compliance with ISO 24727

10 Integrating the ECC into e-idm systems The ECC is integrated in an e-idm system through a Middleware Stack This standard middleware presents two interfaces: An Open Interface ( or API) that enables an e-government application to connect with the middleware and to request a service A Card Interface that connects the middleware with the ECC The Authentication Layer of the e-idm system is implemented using an ECC + Middleware This Authentication Layer appears to the Service Provider just as an Open Interface This makes the ECC standard easily compatible with any Federated Identity Management solution 10

11 Interoperability T=0: The middleware and the ECC behave the same Service Provider Data Specific France ECC DF. CIA EF. DIR ACD / CCD ID Provider ( Gov CA) Identification Layer Authentication Layer Middleware Open Interface Commands and responses described in the ECC part 3 standard Open Interface Card Interface DF.CIA (ISO ) On-Card Application EF.DIR ACD DF.CIA (ISO ) On-Card Application EF.DIR ACD Data Specific Spain ECC DF. CIA EF. DIR ACD / CCD 11

12 Interoperability (II) 1. The Middleware now adapts to the specificities of ECC A and ECC B 2. From the Identification Layer, both ECC look identical Service Provider ID Provider ( Gov CA) Identification Layer Interface Commands and responses described on ECC part 3 standard Middleware adapted to A Authentication Layer Middleware adapted to B Middleware DF.CIA (ISO ) On-Card Application EF.DIR ACD DF.CIA (ISO ) On-Card Application EF.DIR ACD Card Commands and responses described on ECC part 2 standard 12

13 ECC interoperability scheme: Case 1 Identification Layer Client application Service Provider 1: Get ID Request 4 5: Auth ECC 6: Auth Resp Request Standard API Connection/Discovery Services Authentication Services Middleware Libraries: API request into ECC APDU Middleware Card Instruction Layer (Native APDU generation) Middleware Stack 3 2: APDU Get 7: APDU Auth 8: APDU Resp ECC Compliant Card Card Interface Authentication Layer 13

14 ECC interoperability scheme: Case 2 Identification Layer Client application Service Provider 10: ID OK 5: Verify ID e-id Issuer 1: Get ID Request 4 6: Auth ECC Request 9: Auth Resp Standard API Connection/Discovery Services Authentication Services Middleware Libraries: API request into ECC APDU Middleware Card Instruction Layer (Native APDU generation) Middleware Stack 3 2: APDU Get 7: APDU Auth 8: APDU Resp ECC Compliant Card Card Interface Authentication Layer 14

15 European Citizen Card Pro s First European Standard focused on Public Administrations Powerful discovery mechanism based on ISO open standard Industry-led effort : Multi-sourcing Complementarity with e-idm schemes Effective security provided to any e-idm Societal aspects considered: Privacy and e-inclusion Enables transition from existing schemes 15

16 European Citizen Card Con s Client applications must comply with Middleware API requirements On-going standard-setting process Lack of implementation Other e-id card-based schemes deployed Lack of visibility in relation with endorsement by governments 16

17 Relations with other models Accomodates naturally of any e-idm scheme based on middeware ( eg, TLS) Provide Authentication services to any e-idm scheme made up of an ID Agent- ID Provider and Service Provider Federation 17

18 Background slides 18 CEN/TC 224 WG15 European Citizen Card

19 ECC part 3 : Interoperability framework Country/end-users community A (not-on-us) Country/end-users community B (on-us) Foreign Public Administration or not-on-us smart card community 2 Home Member state Identity Provider Client RADIUS Network Access Server(optional) 4 5a IOP#3 Home PC 1 IOP#4 5b Browser embedded client-application (ActiveX Object, applet) Generic request interpreter 3 Server RADIUS (optional) Identification database, LDAP Directory etc End-user IOP#2 IOP#1 Middleware specific to country or smart card community Middleware libraries 19 ECC-2 compliant card, ISO/IEC compliant card

20 ISO / CEN complementarities CEN TC224 ISO SC17 Cards ISO SC27 Security ISO SC37 Biometrics WG15 ECC ISO 7816, ISO ISO Match on Card e-id Management ISO ISO WG16 esign ISO ISO 9796, 9797, 9798 ISO ISO ISO WG17 PP ISO cc 3.0 CEN TC 251 ehealth ISO e-id Management 20

21 Accreditation following national law IDP1 IDP2 TTP e-id1 e-id2 Reg1 Reg2 e-id Credential Validated [1] SP Initiates Identification Validate [ e-id ] DF.CIA (ISO ) On-Card Application EF.DIR ACD [2] ECC sends e-id response challenge Service Provider Certificate Recipient Recoverable data (Access Control List, Credentials, Data Sets for IOP) European Citizen Card Middleware 21