Introduction to Electronic Identity Documents

Transcription

1 Tutorial Introduction to Electronic Identity Documents Klaus Schmeh cryptovision

2 I'm Klaus Schmeh, Chief Editor Marketing at cryptovision. I have published a number of books.

3 Identity Documents

4 Conventional Identity Documents

5 Identity Document Formats 0 cm 10 cm 20 cm 30 cm ID-1 Format e. g. credit card ID-2 Format e.g. old German identity card ID-3 Format e.g. passport Machine Readable Zone (MRZ)

6 MRTD Standard Made by aviation organisation ICAO MRTD: Machine Readable Travel Documents

7 Cryptography Basics

8 Symmetric Encryption secret key secret key This text is not encrypted. encryption sfd5hbtoar zksldklsli4fj fkdfkjk decryption This text is not encrypted. Cleartext Ciphertext Cleartext

9 Asymmetric Encryption public key private key This text is not encrypted. encryption sfd5hbtoar zksldklsli4fj fkdfkjk decryption This text is not encrypted. Cleartext Ciphertext Cleartext

10 Digital Signature private key public key This text is not encrypted. signing sfd5hbtoar zksldklsli4fj fkdfkjk verification correct/ incorrect Cleartext Checksum (signature)

11 Authentication Verification if somebody is the one he claims to be private key public key Alice data (challenge) signed data (response) Server

12 Basic cryptographic operations Symmetric Encryption Asymmetric Encryption Digital Signature Authentication secret key public/private key public/private key public/private key Three of these operations require public keys.

13 Questions Alice's Public Key F7 EC DD 78 2A 9B 2A 0B F7 EC E4 78 EC DD 78 F7 EC E4 78 F3 9B AB F7 EC E4 DD 78 F7 EC E4 78 F3 9B AB F D 78 F7 EC E4 F3 9B AB F7 CD 56 Is it really Alice s public key? Is the key still in use? Has the key been revoked? Is the key meant for encryption or for signatures? These questions can t be answered by only looking at the key

14 Digital Certificate Digital Certificate Person name: Alice Smith Public key: F4 56 D BB A6 93 0D Validity period: Serial number: CA name: CA 1 Signature: A6 56 D E3 BB A6 93 0D 3D

15 Who signs a digital certificate? Certification Authority signs certificates User digital User digital User digital User certificate certificate certificate digital certificate

16 Digital Certificate Standards X.509 Certificate Version Serial Number Signature Issuer Validity Subject Subject Public Key Info Authority Key Identifier Subject Key Identifier Key Usage Private Key Usage Period Policy Mappings Subject Alternative Name Issuer Alternative Name typical size: 2,000 byte Card Verifiable Certificate Profile Identifier Certification Authority Certificate Holder Certificate Holder Authorization Validity Period Key typical size: 200 byte

17 Public Key Infrastructure (PKI) Hardware and software used to manage digital certificates Key storage hardware Card Management System User Certification Authority Certificate Repository Identity Management

18 Smart Cards

19 Smart Card The chip is a small computer Smart card operating systems: CardOS STARCOS TCOS JCOP

20 Smart Card Memory with typical parameters RAM 768 byte ROM 16 KB EEPROM (Hard drive) 128 KB Clock: 4 MHz

21 Contact smart card Contactless smart card chip chip is not visible contactless reader contact reader

22 A smart card is a secure way to store a key KEY NEVER LEAVES THE CHIP data signed or encrypted data chip encrypts or computes signature with key

23 Smart Card Form Factors smart card USB token chip watch proximity token

24 More Smart Card Form Factors SIM Card microsd chip implant

25 Biometry and Smart Cards Match on Card (MoC)

26 Mosofot Program Smart Card Middleware PC software Administration tool smart card Datei Bearbeiten Ansicht Einfügen Format Fenster % * # % * # % * # skjhfksjhfkshfk lskflksjf slkfj n slkfjg slkfj slkf slkfl slkfj n slkfjg slkfj slkfj n slkfjg slkfj Driver % * # % * # % * # crypto interface Smart Card Middleware card interface The best smart card middleware on the market is sc/interface.

27 Electronic Identity Documents

28 What is an Electronic Identity Document? Identity Document + = Computer Chip Electronic Identity Document (eid) An electronic identity document is a smart card

29 Why Electronic Identity Documents? Improve identification of a person Enable new applications

30 Typical functionality of an electronic identity card Stores name, birthday, address,... Additional (nongovernment) applications: payment, ticketing, health card,... Digital Signature functionality Encryption functionality Authentication functionality

31 Electronic Identity Card Formats 0 cm 10 cm 20 cm 30 cm ID-3 Format Electronic passport ID-2 Format Not used for electronic identity documents ID-1 Format Almost all other electronic identity documents

32 Examples of Electronic Identity Documents Electronic Passport German electronic identity card Electronic Driving License Health Insurance card Company card Vehicle registration card

33 MRTD Standard ICAO also standardises electronic identity documents

34 Standardized content of an electronic identity card Logical Data Structure (LDS) DG1 DG2 DG3 DG4 DG5 DG6 DG7 DG8 DG9 DG10 DG 11 DG12 DG13 DG14 DG15 DG16 Detail(s) Recorded in MRZ Encoded Face Encoded Finger(s) Encoded Eye(s) Displayed Portrait Reserved for Furure Use Displayed Signature or Usual Mark Data Feature(s) Structure Feature(s) Substance Additional Feature(s) Personal Detail(s) Additional Personal Detail(s) Optional Detail(s) Security Options for Secondary Biometrics Active Authentication Public Key Info Person(s) to Notify Document Type Issuing State or Organsiati on Name (of Holder) Document Number Check Digit - Doc Number Nationality Date of Birth Check Digit - DOB Sex Date of Expiry Check Digit - DOE Optional Data Composite Check Digit

35 ICAO Passport By far the most popular electronic identity document Simple technology, little functionality

36 Electronic Passports About 150 countries issue Electronic Passports European Commission: Electronic Passport obligatory for members

37 National identity cards Much variety: every country deploys its own solution Interoperability in some, but not all respects

38 Cryptography and PKI used by Electronic Identity Documents

39 Attacks on electronic identity documents Complete fraud Put fake data on a fake card Cryptographic countermeasure digital signature

40 Some Attacks on electronic identity documents Cloning Copy key from a genuine card to a fake card Cryptographic countermeasure key on card cannot be read

41 Some Attacks on electronic identity documents Eavesdropping Listen to communication between card and reader Cryptographic countermeasure key on card cannot be read

42 Some Attacks on electronic identity documents Unauthorized reading Read data from card without permission Cryptographic countermeasure Inspection system needs to authenticate with key

43 Some Attacks on electronic identity documents Many attacks on electronic identity cards can be prevented with cryptography

44 Signatures and keys needed to secure an electronic identity card Inspection System Electronic Identity Card inspection system key (used for authentication) digital signature by issuer user keys (used for signature, authentication,...)

45 Java Card

46 Chip is a small computer Some smart cards support the Java Programming language Name of this technology: Java Card

47 Java program (applet) Java Card operating systems NXP: JCOP (Java Card OpenPlatform) G&D: Expert Infineon: jtop Gemalto: IDCore JavaCOS

48 The Nigerian Electronic Identity Card

49 Nigeria 168 million inhabitants capital: Abuja largest economy in Africa over 500 ethnicities

50 Nigeria has started issuing electronic identity cards cryptovision plays a key role in this project.

51 Nigerian electronic identity card Birth date Date of issuance EMV-PAN- Nummer Document number Machine Readable Zone (MRZ) Payment, banking

52 PKI for Nigerian Identity Card CVCA CSCA X.509-CA Root CA Sub CA signs signs signs One of the largest and complexest PKIs in the world. DVCA Document Signer Sub-CA

53 Payment function Every electronic identity card features a prepaid function 100 million Nigerians get access to the financial system. Largest Bank the Unbanked - initiative in history.

54 Gelsenkirchen, July 3, 2014 For the first time in history money is withdrawn with an electronic identity card from a German ATM. The card is Nigerian.

55 Nigerian electronic identity card German electronic identity card Chip contact contactless Number of users: 100 million 50 million Identity verification yes yes Signature function yes yes Nigerian card project is more ambitious. Biometry yes yes Payment yes no Banking card funtion yes no Usable as travel document yes yes Restricted Identification no yes Age verification no yes Mutual authentication (EAC2) yes yes

56 Summary

57 Electronic Identity Cards are a hot technology Inform yourself at Mindshare Visit our showroom.

58 End