Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010

Similar documents
2 Electronic Passports and Identity Cards

Verifying emrtd Security Controls

Conformity and Interoperability Key Prerequisites for Security of eid documents. Holger Funke, 27 th April 2017, ID4Africa Windhoek

EU Passport Specification

Introduction to Electronic Identity Documents

Security of Biometric Passports ECE 646 Fall Team Members : Aniruddha Harish Divya Chinthalapuri Premdeep Varada

This paper focuses on the issue of increased biometric content. We have also published a paper on inspection systems.

Past & Future Issues in Smartcard Industry

eidas Standardisation What are the Issues and Concerns? Overview from CEN TC 224 WG 16 ESIGN Gisela Meister

Overview of cryptovision's eid Product Offering. Presentation & Demo

Legal Regulations and Vulnerability Analysis

cryptovision s Government Solutions Adam Ross, Ben Drisch cryptovision GmbH

White Paper Implementing mobile electronic identity

Advanced Security Mechanisms for Machine Readable Travel Documents and eidas Token

The EAC for MRTD. 26 January 2010

Whitepaper: GlobalTester Prove IS

Security Mechanism of Electronic Passports. Petr ŠTURC Coesys Research and Development

Austrian State Printing House

Document reader Regula 70X4M

Electronic signature framework

SmartCards as electronic signature devices Progress of standardization. Helmut Scherzer, CEN TC224/WG16 (Editor) IBM Germany

eidas Regulation in the context of Cybersecurity: Electronic seals and website certificates: Two sides of a (gold) medal?

System to assure authentication and transaction security. Presentation of the concept and product May 2009

Non Person Identities After all, who cares about me? Gilles Lisimaque & Dave Auman Identification technology Partners, Inc.

Common Criteria Protection Profile

Common Criteria Protection Profile

September OID: Public Document

COMPGA12 1 TURN OVER

Identity and capability management and federation

An Overview of Electronic Passport Security Features

Security analysis of OpenID, followed by a reference implementation of an npabased OpenID provider

Technical Guideline TR eid-client Part 2: Conformance Test Specification. Version 1.3

The epassport: What s Next?

Test plan for eid and esign compliant smart card readers with integrated EACv2

Séminaire sur la Certification Electronique

Gaining Business Value from IoT

Security Target Lite SK e-pass V1.0

Privacy-Enhancing Technologies & Applications to ehealth. Dr. Anja Lehmann IBM Research Zurich

Efficient, broad-based solution for a Swiss digital ID

Hash-based Encryption Algorithm to Protect Biometric Data in e-passport

Market Trends and Veridos solutions for epassports & ID Documents

Technical report. Signature creation and administration for eidas token Part 1: Functional Specification

PRICE LIST TRUST SERVICE PRODUCTS. Price List Version 5.9 Berlin, April Copyright 2018, Bundesdruckerei GmbH. Seite 1/9

Privacy Policy Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH 1. Definitions

SAFE-BioPharma RAS Privacy Policy

German eid based on Extended Access Control v2

Mobile Driver s License Region IV May 24, 2017 Seattle, WA

Singapore s National Digital Identity (NDI):

How To Secure Electronic Passports. Marc Witteman & Harko Robroch Riscure 02/07/07 - Session Code: IAM-201

An Overview of Electronic Passport Security Features

Mobile Identity Management

COMPUTER NETWORK SECURITY

Evolution in cross-border interoperability of esignatures and eid. Tarvi Martens SK, Estonia

Privacy Policy CARGOWAYS Logistik & Transport GmbH

3D Face Project. Overview. Paul Welti. Sagem Défense Sécurité Technical coordinator. ! Background. ! Objectives. ! Workpackages

Identity Management: Setting Context

Privacy and Identity Management for Life. Lifelong Privacy

Security Requirements for Crypto Devices

User Authentication. Modified By: Dr. Ramzi Saifan

Open e-id implementation for temporary and future card deployments

CREDENTSYS CARD FAMILY

INTEGRATION OF TURKISH EID WITH E-GOVERNMENT & E-BUSINESS SERVICES

Polymorphic Encryption and Pseudonymization in the Dutch eid scheme. IRMA meeting, 23 September 2016

eidas Interoperability Architecture Version November 2015

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Electronic passports

E-PASSPORT SCHEME USING AUTHENTICATION PROTOCOLS ALONG WITH FACE, FINGERPRINT, PALMPRINT AND IRIS BIOMETRICS

New Paradigms of Digital Identity:

CERN Certification Authority

Authentication Technologies

Strategies for the Implementation of PIV I Secure Identity Credentials

the processing of personal data relating to him or her.

Privacy Notice - Stora Enso s Supplier and Stakeholder Register. 1 Purpose

Chip Authentication for E-Passports: PACE with Chip Authentication Mapping v2

Interagency Advisory Board Meeting Agenda, February 2, 2009

WHAT FUTURE FOR CONTACTLESS CARD SECURITY?

Future Expansion for emrtd PKI Mark Joynes, Entrust

Submission Cover Page

Authentication & Authorization

Biometric Passport from a Security Perspective

Data subject ( Customer or Data subject ): individual to whom personal data relates.

MAESON MAHERRY. 3 Factor Authentication and what it means to business. Date: 21/10/2013

Jrsys Mobile Banking Solutions

Technical Solutions Novel Challenges to Privacy Privacy Enhancing Technologies Examples

Digital Signatures Act 1

Information memorandum. SUNČANI HVAR d.d.

U-Prove Technology Overview

Security Target Lite for CEITEC epassport Module CTC21001 with EAC

Hong Kong Access Federation (HKAF) Identity Management Practice Statement (IMPS)

Lecture 9 User Authentication

SECURITY TARGET LITE FOR IDEAL PASS V2.0.1 EAC WITH PACE APPLICATION

eid Consulting References

Enabling a World-Class National ICT Sector

Talenom Plc. Description of Data Protection and Descriptions of Registers

eid Applications Cross Border Authentication

DoD Common Access Card Convergence of Technology Access/E-Commerce/Biometrics

DigitalPersona Altus. Solution Guide

Technical Requirements of the GDPR

Security Aspects of Trust Services Providers

Digital Certificates. PKI and other TTPs. 3.3

Transcription:

Can eid card make life easier and more secure? Michal Ševčík Industry Solution Consultant Hewlett-Packard, Slovakia ITAPA, November 9 th, 2010

Content eid Primary Functions eid Privacy Features and Security Threats Identification / Authentication using eid Conclusions and Outlook 2

New German eid Standard: All non-biometric data electronically stored Digital photograph (only for entitled authorities, e.g. police and border control) Upon request (no extra charge): electronic ID function (access only to certain non-biometric data fields) Two fingerprints (only for entitled authorities, e.g. police and border control) Upon request (extra costs): Qualified electronic signature 3

Demand for a Secure Identification Online Percentage of the German Internet users who would use an electronic identity card for identification For following online services Banking E-Government Auctions Shopping Games 4

Basic Terminology Identification is a process to recognize an entity from the real world and to establish its identity. Identification of the person is submitting information related to that person (eg name), which are necessary for its unambiguous designations in relation to the system (eg hospital IS) 5

Basic Terminology cont. Authentication of the person is a process of verifying the authenticity of the declared identity of the person. Authentication approaches could be based on: what the person knows - knowledge of passwords, access codes, PINs etc. - password authentication what the person has - an identity card, passport, magnetic card, etc. token authentication what the person is - authentication using biometric parameters (fingerprint, face or palms biometrics,...) - biometric authentication 6

eid Primary and Extra Functions Primary functions Identification (in real as well as electronic world) Authentication (in real as well as electronic world) Qualified Digital Signature (QC) Encryption 7

eid Primary and Extra Functions Extra functions / Other applications Restricted Identity / Pseudonyms / Sector Identifiers Data comparison (e.g. age verification, document expiry) Data & Application modification (e.g. holder s permanent address, health insurance, certificates) Emergency data set provisioning Special data provisioning (health insurance membership) 8

Compliance with Legislation and Standards EU Directive 95/46/EC (data protection) No enforced standard yet (ECC) Different initiatives: BSI TR-03110, Advanced Security Mechanisms for Machine Readable Travel Documents Extended Access Control (EAC), Password Authenticated Connection Establishment (PACE), and Restricted Identification (RI)Version 2.05 CEN/TS 15480-1, Identification card systems European Citizen Card Part 1: Physical, electrical and transport protocol characteristics CEN/TS 15480-2, Identification card systems European Citizen Card Part 2: Logical data structures and card services pren 14890 Application interface for smart cards used as secured signature creation devices (part 1 basic requirements, part 2 additional services) ENISA recommendations/reports 9

eid Card Practical Use Age Age verification verification- -to to verify verify whether whether a person person is is older older or or younger younger than than a given given age age to to get get access access to to age-restricted age-restricted services services or or products products Address Address verification verification- -to to verify verify whether whether a person person lives lives in in a certain certain area area or or not not to to gain gain access access to to locally locally restricted restricted services services Credit Card Registration Registration- -to to give give nonbiometribiometric data data for for e-business e-business non- (e.g. (e.g. first first name, name, surname, surname, address) address) Web Web forms forms- -automated fill-in fill-in function function (to (to avoid avoid typing typing errors errors and and to to save save time) time) Pseudonymity Pseudonymityand and registration registration- - to to get get access access to to social social e-communities e-communities (e.g. (e.g. weblog, weblog, bulletin bulletin board, board, web web album) album) Access Access verification verification- -to to get get admittance admittance to to restricted restricted areas areas (e.g. (e.g. access access to to fair fair grounds, grounds, to to company company premises) premises) 10

Contact vs Contact-less Platform Contact-less Platform + Technology of the future Higher comfort Durability / Longer Lifetime Memory, Speed - Special PED reader QES certified Contact Platform + Proven Technology in EU/SK Readers availability Personalization reliability - Limited usage 11

eid Security Protocols in Context (GAP) Chip and eservice provider connected via network 1. PACE (contactless chip) 1. User terminal requires PIN 2. After successful PIN verification secure messaging is setup to read data from chip 2. eservice Provider (Terminal) Authentication 1. CV certificate is shown and provider is being authenticated with corresponding secret key 2. After successful certificate verification access to chip data is granted 3. Passive Authentication Security object verification is performed to confirm integrity of chip data 4. Chip Authentication (authenticity of chip&data) Chip restarts secure messaging between chip and eservice provider 12

eid Security Protocols Applications Trusted provisioning of electronic identity (identification, authentication) for citizens with regard to egovernment, ehealth, ebusiness, ebanking Document Verification Access Control regarding data modification Access Control regarding post-personalization eid concept guarantees a high level of card holder s data security Reading data from eid card only after card holder's explicit consent via PIN Data from eid card may be required only by certified service providers Data from eid chip are transmitted to a service provider via strongly secured channel 13

eid Privacy Features Access control mechanisms Secure communication between the card, the middleware and the server Selective Disclosure (EU data protection, Directive 95/46/EC) Verify-only mode Privacy-respecting use of unique identifiers Domain-specific UIDs (or sector-specific UIDs or sector-specific personal identifiers) Pseudonymous authentication 14

Security Threats Counterfeiting (card security features) Skimming (BAC, PACE, EAC) Eavesdropping (BAC, PACE, EAC) Document fingerprinting (not a unique CA or AA key pair) Cloning (CA or AA) Alteration (PA) Substitution (PA) 15

Security Threats cont. Man-in-the-middle attacks (CA + TA = EAC) Signing a bogus document (EAC, QES legislation) User authenticates to a bogus server (TA) Loss or Theft of card (PIN, PACE) Physical Attacks (chip CC EAL 5) Side-Channel Attacks (reader & chip certification CC EAL 5) Location Tracking (RI, pseudonyms) Behavioural Profiling (RI, pseudonyms) Proving the trustworthiness of personal information to a third party (EAC) 16

Classification of eservices Anonymous access to public information Authenticated access to own data Authorized access to registers QES required modification of data; transactions 17

eservice Distributed Alt. 18

eservice Distributed Alt. 19

eservice Distributed Alt. Chip Authentication Terminal Authentication EAC Holder s PC with chip communication middleware Certify provider DVCA eservice Provider PKI for verification Certify DVCA CVCA certificates CVCA 20

eservice Scenario Central Alt. egovernment Use Cases Inquiry Data submission / modification ebanking Opening a bank account Transferring money from a bank account 21

ehealth Scenario ehealth ehealth Use Cases Visiting a doctor Diagnostics Visiting a pharmacy Research 22

Conclusions and Outlook SK is 10 years behind, no need to start with cheques Open and multi-application concept Security and privacy are the biggest concerns Compatibility with ECC profile Usage for different sectors: egovernment, ehealth, ebanking, evoting, Social Networks, Municipalities, Corparate 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback