The Mobile Finnish Identity Certificate

Similar documents
FINEID - S4-2 Implementation Profile 2

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

SONERA MOBILE ID CERTIFICATE

TELIA MOBILE ID CERTIFICATE

PKI Knowledge Dissemination Program. PKI Standards. Dr. Balaji Rajendran Centre for Development of Advanced Computing (C-DAC) Bangalore

Public Key Cryptography Options for Trusted Host Identities in HIP

<Partner Name> <Partner Product> RSA SECURID ACCESS Authenticator Implementation Guide. Check Point SmartEndpoint Security

FINEID - S4-1 Implementation Profile 1

WAP Security. Helsinki University of Technology S Security of Communication Protocols

KeyOne. Certification Authority

INTEGRATED SECURITY SYSTEM FOR E-GOVERNMENT BASED ON SAML STANDARD

ETSI TS V7.1.0 ( )

Axway Validation Authority Suite

Design and Implementation of a Mobile Transactions Client System: Secure UICC Mobile Wallet

ActiveSecurity MyClient

Strong Authentication for Web Services using Smartcards

PKCS #15: Conformance Profile Specification

Java Card Technology-based Corporate Card Solutions

Application Note. Web Signing. Document version

Public. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2

SERVICE DESCRIPTION. Population Register Centre s online services

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

SSH Communications Tectia SSH

PKI Services. Text PKI Definition. PKI Definition #1. Public Key Infrastructure. What Does A PKI Do? Public Key Infrastructures

ODYSSEY. cryptic by intent. Snorkel-TX. Feature Highlights & Technical Specifications. Odyssey Technologies Ltd.

Guide Installation and User Guide - Windows

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Leveraging HSPD-12 to Meet E-authentication E

VeinID SCANNERS FOR DIGITAL SIGNING. Hitachi s VeinID Solution for signing digital transactions enables new levels of security and user convenience.

Certificate service General description Implementation project of a national Incomes Register

Security Requirements for Crypto Devices

Guide Installation and User Guide - Mac

Unifie X Common Gateway Server (N Tier)

esign - Evolving Opportunities and Applications C E N T R E F O R D E V ELOPMENT O F A D VANCED C O MPUTING N O V E M B E R 1 5,

McAfee Endpoint Encryption

HP Instant Support Enterprise Edition (ISEE) Security overview

An Overview of Secure and Authenticated Remote Access to Central Sites

CPSC 467: Cryptography and Computer Security

Who s Protecting Your Keys? August 2018

Open Mobile API The enabler of Mobile ID solutions. Alexander Summerer, Giesecke & Devrient 30th Oct. 2014

How to Configure S/MIME for WorxMail

Public Key Infrastructure

DBsign for HTML Applications Version 4.0 Release Notes

Information technology Security techniques Telebiometric authentication framework using biometric hardware security module

Building on existing security

The SafeNet Security System Version 3 Overview

Arcot Universal Client SAFE-Compliant Digital Signatures

Mavenir Systems Inc. SSX-3000 Security Gateway

Thales nshield Series

Implementing and Administering Security in a Microsoft Windows 2000 Network Course 2820 Five days Instructor-led Published: February 17, 2004

SMART CARDS. Miguel Monteiro FEUP / DEI

SAML-Based SSO Solution

What is a Digital Certificate? Basic Problem. Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

Digital Certificates, Certification Authorities, and Public Key Infrastructure. Sections

ISACA CISA. ISACA CISA ( Certified Information Systems Auditor ) Download Full Version :

PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

@firma, Validation Platform for PKIs

Getting to Grips with Public Key Infrastructure (PKI)

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

Digital Certificates Demystified

Public-key Infrastructure Options and choices

Digital signatures: How it s done in PDF

Installation and Configuration Last updated: May 2010

Public Key Establishment

Xceedium Xsuite. Secured by RSA Implementation Guide for 3rd Party PKI Applications. Partner Information. Last Modified: February 10 th, 2014

Using existing security infrastructures

ActivCard Strong Authentication product line. Jerome Becquart, Senior Product Manager

Key Management and Distribution

SC-3 USB Token. QUICK Reference. Copyright 2007 CRYPTOCard Corporation All Rights Reserved

CERN Certification Authority

Short-Lived Certificates as a Mobile Authentication Method

DoD Wireless Smartphone Security Requirements Matrix Version January 2011

Federal Voting Assistance Program (FVAP)

Interface. Circuit. CryptoMate

eidas Interoperability Architecture Version November 2015

Glossary. xii. Marina Yue Zhang and Mark Dodgson Downloaded from Elgar Online at 02/04/ :16:01PM via free access

SafeGuard LAN Crypt: Loading Profile Troubleshooting Guide

LPKI - A Lightweight Public Key Infrastructure for the Mobile Environments

Certificateless Public Key Cryptography

Network Security Essentials

E-services instructions The City of Helsinki e-services support, open Mon-Fri from 8 AM to 6 PM Tel.

Elliptic Curve Cryptography (ECC) based. Public Key Infrastructure (PKI) Kunal Abhishek Society for Electronic Transactions & Security (SETS), Chennai

Public Key Infrastructures

AS emas emudhra Authentication Solution

CERTIFICATE POLICY CIGNA PKI Certificates

Chapter 8 Information Technology

A demonstration is available in which the OpenEapSmartcard.NET device is used as an authentication token, controlling the access to a Wi-Fi network.

Technical report. Signature creation and administration for eidas token Part 1: Functional Specification

TLS. RFC2246: The TLS Protocol. (c) A. Mariën -

This document is a preview generated by EVS

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Digital Certificates. PKI and other TTPs. 3.3

Secure Store & Forward / Digital Signatures (BC-SEC-SSF)

1. Product Overview 2. Product Features 3. Product Value 4. Comparison Chart 5. Product Applications 6. Q & A

U.S. E-Authentication Interoperability Lab Engineer

Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop

Secure Access to Private Services in Intranet for Mobile Clients

Certificate Enrollment- and Signing Services for the Cloud. A behind-the-scenes presentation of a successful cooperation between

ASIA PKI Forum Overcome PKI Deployment Obstacles. Terry Leahy, CISSP Vice President, Wells Fargo Sept 15th, 2003

OVERCOMING CHANNEL BANDWIDTH CONSTRAINTS IN SECURE SIM APPLICATIONS

Transcription:

The Mobile Finnish Identity Certificate Dr.Tech. Göran Pulkkis and BSc (Eng.) Jonny Karlsson ARCADA Polytechnic Helsinki Finland PRESENTATION OUTLINE Finnish Electronic Identity (FINEID) as a Smartcard Application Mobile Fineid based on PKI SIM Cards Standardized Mobile Signature Service Authentication Service based on Mobile FINEID Practical demonstration: authentication to a www service Mobile FINEID Deployment Issues

FINEID APPLICATION Based on open standards Public Key Infrastructure 2 key pairs, certificates and PIN Codes: Authentication + encryption Non-repudiation signature PKIX based Certificate Policy X.509v.3 certificates and X.500 and LDAP directories http://www.fineid.fi/vrk/fineid/home.nsf/pages/index_eng FINEID APPLICATION The file structure of the FINEID application is is based onthe ISO/IEC 7816-15 and PKCS#15 specification. Notice that the FINEID application must be selected prior to being able to access this file structure. The FINEID application may potentially exist in a multiapplication smart card or other interoperable token.

FINEID APPLICATION FINEID APPLICATION

FINEID APPLICATION FINEID APPLICATION Individuality

SMARTCARDS Specific security components in user devices in mobile cellular networks are smartcards such as: SIM (Subscriber Identity Module) USIM (Universal SIM) PKI SIM (Public Key Infrastructure SIM) A SIM/USIM card securely stores an authentication key identifying a GSM/3G network user. A PKI SIM is a SIM/USIM with an integrated RSA crypto processor and storage space for private keyes. SIM Card Mobile phone a personal trusted device GSM PKI Solution Enabling Secure Mobile Communications In Finland the Population Register Centre has concluded a co-operation agreement with TeliaSonera Finland and Elisa in creating a mobile phone service for the electronic identification of a person It is possible to use the services of both public administration and the private sector Can be utilised also in communications services through the Internet, in which case the mobile phone acts like a card reader

Mobile Electronic Identity Mobile FINEID (Finnish Electronic Identity) is a mobile electronic ID for inhabitants in Finland. Based on PKI with user private keys integrated in a PKI SIM: Mobile Electronic Identity PKI SIM cards are currently issued by two Finnish operators. PKI SIM owner identities are verified by mobile citizen certificates issued by the Finnish Population Register Center (PRC).

Technical Features of a FINEID PKI SIM Contains a crypto processor and two PIN code protected private keyes: Authentication/encryption key Signature key Technical Features of a FINEID PKI SIM The corresponding X.509 certified public keys are stored in the FINEID certificate directory administrated by the PRC. http://www.fineid.fi/vrk/fineid/home.nsf/en/certificate_directory Hashes of both public keys are stored in the PKI SIM for retreival of correct certificates from the certificate directory.

Technical Features of a FINEID PKI SIM Contains a SIM Application Toolkit (SAT) application known as Wireless Internet Browser (WIB). A PKI plug-in (PKCS#7 Signature plug-in) is used to generate signatures with the private keys through function calls executed by the WIB. Function calls to, input data to, and retreival of return data from the signature plug-in are encapsulated in SMS messages transmitted over an Over the Air (OTA) connection. Mobile Signature Service (MSS) Architecture

Mobile Signature Service (MSS) Architecture Communication between the service provider and the operator is based on an ETSI TS 102.204 standarized web service interface. The interface is mainly based on: Simple Object Access Protocol (SOAP) XML HTTP/HTTPS Signature roaming is supported and is based on a public standard: ETSI TS 102 207 standard Authentication based on Mobile FINEID Example: User authentication to a Protected WEB Service 1. The user tries to access the web service using HTTP and the web service informs the user that authentication is required and asks s for the user s s phone number 2. After receiving the phone number the service provider (in this case c the web service) sends a signature request message, containing the user s s phone number, to the mobile operator. 3. The mobile operator sends a signature request to the user s s mobile phone PKI SIM, where a PKCS#1 signature is generated with the private key. 4. The PKCS#1 signature and the public key hash is sent back to the mobile operator and the user s s citizen certificate is retrieved from the PRC directory based on the hash. 5. The signature is embedded into a PKCS#7 package, containing the user certificate, and sent to the service provider. 6. After successful signature verification, the user can access the protected WEB service

Authentication based on Mobile FINEID Example: User authentication to a Protected WEB Service Practical demonstration: https://vrk.fineid.fi/hstsign/gsmtunnistus/mobiilitesti.htm MSS Architecture Evaluation The architecture of current MSS systems is complex because of the required SMS communication with the PKI SIM. An agreement between the SP and the operator is required. The technical specifications of operator specific PKI SIMs are confidential and application and service development is thus mostly operator dependent. Currently, there are no public services for mobile FINEIDs.

CONCLUSIONS Mobile Electronic Identities provide strong PKI based authentication, encryption, and digital signature services. Further work should be done on improving the usability of and on developing applications for Mobile FINEID

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback