1111 1958 - 1111
DESCRIPTION
Meikäläinen Maija. F. 1111 1958 - 1111. Maija Meikäläinen. [email protected] www.vaestorekisterikeskus.fi. Finnish Electronic Identification and Supporting Technologies. General Issues. The amount of various transactions is increasing.
TRANSCRIPT
Finnish Electronic Identification and Supporting Technologies
General Issues
• The amount of various transactions is increasing rapidly in Internet
• To make it safe we need:
  • both sides identification,
  • digital signature,
  • encryption: data, data transfer
• Field is developing rapidly
• Important part of the information society
Identification, digital signatures and encryption are based on:
• open standards:
  • Public Key Infrastructure
  • PKIX based Certificate Policy
  • chipcards and readers (ISO-standards, 7816-series, incl. -8)
  • X.509 v.3 certificates, IETF PKIX "qualified certificate" draft
  • X.500- and LDAP-directories
  • EID-application (FINEID S4-1 = PKCS#15, FINEID impl.)
  • => will be modified to meet EESSI requirements
• highly secured environments
• centralized key generation
• face to face identification
• voluntary involvement
• cards and certificates valid for a certain time (3 years)
PARTNERS
• HelpDesk services: NovaCall, NovoGroup
• Card manufacture and RA duties: Setec, Police
• CA-system: ICL (iD2)
• Directory services: HPY, PeerLogic i500
• CRL services: Sonera
CA / CARD (process diagram)
• Registration Authority services (VRK): face to face identification, application ("manual information"), application information, PIN-codes
• Process database, VTJ
• Pregeneration of anonymous ID-cards (RSA-keys + PIN)
• Certificate services (Bull): certificate request -> certificate -> X.500 + CRL
• Card delivery (sample card holder: Meikäläinen Matti, 12345)
FINEID-application (PKCS#15)
Electronic ID-card -99 (MF), ~ 8-9 Kb:
• FINEID appl.
• Other data: city appl., bank appl., user own
• ~ 6-7 Kb Additional Certificates: (empl, org, customer...)
Files of the FINEID application with their update access conditions:
• EF (DIR) (update: PIN 1)
• ODF (update: SYS)
• TokenInfo (update: NEV)
• PrKDF (update: SYS)
• PrK #1 (update: NEV)
• PrK #2 (update: NEV)
• CDF #1, card holder certs (update: SYS)
• Cert #1 (update: SYS)
• Cert #2 (update: SYS)
• CDF #2, for new certs (update: PIN 1)
• CDF #3, trusted certs (update: SYS)
• CA Cert #1 (update: SYS)
• AODF (update: SYS)
• PIN #1 (update: NEV)
• PIN #2 (update: NEV)
• DODF (update: PIN 1)
• Unused space (update: PIN 1)
• Empty area (update: PIN 1)
FINEID-card with two keypairs
• Different keys and certificates and PIN-codes
• Also trusted CA (PRC) certificate, includes CA public key
• X.509 certificate 1: Authentication + encryption (PIN1); e.g. "Hello?" -> "Hi", encrypt session key
• X.509 certificate 2: Non-repudiation signature (PIN2)
Certificate
Basic fields:
• version: value 2 = X.509 v.3 certificate
• serial number: unique within an issuer
• signature: the algorithm identifier for the algorithm used by the CA to sign the certificate
• issuer: country = FI, organisation = VRK-FINSIGN Gov. CA, CommonName = Finsign CA for Citizen
• validity: YYMMDDHHMMSSZ
• subject: country = FI, Surname = Meikäläinen, Given name = Maija, Finuid = 123456786, cn = S+G+F
• subject public key: the algorithm identifier of the subject's public key
Extensions:
• Key usage: digitalSignature, keyEncipherment, dataEncipherment / nonRepudiation
• Certificate policies: policy identifier, OID (CP includes possible loss limitations etc.)
• Authority key identifier: the particular private CA key used to sign a certificate
• Subject key identifier: SHA-1 hash of the value of the BIT STRING subjectPublicKey
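As an added example that is not part of the presentation, the following Python encodes and decodes the KeyUsage BIT STRING for the two FINEID certificate profiles listed above (certificate 1: digitalSignature, keyEncipherment, dataEncipherment under PIN1; certificate 2: nonRepudiation under PIN2) and computes the Subject key identifier as the slide defines it, the SHA-1 of the value of the BIT STRING subjectPublicKey. The function names and the sample key bytes are assumptions made here.

```python
import hashlib

# KeyUsage bit numbering (RFC 5280): bit 0 is the MSB of the first content byte.
KEY_USAGE_BITS = {"digitalSignature": 0, "nonRepudiation": 1,
                  "keyEncipherment": 2, "dataEncipherment": 3}

def encode_key_usage(usages):
    """DER-encode KeyUsage as a BIT STRING (tag 0x03), dropping trailing zero bits."""
    bits = 0
    for name in usages:
        bits |= 1 << (7 - KEY_USAGE_BITS[name])
    unused = 7 - max(KEY_USAGE_BITS[n] for n in usages)  # DER: minimal bit count
    content = bytes([unused, bits])
    return bytes([0x03, len(content)]) + content

def decode_key_usage(der):
    """Parse a KeyUsage BIT STRING back into the set of usage names."""
    if der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed BIT STRING")
    unused, value = der[2], der[3]
    return {n for n, i in KEY_USAGE_BITS.items()
            if i < 8 - unused and value & (1 << (7 - i))}

def fineid_certificate_type(usages):
    """Classify by the two FINEID profiles; the non-repudiation key (PIN2) never
    doubles as the authentication/encryption key (PIN1), so mixtures are rejected."""
    usages = set(usages)
    if usages == {"nonRepudiation"}:
        return "certificate 2: non-repudiation signature (PIN2)"
    if usages == {"digitalSignature", "keyEncipherment", "dataEncipherment"}:
        return "certificate 1: authentication + encryption (PIN1)"
    raise ValueError("KeyUsage outside the FINEID profile: %s" % sorted(usages))

def subject_key_identifier(spk_bit_string):
    """SHA-1 of the subjectPublicKey BIT STRING value (no tag, length, unused-bits byte)."""
    if spk_bit_string[0] != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    length, start = spk_bit_string[1], 2
    if length >= 0x80:  # long-form length, needed for real RSA keys
        n = length & 0x7F
        length = int.from_bytes(spk_bit_string[2:2 + n], "big")
        start = 2 + n
    body = spk_bit_string[start:start + length]
    return hashlib.sha1(body[1:]).digest()  # body[0] is the unused-bits count

# Constructed placeholder, not a real key: BIT STRING 03 04 00 'a' 'b' 'c'.
SAMPLE_SPK = bytes.fromhex("030400616263")
```

The two profiles encode to `030204b0` and `03020640`, which is what a viewer shows for the FINEID certificate pair; a certificate asserting both nonRepudiation and keyEncipherment is rejected by `fineid_certificate_type`.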
WHERE, HOW, WHAT?
• FINEID-APPLICATION: ... COMPANY CARD, BANK CARD
• CITIZEN CERTIFICATES (not for company cards), ROLE CERTIFICATES, EMAIL CERTIFICATES, ...
• X.500
DIRECTORY SERVICE
• FINSIGN CA FOR CITIZEN X.500, OPEN DIRECTORY SERVICE
• CLOSED ENVIRONMENTS -> CLOSED DIRECTORIES
• PERSONAL CERTIFICATES:
  • CERTIFICATE 1: AUTHENTICATION AND ENCRYPTION
  • CERTIFICATE 2: DIGITAL SIGNATURE
• JURIDICAL AND SERVER CERTIFICATES
• CRL (Certificate Revocation List) V2
• DIRECTORY REQUESTS: LDAP V.2.0 AND V.3.0 SUPPORTED
X.500-directory
Issuer organisation level:
• c = FI
• dmd = JULHA, dmd = FINEID, dmd = ...
• o = VRK-FINSIGN Gov. CA, o = CertAll, o = NovoTrust, ...
CA level:
• cn = FinSign CA for citizen
  • caCertificate
  • crossCertificates
  • CRL
User level:
• cn = Meikäläinen Maija 123456789 or ui = 428 (cert serial number)
  • obj. = fineidPerson, strongAuthenticationUser or fineidUserCertificate
  • userCertificates (multivalue or per use), role and attribute certificates
  • s = Meikäläinen, g = Maija, finuid = 123456789, other attributes
    or s = Meikäläinen, g = Maija, fineidSubjectDistinguishedNameString = "s = Meikäläinen + g = Maija + finuid = 123456789, c = fi"
Interactive electronic form
Components:
• End user software: smart card support, digital signature, encryption, payments integration, e-mail (S/MIME), web-browser
• Smart card: keys, PIN1, PIN2, certificates, other data, other applications, ...
• Internet, Firewall, WWW-server, WWW-forms, TJ 1
Steps:
1.) Secure form
2.) Secure authentication (PIN1)
3.) Strong authentication, encryption of data transfer (SSL, IPSEC)
4.) FINUID 123456783
5.) Maija Meikäläinen, H: 111111-114A, addr: pöllökuja...
6.) Digital Signature
7.) PIN2
8.) Data storage
9.) Data check -> database
10.) Decision in storage, email to customer
11.) Customer reads, time stamp
Single Sign-on (diagram)
• Step 1: Secure Authentication with a smart card or SecurID token (Login: / Password:)
• Step 2: Transparent Sign-on with an encrypted password to the Departmental Server, Mainframe and Network Operating System
• SSO Product, SIB; Intranet, Extranet
EESSI Standards Overview (diagram)
• Signature creation process and environment
• Signature validation process and environment
• Signature format and syntax
• Creation device
• Qualified Certificate policy
• Trustworthy system
• Certification Service Provider
• Subscriber/signer, Relying party
• CEN E-SIGN, ETSI ESI
• Qualified certificate
• Time stamp
Qualified Electronic Signature environment (diagram)
• Subscriber (User), Relying parties, CSP, Auditors, Recognised Conformance Certification Body
• Internal documents, Qualified Certificate, OID
• Business Application using Qualified Electronic Signatures
• European Directive Requirements
Baseline Qualified Certificate Policy (diagram)
• Baseline Qualified Certificate Policy: Subscriber Agreement, CPS, Subscriber Obligations, CSP Obligations, Recommended Usage
Specific Qualified Certificate Policy (diagram)
• Specific Qualified Certificate Policy = Baseline Qualified Certificate Policy + additional community / application specific requirements
• Subscriber Agreement, CPS, Subscriber Obligations, Baseline + Specific CSP Obligations, Recommended Usage
Levels of certificates
• CA: VRK-Finsign Gov. CA -> Finsign CA for ...; VRK-Finsign Enterpr. CA? -> Finsign Enterprise CA for ...; Organizational CA's
• Specific Qualified Certificates (Gov. CA): certificates contain FINUID; RA's: police, social insurance institute, banks; two times face to face identification => widely accepted
• Qualified Certificates (Enterprise CA): B2B, B2C, no FINUID; RA's: ICL Invia, TietoEnator, ... other SW houses; meets the reqs by BQCP
• Qualified or non-qualified Certificates (Organizational CA's): no FINUID, use is up to the org. involved; may not meet the reqs coming from BQCP (e.g. SSCD does not fulfil the required level of security)
Framework for EESSI Standards & Classes for Electronic Signatures
Levels of signatures (diagram: Security/Quality level per component)
• Components: Signature Creation Device, Certificate Policy, Electronic Signature Syntax, Trustworthy System
• Classes: Qualified Electronic signature, Signature with long validity, Signature for limited value transactions
Users
Finland
• Public administration (100 ongoing projects)
• State authorities and municipalities (0,5 mill. employees)
• Private sector
  • banks, insurance companies, unions
  • telecommunication operators and Internet Service Providers
  • large firms
  • retail, e-commerce
• Citizens 5 millions
• Sweden: SEIS interoperability, both public and private sector
• Norway: SEIS interoperability in administration, citizens
• EU, PKCS#15 --> global market!
Where to use?
• Mobile Internet, Internet, Satellite-TV, Cable-TV, Digital-TV
• Education, Banking, Consuming, Wireless communications, Public services, ...
New technologies
Development under process:
• WWW (digital)-television with FINEID interoperability
• GSM/WAP with and without a separate card reader
• WWW-based infokiosks with FINEID interoperability
• enduser card reader and software package (ISP:s)
Electronic services
• The very first service to utilize the FINEID-card: electronic movement application by Population Register Centre and Finnish Post
Electronic services
Next services among others:
• Services by municipalities and regions (Tornio, Rovaniemi, Oulu, Kuusamo/Koillismaa, Pori, Raisio, Turku, Etelä-Karjala IT-region, Espoo, Vantaa, Helsinki and Joensuu. Common factors to all of these are different application forms, electronic forms, library services etc.)
• Application and financial services by the Finnish patent organization
• Electronic tax service for companies and organizations
• Employment services by the Ministry of Labour
• Electronic application form by the Office of Education
• Social and welfare services / makropilot
Private sector services, among others:
• OKO-bank, Leonia-bank and Mandatum bank will be offering, within a year, a significantly wider range of Internet banking services than before.
• Fennia-insurance will offer sophisticated Internet insurance services
• GE Capital will offer financial services for car dealers and buyers
• Services offered by Fortum concern consumers making contracts for buying electricity
• In addition, e.g. ICL will take the FINEID-card into internal usage