eID: the Belgian Electronic Identity Card

eID: the Belgian Electronic Identity Card Jan Deprest Vlaanderen – OND-MVG – 28-06-2005


Page 1: eID:  the Belgian Electronic Identity Card

eID: the Belgian Electronic Identity Card

Jan Deprest

Vlaanderen – OND-MVG – 28-06-2005

Page 2: eID:  the Belgian Electronic Identity Card

e-government

Page 3: eID:  the Belgian Electronic Identity Card

What is e-Government?

NOT: about government

HOWEVER: it is about the government’s customers
• citizens
• businesses
• civil servants

Page 4: eID:  the Belgian Electronic Identity Card

e-Government principles

> total solution

> transparent (hide the internal organisation)

> “I will say it only once” - Unique Data Source (Virtual Government)

> limit the administrative formalities

> no extra cost

> Privacy

> no digital divide

Page 5: eID:  the Belgian Electronic Identity Card
Page 6: eID:  the Belgian Electronic Identity Card

Architecture & building blocks

[Diagram: SECURITY & PRIVACY; FEDMAN; UME; OTHER AUTHORITIES; OTHER INSTITUTIONS; FPS (four blocks); Connected government; PORTAL www.belgium.be; AUTHENTIC SOURCES; USER MGT]

Page 7: eID:  the Belgian Electronic Identity Card

eID - basics

A new ID-card with the format of a bank card and a powerful chip

Page 8: eID:  the Belgian Electronic Identity Card

Purpose eID project

Proof of identity

Signature tool

> To give Belgian citizens an electronic identity card enabling them to authenticate themselves to diverse applications and to place digital signatures

Page 9: eID:  the Belgian Electronic Identity Card

Which information ?

> From a visual point of view the same information will be visible as on the current identity card:
• the name
• the first two Christian names
• the first letter of the third Christian name
• the nationality
• the birth place and date
• the sex
• the place of delivery of the card
• the begin and end date of the validity of the card
• the denomination and number of the card
• the photo of the holder
• the signature of the holder
• the identification number of the National Register

> Identical functionality to current identity card

Visual identification of the holder

Page 10: eID:  the Belgian Electronic Identity Card

Which information ?

> From an electronic point of view the chip will contain the same information as printed on the card, supplemented with:
• the identity and signature keys
• the identity and signature certificates
• the accredited certification service provider
• information necessary for authentication of the card and securing of the electronic data
• the main residence of the holder

> (Currently) no encryption certificates

> No biometric data (yet)

> No electronic purse

> No storage of other data

Electronic identification of the holder

Page 11: eID:  the Belgian Electronic Identity Card

Distribution eID : how and where ?

[Diagram: card distribution flow in numbered steps (1) to (13). Labels: Municipality; Face to face identification; The municipalities; National Register; VRK; CM/CP/CI; CA; ECA; Bull; Meikäläinen Matti; PIN & PUK1-code]

Page 12: eID:  the Belgian Electronic Identity Card

eID - chip

eID,welcome to the e-world !

Page 13: eID:  the Belgian Electronic Identity Card

Contents of the chip

[Diagram: chip contents. Labels: ID; ADDRESS; RRN SIGN; PKI; authentication; digital signature; IDENTITY]

Page 14: eID:  the Belgian Electronic Identity Card

eID : the main e-functionalities

authentication

data capture

digital signature

Page 15: eID:  the Belgian Electronic Identity Card

Data capture

> faster data capture

data can be read directly from the card and stored in a particular system

> more accurate data capture

no more manual re-entry; less error-prone process

> more efficient data capture

faster processing of information

Page 16: eID:  the Belgian Electronic Identity Card

eID : the main e-functionalities

authentication

data capture

digital signature

Page 17: eID:  the Belgian Electronic Identity Card

Authentication

log on to web sites (SSO)

container park

library

access control

swimming pool

Page 18: eID:  the Belgian Electronic Identity Card

eID : the main e-functionalities

authentication

data capture

digital signature

Page 19: eID:  the Belgian Electronic Identity Card

Signature

1. Receive message
2. Inspect certificate
3. Check CRL/OCSP
4. Check certificate
5. Fetch public key
6. Fetch signature
7. Compute reference hash
8. Hash, signature, public key match?

Matching triplet?

[Diagram: Alice, hash, CRL, Bob; arrows numbered 1 to 8]

1. Compose message
2. Compute hash
3. Generate signature
4. Collect signature
5. Collect certificate
6. Send message

[Diagram: Alice, hash; arrows numbered 1 to 6]
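The two step lists on this slide, carried through in code as an added example that is not part of the original presentation, taking Alice as signer and Bob as verifier. It assumes a toy textbook-RSA key and a constructed certificate with hypothetical field names; chain validation up to the issuing CA is left out of step 4, which here checks the validity period and that the signature certificate (not the authentication certificate) was used.

```python
import hashlib
from datetime import date

# Toy textbook RSA from two Mersenne primes (constructed). Not secure: no padding,
# small modulus. It stands in for the card's signature key only to show the flow.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; on a real card it stays on the chip

# Constructed sample certificate (hypothetical field names).
ALICE_SIGN_CERT = {"serial": "SAMPLE-0001", "subject": "Alice", "usage": "signature",
                   "not_before": date(2005, 1, 1), "not_after": date(2010, 1, 1),
                   "public_key": (E, N)}

def digest(message: bytes, n: int) -> int:
    """Hash the message and map it into the toy RSA modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message: bytes, cert: dict) -> dict:
    """Alice: compute hash (2), generate signature (3), bundle it with the certificate (4-6)."""
    signature = pow(digest(message, N), D, N)
    return {"message": message, "signature": signature, "cert": cert}

def verify(envelope: dict, crl: set, today: date) -> str:
    """Bob: steps 2-8 of the verification list; returns a verdict string."""
    cert = envelope["cert"]                                   # 2. inspect certificate
    if cert["serial"] in crl:                                 # 3. check CRL/OCSP
        return "revoked"
    if not cert["not_before"] <= today <= cert["not_after"]:  # 4. check certificate:
        return "expired"                                      #    validity period ...
    if cert["usage"] != "signature":                          #    ... and key usage
        return "wrong-usage"
    e, n = cert["public_key"]                                 # 5. fetch public key
    signature = envelope["signature"]                         # 6. fetch signature
    reference = digest(envelope["message"], n)                # 7. compute reference hash
    # 8. hash, signature and public key must form a matching triplet
    return "valid" if pow(signature, e, n) == reference else "mismatch"
```
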

Page 20: eID:  the Belgian Electronic Identity Card

eID - PKI

Public Key Infrastructure

Page 21: eID:  the Belgian Electronic Identity Card

Trust Hierarchy

[Diagram: trust hierarchy. Labels: SelfSign Belgium Root; RootSign Belgium Root; ARL; Citizen CA; Gov CA; Admin CA; Hierar Admin; CRL (three); Card Admin; Cert Admin; Client Auth; Elec Sign; Data Crypt; Client Cert; Server Cert; Object Cert; Admin; Auth/Sign]

Page 22: eID:  the Belgian Electronic Identity Card

Certificates

> Citizen’s certificates & keys

• Authentication Certificate & key pair (1024 bits)
  • provide strong authentication (access control)
  • web site authentication
  • single sign-on (login)
  • etc.

• Signature Certificate & key pair (1024 bits)
  • provide non repudiation (electronic signature equivalent to handwritten signature)
  • Document Signing
  • Form Signing
  • etc.

• (Encryption Certificate & key pair)
  • foreseen at a later stage
  • private key backup/archiving

[Diagram: Belgium Root CA; Citizen CA; Auth; Sign; Crypt]

Page 23: eID:  the Belgian Electronic Identity Card

Trust Services

[Diagram: trust services. Labels: Request; Auth/Sign; Validate; Register; Population Registry; Secure Sites; Municipality; XKMS; OCSP; CA Factory; Citizens; CPS; SLA]

Page 24: eID:  the Belgian Electronic Identity Card

eID - toolkit

Let’s make use of the power of the eID !

Page 25: eID:  the Belgian Electronic Identity Card

eID-toolkits

> Two toolkits are under development:
• GUI + PKCS#11 libraries: reading, printing, validating and visualising the contents of the eID chip
• authentication proxy: easy authentication on multiple platforms

> Purpose is to hide internal card changes

> Labeling should be straightforward if applications use toolkits

> Both toolkits are free of charge

> Distribution through federal portal (http://www.belgium.be/fedict Projecten eID)

RELEASED

Page 26: eID:  the Belgian Electronic Identity Card

eID-toolkits

Page 27: eID:  the Belgian Electronic Identity Card

eID-toolkits : Identity

Page 28: eID:  the Belgian Electronic Identity Card

eID-toolkits : library

Page 29: eID:  the Belgian Electronic Identity Card

eID-toolkits : Certificates

Page 30: eID:  the Belgian Electronic Identity Card

eID-toolkits : Card & PIN

Page 31: eID:  the Belgian Electronic Identity Card

eID-toolkits : Options

Page 32: eID:  the Belgian Electronic Identity Card

eID - labelling

Page 33: eID:  the Belgian Electronic Identity Card

eID compliance label

> Requirements:
• For citizens: get confidence in practices of service providers regarding eID usage (e.g. privacy)
• For service providers: demonstrate best practices are indeed applied regarding eID usage (e.g. fraud)

> Inspired by two industry standards
• : eCommerce sites
• : eTransaction systems

> Lots of auditors available
• For service providers: easy to extend a WebTrust/SysTrust accreditation to be eID compliant
• For auditors: easy to extend a WebTrust/SysTrust license to become an eID compliance agent

> Fast & rather cheap compared to other schemes

> Not mandatory (but no eID liability otherwise)

Trust Services

Page 34: eID:  the Belgian Electronic Identity Card

> Labeling procedure
• card readers
• applications

creating trust for citizens, a legal basis for the government and branding for enterprises

Based on industry standards :

> Currently being worked out in cooperation with Banksys, CBSS

eID-label

Page 35: eID:  the Belgian Electronic Identity Card

eID - applications

Only the developers’ creativity will limit the usage of the eID card.

Page 36: eID:  the Belgian Electronic Identity Card

Home & Work

> Office tools
• e-mail
• login (local PC & network)
• logon (other services)
• data & program confidentiality
• forms
• ...

Page 37: eID:  the Belgian Electronic Identity Card

Administration

> Federal
• TAX-ON-WEB
• VAT
• DIV
• …

> Municipalities
• marriage
• house
• kids
• school
• library
• swimming pool
• container parks
• …

Page 38: eID:  the Belgian Electronic Identity Card

Telecom

> Telephony
• reloadable & account cards
• GSM cards ==> UMTS/i-mode

> Television
• Pay-TV
• decryption cards

> Post
• registered Mail over internet

> Internet
• VOIP (voice over IP)
• i-mode

Page 39: eID:  the Belgian Electronic Identity Card

Finance

> Identification
• netbanking (userID/Tokens)
• loket (bank agency)
• insurance contract (signature)

> Payment
• credit cards
• debit cards
• electronic purse

Page 40: eID:  the Belgian Electronic Identity Card

Healthcare

> Insurance
• MediCard (contract)

> Hospital
• private data (hospital card, etc)
• health/emergency data (blood group, etc)

> Reimbursement
• SIS card
• pharmacy
• doctors

Page 41: eID:  the Belgian Electronic Identity Card

Transport

> Public transport
• ticketing
• in-flight entertainment

> Parking
• access
• tolling

> Gas & Fuel
• fuel cards
• loyalty cards

Page 42: eID:  the Belgian Electronic Identity Card

Retail & Delivery

> Loyalty Programs
• points collection
• online gift selection

> Payment Credit
• contract signature
• payment system (domiciliation)

> Home Delivery
• online orders
• data capture & digital signature

Page 43: eID:  the Belgian Electronic Identity Card

The sky is the limit !

home banking, online opening of accounts, …

proof of membership

SSO, …

healthcare

driver’s licence

student cards, e-learning, …

e-commerce

Page 44: eID:  the Belgian Electronic Identity Card

Q&A

Page 45: eID:  the Belgian Electronic Identity Card

Rue Marie Thérèse 1/3 / Maria-Theresiastraat 1/3

Bruxelles 1000 Brussel

TEL +32 2 212 96 00

FAX +32 2 212 96 99

[email protected]

www.belgium.be/fedict

Th@nk you !