EID in EMEA & QuEST Ronny Bjones Security Program Manager Microsoft EMEA.
eID in EMEA & QuEST
  Ronny Bjones
  Security Program Manager
  Microsoft EMEA

Agenda
  What is happening in Europe
  Our technology support
  QuEST
  Conclusions

What is driving national smart card projects in Europe?
  eGovernment - eID
    Identification of citizens on the portals & counters
  Austria
    60k cards issued to students
    Scholarships, tuition fees
  Italy
    1.5M cards produced, 600k distributed, another 2M in production
    Registration & tax services, e-signing of documents, etc.
  Estonia
    500K cards distributed (50% penetration)
    Tax services, e-ticketing, etc.

What is driving national smart card projects in Europe?
  Social security
    Use of smart cards to protect privacy sensitive data
  Belgium
    SIS card issued to all citizens
    Doctors, pharmacies
  Norway
    National office for social assurance
    All doctors, hospitals
    PKI-based card, set of projects to simplify social security reporting

Norway
  [Diagram: architecture of the Norwegian health card infrastructure. Labels on the diagram: Public Health cards containing certificates; Professional Health cards containing certificates; Internet; Services (TTP, Payment, Time stamp); Municipality: Health care in institutions and private homes; DC (AD, DHCP); IAS (Radius); Offline Root CA; Enterprise CA; Citrix ticket server; Citrix farm, Application & DBase; Secure gateway; National databases & services; Population database, Personal ID number; National health security; National db on use of drugs; Regional health care institutions; EPJ; PACS; IAS; DC; Encrypted My health folder; Right Mngmnt Server; HR]
  Slide courtesy of ERGO

Impact of the EC Directives
  EC Directive on Electronic Signatures (1999)
    Legal framework for electronic signatures
    Adopted in all EU member states (25) + EEA (3) + Candidates (2) + MEA (2+)
  EC Directive on e-Invoicing (2001)
    Acceptance of electronic invoices
    Security based on AES or Secure EDI
    Important for the development of the supporting national PKI infrastructures
  EC Directive on e-Procurement (in development)

More numbers
  Columns: Country; Qualified Certificates; Other Certificates; EID
  Spain 2.000.000 1.500.000 Yes
  Italy 1.000.000 250.000 Yes
  Estonia 200.000 Yes
  Norway 60.000 Yes
  Austria 10.000 Yes
  Source: EC DG Information Society 2003

Typical Scenarios
  Secure eGovernment, eBanking, eBusiness requires security services
    Authentication
    Data Confidentiality
    Data Integrity
    Non-repudiation
  How are these services facilitated by eID?

Authentication
  Verify the identity of citizens by means of eID
    TCOS of Identity management is high
    Organisations can rely on the work done by the governments and enrol users over the Internet

Confidentiality
  Basic algorithms to encrypt information are foreseen in most eID projects
  Belgian eID does not foresee a certificate for encryption

Integrity & Non-repudiation
  How can we be sure that the data was not altered?
  How can we have proof in a case of law that a certain individual did this transaction?
  Typically done by Electronic Signatures which are supported by most eID projects
    Signing of forms, electronic documents

Agenda
  What is happening in Europe
  Our technology support
  QuEST
  Conclusions

Microsoft Smart Card Support
  Windows Logon
    Standard support for smart cards
    GINA Custom models
    Full integration with AD
    Terminal Server (W2K3)
  Applications can interface smart cards through
    CryptoAPI/CAPICOM
    .Net Framework

Microsoft Smart Card Support
  For vendors
    PC/SC
    Plug into CryptoAPI (custom CSP)
    New smart card base CSP

Smart card enabled technologies
  SSL – Internet Explorer
  Secure email (S/MIME) – Outlook (Express)
  VPN – W2K, XP, W2K3
  Secure form – InfoPath
  Document signing (Word, Excel, PowerPoint)
  Windows Right Management – W2K3
  Any third party CryptoAPI-enabled application

Agenda
  What is happening in Europe
  Our technology support
  QuEST
  Conclusions

QuEST
  Qualified Electronic Signatures Tutorial
    Demystify Qualified Electronic signatures
    Best practice/guidance for designing a Qualified Electronic signature solution

Why did we develop QuEST?
  Demystify the subject
    General perception: Very complex subject
    Multidisciplinary: Legal, Technology, Policy
  A lot of customers will get QES as a requirement in the years to come
    How to build a QES solution?

Approach
  Provide guidance for customers
    Project Managers & Architects
  Design a knowledge base – Blueprints
    Legal, Technology, Policy
    Knowledge base for different audiences
  Project Team Guide
    Which questions should be answered by a project team to design a QES solution
    Design process
  Scenario – Contoso Lottery
    Based on Norwegian Lottery
    Show how a QES solution can be implemented on our platform

QuEST Background
  EC Directive on Electronic Signatures
    1999
    Mandates member states to change their laws
  Electronic Signatures can be equivalent to handwritten signatures
    If they are performed under certain conditions
  European Electronic Signature Standardization Initiative (EESSI)
    ETSI – CEN standards
    Other standards

EESSI Standards Overview
  [Diagram: standards mapped to the parties Certification Service Provider, User/signer and Relying party/verifier; standards bodies CEN E-SIGN and ETSI ESI]
  Signature creation process and environment (A III): CWA 14170
  Signature validation process & environment (A IV): CWA 14171
  Signature format & syntax (Advanced ES): ETSI TS 101733, ETSI TS 101903 (XAdES)
  Creation device (A III): CWA 14169
  Requirements for CSPs (A II): ETSI TS 101456
  Trustworthy system (A II.f): CWA 14167-1, CWA 14167-2
  Qualified certificate (A I): ETSI 101 862
  Time Stamp: ETSI TS 101861

EC Directive on Electronic Signatures
  Electronic Signatures
    all kinds of substitutes for penned signatures
  Advanced Electronic Signatures
    security technology based on PKI
  Qualified Electronic Signatures
    Advanced Electronic Signature
    Qualified Certificate
    Secure Signature Creation Device

Building a QES Solution
  Mandatory Requirements
    Relate to Directive on Electronic Signatures
    Compliance
  Additional Requirements
    Risk management
    Added-value elements before court

Mandatory Requirements
  Impact of Directive
    An independent arbiter (Judge/Notary) should follow harmonised criteria to decide whether a signature was valid at a certain moment of time
  Legal requirements
    Advanced Electronic Signature (AdES)
    Qualified Certificate (QC)
    Secure Signature Creation Device (SSCD)
  EC Directive on Electronic Signatures

Additional Requirements
  Validation by an independent arbiter
    How can we facilitate that an independent arbiter can still validate a signature in a period of n years?
    Electronic Signature Format
  How can we reduce the risk that somebody can easily repudiate the signature?
  Risk management
    Standards and technology introduced to increase the overall security of a QES solution.

XAdES
  XML Advanced Electronic Signatures
    ETSI standard for XML Signatures
    TS 101 903
    Based on W3C XML Signatures
    W3C adopted XAdES
  Include signature qualifying properties
    TS 101 733
    Formats for advanced electronic signatures valid over a long period of time
  Aimed at convincing an independent arbiter of the validity of a signature

Conclusion
  eID is happening all over Europe and will become more and more a requirement in projects
  We have a lot of technology available that allows you to use eID or to develop eID based applications
  Download our QuEST guide and get guidance on how to enable signature scenarios in your apps based on eID

Resources
  Register for QuEST
    [email protected]@microsoft.com
    Subject: Register QuEST
  EC Report
    http://europa.eu.int/information_society/eeurope/2005/all_about/security/electronic_sig_report.pdf
  Microsoft developers info
    http://msdn.microsoft.com/security/
  Microsoft Smart Card Base CSP
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/microsoft_smart_card_base_cryptographic_provider.asp

© 2003 Microsoft Corporation. All rights reserved.
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.