Electronic identification
Bozhidar Bozhanov

Vanity slide
• A developer
• http://blog.bozho.net
• http://techblog.bozho.net
• http://twitter.com/bozhobg
• E-government adviser to the deputy prime minister of Bulgaria

Main terms
• PKI (Public Key Infrastructure)
• smartcard
• HSM (Hardware Security Module)
• Primary register (primary data administrator)
• IdP (Identity Provider)
• SP (Service Provider)

E-identification
• Identification, identity
• e-identification vs digital signature
• online and offline identification
• administrative services
• e-banking (online, ATM)
• travel

Problem
• fragmentation
• PIN, PIC, passwords
• every institution has its own method
• low security level
• plaintext (PIN/PIC)
• password storage problems

A solution
National e-identification scheme

Legal framework

But anyway…
• Regulation 910/2014 of EP
• Law for e-identification
• (now in Bulgarian parliament)
• mandatory, non-exclusive e-identification scheme
• ordinance for applying the law
• will include technical details

The law
• identifying natural persons
• and legal persons through their legal representatives
• doesn’t define medium or storage
• defines participants
• center for e-identification (IdP)
• administrator of e-identity (Ministry of Interior, consulates, other)

The law - users’ perspective
• e-identifier (e-id) on
• separate card
• national id card (after 2017, opt-out; qualified digital signature - opt-in)
• mandatorily accepted by all public administration websites
• usable by the private sector

What can you do with it?
• inquiries and reports
• taxes due
• administrative acts
• insurance status
• requesting e-services
• travel
• e-banking?
• ...

The law - architecture
[Architecture diagram. Administrators of e-identity: MI, Consul, Other. Centers for e-identification: MTITC, Other. Other labels: e-id register; register of administrators; register of centers; eid <-> national ID (considered personal data); PKI.]

Use-cases
• Use-case 1: identifying on a government website
• Use-case 2: identifying and providing data about the person in real time
• identification + authorization
• public sector - healthcare, tax authority
• private sector – banks, online shops

Use-cases
• Use-case 3: anonymous identification (with the purpose of recurrent recognition)
• public transport, any website
• Use-case 4: access to citizens’ data in background mode
• not related to e-id
• currently this is done by nightly database replication across administrations

Inquiries
• ...to the IdP
• is the person over 18?
• does he live in city X?

Existing solutions
• Austria
• Estonia
• Germany
• Idemix
• U-Prove
• …

Austria
• java applet
• mobile id (sms, HSM)
• ssPIN (sector identifier)
• generated on the client

ssPIN

Austria - problems
• usability
• Java - no-go
• security
• applet is vulnerable
• ssPIN replay
• sms authentication
• MITM, phishing
• hash in SMS

Estonia
• certificate
• full name
• national identifier
• TLS clientAuth
• http://open-eid.github.io/
• National identifier -> X-Road -> data

X-Road

Estonia - problems
• no Identity Provider?
• mobile-ID using a custom SIM
• privacy

Germany
• only contactless smartcard
• desktop application
• incl. manual pseudonym management
• activating the reader

Germany - problems
• expensive readers
• usability (activation)
• small penetration
• losing your card => losing all sector IDs

IBM, Microsoft
• Anonymous credentials
• Idemix
• attributes, domain pseudonym
• slow, no revocation, bad usability with cards
• U-Prove
• attributes
• no revocation, bad usability with cards

Anonymous credentials
• applicability for national e-id schemes?
• …all institutions require the national identifier anyway
• attributes should not be on the card
• usability
• manual pseudonym generation
• using specific software
• need for knowledge of basic concepts: attributes, anonymity, etc.

STORK
• EU-wide e-identification
• SAML
• Federated identification
• PEPS (Pan-European Proxy) = IdP = Center for eid
• terrible client-side implementation of the pilot project

STORK

Bulgarian eid: concept
• open source from day 1
• open standards
• TLS clientAuth
• oauth-like authorization
• sector identifier
• sha512(encrypt(identifier + sectorKey, privateKey))?
• lost card = loss of sector identifier
• generated by IdP (using its private key)?
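
The two sector-identifier options on this slide, compared in an added example that is not from the deck or from the Bulgarian eid project. Assumptions: HMAC-SHA512 stands in for the private-key operation the slide leaves open, and the sector names, key sizes and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import uuid


def sector_id(eid: str, sector_key: str, secret: bytes) -> str:
    """sha512(keyed_op(identifier + sectorKey, key)), following the slide.

    Assumption: HMAC-SHA512 replaces the deterministic private-key operation.
    The length prefix keeps the identifier/sectorKey concatenation unambiguous.
    """
    message = f"{len(eid)}:{eid}{sector_key}".encode()
    keyed = hmac.new(secret, message, hashlib.sha512).digest()
    return hashlib.sha512(keyed).hexdigest()


def derive(scheme: str, eid: str, sector: str, card_key: bytes, idp_key: bytes) -> str:
    """scheme 'card': key lives on the card; scheme 'idp': key lives at the IdP."""
    return sector_id(eid, sector, card_key if scheme == "card" else idp_key)


def compare_options() -> dict:
    eid = str(uuid.uuid4())               # constructed eid (the deck suggests a UUID)
    idp_key = secrets.token_bytes(32)     # held by the IdP, independent of any card
    old_card = secrets.token_bytes(32)    # key on the original card
    new_card = secrets.token_bytes(32)    # reissued card: same eid, new key

    return {
        # Use-case 3: the same card yields the same identifier on every visit.
        "repeat_visit_recognised":
            derive("card", eid, "health", old_card, idp_key)
            == derive("card", eid, "health", old_card, idp_key),
        # "lost card = loss of sector identifier": a new card key changes it.
        "card_scheme_survives_reissue":
            derive("card", eid, "health", old_card, idp_key)
            == derive("card", eid, "health", new_card, idp_key),
        # IdP-generated identifiers do not depend on which card is presented.
        "idp_scheme_survives_reissue":
            derive("idp", eid, "health", old_card, idp_key)
            == derive("idp", eid, "health", new_card, idp_key),
        # Two sectors cannot join their records on the identifier alone.
        "sectors_share_identifier":
            derive("idp", eid, "health", new_card, idp_key)
            == derive("idp", eid, "tax", new_card, idp_key),
    }


if __name__ == "__main__":
    for check, outcome in compare_options().items():
        print(f"{check}: {outcome}")
```
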

On the card
• only eid (UUID?)
• all other data – taken from primary registers
• blood type
• key-pair
• dual interface chip?

Use-case 1, 2
[Sequence diagram. Participants: Citizen, IdP, SP, e-id register, Primary registers. Message labels: opens; redirect (sp_id); requires clientAuth; identifies; redirect(token); verifies; national ID; verifies; data (2).]

Use-case 3
• only citizen and Service Provider
• Direct clientAuth
• Only eid, no other data is transferred
• We must think of the flow of circumventing the IdP

Usability
• no java applets or ActiveX
• if possible, no additional software
• one-time installation if needed
• browser add-ons / pkcs11 module / root certificate
• no special UI
• usability problems -> operational IdP problems
• Smartphones – with NFC?

…the government wants to track me!

No
...but we don’t trust the government, therefore we take measures.

Privacy
• the government already has everything
• properties, companies, cars, addresses, relatives, heirs, etc. It can also track us by our mobile phone
• i.e. “privacy” concerns:
• access to our data by the private sector
• data access allowed by law vs allowed by citizen
• tracking actions by the government (public transport usage, ATM withdrawals, etc.)

Privacy - how
• sector identifier
• usability vs security, manual management
• attack: 1. request sectorId 2. request eid 3. link
• atomic inquiries to the IdP
• in the future: encrypting our data in the primary registries?
• citizen control over their data and history of access to it

Big Brother is not the telescreen – the telescreen can be broken or stopped. Big Brother is that which prevents us from stopping the telescreen.

Abuse?
• measures depending on the use-case
• smartcard (nobody can impersonate you)
• 2-factor authentication
• sms
• mobile app
• biometrics?

Abuse? (2)
• hardware keypad card readers
• ...or biometric sensors
• NFC security (ICAO)
• cancellation period
• note: eid vs qualified signature
• revoking a lost certificate

Feedback
• experts’ participation
• we need feedback
• stay tuned and follow the implementation (GitHub)
Comments are welcome: [email protected]

Thank you!