Electronic Identification Bozhidar Bozhanov
Vanity slide
• A developer
• http://blog.bozho.net
• http://techblog.bozho.net
• http://twitter.com/bozhobg
• E-government adviser to the deputy prime minister of Bulgaria
Main terms
• PKI (Public Key Infrastructure)
• smartcard
• HSM (Hardware Security Module)
• Primary register (primary data administrator)
• IdP (Identity Provider)
• SP (Service Provider)
E-identification
• Identification, identity
• e-identification vs digital signature
• online and offline identification
  • administrative services
  • e-banking (online, ATM)
  • travel
Problem
• fragmentation
  • PIN, PIC, passwords
  • every institution has its own method
• low security level
  • plaintext (PIN/PIC)
  • password storage problems
A solution
National e-identification scheme
Legal framework
But anyway…
• Regulation 910/2014 of EP
• Law for e-identification
  • (now in Bulgarian parliament)
  • mandatory, non-exclusive e-identification scheme
• ordinance for applying the law
  • will include technical details
The law
• identifying natural persons
  • and legal persons through their legal representatives
• doesn’t define medium or storage
• defines participants
  • center for e-identification (IdP)
  • administrator of e-identity (Ministry of Interior, consulates, other)
The law - users’ perspective
• e-identifier (e-id) on
  • separate card
  • national id card (after 2017, opt-out; qualified digital signature - opt-in)
• mandatorily accepted by all public administration websites
• usable by the private sector
What can you do with it?
• inquiries and reports
  • taxes due
  • administrative acts
  • insurance status
• requesting e-services
• travel
• e-banking?
• ...
The law - architecture
[Diagram: administrators of e-identity (MI, Consul, Other); centers for e-identification (MTITC, Other); e-id register; register of administrators; register of centers; eid <-> national ID (considered personal data); PKI]
Use-cases
• Use-case 1: identifying on a government website
• Use-case 2: identifying and providing data about the person in real time
  • identification + authorization
  • public sector - healthcare, tax authority
  • private sector – banks, online shops
Use-cases
• Use-case 3: anonymous identification (with the purpose of recurrent recognition)
  • public transport, any website
• Use-case 4: access to citizens’ data in background mode
  • not related to e-id
  • currently this is done by nightly database replication across administrations
Inquiries
• ...to the IdP
  • is the person over 18?
  • does he live in city X?
Existing solutions
• Austria
• Estonia
• Germany
• Idemix
• U-Prove
• …
Austria
• Java applet
• mobile id (sms, HSM)
• ssPIN (sector identifier)
  • generated on the client
ssPIN
Austria - problems
• usability
  • Java - no-go
• security
  • applet is vulnerable
  • ssPIN replay
  • sms authentication
  • MITM, phishing
  • hash in SMS
Estonia
• certificate
  • full name
  • national identifier
• TLS clientAuth
• http://open-eid.github.io/
• National identifier -> X-Road -> data
X-Road
Estonia - problems
• no Identity Provider?
• mobile-ID using a custom SIM
• privacy
Germany
• only contactless smartcard
• desktop application
• incl. manual pseudonym management
• activating the reader
Germany - problems
• expensive readers
• usability (activation)
• small penetration
• losing your card => losing all sector IDs
IBM, Microsoft
• Anonymous credentials
• Idemix
  • attributes, domain pseudonym
  • slow, no revocation, bad usability with cards
• U-Prove
  • attributes
  • no revocation, bad usability with cards
Anonymous credentials
• applicability for national e-id schemes?
  • …all institutions require the national identifier anyway
  • attributes should not be on the card
• usability
  • manual pseudonym generation
  • using specific software
  • need for knowledge of basic concepts: attributes, anonymity, etc.
STORK
• EU-wide e-identification
• SAML
• Federated identification
  • PEPS (Pan-European Proxy) = IdP = Center for eid
• terrible client-side implementation of the pilot project
STORK
Bulgarian eid: concept
• open source from day 1
• open standards
• TLS clientAuth
• OAuth-like authorization
• sector identifier
  • sha512(encrypt(identifier + sectorKey, privateKey))?
  • lost card = loss of sector identifier
  • generated by IdP (using its private key)?
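An added example (not from the slides or the project's code) of the IdP-generated option raised above: the sector identifier is derived from the eid with HMAC-SHA512 under an IdP-held secret, swapped in here for the slide's sha512(encrypt(...)) sketch. The secret, sector names and eids are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder; in the scheme this secret would stay inside the IdP's HSM.
IDP_SECRET = b"\x01" * 32


def sector_id(eid: str, sector_key: str, secret: bytes = IDP_SECRET) -> str:
    """Per-sector pseudonym computed by the IdP, never by the card or the SP."""
    # Length-prefix each field so "ab" + "c" and "a" + "bc" cannot collide,
    # which a plain identifier + sectorKey concatenation would allow.
    parts = (eid.encode(), sector_key.encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(secret, msg, hashlib.sha512).hexdigest()


def joinable(db_a: set, db_b: set) -> int:
    """How many citizens two SPs could match by comparing stored identifiers."""
    return len(db_a & db_b)


# Constructed sample eids (the slides suggest a UUID on the card).
EIDS = [
    "3f2b6c1e-0000-4000-8000-000000000001",
    "3f2b6c1e-0000-4000-8000-000000000002",
]


def demo() -> dict:
    health = {sector_id(e, "healthcare") for e in EIDS}
    bank = {sector_id(e, "banking") for e in EIDS}
    return {
        "raw_eid_join": joinable(set(EIDS), set(EIDS)),  # both SPs store the eid
        "sector_id_join": joinable(health, bank),        # both SPs store sector ids
        # Derived from the eid, not from the card's key pair: a replacement
        # card carrying the same eid keeps the same sector id.
        "stable_after_reissue": sector_id(EIDS[0], "banking") in bank,
    }


if __name__ == "__main__":
    print(demo())
```

Deriving from the eid at the IdP is what avoids the "lost card = loss of sector identifier" problem; deriving from a key that lives only on the card would not.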
On the card
• only eid (UUID?)
  • all other data – taken from primary registers
  • blood type
• key-pair
• dual interface chip?
Use-case 1, 2
[Sequence diagram. Participants: Citizen, IdP, SP, e-id register, Primary registers. Message labels: identifies; requires clientAuth; opens; redirect (sp_id); redirect (token); verifies; national ID; verifies; data (2)]
Use-case 3
• only citizen and Service Provider
• Direct clientAuth
• Only eid, no other data is transferred
• We must think of the flow of circumventing the IdP
Usability
• no Java applets or ActiveX
• if possible, no additional software
• one-time installation if needed
  • browser add-ons / pkcs11 module / root certificate
• no special UI
• usability problems -> operational IdP problems
• Smartphones – with NFC?
…the government wants to track me!
No
...but we don’t trust the government, therefore we take measures.
Privacy
• the government already has everything
  • properties, companies, cars, addresses, relatives, heirs, etc. It can also track us by our mobile phone
• i.e. “privacy” concerns:
  • access to our data by the private sector
  • data access allowed by law vs allowed by citizen
  • tracking actions by the government (public transport usage, ATM withdrawals, etc.)
Privacy - how
• sector identifier
  • usability vs security, manual management
  • attack: 1. request sectorId 2. request eid 3. link
• atomic inquiries to the IdP
• in the future: encrypting our data in the primary registries?
• citizen control over their data and history of access to it
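An added example (not the project's code) of the atomic inquiries from the Inquiries slide and the list above, together with the access history a citizen could review: the IdP answers one yes/no question per request and logs it. The register row, SP names and predicate names are hypothetical.

```python
from datetime import date

# Constructed primary-register row and per-SP policy; all names are hypothetical.
REGISTER = {"eid-001": {"born": date(2001, 5, 17), "city": "Sofia"}}
SP_ALLOWED = {
    "shop.example": {"over_18"},
    "city-portal.example": {"over_18", "lives_in"},
}
ACCESS_LOG = []  # what the citizen could later review


def _age(born: date, today: date) -> int:
    # Subtract one if this year's birthday has not happened yet.
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


PREDICATES = {
    "over_18": lambda rec, arg, today: _age(rec["born"], today) >= 18,
    "lives_in": lambda rec, arg, today: rec["city"] == arg,
}


def inquire(sp_id: str, eid: str, predicate: str, arg=None, today=None) -> bool:
    """Answer one yes/no question; the SP never sees the birth date or address."""
    today = today or date.today()
    allowed = predicate in PREDICATES and predicate in SP_ALLOWED.get(sp_id, set())
    # Log before answering so refused requests are visible to the citizen too.
    ACCESS_LOG.append({"sp": sp_id, "eid": eid, "predicate": predicate,
                       "arg": arg, "on": today.isoformat(), "allowed": allowed})
    if not allowed:
        raise PermissionError(f"{sp_id} may not ask {predicate}")
    return bool(PREDICATES[predicate](REGISTER[eid], arg, today))


def history(eid: str) -> list:
    """Every inquiry made about one citizen, including refused ones."""
    return [entry for entry in ACCESS_LOG if entry["eid"] == eid]
```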
Big Brother is not the telescreen – the telescreen can be broken or stopped. Big Brother is that which prevents us from stopping the telescreen.
Abuse?
• measures depending on the use-case
• smartcard (nobody can impersonate you)
• 2-factor authentication
  • sms
  • mobile app
  • biometrics?
Abuse? (2)
• hardware keypad card readers
  • ...or biometric sensors
• NFC security (ICAO)
• cancellation period
  • note: eid vs qualified signature
• revoking a lost certificate
Feedback
• experts’ participation
• we need feedback
• stay tuned and follow the implementation (GitHub)
Comments are welcome: [email protected]
Thank you!