electronic identification

Post on 15-Apr-2017


Electronic Identification
Bozhidar Bozhanov

Vanity slide
• A developer
• http://blog.bozho.net
• http://techblog.bozho.net
• http://twitter.com/bozhobg
• E-government adviser to the deputy prime minister of Bulgaria

Main terms
• PKI (Public Key Infrastructure)
• smartcard
• HSM (Hardware Security Module)
• Primary register (primary data administrator)
• IdP (Identity Provider)
• SP (Service Provider)

E-identification
• Identification, identity
• e-identification vs digital signature
• online and offline identification
  • administrative services
  • e-banking (online, ATM)
  • travel

Problem
• fragmentation
  • PIN, PIC, passwords
  • every institution has its own method
• low security level
  • plaintext (PIN/PIC)
  • password storage problems

A solution

National e-identification scheme

Legal framework

But anyway…
• Regulation 910/2014 of EP
• Law for e-identification
  • (now in Bulgarian parliament)
  • mandatory, non-exclusive e-identification scheme
• ordinance for applying the law
  • will include technical details

The law
• identifying natural persons
  • and legal persons through their legal representatives
• doesn’t define medium or storage
• defines participants
  • center for e-identification (IdP)
  • administrator of e-identity (Ministry of Interior, consulates, other)

The law - users’ perspective
• e-identifier (e-id) on
  • separate card
  • national id card (after 2017, opt-out; qualified digital signature - opt-in)
• mandatorily accepted by all public administration websites
• usable by the private sector

What can you do with it?
• inquiries and reports
  • taxes due
  • administrative acts
  • insurance status
• requesting e-services
• travel
• e-banking?
• ...

The law - architecture
[Diagram labels: e-id register; administrators of e-identity (MI, Consul, Other); centers for e-identification (MTITC, Others); register of administrators; register of centers; eid <-> national ID (considered personal data); PKI]

Use-cases
• Use-case 1: identifying on a government website
• Use-case 2: identifying and providing data about the person in real time
  • identification + authorization
  • public sector - healthcare, tax authority
  • private sector – banks, online shops

Use-cases
• Use-case 3: anonymous identification (with the purpose of recurrent recognition)
  • public transport, any website
• Use-case 4: access to citizens’ data in background mode
  • not related to e-id
  • currently this is done by nightly database replication across administrations

Inquiries
• ...to the IdP
• is the person over 18?
• does he live in city X?

Existing solutions
• Austria
• Estonia
• Germany
• Idemix
• U-Prove
• …

Austria
• java applet
• mobile id (sms, HSM)
• ssPIN (sector identifier)
  • generated on the client

ssPIN

Austria - problems
• usability
  • Java - no-go
• security
  • applet is vulnerable
  • ssPIN replay
  • sms authentication
  • MITM, phishing
  • hash in SMS

Estonia
• certificate
  • full name
  • national identifier
• TLS clientAuth
• http://open-eid.github.io/
• National identifier -> X-Road -> data

X-Road

Estonia - problems
• no Identity Provider?
• mobile-ID using a custom SIM
• privacy

Germany
• only contactless smartcard
• desktop application
  • incl. manual pseudonym management
• activating the reader

Germany - problems
• expensive readers
• usability (activation)
• small penetration
• losing your card => losing all sector IDs

IBM, Microsoft
• Anonymous credentials
• Idemix
  • attributes, domain pseudonym
  • slow, no revocation, bad usability with cards
• U-Prove
  • attributes
  • no revocation, bad usability with cards

Anonymous credentials
• applicability for national e-id schemes?
  • …all institutions require the national identifier anyway
  • attributes should not be on the card
• usability
  • manual pseudonym generation
  • using specific software
  • need for knowledge of basic concepts: attributes, anonymity, etc.

STORK
• EU-wide e-identification
• SAML
• Federated identification
  • PEPS (Pan-European Proxy) = IdP = Center for eid
• terrible client-side implementation of the pilot project

STORK

Bulgarian eid: concept
• open source from day 1
• open standards
• TLS clientAuth
• oauth-like authorization
• sector identifier
  • sha512(encrypt(identifier + sectorKey, privateKey))?
  • lost card = loss of sector identifier
  • generated by IdP (using its private key)?

On the card
• only eid (UUID?)
  • all other data – taken from primary registers
  • blood type
• key-pair
• dual interface chip?

Use-case 1, 2
[Sequence diagram. Participants: Citizen, IdP, SP, e-id register, Primary registers. Labels: identifies; requires clientAuth; opens; redirect (sp_id); redirect(token); verifies; national ID; verifies; data (2)]

Use-case 3
• only citizen and Service Provider
• Direct clientAuth
• Only eid, no other data is transferred
• We must think of the flow of circumventing the IdP

Usability
• no java applets or ActiveX
• if possible, no additional software
• one-time installation if needed
  • browser add-ons / pkcs11 module / root certificate
• no special UI
• usability problems -> operational IdP problems
• Smartphones – with NFC?

…the government wants to track me!

No

...but we don’t trust the government, therefore we take measures.

Privacy
• the government already has everything
  • properties, companies, cars, addresses, relatives, heirs, etc. It can also track us by our mobile phone
• i.e. “privacy” concerns:
  • access to our data by the private sector
  • data access allowed by law vs allowed by citizen
  • tracking actions by the government (public transport usage, ATM withdrawals, etc.)

Privacy - how
• sector identifier
  • usability vs security, manual management
  • attack: 1. request sectorId 2. request eid 3. link
• atomic inquiries to the IdP
• in the future: encrypting our data in the primary registries?
• citizen control over their data and history of access to it
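Added example (not from the original slides): a sketch of the sector identifier from the "Bulgarian eid: concept" slide and of the linking attack listed under "Privacy - how". HMAC-SHA512 under an IdP-held secret stands in for the private-key operation; the key, sector names and eids are constructed, and `sector_id`, `shared_keys` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import uuid


def sector_id(idp_key: bytes, eid: str, sector_key: str) -> str:
    """Derive a per-sector pseudonym for one eid.

    Follows the slide's sketch sha512(encrypt(identifier + sectorKey, privateKey)),
    with HMAC-SHA512 under an IdP-held secret standing in for the
    deterministic private-key operation (assumption, not the scheme's design).
    """
    # Length-prefix the eid so distinct (eid, sector) pairs never encode alike.
    msg = len(eid).to_bytes(2, "big") + eid.encode() + sector_key.encode()
    keyed = hmac.new(idp_key, msg, hashlib.sha512).digest()
    return hashlib.sha512(keyed).hexdigest()


def shared_keys(sp_a: dict, sp_b: dict) -> set:
    """Identifiers two service providers could join their records on."""
    return set(sp_a) & set(sp_b)


# Constructed sample data: a fixed demo key and three made-up eids.
IDP_KEY = bytes(range(32))
EIDS = [str(uuid.UUID(int=n)) for n in (1, 2, 3)]


def demo() -> dict:
    # Each SP stores its records keyed by the sector identifier it was given.
    transport = {sector_id(IDP_KEY, e, "transport"): "trips" for e in EIDS}
    banking = {sector_id(IDP_KEY, e, "banking"): "account" for e in EIDS}
    # Use-case 3: a returning citizen maps to the same key within a sector.
    recurrent = sector_id(IDP_KEY, EIDS[0], "transport") in transport
    # Across sectors no key is shared, so the two SPs cannot join records.
    cross_sector = shared_keys(transport, banking)
    # The slide's attack: each SP also obtains the raw eid and stores it
    # beside the pseudonym, which makes the eid a common join key again.
    transport_eids = {e: sector_id(IDP_KEY, e, "transport") for e in EIDS}
    banking_eids = {e: sector_id(IDP_KEY, e, "banking") for e in EIDS}
    relinked = shared_keys(transport_eids, banking_eids)
    return {"recurrent": recurrent, "cross_sector": len(cross_sector),
            "relinked": len(relinked)}


if __name__ == "__main__":
    print(demo())
```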

Big Brother is not the telescreen – the telescreen can be broken or stopped. Big Brother is that which prevents us from stopping the telescreen.

Abuse?
• measures depending on the use-case
• smartcard (nobody can impersonate you)
• 2-factor authentication
  • sms
  • mobile app
  • biometrics?

Abuse? (2)
• hardware keypad card readers
  • ...or biometric sensors
• NFC security (ICAO)
• cancellation period
  • note: eid vs qualified signature
• revoking a lost certificate

Feedback
• experts’ participation
• we need feedback
• stay tuned and follow the implementation (GitHub)

Comments are welcome: b.bozhanov@government.bg


Thank you!
