Posted on 25-Sep-2020

Page 1: eIDAS token specifications - ETSI · (Rome Treaty) and updated by the Lisbon treaty creating the EU institutions Political ... eIDAS token and service provider / attribute provider

eIDAS token specifications:

The EU, privacy by design, electronic identification and authentication interoperability model for electronic transactions in the internal market

Stefane Mouille, Dr. Gisela Meister

December 2013 – Sophia Antipolis

Page 2: Toward a European Digital Identity: becoming a reality

3 key drivers for creating the European Digital Identity:

- Security: Schengen area protection, terrorism, immigration, border control; Frontex ABC project; DG Home -> EAC V2.10 part 1; Smart Border package issued 1st of March 2013

- Growth: digital economy, dematerialization, single market; Digital Agenda 2020

- Creation of the European “Identity”: digital identity and identity data protection are key; eIDAS draft regulation; Data Protection Directive & Regulation

Page 3: European Digital Identity: how to make it happen?

- Political: the long way of Europe building started 60 years ago (Rome Treaty) and was updated by the Lisbon Treaty creating the EU institutions

- Legal: Directives/Regulations (Passport, Tacho, Resident, DL, Electronic Signature, PNR, VIS, SIS etc.)

- Technical: Standards (ICAO, CEN, ISO) & EU Commission through delegated & implementing acts; Member states working group (Article) & EU Agencies

Page 4: 2 main Digital Identity initiatives in the world

Europe, with the proposed legal initiative: Proposed Regulation on electronic Identification and Trusted Services
- Issuance of identification means is a national prerogative
- Notification of electronic identification schemes
- If notified, mutual recognition and acceptance is applicable
- Member States must accept liability for the unambiguity of the link and the authentication

Global initiative: US – NSTIC, the US National Strategy for Trusted Identities in Cyberspace
- An Identity Ecosystem, “an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities”
- Prepare the free trade zone agreement

Page 5: Why ANSSI/BSI eIDAS token specifications?

Integrating 27 different electronic Identification and Authentication means into a given eGov web service brings:
- Costs
- Delay
- Technical issues -> lack of interoperability

The eIDAS token specifications answer the following issues:
- EU LDS for electronic identification: global interoperability
- Common access rights & crypto: SAC & EAC 2
- User consent (PIN & PUK)
- ICAO LDS 2 ready (EAC V2)
- Decentralized certificate distribution: using the EU SPOC

Preparing the EU implementing acts

Page 6: eIDAS & MRTD: creating global e-ID interoperability

(Diagram: the eIDAS token specification and the related EAC / MRTD technical reports; the boxes and their labels are reproduced below)

eIDAS token (EAC v2.20 Part 2, eIDAS Token Part 1), describes:
- General Authentication Procedure (GAP)
- EACv2 (CAv2, TAv2)
- PACEv2 (with PIN)
- RI
- ERA
- TR Signature
- BAC forbidden
- AES SM
- dynamic binding
- …

eMRTD (EAC v2.10, EAC v1.11), describes:
- Advanced Inspection Procedure (AIP)
- EACv1 (CAv1, TAv1)
- refer to TR-SAC
- AES SM

TR-SAC, describes:
- PACEv2 without PIN
- ePassport context

EAC v2.20 Part 3, describes protocols for:
- CA version 1 & 2
- TA version 1 & 2
- PACEv2 (MRZ, CAN & PIN)
- RI protocol
- …

EAC v2.20 Part 4 (eIDAS LDS, LDSv2 …), describes:
- LDS
- BAC, PA, AA

Page 7: Protocols are provided for authentication between eIDAS token and service provider / attribute provider

PACE / EAC 2.0* describes the authentication / authorisation between eIDAS token and service provider. PACE initiates the communication and secures the interface between eIDAS token and a user device (local).

ERA on the basis of EAC 2.0 (3-way protocol!) describes the authentication / authorisation and secures the remote interface between the eIDAS token and, additionally, an attribute provider in case new credentials are to be presented by the user.

* see ISO/IEC 7816-4 / -8, CEN EN 419212-1/-2 Application interfaces for secure signature creation devices, and the PACE, mEAC and mERA protocols contained therein

Page 8: The PACE protocol invokes and secures the communication between the eIDAS token and a user device

The user, or an optical device (e.g. bar code scanner / reader), presents the password to the user device. The eIDAS token uses the password for key agreement.

(Diagram: user or optical / visual reader enters the password, shown as 26753, into the user device, which communicates with the eIDAS token over RFID)

Page 9: The EAC 2.0 protocol describes the authentication / authorisation between eIDAS token and service provider

(Diagram: user device <-> eID server over TLS; the eID server holds a CV certificate; the eIDAS token is reached via APDU / Secure Messaging; Terminal Authentication and Chip Authentication (TA and CA) run between eID server and token)

1. User Authentication by PACE
2. Terminal Authentication
3. Chip Authentication
(4) Restricted Identification
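Step 1 of this sequence is the password-based key agreement of page 8: the user device presents the PIN, CAN or MRZ-derived password, and token and device end up with shared session keys only if both knew the same password. The following Python script is an added illustration, not code from the slides or from the ANSSI/BSI specification. It models the generic-mapping variant of PACE over a constructed toy Diffie-Hellman group (the Mersenne prime 2^127 - 1, not the standardised elliptic-curve domain parameters), with SHA-256 and HMAC standing in for the specified KDF, AES nonce encryption and CMAC authentication tokens; the function names are the example's own. It shows the point that matters for the sequence on this page: with a wrong password the mapped generators diverge, the mutual authentication tokens fail, and no secure messaging keys exist for Terminal Authentication to run over.

```python
"""Simplified PACE (generic mapping) between an eIDAS token and a user device.

Added illustration only: toy Diffie-Hellman group and SHA-256 / HMAC stand-ins,
not the elliptic-curve parameters, AES and CMAC of the real protocol.
"""
import hashlib
import hmac
import secrets

# Constructed toy group: the Mersenne prime 2^127 - 1 with generator 3.
P = (1 << 127) - 1
G = 3


def derive_kpi(password: str) -> bytes:
    """Password key K_pi = KDF(pi, 3); SHA-256 stands in for the specified KDF."""
    return hashlib.sha256(password.encode() + (3).to_bytes(4, "big")).digest()


def kdf(shared: int, counter: int) -> bytes:
    """Session keys from the shared secret: counter 1 = K_enc, counter 2 = K_mac."""
    return hashlib.sha256(shared.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()


def _nonce_stream(kpi: bytes) -> bytes:
    # Stand-in for AES encryption of the nonce under K_pi: a 16-byte keystream from K_pi.
    return hashlib.sha256(kpi + b"pace-nonce").digest()[:16]


def encrypt_nonce(kpi: bytes, s: int) -> bytes:
    return bytes(a ^ b for a, b in zip(s.to_bytes(16, "big"), _nonce_stream(kpi)))


def decrypt_nonce(kpi: bytes, z: bytes) -> int:
    return int.from_bytes(bytes(a ^ b for a, b in zip(z, _nonce_stream(kpi))), "big")


def _auth_token(k_mac: bytes, public_key: int) -> bytes:
    """Authentication token: MAC over the other side's ephemeral public key (CMAC in real PACE)."""
    return hmac.new(k_mac, public_key.to_bytes(16, "big"), "sha256").digest()


def pace(token_password: str, device_password: str) -> dict:
    """Run PACE: token_password is stored on the eIDAS token, device_password is what the user typed."""
    # Step 1: the token encrypts a random nonce s with K_pi and sends z to the user device.
    s = secrets.randbelow(P)
    z = encrypt_nonce(derive_kpi(token_password), s)
    # The device recovers s with its own K_pi; a wrong password silently yields a different nonce.
    s_device = decrypt_nonce(derive_kpi(device_password), z)

    # Step 2 (generic mapping): a first Diffie-Hellman exchange gives h on both sides, and each
    # side maps the generator to g_hat = G^s * h; the two g_hat agree only if both hold the same s.
    x_token, x_device = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pk1_token, pk1_device = pow(G, x_token, P), pow(G, x_device, P)
    h_token = pow(pk1_device, x_token, P)
    h_device = pow(pk1_token, x_device, P)
    g_hat_token = pow(G, s, P) * h_token % P
    g_hat_device = pow(G, s_device, P) * h_device % P

    # Step 3: a second Diffie-Hellman exchange on the mapped generator gives the shared secret.
    y_token, y_device = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    pk_token = pow(g_hat_token, y_token, P)
    pk_device = pow(g_hat_device, y_device, P)
    k_token = pow(pk_device, y_token, P)
    k_device = pow(pk_token, y_device, P)

    # Step 4: mutual authentication tokens. The device sends its token first; the eIDAS token
    # verifies it and answers with its own token only on success, so a wrong password stops here.
    k_mac_device, k_mac_token = kdf(k_device, 2), kdf(k_token, 2)
    token_accepts = hmac.compare_digest(
        _auth_token(k_mac_device, pk_token), _auth_token(k_mac_token, pk_token)
    )
    if not token_accepts:
        return {"token_accepts": False, "device_accepts": False, "keys_match": False}
    device_accepts = hmac.compare_digest(
        _auth_token(k_mac_token, pk_device), _auth_token(k_mac_device, pk_device)
    )
    return {"token_accepts": True, "device_accepts": device_accepts, "keys_match": k_token == k_device}


if __name__ == "__main__":
    print("correct CAN:", pace("123456", "123456"))
    print("wrong CAN:  ", pace("123456", "654321"))
```

Real PACE additionally checks that the ephemeral keys of the two exchanges differ and that the mapped generator is not the identity element, and the token enforces a retry counter on the PIN; those checks are left out here so the key agreement itself stays readable.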

Page 10: ERA on the basis of EAC 2.0 describes the authentication process between eIDAS token and service provider as well as attribute provider

(Diagram: user device, eID server holding its CV certificate (CVSP) and attribute provider holding its CV certificate (CVAP), all interacting with the eIDAS token)

Page 11: Document Profiles with underlying Application Profiles can be aligned with CEN / ETSI Standardisation*

Application and Attribute Capability

Document Profiles / Application Profiles        ePassport Application   eID Application   Attribute Application   eSIGN** Application
European Passport                               x                       -                 -                       -
Identity Card with Protected MRTD Application   (x) TA2 II CA2          x                 -                       x
Identity Card without MRTD Application          -                       x                 -                       x
Identity Card with Open MRTD Application        x                       x                 x                       x

* CEN EN 419212-1/-2 (ESIGN) and CEN TS 15480-2.4 European Citizen Card, Application and Card Profiles

** TR ESIGN is under work, under alignment with EN 419212-1/-2 (ESIGN)

Page 12: Benefits of eIDAS token specifications (1/2)

- Allow the development of eID solutions to be notified and certified as compliant with the EU regulation
- Interoperability at Secure Element APDU level
- Contact / contactless communication mode
- Possibility of various user profiles
- Personal data minimization, privacy protection (RI, ERA)
- Highest level of identity assurance (ISO level 4 or STORK level 4)
- Multi-applicative
- Innovative way for trust services (such as server signing)

Page 13: Benefits of eIDAS token specifications (2/2)

- Based on proven and deployed technology
- Incorporating state-of-the-art concepts for privacy, security, usability and flexibility
- Aligned with the latest version of ISO/IEC 7816-4
- Aligned with the set of documents produced within the EC/M460 mandate: EN 14890 - functional specification for SSCD; EN 14169 - new PP for qualified signature creation devices
- Allows both types of signatures: Qualified secure creation device; Electronic secure creation device