Electronic Identity Cards for User Authentication—Promise and Practice

IEEE Security & Privacy January/February 2012

Author : Andreas Poller, Ulrich Waldmann, Sven Vowé, and Sven Türpe

Presenter: 黃微珊

Date: 2012/03/02

Outline

• Introduction
• Electronic Identity (eID) Card
• Electronic Identity (eID) System
• Service Authorization
• Security Properties
• Privacy Properties
• Applications for eID
• Conclusion

Introduction

• Traditional ID cards only supported offline services, whereas eID cards support business processes both online and offline and allow services to be provided online.

• The eID card promises a universal, secure authentication scheme for government and private-sector applications.

Electronic Identity (eID) Card

Electronic Identity (eID) Card(1/2)- New German Electronic ID Card

[Figure: front and back of the card; label: digital signature]

• The card carries human-readable data on its surface and a contactless chip inside, combining the functions of a conventional ID document and a digital authentication token.

Electronic Identity (eID) Card(2/2)-Electronic Functions

• A contactless chip with three distinct electronic functions.

①ePass function : reserved for government use, stores a digital representation of the cardholder’s identity.

②eID function : for general applications, stores an identity record that authorized services can access with cardholder permission.

③eSign function : lets cardholders store a single private key and certificate for qualified electronic signatures.

Electronic Identity (eID) System

Electronic Identity (eID) System(1/3)-System Components

[Figure: system components: eID server, service provider, client side]

• Four principal components participate in online authentication.

eID server handles authentication on the server side and returns the result to the service.

On the client side, a card reader and a client software package provide interfaces to the user and the ID card.

The chip on the ID card verifies the user’s PIN and the eID server’s authorization certificate and releases information as authorized.

Electronic Identity (eID) System(2/3)-Cryptographic Protocols

• Between the card and the reader, the Password Authenticated Connection Establishment (PACE) protocol establishes a shared session key and verifies the password without transmitting it.

• Between the card and the eID server, the Extended Access Control (EAC) protocol provides mutual authentication and creates a session key.
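The PACE bullet above, worked through as an added example that is not from the paper or the slides: both sides end up with matching session keys only when the typed PIN equals the card's PIN, and the PIN never appears on the wire. Assumptions: a finite-field group modulo 2^255 - 19 replaces the card's elliptic curve, an XOR pad replaces AES, HMAC-SHA256 replaces CMAC, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumed toy group: integers modulo the prime 2**255 - 19, generator 2.
# The real card uses elliptic-curve Diffie-Hellman; this size is not safe in practice.
P, G = 2**255 - 19, 2

def kdf(secret: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + secret).digest()

def enc(n: int) -> bytes:
    return n.to_bytes(32, "big")

def keypair(gen: int):
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(gen, priv, P)

def nonce_xor(data: bytes, pin: str) -> bytes:
    # Stand-in for the AES encryption of the nonce under a PIN-derived key.
    return bytes(x ^ y for x, y in zip(data, kdf(pin.encode(), b"pin")))

def tag(shared: int, peer_pub: int) -> bytes:
    # Stand-in for CMAC: HMAC-SHA256 keyed from the session secret.
    return hmac.new(kdf(enc(shared), b"mac"), enc(peer_pub), hashlib.sha256).digest()

def pace(card_pin: str, typed_pin: str):
    """Return (card_accepts, reader_accepts, wire) for one PACE-style run."""
    s = secrets.token_bytes(16)                 # card: random nonce
    z = nonce_xor(s, card_pin)                  # card -> reader
    s_reader = nonce_xor(z, typed_pin)          # reader: decrypt with typed PIN
    c1, C1 = keypair(G)
    r1, R1 = keypair(G)                         # first DH, public values exchanged
    h_card, h_reader = pow(R1, c1, P), pow(C1, r1, P)
    # Generic mapping: both sides derive a new generator g^s * h.
    g_card = pow(G, int.from_bytes(s, "big"), P) * h_card % P
    g_reader = pow(G, int.from_bytes(s_reader, "big"), P) * h_reader % P
    c2, C2 = keypair(g_card)
    r2, R2 = keypair(g_reader)                  # second DH on the mapped generator
    k_card, k_reader = pow(R2, c2, P), pow(C2, r2, P)
    t_reader = tag(k_reader, C2)                # reader -> card
    t_card = tag(k_card, R2)                    # card -> reader
    card_ok = hmac.compare_digest(t_reader, tag(k_card, C2))
    reader_ok = hmac.compare_digest(t_card, tag(k_reader, R2))
    wire = [z, enc(C1), enc(R1), enc(C2), enc(R2), t_reader, t_card]
    return card_ok, reader_ok, wire
```

A wrong PIN makes the reader recover a different nonce, so the two sides map to different generators and the authentication tokens fail to verify.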

Electronic Identity (eID) System(2/3)-Cryptographic Protocols

eID card uses:

• AES-128 CBC (cipher block chaining) and CMAC (cipher-based message-authentication code) for messaging security.

• SHA-256 for hashing.

• elliptic-curve Diffie-Hellman for key establishment in PACE.

• Chip authentication, and restricted identification for authorization certificates.

• ECDSA (Elliptic Curve Digital Signature Algorithm) for signatures.

Electronic Identity (eID) System(3/3)-eID Authentication

[Figure: message flow between the client side, the service provider, and the eID server]

Use service:

1. Authentication request

2. Client software displays information

3. User enters PIN; PIN verified with Password Authenticated Connection Establishment

4. Extended Access Control

5. eID function

6. Authentication response

Service Authorization

Service Authorization(1/2)-Roles and Responsibilities


Service Authorization(2/2)

• The government and the private sector share eID system implementation and operation.

1. Request approval

2. Get authorization certificates

3. eID servers request access to the card on behalf of approved service requests.

Security Properties

• For citizens, the cryptographic protocols ensure that the eID card releases data only as authorized.

• For service providers, chip authentication ensures that the data received originates from a genuine and valid government-issued eID card.

Privacy Properties

• Sharing a private chip authentication key among a batch of cards makes them indistinguishable.

• eID data remains unsigned.

• On-card verification.

Applications for eID

Three service types:

• Government services that require formal identification of citizens.

• Services that must let citizens exercise their right to access personal information.

• Operators of age-restricted services, such as cigarette vending machines or adult entertainment.

Conclusion(1/2)

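• Compared with traditional ID cards, the electronic ID card provides:

① Online identity verification

② Electronic signatures

③ Biometric technology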

Conclusion(2/2)

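• However, the electronic ID card's functions cannot yet be fully realized.

① The price of card readers affects citizens' willingness to switch to an electronic ID card.

② At present, most online websites, apart from some government tax-filing websites or insurance company websites, do not offer the option of verifying identity with an electronic ID card.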

The End