Eurosmart presentation on the eIDAS Regulation
TRANSCRIPT
05/01/2023 1
EIDAS REGULATION
Legal definitions for the ICT "jargon": electronic identification, electronic authentication, electronic signature (simple, advanced, qualified), website authentication, electronic time stamping, electronic document delivery, electronic seal, …
Qualified Electronic Signature in the Cloud (AKA server signing): the authentication level to the cloud is becoming key.
Re-use of STORK results for:
– Authentication Assurance Level.
– EU PKI model based on PEPS / VIDP.
Electronic identification + electronic authentication = EU Digital Identity.
Scope
Use case vs technological means:
To perform on-line public & commercial services, some issues should be solved.
On the citizen side:
– Who I am: Identification.
– The proof that I am the person I claim to be: Authentication.
– My commitment: Signature.
On the administration & private side:
– I am a real service provider: Web authentication.
– I am a real company: Seal.
On the transaction side, 5 issues should be solved:
– It is a real transaction: Mutual authentication.
– No change of the electronic transaction during processing: Integrity.
– Not possible to replay the same transaction: Signature.
– When the transaction took place: Time stamping.
– Keep a trace of the transaction: Electronic vault.
eIDAS Regulation & PKI:
Digital services delivery is based on a Public Key Infrastructure architecture.
Genesis of the PKI infrastructure. Definition: a Public Key Infrastructure is a set of networked, interoperable software components that manage the complete life cycle of public key certificates:
– Issuance.
– Renewal.
– Revocation.
Public certificate:
– Certificate info: unique serial number, format, crypto info, validity date, usage (verification, encryption)…
– Holder identification: name, mail address…
– Public key.
– Issuer identification: CA name, DP address…
– Extensions: additional standard or proprietary info.
– Certificate signature: using the issuer's private key.
Electronic Signature
Privacy by Design within a PKI infrastructure?
The certificate content is public information, as it is a public certificate.
Electronic identification paradigm
In 2016:
– Your name is Medor.
– You are 5 years old (human reference) and 35 years old (dog reference).
– You love sausages.
– You live in Munich.
– Your owners' names are David & Helena.
– Your eyes are dark.
– You use an iPad Air 3 times a day.
1999
Economic rationale?
Legal work: eIDAS Regulation - 5 years of work at the Commission, Parliament, Member States & industry.
Infrastructure: STORK 1 & 2: 40 M€ of public spending.
Standardization mandates for more than 14 years (CEN, ETSI…). Several workshops around the world.
…
But the real beef is…
Economic rationale?
Upcoming US/EU free trade zone agreement: 649 B USD in 2013.
2 main Digital Identity initiatives in the world:
Europe has now (17/09/2014) a common legal ground, the eIDAS Regulation:
– Issuance of electronic identification & authentication means is a national prerogative.
– Notification of electronic identification & authentication schemes by Member States.
– If notified, mutual recognition and acceptance are applicable.
– Member States must accept liability for the unambiguity of the link and the authentication.
– Legal effect in all commercial sectors for: electronic signature, web authentication, seal.
Global initiative: US - NSTIC:
– The US National Strategy for Trusted Identities in Cyberspace.
– An Identity Ecosystem, "an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities".
Leverage eIDs installed base in Europe
In Europe, 23 States are issuing eID cards. This is the highest number in one continent. 170 million eIDs are in the field. This covers more than 30% of the total population of 500 million citizens.
Year 2020: more than 250 million eID cards will be held by citizens and around 20 million e-Residence Permits by third-country nationals.
eID and eRP are based on secure element technology:
– Rely on field-proven security standards.
– Allow for a high level of security for identification and authentication.
– Enable personal data protection and privacy.
– Materialize sole control: a secure token in the citizen's hand.
– Have qualified electronic signature capabilities.
Levels of Assurance (LoAs): Implementing Act
LoAs classify means of electronic identification into three levels depending on their security, robustness and issuance process:
– Assurance levels: Low, Substantial, High.
– Based on the ISO 29115 and STORK concepts.
Four areas are taken into consideration:
– Enrolment: application and registration; identity proofing and verification; binding between the electronic identification means of natural and legal persons.
– Electronic identification means management: eID means characteristics and design; issuance, delivery and activation; suspension, revocation and reactivation; renewal and replacement.
– Authentication: authentication mechanism.
– Management and organization: general provisions; published notices and user information; information security management; record keeping, facilities and staff, technical controls, compliance and audit.
The eID LoA is based on the reliability and quality of each element*
*Article 1 of the Implementing Act
eID Levels of Assurance dilemmas:
Assurance level Substantial:
– Characteristics and design: at least two authentication factors from different categories. Can be assumed to be used only if under the control or possession of the person.
– Authentication: dynamic authentication. It is highly unlikely that guessing, eavesdropping, replay or manipulation of communication by an attacker with moderate attack potential can subvert the authentication mechanisms.
Assurance level High:
– Characteristics and design: level Substantial, plus: protects against duplication, tampering and attackers with high attack potential. It can be reliably protected by the person against use by others.
– Authentication: level Substantial, plus: it is highly unlikely that guessing, eavesdropping, replay or manipulation of communication by an attacker with high attack potential can subvert the authentication mechanisms.
How do we align on wording for the following terms?
- « moderate », « high attack potential »
- « reliably » protected
- « highly unlikely »
- « can be assumed »
Can the same solution be evaluated differently from one country to the other?
Building a common understanding of the difference between « Substantial » and « High » Levels of Assurance:
Generic technical requirements are source of different interpretations in each Member State and between service providers.
Strong guidance for requirements is essential to ensure a common understanding of the details of the assurance levels and to ensure interoperability when mapping the national assurance levels of notified electronic identification schemes.
Need for a common and rigorous approach such as Common Criteria (e.g. Common Criteria decodes the meaning of "high attack potential").
Today, legacy electronic identification means such as eID & SIM/UICC cards that are Common Criteria certified provide assurance that they fulfil LoA High.
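As an added example (not from the Eurosmart slides), this is the Common Criteria attack-potential rating that turns "moderate" and "high attack potential" into numbers: the point values follow CEM v3.1 Annex B (Tables B.3 and B.4, the generic table rather than the JIL smart-card variant), and the two attack scenarios are constructed for illustration.

```python
# Added example, not from the Eurosmart slides: the Common Criteria
# attack-potential rating the slide refers to. Points follow CEM v3.1
# Annex B (Tables B.3/B.4); the JIL smart-card table differs. The two
# scenarios at the bottom are constructed for illustration.
FACTORS = {  # Table B.3: points per factor value
    "elapsed_time": {"<=1 day": 0, "<=1 week": 1, "<=2 weeks": 2, "<=1 month": 4,
                     "<=2 months": 7, "<=3 months": 10, "<=4 months": 13,
                     "<=5 months": 15, "<=6 months": 17, ">6 months": 19},
    "expertise": {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8},
    "knowledge": {"public": 0, "restricted": 3, "sensitive": 7, "critical": 11},
    "window": {"unnecessary": 0, "easy": 1, "moderate": 4, "difficult": 10},
    "equipment": {"standard": 0, "specialised": 4, "bespoke": 7, "multiple bespoke": 9},
}
# Table B.4: (minimum points, potential needed to exploit, potential the TOE resists)
RATING = [(25, "Beyond High", "High"), (20, "High", "Moderate"),
          (14, "Moderate", "Enhanced-Basic"), (10, "Enhanced-Basic", "Basic"),
          (0, "Basic", "no rating")]
ORDER = ["no rating", "Basic", "Enhanced-Basic", "Moderate", "High"]


def attack_potential(scenario):
    """Return (points, needed, resists) for a scenario dict keyed by factor.

    A window of "none" is the CEM special case: the attack path cannot be
    exercised at all, so no point total applies (treated here as resisting
    any attacker; that reading is an assumption of this example)."""
    if scenario.get("window") == "none":
        return None, "not exploitable", "High"
    points = sum(FACTORS[f][scenario[f]] for f in FACTORS)
    for minimum, needed, resists in RATING:
        if points >= minimum:
            return points, needed, resists


def resists_at_least(scenario, level):
    """True if the TOE counts as resistant to attackers of `level` or more,
    e.g. "High" for the Regulation's wording on LoA High."""
    return ORDER.index(attack_potential(scenario)[2]) >= ORDER.index(level)


# Constructed scenarios: guessing a reused password online, versus key
# extraction from a certified secure element by a specialised lab.
PASSWORD_GUESS = {"elapsed_time": "<=1 day", "expertise": "layman",
                  "knowledge": "public", "window": "unnecessary", "equipment": "standard"}
SE_KEY_EXTRACTION = {"elapsed_time": "<=3 months", "expertise": "multiple experts",
                     "knowledge": "sensitive", "window": "moderate", "equipment": "bespoke"}
```

The secure-element scenario lands above the 25-point line, which is the CEM reading of "resistant to attackers with high attack potential"; the password scenario gets no resistance rating at all.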
Levels of Assurance (diagram, from Level 1 on the left to Level 4 on the right):
– Electronic ID means, from weakest to strongest: legacy password; OTP token, 2FA token + password; OTP token + password, token with PIN pad; OTP token (PIN + certified TEE or SE); PKI ID (PIN + SE, SIM/eSE), PKI eID (PIN).
– Authentication: weak authentication; secure authentication; strong authentication; strong authentication with secure devices; strong authentication with secure devices with tamper-resistance capability.
– Risk level: extremely high; mitigated; low; low; minimal.
– Enrolment: no identity proofing; presentation of identity information; verification of identity information; face-to-face registration.
– eIDAS level: out of Regulation scope; LOW; SUBSTANTIAL; HIGH.
eIDAS Regulation vs eIDAS token specifications
eIDAS Regulation (legal frame for trusted services): electronic signature, electronic seal, electronic stamp, electronic registered delivery service, qualified certificate for website authentication; legal frame for electronic identification and authentication.
eIDAS token specifications: perform a qualified signature (without GAP / with GAP); EAC V2.05 backward compatible; pseudo ID with ERA; common electronic identification: e-ID LDS; common electronic authentication: GAP; standard API to use biometry as user authentication method (fingerprint, voice, iris, face); TR Signature; TR Physical User Authentication.
Timeline
•In line with the Implementing Acts with eIDAS token specifications: July 2014 - July 2016.
•First pre-notification of eID: mid 2016.
•Mutual recognition (voluntary) between 2 MS: mid 2017.
•Obligation of mutual recognition: 1st of January 2019.
Timeline diagram labels: Greek P., Italian P., Latvia P., Lux. P., NL P., Slovakia P., Malta P., UK P., Estonia P., Bulgaria P., Austria P., Romania P., Directive 99/93/EC (and PPSCD).
STORK: what is it?
It is a connector for the 28 Member States. The basic concept:
– Electronic authentication is performed in the country of e-ID issuance.
– Exception for Austria & Germany.
The reality - two architectures:
– PEPS - managing legacy.
– VIDP - introducing the middleware approach & eIDAS token spec.
Electronic authentication bricks for all other EU LSPs (e-CODEX, epSOS, SPOCS, PEPPOL, e-SENS).
Out of the scope:
– Mobility of EU citizens: using a Portuguese e-ID card at a kiosk in a German airport.
Open questions:
– Who will be operating the EU root CA for signing the PEPS trusted list? -> Cyber security issue.
– Privacy management?
The semantic/branding "STORK" is a must during the Implementing Acts.
Current EU e-ID card configuration (map; categories: contact only, contactless only, hybrid, dual interface; also marked: Eurosmart customers, new projects).
Countries shown: Estonia, Germany (eIDAS), Cyprus (eIDAS), Netherlands (ICAO only), Slovakia (eIDAS), Poland, Netherlands (privacy card), Italy, Greece, Finland, Belgium, Portugal, Czech Republic, Luxembourg, Bulgaria (EAC V2.05 / eIDAS), Malta, Sweden, Lithuania, Latvia (IAS ECC to ICAO), Spain.
WHAT EUROSMART IS
What Eurosmart is
About us: Eurosmart is a non-profit association located in Brussels and representing the smart security industry. Founded in 1995, the association advocates the use of smart secure devices and smart security solutions to enhance the usability of digital services while protecting privacy and combatting fraud.
The association is fully involved in political and technical initiatives as well as R&D at the European and international levels.
About our members: members are manufacturers of smart cards, semiconductors, academics, laboratories and associations.
They share a common European root:
– Annual turnover of over 15 billion euros, of which over 40% is generated in Europe.
– Close to 60,000 employees worldwide, of whom more than 50% work in the EU.
Eurosmart members
Associate members
Our mission
We contribute to the digitalization of the economy, offering expertise and skills to protect the confidentiality and integrity of data and to secure digital access (privacy & cybersecurity).
We advocate the use of proper security hardware with strong security functions.
We support the deployment of certified and standardized solutions that integrate security and privacy by design features.
CONTACTS
STEFANE [email protected]
PIERRE-JEAN VERRANDO, Director of [email protected]
Eurosmart | Rue du Luxembourg 19-21 | 1000 Brussels | Belgium | Tel. +32 2 506 88 38