Update on WS eAuthentication status

Jan van Arkel Co-Chairman eEurope Smart Card Charter

Ambassador CEN/ISSS WS eAuthentication

FG on Biometric N N00-038

consolidate OSCIE eAuthentication GIF content and search for maintenance offer a European Forum on eAuthentication seek wider involvement and consensus

harmonise eAut with Japan and US harmonise eAut with WS e-sign i.e. Area K harmonise with eEpoch development relate with Porvoo group eGov/eID requirements

prepare a harmonised Glossary of Terms

Objectives of the Workshop eAuthentication/eID

CWA eAut Part 1: Architecture for a European interoperable eID system within a smart card infrastructure 

CWA eAut Part 2: Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services

CWA eAut Part 3: User Requirements for a European interoperable eID system within a smart card infrastructure WP 4: eID Strategic Vision Report

Deliverables of WSeAut

The WS started September 16, 2003

Draft CWA documents were approved (with

some comments) on September 20, 2004

Revised drafts distributed for 60 days public

comment period on October 18, 2004

Disposition of comments ready by December 31

Final documents distributed by January 15, 2005

Workshop closing meeting on February 11, 2005

Official publication of CWA eAuthentication by CEN

Status WS eAut

CWA eAut Part 1: Architecture for a European interoperable eID system within a smart card

infrastructure

Deliverables of WSeAut

Table of Content Introduction Contextual Model for IAS interoperability Conceptual model for IAS interoperability The IAS functional model IAS system architecture The functional model in the IAS system architecture High level description of the primary processes - formal description IAS interoperability Securing interoperability Common requirements for IAS interoperability Annex A Mandatory fields in certificates

contente-Serviceaccess

cardaccess

IAS/ eID

cardapplication

certificate

contente-Serviceaccess

cardaccess

IAS/ eID

cardapplication

certificate

on us

not on us

Closed eID scheme

contente-Serviceaccess

cardaccess

IAS/ eID

cardapplication

certificate

contente-Serviceaccess

cardaccess

IAS/ eID

cardapplication

certificate

on us

not on us IOP #3

IOP #2

eService interoperability

IAS Smart card information system architecture

Infrastructure Layer

Card Layer

eService Layer

User access point

eService access point

PKI

VerificationAuthority

IOP #1

IOP #2

IOP #3

IAS

IOP #4

IOP #5

Infrastructure Layer

Card Layer

eService Layer

User access point

eService access point

PKI

VerificationAuthority

IOP #1

IOP #2

IOP #3

IAS

IOP #4

IOP #5

CWA eAut Part 2: Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services

Deliverables of WSeAut

Table of Content

Multi-application smart card schemes(including Government issued eID driven MASchemes)

Risk analysis and Policy management

Service implementation and legal /adminstrative guidelines

Business case analysis

Peer support mechanisms and recommendations

CWA eAut Part 3: User Requirements for a European interoperable eID system within a smart card infrastructure

Deliverables of WSeAut

Table of Content

General User requirements for smart card based systems - common elements in support of user req- doing things with a smart card - doing things to a smart card

User requirements for Authenticatioin within an eID system- identification - authentication - signature services- eID processes

Strategic eID Vision report

Table of Content

The Vision - Rationale for a common eID approach - Drivers and inhibirtors for a common apporach

How can the vision be realised

Conditions for mass deployment - minimum requirements - Architectural model - The legal issue - Standardisation

Deployment of eID in Europe and beyond Recommendations

Deliverables of WSeAut

Deployment of eID

Group 1: the no-not for us- group

Group 2: Early adopters

Group 3: Middle of the road group

Group 1: the no-not for us- group

Anglo-saxon countries - US - Canada - Australia - New Zealand - UK ???

Deployment of eID

Deployment of eID

Group 2: Early adopters

Malaysia South East Asia Middle East Japan

Deployment of eID

Group 3: Middle of the road group

Europe China, India South America Africa

Europe’s leading examples

Estonia 650K

Italy 400K

Belgium 85K

Finland 55K

Spain

Austria

eID deployment worldwide

Overall conclusions: - strong regional differences- a number of European countries is

on the move - smart cards prevail - PIN is omnipresent, biometrics are emerging as preferred CHV - PKI is taking off - patchy solutions

Approach eID as an infrastructure which needs to come into place at least in the European domain

Provide a legal basis for a common European eID

Organise a stronger participation in Standardisation

Organise a pan-European demonstrator

European Coordination on eID development is needed

Recommendations

Common Requirements

(WS-eAut, CEN 224-WG 15, Porvoo group)

electronic identification & authentication of the cardholder to public and private services

electronic signature for legal proof of non repudiation

Optional functions:

confidentiality services, enabling encryption of data transmitted over a network (email, documents transfer)

official travel document

Basic Functionalities

The system shall support different security profiles/classes

The system shall be trustworthy for the cardholder, the system as such shall be reliable and it shall protect the cardholders data present in the card

The IAS functionality shall be executed in a secure and controllable way

The execution of the eID and eAuthentication function shall be convenient and fast

The system shall be future proof: - based on international standards (ISO/IEC 7810, 7816 , ISO/IEC 14443, JavaCard/GP, ISO/IEC 7501-3 (ICAO) - post issuance secure updating of data as well as application downloading supported as an option - Multi-vendor support

Overall system requirements

The system shall support a secure and reliable cardholder identification function:

Personal data of the cardholder shall be held in an electronic form

The Personal data set shall contain as a minimum for interoperability: - (optional) national identification number - family name(s), given name - sex - date of birth - (optional) place of birth - (optional) nationality This file is (optionally) PIN/Biometric protected

The Card related data set shall contain as a minimum for interoperability: - card issuer name/reference - card number - country name, - date of issuance - expiration date

Cardholder identification requirements

The system shall support a secure and reliable cardholder authentication function

A PIN is mandatory and shall be compliant with ISO/IEC 7816-4

Biometrics are optional If biometrics are included the following applies:

- 1:1 verification compliant to ISO/IEC 7816-11 - a Biometric OID in support of multiple biometric technologies must be present compliant to ISO/IEC 19785-1 (under development) - Fingerprint minutia data is recommended. Implementation shall be compliant to ISO/IEC 19785-2 (under development) - Biometric template storage shall be on the card - Biometric matching on the card is recommended

A Signature key for authentication purposes - shall be present - shall occur only once and shall be protected so it cannot be derived - shall be protected against unauthorized usage by PIN and optionally by biometrics

Cardholder authentication requirements

The system shall support a secure and reliable cardholder electronic signature funtion for the purpose of legal validaty of the signature

For Europe the PKI system elements of the system shall be in complicance with the qualified digital signature as per article 5.1 of the EU directive 1999/93/EC on a Community framework for electronic signatures

The PKI system elements shall be in compliance with ETSI QCP 101456 (under revision)

The PKI system elements shall be in compliance with CWA 14890 parts 1 –2

Electronic signature requirements

The PKI system elements shall be in compliance with ETSI QCP 101456 The main issues being: - registration procedures - information content of a certificate - liability of the certificate authority - responsibility for protecting the eID card and its content - loading of other applications on the card - renewal of an eID card - prevention of use of eID card and its certificates - cancellation of an eID card - requirements for the supporting PKI (i.e. CWA 14171) - obtaining and protecting the CA certificate - obtaining certificate status information

Electronic signature requirements (2)

Compliance with CWA 14890 (area K) part 1 and 2: - key pair generation on board card - storage of keys on board card

- compliance with 7816/15 (PKCS 15) and Crypto Objects- signing function will be PIN and/or Bio protected- data to be signed cannot be altered - the format for electronic signatures and their certificates shall be

interoperable- secure messaging shall be supported (symmetric crypto) - algorithms as in EU WS eSign algo document shall be supported- public available certificate status verifying function for relying parties

PKI shall be implemented in the following way: - minimum of 2 certificates (1 for signing; 1 for other functions) - compliant with X509 V3 minimum profile:

name of CA, name of Cert holder, unique identifier of Card Holder /Certholder, period of validity of certificate, serial number of certificate, pointer to info on CA certificate policy

Electronic signature requirements (3)