Bernd Kowalski, Federal Office for Information Security

FIDO, Strong Authentication and eID in Germany

Agenda

Government Objectives in Strong ID & Authentication

Why did BSI join the FIDO alliance?

What is the market perspective?

Derived Identity / Authenticity approach

2 Bernd Kowalski

Government Objectives in Strong ID & Authentication
About us: Federal Office for Information Security

BSI: Bundesamt für Sicherheit in der Informationstechnik

Germany's national IT Security Agency

Founded in 1991

Staff: ~ 662 employees

Annual Budget: 89 million Euro


Government Objectives in Strong ID & Authentication
BSI Mission

Analysis and evaluation of IT security risks, information and awareness-building

Technical standards, Test and Certification Services for the security of IT components and systems

Security solutions for government networks and applications

Support government regulations for adopting adequate security standards

International cooperation: SOGIS-MRA / Common Criteria, ICAO, ITU-T, CEN/CENELEC, ETSI, ISO, NFC-Forum, IETF, GlobalPlatform, ...


Government Objectives in Strong ID & Authentication
Digital Transformation in All Regulatory Sectors

Smart Grid, Smart Metering (KRITIS)

Smart Home, Smart Services

Industry 4.0 / Remote Maintenance

eMobility / car2car / car2x

eHealth / eGovernment

Cloud Computing

ePassport and national IDs

Online Banking, ePayment

Need for Secure ID & Trust Services

Government Objectives in Strong ID & Authentication
General Requirements on Strong ID & Authentication

Replacement of passwords by 2FA / MFA (i.e. ownership + knowledge / ownership + inherence)

Support of certified secure elements and hardware tokens

Independence of trust services and online services

Open technical standards permitting multifunctional usage

Security vs. Usability & Convenience:

some use cases require a high level of security

in other use cases usability is the key factor

Appropriate migration of (hardware) tokens (i.e. replacement / renewal / revocation) must satisfy user convenience


Why did BSI join the FIDO Alliance?

FIDO provides

potential usage of strong ID & authentication for all web browsers and online services

simple integration and fast market penetration

standardized authentication procedure independent of the application

standardized user interface

independence of Trust Services & personal IDs from business models of market leaders

usage of mobile platforms

synergy with NFC / ISO 14443

usage of national IDs


What is the market perspective?
German National Project “NFC-Initiative”

Strong ID for Public Transport

1. Creating and Managing of a Customer Account

2. Creating and secure storage of a derived identity

3. Contactless purchasing and paying of a ticket by using a derived identity

4. Contactless ticketing by using a smartphone

Secure and safe identification + comfortable use

What is the market perspective?
German National Project “NFC-Initiative”: Project Partners

The NFC initiative is ... a joint activity of the BMI, BMWi and the BMVI in the context of the “Digital Agenda”

with the participation of German industry, represented by the following companies:

supported by the Federal Office for Information Security in Germany.

Challenges for the NFC initiative: Harmonization of standardization in various committees focusing on NFC Forum

Target: Functionality is important, therefore interoperability before strict conformity

Field implementation as a "proof-of-concept" for technical specifications and acceptance of public transport companies and their customers

comfortable and safe ticketing for the citizens!

What is the market perspective?
Citizen Service Accounts

Standardized eGov Account Service

eGov-Services can be offered nationwide

interoperable Service Accounts can be used in different eGov domains

Some German federal states already offer one Service Account to multiple municipalities

Impact: More municipalities are able to offer eGov-services

Current situation: Prototypical development of interoperable Service Accounts in Bavaria and North Rhine-Westphalia

What is the market perspective?
De-Mail

De-Mail – The secure and reliable German eDelivery solution

Future usage of FIDO Token as 2nd factor for a high level authentication at De-Mail, depending on achievable security level (according to eIDAS)

Diagram: user logs in via FIDO Token (De-Mail / E-Mail)

What is the market perspective?
eIDAS-VO

eIDAS-VO: Notification of member states' identification systems

FIDO does authentication, not identification, but authentication is an important part of identification systems → FIDO could be part of an identification system according to eIDAS

Identification systems rated by "Level of Assurance" → mapping to FIDO security levels?

Trust Services: Introduction of server signatures; FIDO as possible signature activation

What is the market perspective?
Payment Service Directive II (PSD II)

Reasons for the revision of EU Directive 2007/64/EG: Sufficient standardization and interoperability of various payment services for card payments and e- and mPayments is not given.

The central point of the PSD II from the perspective of information security: "Strong Customer Authentication" for retrieving account information and performing transactions is required. Strong customer authentication is defined as a procedure based on the use of two or more of the following elements: Ownership, Knowledge, Inherence

Chance for information security: Designing a secure, privacy-friendly and applicable authentication solution by the European Central Bank, the European Banking Authority and the SecurePay forum is still pending. Refinement of the security requirements can still be influenced!

Derived Identity / Authenticity approach
Technologies for Derived Identities

Diagram: Primary Identity → 1. Transfer Datagroups (Authentic Data + Identifier (secret)) → 2. Register Authentication Device (build secret) = Derived Identity

Layers: Authentication Systems (Yubikey, VDV core app, Mobile Connect) / Authentication Devices / Secure Elements
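The two steps of the derived identity diagram, modelled end to end as an added Go example (not code from the slides or from BSI): step 1 transfers constructed data groups and binds a random secret identifier, step 2 registers an authentication device that keeps its own key, and a later login verifies the device's signature over a challenge. Ed25519 stands in for the FIDO authenticator's key pair; the record layout, function names and sample values are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// DerivedIdentity is the service-side record built in the slide's two steps (assumed layout).
type DerivedIdentity struct {
	AuthenticData map[string]string // data groups transferred from the primary identity
	Identifier    []byte            // secret identifier, kept by the service only
	DevicePubKey  ed25519.PublicKey // registered device; only its public key is stored
}

// Step 1: transfer the authentic data groups and bind a fresh random secret identifier.
func TransferDataGroups(dataGroups map[string]string) (*DerivedIdentity, error) {
	id := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	return &DerivedIdentity{AuthenticData: dataGroups, Identifier: id}, nil
}

// Step 2: the device builds its own secret (a key pair) and registers only the public key; a
// second device is refused. The private key is returned only so a caller can play the device.
func RegisterDevice(d *DerivedIdentity) (ed25519.PrivateKey, error) {
	if d.DevicePubKey != nil {
		return nil, fmt.Errorf("a device is already registered for this derived identity")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	d.DevicePubKey = pub
	return priv, nil
}

// Authenticate checks the device's signature over a service-issued challenge; no device, no login.
func Authenticate(d *DerivedIdentity, challenge, signature []byte) bool {
	return d.DevicePubKey != nil && ed25519.Verify(d.DevicePubKey, challenge, signature)
}

func main() {
	d, _ := TransferDataGroups(map[string]string{"given_name": "Erika", "family_name": "Mustermann"}) // constructed
	priv, _ := RegisterDevice(d)
	challenge := []byte("constructed-challenge-001") // a real service draws a random challenge per login
	sig := ed25519.Sign(priv, challenge)
	fmt.Println("fresh:", Authenticate(d, challenge, sig), "replayed:", Authenticate(d, []byte("other"), sig))
}
```

The secret identifier never appears in the authentication exchange; only the challenge and the device's signature do.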

Summary

Growing risks through misuse of conventional IDs (passwords)

Digital society requires strong IDs with Secure Elements and 2-Factor Authentication

Regulatory Framework required for sufficient Technical ID-Standards in critical areas

European Market has a sufficient size to set appropriate technical standards

PSD2 is an opportunity for the acceptance of FIDO in Europe

FIDO should support:

NFC/ISO 14443 interoperability activities in the NFC-Forum

usage of FIDO in regulatory projects

adoption of certified embedded or external SE

Contact

Federal Office for Information Security (BSI)

Bernd Kowalski
Godesberger Allee 185-189
53175 Bonn
Germany

[email protected]