Introduction to Electronic Identity Documents
Klaus Schmeh, cryptovision
Tutorial
I'm Klaus Schmeh, Chief Editor Marketing at cryptovision.
I have published a number of books.
Identity Documents
Conventional Identity Documents
Identity Document Formats
ID-1 format, e.g. credit card
ID-2 format, e.g. old German identity card
ID-3 format, e.g. passport
(figure: the three formats drawn to scale against a 0 to 30 cm ruler)
Machine Readable Zone (MRZ)
MRTD Standard
Made by the aviation organisation ICAO
MRTD: Machine Readable Travel Documents
Cryptography Basics
Symmetric Encryption (figure)
The cleartext "This text is not encrypted." is turned into the ciphertext "sfd5HBtOArzKSldklsli4FJfKDFKJK" by encryption with a secret key; decryption with the same secret key yields the cleartext again.
Asymmetric Encryption (figure)
The same cleartext is encrypted with the recipient's public key and decrypted with the matching private key.
Digital Signature (figure)
Signing computes a checksum (the signature) over the cleartext with the private key; verification with the public key gives the result "correct" or "incorrect".
Authentication (figure)
The server sends data (a challenge) to Alice; Alice returns the signed data (the response), which the server verifies with her public key.
Authentication: verification of whether somebody is the one he claims to be.
Basic cryptographic operations
Symmetric Encryption: secret key
Asymmetric Encryption: public/private key
Digital Signature: public/private key
Authentication: public/private key
Three of these operations require public keys.
Alice's Public Key (figure: the raw key bytes shown as a hex dump)
Questions
Is it really Alice's public key?
Is the key still in use?
Has the key been revoked?
Is the key meant for encryption or for signatures?
These questions can't be answered by only looking at the key.
Digital Certificate
Digital Certificate (example)
Person name: Alice Smith
Public key: F4 56 D8 90 33 BB A6 93 0D 33 07
Validity period: 10.06.2002 – 09.06.2007
Serial number: 34 12 53 29 18
CA name: CA 1
Signature: A6 56 D8 90 37 E3 BB A6 93 0D 3D
Who signs a digital certificate?
A Certification Authority signs certificates; each user receives a digital certificate signed by the CA (figure).
Digital Certificate Standards
X.509 Certificate (typical size: 2,000 byte)
Fields: Version, Serial Number, Signature, Issuer, Validity, Subject, Subject Public Key Info, Authority Key Identifier, Subject Key Identifier, Key Usage, Private Key Usage Period, Policy Mappings, Subject Alternative Name, Issuer Alternative Name
Card Verifiable Certificate (typical size: 200 byte)
Fields: Certification Authority, Certificate Holder, Certificate Holder Authorization, Validity Period, Key, Profile Identifier
Public Key Infrastructure (PKI)
Hardware and software used to manage digital certificates
Components (figure): Certification Authority, Certificate Repository, Identity Management, Key storage hardware, Card Management System, User
Smart Cards
Smart Card
The chip is a small computer
Smart card operating systems:
• CardOS
• STARCOS
• TCOS
• JCOP
• …
Smart Card Memory with typical parameters
ROM / EEPROM (the card's "hard drive"): 16 KB / 128 KB
RAM: 768 byte
Clock: 4 MHz
Contact smart card: the chip is visible and is read by a contact reader
Contactless smart card: the chip is not visible and is read by a contactless reader
A smart card is a secure way to store a key
Data is sent to the smart card; the chip encrypts it or computes a signature with the key and returns the signed or encrypted data.
KEY NEVER LEAVES THE CHIP
Smart Card Form Factors
smart card, chip, watch, USB token, proximity token
More Smart Card Form Factors
chip implant, microSD, SIM card
Biometry and Smart Cards
Match on Card (MoC)
Smart Card Middleware
Smart card middleware sits between the PC software and the smart card (figure): it offers a crypto interface to applications and talks to the card through a card interface. Components: driver, administration tool.
The best smart card middleware on the market is sc/interface.
Electronic Identity Documents
What is an Electronic Identity Document?
Electronic Identity Document (eID) = Identity Document + Computer Chip
An electronic identity document is a smart card
Why Electronic Identity Documents?
Improve identification of a person
Enable new applications
Typical functionality of an electronic identity card
Stores name, birthday, address, ...
Digital Signature functionality
Encryption functionality
Authentication functionality
Additional (non-government) applications: payment, ticketing, health card, ...
Electronic Identity Card Formats
ID-1 Format: almost all other electronic identity documents
ID-2 Format: not used for electronic identity documents
ID-3 Format: electronic passport
Examples of Electronic Identity Documents
Electronic Passport
German electronic identity card
Electronic Driving License
Health Insurance card
Company card
Vehicle registration card
MRTD Standard
ICAO also standardises electronic identity documents
Logical Data Structure (LDS): standardized content of an electronic identity card
DG1: Detail(s) Recorded in MRZ
DG2: Encoded Face
DG3: Encoded Finger(s)
DG4: Encoded Eye(s)
DG5: Displayed Portrait
DG6: Reserved for Future Use
DG7: Displayed Signature or Usual Mark
DG8: Data Feature(s)
DG9: Structure Feature(s)
DG10: Substance Feature(s)
DG11: Additional Personal Detail(s)
DG12: Additional Personal Detail(s)
DG13: Optional Detail(s)
DG14: Security Options for Secondary Biometrics
DG15: Active Authentication Public Key Info
DG16: Person(s) to Notify
DG1 holds the MRZ fields: Document Type, Issuing State or Organisation, Name (of Holder), Document Number, Check Digit - Doc Number, Nationality, Date of Birth, Check Digit - DOB, Sex, Date of Expiry, Check Digit - DOE, Optional Data, Composite Check Digit
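The check digits listed for DG1 are computed with the ICAO Doc 9303 algorithm (repeating weights 7, 3, 1, sum modulo 10). The following Python example is added here and is not part of the original slides: it recomputes and validates all four check digits of the second MRZ line of a TD3 (passport) document, using the public specimen line printed in ICAO Doc 9303 as input.

```python
import re

# Character values per ICAO Doc 9303: digits keep their value,
# letters A-Z map to 10-35, the filler '<' counts as 0.
def mrz_char_value(ch: str) -> int:
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"invalid MRZ character {ch!r}")

def check_digit(field: str) -> str:
    """ICAO 9303 check digit: weighted sum with repeating weights 7, 3, 1, modulo 10."""
    weights = (7, 3, 1)
    total = sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return str(total % 10)

def validate_td3_line2(line: str) -> dict:
    """Validate the check digits of the second MRZ line of a TD3 (passport) document.
    Layout (0-based slices): 0-8 document number, 9 its check digit, 10-12 nationality,
    13-18 date of birth, 19 check digit, 20 sex, 21-26 date of expiry, 27 check digit,
    28-41 optional data, 42 check digit, 43 composite check digit computed over the
    document number, date of birth and expiry/optional fields including their check digits.
    """
    if not re.fullmatch(r"[A-Z0-9<]{44}", line):
        raise ValueError("TD3 line 2 must be 44 characters from A-Z, 0-9 and '<'")
    return {
        "document_number": check_digit(line[0:9]) == line[9],
        "date_of_birth": check_digit(line[13:19]) == line[19],
        "date_of_expiry": check_digit(line[21:27]) == line[27],
        "optional_data": check_digit(line[28:42]) == line[42],
        "composite": check_digit(line[0:10] + line[13:20] + line[21:43]) == line[43],
    }

# Specimen second MRZ line published in ICAO Doc 9303 (public sample data, not from the slides).
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for name, ok in validate_td3_line2(SPECIMEN_LINE2).items():
        print(f"{name:16s} {'ok' if ok else 'MISMATCH'}")
```

A single altered character in the date of birth makes both the field check digit and the composite check digit fail, which is what an inspection system relies on to reject mis-read or altered MRZ data before any chip access.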
Electronic Passports
ICAO Passport: by far the most popular electronic identity document
Simple technology, little functionality
About 150 countries issue Electronic Passports
European Commission: Electronic Passport obligatory for members
National identity cards
Much variety: every country deploys its own solution
Interoperability in some, but not all respects
Cryptography and PKI used by Electronic Identity Documents
Some attacks on electronic identity documents and their cryptographic countermeasures
Complete fraud: put fake data on a fake card. Cryptographic countermeasure: digital signature
Cloning: copy key from a genuine card to a fake card. Cryptographic countermeasure: key on card cannot be read
Eavesdropping: listen to communication between card and reader. Cryptographic countermeasure: key on card cannot be read
Unauthorized reading: read data from card without permission. Cryptographic countermeasure: inspection system needs to authenticate with key
Many attacks on electronic identity cards can be prevented with cryptography
Signatures and keys needed to secure an electronic identity card (figure)
Electronic Identity Card: digital signature by issuer; user keys (used for signature, authentication, ...)
Inspection System: inspection system key (used for authentication)
Java Card
Chip is a small computer
Some smart cards support the Java programming language
Name of this technology: Java Card
Java program (applet) on the card
Java Card operating systems
• NXP: JCOP (Java Card OpenPlatform)
• G&D: Sm@rtCafé Expert
• Infineon: jTOP
• Gemalto: IDCore
• JavaCOS
The Nigerian Electronic Identity Card
Nigeria: over 500 ethnicities, largest economy in Africa, 168 million inhabitants, capital: Abuja
Nigeria has started issuing electronic identity cards
cryptovision plays a key role in this project.
Nigerian electronic identity card (figure): EMV PAN number, document number, birth date, Machine Readable Zone (MRZ), date of issuance
Payment, banking
PKI for Nigerian Identity Card
Three CA hierarchies, each with a root CA signing a sub CA: CVCA signs DVCA; CSCA signs Document Signer; X.509-CA signs Sub-CA
One of the largest and most complex PKIs in the world.
Payment function
Every electronic identity card features a prepaid function
100 million Nigerians get access to the financial system.
Largest “Bank the Unbanked” initiative in history.
Gelsenkirchen, July 3, 2014: For the first time in history money is withdrawn with an electronic identity card from a German ATM. The card is Nigerian.
Comparison: Nigerian electronic identity card vs. German electronic identity card
                                 Nigerian card    German card
Chip                             contact          contactless
Number of users                  100 million      50 million
Identity verification            yes              yes
Signature function               yes              yes
Biometry                         yes              yes
Payment                          yes              no
Banking card function            yes              no
Usable as travel document        yes              yes
Restricted Identification        no               yes
Age verification                 no               yes
Mutual authentication (EAC2)     yes              yes
The Nigerian card project is more ambitious.
Summary
Electronic Identity Cards are a hot technology
Inform yourself at Mindshare 2018.
Visit our showroom.
End