eIDAS token specifications - ETSI
TRANSCRIPT
eIDAS token specifications:
The EU, privacy by design, electronic identification and authentication interoperability model for electronic transactions in the internal market
Stefane Mouille, Dr. Gisela Meister
December 2013 – Sophia Antipolis
Toward a European Digital Identity: becoming a reality
3 key drivers for creating the European Digital Identity:
- Security: Schengen area protection, terrorism, immigration, border control; Frontex ABC project; DG Home -> EAC V2.10 part 1; Smart Border package issued 1st of March 2013
- Growth: digital economy, dematerialization, single market; Digital Agenda 2020
- Identity: creation of the European "Identity"; digital identity and data protection are key; eIDAS draft regulation; Data Protection Directive & Regulation
European Digital Identity: how to make it happen?
- Political: the long way of Europe building started 60 years ago (Rome Treaty) and was updated by the Lisbon Treaty creating the EU institutions
- Legal: Directives/Regulations (Passport, Tacho, Resident, DL, Electronic Signature, PNR, VIS, SIS etc.)
- Technical: standards (ICAO, CEN, ISO) & EU Commission through delegated & implementing acts; Member States working group (Article) & EU Agencies
2 main Digital Identity initiatives in the world
- Europe, with the proposed legal initiative: Proposed Regulation on electronic Identification and Trusted Services
  - Issuance of identification means is a national prerogative
  - Notification of electronic identification schemes
  - If notified, mutual recognition and acceptance is applicable
  - Member States must accept liability for the unambiguity of the link and the authentication
- Global initiative: US – NSTIC, the US National Strategy for Trusted Identities in Cyberspace
  - An Identity Ecosystem, "an online environment where individuals and organizations will be able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities"
  - Prepare the free trade zone agreement
Why ANSSI/BSI eIDAS token specifications?
Integrating 27 different electronic identification and authentication means into a given eGov web service means: costs, delay, technical issues -> lack of interoperability.
eIDAS token specifications answer the following issues:
- EU LDS for electronic identification: global interoperability
- Common access rights & crypto: SAC & EAC 2
- User consent (PIN & PUK)
- ICAO LDS 2 ready (EAC V2)
- Decentralized certificate distribution: using the EU SPOC
- Preparing the EU implementing acts
eIDAS & MRTD: creating global e-ID interoperability
(Figure: map of the EAC / eIDAS token specification documents and what each describes; content recovered from the transcript.)
Documents shown: EAC v1.11; EAC v2.10; EAC v2.20 Part 2, Part 3 and Part 4; eIDAS Token Part 1; TR-SAC; LDSv2.
- eMRTD side (EAC v1.11): Advanced Inspection Procedure (AIP); EACv1 (CAv1, TAv1); refer to TR-SAC; AES SM
- ePassport context: LDS; BAC, PA, AA; PACEv2 without PIN
- eIDAS token side: General Authentication Procedure (GAP); EACv2 (CAv2, TAv2); PACEv2 (with PIN); RI; ERA; TR Signature; BAC forbidden; AES SM; dynamic binding; …
- Protocols described: CA version 1 & 2; TA version 1 & 2; PACEv2 (MRZ, CAN & PIN); RI protocol; …
- eIDAS LDS
Protocols are provided for authentication between the eIDAS token and the service provider / attribute provider.
- PACE / EAC 2.0* describes the authentication / authorisation between the eIDAS token and the service provider. PACE initiates the communication and secures the interface between the eIDAS token and a user device (local).
- ERA on the basis of EAC 2.0 (a 3-way protocol!) describes the authentication / authorisation and secures the remote interface between the eIDAS token and an additional attribute provider, in case new credentials are to be presented by the user.
* see ISO/IEC 7816-4 / -8, CEN EN 419212-1/-2 Application interfaces for secure signature creation devices, and the PACE, mEAC and mERA protocols contained therein
The PACE protocol invokes and secures the communication between the eIDAS token and a user device.
The user, or an optical device (e.g. a bar code scanner / reader), presents the password to the user device; the eIDAS token uses the password for key agreement.
(Figure: user device linked to the eIDAS token over RFID, with the password supplied by the user or via an optical / visual channel.)
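The password-based key agreement this slide describes, shown as an added toy walk-through that is not code from the eIDAS token specification, from BSI TR-03110 or from the authors: PACE in its generic-mapping form. It assumes a multiplicative group modulo the Mersenne prime 2**127-1 in place of the elliptic-curve domain parameters real tokens use, a SHA-256 keystream in place of AES for the nonce encryption, and SHA-256 with a counter as the KDF; all names (`run_pace`, `xor_crypt`, `kdf`) are this example's own. The point it makes is that a user device given a wrong PIN ends up with a different mapped generator and session key, so the mutual authentication tokens fail to verify and the exchange yields nothing about the password itself.

```python
# Toy PACE (generic mapping) model; constructed for illustration, not spec code.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus (assumption; real tokens use EC domain parameters)
G = 3            # toy generator (assumption)
Q = P - 1        # every element's order divides P-1, so exponents reduce mod Q


def kdf(secret: bytes, counter: int) -> bytes:
    """Key derivation hash(secret || counter); counter 1 = enc, 2 = mac, 3 = pi."""
    return hashlib.sha256(secret + counter.to_bytes(4, "big")).digest()


def i2b(x: int) -> bytes:
    """Encode a group element (< 2**127) as 16 big-endian bytes."""
    return x.to_bytes(16, "big")


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (keystream = SHA-256(key)); one call encrypts and decrypts."""
    stream = hashlib.sha256(key).digest()[: len(data)]
    return bytes(a ^ b for a, b in zip(data, stream))


def rand_exp() -> int:
    """Random private exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


def run_pace(token_password: str, device_password: str) -> dict:
    """Run PACE between an eIDAS token holding token_password and a user device
    that was given device_password. Returns whether the mutual authentication
    tokens verified and the encryption key each side derived."""
    # Step 0: both sides derive K_pi from the password they hold.
    k_pi_token = kdf(token_password.encode(), 3)
    k_pi_device = kdf(device_password.encode(), 3)

    # Step 1: the token chooses a nonce s and sends it encrypted under K_pi.
    s = secrets.token_bytes(16)
    z = xor_crypt(k_pi_token, s)
    s_device = xor_crypt(k_pi_device, z)   # equals s only if the passwords match

    # Step 2: mapping phase. An anonymous Diffie-Hellman yields H, and the
    # generic mapping G' = G^s * H binds the shared generator to the nonce.
    a, b = rand_exp(), rand_exp()
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)   # exchanged in the clear
    h_token = pow(pub_b, a, P)
    h_device = pow(pub_a, b, P)
    g_map_token = pow(G, int.from_bytes(s, "big"), P) * h_token % P
    g_map_device = pow(G, int.from_bytes(s_device, "big"), P) * h_device % P

    # Step 3: key agreement on the mapped generator with fresh ephemeral keys.
    x, y = rand_exp(), rand_exp()
    pk_token = pow(g_map_token, x, P)
    pk_device = pow(g_map_device, y, P)
    k_token = pow(pk_device, x, P)
    k_device = pow(pk_token, y, P)

    # Step 4: derive session keys and exchange authentication tokens, each a
    # MAC over the peer's ephemeral public key. A wrong password leaves the
    # two sides with different K, so neither token verifies.
    mac_t = kdf(i2b(k_token), 2)
    mac_d = kdf(i2b(k_device), 2)
    t_token = hmac.new(mac_t, i2b(pk_device), "sha256").digest()
    t_device = hmac.new(mac_d, i2b(pk_token), "sha256").digest()
    token_accepts = hmac.compare_digest(
        t_device, hmac.new(mac_t, i2b(pk_token), "sha256").digest())
    device_accepts = hmac.compare_digest(
        t_token, hmac.new(mac_d, i2b(pk_device), "sha256").digest())
    return {
        "ok": token_accepts and device_accepts,
        "k_enc_token": kdf(i2b(k_token), 1),
        "k_enc_device": kdf(i2b(k_device), 1),
    }


if __name__ == "__main__":
    print("matching PIN:", run_pace("123456", "123456")["ok"])
    print("wrong PIN:   ", run_pace("123456", "654321")["ok"])
```

The same structure carries over to the slide's point about user consent: the token only completes the key agreement when the device proves knowledge of the password, and on a real token a failed run decrements a retry counter for PIN-based PACE, which is why the PUK exists.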
The EAC 2.0 protocol describes the authentication / authorisation between the eIDAS token and the service provider.
(Figure: user device and eID server connected over TLS, the eID server holding the CV certificate; APDU / Secure Messaging between user device and eIDAS token; PACE run by the user device, Terminal Authentication and Chip Authentication (TA and CA) run by the eID server.)
1. User Authentication by PACE
2. Terminal Authentication
3. Chip Authentication
(4) Restricted Identification
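Steps 2 to 4 of the sequence above, as an added toy model that is not code from the eIDAS token specification, from BSI TR-03110 or from the authors. It assumes the same toy multiplicative group modulo 2**127-1 in place of an elliptic curve, Schnorr-style signatures in place of the terminal's ECDSA signature, and reduces CV-certificate chain validation to a list of terminal public keys the token trusts; `Token`, `run_eac2` and `restricted_id` are this example's own names. It shows the EAC v2 binding between TA and CA (the terminal signs the challenge together with the ephemeral key it will later use in CA, and the token refuses any other key), and why RI gives a stable pseudonym inside one sector but different values across sectors.

```python
# Toy TA v2 / CA v2 / RI model after PACE; constructed for illustration, not spec code.
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus (assumption)
G = 3            # toy generator (assumption)
Q = P - 1        # exponent modulus


def i2b(x: int) -> bytes:
    return x.to_bytes(16, "big")


def h_exp(*parts: bytes) -> int:
    """Hash to an exponent; used as the Schnorr challenge."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % Q


def kdf(secret: bytes, nonce: bytes, counter: int) -> bytes:
    """CA v2 style key derivation hash(K || r_ICC || counter); 1 = enc, 2 = mac."""
    return hashlib.sha256(secret + nonce + counter.to_bytes(4, "big")).digest()


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def sign(sk: int, msg: bytes):
    """Schnorr-style signature standing in for the terminal's ECDSA signature."""
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k + h_exp(i2b(r), msg) * sk) % Q


def verify(pk: int, msg: bytes, sig) -> bool:
    r, s = sig
    return pow(G, s, P) == r * pow(pk, h_exp(i2b(r), msg), P) % P


class Token:
    """eIDAS token side: one static chip key, also used as SK_ID for RI here."""

    def __init__(self, trusted_terminal_pks):
        self.sk_chip, self.pk_chip = keygen()
        self.trusted = set(trusted_terminal_pks)   # stand-in for the CVCA trust point
        self.id_icc = b"TOY-ID-ICC"                 # identifier bound into TA (constructed)
        self.r_icc = None
        self.pk_eph_committed = None

    def ta_challenge(self) -> bytes:
        self.r_icc = secrets.token_bytes(8)
        return self.r_icc

    def ta_verify(self, terminal_pk: int, pk_eph: int, sig) -> bool:
        """TA v2: the terminal must be authorised and must have signed the
        challenge together with the ephemeral key it will use in CA."""
        if terminal_pk not in self.trusted:
            return False
        if not verify(terminal_pk, self.id_icc + self.r_icc + i2b(pk_eph), sig):
            return False
        self.pk_eph_committed = pk_eph
        return True

    def ca_respond(self, pk_eph: int):
        """CA v2: agree a key with the terminal's ephemeral key and prove
        possession of the static chip key via an authentication token."""
        if pk_eph != self.pk_eph_committed:
            raise ValueError("ephemeral key differs from the one authorised in TA")
        k = pow(pk_eph, self.sk_chip, P)
        r = secrets.token_bytes(8)
        return r, hmac.new(kdf(i2b(k), r, 2), i2b(pk_eph), "sha256").digest()

    def restricted_id(self, pk_sector: int) -> bytes:
        """RI: sector pseudonym H(KA(SK_ID, PK_sector)), stable per sector."""
        return hashlib.sha256(i2b(pow(pk_sector, self.sk_chip, P))).digest()


def run_eac2(token: Token, terminal_sk: int, terminal_pk: int) -> dict:
    """Drive TA then CA from the terminal (eID server) side."""
    sk_eph, pk_eph = keygen()                       # terminal's ephemeral CA key
    r_icc = token.ta_challenge()
    sig = sign(terminal_sk, token.id_icc + r_icc + i2b(pk_eph))
    if not token.ta_verify(terminal_pk, pk_eph, sig):
        return {"ta": False, "ca": False, "k_enc": None}
    r, t_icc = token.ca_respond(pk_eph)
    k = pow(token.pk_chip, sk_eph, P)               # PK_chip is read from the chip
    ca_ok = hmac.compare_digest(
        t_icc, hmac.new(kdf(i2b(k), r, 2), i2b(pk_eph), "sha256").digest())
    return {"ta": True, "ca": ca_ok, "k_enc": kdf(i2b(k), r, 1)}


if __name__ == "__main__":
    sp_sk, sp_pk = keygen()          # authorised service provider terminal
    rogue_sk, rogue_pk = keygen()    # terminal without a valid CV certificate
    tok = Token([sp_pk])
    print("authorised terminal:", run_eac2(tok, sp_sk, sp_pk)["ca"])
    print("unauthorised terminal passes TA:", run_eac2(tok, rogue_sk, rogue_pk)["ta"])
    _, sector_a = keygen()
    _, sector_b = keygen()
    print("stable within sector:", tok.restricted_id(sector_a) == tok.restricted_id(sector_a))
    print("unlinkable across sectors:", tok.restricted_id(sector_a) != tok.restricted_id(sector_b))
```

The order matters for the privacy goal on the next slides: the token releases nothing (no CA, no RI value) until TA has shown which terminal is asking and under which authorisation, and the sector key used for RI is part of that terminal's credential, so a service provider cannot ask for another sector's pseudonym.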
ERA on the basis of EAC 2.0 describes the authentication process between the eIDAS token and the service provider as well as the attribute provider.
(Figure: user device, eID server and attribute provider interacting with the eIDAS token; the service provider and the attribute provider each hold their own CV certificate, CV SP and CV AP.)
Document Profiles with underlying Application Profiles can be aligned with CEN / ETSI standardisation*
Document Profiles / Application Profiles   ePassport Application   eID Application   Attribute Application   eSIGN** Application
European Passport                           x                       -                 -                       -
Identity Card with Protected MRTD A.        (x) TA2 / CA2           x                 -                       x
Identity Card without MRTD A.               -                       x                 -                       x
Identity Card with Open MRTD A.             x                       x                 x                       x
* Application and Attribute Capability: CEN EN 419212-1/-2 (ESIGN) and CEN TS 15480-2.4, European Citizen Card, Application and Card Profiles
** TR ESIGN is under work, under alignment with EN 419212-1/-2 (ESIGN)
Benefits of eIDAS token specifications (1/2)
- Allow the development of eID solutions to be notified and certified as compliant with the EU regulation
- Interoperability at Secure Element APDU level
- Contact / contactless communication mode
- Possibility of various user profiles
- Personal data minimization, privacy protection: RI, ERA
- Highest level of identity assurance (ISO level 4 or STORK level 4)
- Multi-applicative
- Innovative way for trust services (such as server signing)
Benefits of eIDAS token specifications (2/2)
- Based on proven and deployed technology
- Incorporating state-of-the-art concepts for privacy, security, usability and flexibility
- Aligned with the latest version of ISO/IEC 7816-4
- Aligned with the set of documents produced within the EC/M460 mandate: EN 14890, functional specification for SSCD; EN 14169, new PP for qualified signature creation devices
- Allows both types of signatures: qualified secure creation device; electronic secure creation device