TRANSCRIPT
The Practice of Electronic Identity
Management Technology in China
HU Chuan Ping, Head of the 3rd Research Institute of Ministry of
Public Security, People’s Republic of China
21 April 2016
Outline
Concept and background
Technology roadmap
Current development Situation
Future work
Identity Management
• IDM describes the management of individual identifiers, their authentication, authorization and privileges/permissions within or across system and enterprise boundaries:
  • how users are given an identity
  • the protection of that identity
  • the technologies supporting that protection
Rapid Development of Internet in China
• CNNIC, The 37th Statistical Report on Internet Development in China (January 2016): charts of Internet users and Internet penetration rate (figure not reproduced)
IDM is the Foundation of Cyberspace Security
• Illegal collection of identity information
• Theft of Internet accounts and identities
• Criminal offences such as Internet financial fraud
• An estimated 5.5 billion items of personal information were leaked in 2015 (frequent leaks of Internet identities)
• Hence the requirement for identity management in national cyberspace governance
Cyberspace Identity: four requirements and the question each raises
• Trustworthy: how to verify the authenticity of network entities while protecting their privacy
• Universal: how to identify and manage different kinds of cyberspace entities
• Cross-domain: how to establish the trust level of cyberspace entities and the scope of application fields in which it holds
• Auditable: how to confirm responsibility for the behaviour of cyberspace entities
Development Planning of the Network Trust Framework in China
• Opinions on Strengthening Information Security Protection (No. [2003] 27)
• Opinions on the Construction of the Internet Trust System (No. [2006] 11)
• National Medium- and Long-Term Plan for the Development of Science and Technology (2006-2020)
• NPC Decision on Strengthening Network Information Protection (2012)
Development Situation of the Electronic Certification Industry
• The Electronic Signature Law of the People's Republic of China was approved by the NPC in August 2004 and took effect on 1 April 2005.
• Currently there are 35 licensed Certification Authorities.
• Cross-recognition between CA systems has not been achieved:
  • regional separation of CAs vs. the cross-regional nature of the Internet
  • making money by issuing certificates vs. a permanent identity service
  • lack of authority and reliability
Outline: Technology roadmap
IDM Has Been a Focus Area of Standards Bodies
• ITU Telecommunication Standardization Sector: Focus Group on Identity Management (FG-IDM)
• Internet Engineering Task Force: Simple Cloud Identity Management (SCIM)
• European Telecommunications Standards Institute: Technical Committee on Electronic Signatures and Infrastructures (TC ESI)
• World Wide Web Consortium: XML ID, XML Signature, XKMS, …
The Practice of Electronic Identity Management Around the World (world map of eID deployments, not reproduced)
• The US: application test in May 2014
• 16 countries of the UN
• Russia, 2012
• Australia, 2004
Definition of eID in China
• electronic Identity, eID:
  • based on cryptographic techniques
  • carried on a smart IC chip
  • audited and issued face to face
  • used for online authentication
• Properties: security, authority, public welfare, universality
Infrastructure of eIDM
• eID management system
• eID service system
• universal Internet applications (e-business, e-government, community websites, etc.)
• eID card + card reader
eID Hierarchy (layer diagram; Chinese labels translated)
• Application Layer: financial applications, e-government applications, social applications, IPv6 applications, virtual identity / virtual assets, multi-level identity management
• Authentication Service Layer: eID verification service interface, eID desktop application interface, eID mobile application interface; eID verification service protocol, eID attribute attestation; responsibility determination, audit and traceability, delegation and authorization, cross-domain access
• Basic Service Layer: eID status query and verification; eID carrier application interface, eID carrier key management, eID carrier application security, eID carrier file management; eID reader application interface, eID reader application security, eID reader key management; eID application cryptographic management; ......
• Identification Layer: trust management, lifecycle management; coding format, identifier management, identity audit, infrastructure
• Management (cross-cutting): issuance management, operations and maintenance management, release management, security management
eID Technical Architecture (layer diagram; labels recovered from the slide)
• Third-party app / eID app: real identity authentication, virtual asset protection, secure login; reached through the eID authentication interface and the eID extended services interface
• Certificate and message formats: SM3; X.509/XML; GM/T 0015-2012 (SM2-based digital certificate format); PKCS#7 / GM/T 0010-2012 (SM2 cryptographic message syntax)
• eID desktop application interface: CSP/CNG, PKCS#11, minidriver, NPAPI/ActiveX; eID mobile application interface: NFC, vendor device API
• eID reader: PC/SC, CCID, HID, UMASS, UAI
• eID carrier: ISO 7816 / ISO 14443 communication, key management (RSA/SM2), file system
• Service side: eID lifecycle management (eID LCM; RFC 2510/2511/2459 for certificate management, request format and certificate profile), authentication service (identity verification and protection, identity connection), trust, identity coding, delegation/authorization, audit/responsibility confirmation, eID operation and maintenance, security separation
• Transport and federation protocols: HTTP/REST, IPsec/SSL, IPv6, DSS, SAML, XKMS
• Also labelled on the slide: eID MIC hierarchy
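The carrier and reader part of this architecture is easiest to see as a message exchange. The following Python sketch is an added example for this page, not code from the talk or from the MPS eID system: it encodes and decodes ISO 7816-4 APDUs (the framing used over both the ISO 7816 contact and ISO 14443 contactless interfaces named on the slide) and runs a SELECT / GET CHALLENGE / INTERNAL AUTHENTICATE exchange against a simulated carrier. The applet AID, the 16-byte host nonce, the status-word choices and the HMAC standing in for the carrier's SM2/RSA signature are assumptions made for the example; a real carrier signs with its private key and the eID verification service checks that signature against the carrier's certificate (GM/T 0015-2012 / X.509).

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# ISO 7816-4 status words and instruction codes used below
SW_OK, SW_WRONG_LENGTH, SW_COND_NOT_SATISFIED = 0x9000, 0x6700, 0x6985
SW_FILE_NOT_FOUND, SW_INS_NOT_SUPPORTED = 0x6A82, 0x6D00
INS_SELECT, INS_GET_CHALLENGE, INS_INTERNAL_AUTH = 0xA4, 0x84, 0x88
EID_AID = bytes.fromhex("F0654944303031")  # assumed proprietary AID ("eID001"), not the real one


def build_apdu(cla: int, ins: int, p1: int, p2: int,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Encode a short command APDU: CLA INS P1 P2 [Lc data] [Le] (cases 1-4)."""
    if len(data) > 255:
        raise ValueError("a short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1, p2])
    if data:
        apdu += bytes([len(data)]) + data
    if le is not None:
        if not 0 <= le <= 256:
            raise ValueError("short Le must be 0..256")
        apdu += bytes([le & 0xFF])  # Le byte 0x00 requests 256 bytes
    return apdu


def parse_rapdu(rapdu: bytes) -> Tuple[bytes, int]:
    """Split a response APDU into (data, SW1SW2)."""
    if len(rapdu) < 2:
        raise ValueError("response APDU must end with SW1 SW2")
    return rapdu[:-2], int.from_bytes(rapdu[-2:], "big")


def sw(code: int) -> bytes:
    return code.to_bytes(2, "big")


class SimulatedEidCarrier:
    """Stand-in for an eID carrier behind an ISO 7816 (contact) or ISO 14443 (NFC)
    reader. A real carrier signs with its SM2/RSA key; HMAC is used here only so
    the exchange runs offline. The shape is the point: SELECT applet, GET
    CHALLENGE, INTERNAL AUTHENTICATE, with a challenge that is valid once."""

    def __init__(self, auth_key: bytes) -> None:
        self._auth_key = auth_key
        self._selected = False
        self._challenge: Optional[bytes] = None

    def transmit(self, apdu: bytes) -> bytes:
        if len(apdu) < 4:
            return sw(SW_WRONG_LENGTH)
        ins, p1, body = apdu[1], apdu[2], apdu[4:]
        data = b""
        if len(body) > 1:  # Lc present (case 3/4); a lone trailing byte is Le (case 2)
            lc = body[0]
            data = body[1:1 + lc]
            if len(data) != lc:
                return sw(SW_WRONG_LENGTH)
        if ins == INS_SELECT:
            self._selected = (p1 == 0x04 and data == EID_AID)  # P1=04: select by DF name
            return sw(SW_OK if self._selected else SW_FILE_NOT_FOUND)
        if not self._selected:
            return sw(SW_COND_NOT_SATISFIED)
        if ins == INS_GET_CHALLENGE:
            self._challenge = secrets.token_bytes(8)
            return self._challenge + sw(SW_OK)
        if ins == INS_INTERNAL_AUTH:
            if self._challenge is None or len(data) != 16:
                return sw(SW_COND_NOT_SATISFIED)
            mac = hmac.new(self._auth_key, self._challenge + data, hashlib.sha256).digest()
            self._challenge = None  # consumed: a replayed command is refused with 6985
            return mac + sw(SW_OK)
        return sw(SW_INS_NOT_SUPPORTED)


def authenticate_carrier(carrier: SimulatedEidCarrier, verifier_key: bytes) -> bool:
    """Host side. verifier_key models what the eID verification service holds to
    check the carrier's response (the carrier's public key in the real system)."""
    _, status = parse_rapdu(carrier.transmit(build_apdu(0x00, INS_SELECT, 0x04, 0x00, EID_AID)))
    if status != SW_OK:
        return False
    card_rand, status = parse_rapdu(carrier.transmit(build_apdu(0x00, INS_GET_CHALLENGE, 0x00, 0x00, le=8)))
    if status != SW_OK or len(card_rand) != 8:
        return False
    host_nonce = secrets.token_bytes(16)  # host freshness, bound into the response
    resp, status = parse_rapdu(carrier.transmit(build_apdu(0x00, INS_INTERNAL_AUTH, 0x00, 0x00, host_nonce, le=32)))
    if status != SW_OK:
        return False
    expected = hmac.new(verifier_key, card_rand + host_nonce, hashlib.sha256).digest()
    return hmac.compare_digest(resp, expected)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("carrier authenticated:", authenticate_carrier(SimulatedEidCarrier(key), key))
    print("wrong verifier key rejected:", not authenticate_carrier(SimulatedEidCarrier(key), bytes(32)))
```

Two details matter for a relying party: the carrier consumes its challenge after one INTERNAL AUTHENTICATE, so a captured response cannot be replayed, and the host's own nonce is bound into the response, so the host does not depend on the carrier's randomness alone. Commands sent before SELECT, or after the challenge is consumed, are refused with 6985 rather than answered.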
eID Cloud Service Platform Architecture
• Hardware Infrastructure Layer
• Resource Virtualization Layer: unified VM resource dispatch, rapid VM deployment, VM monitoring and migration, QoS assurance, storage virtualization
• eID Core Management Layer: data management, security management, eID lifecycle management, eID signature management
• eID Identity Service Layer: identity verification service, attribute verification service, SSO service, identifier protection service, eID maintenance service, ...
• Consumers of the platform: foreign clouds, enterprises, websites, personal users
Outline: Current development situation
Overall Progress of eID in China
• Supported by more than ten national projects since 2010
• Key technology breakthroughs: network electronic identity management at hundred-million scale; the cumulative results won four National Science and Technology Progress Awards
• Standard framework: Workgroup for Cyberspace Identity Management; more than 30 national and industry standards drafted
• eID infrastructure: Citizen Electronic Identity Identification System of the Ministry of Public Security; 40 million eID carriers issued
• Demonstration applications: campus applications, e-government and public service applications, social network applications, virtual asset applications
Privacy-Oriented eID Identification Method
• The code is unique
• It cannot be tampered with
• It protects privacy
• Information security national standard: "Network Electronic Identity Format Specification"
• National invention patent and international patent: "Network electronic ID card generation and verification controlling method of network identity code"
• Coding format: eID_version | BHash_Value | eid_code_rvb
eID Lifecycle Management
• eID generation stage
• eID issuance stage
• eID application stage
• eID maintenance stage
• eID revocation stage
(figure labels: 1 billion eID vs 10 million; security & privacy)
The First eIDM Monograph in China
• Global Network Identity Management: Current Status and Development. Author: Hu Chuanping et al.
eID Standard Framework (Chinese titles translated)
• eID full-lifecycle management standards; eID carrier standards; eID reader standards
• Application standards: security technical requirements for eID-based e-government; security technical requirements for eID-based financial applications; technical requirements for IPv6-oriented eID applications; eID-based multi-level digital identity management framework; eID display card application requirements; technical requirements for network real-person verification
• Service standards: technical requirements for the eID verification service interface, the eID desktop application interface and the eID mobile application interface, with test method requirements for each; virtual asset description language specification; virtual asset data storage and exchange standard; virtual identity description language; virtual identity data storage and exchange standard; eID audit and traceability interface; eID-based attribute attestation specification; technical requirements for the multi-application carrier national cryptographic algorithm (SM) interface
• Management standards: functional technical requirements, security technical requirements and test method requirements for dedicated eID readers; functional, file system, security and test method requirements for eID carriers; technical requirements for eID issuance management, eID data management and eID maintenance management
• Foundation standards: eID data model; eID service framework model; eID terminology; eID coding specification; eID format specification; eID standard system; eID audit and traceability framework
Citizen Electronic Identity Identification System of the Ministry of Public Security
• Diagram (not reproduced) showing the Workgroup for Cyberspace Identity Management, the Citizen Electronic Identity Identification System of MPS, the National Population Database, BUPT and the Shanghai social security card center
• Business processing capability: one hundred million eID per millisecond
• Issued eID carriers: 40 million
eID Carrier and Usage Method
Practical application of eID
Campus applications
Offline applications
e-government applications
e-commerce applications
Mobile Internet Apps
Social network applications
eID Attracts Attention from Chinese Society
Outline: Future work
eID Can Provide Strong Protection for Individual Privacy in the Big Data Era
• Each client has a different identifier in each app. Even if the account information from all the apps is aggregated and analysed, the client's real identity cannot be determined.
(figure: one client eID code mapped to distinct identifiers in App1, App2, …, Appn)
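The slide on the privacy-oriented identification method (coding format eID_version | BHash_Value | eid_code_rvb) and this slide on per-app identities describe one mechanism from two sides. The following Python sketch is an added example for this page, not the published format specification or the MPS implementation: it builds a code from a keyed hash over the identity attributes and a random value, so the code is unique, cannot be altered without detection and exposes no attribute; it derives a different identifier for each application from that code, so aggregating accounts across apps does not identify the person; and it shows that the eID service, as the key holder, can still map an identifier back to a code when responsibility must be established (the "auditable" requirement from the first section). The field lengths, the reading of eid_code_rvb as a per-code random value, SHA-256 in place of SM3, the HMAC construction and all names and sample data are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Assumed layout of the three fields named on the slide; lengths are not from the spec.
EID_VERSION = 0x01   # eID_version: one byte
HASH_LEN = 32        # BHash_Value: SHA-256 stands in for SM3 here
RVB_LEN = 8          # eid_code_rvb: treated as a per-code random value
EID_CODE_LEN = 1 + HASH_LEN + RVB_LEN


def canonical_identity(attrs: Dict[str, str]) -> bytes:
    """Deterministic encoding of the attributes audited face to face at issuance."""
    return "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs)).encode("utf-8")


def generate_eid_code(attrs: Dict[str, str], issuer_key: bytes,
                      rvb: Optional[bytes] = None) -> bytes:
    """eID_version || BHash_Value || eid_code_rvb.

    The keyed hash makes the code unique per person, unforgeable without
    issuer_key, and free of any readable identity attribute.
    """
    rvb = secrets.token_bytes(RVB_LEN) if rvb is None else rvb
    if len(rvb) != RVB_LEN:
        raise ValueError(f"eid_code_rvb must be {RVB_LEN} bytes")
    bhash = hmac.new(issuer_key, rvb + canonical_identity(attrs), hashlib.sha256).digest()
    return bytes([EID_VERSION]) + bhash + rvb


def parse_eid_code(code: bytes) -> Tuple[int, bytes, bytes]:
    """Split a code into its fields, rejecting wrong lengths and unknown versions."""
    if len(code) != EID_CODE_LEN:
        raise ValueError(f"eID code must be {EID_CODE_LEN} bytes, got {len(code)}")
    version, bhash, rvb = code[0], code[1:1 + HASH_LEN], code[1 + HASH_LEN:]
    if version != EID_VERSION:
        raise ValueError(f"unsupported eID_version {version}")
    return version, bhash, rvb


def verify_eid_code(code: bytes, attrs: Dict[str, str], issuer_key: bytes) -> bool:
    """Issuer-side check that a presented code belongs to these attributes."""
    try:
        _, bhash, rvb = parse_eid_code(code)
    except ValueError:
        return False
    expected = hmac.new(issuer_key, rvb + canonical_identity(attrs), hashlib.sha256).digest()
    return hmac.compare_digest(bhash, expected)


def app_identifier(code: bytes, app_id: str, service_key: bytes) -> str:
    """Per-application identifier the eID service hands to one relying party.

    The same person gets unrelated values in different apps, so pooling the
    apps' account data neither recovers the eID code nor links the accounts.
    """
    parse_eid_code(code)  # refuse malformed input before deriving anything
    return hmac.new(service_key, code + app_id.encode("utf-8"), hashlib.sha256).hexdigest()


def audit_lookup(pseudonym: str, app_id: str, service_key: bytes,
                 issued_codes: List[bytes]) -> Optional[bytes]:
    """Audit/traceability: only the key holder can map a pseudonym back to a code."""
    for code in issued_codes:
        if hmac.compare_digest(app_identifier(code, app_id, service_key), pseudonym):
            return code
    return None


if __name__ == "__main__":
    issuer_key, service_key = secrets.token_bytes(32), secrets.token_bytes(32)
    person = {"name": "Zhang San", "id_number": "110101199001011234"}  # constructed sample
    code = generate_eid_code(person, issuer_key)
    print("eID code:", code.hex(), "valid:", verify_eid_code(code, person, issuer_key))
    ids = {app: app_identifier(code, app, service_key) for app in ("bank", "social", "gov")}
    print("distinct per-app identifiers:", len(set(ids.values())) == 3)
    print("audit resolves bank identifier:", audit_lookup(ids["bank"], "bank", service_key, [code]) == code)
```

The separation of issuer_key (used to generate and verify codes) from service_key (used to derive per-app identifiers) mirrors the split between the eID management system and the eID service system on the infrastructure slide: an application never sees either key or the raw code, so it can recognise its own returning user but cannot correlate that user with another application's records.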
eID with Internet Plus: "Internet + Healthcare", "Internet + Agriculture", "Internet + Life Service", "Internet + Finance", "Internet + Education", "Internet + Manufacturing"
eID with Smart City: smart community, quick payment, education cloud, safe city, smart transportation, smart healthcare
Unified Management of Various Cyberspace Identities
• person, organization, network equipment, terminal equipment, software, services, belongings, vehicle, ……
Thanks!