Turkish e-ID Card Based Derived Mobile Credentials
Edona FASLLIJA, Elif USTUNDAG SOYKAN

Post on 08-Jul-2020



Outline

• The need for Mobile ID
• Existing solutions
• The idea of derived mobile credentials
• Turkish e-ID card: dissemination, features
• Proposed solution
• Lifecycle, issuance
• Trust propagation
• Additional requirements
• Benefits

The need for Mobile-ID

• e-ID card rollouts are increasing, yet usage is restricted because there is no killer app
• The mobile era could leverage usage of the e-ID card
• Growing need to access e-Gov services securely through mobile environments
• Bad news: the card reader requirement poses a challenge for mobile environments
• So, usable, secure and trusted mobile identity authentication is still a challenge

Existing solutions for mobile ID

Mobile ID / mobile signature solutions: Austria, Estonia, Turkey

• Mobile device for out-of-band authentication via OTP
• SIM modules as ID/signature token
• Needs dedicated lifecycle management

The idea – Derived mobile credentials

A derived credential does not use the primary card with the device; it is an alternative token to the primary ID card.

Derived ID credential: a credential that is issued based on proof of possession and control of a previously issued credential, without duplication of the identity proofing process.

Aim: to provide ID-card-enabled authentication services from the mobile device to remote IT systems in a secure, reliable and interoperable way.

History of ID Documents

• 1904: Devlet-i Aliye-i Osmaniye Tezkiresi (collection of biographies of the Ottoman Empire)
• 1926: ID paper (as notebook format)
• 1976: ID paper (as card format)
• 2016: e-ID card

E-ID Card Dissemination Road Map

• First card was issued in Kırıkkale in March 2016
• 9 cities followed Kırıkkale in November 2016
• e-ID cards are being issued everywhere in Turkey since January 2017
• All citizens will be given an e-ID card within three years

Features of e-ID Card

• Small, portable, durable, environmentally friendly
• Secure
• Role-based access mechanism
• Multi-biometrics (fingerprint, finger vein, palm vein)
• Travel document (ICAO 9303 passport application)
• Electronic signature can be loaded
• Compliant with international standards (ISO 7816, ISO 14443, ICAO 9303)

Usage areas of e-ID Card

• Health establishment: analysis delivery, report delivery, examination report delivery
• Law court: court article demand, official petition, document tracking
• School: application for registration record, selecting lessons, renewing the record, student certificate, application for identity/free pass, thesis/homework delivery, graduation document/transcript
• Bank: opening/closing account, official petition
• Electricity, water, natural gas etc. delivery companies: subscription opening/closing/transfer, official petition
• Land Registry: examination of the register of deeds
• Law enforcement unit: official notification, license, passport
• Municipality: official petition
• Public Notary: official petition, service contract, document demand
• Any establishment: official petition

Authentication Factors

• Digital certificate
• Digital photo
• PIN
• Biometry

Identity Verification Scenario

Steps in the figure: identity verification request, verification of the e-ID card, PIN verification, biometric verification.

Lifecycle

Primary lifecycle activities of the derived credential: initial issuance, activation, usage, maintenance.

Initial Issuance (remote)

Parties in the figure: OCSP Server, CA, Identity Verification Server, RA (e-gov).

1 - Issuance triggered
7 - MPA initialized, key pair is generated; credential holder requested to enter protection PIN; certificate request along with OTP is sent to RA
9 - Signs and forwards certificate request
10 - Generates the derived certificate

Provides Substantial level of assurance.

Initial Issuance (in-person)

Parties in the figure: OCSP Server, CA, Identity Verification Server, RA (e-gov).

1 - Issuance triggered
7 - MPA initialized, key pair is generated; credential holder requested to enter protection PIN; certificate request along with OTP is sent to RA
9 - Signs and forwards certificate request
10 - Generates the derived certificate

Provides High level of assurance.
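The remote and in-person flows differ only in how the holder is verified and which level of assurance results; the messages from step 7 onward are the same. The Go program below is an added example written for this page, not code from the authors or from the Turkish e-ID programme. It assumes that the OTP is an opaque string the RA already knows from the card session, that the identity verification server and the OCSP server are collapsed into the Primary struct, that the CA is a throwaway self-signed P-256 CA, that the one-year cap and the 11-digit subject are constructed values, and that the protection PIN is enforced on the device and so is left out here. What it shows is the trust binding a derived credential rests on: proof of possession of the new key (the CSR signature), the OTP tying the request to a card session, refusal while the primary is revoked or expired, a subject copied from the vetted primary rather than from the CSR, and a validity period that cannot exceed the primary's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Primary models what the identity verification server and the OCSP server report about the e-ID certificate.
type Primary struct {
	Subject  string
	NotAfter time.Time
	Revoked  bool
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewCA builds a self-signed issuing CA: a test fixture, not a real PKI.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Derived Credential CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// MobileEnroll is the device side of step 7: the key pair is generated on the
// phone (the private key never leaves it) and a PKCS#10 CSR is signed with it.
func MobileEnroll(subject string) (*ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	csr, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: subject}}, key)
	check(err)
	return key, csr
}

// IssueDerived is steps 9-10: the RA checks the OTP and the primary's status, then the CA
// issues a certificate whose identity comes from the vetted primary and that cannot outlive it.
func IssueDerived(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte,
	otp, expectedOTP string, primary Primary, now time.Time) (*x509.Certificate, error) {
	if !hmac.Equal([]byte(otp), []byte(expectedOTP)) { // constant-time compare
		return nil, fmt.Errorf("OTP does not match the e-ID card session")
	}
	if primary.Revoked || !now.Before(primary.NotAfter) {
		return nil, fmt.Errorf("primary e-ID certificate is revoked or expired")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the new key
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	notAfter := now.Add(365 * 24 * time.Hour) // assumed one-year cap for the derived credential
	if primary.NotAfter.Before(notAfter) {
		notAfter = primary.NotAfter
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), // demo serial; a real CA uses a random one
		Subject:      pkix.Name{CommonName: primary.Subject}, // identity from the primary, not the CSR
		NotBefore:    now,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature, // authentication only: limited permissions
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	caCert, caKey := NewCA()
	primary := Primary{Subject: "12345678901", NotAfter: time.Now().Add(90 * 24 * time.Hour)} // constructed
	_, csr := MobileEnroll(primary.Subject)
	cert, err := IssueDerived(caCert, caKey, csr, "482913", "482913", primary, time.Now()) // constructed OTP
	check(err)
	fmt.Println("derived certificate for", cert.Subject.CommonName, "valid until", cert.NotAfter.UTC())
}
```

Because the primary's NotAfter here is 90 days away, the derived certificate is cut to that date rather than the one-year cap; a CSR that names a different subject still yields a certificate for the vetted identity, which is the property that lets the derived credential inherit the card's identity proofing.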

Maintenance

Termination/Revocation:
• If the mobile phone containing the derived credential is stolen, lost or damaged
• If the mobile phone is transferred to another individual
• If the e-ID card containing the primary credential is terminated for any reason (expired, changed, lost)

Re-key:
• If the certificate is expired or compromised, then initial issuance shall be followed
• If a certificate of a higher level of assurance is requested, then initial issuance shall be followed

Trust Propagation

Figure: OCSP Server, CA, Identity Verification Server and RA (e-gov), spanning Trust Domain A, Trust Domain B, Trust Domain C and Trust Domain D.

Additional Security Requirements

• The cryptographic algorithm and key size requirements for the derived credential certificate and private key are the same as the requirements for the primary e-ID card
• For a high level of assurance, the key pair must be generated on a hardware cryptographic module compliant with FIPS 140-2 Level 2 or 3 (e.g. not exporting the private key); for a substantial level of assurance, FIPS 140-2 Level 1 requirements must be satisfied
• Use of the derived credential shall be protected by a PIN and shall be blocked after a number of consecutive failed attempts
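The maintenance rules (termination/revocation and re-key) together with the PIN requirement above, as an added Go example that is not the authors' code: it keeps a derived credential with a PIN retry counter and a revocation flag, revokes a single credential when the phone is lost and every derived credential when the primary e-ID card is terminated, and refuses an expired credential so that the holder has to go through initial issuance again instead of renewing in place. The hashed-PIN check stands in for the PIN verification the hardware cryptographic module would do; MaxPINAttempts = 3, the ID numbers and the PINs are assumed or constructed values.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Sentinel errors so a caller can tell the maintenance cases apart.
var (
	ErrRevoked = errors.New("derived credential revoked")
	ErrBlocked = errors.New("derived credential blocked after consecutive failed PINs")
	ErrExpired = errors.New("derived certificate expired: initial issuance must be repeated")
	ErrBadPIN  = errors.New("wrong PIN")
)

// MaxPINAttempts is an assumed policy value; the page only says "a number of
// consecutive failed attempts".
const MaxPINAttempts = 3

// DerivedCredential joins what the phone enforces (PIN, retry counter) with
// what the RA tracks (revocation, validity). On a real device the PIN check
// and the counter sit inside the hardware cryptographic module.
type DerivedCredential struct {
	Serial    int
	PrimaryID string // the e-ID certificate this credential was derived from
	NotAfter  time.Time
	pinHash   [32]byte
	failed    int
	blocked   bool
	revoked   bool
}

// pinDigest salts the PIN with the serial; a stand-in for the secure element's
// PIN verification, not a recommendation for storing PINs in software.
func pinDigest(serial int, pin string) [32]byte {
	return sha256.Sum256([]byte(fmt.Sprintf("%d:%s", serial, pin)))
}

func NewDerived(serial int, primaryID, pin string, notAfter time.Time) *DerivedCredential {
	return &DerivedCredential{Serial: serial, PrimaryID: primaryID, NotAfter: notAfter,
		pinHash: pinDigest(serial, pin)}
}

// Use gates every operation with the derived private key. Status checks come
// first so a revoked, blocked or expired credential never consumes a PIN try.
func (d *DerivedCredential) Use(pin string, now time.Time) error {
	switch {
	case d.revoked:
		return ErrRevoked
	case d.blocked:
		return ErrBlocked
	case !now.Before(d.NotAfter):
		return ErrExpired // re-key is not a renewal: go through initial issuance again
	}
	got := pinDigest(d.Serial, pin)
	if subtle.ConstantTimeCompare(got[:], d.pinHash[:]) != 1 {
		d.failed++
		if d.failed >= MaxPINAttempts {
			d.blocked = true
			return ErrBlocked
		}
		return ErrBadPIN
	}
	d.failed = 0 // a correct PIN resets the consecutive-failure counter
	return nil
}

// Revoke handles the device-side cases: the phone was stolen, lost, damaged
// or handed to someone else. Only this credential dies; the card and any
// other derived credentials stay valid.
func (d *DerivedCredential) Revoke() { d.revoked = true }

// TerminatePrimary handles the card-side case: the e-ID card expired, was
// changed or lost, so every credential derived from it is revoked. Returns
// how many were revoked.
func TerminatePrimary(all []*DerivedCredential, primaryID string) int {
	n := 0
	for _, d := range all {
		if d.PrimaryID == primaryID && !d.revoked {
			d.revoked = true
			n++
		}
	}
	return n
}

func main() {
	now := time.Now()
	d := NewDerived(7, "12345678901", "2468", now.Add(24*time.Hour)) // constructed values
	for _, pin := range []string{"0000", "1111", "2222", "2468"} {
		fmt.Println(pin, "->", d.Use(pin, now))
	}
}
```

Running main shows the lockout: three wrong PINs block the credential, and the correct PIN entered afterwards is refused with ErrBlocked rather than accepted, which is the behaviour the "blocked after a number of consecutive failed attempts" requirement asks for.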

Benefits

• Main advantage: leverages the identity proofing and vetting results of a current valid credential, and eventually cost savings
• Simplified lifecycle management processes
• Minimized security breach damage due to limited validity period and permissions
• Possibly multiple derived credentials from a single primary credential

Challenges/Future Directions?

Thank You

Any Questions?