Written by Text:
Vladimír Ďurači and Tomáš Balogh, Plaut Slovakia / Michal Ševčík, Hewlett-Packard Slovakia / Peter Kiefer, Atos IT Solutions and Services
Starting on December 1 2013, a new national identity card with a built-in electronic chip – a so-called electronic identity card (eID) – will be issued in the Slovak Republic. This is part of the process of introducing electronic public sector services, designed to enable the Slovak citizens to communicate securely with their government online. The fundamental requirement for accessing these services is the secure authentication and an unambiguous identification of a person. The eID card has the role of a trustworthy medium to access the eGovernment services, a secure token for storing the personal identity data of each citizen – thereby creating the citizen’s electronic identity. The Slovak eID can also be used as a Secure Signature Creation Device (SSCD) for storing qualified certificates and creating Qualified Electronic Signature (QES).
eID hardware and operating system
The future Slovak national eID card is based on a polycarbonate card and comes with an integrated contact-based cryptocontroller. During the selection of the chip, the newest technologies in the secure chip cards sector were chosen: Infineon’s SLE78CFX3000P with the operating system CardoS V5.0 developed by Atos IT Solu- tions and Services. CardoS V5.0 is based on the innovative digital security technology ‘Integrity Guard’ from Infineon and is implemented on the SLE78 next generation security controller platform using SoLID FLASHTM. CardoS V5.0 supports modern security mechanisms and cryptographic algorithms. The solution used for the Slovak eID card is derived from the German eID card system and based on EAC technology, according to BSI TR-03110. Rather than using an X.509 certificate, the verification of an electronic identity stored in the eID card based on reading the identity data via an EAC channel is used for electronic authentication and identification. The eID card solution is designed as a multi-application card with a vision of future enhancements.
eID SW infrastructure and eID middleware
In order to enable the authentication using the eID card for the providers of electronic services, it was necessary to develop an interoperable software infrastructure – an eID Authentication System (eID AS). This infrastructure produces an inevitable part of the eID solution and enables the integration of service providers based on standard interfaces. Secure communication with a remote eID card is provided by the eID Middleware (eID MW). Its implementation is based on the standards ISo/IEC 24727 (Identification cards – ICC program- ming interfaces), CEN 15480-3 (European citizen card – ECC Interoperability using an application interface) and the technical guideline BSI TR-03112 (eCard-API-Framework). eID MW enables the communication between a web-based application running on a service provider’s server and a remote eID card through a secured communication channel. The communication between client and server provided by the eID MW is directed by PAoS protocol.
eID authentication system (eID AS)
The eID Authentication System (eID AS) consists of applications and software components on the server side and a multiplatform client application (eClientApp) that manages the process of authentication on the citizen’s PC. The application provides an interac- tion with the user during the eID authentication and enables the communication of the eID AS server with the eID card. An eID AS server enables the integration of the eID authentication by exposing standard interfaces based on oASIS SAML 2.0 and BSI TR-03130 (eID server) standards for the service providers. Thus the providers gain the ability to use the identification and authentication mechanism of the citizen’s eID card to access their services. The eID AS represents an important construction element for the realization of eGovernment in Slovakia. other projects also count on using it, e.g. the eHealth project uses eID AS to authen- ticate the citizen to access the eHealth portal as well as to prove the presence of a citizen during a visit of a health professional (at a doctor, at a pharmacy). It will also be used by the eGovernment portal of the Slovak Ministry of Interior (MoI), which is preparing a large number of electronic services for the citizens. For this purpose an integration component – the SAML Communication Handler – covering the whole process of the citizen login on the MoI portal has also been developed. eID AS software components (eID MW Framework, eClientApp, eID AS server components) have been developed by Hewlett-Packard Slovakia and Plaut Slovakia.
eID online authentication
online authentication using the eID is based on a mutual prove of authenticity between a citizen and an online service provider. During this process, mutual authentication of a provider server and an eID chip is performed and an encrypted EAC channel is established. The citizen’s authentication is based on reading out the electronic identity through the established EAC channel based on rights defined in the provider’s CV (Card Verifiable) certificate. This functionality can be activated upon the citizen’s request. During the activation process, the citizen enters the PIN. While accessing a service of a provider who requires the citizen’s authentication, the request is redirected to the eID AS. During the authentication, the citizen is prompted an information about the service provider and a list of personal data that the provider requires. After approval for reading out the data, the citizen enters the PIN. After PIN verification and EAC channel establishment, the eID AS reads out the required citizen data and sends it to the service provider in an encrypted form via a signed authentication confirmation – in a SAML asser- tion. After the verification and identification of a user is successfully done, the service provider enables access to the service.
QES functionality in the eID
Slovak citizens may use the eID card for storing and renewal of qualified certificates and creation of a qualified electronic signature (QES). The QES functionality in the eID may be activated upon the citizen’s request either during document pick-up or later at a registration authority (RA) office. The QES enables the realization of acts that require a handwritten signature verified by a notary in the paper world. A QES is created by the card using a private key that encrypts an imprint of a document that is to be signed. The way of its creation provides a legal non-repudiation of the signature and allows the reliable determining of the individual who created the electronic signature. This signature also guarantees integrity of the document, i.e. that the signed document has not been altered in any way during the transmission to the recipient. Components with PKCS#11 and CSP interfaces are a part of the eID MW and allow the use of the eID card through standardized cryptographic programming interfaces. An access to SSCD signature functions through standardized interfaces is used by the most certified signature creation applications.
A citizen may request to be issued a qualified certificate at an RA office. A qualified certificate renewal may be performed online by a secure method using an established EAC channel, i.e. without personal attendance of the RA office. This concept has been evaluated by TÜViT according to Common Criteria EAL4+. To increase the availability of electronic services, the Slovak Republic plans to issue the qualified certificates to its citizens without additional fees.
Assets and perspectives
After introducing the national eID, an acceleration of administrative acts for citizens and a better availability of government services are expected, as well as the creation of transparent and auditable electronic administrative contacts. These assets should lead to resource and cost savings, both on the citizens’ and the public sector’s side as well as increased government satisfaction among citizens, entrepreneurs and the general public.
With an increasing amount of issued cards, a consecutive increase of ID services is expected: the success of the eID depends directly on them.
Besides the possibilities of using the eID card that have been mentioned (online authentication, QES), it is also considered to use the eID card for encryption of sensitive data transmitted between a citizen and a service provider (as planned for the eHealth card), sector identification, eVoting, etc. in the future. Besides the public sector, a massive use of the eID functionality in the private sector is expected, e.g. in areas of eBusiness and eBanking.
The concept of the eID card that has been realized fully complies with the European Union initiative to create a European interoperable eID platform – project SToRK – that allows citizens to create new electronic relationships across European borders. The new identity card enables a trustworthy national authentication that is an expected requirement for engagement in the project SToRK. This enables the Slovak citizens to authenticate and access electronic services also in other countries of the European Union using their eID.
This article was first published in the Vault, #13, November 2013