
eID in EMEA & QuEST


Presentation Transcript


  1. eID in EMEA & QuEST – Ronny Bjones, Security Program Manager, Microsoft EMEA

  2. Agenda • What is happening in Europe • Our technology support • QuEST • Conclusions

  3. What is driving national smart card projects in Europe?
     • eGovernment - eID
       • Identification of citizens on the portals & counters
     • Austria
       • 60k cards issued to students
       • Scholarships, tuition fees
     • Italy
       • 1.5M cards produced, 600k distributed, another 2M in production
       • Registration & tax services, e-signing of documents, etc.
     • Estonia
       • 500K cards distributed (50% penetration)
       • Tax services, e-ticketing, etc.

  4. What is driving national smart card projects in Europe?
     • Social security
       • Use of smart cards to protect privacy-sensitive data
     • Belgium
       • SIS card issued to all citizens
       • Doctors, pharmacies
     • Norway
       • National office for social insurance
       • All doctors, hospitals
       • PKI-based card, set of projects to simplify social security reporting

  5. Norway (architecture diagram; slide courtesy of ERGO). Components shown: regional health care institutions (EPJ, PACS, HR); national databases & services (national database on use of drugs, encrypted "My health folder", National Health Security, Rights Management Server, IAS, DC, Offline Root CA, Enterprise CA); population database (personal ID number); municipality (health care in institutions and private homes); services (TTP, payment, time stamp); Citrix farm (application & database, Citrix ticket server); Internet zone (DC with AD/DHCP, IAS (RADIUS), Secure Gateway, Offline Root CA, Enterprise CA); public health cards and professional health cards containing certificates.

  6. Impact of the EC Directives
     • EC Directive on Electronic Signatures (1999)
       • Legal framework for electronic signatures
       • Adopted in all EU member states (25) + EEA (3) + Candidates (2) + MEA (2+)
     • EC Directive on e-Invoicing (2001)
       • Acceptance of electronic invoices
       • Security based on AES (here: Advanced Electronic Signatures, not the cipher) or Secure EDI
       • Important for the development of the supporting national PKI infrastructures
     • EC Directive on e-Procurement (in development)

  7. More numbers (chart; source: EC DG Information Society 2003)

  8. Typical Scenarios
     • Secure eGovernment, eBanking and eBusiness require security services
       • Authentication
       • Data confidentiality
       • Data integrity
       • Non-repudiation
     • How are these services facilitated by eID?

  9. Authentication
     • Verify the identity of citizens by means of eID
     • TCO of identity management is high
     • Organisations can rely on the work done by the governments and enrol users over the Internet

  10. Confidentiality
     • Basic algorithms to encrypt information are foreseen in most eID projects
     • Belgian eID does not foresee a certificate for encryption

  11. Integrity & Non-repudiation
     • How can we be sure that the data was not altered?
     • How can we have proof in a court of law that a certain individual did this transaction?
     • Typically done by electronic signatures, which are supported by most eID projects
       • Signing of forms, electronic documents

  12. Agenda • What is happening in Europe • Our technology support • QuEST • Conclusions

  13. Microsoft Smart Card Support
     • Windows logon
       • Standard support for smart cards
       • GINA custom models
       • Full integration with AD
       • Terminal Server (W2K3)
     • Applications can interface with smart cards through
       • CryptoAPI/CAPICOM
       • .NET Framework

  14. Microsoft Smart Card Support
     • For vendors
       • PC/SC
       • Plug into CryptoAPI (custom CSP)
       • New smart card base CSP

  15. Smart card enabled technologies
     • SSL – Internet Explorer
     • Secure email (S/MIME) – Outlook (Express)
     • VPN – W2K, XP, W2K3
     • Secure forms – InfoPath
     • Document signing (Word, Excel, PowerPoint)
     • Windows Rights Management – W2K3
     • Any third-party CryptoAPI-enabled application

  16. Agenda • What is happening in Europe • Our technology support • QuEST • Conclusions

  17. QuEST
     • Qualified Electronic Signatures Tutorial
     • Demystify Qualified Electronic Signatures
     • Best practice/guidance for designing a Qualified Electronic Signature solution

  18. Why did we develop QuEST?
     • Demystify the subject
       • General perception: very complex subject
       • Multidisciplinary: legal, technology, policy
     • A lot of customers will get QES as a requirement in the years to come
       • How to build a QES solution?

  19. Approach
     • Provide guidance for customers
       • Project managers & architects
     • Design a knowledge base – blueprints
       • Legal, technology, policy
       • Knowledge base for different audiences
     • Project Team Guide
       • Which questions should be answered by a project team to design a QES solution
       • Design process
     • Scenario – Contoso Lottery
       • Based on Norwegian Lottery
       • Show how a QES solution can be implemented on our platform

  20. QuEST Background
     • EC Directive on Electronic Signatures
       • 1999
       • Mandates member states to change their laws
       • Electronic signatures can be equivalent to handwritten signatures
         • If they are performed under certain conditions
     • European Electronic Signature Standardization Initiative (EESSI)
       • ETSI – CEN standards
       • Other standards

  21. EESSI Standards Overview (diagram; "A I" to "A IV" refer to the annexes of the Directive)
     • Certification Service Provider
       • Trustworthy system (A II.f): CWA 14167-1, CWA 14167-2
       • Requirements for CSPs (A II): ETSI TS 101 456
       • Time stamp: ETSI TS 101 861
       • Qualified certificate (A I): ETSI TS 101 862
     • Signature format & syntax (Advanced ES): ETSI TS 101 733, ETSI TS 101 903 (XAdES)
     • User/signer
       • Signature creation process and environment (A III): CWA 14170
       • Creation device (A III): CWA 14169
     • Relying party/verifier
       • Signature validation process & environment (A IV): CWA 14171
     • Standards bodies: CEN E-SIGN (CWAs), ETSI ESI (TSs)

  22. Electronic signature categories (nested diagram, widest to narrowest; EC Directive on Electronic Signatures)
     • Electronic Signatures: all kinds of substitutes for penned signatures
     • Advanced Electronic Signatures: security technology based on PKI
     • Qualified Electronic Signatures: Advanced Electronic Signature + Qualified Certificate + Secure Signature Creation Device

  23. Building a QES Solution
     • Mandatory requirements
       • Relate to the Directive on Electronic Signatures
       • Compliance
     • Additional requirements
       • Risk management
       • Added-value elements before court

  24. Mandatory Requirements – EC Directive on Electronic Signatures
     • Impact of the Directive: an independent arbiter (judge/notary) should follow harmonised criteria to decide whether a signature was valid at a certain moment in time
     • Legal requirements
       • Advanced Electronic Signature (AdES)
       • Qualified Certificate (QC)
       • Secure Signature Creation Device (SSCD)

  25. Additional Requirements
     • Validation by an independent arbiter
       • How can we facilitate that an independent arbiter can still validate a signature after a period of n years?
     • Electronic signature format
       • How can we reduce the risk that somebody can easily repudiate the signature?
     • Risk management
       • Standards and technology introduced to increase the overall security of a QES solution

  26. XAdES
     • XML Advanced Electronic Signatures
     • ETSI standard for XML signatures
       • TS 101 903
       • Based on W3C XML Signatures
       • W3C adopted XAdES
       • Includes signature qualifying properties
     • TS 101 733
       • Formats for advanced electronic signatures valid over a long period of time
       • Aimed at convincing an independent arbiter of the validity of a signature
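The following is an added example, not code from the presentation or from QuEST, to make concrete what slides 11, 25 and 26 describe: why a signature that has to convince an independent arbiter n years later binds the signing certificate and a trusted time into the signed data, and why validation judges the certificate at the attested signing time rather than at the moment of validation. It is deliberately stripped down: a toy textbook RSA over two fixed Mersenne primes (no padding, no real key management) stands in for the SSCD and CSP, a dict stands in for the qualified certificate, deterministic JSON stands in for XML canonicalisation, and the "timestamp" is a constructed stand-in for a TSA token (the TS 101 861 role). The property names mirror XAdES but the structure is illustrative, not the standard's schema.

```python
import hashlib
import json
from datetime import datetime

# Toy textbook RSA over two fixed Mersenne primes (constructed for illustration only;
# no padding, no key management). Only the structure of the signature matters here.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

CERT = {  # constructed stand-in for a qualified certificate (QC), valid 2003-2005
    "subject": "CN=Citizen Example",
    "not_before": "2003-01-01T00:00:00+00:00",
    "not_after": "2006-01-01T00:00:00+00:00",
    "public_key": {"n": N, "e": E},
}


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def canonical(obj) -> bytes:
    # Stand-in for XML canonicalisation: a deterministic JSON serialisation.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def parse_time(s: str) -> datetime:
    return datetime.fromisoformat(s)


def sign_document(document: bytes, cert: dict, signing_time: str, d: int) -> dict:
    """Produce an XAdES-like signature: the private key covers the document digest
    together with the SignedProperties (claimed signing time, certificate digest)."""
    signed_props = {
        "SigningTime": signing_time,                           # claimed by the signer only
        "SigningCertificate": sha256(canonical(cert)).hex(),   # binds this QC to the signature
        "SignaturePolicyIdentifier": "urn:example:policy:1",   # constructed placeholder
    }
    to_be_signed = sha256(sha256(document) + canonical(signed_props))
    sig = pow(int.from_bytes(to_be_signed, "big"), d, cert["public_key"]["n"])
    return {
        "SignedProperties": signed_props,
        "SignatureValue": sig,
        "Certificate": cert,
        "UnsignedProperties": {},
    }


def add_timestamp(signature: dict, tsa_time: str) -> None:
    """Attach a constructed stand-in for a TSA token over the signature value."""
    signature["UnsignedProperties"]["SignatureTimeStamp"] = {
        "time": tsa_time,
        "digest": sha256(str(signature["SignatureValue"]).encode()).hex(),
    }


def validate(document: bytes, signature: dict, validation_time: str) -> tuple:
    """Return (ok, reason). The certificate is judged at the time a third party
    attests that the signature existed, not at the time of validation."""
    cert = signature["Certificate"]
    props = signature["SignedProperties"]
    pub = cert["public_key"]
    if props["SigningCertificate"] != sha256(canonical(cert)).hex():
        return False, "certificate does not match the signed certificate digest"
    expected = int.from_bytes(sha256(sha256(document) + canonical(props)), "big")
    if pow(signature["SignatureValue"], pub["e"], pub["n"]) != expected:
        return False, "signature value does not verify (document or properties altered)"
    ts = signature["UnsignedProperties"].get("SignatureTimeStamp")
    if ts and ts["digest"] == sha256(str(signature["SignatureValue"]).encode()).hex():
        reference_time = ts["time"]       # attested by the TSA
    else:
        reference_time = validation_time  # the signer's own SigningTime is not proof
    if not parse_time(cert["not_before"]) <= parse_time(reference_time) <= parse_time(cert["not_after"]):
        return False, f"certificate was not valid at {reference_time}"
    return True, f"valid; certificate judged at {reference_time}"


if __name__ == "__main__":
    doc = b"<invoice id='42'>...</invoice>"  # constructed sample document
    sig = sign_document(doc, CERT, "2004-06-01T12:00:00+00:00", D)
    print(validate(doc, sig, "2010-01-01T00:00:00+00:00"))  # no timestamp: cert expired by 2010
    add_timestamp(sig, "2004-06-01T12:05:00+00:00")
    print(validate(doc, sig, "2010-01-01T00:00:00+00:00"))  # timestamp fixes the reference time
    print(validate(doc + b" ", sig, "2010-01-01T00:00:00+00:00"))  # altered document
```

Two points carry over to a real XAdES deployment: the signer's own `SigningTime` is inside the signed data, so it cannot be altered afterwards, but it is still a claim, which is why the arbiter relies on the externally attested timestamp; and because the certificate digest is signed, swapping in a different certificate at validation time fails before any key operation runs. Revocation checks at the reference time (CRL/OCSP evidence stored alongside the signature) would be the next thing a long-term format adds.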

  27. Conclusion
     • eID is happening all over Europe and will become more and more a requirement in projects
     • We have a lot of technology available that allows you to use eID or to develop eID-based applications
     • Download our QuEST guide and get guidance on how to enable signature scenarios in your apps based on eID

  28. Resources
     • Register for QuEST: ronnybj@microsoft.com, Subject: Register QuEST
     • EC Report: http://europa.eu.int/information_society/eeurope/2005/all_about/security/electronic_sig_report.pdf
     • Microsoft developers info: http://msdn.microsoft.com/security/
     • Microsoft Smart Card Base CSP: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/microsoft_smart_card_base_cryptographic_provider.asp

  29. © 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
