EID in EMEA QuEST - PowerPoint PPT Presentation



eID in EMEA & QuEST

Ronny Bjones

Security Program Manager

Microsoft EMEA


Agenda

  • What is happening in Europe

  • Our technology support

  • QuEST

  • Conclusions


What is driving national smart card projects in Europe?

  • eGovernment - eID

    • Identification of citizens on the portals & counters

      • Austria

        • 60k cards issued to students

        • Scholarships, Tuition fees

      • Italy

        • 1.5M cards produced, 600k distributed, another 2M in production

        • Registration & tax services, e-signing of documents, etc.

      • Estonia

        • 500K cards distributed (50% penetration)

        • Tax services, e-ticketing, etc.


What is driving national smart card projects in Europe?

  • Social security

    • Use of smart cards to protect privacy sensitive data

      • Belgium

        • SIS card issued to all citizens

        • Doctors, pharmacies

      • Norway

        • National office for social assurance

        • All doctors, hospitals

        • PKI-based card, set of projects to simplify social security reporting


Norway

[Architecture diagram; the labels that survive are listed below.]

  • Regional health care institutions: EPJ, PACS, HR

  • National databases & services: national database on use of drugs, encrypted "My health folder", national health security

  • Rights Management Server, IAS, DC, Offline Root CA, Enterprise CA

  • Population database: personal ID number

  • Municipality: health care in institutions and private homes

  • Services: TTP, payment, time stamp

  • Citrix farm (application & database), Citrix ticket server, Internet, DC (AD, DHCP), IAS (RADIUS), secure gateway

  • Offline Root CA and Enterprise CA issuing public health cards containing certificates

  • Offline Root CA and Enterprise CA issuing professional health cards containing certificates

Slide courtesy of ERGO


Impact of the EC Directives

  • EC Directive on Electronic Signatures (1999)

    • Legal framework for electronic signatures

    • Adopted in all EU member states (25) + EEA (3) + Candidates (2) + MEA (2+)

  • EC Directive on e-Invoicing (2001)

    • Acceptance of electronic invoices

    • Security based on AES (Advanced Electronic Signatures, not the block cipher) or Secure EDI

    • Important for the development of the supporting national PKI infrastructures

  • EC Directive on e-Procurement (in development)


More numbers

Source: EC DG Information Society 2003


Typical Scenarios

  • Secure eGovernment, eBanking, eBusiness requires security services

    • Authentication

    • Data Confidentiality

    • Data Integrity

    • Non-repudiation

  • How are these services facilitated by eID?


Authentication

  • Verify the identity of citizens by means of eID

    • TCOS of Identity management is high

    • Organisations can rely on the work done by the governments and enrol users over the Internet


Confidentiality

  • Basic algorithms to encrypt information are foreseen in most eID projects

    • Belgian eID does not foresee a certificate for encryption


Integrity & Non-repudiation

  • How can we be sure that the data was not altered?

  • How can we have proof in a case of law that a certain individual did this transaction?

  • Typically done by Electronic Signatures which are supported by most eID projects

  • Signing of forms, electronic documents


Agenda

  • What is happening in Europe

  • Our technology support

  • QuEST

  • Conclusions


Microsoft Smart Card Support

  • Windows Logon

    • Standard support for smart cards

    • GINA Custom models

    • Full integration with AD

    • Terminal Server (W2K3)

  • Applications can interface smart cards through

    • CryptoAPI/CAPICOM

    • .Net Framework


Microsoft Smart Card Support

  • For vendors

    • PC/SC

    • Plug into CryptoAPI (custom CSP)

    • New smart card base CSP


Smart card enabled technologies

  • SSL – Internet Explorer

  • Secure email (S/MIME) – Outlook (Express)

  • VPN – W2K, XP, W2K3

  • Secure form – InfoPath

  • Document signing (Word, Excel, PowerPoint)

  • Windows Rights Management – W2K3

  • Any third party CryptoAPI-enabled application


Agenda

  • What is happening in Europe

  • Our technology support

  • QuEST

  • Conclusions


QuEST

  • Qualified Electronic Signatures Tutorial

  • Demystify Qualified Electronic signatures

  • Best practice/guidance for designing a Qualified Electronic signature solution


Why did we develop QuEST?

  • Demystify the subject

    • General perception: Very complex subject

    • Multidisciplinary: Legal, Technology, Policy

  • A lot of customers will get QES as a requirement in the years to come

How to build a QES solution?


Approach

  • Provide guidance for customers

    • Project Managers & Architects

  • Design a knowledge base – Blueprints

    • Legal, Technology, Policy

    • Knowledge base for different audiences

  • Project Team Guide

    • Which questions should be answered by a project team to design a QES solution

    • Design process

  • Scenario – Contoso Lottery

    • Based on Norwegian Lottery

    • Show how a QES solution can be implemented on our platform


QuEST Background

EC Directive on Electronic Signatures

  • 1999

  • Mandates member states to change their laws

    • Electronic Signatures can be equivalent to handwritten signatures

    • If they are performed under certain conditions

      • European Electronic Signature Standardization Initiative (EESSI)

      • ETSI – CEN standards

      • Other standards


EESSI Standards Overview

[Diagram; each area is listed with the standards shown for it.]

  • Certification Service Provider

    • Trustworthy system (A II.f): CWA 14167-1, CWA 14167-2

    • Requirements for CSPs (A II): ETSI TS 101456

    • Time stamp: ETSI TS 101861

    • Qualified certificate (A I): ETSI 101 862

  • Signature format & syntax (Advanced ES): ETSI TS 101733, ETSI TS 101903 (XAdES)

  • Signature creation process and environment (A III): CWA 14170

  • Signature validation process & environment (A IV): CWA 14171

  • Creation device (A III): CWA 14169

  • Actors: Relying party/verifier, User/signer

  • Standards bodies: CEN E-SIGN, ETSI ESI


EC Directive on Electronic Signatures

  • Electronic Signatures: all kinds of substitutes for penned signatures

  • Advanced Electronic Signatures: security technology based on PKI

  • Qualified Electronic Signatures: Advanced Electronic Signature + Qualified Certificate + Secure Signature Creation Device


Building a QES Solution

  • Mandatory Requirements

    • Relate to Directive on Electronic Signatures

    • Compliance

  • Additional Requirements

    • Risk management

    • Added-value elements before court


Mandatory Requirements

EC Directive on Electronic Signatures

  • Impact of Directive

    An independent arbiter (Judge/Notary) should follow harmonised criteria to decide whether a signature was valid at a certain moment of time

  • Legal requirements

    • Advanced Electronic Signature (AdES)

    • Qualified Certificate (QC)

    • Secure Signature Creation Device (SSCD)


Additional Requirements

  • Validation by an independent arbiter

    • How can we make sure that an independent arbiter can still validate a signature after a period of n years?

    • Electronic Signature Format

  • How can we reduce the risk that somebody can easily repudiate the signature?

    • Risk management

    • Standards and technology introduced to increase the overall security of a QES solution.


XAdES

  • XML Advanced Electronic Signatures

  • ETSI standard for XML Signatures

    • TS 101 903

    • Based on W3C XML Signatures

      • W3C adopted XAdES

    • Include signature qualifying properties

      • TS 101 733

      • Formats for advanced electronic signatures valid over a long period of time

  • Aimed at convincing an independent arbiter of the validity of a signature


Conclusion

  • eID is happening all over Europe and will become more and more a requirement in projects

  • We have a lot of technology available that allows you to use eID or to develop eID-based applications

  • Download our QuEST guide and get guidance on how to enable signature scenarios in your apps based on eID


Resources

  • Register for [email protected]: Register QuEST

  • EC Report: http://europa.eu.int/information_society/eeurope/2005/all_about/security/electronic_sig_report.pdf

  • Microsoft developers info: http://msdn.microsoft.com/security/

  • Microsoft Smart Card Base CSP: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/microsoft_smart_card_base_cryptographic_provider.asp



© 2003 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

