Finnish Electronic Identification and Supporting Technologies

  • Slides: 23
Title slide (sample card): Meikäläinen Maija, F, 1111 1958 - 1111, Maija Meikäläinen
Contact: vesa.vatka@vrk.intermin.fi, www.vaestorekisterikeskus.fi

General Issues
• The amount of various transactions on the Internet is increasing rapidly
• To make it safe we need:
  • identification of both sides,
  • digital signature,
  • encryption of data transfer
• The field is developing rapidly
• Important part of the information society

Identification, digital signatures and encryption are based on:
• open standards:
  • Public Key Infrastructure
  • PKIX-based Certificate Policy
  • chip cards and readers (ISO standards, 7816 series, incl. -8)
  • X.509 v3 certificates, IETF PKIX "qualified certificate" draft
  • X.500 and LDAP directories
  • EID application (FINEID S4-1 = PKCS#15, FINEID implementation)
  • => will be modified to meet EESSI requirements
• highly secured environments
• centralized key generation
• face-to-face identification
• voluntary involvement
• cards and certificates valid for a certain time (3 years)

PARTNERS
• CA system: ICL (iD2)
• Help Desk services: NovaCall, NovoGroup
• Card manufacture and RA duties: Setec, Police
• Directory services: HPY, PeerLogic i500
• CRL services: Sonera

CA / CARD process (diagram)
• VTJ (Population Information System): application information
• Pregeneration of anonymous ID cards (RSA keys + PIN)
• Process database: request -> certificates
• VRK certificate services: certificate request, certificates
• Bull: "manual information"
• X.500 + CRL
• Registration Authority services: application, face-to-face identification, card delivery, PIN codes
• Sample card images in the diagram: Matti Meikäläinen (12345); Caisse Primaire d'Assurance Maladie de CARPENTRAS, sécurité sociale

Electronic ID-card -99 (card file layout)
• MF (master file)
• FINEID application
• Additional certificates (employer, organisation, customer...): ~8-9 KB
• Other data (city application, bank application, user's own): ~6-7 KB

FINEID application (PKCS#15)

FINEID card with two keypairs
• Different keys, certificates and PIN codes for each
• Authentication + encryption (PIN 1): X.509 certificate; "Hello?" -> "Hi, encrypt session key"
• Non-repudiation signature (PIN 2): X.509 certificate ("Allekirj." = signature)
• Also the trusted CA (PRC) certificate, which includes the CA public key

Certificate basic fields:
• version: value 2 = X.509 v3 certificate
• serial number: unique within an issuer
• signature: the algorithm identifier for the algorithm used by the CA to sign the certificate
• issuer: country = FI, organisation = VRK-FINSIGN Gov. CA, commonName = Finsign CA for Citizen
• validity: YYMMDDHHMMSSZ
• subject: country = FI, surname = Meikäläinen, givenName = Maija, finuid = 123456786, cn = S+G+F
• subject public key: the algorithm identifier of the subject's public key
Extensions:
• Key usage: digitalSignature, keyEncipherment, dataEncipherment (authentication certificate); nonRepudiation (signature certificate)
• Certificate policies: policy identifier, OID (the CP includes possible loss limitations etc.)
• Authority key identifier: identifies the particular private CA key used to sign the certificate
• Subject key identifier: SHA-1 hash of the value of the BIT STRING subjectPublicKey
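As an added example (not code from the original slides or from the FINEID project), a standard-library Python check of two of the fields described above: the Subject Key Identifier computed as the SHA-1 of the subjectPublicKey BIT STRING value, and the key-usage split between the PIN 1 authentication/encryption certificate and the PIN 2 non-repudiation certificate. The toy RSA modulus, the exact key-usage sets and all function names are constructed assumptions.

```python
import hashlib

# Minimal DER helpers, enough for SubjectPublicKeyInfo (added example, not FINEID code).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(value):
    # An extra leading 0x00 when the top bit is set keeps the INTEGER positive.
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_read(buf, off=0):
    """Return (tag, body, offset after the element) for the TLV starting at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                     # long-form length
        nbytes = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + ln], off + ln

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo for an RSA key: AlgorithmIdentifier + BIT STRING(RSAPublicKey)."""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # rsaEncryption, NULL
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_public_key))  # 0 unused bits

def subject_key_identifier(spki_der):
    """SKI as the slide defines it: SHA-1 over the value of the subjectPublicKey BIT STRING,
    i.e. without tag, length and the leading unused-bits byte (RFC 5280 method 1)."""
    _, seq, _ = der_read(spki_der)
    _, _alg, off = der_read(seq)                 # skip AlgorithmIdentifier
    tag, bit_string, _ = der_read(seq, off)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    return hashlib.sha1(bit_string[1:]).digest()

# Key-usage split from the slides (assumed to be exact sets): the PIN 1 certificate is for
# authentication/encryption, the PIN 2 certificate carries nonRepudiation only.
FINEID_KEY_USAGE = {
    "authentication": {"digitalSignature", "keyEncipherment", "dataEncipherment"},
    "signature": {"nonRepudiation"},
}

def fineid_key_usage_ok(cert_kind, key_usage):
    """True only if the key-usage bits match the certificate kind; nonRepudiation on the
    PIN 1 certificate would blur the separation between authentication and signing."""
    return set(key_usage) == FINEID_KEY_USAGE[cert_kind]
```

Call `subject_key_identifier(rsa_spki_der(modulus, 65537))` on a constructed modulus to get the 20-byte identifier that the Subject Key Identifier extension should carry.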

WHERE, HOW, WHAT?
• Cards: company card, bank card, ...
• FINEID application
• Certificates: citizen certificates (not for company cards), role certificates, email certificates, ...

DIRECTORY SERVICE
• FINSIGN CA FOR CITIZEN: X.500, OPEN DIRECTORY SERVICE
• CLOSED ENVIRONMENTS -> CLOSED X.500 DIRECTORIES
• PERSONAL CERTIFICATES:
  • CERTIFICATE 1: AUTHENTICATION AND ENCRYPTION
  • CERTIFICATE 2: DIGITAL SIGNATURE
• JURIDICAL AND SERVER CERTIFICATES
• CRL (CERTIFICATE REVOCATION LIST) V2
• DIRECTORY REQUESTS: LDAP V2.0 AND V3.0 SUPPORTED

X.500 directory tree
• Issuer organisation level: c = FI, dmd = JULHA, o = Cert. All, dmd = FINEID
• CA level: o = VRK-FINSIGN Gov. CA, cn = FinSign CA for citizen (caCertificate, crossCertificates, CRL); other CAs such as dmd = ..., o = NovoTrust ...
• User level: cn = Meikäläinen Maija 123456789, or ui = 428 (cert serial number)
  • objectClass = fineidPerson, strongAuthenticationUser or fineidUserCertificate
  • userCertificates (multivalued or per use), role and attribute certificates
  • s = Meikäläinen, g = Maija, finuid = 123456789, other attributes; or s = Meikäläinen, g = Maija, fineidSubjectDistinguishedNameString = "s = Meikäläinen + g = Maija + finuid = 123456789, c = fi"

Interactive electronic form (process diagram)
Components:
• End user software: smart card support, digital signature, encryption, e-mail (S/MIME), web browser, WWW forms
• Smart card: keys, PIN 1 and PIN 2, certificates, other data, other applications, ...
• WWW server with firewall integration; encryption of data transfer over the Internet (SSL, IPSEC)
Steps:
1.) Secure form - payments
2.) Secure authentication (PIN 1)
3.) Strong authentication
4.) FINUID 123456783
5.) Maija Meikäläinen, H: 111111-114A, addr: pöllökuja...
6.) Digital signature
7.) PIN 2
8.) Data storage
9.) Datacheque -> database
10.) Decision in storage, e-mail to customer
11.) Customer reads, time stamp

Single Sign-on (SIB)
• Step 1: Secure authentication (smart card, SecurID token; login and password replaced by the encrypted password)
• Step 2: Transparent sign-on (SSO) to Product 1, Network Operating System, Departmental Server 2, Mainframe
• Intranet, Extranet

Qualified Electronic Signature environment

Baseline Qualified Certificate Policy

Specific Qualified Certificate Policy

Levels of certificates
• CA: VRK-Finsign Gov. CA / Finsign CA for ...: Specific Qualified Certificates, contain FINUID; RAs: police, social insurance institute, banks; two face-to-face identifications => widely accepted
• VRK-Finsign Enterprise CA? / Organizational CAs: Finsign Enterprise CA for ...: Qualified Certificates, B2B, B2C, no FINUID; RAs: ICL Invia, TietoEnator, other software houses; meets the requirements of the BQCP
• Organizational CAs: qualified or non-qualified certificates; no FINUID, use is up to the organisation involved; may not meet the requirements coming from the BQCP (e.g. the SSCD does not fulfil the required level of security)

Levels of signatures

Users
Finland:
• Public administration (100 ongoing projects)
• State authorities and municipalities (0.5 million employees)
• Private sector:
  • banks, insurance companies, unions
  • telecommunication operators and Internet service providers
  • large firms
  • retail, e-commerce
• Citizens: 5 million
• Sweden: SEIS interoperability, both public and private sector
• Norway: SEIS interoperability in administration, citizens
• EU, PKCS#15 --> global market!

Development under process:
• WWW (digital) television with new technologies
• GSM/WAP with and without a separate card reader
• WWW-based info kiosks with FINEID interoperability
• end-user card reader and software package (ISPs)
Where to use? Education, banking, consuming, wireless communications, public services...
Channels with FINEID interoperability: mobiles, Internet, satellite TV, cable TV, digital TV

Electronic services
• The very first service to utilize the FINEID card: the electronic application for notification of a move (change of address) by the Population Register Centre and Finnish Post
Next services, among others:
• Services by municipalities and regions (Tornio, Rovaniemi, Oulu, Kuusamo/Koillismaa, Pori, Raisio, Turku, Etelä-Karjala IT region, Espoo, Vantaa, Helsinki and Joensuu; common to all of these are various application forms, electronic forms, library services etc.)
• Application and financial services by the Finnish patent organisation
• Electronic tax service for companies and organisations
• Employment services by the Ministry of Labour
• Electronic application form by the Office of Education
• Social and welfare services / Makropilot

Electronic services
Private sector services, among others:
• OKO Bank, Leonia Bank and Mandatum Bank will be offering, within a year, a significantly wider range of Internet banking services than before
• Fennia Insurance will offer sophisticated Internet insurance services
• GE Capital will offer financial services for car dealers and buyers
• Services offered by Fortum concern consumers making contracts for buying electricity
• In addition, e.g. ICL will take the FINEID card into internal use