Turkish e-ID Card Based Derived Mobile Credentials
TRANSCRIPT
Outline
• The need for Mobile ID
• Existing solutions
• The idea of derived mobile credentials
• Turkish e-ID card, dissemination, features
• Proposed solution
• Lifecycle, issuance
• Trust propagation
• Additional requirements
• Benefits
The need for Mobile-ID
• e-ID card rollouts are increasing, yet usage is restricted because there is no real killer app
• The mobile era could leverage usage of the e-ID card
• Growing need to access e-Gov services securely through mobile environments
• Bad news: the card reader requirement poses a challenge for mobile environments
• So, usable, secure and trusted mobile identity authentication is still a challenge
Existing solutions for mobile ID
• Mobile ID / Mobile Signature solutions: Austria, Estonia, Turkey
• Mobile device for out-of-band authentication via OTP
• SIM modules as ID/signature token; needs dedicated lifecycle management
The idea – Derived mobile credentials
• A derived credential does not use the primary card with the device; it is an alternative token to the primary ID card
• Derived ID credential: a credential that is issued based on proof of possession and control of a previously issued credential, without duplication of the identity proofing process
• Aim: to provide ID-card enabled authentication services from the mobile device to remote IT systems in a secure, reliable and interoperable way
History of ID Documents
• 1904: Devlet-i Aliye-i Osmaniye Tezkiresi (collection of biographies of the Ottoman Empire)
• 1926: ID paper (notebook format)
• 1976: ID paper (card format)
• 2016: e-ID card
E-ID Card Dissemination Road Map
• First card was issued in Kırıkkale in March 2016
• 9 cities followed Kırıkkale in November 2016
• E-ID cards have been issued everywhere in Turkey since January 2017
• All citizens will be given an e-ID card within three years
Features of e-ID Card
• Small, portable, durable, environmentalist
• Secure
• Role based access mechanism
• Multi-biometrics (fingerprint, finger vein, palm vein)
• Travel document (ICAO 9303 passport application)
• Electronic signature can be loaded
• Compliant with international standards (ISO 7816, ISO 14443, ICAO 9303)
Usage areas of e-ID Card
(Diagram of establishments and the services reachable with the card; the labels recoverable from the slide are listed below.)
• Health: analysis delivery, report delivery, examination report delivery
• School: application for registration record, selecting lesson, renewing the record, student certificate, application for identity/free pass, thesis/homework delivery, graduation document/transcript
• Bank: opening/closing account
• Land Registry: examination of the register of deeds
• Electric, water, natural gas etc. delivery companies: subscription opening/close/transfer
• Further establishments shown: Law court, Municipality, Public Notary, Armlet unit, any establishment
• Further services shown: court article demand, official petition, the document following, official notification, license, passport, service contract, document demand
Identity Verification Scenario
• Identity verification request
• Biometric verification
• Verification of e-ID card
• PIN verification
Initial Issuance (remote)
Actors: OCSP Server, CA, Identity Verification Server, RA (e-gov)
1 - Issuance triggered
7 - MPA initialized, key pair is generated; credential holder is requested to enter the protection PIN; certificate request along with OTP is sent to RA
9 - Signs and forwards certificate request
10 - Generates the derived certificate
Provides substantial level of assurance
Initial Issuance (in-person)
Actors: OCSP Server, CA, Identity Verification Server, RA (e-gov)
1 - Issuance triggered
7 - MPA initialized, key pair is generated; credential holder is requested to enter the protection PIN; certificate request along with OTP is sent to RA
9 - Signs and forwards certificate request
10 - Generates the derived certificate
Provides high level of assurance
Maintenance
Termination / Revocation
• If the mobile phone containing the derived credential is stolen, lost or damaged
• If the mobile phone is transferred to another individual
• If the e-ID card containing the primary credential is terminated for any reason (expired, changed, lost)
Re-key
• If the certificate is expired or compromised, then initial issuance shall be followed
• If a certificate of a higher level of assurance is requested, then initial issuance shall be followed
Trust Propagation
(Diagram: OCSP Server, CA, Identity Verification Server, RA (e-gov), with Trust Domain A, Trust Domain B, Trust Domain C and Trust Domain D.)
Additional Security Requirements
• The cryptographic algorithm and key size requirements for the derived credential certificate and private key are the same as the requirements for the primary e-ID card
• For high level of assurance, the key pair must be generated on a hardware cryptographic module compliant with FIPS Level 2 or 3 (e.g. not exporting the private key); for substantial level of assurance, FIPS Level 1 requirements must be satisfied
• Use of the derived credential shall be protected by a PIN and shall be blocked after a number of consecutive failed attempts
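As an added example (not code from the slides or from the Turkish e-ID project), the following Python model ties the lifecycle rules of the two Initial Issuance slides, the Maintenance slide and the requirements above into one runnable piece: the issuance channel decides the level of assurance (in-person gives high, remote gives substantial), use of the credential is PIN-protected with a salted slow hash and a lockout after consecutive failures, the termination events are the ones listed under Maintenance, and the re-key rule sends an expired, blocked or terminated credential, or a request for a higher level of assurance, back to initial issuance. The retry limit, validity period, PBKDF2 cost, event names and reference time are constructed for the example; key generation on the hardware module and the certificate request itself are not modelled.

```python
# Added example: model of a derived mobile credential's lifecycle.
# Policy values below are constructed; the slides only say "a number of
# consecutive failed attempts" and "limited validity period".
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class LoA(Enum):
    SUBSTANTIAL = "substantial"   # remote issuance
    HIGH = "high"                 # in-person issuance


class State(Enum):
    ACTIVE = "active"
    BLOCKED = "blocked"           # too many wrong PINs
    TERMINATED = "terminated"     # revoked for a listed event


MAX_FAILED_ATTEMPTS = 3                                   # constructed
VALIDITY = timedelta(days=365)                            # constructed
PBKDF2_ROUNDS = 50_000                                    # constructed
EXAMPLE_NOW = datetime(2017, 1, 1, tzinfo=timezone.utc)   # constructed
# Termination events from the Maintenance slide
TERMINATION_EVENTS = frozenset({
    "phone_stolen", "phone_lost", "phone_damaged",
    "phone_transferred", "primary_card_terminated",
})


def _pin_digest(pin: str, salt: bytes) -> bytes:
    """Salted, slow hash: a copied credential store must not reveal the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class DerivedCredential:
    holder: str
    loa: LoA
    not_after: datetime
    pin_salt: bytes
    pin_digest: bytes
    state: State = State.ACTIVE
    failed_attempts: int = 0
    termination_reason: Optional[str] = None


def issue(holder: str, pin: str, in_person: bool, now: datetime) -> DerivedCredential:
    """Initial issuance; the channel fixes the level of assurance."""
    salt = os.urandom(16)
    return DerivedCredential(holder, LoA.HIGH if in_person else LoA.SUBSTANTIAL,
                             now + VALIDITY, salt, _pin_digest(pin, salt))


def use(cred: DerivedCredential, pin: str, now: datetime) -> bool:
    """True only if active, unexpired and the PIN matches; wrong PINs count
    towards the lockout, a correct PIN resets the counter."""
    if cred.state is not State.ACTIVE or now > cred.not_after:
        return False
    if hmac.compare_digest(_pin_digest(pin, cred.pin_salt), cred.pin_digest):
        cred.failed_attempts = 0
        return True
    cred.failed_attempts += 1
    if cred.failed_attempts >= MAX_FAILED_ATTEMPTS:
        cred.state = State.BLOCKED
    return False


def terminate(cred: DerivedCredential, event: str) -> None:
    """Revoke the derived credential for one of the listed events."""
    if event not in TERMINATION_EVENTS:
        raise ValueError(f"not a termination event: {event}")
    cred.state = State.TERMINATED
    cred.termination_reason = event


def requires_initial_issuance(cred: DerivedCredential, now: datetime,
                              requested_loa: Optional[LoA] = None) -> bool:
    """Re-key rule: expired, blocked/terminated (treated as compromised) or a
    request for a higher LoA cannot be renewed in place."""
    if now > cred.not_after or cred.state is not State.ACTIVE:
        return True
    return requested_loa is LoA.HIGH and cred.loa is LoA.SUBSTANTIAL


if __name__ == "__main__":
    cred = issue("holder-1", "1234", in_person=False, now=EXAMPLE_NOW)
    print(cred.loa, use(cred, "1234", EXAMPLE_NOW))        # LoA.SUBSTANTIAL True
    for _ in range(MAX_FAILED_ATTEMPTS):
        use(cred, "0000", EXAMPLE_NOW)
    print(cred.state, requires_initial_issuance(cred, EXAMPLE_NOW))  # State.BLOCKED True
```

The lockout counter is kept on the credential record itself, so a blocked credential stays blocked across restarts of the app; the only way back is a fresh initial issuance, which is exactly what the Maintenance slide prescribes for a compromised certificate.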
Benefits
• Main advantage: leverage the identity proofing and vetting results of a current valid credential, eventually saving costs
• Simplified lifecycle management processes
• Minimized security breach damage due to limited validity period and permissions
• Possibly multiple derived credentials from a single primary credential