EID in EMEA & QuEST Ronny Bjones Security Program Manager Microsoft EMEA.


Transcript of EID in EMEA & QuEST Ronny Bjones Security Program Manager Microsoft EMEA.

Page 1:

eID in EMEA & QuEST
Ronny Bjones, Security Program Manager, Microsoft EMEA

Page 2:

Agenda

- What is happening in Europe
- Our technology support
- QuEST
- Conclusions

Page 3:

What is driving national smart card projects in Europe? eGovernment - eID

- Identification of citizens on the portals & counters
- Austria: 60k cards issued to students; scholarships, tuition fees
- Italy: 1.5M cards produced, 600k distributed, another 2M in production; registration & tax services, e-signing of documents, etc.
- Estonia: 500K cards distributed (50% penetration); tax services, e-ticketing, etc.

Page 4:

What is driving national smart card projects in Europe? Social security

- Use of smart cards to protect privacy-sensitive data
- Belgium: SIS card issued to all citizens; doctors, pharmacies
- Norway: National office for social assurance; all doctors, hospitals; PKI-based card, set of projects to simplify social security reporting

Page 5:

Norway

[Architecture diagram, slide courtesy of ERGO: public health cards and professional health cards containing certificates; Internet services (TTP, payment, time stamp); municipality infrastructure for health care in institutions and private homes (DC with AD and DHCP, IAS/RADIUS, offline root CA, enterprise CA, Citrix ticket server, Citrix farm with application & database, secure gateway); national databases & services (population database with personal ID number, national health security, national database on use of drugs); regional health care institutions (EPJ, PACS, offline root CA, enterprise CA, IAS, DC, encrypted "My health folder", rights management server, HR).]

Page 6:

Impact of the EC Directives

- EC Directive on Electronic Signatures (1999): legal framework for electronic signatures; adopted in all EU member states (25) + EEA (3) + Candidates (2) + MEA (2+)
- EC Directive on e-Invoicing (2001): acceptance of electronic invoices; security based on AES (advanced electronic signatures) or Secure EDI; important for the development of the supporting national PKI infrastructures
- EC Directive on e-Procurement (in development)

Page 7:

More numbers

| Country | Qualified Certificates | Other Certificates | eID |
|---------|------------------------|--------------------|-----|
| Spain   | 2.000.000              | 1.500.000          | Yes |
| Italy   | 1.000.000              | 250.000            | Yes |
| Estonia | 200.000                |                    | Yes |
| Norway  | 60.000                 |                    | Yes |
| Austria | 10.000                 |                    | Yes |

Source: EC DG Information Society 2003

Page 8:

Typical Scenarios

Secure eGovernment, eBanking and eBusiness require security services:

- Authentication
- Data confidentiality
- Data integrity
- Non-repudiation

How are these services facilitated by eID?

Page 9:

Authentication

- Verify the identity of citizens by means of eID
- The TCO (total cost of ownership) of identity management is high: organisations can rely on the work done by the governments and enrol users over the Internet

Page 10:

Confidentiality

- Basic algorithms to encrypt information are foreseen in most eID projects
- The Belgian eID does not foresee a certificate for encryption

Page 11:

Integrity & Non-repudiation

- How can we be sure that the data was not altered?
- How can we have proof in a court of law that a certain individual did this transaction?
- Typically done by electronic signatures, which are supported by most eID projects
- Signing of forms, electronic documents

Page 12:

Agenda

- What is happening in Europe
- Our technology support
- QuEST
- Conclusions

Page 13:

Microsoft Smart Card Support

- Windows logon
  - Standard support for smart cards
  - GINA custom models
  - Full integration with AD
  - Terminal Server (W2K3)
- Applications can interface smart cards through
  - CryptoAPI/CAPICOM
  - .Net Framework

Page 14:

Microsoft Smart Card Support

For vendors:
- PC/SC
- Plug into CryptoAPI (custom CSP)
- New smart card base CSP

Page 15:

Smart card enabled technologies

- SSL – Internet Explorer
- Secure email (S/MIME) – Outlook (Express)
- VPN – W2K, XP, W2K3
- Secure forms – InfoPath
- Document signing (Word, Excel, PowerPoint)
- Windows Rights Management – W2K3
- Any third-party CryptoAPI-enabled application

Page 16:

Agenda

- What is happening in Europe
- Our technology support
- QuEST
- Conclusions

Page 17:

QuEST

Qualified Electronic Signatures Tutorial

- Demystify Qualified Electronic Signatures
- Best practice/guidance for designing a Qualified Electronic Signature solution

Page 18:

Why did we develop QuEST?

- Demystify the subject
  - General perception: very complex subject
  - Multidisciplinary: legal, technology, policy
- A lot of customers will get QES as a requirement in the years to come
- How to build a QES solution?

Page 19:

Approach

- Provide guidance for customers: project managers & architects
- Design a knowledge base – blueprints
  - Legal, technology, policy
  - Knowledge base for different audiences
- Project Team Guide
  - Which questions should be answered by a project team to design a QES solution
  - Design process
- Scenario – Contoso Lottery
  - Based on Norwegian Lottery
  - Shows how a QES solution can be implemented on our platform

Page 20:

QuEST Background

- EC Directive on Electronic Signatures (1999) mandates member states to change their laws
- Electronic signatures can be equivalent to handwritten signatures if they are performed under certain conditions
- European Electronic Signature Standardization Initiative (EESSI)
  - ETSI – CEN standards
  - Other standards

Page 21:

EESSI Standards Overview

[Diagram mapping the Directive's annexes to standards, with the Certification Service Provider, the user/signer and the relying party/verifier as actors and CEN E-SIGN and ETSI ESI as the standards bodies:]

- Signature creation process and environment (Annex III): CWA 14170
- Signature validation process & environment (Annex IV): CWA 14171
- Signature format & syntax (Advanced ES): ETSI TS 101 733, ETSI TS 101 903 (XAdES)
- Creation device (Annex III): CWA 14169
- Requirements for CSPs (Annex II): ETSI TS 101 456
- Trustworthy system (Annex II.f): CWA 14167-1, CWA 14167-2
- Qualified certificate (Annex I): ETSI TS 101 862
- Time stamp: ETSI TS 101 861

Page 22:

Electronic Signatures

[Diagram of the three tiers defined by the EC Directive on Electronic Signatures:]

- Electronic Signatures: all kinds of substitutes for penned signatures
- Advanced Electronic Signatures: security technology based on PKI
- Qualified Electronic Signatures: an Advanced Electronic Signature created with a Qualified Certificate and a Secure Signature Creation Device

Page 23:

Building a QES Solution

- Mandatory requirements
  - Relate to the Directive on Electronic Signatures
  - Compliance
- Additional requirements
  - Risk management
  - Added-value elements before court

Page 24:

Mandatory Requirements

- Impact of the Directive: an independent arbiter (judge/notary) should follow harmonised criteria to decide whether a signature was valid at a certain moment in time
- Legal requirements
  - Advanced Electronic Signature (AdES)
  - Qualified Certificate (QC)
  - Secure Signature Creation Device (SSCD)

EC Directive on Electronic Signatures

Page 25:

Additional Requirements

- Validation by an independent arbiter
  - How can we facilitate that an independent arbiter can still validate a signature after a period of n years?
  - Electronic signature format
- How can we reduce the risk that somebody can easily repudiate the signature?
- Risk management: standards and technology introduced to increase the overall security of a QES solution

Page 26:

XAdES

- XML Advanced Electronic Signatures: ETSI standard for XML signatures
  - TS 101 903
  - Based on W3C XML Signatures
  - W3C adopted XAdES
- Includes signature qualifying properties
  - TS 101 733
  - Formats for advanced electronic signatures valid over a long period of time
- Aimed at convincing an independent arbiter of the validity of a signature
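The long-term validation problem behind the last two slides (an independent arbiter deciding, n years later, whether a signature was valid at the moment it was created, using the timestamp and revocation data a XAdES signature carries) as an added example. This is constructed illustration code, not part of the original deck or of QuEST; it models only the decision rule, not XAdES parsing or cryptographic verification, and the certificate, dates and field names are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed model of the arbiter's decision: was the signature valid at the
# moment it was created (as proven by a timestamp token), regardless of whether
# the signer's certificate is still valid today? XAdES-T adds that timestamp and
# XAdES-X-L the certificate and CRL/OCSP values; here those facts are plain fields.

@dataclass
class Certificate:
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # from CRL/OCSP data stored with the signature

@dataclass
class TimestampedSignature:
    signer: Certificate
    signing_time: datetime  # time asserted by a TSA token over the signature value

def valid_at(cert: Certificate, when: datetime) -> Tuple[bool, str]:
    """Validity window and revocation status of the certificate as of `when`."""
    if when < cert.not_before:
        return False, "certificate not yet valid at that time"
    if when > cert.not_after:
        return False, "certificate already expired at that time"
    if cert.revoked_at is not None and cert.revoked_at <= when:
        return False, "certificate already revoked at that time"
    return True, "certificate valid and unrevoked at that time"

def arbiter_verdict(sig: TimestampedSignature, now: datetime,
                    trusted_timestamp: bool) -> Tuple[bool, str]:
    """With a trusted timestamp the arbiter judges at signing time; without one
    only `now` is known, so a since-expired or revoked certificate cannot be relied on."""
    return valid_at(sig.signer, sig.signing_time if trusted_timestamp else now)

def demo() -> dict:
    """Constructed case: cert issued 2003, signature 2004, cert revoked 2005, ruling 2010."""
    utc = timezone.utc
    cert = Certificate("CN=Constructed Signer",
                       datetime(2003, 1, 1, tzinfo=utc), datetime(2006, 1, 1, tzinfo=utc),
                       revoked_at=datetime(2005, 6, 1, tzinfo=utc))
    sig = TimestampedSignature(cert, datetime(2004, 3, 15, tzinfo=utc))
    ruling_day = datetime(2010, 1, 1, tzinfo=utc)  # n = 6 years after signing
    return {
        "with_timestamp": arbiter_verdict(sig, ruling_day, trusted_timestamp=True)[0],
        "without_timestamp": arbiter_verdict(sig, ruling_day, trusted_timestamp=False)[0],
    }
```

The same signature is accepted when the timestamp fixes the moment of signing and rejected when only the ruling date is known, which is why the XAdES forms store that evidence inside the signature.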

Page 27:

Conclusion

- eID is happening all over Europe and will more and more become a requirement in projects
- We have a lot of technology available that allows you to use eID or to develop eID-based applications
- Download our QuEST guide and get guidance on how to enable signature scenarios in your apps based on eID

Page 28:

Resources

- Register for QuEST: [email protected], subject: Register QuEST
- EC report: http://europa.eu.int/information_society/eeurope/2005/all_about/security/electronic_sig_report.pdf
- Microsoft developers info: http://msdn.microsoft.com/security/
- Microsoft Smart Card Base CSP: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/microsoft_smart_card_base_cryptographic_provider.asp

Page 29:

© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.