LIPP Austrian mobile ID - ETSI · • as it is the case for health card eID – No costs for public...
Secure Information Technology Center – Austria
[email protected]@a-sit.at
ETSI Security Week; Sophia-Antipolis, June 25th, 2015
The Austrian mobile ID
Austrian Citizen Card - an Overview
• Launched 2003, mass-rollouts from 2005
• Defines functions, not the technology
  – Identification, sector-specific to enhance privacy
  – Qualified signatures, for written form
  – Electronic mandates, representation
• Technology-neutral approach allowed for different implementations
  – Smartcards and mobile ID from 2005
The technologies
Smartcard
• Bank cards: from 2005; ceased
• Health insurance card: since 2005
• Profession cards, service cards, … (e.g. notaries, lawyers, ministries, …)
Mobile
• A1 signature: service by a MNO, from 2005; ceased in 2008; limited success
• Mobile phone signature
  – Launched end 2009 through the LSP STORK
  – Contracted by government to a private sector CSP
  – Success? Well, let’s see ...
Card ID vs mobile ID in Austria
• Mobile ID: ~1 k new users/workday
• Health card: ~1,3 k eID activations/month
The Basics
• Follows a server-based approach
  – Crypto-keys kept at a central server (HSM)
  – 2-factor authentication (knowledge and possession)
• Secure Signature-Creation Device (SSCD)
  – Confirmed by notified body under 1999/93/EC
• Service operated by a certification service provider (CSP) for qualified certificates
  – Could be operated by any provider (MNO, etc.)
The Architecture
User Domain
• User
• Mobile Phone

Mobile Phone Signature Domain
• Web Frontend: Web-based user interface
• SMS Gateway: SMS-based user interface
• Database: Storage of private signature keys. Signature keys are stored encrypted under
  – Phone number
  – Password
  – HSM key
• HSM
  – Key generation during activation
  – Decryption of signature keys
  – Signature Creation
The Operation
User Domain: User, Mobile Phone
Mobile Phone Signature Domain: Web Frontend, SMS Gateway, HSM, Database
Diagram labels on the exchanged data:
• Phone number, Password
• Encrypted signature key
• TAN (SMS)
• TAN
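
The storage and operation slides above, sketched as an added example that is not part of the original presentation or the service's own code. Assumptions: the way phone number, password and HSM key are combined (PBKDF2, then HMAC with the HSM secret), the HMAC-SHA256 keystream standing in for the HSM's cipher, HMAC standing in for the qualified signature, and all function names, which are hypothetical.

```python
import hashlib, hmac, secrets

HSM_KEY = secrets.token_bytes(32)  # assumption: stands in for the secret held only inside the HSM

def _keys(phone, password, salt):
    # Assumption: password and phone number go through a KDF and are then keyed with
    # the HSM secret, so a copied database record is useless without the HSM.
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), salt + phone.encode(), 100_000)
    kek = hmac.new(HSM_KEY, pw, hashlib.sha256).digest()
    return (hmac.new(kek, b"enc", hashlib.sha256).digest(),
            hmac.new(kek, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream (stand-in for the HSM's real cipher)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(phone, password, signing_key):
    """Activation: build the database record for a freshly generated signing key."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc, mac = _keys(phone, password, salt)
    ct = _xor_stream(enc, nonce, signing_key)
    return salt + nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unwrap(phone, password, record):
    """Return the signing key, or None if phone number or password is wrong."""
    salt, nonce, ct, tag = record[:16], record[16:32], record[32:-32], record[-32:]
    enc, mac = _keys(phone, password, salt)
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor_stream(enc, nonce, ct)

def sign(phone, password, record, tan_sent, tan_entered, document):
    """Sign only if both factors hold: knowledge (password) and possession (SMS TAN)."""
    key = unwrap(phone, password, record)
    if key is None or not hmac.compare_digest(tan_sent.encode(), tan_entered.encode()):
        return None
    # HMAC stands in for the qualified signature the HSM would create
    return hmac.new(key, document, hashlib.sha256).hexdigest()
```
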
Demo – Business Service Portal
Demo – Select Card or Mobile ID
Demo – Mobile ID dialogue
Demo – Proof of possession
Demo – Representation information
Demo – Done
Initial design considerations
• Easy to use, no additional effort for citizens
  – E.g., no change of SIMs
• Independent from mobile device and MNO
  – Server-based credentials, Web-based approach
• Government has interest in broad take-up
  – Free of charge for citizens
    • as it is the case for health card eID
  – No costs for public or private relying parties
    • qualified certificates and SMS costs paid by government
Deployment (through STORK LSP)
AT initial planning
Signed contract with A-Trust
Launch of pilot
Start of productive operation
Certification by notified Austrian body A-SIT
Actual usage …
• About 10-15 k/day uses on a typical working day
• ~4-6 k/day uses on weekends
Core promotional milestones
Integration into Tax Online and press release
Promotion campaigns, e.g. letters by social insurance to all citizens
Lessons learned
• Smartcard eID
  – Satisfactory business users take-up
  – But somehow limited take-up by citizens
• Mobile eID a clear preference by citizens
  – In 2014 mobile ID activation about 15 times higher than health card activation
    • Under comparable conditions like free of charge
• Ease of use and easy activation essential
Challenges
• Server-based approach supported take-up
  – Easy activation, no citizen device requirement
• Advent of smartphones calls for …
  – reconsideration of two device policy
    • So far “browser at PC/laptop” + “mobile for SMS”
  – investigating advanced device binding
    • Secure Elements; NFC tags
Secure Information Technology Center – Austria
Peter Lipp
ETSI Security Week, Sophia Antipolis, June 25th, 2015
Thank You for Your Patience and Attention!