LIPP Austrian mobile ID - ETSI


Page 1:

Secure Information Technology Center – Austria

[email protected], [email protected] (a-sit.at)

ETSI Security Week; Sophia-Antipolis, June 25th, 2015

The Austrian mobile ID

Page 2:

Austrian Citizen Card - an Overview

• Launched 2003, mass-rollouts from 2005
• Defines functions, not the technology
  – Identification, sector-specific to enhance privacy
  – Qualified signatures, for written form
  – Electronic mandates, representation
• Technology-neutral approach allowed for different implementations
  – Smartcards and mobile ID from 2005

ETSI Security Week; Sophia Antipolis, June 25th 2015, Slide 2

Page 3:

The technologies

Smartcard
• Bank cards – from 2005; ceased
• Health insurance card – since 2005
• Profession cards, service cards, … – e.g. notaries, lawyers, ministries, …

Mobile
• A1 signature service by a MNO – from 2005; ceased in 2008; limited success
• Mobile phone signature – launched end 2009 through the LSP STORK; contracted by government to a private sector CSP. Success? Well, let’s see ...

Page 4:

Card ID vs mobile ID in Austria


Chart figures:
• Mobile ID: ~1 k new users/workday
• Health card: ~1.3 k eID activations/month

Page 5:

The Basics

• Follows a server-based approach
  – Crypto-keys kept at a central server (HSM)
  – 2-factor authentication (knowledge and possession)
• Secure Signature-Creation Device (SSCD)
  – Confirmed by notified body under 1999/93/EC
• Service operated by a certification service provider (CSP) for qualified certificates
  – Could be operated by any provider (MNO, etc.)


Page 6:

The Architecture


Architecture diagram (components and their roles):

User Domain
• User
• Mobile Phone

Mobile Phone Signature Domain
• Web Frontend – web-based user interface
• SMS Gateway – SMS-based user interface
• Database – storage of private signature keys; signature keys are stored encrypted under
  • phone number
  • password
  • HSM key
• HSM
  – key generation during activation
  – decryption of signature keys
  – signature creation

Page 7:

The Operation


Operation diagram (message flow between the User Domain and the Mobile Phone Signature Domain):
• User → Web Frontend: phone number, password
• Database → HSM: encrypted signature key
• HSM → SMS Gateway → Mobile Phone: TAN (SMS)
• User → Web Frontend → HSM: TAN

Components: User, Mobile Phone (User Domain); Web Frontend, SMS Gateway, HSM, Database (Mobile Phone Signature Domain)
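As an added illustration (not code from the presentation or from the service the slides describe), a Go model of the activation and operation steps on the two slides above: the signature key is generated and used only inside the "HSM", stored wrapped under the three factors the slides name (phone number, password, HSM key), and released for one signature only when the SMS TAN matches. The HMAC-SHA256 derivation, AES-GCM wrapping, P-256 ECDSA and all sample values are assumptions of this example; the slides do not state the real service's algorithms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)
// hsmKey stands in for the key that never leaves the HSM (constructed: random per process).
var hsmKey = func() []byte { k := make([]byte, 32); rand.Read(k); return k }()
// kek builds the wrapping AEAD from the three factors on the slide (phone number, password, HSM key).
// Simplification: HMAC-SHA256 in place of a slow password KDF; without hsmKey the DB copy is useless.
func kek(phone, password string) cipher.AEAD {
	m := hmac.New(sha256.New, hsmKey)
	m.Write([]byte(phone + "\x00" + password))
	b, _ := aes.NewCipher(m.Sum(nil))
	g, _ := cipher.NewGCM(b)
	return g
}
// Activate generates the signature key in the "HSM"; the database receives only the wrapped key,
// bound to the phone number through the AEAD's additional data.
func Activate(phone, password string) ([]byte, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalECPrivateKey(priv)
	g := kek(phone, password)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return append(nonce, g.Seal(nil, nonce, der, []byte(phone))...), &priv.PublicKey
}
// Sign models one operation: the SMS TAN proves possession, the password (knowledge) unwraps
// the key, and the signature is created inside the "HSM"; the key never reaches the frontend.
func Sign(wrapped []byte, phone, password string, doc []byte, sentTAN, enteredTAN string) ([]byte, error) {
	if !hmac.Equal([]byte(sentTAN), []byte(enteredTAN)) {
		return nil, fmt.Errorf("TAN mismatch")
	}
	g := kek(phone, password)
	n := g.NonceSize()
	der, err := g.Open(nil, wrapped[:n], wrapped[n:], []byte(phone))
	if err != nil {
		return nil, fmt.Errorf("wrong password or tampered record")
	}
	priv, _ := x509.ParseECPrivateKey(der)
	h := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
```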

Page 8:

Demo – Business Service Portal


Page 9:

Demo – Select Card or Mobile ID


Page 10:

Demo – Mobile ID dialogue


Page 11:

Demo – Proof of possession


Page 12:

Demo – Representation information


Page 13:

Demo – Done


Page 14:

Initial design considerations

• Easy to use, no additional effort for citizens
  – E.g., no change of SIMs
• Independent from mobile device and MNO
  – Server-based credentials, Web-based approach
• Government has interest in broad take-up
  – Free of charge for citizens
    • as it is the case for health card eID
  – No costs for public or private relying parties
    • qualified certificates and SMS costs paid by government

Page 15:

Deployment (through STORK LSP)


Timeline milestones (dates not preserved in the transcript):
• AT initial planning
• Signed contract with A-Trust
• Launch of pilot
• Start of productive operation
• Certification by notified Austrian body A-SIT

Page 16:

Actual usage …

• About 10-15 k uses/day on a typical working day
• ~4-6 k uses/day on weekends


Page 17:

Core promotional milestones


Integration into Tax Online and press release

Promotion campaigns, e.g. letters by social insurance to all citizens

Page 18:

Lessons learned

• Smartcard eID
  – Satisfactory business users take-up
  – But somehow limited take-up by citizens
• Mobile eID a clear preference by citizens
  – In 2014 mobile ID activation about 15 times higher than health card activation
    • Under comparable conditions like free of charge
• Ease of use and easy activation essential


Page 19:

Challenges

• Server-based approach supported take-up
  – Easy activation, no citizen device requirement
• Advent of smartphones calls for …
  – reconsideration of two device policy
• So far “browser at PC/laptop” + “mobile for SMS”
  – investigating advanced device binding
    • Secure Elements; NFC tags


Page 20:

Secure Information Technology Center – Austria

Peter Lipp

ETSI Security Week, Sophia Antipolis, June 25th, 2015

Thank You for Your Patience and Attention!