Electronic Identification
Bozhidar Bozhanov
Vanity slide
• A developer
• http://blog.bozho.net
• http://techblog.bozho.net
• http://twitter.com/bozhobg
• E-government adviser to the deputy prime
minister of Bulgaria
Main terms
• PKI (Public Key Infrastructure)
• smartcard
• HSM (Hardware Security Module)
• Primary register (primary data
administrator)
• IdP (Identity Provider)
• SP (Service Provider)
E-identification
• Identification, identity
• e-identification vs digital signature
• online and offline identification
• administrative services
• e-banking (online, ATM)
• travel
Problem
• fragmentation
• PIN, PIC, passwords
• every institution has its own method
• low security level
• plaintext (PIN/PIC)
• password storage problems
A solution
National e-identification scheme
Legal framework
But anyway…
• Regulation 910/2014 of EP
• Law for e-identification
• (now in Bulgarian parliament)
• mandatory, non-exclusive e-identification scheme
• ordinance for applying the law
• will include technical details
The law
• identifying natural persons
• and legal persons through their legal representatives
• doesn’t define medium or storage
• defines participants
• center for e-identification (IdP)
• administrator of e-identity (Ministry of Interior, consulates, other)
The law - users’ perspective
• e-identifier (e-id) on
• separate card
• national id card (after 2017, opt-out; qualified digital
signature - opt-in)
• mandatorily accepted by all public
administration websites
• usable by the private sector
What can you do with it?
• inquiries and reports
• taxes due
• administrative acts
• insurance status
• requesting e-services
• travel
• e-banking?
• ...
The law - architecture
[Architecture diagram; labels recovered from the slide:]
• Administrators of e-identity: MI, Consul, Other
• Centers for e-identification: MTITC, Other
• e-id register
• register of administrators
• register of centers
• eid <-> national ID (considered personal data)
• PKI
Use-cases
• Use-case 1: identifying on a government
website
• Use-case 2: identifying and providing data
about the person in real time
• identification + authorization
• public sector - healthcare, tax authority
• private sector – banks, online shops
Use-cases
• Use-case 3: anonymous identification (with
the purpose of recurrent recognition)
• public transport, any website
• Use-case 4: access to citizens’ data in
background mode
• not related to e-id
• currently this is done by nightly database replication
across administrations
Inquiries
• ...to the IdP
• is the person over 18?
• does he live in city X?
Existing solutions
• Austria
• Estonia
• Germany
• Idemix
• U-Prove
• …
Austria
• java applet
• mobile id (sms, HSM)
• ssPIN (sector identifier)
• generated on the client
ssPIN
Austria - problems
• usability
• Java - no-go
• security
• applet is vulnerable
• ssPIN replay
• sms authentication
• MITM, phishing
• hash in SMS
Estonia
• certificate
• full name
• national identifier
• TLS clientAuth
• http://open-eid.github.io/
• National identifier -> X-Road -> data
X-Road
Estonia - problems
• no Identity Provider?
• mobile-ID using a custom SIM
• privacy
Germany
• only contactless smartcard
• desktop application
• incl. manual pseudonym management
• activating the reader
Germany - problems
• expensive readers
• usability (activation)
• small penetration
• losing your card => losing all sector IDs
IBM, Microsoft
• Anonymous credentials
• Idemix
• attributes, domain pseudonym
• slow, no revocation, bad usability with cards
• U-Prove
• attributes
• no revocation, bad usability with cards
Anonymous credentials
• applicability for national e-id schemes?
• …all institutions require the national identifier anyway
• attributes should not be on the card
• usability
• manual pseudonym generation
• using specific software
• need for knowledge of basic concepts: attributes,
anonymity, etc.
STORK
• EU-wide e-identification
• SAML
• Federated identification
• PEPS (Pan-European Proxy) = IdP = Center for eid
• terrible client-side implementation of the
pilot project
STORK
Bulgarian eid: concept
• open source from day 1
• open standards
• TLS clientAuth
• oauth-like authorization
• sector identifier
• sha512(encrypt(identifier + sectorKey, privateKey))?
• lost card = loss of sector identifier
• generated by IdP (using its private key)?
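The sector-identifier idea on this slide, as an added Python sketch (not code from the talk or from the Bulgarian eID project): it derives per-sector identifiers with a keyed SHA-512 and compares the card-key and IdP-key variants when a card is reissued. HMAC stands in for the slide's encrypt(..., privateKey) step; the sector names, the key values and the assumption that the eid is kept across reissue are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import uuid


def sector_id(eid: str, sector_key: str, secret: bytes) -> str:
    """Per-sector pseudonym: keyed SHA-512 over eid + sectorKey.

    HMAC is a stand-in (assumption) for the slide's encrypt(..., privateKey);
    either way the service provider cannot recompute or invert the value.
    """
    # Length-prefix the eid so ("ab", "c") and ("a", "bc") hash differently.
    msg = len(eid).to_bytes(2, "big") + eid.encode() + sector_key.encode()
    return hmac.new(secret, msg, hashlib.sha512).hexdigest()


def compare_variants() -> dict:
    eid = str(uuid.UUID(int=0x1234))        # constructed eid (UUID on the card)
    idp_key = secrets.token_bytes(32)       # secret held only by the IdP
    old_card_key = secrets.token_bytes(32)  # key on the original card
    new_card_key = secrets.token_bytes(32)  # key on the replacement card

    health = sector_id(eid, "health", idp_key)
    tax = sector_id(eid, "tax", idp_key)
    return {
        # Two sectors cannot join their records on the identifier.
        "linkable_across_sectors": health == tax,
        # Card-key variant: reissuing the card changes the identifier,
        # so the service provider no longer recognises the citizen.
        "card_variant_survives_reissue":
            sector_id(eid, "health", old_card_key)
            == sector_id(eid, "health", new_card_key),
        # IdP-key variant: the card key is not an input, so a reissued
        # card (same eid assumed) maps to the same sector identifier.
        "idp_variant_stable_after_reissue":
            health == sector_id(eid, "health", idp_key),
    }


if __name__ == "__main__":
    for name, value in compare_variants().items():
        print(f"{name}: {value}")
```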
On the card
• only eid (UUID?)
• all other data – taken from primary registers
• blood type
• key-pair
• dual interface chip?
Use-case 1, 2
[Sequence diagram. Participants: Citizen, IdP, SP, e-id register, Primary registers. Message labels: opens; redirect (sp_id); requires clientAuth; identifies; redirect (token); verifies; national ID; verifies; data (2)]
Use-case 3
• only citizen and Service Provider
• Direct clientAuth
• Only eid, no other data is transferred
• We must think through the flow that bypasses the IdP
Usability
• no java applets or ActiveX
• if possible, no additional software
• one-time installation if needed
• browser add-ons / pkcs11 module / root certificate
• no special UI
• usability problems -> operational IdP
problems
• Smartphones – with NFC?
…the government wants to track me!
No
...but we don’t trust the government, therefore
we take measures.
Privacy
• the government already has everything
• properties, companies, cars, addresses, relatives,
heirs, etc. It can also track us by our mobile phone
• i.e. “privacy” concerns:
• access to our data by the private sector
• data access allowed by law vs allowed by citizen
• tracking actions by the government (public transport
usage, ATM withdrawals, etc.)
Privacy - how
• sector identifier
• usability vs security, manual management
• attack: 1. request sectorId; 2. request eid; 3. link
• atomic inquiries to the IdP
• in the future: encrypting our data in the primary
registries?
• citizen control over their data and history of
access to it
Big Brother is not the telescreen – the
telescreen can be broken or stopped. Big
Brother is that which prevents us from stopping
the telescreen.
Abuse?
• measures depending on the use-case
• smartcard (nobody can impersonate you)
• 2-factor authentication
• sms
• mobile app
• biometrics?
Abuse? (2)
• hardware keypad card readers
• ...or biometric sensors
• NFC security (ICAO)
• cancellation period
• note: eid vs qualified signature
• revoking a lost certificate
Feedback
• experts’ participation
• we need feedback
• stay tuned and follow the implementation
(GitHub)
Comments are welcome:
b.bozhanov@government.bg
Thank you!
