EIC 2010: National ID Card – Privacy by Design

Speaker: Andreas Reisen, Innenministerium Deutschland (Federal Ministry of the Interior, Germany)

He is one of the driving forces behind the NPA (Neuer Personalausweis).


He showed newspaper articles debating the new national ID, but they were from 1983. The then-new ID card was already much debated at the time because it was machine readable. In the end they were successful and introduced it together with the UK.

What they learned: you cannot introduce something like this without a discussion about it beforehand.

Privacy by Design:

Privacy as the default, Proactive not reactive, privacy embedded into design.

German ID card fulfils all of these requirements.

Characteristics which are not typical for an ID card:

1. Card Access Number (CAN). This introduces a new security mechanism. You can get access via the CAN, but only in a government context.

2. The CAN is also used to protect citizens from DoS attacks, because the card is contactless (RFID). If the wrong PIN is sent three times via RFID, the card is blocked. To prevent DoS, the third PIN attempt can only be made together with the CAN, and a remote attacker usually will not have this access number.

3. The logo on the back: third parties that have been authorized to read from the identity card can show that they are allowed to by displaying this logo on their company website.
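The retry-counter behaviour from item 2, as an added illustration (this is not code from the BSI or the Ministry; the class and method names, the status strings and the sample PIN/CAN values are invented for this example). The model follows what the talk describes: two wrong PINs leave one try, that last try is refused until the CAN has been presented, and a third wrong PIN blocks the card. The point to observe is that a remote party with only RF contact can never reach the blocking attempt:

```python
"""Toy model of the nPA PIN retry counter with a CAN-gated third attempt.

Added illustration for these notes; not code from the BSI or the Ministry.
Counter semantics follow the talk (three strikes, CAN required before the
third try); names and the PUK handling (not modelled) are assumptions.
"""
import hmac


class EidPinState:
    """Tracks the retry counter of a contactless card's eID PIN."""

    MAX_TRIES = 3

    def __init__(self, pin: str, can: str) -> None:
        self._pin = pin.encode()
        self._can = can.encode()          # only available to someone holding the card
        self.retry_counter = self.MAX_TRIES
        self.suspended = False            # after two misses: CAN needed before the third try
        self.blocked = False              # after the third miss: PUK needed (not modelled)

    def present_can(self, can: str) -> bool:
        """Prove physical access to the card. Lifts a suspension, never a block."""
        if self.blocked:
            return False
        if hmac.compare_digest(self._can, can.encode()):
            self.suspended = False
            return True
        return False

    def verify_pin(self, pin: str) -> str:
        """Return 'ok', 'wrong', 'suspended' or 'blocked'.

        The counter only moves on an attempt that is actually evaluated; a
        suspended card refuses the attempt outright, so an attacker with RF
        reach but no CAN cannot burn the last try and brick the card.
        """
        if self.blocked:
            return "blocked"
        if self.suspended:
            return "suspended"
        if hmac.compare_digest(self._pin, pin.encode()):
            self.retry_counter = self.MAX_TRIES
            return "ok"
        self.retry_counter -= 1
        if self.retry_counter == 0:
            self.blocked = True
            return "blocked"
        if self.retry_counter == 1:
            self.suspended = True
        return "wrong"


def remote_dos_attempt(card: EidPinState, guesses: int) -> dict:
    """Attacker with RF contact but no CAN hammers the PIN; returns the end state."""
    results = [card.verify_pin("000000") for _ in range(guesses)]
    return {"results": results, "retry_counter": card.retry_counter,
            "suspended": card.suspended, "blocked": card.blocked}


def owner_recovers(card: EidPinState, can: str, pin: str) -> str:
    """The holder reads the CAN off the card, lifts the suspension, enters the PIN."""
    if not card.present_can(can):
        return "can_rejected"
    return card.verify_pin(pin)


if __name__ == "__main__":
    card = EidPinState(pin="123456", can="654321")    # constructed sample values
    print(remote_dos_attempt(card, guesses=10))
    print(owner_recovers(card, can="654321", pin="123456"))
```

Running the file shows ten remote guesses ending with the counter still at 1 and the card merely suspended, after which the owner resumes with the CAN and the correct PIN resets the counter.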

Residence Permit Cards will soon have the same capabilities.

Key facts of the New German ID card

All visual identity card functions remain preserved

Proximity Card Interface (ISO 14443) for biometrics

Based on the electronic passport (ICAO compliant)

Optional qualified electronic signatures can be ordered from third parties


Where does privacy come into focus?

Services you want to give data to first need to identify themselves.

Then the citizen can choose which data should be shared with this service. Cryptography ensures that the data can only be read by the requesting service.

Crypto makes sure that data cannot be altered on the chip and that no eavesdropping is possible. Biometrics are never shared over the net, only in local interactions.

How does it work?

  1. The service provider needs an authorization certificate from the government. Part of that certificate is which data it is allowed to read.
  2. This will be shown to the citizen and the citizen can then further narrow the data down.
  3. It is confirmed by entering a PIN

What is different from other projects in the world?

It is based on PKI, but the identifier is not the public key but the data you transmit. That means the channel and communication are protected by PKI (DH), but the authentication itself is not done via that public key but via the data you exchange.

That means you get the name, DOB, address etc. via this secure channel; you know it is coming from ID card X, and the data is guaranteed by the government. They don't rely on PKI as the means of identification.

Keys are only used for 3 months per ID card. This is completely different from e.g. SSL. On the SP side you can be sure that the data is trustworthy, as it is issued by the federal government.

Data fields for Auth

Mandatory: blocking attributes, validity statement

The rest of the data is secured like described above.

The card can also generate a card-specific service identifier ("pseudonym"); no cross-checking between services is possible with it. (But only one pseudonym per service, as I heard.)
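The three steps under "How does it work?" and the per-service pseudonym above, as one added illustration (this is not code from the BSI, the Ministry or any eID server). Assumptions of the example, all simplifications: the government's signature on the authorization certificate is an HMAC under a key the card also holds (the real scheme uses card-verifiable certificates with public-key signatures), the pseudonym is an HMAC of the service's sector ID under a per-card secret (the real Restricted Identification derives it with Diffie-Hellman), PIN entry is treated as already done, and all attribute names, class names, sector IDs and sample data are invented. It also includes a yes/no age check of the kind the talk lists as "age verification", showing that the answer leaves the card while the birth date does not:

```python
"""Toy model of the eID data-release flow (steps 1 to 3, pseudonym, age check).

Added illustration; not code from the BSI, the Ministry or any eID server.
Assumptions: HMAC stands in for the certificate signature and for Restricted
Identification; names, sector IDs and sample data are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AuthorizationCertificate:
    holder: str            # service provider name shown to the citizen
    sector_id: str         # the pseudonym is bound to this, so SPs cannot cross-match
    allowed: frozenset     # attributes and functions the government lets this SP use
    valid_until: date
    signature: bytes = b""

    def to_be_signed(self) -> bytes:
        return f"{self.holder}|{self.sector_id}|{','.join(sorted(self.allowed))}|{self.valid_until}".encode()


def issue_certificate(gov_key, holder, sector_id, allowed, valid_until):
    """Government side: fix what the SP may read, then sign it."""
    unsigned = AuthorizationCertificate(holder, sector_id, frozenset(allowed), valid_until)
    sig = hmac.new(gov_key, unsigned.to_be_signed(), hashlib.sha256).digest()
    return AuthorizationCertificate(holder, sector_id, frozenset(allowed), valid_until, sig)


class EidCard:
    def __init__(self, gov_key, attributes, valid_until):
        self._gov_key = gov_key                     # stands in for the trust anchor on the chip
        self._attributes = dict(attributes)         # must contain "date_of_birth" as a date
        self._valid_until = valid_until
        self._ri_secret = secrets.token_bytes(32)   # card-specific secret, never leaves the chip

    def certificate_ok(self, cert, today):
        expected = hmac.new(self._gov_key, cert.to_be_signed(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, cert.signature) and today <= cert.valid_until

    def release(self, cert, requested, citizen_approved, today, age_limit=None):
        """Step 1: the SP proves its authorization. Step 2: the request is capped at
        the certificate, then narrowed by the citizen. Step 3 (PIN) is assumed done."""
        if not self.certificate_ok(cert, today):
            raise PermissionError("authorization certificate invalid or expired")
        over_reach = set(requested) - cert.allowed
        if over_reach:
            raise PermissionError(f"{cert.holder} is not authorized for {sorted(over_reach)}")
        released = {k: self._attributes[k] for k in requested if k in citizen_approved}
        out = {
            "validity": today <= self._valid_until,      # mandatory validity statement
            "attributes": released,
            "pseudonym": hmac.new(self._ri_secret, cert.sector_id.encode(), hashlib.sha256).hexdigest(),
        }
        if age_limit is not None:
            if "age_verification" not in cert.allowed:
                raise PermissionError(f"{cert.holder} is not authorized for age verification")
            dob = self._attributes["date_of_birth"]   # stays on the card; only the answer leaves
            age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
            out["age_over"] = age >= age_limit
        return out


def run_demo():
    """Constructed sample data (no real persons, services or keys)."""
    gov_key = b"demo-government-key"
    card = EidCard(gov_key, {"family_name": "Mustermann", "given_names": "Erika",
                             "date_of_birth": date(1990, 5, 1), "address": "Berlin"},
                   valid_until=date(2020, 1, 1))
    today = date(2010, 6, 1)
    shop = issue_certificate(gov_key, "Online shop", "sector-shop",
                             {"family_name", "address", "age_verification"}, date(2011, 1, 1))
    library = issue_certificate(gov_key, "Library", "sector-library", {"given_names"}, date(2011, 1, 1))
    # The shop asks for name and address; the citizen only ticks the name.
    shop_result = card.release(shop, ["family_name", "address"], {"family_name"}, today, age_limit=18)
    shop_again = card.release(shop, [], set(), today)          # same SP, same pseudonym
    library_result = card.release(library, ["given_names"], {"given_names"}, today)
    errors = {}
    forged = AuthorizationCertificate(shop.holder, shop.sector_id, shop.allowed | {"date_of_birth"},
                                      shop.valid_until, shop.signature)   # allowed set extended, old signature
    for label, cert, fields in (("over_reach", shop, ["date_of_birth"]), ("forged", forged, ["date_of_birth"])):
        try:
            card.release(cert, fields, set(fields), today)
            errors[label] = None
        except PermissionError as e:
            errors[label] = str(e)
    return {"shop": shop_result, "shop_again": shop_again, "library": library_result, "errors": errors}


if __name__ == "__main__":
    import pprint
    pprint.pprint(run_demo())
```

The two refusals at the end are the checks a card must make regardless of what the citizen ticks: a request outside the certificate is rejected even if the citizen would approve it, and a certificate whose permitted set was edited after signing fails verification before any data is considered.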


Benefits

The SP can verify the identity of the person

served by federally guaranteed data (!!)

The AuthN mechanism is useful for many apps in different fields

Even new services can be offered which were not possible before (e.g. contracts requiring signatures)

New functions such as "age verification" and "address verification"

Manageable integration effort

and more


How to offer Services with Support of the eID function?

Service Providers

  • have to apply for an authorization certificate at low cost
  • have to integrate an eID server at the local site or via a remote service offered …

IT Security Kit

Until the end of 2011, more than 1 million card readers (conforming to the eCard-API specification) shall be made available to German citizens to promote the use of eCards and their electronic functions.


(this transcript might not be correct but any corrections are welcome)
