Title: Estonian National ID Card
1 Estonian National ID Card
Jüri Voore, Agu Kivimägi
Estonian Citizenship and Migration Board
2 National chip-based Identity Card
- Issuing authority: Estonian Citizenship and Migration Board
- Service contractor: TRÜB Switzerland
- Start of issue: January 1, 2002
- Conformance with ICAO Doc. 9303 part 3
- Inside the 16 Kb RSA crypto chip are: 2 private keys, authentication certificate, digital signature certificate, personal data file
3 Project Milestones
- Nov 1999 - Working group was established for the project
- May 2000 - Government approved the guidelines
  - Tender for manufacturing of the cards 2000
  - Tender for certification services 2000-2001
  - Start of issuance December 2001
- June 2000 - Tender for manufacturing and personalization of cards
- Dec 2000 - TRÜB Switzerland was announced the winner
- March 2001 - Government approved the signing of the contract
- July 2001 - Tender for finding Certification Service Provider
- Sept 2001 - AS Sertifitseerimiskeskus was announced the winner
- Dec 2001 - contract was signed with AS Sertifitseerimiskeskus
- 28 Jan 2002 - the first ID card was issued
- 1 April 2002 - over 15 000 people have submitted their application; 7000 cards are handed over
4 Starting point assumptions/questions
- It is reasonable to set up only one commonly used PKI - one trust chain in co-operation with the business community
- Political debate: Do we need ID cards at all?
- Is the ID card compulsory or voluntary?
- Why do we need digital signatures at all when there are no services ready?
- Questions to ask: Are there services to appear when there are no digital identities? What is it going to cost later?
- We must start ID issuance now, as the passports start to expire in 2002.
- Later implementation of digital signature will become more costly or won't be reasonable at all.
5 Legal Basis of ID Card
- Identity Documents Act: passed on 15 February 1999, entered into force on 1 January 2000
- Digital Signature Act: passed on 8 March 2000, entered into force on 15 December 2000
- Amended together on 12 June 2001
6 Amendments on 12.06.2001
- A certificate which enables digital identification and a certificate which enables digital signing shall be entered on an identity card.
- Certificates on ID card shall be recognised by all authorities - public and private
7 Scope of legislation
- Digital Signature Law gives legal effect to digital signatures and digitally signed documents.
- Digital signatures will have the same legal validity as manual signatures if created in accordance with the law
- The scope of regulation of the law includes certification service providers, their rights and obligations, the procedure of certification,
- the use of certificates (including international ones),
- the accreditation and supervision of certification service providers.
8 Security of the ID Card
ID card front
The visually apparent safety features:
- Chip containing digital signature information
- Microprint "Eesti Vabariik" visible through magnifying glass
- Guilloche fine-line pattern
- UV-overprint in green and blue
- UV-fluorescent Guilloche
- OVI: optically variable ink shifting from golden to green
- Shadow image: the border line of Estonia
- Production series, marked in UV
9 Security of the ID Card
ID card back
The visually apparent safety features:
- Kineprint: the image EST is visible alternately on white and national color background
- MLI: Multiple Laser Image, whose screen base includes the moving and alternating personal code and expiry date of the card
- Guilloche fine-line pattern, fluorescent
- LFI: Latent Filter Image, upon turning the card the image EST alternates between positive and negative
- Card number
- Microprint: a poem visible through magnifying glass
- Safety thread, fluorescent
- Machine-readable OCR code
- Kinegram: upon turning the card the image of the map of Estonia and the image of the abbreviation EST changes
10 EstEID card application objects
- Data objects
  - Cardholder's personal data file
- Certificates and key objects
  - authentication private key
  - authentication certificate
  - signing private key
  - signing certificate
- Authentication objects
  - PIN1
  - PIN2
  - PUK
- Secure messaging key objects
- Card management key objects
11 ID Card Issuance
Participants:
- CMB: Gets application from the citizen, verifies the data and sends the request for card personalization to TRÜB.
- TRÜB Baltic AS: Engraves the visual data to the card, generates the user keys and PIN codes, sends the personal data to the CA, writes certificates to the card, sends personalized card and PIN codes to RA.
- AS Sertifitseerimiskeskus: Certification Service Provider. Provides the services according to the Digital Signature Act. CA: Generates and publishes the certificates, transfers certificates to TRÜB.
- Over 150 bank offices of Hansapank and Ühispank: RA. Identifies the person, verifies his knowledge of the PIN code, hands over the card and the instructions to the person.
- Public Directory: www.sk.ee, ldap.sk.ee
Numbered flows between the participants:
- 2. Requests for Personalization
- 3. Requests for Certificates
- 4. Certificates
- 5. ID Cards with Private Keys, PIN code envelopes are sent by courier
- 7. Personalized ID Cards with Certificates and PIN code envelopes are handed over
12 Lessons learned (personal)
- Only simple systems work
- Standard solutions give you at least predictable problems
- Technology is not a security risk - people are
- You cannot avoid bad publicity (scandal is a mother of brand-making)
- Demo crazy is just a form of entropy to live with
- You can learn only from your own mistakes
- Learning from others - get wisdom for free
- If you have a small budget, do not worry - time is a resource
- Murphy's laws work like the standards - not always
- Do not forget about laws of nature
13 Sample views of applications from www.pass.ee
18 Why Two Certificates?
- Digital signing
- Authentication, secure messaging, encryption
28 Useful links
- Passport, ID-card: http://www.pass.ee
- CMB: http://www.mig.ee
- PKI CA: http://www.sk.ee
- E-government: http://www.riik.ee/infosystems