2. 10/13/2016 2
Scope
Legal definition for ICT “jargon”:
• Electronic identification
• Electronic authentication
• Electronic Signature (simple, advanced, qualified)
• Web site authentication
• Electronic Time Stamping
• Electronic Document delivery
• Electronic Seal
• …
Qualified Electronic Signature in the Cloud:
• AKA Server Signing
• Authentication level to the Cloud is becoming key
Re-use of Stork results for:
• Authentication Assurance Level
• EU PKI model based on: PEPS, VIDP
Electronic identification + electronic authentication = EU Digital Identity
11. 10/13/2016 11
Enrolment:
• Application and registration.
• Identity proofing and verification.
• Binding between the electronic identification means of natural and legal persons.
Electronic identification means management:
• eID means characteristics and design.
• Issuance, delivery and activation.
• Suspension, revocation and reactivation.
• Renewal and replacement.
Authentication:
• Authentication mechanism.
Management and organization:
• General provisions.
• Published notices and user information.
• Information security management.
• Record keeping, facilities and staff, technical controls, compliance and audit.
eID LoA is based on the reliability and quality of each element*
*Article 1 of Implementing Act
12. 10/13/2016 12
Assurance level: Substantial
Characteristics and design:
• At least two authentication factors from different categories.
• Can be assumed to be used only if under the control or possession of the person.
Authentication:
• Dynamic authentication.
• It is highly unlikely that guessing, eavesdropping, replay or manipulation of communication by an attacker with moderate attack potential can subvert the authentication mechanisms.
Assurance level: High
Characteristics and design:
• Level substantial, plus:
• Protects against duplication, tampering and attackers with high attack potential.
• It can be reliably protected by the person against use by others.
Authentication:
• Level substantial, plus:
• It is highly unlikely that guessing, eavesdropping, replay or manipulation of communication by an attacker with high attack potential can subvert the authentication mechanisms.
14. 10/13/2016 14
Levels of Assurance
[Figure: electronic ID means, authentication and enrolment set against assurance levels. Rows below are listed in the order they appear on the slide.]
Levels: LEVEL 1, LEVEL 2, LEVEL 3, LEVEL 3, LEVEL 4
Electronic ID means: Token OTP; Legacy Password; 2FA Token + pw; Token OTP + pw; Token PIN PAD; Token OTP (PIN + certified TEE or SE); PKI ID (PIN + SE, SIM/eSE); PKI eID (PIN)
Authentication: Weak Authentication; Secure Authentication; Strong Authentication; Strong Authentication w/secure devices; Strong Authentication w/secure devices with tamper resistance capability
Risk level: Risk extremely high; Risk mitigated; Low risk; Low risk; Minimal risk
Enrolment: No Identity Proofing; Presentation of Identity Information; Verification of Identity Information; Face to face registration
eIDAS assurance levels: LOW, SUBSTANTIAL, HIGH (plus a region marked "Out of Regulation scope")
15. 10/13/2016 15
eIDAS Regulation vs eIDAS token specifications
eIDAS Regulation:
• Legal frame for Trusted services: Electronic signature, Electronic Seal, Electronic Stamp, Electronic registered delivery service, Qualified certificate for website authentication
• Legal frame for: electronic identification, authentication
eIDAS token specifications:
• Perform a qualified signature: Without GAP / With GAP
• EAC V2.05 backward compatible
• Pseudo ID with ERA
• Common electronic identification: e-ID LDS
• Common electronic authentication: GAP
• Standard API to use Biometry as User Authentication method (Finger Print, Voice, Iris, Face)
• TR Signature
• TR Physical User Authentication
16. 10/13/2016 16
Timeline
• In line with the Implementing acts with eIDAS token specifications - July 2014-July 2016.
• First pre-notification of eID: mid 2016.
• Mutual recognition (voluntary) between 2 MS: mid 2017.
• Obligation of Mutual recognition: 1st of January 2019.
[Figure labels: Greek P., Italian P., Latvia P., Lux. P., NL P., Slovakia P., Malta P., UK P., Estonia P., Bulgaria P., Austria P., Romania P.]
Directive 99/93/EC (and PPSCD)
20. 10/13/2016 20
What Eurosmart is
About us
Eurosmart is a non-profit association located in Brussels and
representing the smart security industry. Founded in 1995, the
association advocates the use of smart secure devices and smart
security solutions to enhance the usability of digital services while
protecting privacy and combatting fraud.
The association is fully involved in political and technical initiatives as
well as R&D at the European and international levels.
About our members
Members are manufacturers of smart cards, semiconductors,
academics, laboratories and associations.
They share a common European root:
– Annual turnover of over 15 billion euros of which over 40% is
generated in Europe.
– Close to 60.000 employees worldwide, of whom more than 50%
work in the EU.