Understanding the eIDAS regulation and its potential impacts on existing infrastructures

1. EIDAS REGULATION
10/13/2016 1

2. 10/13/2016 2
Legal definition for ICT “jargon”:
Electronic identification
Election authentication
Electronic Signature (simple,
advanced, qualified)
Web site authentication
Electronic Time Stamping
Electronic Document delivery
Electronic Seal
…
Qualified Electronic Signature in
the Cloud :
AKA Server Signing
Authentication level to the Cloud is
becoming key
Re-use of Stork results for:
Authentication Assurance Level
EU PKI model based on:
 PEPS
 VIDP
Electronic identification + electronic authentication =
EU Digital Identity
Scope

3. 10/13/2016 3

4. 10/13/2016 4

5. 10/13/2016 5
MIIJxwYJKoZIhvcNAQcCoIIJuDCCCbQCAQExCzAJBgUrDgMCGgUAMDoGCSqGSIb3DQEHAaAtBCtUaGlzIHRleHQgd2FzIGxvYWRlZCBmcm9tIGEgcGxhaW4gdGV4dCBmaWxloIIHwDCC
A9owggNDoAMCAQICAQIwDQYJKoZIhvcNAQEEBQAwgZQxFTATBgNVBAMTDEVkZW1vIFN1YiBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0BnZW1hdXRoLmNvbTELMAkGA1UEBhMC
VVMxFTATBgNVBAgTDFBlbm5zeWx2YW5pYTEQMA4GA1UEBxMHSG9yc2hhbTEQMA4GA1UEChMHR2VtcGx1czESMBAGA1UECxQJTk9SQU0gUiZEMB4XDTA0MDMxODE3MjgzMVo
XDTE0MDMxNjE3MjgzMVowgZMxFDASBgNVBAMTC0VkZW1vIEFsaWNlMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGdlbWF1dGguY29tMQswCQYDVQQGEwJVUzEVMBMGA1UECBMM
UGVubnN5bHZhbmlhMRAwDgYDVQQHEwdIb3JzaGFtMRAwDgYDVQQKEwdHZW1wbHVzMRIwEAYDVQQLFAlOT1JBTSBSJkQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALZg
QPhOOF3cejp2VjWC0HrmG2xSP7s%2B2vQmfHT1D8gfpFr2f5eCJEn4GyOp4PJxLUlXRK5GheUXvFZcpX7NCR35Qhnfm978EhQ4EIBDjdhevLWsjv3oeei%2BbvzUymTHWDB0zeB5UJA0
M%2B%2BxO6%2BWluLZ16ctTkWJk9PaTvO0fpavAgMBAAGjggE5MIIBNTAhBglghkgBhvhCAQ0EFBYSQ2xpZW50IGNlcnRpZmljYXRlMAwGA1UdEwEB%2FwQCMAAwHQYDVR0OBBY
EFBYpejZfj966yRyue%2BRxS4NcR9vYMIHCBgNVHSMEgbowgbeAFBnk2hBUF9dgh7OuLL11nf62RSEIoYGbpIGYMIGVMQswCQYDVQQGEwJVUzEVMBMGA1UECBMMUGVubnN5bHZ
hbmlhMRAwDgYDVQQHEwdIb3JzaGFtMRYwFAYDVQQDEw1FZGVtbyBSb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGdlbWF1dGguY29tMRAwDgYDVQQKEwdHZW1wbHVzMRI
wEAYDVQQLFAlOT1JBTSBSJkSCAQEwCwYDVR0PBAQDAgXgMBEGCWCGSAGG%2BEIBAQQEAwIFoDANBgkqhkiG9w0BAQQFAAOBgQByaKGrjynQMJc3lJ9ZMZyjDMy7lfcne2cVphj18
GGJpsC8dzPR4y6uNl1BQ7MrYPUV9HH0rR5Onw02wMo5bnmyiGyPPE7YvXa0US1feOI0Ls3aCyCs2wbJ2ko7Z72j2scO%2FwZH7g8LBb7%2BepFftguH92YLE1Q2MgjEZX%2Fmqv5NfDC
CA94wggNHoAMCAQICAQEwDQYJKoZIhvcNAQEEBQAwgZUxCzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3lsdmFuaWExEDAOBgNVBAcTB0hvcnNoYW0xFjAUBgNVBAMTDUV
kZW1vIFJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9AZ2VtYXV0aC5jb20xEDAOBgNVBAoTB0dlbXBsdXMxEjAQBgNVBAsUCU5PUkFNIFImRDAeFw0wNDAzMTgxNzI2MzVaFw0x
NDAzMTYxNzI2MzVaMIGUMRUwEwYDVQQDEwxFZGVtbyBTdWIgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9AZ2VtYXV0aC5jb20xCzAJBgNVBAYTAlVTMRUwEwYDVQQIEwxQZW5uc3
lsdmFuaWExEDAOBgNVBAcTB0hvcnNoYW0xEDAOBgNVBAoTB0dlbXBsdXMxEjAQBgNVBAsUCU5PUkFNIFImRDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxL%2B6ZgyvWPID
Sh07N8XKht0mqAyj%2BmGcTvCTtKv1JJCZIPtNjJ3T5lHSjldwLlfpuoYkQApG%2FGyo1Cox0oKlyKbD%2FsAQsFbHIIGM75xLyjeqXHO0UzkHb9RMFdNsiBuak4dV%2B3mINmzFMv7Ex4M
zVcMw2G2%2F1Z%2BFEt6%2BqNqC88ECAwEAAaOCATswggE3MB0GCWCGSAGG%2BEIBDQQQFg5DQSBjZXJ0aWZpY2F0ZTASBgNVHRMBAf8ECDAGAQH%2FAgEAMB0GA1UdDgQ
WBBQZ5NoQVBfXYIezriy9dZ3%2BtkUhCDCBwgYDVR0jBIG6MIG3gBRDPGZtLIsqyiRlY39t2wGlK3Z3KKGBm6SBmDCBlTELMAkGA1UEBhMCVVMxFTATBgNVBAgTDFBlbm5zeWx2YW5
pYTEQMA4GA1UEBxMHSG9yc2hhbTEWMBQGA1UEAxMNRWRlbW8gUm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0BnZW1hdXRoLmNvbTEQMA4GA1UEChMHR2VtcGx1czES
MBAGA1UECxQJTk9SQU0gUiZEggEAMAsGA1UdDwQEAwIBBjARBglghkgBhvhCAQEEBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAuWSCUQ9%2ByUVtKCUXm4W64XePDcRIlS32nLrHv
bREi7%2BMQt%2BKGtkH00eZa9wxTrp0QgVCo4H03YptQWQJgxBKb7dLB5EtFpBienrKnkfLlbdhjHZWXB03i%2FcgPjC7xgudgmooKcLWNJz7a5iOfHUf%2B3GxveRezBSa76iaRzUcM5wx
ggGgMIIBnAIBATCBmjCBlDEVMBMGA1UEAxMMRWRlbW8gU3ViIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQGdlbWF1dGguY29tMQswCQYDVQQGEwJVUzEVMBMGA1UECBMMU
GVubnN5bHZhbmlhMRAwDgYDVQQHEwdIb3JzaGFtMRAwDgYDVQQKEwdHZW1wbHVzMRIwEAYDVQQLFAlOT1JBTSBSJkQCAQIwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBg
kqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTEwMDkxMzE2NDY0MlowIwYJKoZIhvcNAQkEMRYEFFctKwKOBQXuRz1LPNvXWH2EHnm3MA0GCSqGSIb3DQEBAQUABIGArpBqvMgz
cSYFGzEDXLU%2FMRehztIPBDuVpk8fk1KH%2Be6ZXmg1uUKiYAY5Tj3XlrMJbroH5tYb1dM7bH%2Brlp8F5lxpP1d%2FMQPc0tzFVC8XyvSahvuASjF0zXOmmuY1zYIF%2FA%2Fvsv%2FU
xkjytOBZ6oow1UcNHwjhLY93cC7seT1RZ2A%3D
Certificate Info
Unique Serial Number,
format, crypto info, validity
date, usage (verif, encrypt)…
Holder identification
Name, mail address…
Public key
Issuer identification
CA name, DP address…
Extensions
Additional standard or
proprietary info
Certificate Signature
Using Issuer’s private key
Public certificate
Electronic Signature
Privacy by Design within a PKI infrastructure?
Public information as it is a public
certificate

6. 10/13/2016 6
1999

7. 10/13/2016 7

8. 10/13/2016 8
Upcoming US/EU free trade zone
agreement - in 2013 = 649 B USD

9. 10/13/2016 9
national prerogative.
mutual recognition
unambiguity
Trusted Identities in Cyberspace.
and
authenticate their digital identities

10. 10/13/2016 10

11. 10/13/2016 11
 Application and registration.
 Identity proofing and verification.
 Binding between the electronic identification means of
natural and legal persons.
Enrolment
 eID means characteristics and design.
 Issuance, delivery and activation.
 Suspension, revocation and reactivation.
 Renewal and replacement.
Electronic identification
means management
 Authentication mechanism.Authentication
 General provisions.
 Published notices and user information.
 Information security management.
 Record keeping, facilities and staff, technical controls,
compliance and audit.
Management and
organization
eID LoA is based on the reliability and
quality of each element*
*Article 1 of Implementing Act

12. 10/13/2016 12
Assurance
level
Characterisitics and design Authentication
Substantial  At least two authentication factors from
different categories.
 Can be assumed to be used only if under
the control or possession of the person.
 Dynamic authentication.
 It is highly unlikely that guessing,
eavesdropping, replay or manipulation of
communication by an attacker with
moderate attack potential can subvert the
authentication mechanisms.
High Level substantial, plus:
 Protects against duplication, tampering
and attackers with high attack potential.
 It can be reliably protected by the person
against use by others.
Level substantial, plus:
 It is highly unlikely that guessing,
eavesdropping, replay or manipulation of
communication by an attacker with high
attack potential can subvert the
authentication mechanisms.

13. 10/13/2016 13

14. 10/13/2016 14
LEVEL 1
LEVEL 2
LEVEL 3 LEVEL 3
LEVEL 4
Token
OTP
Legacy
Password
2FA
Token
+ pw
Token OTP + pw
Token
PIN PAD
Token OTP
(PIN + certified
TEE or SE)
PKI ID (PIN +
SE, SIM/eSE)
Weak
Authentication
Secure
Authentication
Strong
Authentication
Strong
Authentication
w/secure devices
Strong
Authentication
w/secure devices
with tamper
resistance capability
Risk extremely high Risk mitigated Low risk Low risk Minimal riskRisk level
PKI eID
(PIN)
No Identity Proofing Presentation of
Identity Information Verification of Identity Information Face to face
registration
LOW SUBSTANTIAL HIGH
EnrolmentAuthenticationElectronicIDmeans
Out of
Regulation
scope
Levels of Assurance

15. 10/13/2016 15
eIDAS Regulation vs eIDAS token specifications
Legal frame for Trusted services
Electronic
signature
ElectronicSeal
ElectronicStamp
Electronic
registereddelivery
service
Qualifiedcertificate
forwebsite
authentication
eIDAS Regulation
Perform a
qualified
signature
Without GAP
With GAP
EAC V2.05
backward
compatible
Pseudo ID
with ERA
Common electronic
identification : e-ID LDS
Common
electronic
authentication:
GAP
Standard API to use Biometry as User
Authentication method (Finger Print, Voice,
Iris, Face)
Legal frame for: electronic
identification, authentication
eIDAS token specifications
TR Signature
TR Physical User Authentication

16. 10/13/2016 16
Timeline
•In line with the Implementing acts with eIDAS token
specifications - July 2014-July 2016.
•First pre-notification of eID: mid 2016.
•Mutual recognition (voluntary) between 2 MS: mid 2017.
•Obligation of Mutual recognition : 1st of January 2019.
Greek
P.
Italian
P.
Latvia
P.
Lux.
P.
NL
P.
Slovakia
P.
Malta
P.
UK
P.
Estonia
P.
Bulgaria
P.
Austria
P.
Romania
P.
Directive 99/93/EC (and PPSCD)

17. 10/13/2016 17

18. 10/13/2016 18
Contact only
Contactless
only
Hybrid
Dual
interface
Estonia
Germany eIDAS
Cyprus eIDAS
Netherlands (ICAO only)
Slovakia (eIDAS)
Poland
Netherlands (privacy
card)
Italy
Greece
Eurosmart
customers
New
projects
Finland
Belgium
Portugal
Czech Republic
Luxembourg
Bulgaria (EAC V2.05
/ eIDAS)
Malta
Sweden
Lithuania
Latvia (IAS ECC à ICAO)
Spain

19. WHAT EUROSMART IS
19

20. 10/13/2016 20
What Eurosmart is
About us
Eurosmart is a non-profit association located in Brussels and
representing the smart security industry. Founded in 1995, the
association advocates the use of smart secure devices and smart
security solutions to enhance the usability of digital services while
protecting privacy and combatting fraud.
The association is fully involved in political and technical initiatives as
well as R&D at the European and international levels.
About our members
 Members are manufacturers of smart cards, semiconductors,
academics, laboratories and associations.
 They share common European root:
– Annual turnover of over 15 billion euros of which over 40% is
generated in Europe.
– Close to 60.000 employees worldwide, of whom more than 50%
work in the EU.

21. 10/13/2016 21
Eurosmart members
What Eurosmart is
Associate members

22. 10/13/2016 22
Our mission

23. CONTACTS
23
STEFANE MOUILLE
Vice-President
timothee.mangenot@eurosmart.com
PIERRE-JEAN VERRANDO
Director of operations
pierrejean.verrando@eurosmart.com
Eurosmart | Rue du Luxembourg 19-21 | 1000 Brussels | Belgium
Tél. +32 2 506 88 38
FOLLOW-US