Study of the eID Model in Slovakia

The Slovak Identification Scheme Stems from Respective European Models

The electronic or digital identifiers are key elements to personalise the citizens and/or legal entities in the eGovernment scheme. The importance of electronic identity (eID) for eGovernment is also underlined in the European document – i2010 eGovernment Action Plan (Commision, 2006) that encourages EU countries implement electronic identification management (eIDM) in full respect of the national service needs, cultural traditions and personal data protection preferences. The electronic identification of persons enables both secure personalisation and smarter pubic services. Moreover, the Slovak identification scheme fully takes into consideration the principle objective of the Directive 95/46/EC (European Parliament and Council of the European Union, 1995) pursuing the easier and greater data sharing and providing regulations in terms of the “protection of individuals with regard to the processing of personal data”.

 

Following the personal events life-pathway, the Slovak model of eGovernmnet employs a full set of reengineering tools and approaches that increases the effectiveness of the public administration as well as their competences.

 

Although the idea of the Slovak identification scheme stems from respective European models justifying the application of cryptographic methods to identification systems, the national differences in the Slovak identity management architecture implies a brand new model of the identification scheme. For the purposes of unique identification, all natural persons registered in Slovakia as well as EU, EEA or third nationals, will have allocated a unique identification number which is derived from the unique number allocated to the citizen in the Central Register of Residents. This number will be used for eGovernment services for collaboration among state authorities as main unique person identifier.

 

The new national Slovak identification scheme is based on mix model of communication of all respective public bodies (registers, and etc.) in both ways directly and through the data intermediate centre.

 

eID hardware and operating system
The Slovak national eID card is based on a polycarbonate card and comes with an integrated contact-based crypto-controller. During the selection of the chip, the newest technologies in the secure chip cards sector were chosen: Infineon's SLE78CFX3000P with the operating system CardOS V5.0. CardOS V5.0 is based on the innovative digital security technology 'Integrity Guard' from Infineon and is implemented on the SLE78 next generation security controller platform using SOLID FLASH™.

 

CardOS V5.0 supports modern security mechanisms and cryptographic algorithms. The solution used for the Slovak eID card is derived from the German eID card system and based on EAC technology, according to BSI TR-03110. Rather than using an X.509 certificate, the verification of an electronic identity stored in the eID card based on reading the identity data via an EAC channel is used for electronic authentication and identification.

 

The eID card solution is designed as a multi-application card with a vision of future remote enhancements during eID card validity period.

 

eID SW infrastructure and eID middleware
In order to enable the authentication using the eID card for the providers of electronic services, it was necessary to develop an interoperable software infrastructure – an eID Authentication System (eID AS). This infrastructure produces an inevitable part of the eID solution and enables the integration of service providers based on standard interfaces. Secure communication with a remote eID card is provided by the eID Middleware (eID MW). Its implementation is based on the standards ISO/IEC 24727 (Identification cards – ICC programming interfaces), CEN 15480-3 (European citizen card – ECC Interoperability using an application interface) and the technical guideline BSI TR-03112 (eCard-API-Framework). eID MW enables the communication between a web-based application running on a service provider's server and a remote eID card through a secured communication channel. The communication between client and server provided by the eID MW is directed by PAOS protocol.

 

eID authentication system (eID AS)
The eID Authentication System consists of applications and software components on the server side and a multiplatform client application (eIDClient) that manages the process of authentication on the citizen's PC. The application provides an interaction with the user during the eID authentication and enables the communication of the eID AS server with the eID card.

 

An eID AS server enables the integration of the eID authentication by exposing standard interfaces based on OASIS SAML 2.0 and BSI TR-03130 (eID server) standards for the service providers. Thus the providers gain the ability to use the identification and authentication mechanism of the citizen's eID card to access their services. The eID AS represents an important construction element for the realisation of eGovernment in Slovakia. Other projects also count on using it, e.g. the eHealth project uses eID AS to authenticate the citizen to access the eHealth portal as well as to prove the presence of a citizen during a visit of a health professional (at a doctor, at a pharmacy). It will also be used by the eGovernment portal of the Slovak Ministry of Interior (MoI), which is preparing a large number of electronic services for the citizens. eID AS software components (eID MW Framework, eIDClient, eID AS server components) have been developed by a Slovak team of experts.

 

eID online authentication
The online authentication using the eID is based on a mutual prove of authenticity between a citizen and an online service provider. During this process, mutual authentication of a provider server and an eID chip is performed and an encrypted EAC channel is established.

 

The citizen's authentication is based on reading out the electronic identity through the established EAC channel based on rights defined in the provider's CV (Card Verifiable) certificate. This functionality can be activated upon the citizen's request. During the activation process, the citizen enters the PIN. While accessing a service of a provider who requires the citizen's authentication, the request is redirected to the eID AS. During the authentication, the citizen is prompted an information about the service provider and a list of personal data that the provider requires.

 

After approval for reading out the data, the citizen enters the PIN. After PIN verification and EAC channel establishment, the eID AS reads out the required citizen data and sends it to the service provider in an encrypted form via a signed authentication confirmation – in a SAML assertion. After the verification and identification of a user is successfully done, the service provider enables access to the service.

 

QES functionality in the eID
The Slovak citizens may use the eID card for storing and renewal of qualified certificates and creation of a qualified electronic signature (QES). The QES functionality in the eID may be activated upon the citizen's request either during document pick-up or later at a registration authority (RA) office. The QES enables the realization of acts that require a handwritten signature verified by a notary in the paper world. The card using a private key that encrypts an imprint of a document that is to be signed creates a QES.

 

The way of its creation provides a legal non-repudiation of the signature and allows the reliable determining of the individual who created the electronic signature. This signature also guarantees integrity of the document, i.e. that the signed document has not been altered in any way during the transmission to the recipient. Components with PKCS#11 and CSP interfaces are a part of the eID MW and allow the use of the eID card through standardized cryptographic programming interfaces. An access to SSCD signature functions through standardized interfaces is used by the most certified signature creation applications. A citizen may request to be issued a qualified certificate at an RA office.

 

A qualified certificate renewal may be performed online by a secure method using an established EAC channel, i.e. without personal attendance of the RA office. In accordance with the Common Criteria EAL4+ the concept is evaluated per TÜViT. To increase the availability of electronic services, the MoI in Slovak Republic issue the qualified certificates to its citizens without additional fees for the initial period of 5 years.

 

Cost-efficiency
The chip contains the personal information that is currently being recorded on the identity card: name, permanent address, date of birth plus data on blood group and education. It is technically possible to read the data from the ID card only with the consent of citizens, the personal security code of 6 digits and by inserting the card in a card reader. Details of the document will be accessible only to authorised service providers. The scope of the information accessible is defined by the access rules in the EAC certificate issued to service provider.


A new eID card is issued in less than two working days for €24,50 and administrative fee for regular delivery is €4,50.


Assets and perspectives
After introducing the national eID, an acceleration of administrative acts for citizens and a better availability of Government services are expected, as well as the creation of transparent and auditable electronic administrative contacts. These assets should lead to resource and cost savings, both on the citizens' and the public sector's side as well as increased Government satisfaction among citizens, entrepreneurs and the general public.

 

With an increasing amount of issued cards, a consecutive increase of ID services is expected: the success of the eID depends directly on them. Besides the possibilities of using the eID card that have been mentioned (online authentication, QES), it is also considered to use the eID card for encryption of sensitive data transmitted between a citizen and a service provider (as planned for the eHealth card), sector identification, eVoting, etc. in the future.

 

Besides the public sector, a massive use of the eID functionality in the private sector is expected, e.g. in areas of eBusiness and eBanking. The concept of the eID card that has been realized complies with the European Union initiative to create a European interoperable eID platform – project STORK – that allows citizens to create new electronic relationships across European borders. The new identity card enables a trustworthy national authentication that is an expected requirement for engagement in the project STORK. This enables the Slovak citizens to authenticate and access electronic services also in other countries of the European Union.

 

With the introduction of eID cards, Slovakia is placed at the forefront of their use, along with such EU countries as Finland, Belgium, Estonia and Germany.

 

Miloš Molnár, Independent eGovernment and eID Expert
• 2014-till now, Ministry of Finance of the Czech Republic, Advisor of the Czech Minister of Finances
• 2011-2012 Ministry of Finance Slovak Republic, General Director - Information Society Section - Managing Authority for the “Operational Programme Informatisation of Society” - eGovernment programme founded by EU > 800 mi. Euro

 

References
European Commision, 2006. i2010 eGovernment Action Plan. [Online] Available at: http://europa.eu/legislation_summaries/information_society/strategies/l24226j_en.htm
European Parliament and Council of the European Union, 1995. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. [Online] Available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

 

* The study on eID models is provided in cooperation with experts of Plaut s.r.o.