Prof. Dr. (TU NN) Norbert Pohlmann
Institute for Internet Security - if(is)
Westphalian University of Applied Sciences Gelsenkirchen, Germany www.if-is.net
eIDAS
remote signatures and seals
Prof. Norbert Pohlmann, Institute for Internet Security - if(is), Westphalian University of Applied Sciences Gelsenkirchen, Germany
Content
eIDAS
(Idea, applies to, what changes, …)
Remote Signatures
(Motive, Requirements, …)
Electronic Seals
(Motive, Requirements, …)
Architecture
(QES versus QRES)
Demo - XignQR
Electronic identification and trust services (eIDAS)
EU Regulation
Fundamentals
eIDAS Regulation
Why eIDAS?
Electronic Identification and Trust Services (eIDAS) for electronic transactions in the internal market (EU)
New system for electronic interaction
EU-wide: between business, citizens and public authorities
Improve trust in EU-wide electronic transactions
Public and private online services; e-commerce, …
Removes barriers to the use of eID in the EU
Mutual recognition of notified eID is mandatory
eIDAS Regulation
(Not) applies to?
Applies to
Electronic Identification (eID) notified to the European Commission
Trust Service Providers (TSP) based in the EU
Does not apply to
Trust services in closed systems resulting … from national law
eIDAS Regulation
What changes? What is new?
"German Signature Law" (SigG) is replaced by eIDAS
First EU-wide regulation for digital interaction: technical, operational, formats, procedures
First opportunity for
Server-side qualified electronic signatures / remote signatures
Electronic seals
eIDAS
Remote Signatures
Fundamentals
eIDAS Remote Signatures
Motive
(51) … signatory to entrust qualified electronic signature device (QESDev) to the care of a third party ... mechanism and procedures ... to ensure signatory has sole control over electronic signature creation data (ESCD) ... qualified electronic signatures (QES) requirements are met by the use of the device
(52) The creation of remote electronic signature (RES) … managed by Trust Service Provider (TSP) ... on behalf of the signatory, is set to increase ... multiple economic benefits. ... ensure RES ... same legal recognition as electronic signatures created in entirely user-managed environment, remote electronic signature service provider (RESSP) should apply specific management and administrative security procedures and trustworthy systems … secure electronic communication channels … QES created using RESDev ... requirements applicable to
eIDAS Remote Signatures
Requirements for a QESDev (Annex II)
Confidentiality of the ESCD (electronic signature creation data) is reasonably assured (1. a)
ESCD can practically occur only once (1. b)
ESCD cannot be derived and is protected against forgery (1. c)
ESCD can be reliably protected by the legitimate signatory against use by others (1. d)
QESDev shall not alter the data to be signed or prevent it from being presented to the signatory (2)
Managing ESCD on behalf of the signatory may only be done by a QTSP (3)
QTSP may duplicate ESCD only for back-up purposes (4)
eIDAS Remote Signatures
Conclusion
Article 25 (2)
QES shall have the equivalent legal effect of a handwritten signature
The motive (recitals) calls for remote signatures
Requirements for a QRES can be met by a QTSP
Operations and procedures
Secure communications and digital signatures to keep a connection trustworthy and verifiable
Strong authentication to ensure user authenticity
eIDAS
Electronic Seals
Fundamentals
eIDAS Electronic Seals
Motive
(58) … transaction requires a QESeal from a legal person, a QES from the authorized representative of the legal person should be equally accepted
(59) Electronic Seals should serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document's origin and integrity
(60) TSP issuing QESCert for Electronic Seals should … be able to establish the identity of the natural person representing the legal person ... when identification is necessary ...
(65) … Electronic Seal (ES) can be used to authenticate digital asset of a legal person ...
eIDAS Electronic Seals
Requirements for a QESDev (Annex II)
Analogous to the requirements for a QESDev
eIDAS Electronic Seals
Conclusion
Article 35 (2)
QESeal shall enjoy the presumption of integrity and of correctness of origin of the data to which the QESeal is linked
The motive (recitals) allows electronic seals
Requirements for QESeals are similar to those for QES
Benefits of electronic seals
Increase trust in digital processes that are currently untrusted
Equivalent to the analog seal of authorities
eIDAS Electronic Seals
Examples
[Figures: “Industrial Internet” will exchange control data via the Internet; Robots will replace administrative jobs (© www.fotolia.com)]
Security services are:
- authenticity / origin (robot, algorithm, …)
- integrity (letter, control data, …)
- non-repudiation (action, process, …)
Remote Signatures & Electronic Seals
Comparison
Remote Electronic Signatures:
- Signatory is a natural person
- Use of a QESDev
- QESCert for QES (authentication of a natural person)
- Equivalent legal effect of a handwritten signature
Electronic Seals:
- Signatory is a legal person
- Use of a QESealDev, equivalent to a QESDev
- QESealCert for QESeals (authentication of a legal person)
- Evidence that an electronic document was issued by a legal person
- Authenticate digital assets of a legal person
- Can be replaced with a QES of the natural person representing the legal person
Architecture
Concept, Benefits and Restrictions
SigG QES System
Architecture overview
Need for extra hardware (smartcard, smartcard reader, software)
Expensive (reader, software, procedure, …)
eIDAS Remote Signature System
Architecture Overview
Strong authentication at the user device (possibly attackable, depending on the authentication method)
Easier usage, also mobile on smartphones or terminals
Concept, Benefits and Restrictions
Comparison
SigG QES:
- Security level: very high (QESDev and SAC specified)
- Need for extra hardware
- Only usable at the user's device
- Hardly usable on mobile devices
- Expensive for the end-user
Remote QES:
- Security level: high (advanced signature as trigger)
- Need for strong authentication
- Usable at any device, user-friendly
- Can be used with mobile devices
- Cheap for the end-user
- Many different implementations possible
- Pseudonymity possible
Restrictions that blocked the spread of electronic signatures are eliminated
Plays a part in contributing to digital transformation and mobility
Requirements for a successful Remote QES rollout
Secure and still user-friendly
Cheap for the end-user and relying party
No extra hardware
Easy integration
Usable in different fields and scenarios
Real and digital world
Stationary and mobile applications
Device-independent
Minimal interaction
eIDAS Remote Signature System
Demo - XignQR
eIDAS Remote Signature System
Secure and still user-friendly
Adaptive security mechanisms
1st factor: possession of the smartphone; 2nd factor: user behaviour, context information
More or fewer factors as necessary / possible
Cheap for the end-user and relying party
Use of the user's own smartphone as personal authentication device (PAD)
Relying on standards (PKI, protocols)
Usable in different fields and scenarios
QR code, NFC, … as entry point, e.g. a QR code printed on paper
No interaction needed except with the smartphone (PAD)
eIDAS Remote Signature System
eIDAS Remote Signature System
XignQR: Architecture Overview
QR code as entry point
Authentication between personalized smartphone (app) and QESDev (security module)
Smartphone as control channel
No limitation in use cases
A secure concept for remote signatures
Secure through no media disruption
No passwords, only PKI based on asymmetric cryptography
Highly dynamic and reduced complexity
Use of multiple relying parties with one registration
Fully integrable through entry points and standards
Use cases
Document and workflow signatures
Combination of paper-based and electronic signatures
Usable for signing transactions B2B, B2C, C2C
…
eIDAS Remote Signature System
Usage of XignQR with electronic seals
Usage of seals in IoT and M2M
Replacing the user device
Using the infrastructure to authenticate machines with challenge-response
Automatic attestation of procedures and processes
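As an added illustration (not XignQR's code and not from the original slides), the following Go program models the remote-signature trigger from the comparison slide and the challenge-response authentication mentioned above: the device holds only an authentication key, the QTSP keeps the signing key, and the document hash is signed only after a fresh, document-bound challenge has been answered with the enrolled device key. All names, the key type (ECDSA P-256) and the in-memory key storage are assumptions of this example; a real QESDev holds the ESCD in a certified security module.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Service is the QTSP side: the enrolled device key plus the signing key (ESCD) in a simulated QESDev.
type Service struct {
	devicePub *ecdsa.PublicKey
	signKey   *ecdsa.PrivateKey
	pending   map[[32]byte][32]byte // document hash -> one-time nonce
}

// Enrol returns the device's authentication key (held only on the device) and a service that trusts it.
func Enrol() (*ecdsa.PrivateKey, *Service) {
	dev, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // demo key, assumed
	escd, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // never leaves the service
	return dev, &Service{&dev.PublicKey, escd, map[[32]byte][32]byte{}}
}

// Challenge binds a fresh nonce to the hash of the document to be signed.
func (s *Service) Challenge(docHash [32]byte) (nonce [32]byte) {
	rand.Read(nonce[:])
	s.pending[docHash] = nonce
	return nonce
}

// Authorize is the "advanced signature as trigger": the device signs nonce||docHash after user approval.
func Authorize(dev *ecdsa.PrivateKey, docHash, nonce [32]byte) []byte {
	m := sha256.Sum256(append(nonce[:], docHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, dev, m[:])
	return sig
}

// RemoteSign verifies the trigger with the enrolled key, consumes the nonce (no replay), then signs.
func (s *Service) RemoteSign(docHash [32]byte, trigger []byte) ([]byte, error) {
	nonce, ok := s.pending[docHash]
	delete(s.pending, docHash)
	m := sha256.Sum256(append(nonce[:], docHash[:]...))
	if !ok || !ecdsa.VerifyASN1(s.devicePub, m[:], trigger) {
		return nil, errors.New("no pending challenge or signatory authentication failed")
	}
	return ecdsa.SignASN1(rand.Reader, s.signKey, docHash[:])
}
```

A relying party verifies the returned signature over the document hash with the public key from the signatory's certificate; the same exchange works for a machine holding a seal key instead of a person holding a smartphone.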
Summary
Remote signatures / seals are an accelerator for digital transformation:
- lower the costs
- make life easier and increase security and trust
- benefit for all: organizations, authorities and citizens
eIDAS Remote Signature System