Electronic Identification, Authentication and Trust Services
What is eIDAS?
State borders within Europe are merging into one common space as the mobility of its people grows. Moving across physical borders between European states is becoming little more than a formality. When people are constantly on the move, the services they use must be equally mobile.
The European Union introduced eIDAS when it recognized the need for a European regulation and a common standard for electronic identification throughout the union. The purpose is to let citizens use their native electronic identification to access the public services of any other state in the European Union.
Aiming to be at the front line of meeting people's need for authentication, SecMaker's solution helps people identify themselves whenever needed. By applying the eIDAS framework for electronic identification, SecMaker will be a pillar in the self-fulfilment of European citizens.
Overview of technical solution
Cross-border communication of the electronic identification data of European citizens requires eIDAS to provide a secure framework. Basically, what is needed is:
- means to secure the confidentiality, authenticity, and integrity of the personal identification data
- a way to securely identify and authenticate the communication end points
In the eIDAS framework one talks about eIDAS-Connectors, which are the international nodes between which the cross-border data communication takes place. Sweden has chosen to centralize all eIDAS communication into one node named Sweden Connect. This node is hosted by the Swedish Agency for Digital Government (DIGG). Of course, a receiving national node must ensure that personal identification data received via an eIDAS-Connector is processed according to the applicable data protection legislation. Hence, data must not be forwarded to unidentified peers.
To exemplify, a European citizen wants to authenticate to a service in Sweden. This is the communication chain:
- Client initiates authentication request
- Issuer of e-identification in the member state, typically the entity that issued the user's digital certificate, obtained from a Certificate Authority (CA).
- eIDAS-Connector of member state.
- eIDAS-Connector in Sweden.
- Relation check database in Sweden.
- eIDAS-Connector in Sweden.
- Requested login service in Sweden, for example a local, municipal or state authority.
- The targeted service requiring electronic identification in Sweden, for example a local, municipal or state authority.
- Steps 1 to 8 are then traversed in reverse back to the initiating client with the acknowledgement and the login result.
To secure the communication, Transport Layer Security (TLS) is used between the client and the eIDAS node, which is the server side. The server uses certificate-based authentication towards the client. For performance reasons TLS uses symmetric encryption once the session is established, whereas asymmetric encryption is used in the setup phase. Authentication at the user level, meaning the person identification data, is done using the Security Assertion Markup Language (SAML). A hash function is required for the digital signature; the minimum requirement is SHA-2 with 256 bits (SHA-256). SAML 2.0 is used for the data communication between the eIDAS-Connectors.
In the international data exchange it is important to provide an uninterrupted chain of trust for personal identification data. The involved entities and nodes have to be identified in a secure way. The SAML metadata objects of the involved entities need to be signed by the trust anchor, which in the case of Sweden is the eIDAS-Connector, or by another entity that is authorized via a certificate chain starting from the trust anchor.
This makes it possible to separate the trust anchor from the SAML end points themselves (the end points being the involved nodes). As a result, the entity providing the trust is not necessarily the one providing the SAML metadata; the metadata entity is therefore often kept separate from the trust anchor (the eIDAS-Connector).
Data communication process flow between international eIDAS-Connectors
To authenticate a person whose request originates in their home country (their eIDAS member state) and is directed to the target nation's eIDAS-Connector, the following process must take place:
- The process is started by the server that provides the initial access, i.e. the server hosting the secure software application used for identification (generally referred to as the Relying Party, RP). This server sends an authentication request to the eIDAS-Connector responsible for it. For example, if the request were initiated from Sweden, the RP would connect to the Sweden Connect server node.
- The eIDAS-Connector sends a SAML request to the eIDAS-Service of the nation hosting the target eIDAS-Connector.
- The eIDAS-Service verifies the authenticity of the request by verifying the signature of the originating SAML request message. The requested Level of Assurance must be fulfilled (the Level of Assurance describes the degree of confidence in the processes leading up to and including an authentication).
- The eIDAS-Service authenticates the person requesting the service, for example by means of an Identity Provider (IdP), in accordance with the requested Level of Assurance.
- A SAML response is sent to the requesting eIDAS-Connector.
- The eIDAS-Connector verifies the authenticity of the received SAML response message, and if the verification succeeds the person identification data is passed on to the requesting Relying Party, i.e. the requested service in the target country that needs the person to be identified.
- If any of the checks in the authentication process flow fails, then the whole procedure is aborted and error handling follows.
Please look at the figure for a visualization of the data communication process.
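As an added example (not SecMaker's or Sweden Connect's code), the following Go program shows the two checks that the chain-of-trust paragraphs in the overview and step 3 of the process flow rely on: the signer's certificate must chain to the trust anchor, and the SHA-256 based signature over the SAML message must verify. It assumes ECDSA P-256 keys, a single self-signed trust-anchor certificate and a signature over the raw message bytes rather than an XML Signature; the certificates, the names and the message are constructed inline.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert: a fresh P-256 key plus a certificate for it signed by parent/parentKey (self-signed if parent is nil).
func newCert(cn string, usage x509.KeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, IsCA: usage&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey) // fixed inputs, cannot fail
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifySignedMessage: the signer must chain to the trust anchor (the eIDAS-Connector's CA certificate) and sig must be an ECDSA/SHA-256 signature by the signer over msg.
func VerifySignedMessage(msg, sig []byte, signer, anchor *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return err // unknown issuer, expired, or issuer not a CA: the message must not be trusted
	}
	return signer.CheckSignature(x509.ECDSAWithSHA256, msg, sig) // SHA-256 is the eIDAS minimum
}

// Demo: constructed anchor, a signer it certified and a self-signed rogue signer; returns the results for a genuine, a tampered and a rogue-signed message.
func Demo() (genuine, tampered, rogueSigned error) {
	anchor, anchorKey := newCert("Trust anchor (constructed)", x509.KeyUsageCertSign, nil, nil)
	signer, signerKey := newCert("SAML signer (constructed)", x509.KeyUsageDigitalSignature, anchor, anchorKey)
	rogue, rogueKey := newCert("Rogue signer (constructed)", x509.KeyUsageDigitalSignature, nil, nil)
	msg := []byte(`<AuthnRequest ID="constructed-1" Destination="https://eidas.example.invalid"/>`) // constructed sample
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, signerKey, h[:])
	rsig, _ := ecdsa.SignASN1(rand.Reader, rogueKey, h[:])
	return VerifySignedMessage(msg, sig, signer, anchor), // nil: trusted signer, intact message
		VerifySignedMessage(append(msg, ' '), sig, signer, anchor), // error: content changed
		VerifySignedMessage(msg, rsig, rogue, anchor) // error: signer not under the anchor
}
```

In a real deployment the anchor certificate is the one obtained through the bilateral RFC 5280 exchange between trust anchors, and the signature is an XML Signature embedded in the SAML message; the order of the checks is the same.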
Trust needed for communication
To be able to set up communication between eIDAS member states, a certain level of trust needs to be established. In each member state it is the so-called trust anchor that bilaterally exchanges a PKI-based certificate following RFC 5280 with the corresponding trust anchors of other countries. This is where the well-proven and robust PKI solution of SecMaker makes a difference: with it residing on both sides of the international eIDAS data communication, the result will be reliable and fast.
In the so-called centralized communication scheme between states, the eIDAS-Connector also acts as the trust anchor at the border point where data is exchanged.
Zero Trust in eIDAS
With regard to the SecMaker article on Zero Trust, it would be an interesting deployment option to realise the eIDAS framework using the Zero Trust network security concept. This indicates a possible business case for SecMaker: deploying PKI-based certificates between each network component as well as PKI-based certificates identifying the individuals whose data is exchanged internationally. Since the eIDAS-Connector is a target for an attacker, it cannot rely on outdated trusted-network architectures; it would be suitable for it to be part of a micro-segmented network architecture such as Zero Trust.
Authentication and signatures required for eIDAS
The fundamental idea of eIDAS is that an electronic signature shall be as binding as a handwritten signature on a paper document and have equal legal effect as evidence.
Within eIDAS, three fundamental kinds of signatures are considered:
- Electronic seals
Electronic seals are only available to legal persons such as corporate entities. They remove the need for a particular "authorized signer" of a company or association; instead, a seal is associated with the company or association itself, and the use of the seal is binding for that legal person.
- Qualified Electronic Signature (QES)
This type of electronic signature is uniquely linked to the particular signer. A Qualified Electronic Signature is based on a Qualified Certificate, which can only be issued by a Certificate Authority (CA) accredited to fulfill the requirements of eIDAS. A Qualified Certificate must be kept on a smart card, a USB token, or a trust service residing in the "cloud". QES are doubtless very important, as they are the only type of electronic signature that is legally equal to a handwritten signature and the only type whose validity is mutually accepted in all EU member states.
- Advanced Electronic Signature (AdES)
This type of signature gives the signer of a document a unique authentication and identification and also permits verification of the integrity of the signed document. It is accomplished with a digital certificate issued by a CA: the signer first obtains this certificate from the CA, and when signing, the certificate of the signer is cryptographically tied to the document using the private key that is held solely by the signer. Certificates like this, based on PKI, have existed for many years, but eIDAS also allows the signer to use other technologies, such as mobile devices, to accomplish this.
A prominent technology provider for eIDAS
At SecMaker we have already provided the technical means for issuing electronic identification to significant players in the public sector in Sweden. Our technology base is well proven, and the authorities hosting the technology, in other words the customers of SecMaker, aim to make the Net iD Software Suite the standard for the public sector in Sweden.
We aim for Europe. And Europe has demands that we believe we can enable a corresponding electronic identification provider, meaning a customer buying our technology, to fulfil, making the SecMaker way of electronic identification a standard in any European country.