A Short Introduction to eID
- 1 A Short Introduction to eID
- 1.1 What's what
- 1.2 An overview of the application areas of eID
- 1.3 References
A Short Introduction to eID
The ID card (EstEID) is a mandatory document of personal identification that can be used for signing documents electronically (in the technical sense, giving a digital signature), for personal identification and for data encryption functions. There are two certificates in X.509 format saved on the ID card: 1) a certificate for digital personal identification and data signing and encryption; 2) a certificate for digital signing, enabling the cardholder to issue a digital signature.
An ID card issued before 1 January 2007 is valid for 10 years and the certificates on it are valid for 3 years. Upon expiration, certificates can be renewed without charge. On ID cards issued after 1 January 2007, the certificates are valid for as long as the card itself, i.e. 5 years, and there is no need to renew the certificates.
There is also a personal data file on the card, which will be discussed in more detail in the Using the personal data file section. EstEID cards comply with the ISO/IEC 7816 standard. The latest EstEID standards, certificate profiles and specifications can be found on the id.ee webpage.
Digital certificate of identity
The digital certificate of identity or Digi-ID is a state digital document for personal identification in an electronic environment and for issuing a digital signature. Unlike the ID card, Digi-ID is not designed for visual personal identification; therefore, it does not carry a photo -– just the name, personal identification number and validity end date. Also, the personal data file is empty on a Digi-ID card, except for the document number field. Cryptographically, it is a smart card similar to the ID card. Therefore, when issuing a Digi-ID certificate, SK uses the same general principles, certification policy and certificate profile as with EstEID cards. For this reason, this guide also treats Digi-ID and the ID card as equal.
A digital certificate of identity and its certificates are issued for three years.
While the issuing of an ID card can take up to a month, Digi-ID cards are issued within minutes from the service points of the Police and Border Guard Board.
The digital stamp is a service that allows legal persons (e.g. companies) sign documents digitally. This confirms that the document comes from the company that has signed it (i.e. the digital document is confirmed by the institution, not an authorised physical person – people come and go; institutions remain) and that the document has not been changed in the interim. Signatures (also in large quantities) can be attached to invoices, payment orders, confirmations, certificates, bank statements (e.g. SEB bank offers an automatically digi-stamped bank statement), etc. When the service is ordered, SK will issue the company with a USB crypto-stick that has an X.509 certificate (the usage area will be determined by the name of the certificate) and, similarly to the digital signature, when the stamp is used, a container in DigiDOC format will be created that contains the signed data.
The issuing process and evidential value of the digital stamp are regulated by law (DSA), certification policy (specific to the respective certification service, and more detailed) and more general certification principles.
Electronic residence card
An electronic residence card is issued in place of an ID card to foreigners residing in Estonia who are not citizens of the European Union, and it carries the data of the residence permit. In terms of available electronic services, the functionalities of the residence card and the ID card are the same. The residence card can also be used for digital personal identification and digital signing. The main difference is that the ID card issued to citizens of Estonia and the EU can be used as a travel document within the EU, while the residence card cannot be used for travelling outside of Estonia. Another difference is that the residence card also carries a contactless chip with the user's fingerprints and face image. An ID card does not have a contactless chip. As contactless chips are not used in this guide, the residence card and the ID card are treated as equal. A residence card is valid for up to 5 years, but not longer than the residence permit or right of residence issued to the person.
Mobile ID is an electronic document of personal identification that can be used for electronic personal identification and digital signing with a mobile telephone, where the mobile phone with its SIM card functions simultaneously as the ID card and the card reader. For using a mobile ID, a special SIM card is required that enables the service, which can be obtained by signing a service contract with the mobile operator. The mobile ID will become usable after it has been activated in the electronic application environment of the Police and Border Guard Board, where the necessary certificates are requested. Unlike other documents, certificates of a mobile ID are not saved on the SIM card. Unlike the ID card, a mobile ID cannot be used for document encryption -- otherwise both DigiDocService and the mobile phone operator would see the decrypted data.
A mobile ID issued after 1 February 2011 is a digital identification document that is issued according to the Identity Documents Act.
The certificates of a mobile ID issued before 1 February 2011 are valid for 5 years. The certificates of a digital identity card in the form of a mobile ID that has been issued since 1 February 2011 are valid for 3 years. When the certificates expire, the SIM card has to be replaced.
Security research conducted in 2008 showed that after the recommendations of the report have been fulfilled and additional risks are accepted, mobile ID can be used on an equal basis as an ID card.
According to a formal analysis conducted in 2009, the protocol of mobile ID does have a few weak points and solutions have been offered that should be implemented quickly. However, the general conclusion is that the protocol is secure enough for continuous usage in the near future.
An overview of the application areas of eID
eID documents have a personal identification certificate that contains information about the owner. By entering PIN 1, the card owner can prove that it is him or her and that the information contained in the certificate pertains to him or her. Applications and web services can use this information to identify the user. Although the personal identification signature is delivered over the mobile network in the case of mobile ID, the principle is exactly the same.
eID documents are also equipped with a signing certificate and a pair of keys. DSA section 2, subsection 3 provides:
A digital signature and the system of using the digital signature shall: 1) enable unique identification of the person in whose name the signature is given; 2) enable determination of the time at which the signature is given; 3) link the digital signature to data in such a manner that any subsequent change of the data or the meaning thereof is detectable.
Clause 1 is met by the certificate that connects the person with the public key and has been signed by SK. Clause 2 is met by timestamping. Clause 3 is met by the fact that when data changes so will their hash and signature.
Therefore, signatures given with the signing key pair of an eID document are legally binding and equal to a traditional signature. After a signature is given, the certificate's serial number together with the hash of the signed document are sent to AS Sertifitseerimiskeskus, who will confirm the validity of the certificate and make an entry into the security log about this signature – this will guarantee non-repudiation, meaning that the signature cannot be denied. Generally, signatures are kept in a container together with the original documents, signer's certificate, validity confirmation and the validity confirmer's certificate.
If the signed document's hash is included in the certificate's validity confirmation query, the answer sent by the service acquires the meaning "at the moment I saw the document signed on the basis of this certificate, the certificate was valid", with the issuing time also included in the statement. The response is also signed and therefore protected against changing. SK takes responsibility for the accuracy of the confirmations, including their time component, and it records all the status changes of certificates as well as issued validity confirmations in a security log, which guarantees long-term evidential value.
Therefore, there is no separate time-stamping service; it is executed through the validity confirmation service.
Digital stamping means issuing digital signatures using a digital stamp that is designed for institutions (legal persons), whether by an employee of the institution or automatically by an application. To put it simply, a digital stamp is the equivalent of an ID card for companies.
AS Sertifitseermiskeskus (Certification Centre) offers the following for digital stamping
- DigiDoc3 client software, installable with the ID card software (Windows only; guide (in Estonian)),
- TempelPlus software for mass signing
- DigiDocService web service and
- DigiDoc libraries for creating own digi-stamping applications.
Encryption / decryption
eID documents offer the functionality to encrypt and decrypt files using the authentication certificate. This function is primarily meant for the safe transport of files in an unsafe environment (e.g. the Internet) as opposed to the long-term storage of data.
Attention: When a certificate has expired or been renewed or when a new ID card is being used, a document that has been encrypted with the previous certificate cannot be decrypted. Also, a container that has been encrypted for an ID card cannot be decrypted by the same person with his or her digital ID. These are the reasons why encrypted documents are not meant for long term storage.
One way to encrypt documents is to create an XML Encryption Syntax and Processing standard compatible cryptographic container, where the encrypted documents, receivers' certificates and other useful metainfo will be stored. The tools required for encryption and decryption are available in the DigiDoc libraries, and additional information can be found on the id.ee webpage about encryption.
Another widespread application is email encryption using the S/MIME standard where an email message is encrypted using the receiver's public key (which can be found in their personal identification certificate).
Attention: S/MIME encrypted mail messages can only be sent to the address that is included in the certificate. I.e. therefore, encrypted messages can only be sent to the receiver's @eesti.ee mail address.
In addition, there are of course many other uses for encryption and, as an eID document can be used to encrypt any byte sequence, it can be used anywhere.
In addition to the main functions listed above, an ID card can also be used for the following purposes.
- transport card, i.e. primarily an ID ticket. This has been carried out as a database located in a main server where personal identification numbers are tied to respective travelling rights, mostly a particular type of monthly ticket. When checking travelling rights, an ID card reader is used for quickly and smoothly determining the passenger's personal identification number (as the ID card itself does not contain any information about travelling rights);
- library card (libraries using the URRAM information system can use the ID card as a library card);
- loyal customer card, see the section "ID card as a loyalty card";
- door or entry card;
- J. Tepandi. Mobiil-ID turvauuring. Raporti kokkuvõte. http://www.riso.ee/et/files/MOBIIL-ID_kokkuvote_11-07-2008.pdf (in Estonian)
- P. Laud, M. Roos. Formal Analysis of the Estonian Mobile-ID Protocol. http://math.ut.ee/~peeter_l/research/nordsec09.pdf
- http://sk.ee/upload/files/kehtivuskinnituse_tech_kirjeldus.pdf (in Estonian)
- Merike Karolin (Tartu Linnaraamatukogu), http://www.minueesti.ee/minueesti/posts/list/24.page (in Estonian)