eID functionality in brief
An overview of the technical functionality of eID
eID documents carry a personal identification (authentication) certificate that contains information about the holder. By entering PIN 1, the card holder proves possession of the private key that belongs to that certificate, and thereby that he or she is the person the certificate describes. Applications and web services use this information to identify the user. With Mobile-ID the authentication signature is delivered over the mobile network instead of through a card reader, but the principle is exactly the same.
eID documents are also equipped with a signing certificate and a corresponding key pair. Section 2, subsection 3 of the Digital Signatures Act (DSA) provides:
A digital signature and the system of using the digital signature shall:
1) enable unique identification of the person in whose name the signature is given;
2) enable determination of the time at which the signature is given;
3) link the digital signature to data in such a manner that any subsequent change of the data or the meaning thereof is detectable.
Clause 1 is met by the certificate, signed by SK (AS Sertifitseerimiskeskus), that binds the person to the public key. Clause 2 is met by time-stamping. Clause 3 is met by the fact that the signature is computed over the hash of the data: any change to the data changes the hash, so the signature no longer verifies.
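The authentication flow and the clause 1 binding described above, as an added example in Go; this is not code from id.ee or from the DigiDoc libraries. A constructed issuer stands in for SK, a freshly generated P-256 key stands in for the card's authentication key, and the names, personal identification number and serial numbers are invented. The relying party verifies the chain to the trusted root, the validity period at the time of the check and the signature over its own challenge before it reads the identity out of the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Issuer is a constructed stand-in for SK: a self-signed root that signs
// personal identification certificates.
type Issuer struct {
	key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func NewIssuer(name string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Issuer{key: key, Cert: cert}, nil
}

// IssuePersonal binds a person (name and personal identification number, both
// constructed by the caller) to the public key whose private half lives on the card.
func (i *Issuer) IssuePersonal(serial int64, name, personalID string, pub *ecdsa.PublicKey, validFor time.Duration) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name, SerialNumber: personalID},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.Cert, pub, i.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ProvePossession is the card's side: once PIN 1 has unlocked the
// authentication key, the card signs the relying party's fresh challenge.
func ProvePossession(cardKey *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, cardKey, h[:])
}

// Identify is the relying party's side: check that the certificate chains to
// the trusted root and is valid at time at, check that the challenge was
// signed by the key the certificate names, then read the identity from it.
func Identify(cert, trustedRoot *x509.Certificate, challenge, sig []byte, at time.Time) (name, personalID string, err error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", "", errors.New("challenge signature does not match the certificate's key")
	}
	return cert.Subject.CommonName, cert.Subject.SerialNumber, nil
}

func main() {
	sk, _ := NewIssuer("Example SK root (constructed)")
	cardKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cert, _ := sk.IssuePersonal(4711, "MAASIKAS,MARI (constructed)", "00000000000", &cardKey.PublicKey, 24*time.Hour)
	challenge := []byte("constructed nonce 1234")
	sig, _ := ProvePossession(cardKey, challenge)
	fmt.Println(Identify(cert, sk.Cert, challenge, sig, time.Now()))
}
```

The challenge must be fresh per authentication: a signature over a reused challenge can be replayed, and Identify rejects a signature made over any other challenge.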
Signatures given with the signing key pair of an eID document and backed by a validity confirmation are therefore legally binding and equivalent to a handwritten signature. After a signature is given, the certificate's serial number and the hash of the signed document are sent to AS Sertifitseerimiskeskus (SK), which confirms that the certificate is valid and records the signature in its security log; this provides non-repudiation, meaning the signer cannot later deny the signature. Signatures are usually kept in a container together with the original documents, the signer's certificate, the validity confirmation and the validity confirmer's certificate.
Because the hash of the signed document is included in the certificate validity query, the service's answer acquires the meaning "at the moment I saw the document signed on the basis of this certificate, the certificate was valid", with the time of issue included in the statement. The response is itself signed and therefore protected against modification. SK takes responsibility for the accuracy of the confirmations, including their time component, and records all certificate status changes as well as every issued validity confirmation in a security log, which guarantees long-term evidential value.
When signing in the DDOC or BDOC-TM format, no separate time-stamping service is used: the time is taken from the validity confirmation (the time-mark). For better compliance with international standards, the BDOC-TS signature profile together with a time-stamping service must be used.
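The signing and validity-confirmation exchange described above, as an added Go example that is not part of the original page or of DigiDoc. The confirmer's ECDSA key, the statement encoding, the serial numbers and the documents are all constructed, and the signer's certificate is reduced to its serial number and public key (chain validation to SK's root is assumed to have been done separately). Verify checks clause 3 (the document hash), clause 2 (the signed confirmation names this certificate and this hash, with its time) and rejects a confirmation that has been moved to a different document; a revoked certificate gets no confirmation at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Confirmation is SK's signed statement "certificate <serial> was valid when I
// saw document hash <hash>, at <time>".
type Confirmation struct {
	CertSerial int64
	DocHash    [32]byte
	IssuedAt   time.Time
	Sig        []byte // SK's ECDSA signature over statement()
}

// statement is the constructed byte layout that SK signs.
func (c Confirmation) statement() []byte {
	return []byte(fmt.Sprintf("%d|%x|%d", c.CertSerial, c.DocHash[:], c.IssuedAt.UnixNano()))
}

// Container holds what the page lists: the document, the signature, the
// signer's certificate (reduced here to serial and public key) and the
// validity confirmation.
type Container struct {
	Document     []byte
	Signature    []byte
	CertSerial   int64
	SignerPub    *ecdsa.PublicKey
	Confirmation Confirmation
}

// Confirmer is a constructed stand-in for the validity confirmation service.
type Confirmer struct {
	key     *ecdsa.PrivateKey
	Pub     *ecdsa.PublicKey
	revoked map[int64]bool
	Log     []Confirmation // the security log: every confirmation ever issued
}

func NewConfirmer() (*Confirmer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Confirmer{key: key, Pub: &key.PublicKey, revoked: map[int64]bool{}}, nil
}

func (s *Confirmer) Revoke(serial int64) { s.revoked[serial] = true }

// Confirm answers the query (certificate serial + document hash): a revoked
// certificate gets no confirmation; otherwise the answer is signed and logged.
func (s *Confirmer) Confirm(serial int64, docHash [32]byte) (Confirmation, error) {
	if s.revoked[serial] {
		return Confirmation{}, errors.New("certificate revoked")
	}
	c := Confirmation{CertSerial: serial, DocHash: docHash, IssuedAt: time.Now().UTC()}
	stmt := sha256.Sum256(c.statement())
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, stmt[:])
	if err != nil {
		return Confirmation{}, err
	}
	c.Sig = sig
	s.Log = append(s.Log, c)
	return c, nil
}

// Sign hashes the document, signs the hash with the card's signing key and
// sends the certificate serial plus the hash to the confirmer.
func Sign(doc []byte, cardKey *ecdsa.PrivateKey, certSerial int64, s *Confirmer) (*Container, error) {
	h := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, cardKey, h[:])
	if err != nil {
		return nil, err
	}
	conf, err := s.Confirm(certSerial, h)
	if err != nil {
		return nil, err
	}
	return &Container{Document: doc, Signature: sig, CertSerial: certSerial, SignerPub: &cardKey.PublicKey, Confirmation: conf}, nil
}

// Verify needs only the container and the verifier's trusted SK public key.
func Verify(c *Container, trustedSK *ecdsa.PublicKey) error {
	h := sha256.Sum256(c.Document) // clause 3: any change to the data changes h
	if !ecdsa.VerifyASN1(c.SignerPub, h[:], c.Signature) {
		return errors.New("signature does not match the document")
	}
	conf := c.Confirmation // clause 2: SK vouched for this certificate and this hash at IssuedAt
	if conf.CertSerial != c.CertSerial || conf.DocHash != h {
		return errors.New("validity confirmation covers a different certificate or document")
	}
	stmt := sha256.Sum256(conf.statement())
	if !ecdsa.VerifyASN1(trustedSK, stmt[:], conf.Sig) {
		return errors.New("validity confirmation signature invalid")
	}
	return nil
}

func main() {
	sk, _ := NewConfirmer()
	cardKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c, _ := Sign([]byte("Lease agreement (constructed)"), cardKey, 4711, sk)
	fmt.Println("verify:", Verify(c, sk.Pub))
	c.Document = append(c.Document, '!')
	fmt.Println("after tampering:", Verify(c, sk.Pub))
}
```

The confirmation is bound to the document hash, not just to the certificate: a valid confirmation taken from one signed document cannot be reused to vouch for another one, even by the same signer.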
In the future, to ensure the long-term validity of the BDOC format, an archive time stamp can be added to a BDOC container. The mechanism builds on the notion "let's secure what may be weak": successive time stamps, each covering all the material that came before it, protect the whole against hash algorithms that later become vulnerable and against the breaking of the cryptographic material or algorithms used earlier.
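The archive time-stamp chain, as an added Go example; it is not the BDOC/XAdES archive format itself. The TSA key is generated on the spot, the link encoding is invented, and the cut-off date after which SHA-1 is treated as unsafe is a constructed policy input (the sample date in main is the day the first public SHA-1 collision was announced). Each new link covers the original material plus every earlier link, and verification accepts a link made with a now-weak algorithm only if a later link re-covered it before that algorithm's cut-off date.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	_ "crypto/sha1" // registers crypto.SHA1
	_ "crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ArchiveTimestamp is one link of the chain: a digest over the signed material
// and every earlier link, computed with the hash algorithm current at the time,
// signed by the time-stamping authority (TSA).
type ArchiveTimestamp struct {
	Hash   crypto.Hash
	Digest []byte
	Time   time.Time
	Sig    []byte
}

// encode is the constructed byte layout that the TSA signs.
func (a ArchiveTimestamp) encode() []byte {
	b := make([]byte, 16)
	binary.BigEndian.PutUint64(b[:8], uint64(a.Hash))
	binary.BigEndian.PutUint64(b[8:], uint64(a.Time.Unix()))
	return append(b, a.Digest...)
}

// covered is what a new link protects: the original material (signature,
// document, certificates, validity confirmation) followed by all earlier links.
func covered(material []byte, prev []ArchiveTimestamp) []byte {
	out := append([]byte{}, material...)
	for _, p := range prev {
		out = append(out, p.encode()...)
		out = append(out, p.Sig...)
	}
	return out
}

// AddArchiveTimestamp returns the chain extended by a link made with hash h at time at.
func AddArchiveTimestamp(tsa *ecdsa.PrivateKey, material []byte, chain []ArchiveTimestamp, h crypto.Hash, at time.Time) ([]ArchiveTimestamp, error) {
	hasher := h.New()
	hasher.Write(covered(material, chain))
	ts := ArchiveTimestamp{Hash: h, Digest: hasher.Sum(nil), Time: at}
	stmt := h.New()
	stmt.Write(ts.encode())
	sig, err := ecdsa.SignASN1(rand.Reader, tsa, stmt.Sum(nil))
	if err != nil {
		return nil, err
	}
	ts.Sig = sig
	return append(append([]ArchiveTimestamp(nil), chain...), ts), nil
}

// VerifyChain recomputes every digest and TSA signature, then applies the
// "secure what may be weak" rule: a link made with an algorithm listed in
// brokenSince is acceptable only if the next link (which covers it) was
// created before that algorithm's cut-off date.
func VerifyChain(tsaPub *ecdsa.PublicKey, material []byte, chain []ArchiveTimestamp, brokenSince map[crypto.Hash]time.Time) error {
	if len(chain) == 0 {
		return errors.New("no archive time stamp")
	}
	for i, ts := range chain {
		hasher := ts.Hash.New()
		hasher.Write(covered(material, chain[:i]))
		if string(hasher.Sum(nil)) != string(ts.Digest) {
			return fmt.Errorf("link %d: digest mismatch", i)
		}
		stmt := ts.Hash.New()
		stmt.Write(ts.encode())
		if !ecdsa.VerifyASN1(tsaPub, stmt.Sum(nil), ts.Sig) {
			return fmt.Errorf("link %d: bad TSA signature", i)
		}
		cutoff, weak := brokenSince[ts.Hash]
		if weak && (i+1 == len(chain) || !chain[i+1].Time.Before(cutoff)) {
			return fmt.Errorf("link %d uses %v, unsafe since %s, and was not re-covered in time", i, ts.Hash, cutoff.Format("2006-01-02"))
		}
	}
	return nil
}

func main() {
	tsa, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	material := []byte("signature, document, certificates, validity confirmation (constructed)")
	policy := map[crypto.Hash]time.Time{crypto.SHA1: time.Date(2017, 2, 23, 0, 0, 0, 0, time.UTC)}
	chain, _ := AddArchiveTimestamp(tsa, material, nil, crypto.SHA1, time.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println("SHA-1 only:", VerifyChain(&tsa.PublicKey, material, chain, policy))
	chain, _ = AddArchiveTimestamp(tsa, material, chain, crypto.SHA256, time.Date(2016, 1, 1, 0, 0, 0, 0, time.UTC))
	fmt.Println("re-covered with SHA-256 in 2016:", VerifyChain(&tsa.PublicKey, material, chain, policy))
}
```

Because each link also covers the earlier links' TSA signatures, a later strong link protects the weak link's signature as well as its digest; what the rule cannot repair is a chain whose last link already uses a broken algorithm.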
Digital stamping means issuing digital signatures with a digital stamp designed for institutions (legal persons), applied either by an employee of the institution or automatically by an application. Put simply, a digital stamp is the equivalent of an ID card for companies.
AS Sertifitseerimiskeskus (Certification Centre) offers the following for digital stamping:
- DigiDoc3 client software, installed together with the ID card software (Windows only; guide in Estonian),
- TempelPlus software for mass signing,
- the DigiDocService web service, and
- the DigiDoc libraries for building your own digital stamping applications.
Encryption / decryption
eID documents can also be used to encrypt and decrypt files, using the key pair of the authentication certificate. This function is primarily meant for transporting files safely across an unsafe environment (e.g. the Internet), not for long-term storage of data.
Attention: once a certificate has expired or been renewed, or a new ID card is in use, a document encrypted for the previous certificate can no longer be decrypted, because the matching private key is no longer available. Likewise, a container encrypted for an ID card cannot be decrypted by the same person with his or her digital ID, which carries a different key pair. These are the reasons why encrypted documents are not meant for long-term storage.
One way to encrypt documents is to create a cryptographic container compatible with the XML Encryption Syntax and Processing standard, which stores the encrypted documents, the recipients' certificates and other useful metadata. The tools needed for encryption and decryption are available in the DigiDoc libraries; further information can be found on the id.ee page about encryption.
Another widespread application is e-mail encryption using the S/MIME standard, where a message is encrypted with the recipient's public key (found in their personal identification certificate).
Attention: S/MIME-encrypted messages can only be sent to the e-mail address included in the certificate; in practice this means encrypted messages can only be sent to the recipient's @eesti.ee address.
Encryption has many other uses as well; since an eID document can be used to encrypt any byte sequence, it can be applied anywhere.
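Encrypting a byte sequence for one or more certificates, as an added Go example; this is neither the XML Encryption container nor the DigiDoc library code. The content is encrypted once with a random AES-256-GCM key, and that key is wrapped with RSA-OAEP under each recipient's public key, which in practice would be taken from the recipient's authentication certificate. The recipient keys, certificate serial numbers and file contents are constructed. Decrypting with a renewed certificate (new serial, or a new key under the same serial) fails, which is the failure mode the note above warns about.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Recipient is one entry of the container's recipient list: which certificate
// (by serial) the content key was wrapped for, and the wrapped key itself.
type Recipient struct {
	CertSerial int64
	WrappedKey []byte // RSA-OAEP encryption of the AES key under the certificate's public key
}

// EncryptedContainer is the constructed transport format: one AES-GCM
// ciphertext plus a wrapped copy of the content key per recipient.
type EncryptedContainer struct {
	Nonce      []byte
	Ciphertext []byte
	Recipients []Recipient
}

var oaepLabel = []byte("eid-example-content-key") // constructed label tying the wrapped key to this use

// Encrypt generates a fresh content key, encrypts the data once, and wraps the
// key for every recipient certificate's public key.
func Encrypt(plain []byte, recipients map[int64]*rsa.PublicKey) (*EncryptedContainer, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients")
	}
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ec := &EncryptedContainer{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}
	for serial, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
		if err != nil {
			return nil, err
		}
		ec.Recipients = append(ec.Recipients, Recipient{CertSerial: serial, WrappedKey: wrapped})
	}
	return ec, nil
}

// Decrypt looks up the entry wrapped for the given certificate and unwraps it
// with the matching private key. A renewed certificate (new serial) finds no
// entry, and a different key under the same serial fails to unwrap.
func Decrypt(ec *EncryptedContainer, certSerial int64, priv *rsa.PrivateKey) ([]byte, error) {
	for _, r := range ec.Recipients {
		if r.CertSerial != certSerial {
			continue
		}
		key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.WrappedKey, oaepLabel)
		if err != nil {
			return nil, fmt.Errorf("cannot unwrap content key for certificate %d: %w", certSerial, err)
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, ec.Nonce, ec.Ciphertext, nil) // fails on any change to nonce or ciphertext
	}
	return nil, fmt.Errorf("container was not encrypted for certificate %d", certSerial)
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	renewed, _ := rsa.GenerateKey(rand.Reader, 2048)
	ec, _ := Encrypt([]byte("report.pdf bytes (constructed)"), map[int64]*rsa.PublicKey{101: &alice.PublicKey})
	plain, err := Decrypt(ec, 101, alice)
	fmt.Printf("%s %v\n", plain, err)
	_, err = Decrypt(ec, 102, renewed) // renewed card: new certificate serial and new key
	fmt.Println(err)
}
```

Only the content key is public-key encrypted; the data itself is protected by the symmetric key, so the container stays the same size whether it has one recipient or many, and the authenticated cipher mode also detects modification of the ciphertext in transit.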
In addition to the main functions listed above, an ID card can also be used for the following purposes:
- transport card, primarily as an ID ticket. This is implemented as a database on a central server in which personal identification numbers are tied to the respective travel rights, mostly a particular type of monthly ticket. When travel rights are checked, an ID card reader is used to read the passenger's personal identification number quickly and smoothly (the ID card itself holds no information about travel rights);
- library card (libraries using the URRAM information system can use the ID card as a library card);
- loyal customer card, see the section "ID card as a loyalty card";
- door or entry card;