Security and Privacy Threats of the Belgian Electronic Identity Card and Middleware
Related papers
Security and Privacy Improvements for the Belgian eID Technology
IFIP Advances in Information and Communication Technology, 2009
The Belgian Electronic Identity Card enables Belgian citizens to prove their identity digitally and to sign electronic documents. At the end of 2009, every Belgian citizen older than 12 years will have such an eID card. In the future, usage of the eID card may be mandatory. However, irresponsible use of the card may cause harm to individuals.
The evolution of the e-ID card in Belgium: Data privacy and multi-application usage
Since mandating in 2004 that all Belgian citizens carry electronic identification cards (e-ID), Belgium has been at the forefront of trends in electronic identification. As an e-ID card has become a necessity for service provisioning, the government has also started with distribution of e-ID cards to non-Belgians and children under the age of 12. Up until quite recently, the e-ID card only held the basic information of citizenship. This paper will examine the evolution of the e-ID card, and discuss the privacy issues of multi-application data on one card as the recent announcement of data for additional applications reopens the discussion of data linkage and data privacy for a card that is mandatory in usage.
Extending the Belgian eID Technology with Mobile Security Functionality
Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, 2009
The Belgian Electronic Identity Card was introduced in 2002. The card enables Belgian citizens to prove their identity digitally and to sign electronic documents. Today, only a limited number of citizens really use the card in electronic applications. A major reason is the lack of killer functionality and killer applications. This paper presents two reusable extensions to the Belgian eID technology that open up new opportunities for application developers. First, a secure and ubiquitously accessible remote storage service is presented. Second, we show how the eID card can be used to issue new certificates. To demonstrate the applicability and feasibility of both extensions, they are combined in the development of a secure e-mail application. The proposed solution offers strong privacy, security and key management properties while increasing the accessibility of confidential e-mail compared to existing solutions (such as PGP and S/MIME).
Enhanced Functionality Brings New Privacy and Security Issues – an Analysis of eID
Masaryk University Journal of Law and Technology (ISSN: 1802-5943) (eISSN: 1802-5951), 2018
As compared with traditional paper-based versions and the standard username-password login to e-Government services, the new electronic identity and travel documents have made on-site electronic and on-line authentication of citizens more comfortable and secure. The biometric passport was introduced in Hungary in 2006. A decade later the electronic identity card (eID) was implemented. The reason for the improvement of such documents is twofold: enhancing security features and performing new functions. The development is certainly welcome, but it also generates new types of risks, which governments and citizens must take into account. In this paper, I will first analyze the most widespread technologies of data storage cards from the passive elements to the chipcards, including the biometric passport. The objective is to provide an overview of the technical development as a background to my paper. I will then proceed to an analysis of the relevant EU and national legal background, data elements, data protection and the functions (ePASS, eID, eSIGN) of the new Hungarian and German identity card, as well as the security risks and protection properties of the eID-type documents. The paper concludes with a summary of the lessons learned from and the risks involved in the current solutions in Hungary and Germany.
The belgian electronic identity card (overview)
2006
Currently, Belgium is introducing an electronic version of its identity card. In this article, we shortly describe the card, and give a brief introduction to its cryptographic features. In particular, we focus on the Public-Key Infrastructure (PKI) associated with the card.
Insights on identity documents based on the Belgian case study
Information Security Technical Report, 2008
Efficient eGovernment and eCommerce require the ability to authenticate citizens and transactions online, whereas the increasing mobility of citizens demands reliable identification. Identity documents tend to become the most popular form of identity tokens used for these purposes. An important problem, however, is that they can easily be passed on or used by a fraudster. We discuss the use of identity documents and the problem of linking these documents with their genuine holder. We discuss ePassports and eID cards in general using the Belgian identity documents as a reference.
Personal Identification in the Web Using Electronic Identity Cards and a Personal Identity Provider
Lecture Notes in Computer Science, 2014
This paper presents a new paradigm for implementing the authentication of individuals within Web sessions. Nowadays many countries have deployed electronic identity cards (eID tokens) for their citizens' personal identification, but these are not yet well integrated with the authentication of people in Web sessions. We used the concept of Personal Identity Provider (PIdP) to replace (or complement) the role ordinarily given to institutional Identity Providers (IdPs), which are trusted third parties to which service providers delegate the identification and the authentication of their clients. By running locally on a citizen's computer, the PIdP paradigm is well suited to assist his/her eID-based authentication. In this paper we describe an eID-based authentication protocol handled by a PIdP, its implementation and its integration in a production scenario (a campus-wide, Shibboleth IdP-based authentication infrastructure used in University of Aveiro).
Privacy and Security-Related Challenges of the Future EU Digital Identity
Romanian Cyber Security Journal, 2022
The present article comprises a brief analysis of the concept, features and value of the future EU Digital Identity, while its main purpose is to X-ray the present technical infrastructure, the legislative framework and the cyber security challenges of the future EU e-Wallet. The article demonstrates that the implementation of future digital identities will pave the way to a greater range of e-government services, more efficient, a need that could be easily identified in the context of the COVID-19 pandemic. Nevertheless, in this context, it also highlights the role of cyber security in the context of the ongoing digital transformation, under the conditions where it becomes more and more obvious that the benefits of the European digital economy and society can only be fully accomplished under the premise of cyber security, as cornerstone of digital transformation. In addition, the article also addresses some privacy and security-related issues of personal data transfers and storage linked to the future e-Wallets. The conclusion aims to underline the role of secure identification services in the context of building a trusted and secure Digital Identity for all European citizens.
The Italian Electronic Identity Card: Overall Architecture and IT infrastructure
… and Security in Inter- …, 2005
In this paper we describe the overall process of deployment of the Italian Electronic Identity Card: the way it is issued, services it is used for, organizations involved in the process, and the Information Technology (IT) infrastructure enabling the effective management of the whole process while ensuring the mandatory security functions. Organizational complexity lies in the distribution of responsibilities for the management of Personal Data Registries (on which identity of people is based) which is an institutional duty of the more than 8000 Italian municipalities, and the need of keeping a centralized control on all processes dealing with identity of people as prescribed by laws and for national security and police purposes. Technical complexity stems from the need of efficiently supporting this distribution of responsibilities while ensuring, at the same time, interoperability of IT-based systems independent of technical choices of the organizations involved, and fulfilment of privacy constraints. The IT architecture defined for this purpose features a clear separation between security services, provided at an infrastructure level, and application services, exposed on the Internet as Web Services. This approach has allowed to easily design and implement secure interoperability, since - notwithstanding the huge variety of IT solutions deployed all over the Italian Municipalities to manage Personal Data Registries - existing application services have not required major changes to be able to interoperate.