Branddocs is making a solid wager on the new Electronic ID 3.0 with NFC technology since it is the most secure unequivocal credential in the market for digital identification of individuals.
The Spanish Electronic ID is an aggregator of physical and digital attributes with the greatest authentication and guarantee in the market, which in its newest 3.0 version has been given the most advanced technology for its use not only as an identifier, but also as qualified electronic signature legally equivalent to the handwritten signature.
Currently 43 million citizens have the Electronic ID 2.0 who will slowly transition to the new eID 3.0. These persons have available or will have available a smartphone with the capacity to read the DNIe 3.0 through the NFC technology.
This time it seems that the Spanish government and specifically the Police once again are waging on becoming the standard certification authority in the market and everything points to the use of the current science and the market penetration of these technologies will allow them to do so.
Certainly, we find ourselves before what will likely become the standard identification in the market and we will risk on making a strong wager for its wide use in the coming years for identification and signature of users for their digital trusted transactions.
About the Electronic ID 3.0
The Spanish Electronic ID 3.0 (DNI 3.0) is the aggregator of physical and digital attribute with the most recognition and guarantee in the market, with its newest version employing the most advanced secure reading technology for its use not only as an identifier but as a qualified electronic signature legally equivalent to the manuscript signature.
“The electronic National Identity Document is the document that accredits physically and digitally the identity of the carrier and allows the electronic signature of documents.”
The birth of the electronic National Identification Document (DNIe or DNI 1.0) was designed to meet the need of granting personal identity to citizens for their use in the new Information Society, in addition to serving as a clear example of the digital credential and aggregator of identity attributes.
Its objective was to contain the data of affiliation of the citizen, the biometric data (fingerprints, photo and handwritten signature) and the two RSA keys with their respective certificate (authentication and signature) for the citizen to be able to be identified securely and unequivocally.
In March 2006, Spain began to issue DNIe 2.0. Its the “natural” evolution of the before mentioned National Identity Document (DNI 1.0), adapted and conceived in order to make use of the Information Society, with a goal of enabling carriers to access a series of electronic services.
It’s a plastic (polycarbonate) card that incorporates a chip with digital information and has identical dimensions to credit cards (85,60 mm wide x 53,98 mm height). It’s obligatory from age 14, although it can be requested from birth.
The digital credential and the most secure and versatile unequivocal electronic signature on the market
The DNI 3.0 is the new version of the DNI that was presented on January 2015 with distribution starting in the last trimester of 2015. The most important novelty is the incorporation of the contactless technology NFC (Near Field Communications).
It is important to highlight that DNI 3.0 has a “Dual Interface” characteristic, which means that it will continue to be used as it has been until now with the DNI 2.0 by connecting it to a card reader, it maintains former functionalities. Or it can be used through its contactless interface that allows the user to enjoy of the same conditions but through the NFC technology for the data transfer.
Near Field Communications – NFC, is the name of the mobile technology that is experiencing a huge upsurge in recent years thanks to its versatility and its utility.
Most terminals (Samsung Galaxy and the iPhone from models 6 and 6s, for instance) and new generation tablets use NFC thus opening a world of benefits for users to be able to identify themselves, sign digitally, make payments – although today Apple dedicates this technology exclusively to Apple Pay – it is assumed that it will eventually allow its users to leverage it to access important functionalities.
The most important and noteworthy aspect of NFC is its communication without pairing, thus allowing the transfer of data with a simple gesture, without additional steps of connecting additional devices or additional hardware. However, it does have a maximum reach of 20 cm, thus making it obligatory to pass the mobile by the NFC end point (DNIe 3.0).
NFC is a means of secure wireless transmission: in the first place, the reduced distance to realize the action makes it difficult for a third device to interfere in the action. On the other hand, the transmissions can use security encryptions such as SSL, hence the data travels between devices the same as it occurs for other types of transactions on Internet considered completely secure.
NFC operates in the band 13.56 MHz (in this band there is no license required for its use) and derives the label of RFID lately very common for transport cards or security systems of stores and companies.
NFC is an open platform initially designed for mobile devices. Its transfer speed can reach 424 kbit/s thus making its focus for the transfer of instant communications rather than large files, in order words identification and validation of devices and persons. It strong points are the speed of communication, which is almost instantaneous without prior pairing of devices and its transparent use to the users since the NFC devices are able to send and receive information at the same time. One of its drawbacks are that it works in short distances (10-20 cm).
The NFC technology works in two modalities:
NFC Active Mode, both devices are equipped with an NFC chips generating an electromagnetic field and data exchange. Both devices rely on a power source as a battery, for example.
NFC Passive Mode, in which there is only one active device and the other uses the field to exchange information. This mode has extensive use in NFC tags, for cards and ID bracelets. Since one of the devices is passive it means that it does not depend on a power source or battery for its use. A use case would be an access card or DNI 3.0.
Although it is based on secure technology, one of the potential questions that concern new users of the DNI 3.0 is security.
NFC permits high frequency communications but in short distances – let’s remember that the devices must be practically on one another (10 cm may cause errors). And although it is a short distance, it being communication by radio frequency the doubt arises if it is a truly secure channel and if it is truly not possible for someone to intercept the signal and access the communication and the information of the DNI 3.0 is exposed to fraudulent acts.
It also tends to worry users that the NFC reader can identify them without their consent. To prevent establishing a non-authorized communication, the DNI 3.0 has a feature that makes the data inaccessible without the unique access code and personal 6 digits that come directly on the DNI, denominated CAN code.
The CAN code guarantees the security of our data ensuring that our data cannot be read, nor identification without consent. This way, thanks to the CAN code only the physical holder of the DNI can read the personal code.
The CAN code is robust security characteristic, but we should remember that to make use of the certificates in the last instance there is another authentication factor – PIN or corresponding unequivocal access code for each user.
The CAN code and PIN make fraudulent use of the DNI 3.0 very difficult.
DNIe 3.0 Legal Framework
As article 1.2 of the RD 1553/2005 of 23 December establishes, the issuance and regulation of national identification documents and their electronic signature certificate, “This document has sufficient value, on its own, to accredit the identity and personal data of the holder to whom it was granted, as well as the Spanish nationality of the same.”
From reading this article the characteristics of the traditional DNI are confirmed, it maintains in all of its extension of the electronic DNI, it increases in the new functionality of electronic signature of documents, in the terms previewed by the 59/2003 Law of 19 December on electronic signatures.
The 59/2003 Law of 19 December on electronic signatures, has come to be attributed to the national identification document’s new effects and utilities:
To create a document that certifies the identity of a citizen not only in the physical world but also in telematics transactions, to allow signing any type of electronic document. Using a secure device to create the signature, the electronic signature realized through the electronic DNI will carry the same effects as the manuscript signature.
Issue the electronic DNI in one administrative action, thus reducing the time required to obtain it.
Interoperability with European digital identity projects.
Foster trust in electronic transactions.
Acceptance by all the public administrations and public service entities or those dependent on the use of the electronic DNI (for example, to submit tax returns, request a residency certificate, register births or place a pension claim). With the approaching effective date of the eIDAS regulation, the DNIe 3.0 will be considered qualified electronic signature with all the legal effects of the manuscript signature for all the countries in the European Union.
Physical structure of DNI 3.0
The DNIe 3.0 is made up of two parts:
Physical Card. ISO 7816-1 Standard, composed of polycarbonate with an NFC antenna.
Chip. Model SLE78CLFX408AP by Infineon Technologies. DNIe v4.0 operating system (commercial version DNIe 3.0) with 400KB flash memory (code and customizable), 8KB RAM memory, dual interface (contact/ contactless) and RSA encryption library with 8 types of Encryption Data:
- Citizen keys.
- RSA public authentication key (Digital Signature).
- RSA non-repudiation public key (ContentCommitment).
- Public key of root CA for card verifiable certificates
- Diffie-Hellman keys.
In addition to the encryption data, the DNIe 3.0 has following management data- manufacturing tracking and serial number of the element.
Finally, DNIe 3.0 has three types of certificates:
Component Certificate. Its objective is to authenticate the DNIe through the mutual authentication protocol defined in CWA 14890 (version 2013).
Authentication Certificate. The goal of it is to electronically guarantee the identity of the citizen while conducting a telematics transaction. The Certificate of Authentication (Digital Signature) ensures that the electronic communication is carried out with the person that it claims to be. The card holder through the possession of the certificate proves identity to anyone since s/he is in possession of the identity certificate and the private key associated with it.
Signature Certificate. This certificate is what we will use to sign documents guaranteeing the integrity of the document and no-repudiation of the origin. This certificate is issued as a qualified certificate and created using a secure device for signature creation, which turns the advanced electronic signature into qualified electronic signature, equating it with the manuscript signature (Law 59/2003,1999/93/CE Directive until 1 July 2016 when the eIDAS regulation goes into effect.
Moreover, with the DNI 3.0 it widens the validity of the two identification certificates and signature of the DNI 2.0 and allows reading without PIN of the identification certificate, which eliminates the need to enter the PIN repeatedly for the transaction and blocking the PIN if its introduced incorrectly.
Use cases for DNI 3.0
The Authentication Certificate (Digital Signature) ensures that the electronic communication is carried out with the person that it claims to be. The holder can, through the certificate, accredit his/her identity before anyone thanks to the DNI 3.0 since the identification certificate and the private key associated with it are in his/her possession.
Electronic signature of documents.
Through the use of the Signature Certificate (non repudiation), the recipient of an electronically signed message with DNI 3.0 can verify the authenticity of the signature, with proof of the identity of the signer.
Document Integrity Certificate.
The guarantee of the integrity of the document is done through the utilization of the hash functionalities, used in combination with the electronic signature. It proves that the document has not been modified. This also allows us to check if a signed message has been altered after being sent.
To guarantee the “integrity” of the document a summary of the document is signed with the private key of the owner of the DNIe 3.0 so that if changes are made retrospectively to the document the change will also show in the summary and thus breaking the “integrity”.