The Belgian eID
Belgian eID - intro
Functionality of the BeID card
Originally referred to as Belpic - the Belgian electronic identity card.
The Belgian eID (electronic identity card) combines the features of a traditional identity card (identification of the citizen,
travel document within the EU) with the possibilities originally created by the EC Directive 1999/93 for electronic signatures.
This directive was replaced by the eIDAS regulation (EC 910/2014). The basic functionality of the card can be described as:
- visual authentication of the citizen (picture is printed on the card, and also available electronically as JPEG)
- electronic authentication of the citizen (e.g. logon to government webserver) using the citizen's authentication key
- electronic signature of the citizen (e.g. signing an XML or pdf document) using the citizen's signature key
- electronic authentication of the card itself (a basic key pair, without certificate but the National Register (RRN or Rijksregister der Natuurlijke Personen) maintains a list of which public key corresponds to which eID card)
There is no encryption/decryption capability offered.
There are three different instantiations of the BeID concept:
- the Belgian National eID card for citizens registered in the National Register
- the Electronic Foreigner Card (EVK)
- the Kids card for children
Applications
You can use the card for authentication in a web context, or you can use it to secure SSH sessions or similar.
You can sign XML, MS-Word, Acrobat PDF or anything you'd like (assuming the format supports smart cards and electronic signatures).
The first application was Mijn Dossier from the National Register.
This allows a citizen to retrieve a basic statement about himself on name, address, status etc in signed XML.
Here's a copy of mine.
The my.belgium.be site gives an overview of public sector applications. There are countless
applications, particularly in eHealth. This includes e.g. the administration of vaccinations.
For eGov purposes, a role management system has been set-up.
The IAM apps site 'Mijn digitale sleutels' binds it together.
Data visually present on the BeID card
The front of the eID card lists name (i.e. name, two first names, first letter of third name), title, nationality, birth place
and date, gender, card number, card validity dates, picture and hand-written signature of the holder.
The back of the eID card lists place of delivery of the card, the National Register Number (NRN) of the citizen, hand-written
signature of the civil servant delivering the card, and ICAO machine readable identification.
Data electronically present on the BeID card
Two applications can deliver data in electronic format:
- the identity application
- identity file
- chip number
- a copy of the information that is visually present on the card including NRN
- additional data: noble condition (king, prince, earl, ...), special status (white cane, extended minority, ...)
- card number, card validity dates, card delivery municipality, document type (Belgian citizen, EU citizen, non-EU citizen,
bootstrap card, habilitation/machtiging card)
- address file (street, number, zip-code, municipality)
- picture file (JPEG)
- the cryptographic application (callable e.g. through the PKCS11 middleware)
- two PKI key pairs and certificates for the citizen (authentication and signature, note that no encryption is included)
- one PKI key pair for the card itself (without certificate)
Technical features of the card
The card originally selected was a Gemalto (started as Schlumberger, then Axalto, now Gemalto) Cryptoflex JavaCard 32K, equipped with a 16 bit microcontroller (Infineon SLE66CX322P)
and an additional crypto processor (for RSA and DES computations). The card has ROM, EEPROM and RAM. The Belpic Java Applet handles all communications with the outside world.
On behalf of the Belgian government, Zetes delivers specific middleware intended to be used together with the card.
From an application's perspective, there are four categories of functions available (high-level summary only):
- Initialisation and termination: BEID_init and _exit
- General purpose: BEID_BeginTransaction, _EndTransaction, _SelectApplication, _ReadFile, _WriteFile, _VerifyPIN, GetPINStatus, _ChangePIN
- Identity functions: BEID_GetId, _GetAddress, _GetPicture, _GetRawData, _SetRawData
- Low-level functions: BEID_GetVersion, _SendAPDU
Visual security mechanisms include rainbow and guilloche printing, CLI (Changeable Laser Image), OVI (Optical Variable Ink), Alphagram, relief
and UV print, and laser engraving.
Timeline
Timeline - overall
The overall timeline can be approximated as:
- 1999 - eSignature: EC Directive 1999/93 on Electronic Signatures (excluding authentication)
- 2001 - eIdentity: EC Treaty of Nice - stipulates and confirms that identity is a national matter
- 2002 - eIdentity: the European Council defines a uniform model of the Foreigner card. (EG) n°:1030/2002 (13th June 2002)
- 2004 - eIdentity: EC Regulation 2252/2004 of the Council (13 December 2004)
- establishes standards for security and biometric aspects in e-passports
- outlines that the Regulation does not apply to MS identity cards since identity is a MS matter
- 2005 - eIdentity: Commission Decision (28 February 2005) about technical specifications for integration of a facial image in an e-passport (due by 2006)
- 2005 - eIdentity: Council Declaration (Justice) calls for identity cards that are secured according to e-passport standards, and Council Conclusion (2005-12) to do so
- 2006 - eIdentity: Commission Decision (28 June 2006) about technical specifications for integration of fingerprints in an e-passport (due by 2009)
- 2007 - eIdentity: STORK pilot project started
- 2008 - eIdentity: EC Directive 380/2008 modifies 1030/2002 and adds biometric data to the foreigner card for non-EU subjects (18th April 2008)
- 2009 - eIdentity: the Technical Specifications for the Foreigner card are published C(2009) 3770 (20 May 2009)
- 2009 - eSignature: publication of TS 102 231, the EU trust list for validation of eSignatures
- 2011 - eIAS: Digital Agenda, launch of the IAS study by DG Information Society (execution by DLA Piper, Timelex, Sealed, SNG and PwC)
- 2012 - eIAS: eSignature directive is rewritten in the context of the Digital Single Market (eIAS/electronic trust services)
- 2014 - eIDAS Regulation
- 2015 - eIDAS Implementing Acts
- 2021 - eIDAS impact assessment/EU.Id concept launched
Timeline - Belgium
The timeline can be approximated as:
- 2000 - Belgian Council of Ministers approves eID concept study (EU-wide travel document and SSCD - Secure Signature Creation Device)
- 2001 - Belgian Council of Ministers approves the basic concepts (PKI smart card, for the time being no integration with SIS card or driving license, no biometrics).
FEDICT is given overall project ownership.
- 2002 - contract assignments:
- infrastructure contract to Steria (connectivity, database expansion)
- smart card contract to Zetes (card personalisation as well as creation of eID middleware)
- certification services to Belgacom (Belgian Root CA)
- advice contract to PwC
- 2003
- First eID cards issues to civil servants, first pilot municipality starts issuing eID cards
- Federal Public Service (FPS) Economic Affairs publishes the first 'Accreditation Scheme for Qualified Digital Signatures'
- 2004
- Pilot phase evaluation results in decision for national roll-out
- PwC performs first informal accreditation review on behalf of FPS Economic Affairs
- 2005 - all newly issued identity card in Belgium are eID cards
- 2006 - PwC performs first formal accreditation review on behalf of FOD Economic Affairs
- by 2009 the national roll-out was completed, and electronic Kids and Residence cards are introduced
- 2010 - PwC assists FPS Economic Affairs to establish criteria for Certificate Service Providers (CSP) and Registered E-mail (REM) Providers
- 2011 - Introduction of eID ecosystem components such as the eID applet, IdP, DSS
- 2012 - Audit by the State Auditor (Rekenhof/Cours des Comptes)
- 2014 - Royal Decree on unconnected credentials (17/7/2014 (published 8 Augustus 2014) - Koninklijk besluit tot vaststelling van de voorwaarden,
de procedure en de gevolgen van de erkenning van aanmeldingsdiensten voor digitale overheidstoepassingen die gebruik maken van niet-verbonden
aanmeldingsmiddelen)
- 2016 - Law 21/7/2016 on eIDAS
- Implements eIDAS
- Updates the Economic Law
- Allocates supervision responsibility to 'Federale Overheidsdienst Economie, KMO, Middenstand en Energie'
- 2017 - Law 18/7/2017 on electronic identification
- Mandates BOSA to operate authentication services
- Cross-border/SDG services
- KB of 17/7/2014 is withdrawn
- 2017 - Royal Decree 22/10/2017 on electronic identification for public services,
- Koninklijk besluit tot vaststelling van de voorwaarden, de procedure en de gevolgen van de erkenning van diensten voor elektronische identificatie voor overheidstoepassingen
- Aanwijzing van instanties conform de wet van 18 juli 2017 inzake elektronische identificatie
- Defining conditions, procedure and consequences of recognition of (private) eID services (such as ITSME)
- LOAs: substantial/high
- Recognition procedure and payment terms for service providers of authentication services
- 2017 - BOSA - Handbooks - Technical specifications related to the Royal Decree of recognition of partner’s electronic identification service,
- 2018 - Law of 20 september 2018 for harmonisation of electronic signature and reliable electronic media (de wet van 20 september 2018 tot harmonisatie van de begrippen elektronische handtekening en duurzame gegevensdrager en tot opheffing van de belemmeringen voor het sluiten van overeenkomsten langs elektronische weg)
regelt gebruik electronische documenten en email
- Wijziging van het Burgerlijk Wetboek Art. 2
- Wijzigingen van het Wetboek van economisch recht Art. 3-12
- Wijziging van het Wetboek diverse rechten en taksen Art. 13
- Wijzigingen van het Wetboek van vennootschappen Art. 14-15
- Wijziging van het Sociaal Strafwetboek Art. 16
- Wijzigingen van andere wetten Art. 17-34
- Wijzigingen van koninklijk besluiten
- 2020 - BOSA's FISP - Federal Information Security Policy
BeID ecosystem
A BeID ecosystem evolved around the card, including:
- BeID middleware
for the client side, taking care of the specific PKCS#11 implementation where the PIN is asked everytime the signing key is used
- BeID applet
that enables the use of the BeID card in a browser, running with and without eID middleware installed
- further trust services and signature services are evolving (refer to code.google.com)
- reverse proxy so an application server can call Belgian PKI services (based on Apache's reverse proxy, updated mod_ssl for OCSP, additional module for certificate validation etc)
- FAS (Federal Authentication Service, based on SAML v1) supports BeID and token) with a reference implementation based on Apache/JBoss/MySQL
- Firefox BeID add-on
- FEDICT's Frank Cornelis' e-contract site on web integration - technical details
Plans included a custom-built identity and access management system, e.g. based on JBoss and ForgeRock OpenAM.
Applications
Federal government
Other
Oversight and discussion
Belgium
Related
Technical foundation
Belgian Root
eID
- eid.belgium.be
- FOD BiZa - Dienst Vreemdelingenzaken - EVK - Electronische Vreemdelingen Kaart
- Repositories of certificates and CPSs
Related
Development
BeID on Android
Resources
Cardreaders
Getting the card to work
Follow these two steps to download the eID software on Linux:
- Install the "eID-archive" package, enabling the eID package repositories.
- Repositories are enabled in the file /etc/apt/sources.list - and in the folder /etc/apt/sources.list.d
- eid.list
- deb http://files.eid.belgium.be/debian buster main
- deb http://files2.eid.belgium.be/debian buster main
- buster-backports.list
- google-chrome.list
- Use 'apt list --installed | grep eid' to find e.g.
- beid-mozilla-extension/stable,stable,now 5.0.23v5.0.23-0deb10-1 all [installed,automatic]
- beid-mozilla-webext/stable,stable,now 5.0.23v5.0.23-0deb10-1 all [installed,automatic]
- eid-archive/stable,stable,now 2021.1 all [installed]
- eid-mw/stable,stable,now 5.0.23v5.0.23-0deb10-1 amd64 [installed]
- libbeidpkcs11-0/stable,stable,now 5.0.23v5.0.23-0deb10-1 amd64 [installed,automatic]
- libbeidpkcs11-bin/stable,stable,now 5.0.23v5.0.23-0deb10-1 amd64 [installed,automatic]
- Install the "eid-viewer" and/or "eid-mw" packages in the usual way for your distribution. This may require you to first perform an update of the indexes (e.g. using "apt-get update").
- As shown above, eid-mw was installed.
- 'sudo apt-get install eid-viewer', then launch eid-viewer from the desktop
Legacy - getting the card to work on Debian 8 Jessie
I went through the following steps to use the card on my Debian Jessie (Debian 8) with the ACR38 reader.
- With Jessie, no eID software comes included (you can check this via e.g. Synaptic)
- You need to download the deb, which contains both middleware and viewer
- Then do "dpkg -i eid-archive_2017.2_all.deb"
- And "apt-get update" and "apt-get install eid-mw eid-viewer" (you can invoke eid-viewer as test)
- Finally, install the BEID plug-in on Firefox, and TaxOnWeb works fine
Legacy - getting the card to work on Ubuntu
I went through the following steps to use the card on my Lucid Lynx (Ubuntu 10.4) with the ACR38 reader.
- With Lucid came beid-tools and beidgui, automatically (you can check this via e.g. Synaptic).
- Unfortunately the middleware in the official repository is outdated, and lacks e.g. the new root certificate.
So reading a card with the beidgui fails with "wrong root certificate". You can also check https://bugs.launchpad.net/ubuntu/+source/belpic/+bug/546366 on this
- So download deb package from "http://eid.belgium.be/nl/Hoe_installeer_je_de_eID/Linux/".
- If you want to see what's inside: "dpkg -c packagename".
- "sudo dpkg -i eid-mw_4.0.0r925_amd64_tcm147-132618.deb" failed because libbeidlibopensc2 is conflicting
- "sudo dpkg -i eid-mw_4.0.0r925_amd64_tcm147-132618.deb --auto-deconfigure" also failed for the same reason
- so I manually removed all all installed beidlibs and related packages via Synaptics
- then "sudo dpkg -i eid-mw_4.0.0r925_amd64_tcm147-132618.deb" went smoothly
- now you have the middleware, but the beidgui and tools are still missing
- So "sudo apt-get install beidgui" which results in terrifying messages that your newly installed eid-mw package will be removed and all the wrong packages will be reinstalled from the official repository (you definitely don't want this)
- Checkout http://grep.be/blog/en/computer/debian/belpic/ which suggest to download "eid-viewer_4.0.0r52_amd64.deb" from http://code.google.com/p/eid-viewer/downloads/list
- Download the viewer deb, then "sudo dpkg -i eid-viewer_4.0.0r52_amd64.deb". This works fine, to run just enter "eid-viewer". Documentation in /usr./share/eid-viewer
- So far so good but TaxOnWeb fails with "SSL peer was unable to negotiate an acceptable set of security parameters.(Error code: ssl_error_handshake_failure_alert)"
- From /usr/share/doc/eid-mw's README:
To use the Belgian eID in Firefox, we recommend the Firefox extension to handle configuration automatically.
The extension will be installed on Linux and OSX. The default install locations:
- Linux: DATADIR/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
- So go https://addons.mozilla.org/en-US/firefox/addon/belgium-eid/, install, restart Firefox, and you're done
.