Last update: 04/2005
What is PKI?
The IDABC PKI is a Public Key Infrastructure (PKI) for Closed User Groups, developed under the former IDA Programme. Through its establishment and the related Certificate Policies (CPs), it enables secure data communication between end-users in public administrations across the EU Member States and within the European Institutions working on different IDABC sectoral projects. The IDABC PKI currently provides personal and functional certificates to the end-users of sectoral closed user groups, as well as server certificates.
Objectives
The key objective of this service is to make a Certification Authority (CA) available to IDA Projects of Common Interest (PCIs). Through the PKI, IDABC aims to improve the security of information exchanged by electronic means between the Member States and the European Community. The IDABC PKI is designed to complement the national PKIs, which are not always available to members of IDABC sectoral networks and, although technically interoperable, not always organised to support cross-border transactions.
How does it work?
The IDABC PKI is accessible to the members of any IDABC sectoral project who have access to the TESTA network or the Internet. By offering both personal or functional certificates for closed user group members and server certificates for sectoral web-based or server-based applications, the IDABC PKI enables the following security services for end-users based in national administrations across the EU Member States and the European Institutions:
- Server authentication - the server proves its identity to the users, so they can be sure they are connected to the correct server.
- Client authentication - the server is able to distinguish authorised end-users from those trying to gain access to the system without authorisation.
- Electronic signatures - a user is able to sign a document (or e-mail) electronically, and the receiver can verify both the signature and that the document has not been changed after it was signed.
- Confidentiality - provided by encrypting the exchanged data with a pair of encryption keys (private/public).
Let's look at how the IDABC PKI for closed user groups works in practice.
Based on an assessment of the security requirements of a sectoral project, either the standard IDABC PKI Certificate Policy or a dedicated IDABC CP is used to define the applicability of the electronic certificates for that sectoral project. In either case, to have access to the services, the end-user must have a key pair as well as a certificate. To take a concrete scenario: Maria is a civil servant within Portugal's General Directorate of Veterinary Medicine (DGV). She is part of a Committee of Experts dealing with BSE, established under a Commission sectoral project under the responsibility of DG SANCO. The work of that sectoral project requires the e-mail exchange of sensitive information between the members of a Closed User Group made up of the respective Member State authorities (e.g. Portugal's DGV) and the Commission. Before Maria can participate in the secure e-mail exchange of sensitive information, however, she needs to acquire a certificate as well as a pair of keys. To do so, the following steps need to be followed:
- The user generates a key pair and the associated certificate request with the help of a programme downloaded from the Internet. Maria completes the information requested on the request form and sends it off to the Registration Authority (RA).
- The RA and the requester exchange the information needed to verify the user's identity and the legitimacy of the certificate request. Maria provides all the necessary information proving her identity and her right to access the network (e.g. the number and a copy of an identity card, driving licence or passport). Depending on the applicable procedure, other documents may be required as well.
- Alternatively, a Local Registration Authority (LRA) is called upon to testify that the requester is entitled to receive a certificate. In this particular case, Maria is processed centrally, so her Ministry (MADRP) does not have to be involved as the LRA.
- The RA accepts or rejects the request. If accepted, the RA registers it with the CA server through a secure web interface. Maria's request is accepted and thus registered on the CA server.
- If the request is accepted, the CA creates the public certificate of the user (the certificate holder) and informs the user how and where they may obtain it. Maria's request is accepted and she receives a message from the RA to this effect. She is also advised that she can retrieve her certificate by downloading it from the server. She does this and stores it securely together with her private key. Her e-mail programme is now ready to send signed and encrypted messages to the Committee of Experts.
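The enrolment steps above and the four security services listed earlier (server/client authentication, electronic signatures, confidentiality) can be walked through end to end with the openssl command line. The script below is an added example written for this page, not the IDABC project's own tooling or Certipost's service: the group CA, the RA decision, the end-user "Maria", the outsider certificate and all file names are constructed for illustration. It generates the user's key pair and certificate request, has the CA sign it, checks that only certificates chaining to the group CA are accepted, signs and verifies a document (and shows that an altered copy fails), and encrypts a message to the certificate holder.

```shell
#!/bin/sh
# Added example (not the IDABC project's own code): a miniature closed-user-group PKI
# driven through the openssl CLI. All names, subjects and file names are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# CA operator: the group's Certification Authority, a self-signed root certificate.
setup_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
    openssl req -x509 -new -key ca.key -sha256 -days 365 \
        -subj "/O=Example Closed User Group/CN=Example Group CA" -out ca.crt 2>/dev/null
}

# Step 1 (end-user): Maria generates her own key pair and a certificate request.
# Only the request (public key + identity) goes to the RA; the private key stays with her.
user_request() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out maria.key 2>/dev/null
    openssl req -new -key maria.key -sha256 \
        -subj "/C=PT/O=DGV/CN=Maria Example" -out maria.csr 2>/dev/null
}

# Steps 2-5 (RA, then CA): after the RA has verified identity and entitlement, the CA
# signs the request. The certificate binds Maria's public key to her name; the public
# key is extracted alongside it so correspondents can use it.
ca_issue() {
    openssl x509 -req -in maria.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 180 -out maria.crt 2>/dev/null
    openssl x509 -in maria.crt -pubkey -noout > maria.pub
}

# Client/server authentication: a relying party accepts only certificates that chain
# to the group CA. Exit status 0 for a member certificate, non-zero otherwise.
verify_chain() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# Anyone can make themselves a self-signed certificate, but it does not chain to the
# group CA, so verify_chain rejects it: this is how the closed user group stays closed.
make_outsider() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout outsider.key -sha256 \
        -days 30 -subj "/CN=Not A Member" -out outsider.crt 2>/dev/null
}

# Electronic signature: sign with the private key, verify with the public key from
# the certificate. Usage: sign_doc FILE ; verify_doc FILE SIGFILE
sign_doc() {
    openssl dgst -sha256 -sign maria.key -out "$1.sig" "$1"
}
verify_doc() {
    openssl dgst -sha256 -verify maria.pub -signature "$2" "$1" >/dev/null 2>&1
}

# Integrity check: an altered copy of a signed document must fail verification.
# Returns 0 when the alteration is detected, 1 if the bad copy were accepted.
tampered_copy_fails() {
    cp "$1" "$1.altered"
    printf 'one extra line added after signing\n' >> "$1.altered"
    if verify_doc "$1.altered" "$1.sig"; then return 1; fi
    return 0
}

# Confidentiality: a correspondent encrypts to Maria's public key (RSA-OAEP here);
# only the holder of the matching private key can recover the plaintext.
encrypt_to_maria() {
    openssl pkeyutl -encrypt -pubin -inkey maria.pub -pkeyopt rsa_padding_mode:oaep \
        -in "$1" -out "$1.enc"
}
decrypt_as_maria() {
    openssl pkeyutl -decrypt -inkey maria.key -pkeyopt rsa_padding_mode:oaep \
        -in "$1.enc" -out "$1.dec"
}

# Full enrolment as described in the steps above.
enrol() {
    setup_ca
    user_request
    ca_issue
    verify_chain maria.crt
}

enrol
printf 'Constructed sample report for the Committee of Experts.\n' > report.txt
sign_doc report.txt
verify_doc report.txt report.txt.sig && echo "signature on report.txt: ok"
tampered_copy_fails report.txt && echo "altered copy: rejected"
encrypt_to_maria report.txt
decrypt_as_maria report.txt
cmp -s report.txt report.txt.dec && echo "decrypted message matches original"
make_outsider
verify_chain outsider.crt || echo "outsider certificate: rejected"
```

In a real closed user group the RA's identity check (step 2) happens between `user_request` and `ca_issue` and is an organisational decision, not a command; the script simply assumes the request was approved. The CA private key `ca.key` is the asset whose compromise would let anyone mint "member" certificates, which is why in practice it lives with the CA operator and never on an end-user machine.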
Achievements
The PKI was launched at the start of 1999. The IDABC PKI services are currently provided by Certipost. Initially the PKI services were used for user authentication to web applications. Today the focus among PKI customers is on electronically signed and encrypted e-mails between members of a closed user group on the one hand, and on server authentication on the other. During 2002, the IDABC PKI was implemented in one of the working groups of the Council of Ministers to encrypt e-mail exchanges among group members. Other examples are the use of the IDABC PKI in two of the networks in the Justice and Home Affairs sector to sign and encrypt all sensitive data exchanges. In 2004, a PKI closed user group was created for DG COMP to sign and encrypt sensitive competition information. DG REGIO has also set up such a closed user group to electronically sign documents related to regional policy funds. Server authentication applications have also been implemented through the use of IDABC server certificates for sectoral projects in DG TRADE, DG TREN and DG ENV.
Who benefits?
Public Administrations: This system is flexible enough for adoption by all IDABC networks. It can be adapted to the special requirements of particular user groups and allows members of individual communities to communicate with other networks that have been granted access rights.
The role of IDABC
Before certificates are issued to a sector, a user requirements study is carried out to determine the users' security needs and to ensure that the IDABC PKI is suitable for providing the required security services. This short study also identifies any requirements specific to the sectoral project that might need additional services (e.g. in the area of user registration) not covered by the generic PKI service.
Technical information
IDA budget:
- 1999: € 251,000
- 2000: € 495,000
- 2001: € 634,000
- 2002: € 618,000
- 2003: € 0
- 2004: € 220,000
Responsible service: DG Enterprise and Industry - IDABC Unit
Project coordinator: Gzim Ocakoglu
Contact: idabc@ec.europa.eu
Countries involved: All EU Member States
Documentation on PKI