Proceedings of the 14th IFAC Symposium on

Information Control Problems in Manufacturing

Bucharest, Romania, May 23-25, 2012

The design and implementation of an experimental model for secure management of

personal data based on electronic identity card and PKI infrastructure

A.Cernian*, A.Olteanu*, G.Mateescu*, M.Vladescu*, Gr.Stamatescu*,

A.Ropot**, C.Plesca***, M.Togan***, V.Sgarciu*, D.Carstoiu*, D.Saru*, M.
Anghel*, A. Oana*

*University POLITEHNICA of Bucharest, 313 Splaiul Independentei, Bucharest, Romania
(e-mail:vsgarciu@aii.pub.ro, Alexandra.cernian@ aii.pub.ro).
**CertSign, Bucharest, Romania
*** Academia Tehnica Militara, 81-83 Bulevardul George Coúbuc, Bucharest, Romania

Abstract: This paper presents an experimental information system for the management of personal data
and citizen identification, called PLATSEC, based on multi-application smartcards technologies and on
PKI infrastructures. The introduction offers a global view of the current context in Romania and
emphasizes the necessity of a new approach in the public sector ± which addresses both the public sectors
services and the public information security. The second section presents the platform architecture ± from
both software and hardware point of view. Afterward, we introduce and explain a use-case scenario,
which aims to prove our system efficiency and advantages, which have also been confirmed by the
quality assurance tests performed. In the end, there are a few main talking points that conclude all
presented above.

Keywords: Electronic identity cards, PKI infrastructure, secure personal data management, electronic
voting system.


1. INTRODUCTION
An information system used for the citizens¶
identification based on electronic identity cards (Sgarciu et.
al., 2011) represents a potential IT project for the Romanian
Government, with impact on the majority of governmental
institutions, such as the Public Administration and especially
on all components of the National Police ± SNAP (National
Syndicate of Police Agents) (Eched, 2004).
The identity card is the main document used for
identification in Romania, which proves WKH FLWL]HQV¶
inhabitancy and nationality. This project aims to demonstrate
that using an electronic identity card responds to the
international fight against terrorism and substantially
contributes to the minimization of illegal immigration.
Information systems convergence is realized using multi-
application smartcard technologies (Patriciu, 2006). This
approach allows the use of such electronic cards in a variety
of information systems such as e-Administration, e-
Governance, medical systems etc.
Implementing the electronic identity card at national
level brings major benefits from the national security and
fight against terrorism points of view and improves the
Government to Citizen electronic services.
Smartcard technologies are nowadays very popular
in information systems because they can ensure logical
security services ± identification, authentication, digital
signature and encryption for electronic documents and
controlled access in various types of networks. Combining
these information security abilities with the personal
information storage capability, we ensure a significant
improvement of electronic services using the existing
network infrastructure ± public and private networks, a
reduction of existing bureaucracy, the optimization of actions
and measures took to combat security threats, organized
crime and illegal traffic.
The electronic identity card stores all the
information needed for a person¶VLGHQWLILFDWLRQaccording to
the current legislation, as well as information regarding a
minimal medical record of the citizen and the driving licence
data - if the citizen has one.
2. RELATED WORK
Electronic identity cards have been successfully
implemented in other countries, such as Germany, Belgium,
and Italy.
In Germany, for example, the electronic ID card,
known as the Personalausweis (The German ID card, 2011),
is similar to a mini-passport, allowing citizens to travel
within the European Union, where they are not required a
regular passport. The German electronic ID cards can also
contain an integrated signature, if so desired.

978-3-902661-98-2/12/$20.00 © 2012 IFAC 1697 10.3182/20120523-3-RO-2023.00398

INCOM 2012, May 23-25, 2012
Bucharest, Romania
The card also allows the citizens to identify
themselves on the internet by using a smart card reading
device at home. After registering through an online account,
they are able to perform secure online shopping, download
music and, most importantly, interact with government
authorities online.
The German ID card is based on a protocol called
personalize the citizens and authorities cards. If the
operator card is ejected from the card reader, at any
step of the workflow, the application stops.
x Police Application - can be used only with a valid
professional card and is made out of 2 different
modules: Identity Card module ± where personal
information are displayed, and Driving Licence
³EDVLF DFFHVV FRQWURO %$&´ EXW RQO\ IRU WKH EDVLF GDWD
which is printed on the front of the card, the picture and the
name, because the BAC was successfully hacked by
university researches and security experts. The most
important fields are protected by a stronger proprietary
protocol.
3. SYSTEM ARCHITECTURE
The information platform for secure management of
personal data based on electronic identity card represents a
complex information system. The overall system architecture
is depicted in Figure 1 (Sgarciu et. al, 2011).
Based on the common requirements identified in the
applications in the fields mentioned above in terms of
infrastructure and services, we outlined a general framework
for the use of smartcard and PKI infrastructure in the sphere
of public sectors. This framework FRQWDLQVWKHV\VWHP¶VPDLQ
components and the actors involved in the smartcards and
digital certificates emission, manipulation and revocation
flows. Each actor is associated with specific roles, tasks and
rights.
To ensure information security, we defined two
categories of actors: actors who are allowed only to read data
from electronic identity cards and actors who are allowed to
write/update data on the electronic identity card. Thus, every
software application on the card, corresponding to each of the
roles defined above it will be a different certificates emitter
authority. The data read/write/update on the smartcards will
be allowed only in the presence of the right card ± the
authority card which has certificate emitted by the right
authority.
Based on real activities flows, we elaborated
software specifications for both on-card and off-card
applications, specifications which meet the real environment
requirements. We took into count the following application
types:
x Off-card applications - represented by the following
suite of applications: personalization centre
application, certificates issuer application, cards
management application etc.
x On-card applications - identity card application
(authentication and digital signature), identity
validation using biometric mechanisms (match-on
card technologies) or applications based on secure
confidential information storage (medical records).
The overall software architecture is depicted in Figure 2.
As defined in the Software Architecture, the off-card
application suite has the following components:
x Citizen and Professional Card Issuer Application ±
can be used only by the card operator to issue and
1698
module ± where additional information about the
driving licence can be displayed.
x Medical Record Update Application - can be used
by the family doctor, only with a valid professional
card, to update the basic medical information about
a citizen.
x Medical Application - This allows only the
visualization of medical information. It can be used
only by paramedics with a valid professional card.
x Electronic Vote System - used for online voting. It is
made out of 2 modules - the administration module
± only authorized persons can access it, and the
FLWL]HQV¶ module - which is a web-based application
facilitating the electronic vote using the citizen
smartcard and its associated PIN code.
x Personal information auto-complete application
which reads the information from the citizen smart
card and automatically fills in an online form. This
application is useful in every kind of public sector
services and it requirHV WKH FLWL]HQ¶V VPDUWFDUG 3,1
code.
The following section will present a use case scenario for
the PLATSEC application.
4. USE CASE SCENARIO
In this section, we present an example of a real workflow
(Sgarciu et. al., 2011), while emphasizing the benefits
brought by the implementation of the information platform
for secure management of personal data based on electronic
identity card and PKI infrastructure. The use case scenario is
depicted in Figure 3. Let us assume that a policeman wants to
identify a citizen, using the electronic identity card. In order
to accomplish this purpose, the following steps will be
performed:
x The policeman identifies himself using his
professional smartcard.
x If the citizen refuses to identify him/herself to the
authority by giving his/her electronic identity card,
the policeman can identify him/her using
biometrical techniques.
o The policeman can access WKH FLWL]HQ¶V
personal information from the database
using the Policeman Application described
in the previous section.
x If the citizen provides his electronic identity card,
the on-card applications stored on both cards will
proceed to the mutual authentication procedure. If
this step is successfully finished, the policeman can
visualize the FLWL]HQ¶VSHUVRQDOLQIRUPDWLRQWKURXJK
the Police Application described in the previous
section.
INCOM 2012, May 23-25, 2012
Bucharest, Romania
o According to the verification reason, the
policeman can act in order to give the
corresponding punishment (fee or
penalization points).
x The policeman updates the citizeQ¶V LQIRUPDWLRQ LQ
the database.
The following improvements have been brought to the
presented workflow:
x The cLWL]HQ¶V DQG SROLFHPDQ¶V GDWD LQWHJULW\ is
ensured.
x The ability to identify the delinquent if he refuses to
cooperate ± in the actual system, the identity
verification is a long and aggressive process, which
does not even guarantee success.
x Real-time update of the delinquent personal
information ± the fact that the policeman can see the
delinquent antecedents can help him act promptly,
by taking all the required precautions.
x The reduction of bureaucracy due to electronic mean
of data storage.
5. SYSTEM TESTING AND EXPERIMANTAL
VALIDATION
The experimental system presented in this paper has been
tested (Sgarciu et. al., 2011) using a structured strategy,
aimed to cover the following aspects:
x The compliance of the implemented system with the
predefined set of specifications. This verification
was based on real test cases for all the functionalities
required.
x The system complexity. This verification was made
using a traceability matrix between the test cases
and the experimental system.
x The system security ± using security tests and
scenarios.
x The systems KPI (Key Performance Indicators) ±
using non-functional tests UHJDUGLQJ WKH V\VWHP¶V
performance, reliability, availability and usability.
A black-box testing procedure (IEEE 983-1986) has
been used, implying tests generated by a test case, previously
designed and described, as well as exploratory tests.
Some of the tests which have been conducted in order to
validate the PLATSEC experimental model include:
x Mutual authentication in the applications suite
x Database search for the electronic card issuing
process
x Issuance of professional cards using the application
designed for the card operator
x Visualization of citizens¶ information using the
Police Application
x 8SGDWHZULWH GDWD RQ WKH FLWL]HQ¶V  PHGLFDO UHFRUG
using the Medical Record Update Application
x &LWL]HQ¶VDXWKHQWLFDWLRQXVLQJWKHFDUG3,1FRGHLQ
the application for automatic auto-completion of
personal information in an online form
1699
x Several tests concerning the electronic vote systems
± for ERWKWKHDGPLQLVWUDWLRQDQGFLWL]HQ¶VPRGXOH
All tests were successfully passed, thus the PLATSEC
experimental model we have proposed has been validated and
proved its good functionality.
6. CONCLUSIONS
The information platform proposed in this paper, PLATSEC,
aims to improve the quality of public sector services and to
ensure citizens safety against WHUURULVWV¶ acts. By providing a
secure mean of personal information storage, the electronic
identity card provides all the data needed by different actors
in various scenarios in order to ensure the optimization of the
tasks and workflows performed by each actor. This approach
has a direct and significant impact on the population,
translated in:
x Less bureaucracy for simple document flows in the
public sector services
x More accurate flows without any abuses
x Availability of critical medical information for the
paramedics on the ambulance
x Availability of personal information online which
gives the authority the possibility to identify the
VXVSHFWHYHQLIKHVKHGRHVQ¶WFRRSHUDWH
x More efficiency in the electronic system vote ± less
time spent by the citizens and confidentiality of the
vote are ensured
x Optimized election administration ± the votes count
is made automatically by the administration module
providing correct counting and the election lists are
generated from the citizen records database, thus
eliminating illegal voting.
REFERENCES
V.Sgarciu, D.Carstoiu, D.Saru, Al.Cernian, A.Olteanu ±
Contract no. 82105, Beneficiary UEFISCDI, 2008-2011.
Patriciu,V., Ene-3LHWURúDQX 0 %LFD , DQG 3ULHVFX  -
(2006). 6HPQWXUL(OHFWURQLFHúL6HFXULWDWH,QIRUPDWLF,
Editura BIC ALL, Bucharest.
IEEE - 983-1986 Guide for Software Quality Assurance
Planning
Eched, Youval ± Cabinet YeMA CONSULTANTS (2004),
Un internet GH FRQILDQFH SRXU O¶DGPLQLVWUDWLRQ
électronique, Ed. &DKLHUV 6WUDWpJLTXHV GH O¶$)125 -
ENJEUX N° 241 ± février 2004, pp 40 ± 43.
The German ID card: http://www.german-
way.com/ident.html, last accessed 10.12.2011.
INCOM 2012, May 23-25, 2012
Bucharest, Romania

Fig. 1. System architecture

Fig. 2. Software architecture of the PLATSEC system

1700
INCOM 2012, May 23-25, 2012
Bucharest, Romania

Fig. 3. Police verification workflow

1701