Electronic Identity eID

Electronic identity (eID) – a collection of data that connects the person with his/her physical identity in an electronic environment. In Estonia, each person has one physical identity and the same applies to electronic identity.

A person may have several carriers of electronic identity (places where his/her eID data collection has been saved to), but the identity on these carriers is always the same. Carriers of eID in Estonia are ID-cards, residence cards, diplomatic IDs, mobile-ID, digital ID, and an e-Resident’s digital ID (hereinafter collectively referred to as ‘ID-card’).

Electronic identity operates on the basis of a public key infrastructure (PKI). The PKI model is based on two keys – a secret key and a public key. As the names suggest, the secret key must be protected and may only be used by the person to whom it has been issued, whereas the public key is available to everyone; the two keys are mathematically linked. This pair of keys enables secure entry into e-services (digital authentication) and the giving of digital signatures, and it also allows data to be transferred securely and confidentially (encryption).

All operations performed with eID means (authentication, signing, and decryption) are PIN-protected, so an eID means cannot be misused by anyone who does not know its PINs.

Applications of electronic identity

Electronic identity can be used:

  • for authentication;
  • to give digital signatures;
  • for encryption to ensure secure data transfer;
  • as a customer card (personal information is automatically read from the card);
  • as an electronic key in access systems.

Authentication

  • Electronic personal identification is mainly suited to providing web services in both the public and the private sector, but it is also used in other contexts, e.g. on mobile devices.
  • Electronic personal identification with certificates is a standard function in many software packages. ID-card based identification is, among others, supported by the most common web browsers (Firefox, Google Chrome, Microsoft Edge) and web servers (IIS, Apache).
  • ID-cards and mobile-ID can be used for authentication to access most e-services of the public and private sector.

Encryption

  • The aim of data encryption is to make information unreadable to anyone other than its intended recipient.
  • Encryption with an ID-card is meant for secure transfer, but not for long-term storage of information.
  • An encryption algorithm is used for encryption. It is a mathematical formula that encrypts information. In the case of asymmetric encryption used with Estonia’s ID-card, one key is used for encryption and another for decryption, one of which is a public key and the other a secret key in the sole possession of its user.
  • For decryption with an ID-card (i.e. for opening and reading an encrypted file), a secret key that corresponds to the public key in the authentication certificate and is located on the user’s ID-card must be used. If a user loses his/her ID-card, it is no longer possible to decrypt the information. It is also not possible to decrypt information that was encrypted with an earlier certificate after the user has renewed his/her ID-card’s certificates. Upon the issuing of new certificates, a new public and secret key are also generated.
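The two points above, that only the secret key on the card can decrypt and that a renewed key pair cannot read older ciphertexts, can be shown with a small added example. This is illustrative code written for this page, not software from the ID-card project; it uses RSA-OAEP with an ordinary in-memory key pair as a stand-in for the card, and the message is constructed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptForHolder is the sender's side: only the recipient's public key, which
// anyone can read from the recipient's authentication certificate, is needed.
func EncryptForHolder(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plaintext, nil)
}

// DecryptWithSecretKey is the holder's side. On a real card the secret key never
// leaves the chip and this step is a PIN-protected card operation; here the key
// is an ordinary in-memory key (an assumption) so the example runs offline.
func DecryptWithSecretKey(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext, nil)
}

// EncryptionDemo encrypts a constructed message for one key pair, then checks two
// things: the matching secret key recovers the message, and a freshly generated
// key pair (standing in for renewed certificates or a replacement card) cannot.
func EncryptionDemo() (recovered bool, renewedKeyFails bool, err error) {
	// Key pair that stands in for the holder's current authentication certificate.
	current, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed sample message.
	message := []byte("constructed sample: confidential document for the card holder")

	ciphertext, err := EncryptForHolder(&current.PublicKey, message)
	if err != nil {
		return false, false, err
	}
	plaintext, err := DecryptWithSecretKey(current, ciphertext)
	recovered = err == nil && bytes.Equal(plaintext, message)

	// Renewing certificates generates a new key pair; the old ciphertext
	// becomes unreadable, which is why card encryption is unsuitable for
	// long-term storage.
	renewed, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	_, err = DecryptWithSecretKey(renewed, ciphertext)
	renewedKeyFails = err != nil
	return recovered, renewedKeyFails, nil
}

func main() {
	recovered, renewedKeyFails, err := EncryptionDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("current key recovers the message: %v\n", recovered)
	fmt.Printf("renewed key fails to decrypt:     %v\n", renewedKeyFails)
}
```

The second half of the demo is the practical lesson of the bullet list: anything that must stay readable after a card loss or certificate renewal has to be re-encrypted or stored in another form before the old key becomes unavailable.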

Digital signature

  • Under Estonian and EU (eIDAS) legislation, an Estonian digital signature has the same legal weight as a handwritten signature.
  • Digital signature is a universal technology that all organisations in Estonia should be able to use, accept, and forward.

What’s contained in a certificate?

Upon the issuing of an ID-card, the user receives two certificates: one for digital signatures and the other for authentication and encryption. A certificate links a person to his/her public key (and thereby to the matching secret key). It contains personal information, including the person’s name and personal identity code, together with the person’s unique public key. The certificate makes it possible to verify digital signatures: if there is a mathematical match between a certificate and a signature, it is certain that the person named in the certificate has given the signature.

After a signature has been given, the validity of the certificate must be checked. To do this, the programme used to give the signature automatically connects to the server of the certification centre SK ID Solutions (SK) and checks whether the certificate is valid. If it is, the SK server issues a special validity confirmation, which is added to the signature.
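The two checks described in the last two paragraphs, the mathematical match between signature and certificate and the validity check of the certificate, are shown below in an added example written for this page; it is not code from the ID-card software or from SK. It constructs its own test CA and holder certificate, so the issuer, the holder name and the zero-filled personal code are placeholders, the PNOEE- prefix in the serialNumber attribute is an assumption about the certificate format, and the validity check is a local time-window and chain check rather than the online confirmation from SK's server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert builds a certificate for subject and key. With parent == nil it is
// self-signed (our constructed root CA); otherwise it is signed by parentKey.
func issueCert(subject pkix.Name, key *ecdsa.PrivateKey, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey, isCA bool, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               subject,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Sign is the card holder's side: hash the document and sign the digest with the
// secret key (on a real card this is the PIN-protected signing operation).
func Sign(key *ecdsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifySignedDocument is the relying party's side. Step 1 is the "mathematical
// match" between signature and certificate; step 2 checks that the certificate
// chains to a trusted issuer and was valid at time `at`. On success it returns
// the signer's name and personal code as recorded in the certificate.
func VerifySignedDocument(document, signature []byte, cert *x509.Certificate,
	trusted *x509.CertPool, at time.Time) (string, error) {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("certificate does not carry an ECDSA public key")
	}
	digest := sha256.Sum256(document)
	if !ecdsa.VerifyASN1(pub, digest[:], signature) {
		return "", errors.New("signature does not match the certificate's public key")
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       trusted,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	if err != nil {
		return "", fmt.Errorf("certificate not trusted or not valid on %s: %w", at.Format("2006-01-02"), err)
	}
	return cert.Subject.CommonName + " / " + cert.Subject.SerialNumber, nil
}

// SignatureDemo runs the whole flow on constructed data: it reports the signer
// identity read from the certificate, whether verification fails once the
// certificate has expired, and whether it fails for a tampered document.
func SignatureDemo() (signer string, expiredFails, tamperedFails bool, err error) {
	now := time.Now()
	year := 365 * 24 * time.Hour
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", false, false, err
	}
	caCert, err := issueCert(pkix.Name{CommonName: "Constructed Test CA"}, caKey, nil, nil, true, now.Add(-time.Hour), now.Add(10*year))
	if err != nil {
		return "", false, false, err
	}
	holderKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", false, false, err
	}
	holder := pkix.Name{
		CommonName:   "CONSTRUCTED TEST HOLDER",
		SerialNumber: "PNOEE-00000000000", // placeholder personal identity code, not a real one
	}
	holderCert, err := issueCert(holder, holderKey, caCert, caKey, false, now.Add(-time.Hour), now.Add(5*year))
	if err != nil {
		return "", false, false, err
	}
	document := []byte("constructed sample: contract text to be signed")
	signature, err := Sign(holderKey, document)
	if err != nil {
		return "", false, false, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)

	signer, err = VerifySignedDocument(document, signature, holderCert, trusted, now)
	if err != nil {
		return "", false, false, err
	}
	// Same signature checked after the holder certificate's five-year validity ended.
	_, err = VerifySignedDocument(document, signature, holderCert, trusted, now.Add(6*year))
	expiredFails = err != nil
	// One flipped bit in the document breaks the mathematical match.
	tampered := append([]byte{}, document...)
	tampered[0] ^= 0x01
	_, err = VerifySignedDocument(tampered, signature, holderCert, trusted, now)
	tamperedFails = err != nil
	return signer, expiredFails, tamperedFails, nil
}

func main() {
	signer, expiredFails, tamperedFails, err := SignatureDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signer: %s\nfails after expiry: %v\nfails when tampered: %v\n", signer, expiredFails, tamperedFails)
}
```

The order of the two checks matters for a relying party: a signature that matches the certificate's public key but whose certificate was not valid at signing time must be rejected, which is exactly why the signing programme fetches a validity confirmation from SK at the moment of signing and stores it alongside the signature.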

Last updated: 08.11.2022