A specific information system of basic registers that ensures the protection of personal data stored in basic registers. Its main mission is to replace birth numbers with identifiers that do not contain any obvious information.
The ORG information system belongs to the Information System of Basic Registers in the Czech Republic, which serves to support eGovernment applications in government and public administration.
The operator of IS ORG in the Czech Republic is the Office for Personal Data Protection. When the basic registers were built in the Czech Republic, it was decided that, to protect personal data, natural persons would be identified by a system of non-significant identifiers and that the linking of this personal data between G2G applications would be controlled.
The digital identity of each citizen thus consists of one source identifier and a group of agenda identifiers. The non-significant identifiers are stored only in IS ORG, and only agenda identifiers are provided to the individual eGovernment agendas. IS ORG provides a number of services for converting identifiers between agendas.
Creation of identifiers
Identifiers are created cryptographically in an HSM. Generation is based on random numbers and combines multiple cryptographic functions for each identifier.
To optimize the process of generating and securing these identifiers, a secure application for the HSM has been created; it runs in SEE mode and uses standard methods and features implemented in the HSM.
The HSM operates in FIPS 140-2 Level 3 security mode. IS ORG deploys nShield Connect network HSMs, which share a common secure key store.
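The identity model described above (one source identifier, a group of agenda identifiers, conversion only through the central system) can be modelled as follows. This is an added illustration, not IS ORG's code or algorithm: the class and method names, the agenda codes and the HMAC-SHA-256 derivation are assumptions, and the in-memory key stands in for one that would be held in the HSM.

```python
import hashlib
import hmac
import secrets


class IdentifierConverter:
    """Illustrative central converter; all names here are hypothetical."""

    def __init__(self):
        # Assumption: in a real deployment this key never leaves the HSM.
        self._key = secrets.token_bytes(32)
        # (agenda, agenda_id) -> source_id; stand-in for the encrypted database.
        self._index = {}

    def enroll(self):
        """Create a random source identifier that carries no personal data."""
        return secrets.token_hex(16)

    def agenda_id(self, source_id, agenda):
        """Derive the identifier that one agenda sees for this person."""
        msg = agenda.encode() + b"\x00" + source_id.encode()
        aid = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._index[(agenda, aid)] = source_id
        return aid

    def translate(self, from_agenda, aid, to_agenda):
        """Convert an identifier between agendas without exposing the source."""
        source_id = self._index.get((from_agenda, aid))
        if source_id is None:
            raise KeyError("identifier not known in agenda " + from_agenda)
        return self.agenda_id(source_id, to_agenda)


def demo():
    org = IdentifierConverter()
    person = org.enroll()
    health = org.agenda_id(person, "A-HEALTH")  # constructed agenda codes
    tax = org.agenda_id(person, "A-TAX")
    return {
        # The two agendas hold different values, neither equal to the source.
        "distinct": health != tax and person not in (health, tax),
        # The same person always maps to the same identifier in one agenda.
        "stable": health == org.agenda_id(person, "A-HEALTH"),
        # Only the central converter can map one agenda's value to another's.
        "converted": org.translate("A-HEALTH", health, "A-TAX") == tax,
    }


if __name__ == "__main__":
    print(demo())
```
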
Architecture and deployment
IS ORG is a central system that is operated in one place. Security is ensured by duplicating the data centres within a geocluster. IS ORG was put into production in 2012.
The main components include: web servers, databases, application servers, HSM modules, integration interfaces.
The purpose of HSM deployment is mainly:
– Secure work with cryptographic material used to generate and encrypt identifiers.
– Inability to generate identifiers outside of HSM.
– Encryption of critical identifiers that are stored in the database.
– Encryption of identifiers at the application level to provide them over the Internet.
In 2014-2015, our company participated in the development and implementation of the mathematical apparatus in a similar project, IS IFO, in Slovakia.
That system uses the nShield Solo HSM, and its architecture is designed in a similar way.
- Ministry for Regional Development
- The Office for Personal Data Protection
- Centre for Regional Development
- University Hospital Olomouc etc.