1 / 51

eID workshop - 24/06/2004

eID workshop - 24/06/2004 . Eddy Rubens Microsoft Services Belgium. Agenda. Agenda is based on main e-functionalities of the eID card Introduction Certificates and Signatures Data capture Authentication and Authorization. Introduction Certificates and Signatures.

abrienda
Download Presentation

eID workshop - 24/06/2004

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. eID workshop - 24/06/2004 Eddy Rubens Microsoft Services Belgium

  2. Agenda Agenda is based on main e-functionalities of the eID card • Introduction • Certificates and Signatures • Data capture • Authentication and Authorization

  3. IntroductionCertificates and Signatures • What are certificates and signatures • Types of signatures • Binary blobs vs. XML based • .NET XAdES library

  4. IntroductionData capture • Capture identity information from eID card • Interface eID middleware is quite technical • Requires intensive study • C API with C structs • Return codes • Requires deep technical profile • C/C++ knowledge • Interfacing with .NET not out-of-the-box

  5. IntroductionData capture • What have we done to assist? • .NET wrapper around FedICT middleware • Easier to understand and use • Simple OO interface • Add reference to wrapper is enough to start • Usable from any .NET language and VB6 • Can be exposed as COM component

  6. IntroductionAuthentication & Authorization • What is Authentication and Authorization • Types of authentication • Windows logon • ASP.NET site • Federal Portal • Custom made vs. Partner Solution

  7. Agenda • Introduction • Certificates and Signatures • Data capture • Authentication and Authorization

  8. Certificates What is a X509 v3 certificate? • Digitally signed statement • Contains a public key and information of the owner • Is linked to private key • Private key is only accessible and usable by owner Where do they come from? • Issued by Certification Authority (CA) • CA has responsibility for validating the request • CA provides private key • CA’s can delegate certificate issuing to intermediate CA’s What can they be used for? • Possible uses of certificate is specified on certificate • We’ll focus here on signing and authentication

  9. Certificates • eID card contains certificates • Signing and authentication • Root and intermediary CA’s • Tool to view certificates: MMC • Snap-in for Current User • Snap-in for Local Machine • Snap-in for Service Accounts • Registration eID certificates in Windows certificate store • Demo registration certificates

  10. Signatures What is a digital signature? • Proof that owner of private key signed doc • Signature can be verified by receiver Signature types • Binary blobs vs. XML • XMLDSIG and XAdES

  11. Signatures Scenario • Alice sends document to Bob • Alice wants to assure Bob that the document is hers

  12. Signatures One-way calculation of ‘Message Digest’ • Hash algorithm • Highly unlikely someone else can generate same digest from other document • Digest is small • Digest algorithm SHA1: 20 bytes Hash Message Digest

  13. Signatures Message digest is encrypted with Alice’s private key Message Digest Encrypt Signature Private key Alice sends document and signature to Bob Signature

  14. Signatures Bob receives document with signature • Calculates message digest on document Hash Message Digest Bob decrypts signature with Alice’s public key Verify both message digests are identical Public key Decrypt Message Digest Signature

  15. Signatures on Windows platform • Using MS office (XP & 2003) • Word, Excel, PowerPoint, InfoPath (Office 2003) • Outlook • XMLDSIG • Using .NET class • XAdES • Using .NET XAdES library

  16. Signing MS Office documents • Signing documents • Demo signature in Word • Show tampering by Mallory • Demo signature in Excel • Demo signature in InfoPath • Show XML

  17. Signing mail • Problem • eID card doesn’t contain email address • Patch registry needed [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security] "SupressNameChecks"=dword:00000001 • Demo Outlook

  18. XML Digital Signatures • W3C standard for signatures: XMLDSIG • XML based • W3C recommendation • http://www.w3.org/TR/xmldsig-core/ • ‘Human readable’ format • Signatures before this standard were binary blobs • Example binary signatures: signatures in Word • Example XMLDSIG signatures: signatures in InfoPath • Existing tools can be used • Notepad vs. Berviewer • Easier to understand

  19. XMLDSIG • Core standard for new XML standards • Security Assertion Markup Language (SAML) • OASIS • XML framework for exchanging authentication and authorization information • XML Advanced Electronic Signatures (XAdES) • ETSI • XML format for Electronic Signatures satisfying the requirements defined in the European Directive for Electronic Signatures, and with long term validity.

  20. XMLDSIG • What does it look like <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod Algorithm="..." /> <SignatureMethod Algorithm="..." /> <Reference URI="#data" Id="enveloped"> <DigestMethod Algorithm="..." /> <DigestValue>SyNLjOrOTANUQX7K3504GPnrPss=</DigestValue> </Reference> </SignedInfo> <SignatureValue>...SignatureValue> <KeyInfo> <X509Data> <X509Certificate>...</X509Certificate> </X509Data> </KeyInfo> <Object Id="data">...</Object> </Signature>

  21. XMLDSIG • Creating XMLDSIG signature with .NET • Demo code sample

  22. XML Advanced Electronic Signatures • Aka XAdES • European Telecommunication Standards Institute (ETSI) • Compliant with European Directive 1999/93/EC on Electronic Signatures • http://uri.etsi.org/01903/v1.1.1/

  23. Why XAdES ? • XAdES opens up compelling possibilities • New use cases beyond XMLDSIG • XAdES specification is compliant with the European Directive

  24. Why XAdES ? • Main XMLDSIG use case • Short lived e-commerce style sales transactions • Some common use cases for XAdES • Counter signatures • Non-repudiation • Long-lived contracts

  25. Why XAdES ? • Counter signatures • Signature added to a document that has already been signed • To witness the first signature • To confirm an authorization • In case of multiple stakeholders • XMLDSIG doesn’t provide for counter signing out of the box

  26. Why XAdES ? • Non-repudiation timeline 31/12/2004 A signs contract “I owe B 1000€, to be paid on 31/12/2004” B receives and timestamps contract A revokes certificate B asks for the 1000€ A refuses to pay claiming that signature was forged A & B meet in court: B can prove that signature was made at a time when A’s certificate wasn’t revoked

  27. Why XAdES ? • Signing contracts that have a ‘shelf-live’ of multiple years • Issue • Over time weaknesses may occur in cryptographic algorithms used to create ES • XAdES solution • XAdES-A form: ArchiveTimeStamp element • Can be nested • Verifier has task to add ArchiveTimeStame well before algorithm becomes compromised

  28. Why a XAdES library for .NET ? • Creating applications that use XAdES is a challenge • XAdES technical specification is quite detailed • 70 printed pages • XAdES schema file (XAdES.XSD) is 19KB • Over 120 different elements

  29. Why a XAdES library for .NET ? • Get a head start in XAdES development • XAdES library eases development • Development from technical RFC style documentation is not an every day job for most business solution developers • Let you get results faster • Built-in checks can help you detect mistakes earlier

  30. Signature (XMLDSIG) SignedInfo (XMLDSIG) Signature Value (XMLDSIG) KeyInfo (XMLDSIG) Object (XMLDSIG) Signed Properties Unsigned Properties About XAdES • XAdES extends XMLDSIG • XAdES uses extension mechanism of XMLDSIG • A XAdES signature is a XMLDSIG signature

  31. About XAdES • XML structure <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> <SignedInfo> <CanonicalizationMethod /> <SignatureMethod /> <Reference URI="#SignedPropertiesId“ /> </SignedInfo> <SignatureValue /> <KeyInfo /> <Object Id="XadesObjectId"> </Object> </Signature> <QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.1.1#"> <SignedProperties Id="SignedPropertiesId“ /> <UnsignedProperties /> </QualifyingProperties>

  32. XAdES .NET library architecture • XAdES extends XMLDSIG • XAdES library extends .NET XMLDSIG implementation • XadesSignedXml derives from SignedXml • Backwards compatible with XMLDSIG signatures • Property SignatureStandard

  33. XAdES .NET library architecture • Serialization model same as in SignedXml class • GetXml • Flatten the object model into XML • LoadXml • Hydrate object model from XML • XAdES schema validation

  34. XAdES .NET library architecture • Dotted notation • XAdES XML elements are nested quite deep <Object> <QualifyingProperties> <SignedProperties> <SignedSignatureProperties> <SignatureProductionPlace> <City>Brussels</City> </SignatureProductionPlace> </SignedSignatureProperties> </SignedProperties> </QualifyingProperties> </Object> • Automatic instantiation of nested object graph • Easy dotted notation with Intellisense assistance xadesObject.QualifyingProperties.SignedSignatureProperties.SignatureProductionPlace.City = “Brussels”; • Only “dirty” objects get serialized

  35. Use cases revisited • Counter Signature sample code XadesSignedXml newXadesSignedXml = new XadesSignedXml(); XmlDocument signatureXmlDocument = new XmlDocument(); signatureXmlDocument.PreserveWhitespace = true; signatureXmlDocument.Load(this.counterSignatureFileTextBox.Text); newXadesSignedXml.LoadXml(signatureXmlDocument.DocumentElement); unsignedSignatureProperties.CounterSignatureCollection.Add( newXadesSignedXml);

  36. Demo

  37. Deliverables .NET XAdES library • Windows installer file • Microsoft.Xades.dll • The xcopy-deployable library • XAdESLibraryDocumentation.chm • Help file • XadesTestClient.exe • Test client showing most use cases • Source code of library and test client

  38. Deliverables .NET XAdES library

  39. Agenda • Introduction • Certificates and Signatures • Data capture • Authentication and Authorization

  40. Data capture • Architecture of .NET wrapper Your client .NET class Card .NET class Address .NET class Identity Managed C++ class FedICT eidlib FedICT CSP

  41. Role of wrapper • Managed C++ class hides complexity • Turn C API and C structs into .NET OO class • Turn error codes and status information into .NET exceptions • Conversions • UTF8 into string • Byte array to picture • Byte array to .NET certificate classes • Init and Exit functions into constructor/destructor • Façade class Card makes use easy

  42. Data capture demo • Demo client code

  43. Agenda • Introduction • Certificates and Signatures • Data capture • Authentication and Authorization

  44. Authentication & Authorization • Custom written web authentication • Using eID certificate • End-to-end solutions from partners exist • Upcoming presentations

  45. Custom Authentication • Capture certificate information on server Public Class LogonPage Inherits System.Web.UI.Page Protected Overrides Sub Render(ByVal writer As System.Web.UI.HtmlTextWriter) Dim clientCert As HttpClientCertificate Dim keys(), key As String clientCert = Request.ClientCertificate Response.Write(" IsPresent:" & clientCert.IsPresent) Response.Write(" Issuer:" & clientCert.Issuer & "<br>") Response.Write(" IsValid:" & clientCert.IsValid & "<br>") Dim x509Cert = New X509Certificate(clientCert.Certificate) Response.Write("Hash:" & x509Cert.GetCertHashString()) MyBase.Render(writer) End Sub End Class

  46. Authentication using FedICT Federal Portal • Authorization solution until eID is rolled out • Targeted at government clients • .NET solution • Developed in collaboration with Cipal and FedICT • Usable from ASP.NET and ASP • Deliverables • Cookbook with source code available for download

  47. www.belgium.be/usermgt Federal Portal SSO

  48. Solution architecture Default.asp DOMAIN, TARGET, LANGUAGE Logonredirect.asp FEDICT Cipal.Authentication.dll SAML Logon.asp OK iLoket pagina’s Error message Christophe Pagone

  49. Demo • Demo by Christophe Pagone - Cipal

  50. Windows logon using eID • Requires Graphical Identification and Authentication dll (GINA) • Sample GINA code in the Platform SDK security samples • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winlogon_and_gina.asp • More information: ginareqs@microsoft.com

More Related