eID workshop - 24/06/2004
Eddy Rubens, Microsoft Services Belgium

Agenda
Agenda is based on the main e-functionalities of the eID card
• Introduction
• Certificates and Signatures
• Data capture
• Authentication and Authorization

Introduction: Certificates and Signatures
• What are certificates and signatures
• Types of signatures
  • Binary blobs vs. XML based
• .NET XAdES library

Introduction: Data capture
• Capture identity information from the eID card
• Interface of the eID middleware is quite technical
  • Requires intensive study
  • C API with C structs
  • Return codes
• Requires a deep technical profile
  • C/C++ knowledge
  • Interfacing with .NET is not out-of-the-box

Introduction: Data capture
• What have we done to assist?
  • .NET wrapper around the FedICT middleware
  • Easier to understand and use
  • Simple OO interface
  • Adding a reference to the wrapper is enough to start
  • Usable from any .NET language and VB6
  • Can be exposed as a COM component

Introduction: Authentication & Authorization
• What is Authentication and Authorization
• Types of authentication
  • Windows logon
  • ASP.NET site
  • Federal Portal
• Custom made vs. Partner Solution
Agenda
• Introduction
• Certificates and Signatures
• Data capture
• Authentication and Authorization

Certificates
What is an X.509 v3 certificate?
• Digitally signed statement
• Contains a public key and information about the owner
• Is linked to a private key
  • Private key is only accessible and usable by the owner
Where do they come from?
• Issued by a Certification Authority (CA)
• CA has responsibility for validating the request
• CA provides the private key
• CAs can delegate certificate issuing to intermediate CAs
What can they be used for?
• Possible uses of a certificate are specified on the certificate
• We'll focus here on signing and authentication

Certificates
• eID card contains certificates
  • Signing and authentication
  • Root and intermediary CAs
• Tool to view certificates: MMC
  • Snap-in for Current User
  • Snap-in for Local Machine
  • Snap-in for Service Accounts
• Registration of eID certificates in the Windows certificate store
  • Demo: registration of certificates

Signatures
What is a digital signature?
• Proof that the owner of the private key signed the document
• Signature can be verified by the receiver
Signature types
• Binary blobs vs. XML
• XMLDSIG and XAdES
Signatures
Scenario
• Alice sends a document to Bob
• Alice wants to assure Bob that the document is hers

Signatures
One-way calculation of the 'Message Digest'
• Hash algorithm
• Highly unlikely that someone else can generate the same digest from another document
• Digest is small
  • Digest algorithm SHA1: 20 bytes
(diagram: Document → Hash → Message Digest)

Signatures
• Message digest is encrypted with Alice's private key
(diagram: Message Digest → Encrypt (Private key) → Signature)
• Alice sends the document and the signature to Bob

Signatures
Bob receives the document with the signature
• Calculates the message digest on the document
(diagram: Document → Hash → Message Digest)
• Bob decrypts the signature with Alice's public key
(diagram: Signature → Decrypt (Public key) → Message Digest)
• Verifies that both message digests are identical
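The Alice/Bob exchange from the four slides above, written out as an added example that is not part of the original deck. To run with nothing but the Python standard library it uses textbook RSA over a constructed key pair (two known Mersenne primes, no PKCS#1 padding), which mirrors the slide's "encrypt the digest with the private key" literally; `sign`, `verify`, `DOCUMENT` and `TAMPERED` are names chosen here, and the tampered document stands in for Mallory's edit shown later in the deck.

```python
import hashlib

# Constructed demo key pair: two known Mersenne primes (2^127-1 and 2^89-1).
# A 216-bit modulus is far too small for real use; it only keeps the example
# self-contained. Real signatures also pad the digest (PKCS#1); this textbook
# RSA omits padding on purpose to mirror the slide's "encrypt the digest".
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))     # modular inverse (Python 3.8+)

PUBLIC_KEY = (E, N)     # what Alice publishes in her certificate
PRIVATE_KEY = (D, N)    # what only Alice's card can use


def message_digest(document: bytes) -> bytes:
    """One-way hash of the document: SHA-1 gives the 20-byte digest from the slide."""
    return hashlib.sha1(document).digest()


def sign(document: bytes, private_key) -> bytes:
    """Alice: digest the document, then 'encrypt' the digest with her private key."""
    d, n = private_key
    digest = int.from_bytes(message_digest(document), "big")   # < 2^160 < n
    size = (n.bit_length() + 7) // 8
    return pow(digest, d, n).to_bytes(size, "big")


def verify(document: bytes, signature: bytes, public_key) -> bool:
    """Bob: recompute the digest, 'decrypt' the signature with Alice's public key,
    and accept only if both digests are identical."""
    e, n = public_key
    recovered = pow(int.from_bytes(signature, "big"), e, n)
    expected = int.from_bytes(message_digest(document), "big")
    return recovered == expected


# Constructed sample documents: the original and Mallory's edited copy.
DOCUMENT = b"Alice agrees to pay Bob 100 EUR on 31/12/2004."
TAMPERED = b"Alice agrees to pay Bob 1000 EUR on 31/12/2004."

if __name__ == "__main__":
    signature = sign(DOCUMENT, PRIVATE_KEY)
    print("Bob verifies original:", verify(DOCUMENT, signature, PUBLIC_KEY))   # True
    print("Bob verifies tampered:", verify(TAMPERED, signature, PUBLIC_KEY))   # False
```

The tampered copy fails because its digest no longer matches the one recovered from the signature, and Mallory cannot produce a new signature without Alice's private key.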
Signatures on the Windows platform
• Using MS Office (XP & 2003)
  • Word, Excel, PowerPoint, InfoPath (Office 2003)
  • Outlook
• XMLDSIG
  • Using the .NET class
• XAdES
  • Using the .NET XAdES library

Signing MS Office documents
• Signing documents
  • Demo: signature in Word
  • Show tampering by Mallory
  • Demo: signature in Excel
  • Demo: signature in InfoPath
  • Show XML

Signing mail
• Problem
  • eID card doesn't contain an email address
  • Registry patch needed:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security]
    "SupressNameChecks"=dword:00000001
• Demo Outlook

XML Digital Signatures
• W3C standard for signatures: XMLDSIG
  • XML based
  • W3C recommendation
  • http://www.w3.org/TR/xmldsig-core/
• 'Human readable' format
  • Signatures before this standard were binary blobs
  • Example of binary signatures: signatures in Word
  • Example of XMLDSIG signatures: signatures in InfoPath
  • Existing tools can be used
    • Notepad vs. Berviewer
  • Easier to understand

XMLDSIG
• Core standard for new XML standards
  • Security Assertion Markup Language (SAML)
    • OASIS
    • XML framework for exchanging authentication and authorization information
  • XML Advanced Electronic Signatures (XAdES)
    • ETSI
    • XML format for Electronic Signatures satisfying the requirements defined in the European Directive for Electronic Signatures, and with long term validity
XMLDSIG
• What does it look like
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="..." />
        <SignatureMethod Algorithm="..." />
        <Reference URI="#data" Id="enveloped">
          <DigestMethod Algorithm="..." />
          <DigestValue>SyNLjOrOTANUQX7K3504GPnrPss=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>...</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>...</X509Certificate>
        </X509Data>
      </KeyInfo>
      <Object Id="data">...</Object>
    </Signature>
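A worked version of the structure above, added here and not taken from the deck or from the .NET library: it builds an enveloping signature around an `<Object Id="data">`, fills `DigestValue` from the canonicalized object, computes `SignatureValue` over canonical `SignedInfo`, and then verifies in those same two steps. To stay dependency-free it uses XMLDSIG's `hmac-sha1` SignatureMethod with a constructed shared key instead of the RSA key and `X509Data` on the slide; `build_signature`, `verify_signature` and `tamper` are names chosen here.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
C14N_ALG = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"
HMAC_SHA1_ALG = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
SHA1_ALG = "http://www.w3.org/2000/09/xmldsig#sha1"

# Serialise with the default namespace so both sides canonicalize identically.
ET.register_namespace("", DSIG_NS)


def ns(tag: str) -> str:
    return f"{{{DSIG_NS}}}{tag}"


def c14n_bytes(elem) -> bytes:
    """Canonical XML (C14N 1.0) of one element, via the stdlib canonicalizer (3.8+)."""
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode("utf-8")


def sha1_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_signature(payload_text: str, key: bytes) -> str:
    """Build an enveloping XMLDSIG signature over <Object Id="data">."""
    sig = ET.Element(ns("Signature"))
    signed_info = ET.SubElement(sig, ns("SignedInfo"))
    ET.SubElement(signed_info, ns("CanonicalizationMethod"), Algorithm=C14N_ALG)
    ET.SubElement(signed_info, ns("SignatureMethod"), Algorithm=HMAC_SHA1_ALG)
    ref = ET.SubElement(signed_info, ns("Reference"), URI="#data")
    ET.SubElement(ref, ns("DigestMethod"), Algorithm=SHA1_ALG)
    digest_value = ET.SubElement(ref, ns("DigestValue"))
    sig_value = ET.SubElement(sig, ns("SignatureValue"))
    obj = ET.SubElement(sig, ns("Object"), Id="data")
    obj.text = payload_text
    # Step 1: the digest of the referenced data goes into DigestValue.
    digest_value.text = sha1_b64(c14n_bytes(obj))
    # Step 2: the signature covers canonical SignedInfo, not the data directly.
    mac = hmac.new(key, c14n_bytes(signed_info), hashlib.sha1).digest()
    sig_value.text = base64.b64encode(mac).decode("ascii")
    return ET.tostring(sig, encoding="unicode")


def verify_signature(xml_text: str, key: bytes) -> tuple:
    """Return (digest_ok, signature_ok); a signature is valid only if both hold."""
    sig = ET.fromstring(xml_text)
    signed_info = sig.find(ns("SignedInfo"))
    ref = signed_info.find(ns("Reference"))
    # Resolve the same-document URI "#data" against the Id attribute.
    target_id = ref.get("URI").lstrip("#")
    target = next(e for e in sig.iter() if e.get("Id") == target_id)
    digest_ok = hmac.compare_digest(
        ref.findtext(ns("DigestValue")), sha1_b64(c14n_bytes(target)))
    expected = hmac.new(key, c14n_bytes(signed_info), hashlib.sha1).digest()
    actual = base64.b64decode(sig.findtext(ns("SignatureValue")))
    return digest_ok, hmac.compare_digest(expected, actual)


def tamper(xml_text: str, new_payload: str) -> str:
    """Mallory edits the signed Object; SignedInfo and SignatureValue stay as they were."""
    sig = ET.fromstring(xml_text)
    sig.find(ns("Object")).text = new_payload
    return ET.tostring(sig, encoding="unicode")


KEY = b"constructed-demo-key"   # constructed shared secret, stands in for the certificate key

if __name__ == "__main__":
    doc = build_signature("Alice owes Bob nothing", KEY)
    print(doc)
    print(verify_signature(doc, KEY))                                   # (True, True)
    print(verify_signature(tamper(doc, "Alice owes Bob 1000 EUR"), KEY))  # (False, True)
    print(verify_signature(doc, b"wrong-key"))                          # (True, False)
```

The tampered case shows why the verifier must check the Reference digests as well as the SignatureValue: editing the Object leaves SignedInfo, and therefore the signature over it, intact, and only the DigestValue comparison catches the change.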
XMLDSIG
• Creating an XMLDSIG signature with .NET
  • Demo: code sample

XML Advanced Electronic Signatures
• Aka XAdES
• European Telecommunication Standards Institute (ETSI)
• Compliant with European Directive 1999/93/EC on Electronic Signatures
• http://uri.etsi.org/01903/v1.1.1/

Why XAdES?
• XAdES opens up compelling possibilities
  • New use cases beyond XMLDSIG
• XAdES specification is compliant with the European Directive

Why XAdES?
• Main XMLDSIG use case
  • Short-lived e-commerce style sales transactions
• Some common use cases for XAdES
  • Counter signatures
  • Non-repudiation
  • Long-lived contracts

Why XAdES?
• Counter signatures
  • Signature added to a document that has already been signed
    • To witness the first signature
    • To confirm an authorization
    • In case of multiple stakeholders
  • XMLDSIG doesn't provide for counter signing out of the box

Why XAdES?
• Non-repudiation timeline
  • A signs contract "I owe B 1000€, to be paid on 31/12/2004"
  • B receives and timestamps the contract
  • A revokes certificate
  • B asks for the 1000€
  • A refuses to pay, claiming that the signature was forged
  • A & B meet in court: B can prove that the signature was made at a time when A's certificate wasn't revoked

Why XAdES?
• Signing contracts that have a 'shelf-life' of multiple years
• Issue
  • Over time, weaknesses may occur in the cryptographic algorithms used to create the ES
• XAdES solution
  • XAdES-A form: ArchiveTimeStamp element
  • Can be nested
  • Verifier has the task to add an ArchiveTimeStamp well before the algorithm becomes compromised
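A simplified model of the nested ArchiveTimeStamp idea from the slide above, added as an example; it is not the ETSI XAdES schema or a real time-stamping authority token. Each archive timestamp binds a time to a hash over the signature and every earlier timestamp, so when the verifier re-stamps with a stronger algorithm before the old one is compromised, the whole chain stays checkable. `new_chain`, `add_archive_timestamp`, `verify_chain` and the placeholder `SIGNATURE` bytes are constructed here.

```python
import hashlib


def _digest(algorithm: str, data: bytes) -> str:
    return hashlib.new(algorithm, data).hexdigest()


def new_chain(signature_xml: bytes) -> dict:
    """Start from the signed document (constructed placeholder bytes in this example)."""
    return {"signature": signature_xml, "archive_timestamps": []}


def _covered_bytes(chain: dict, upto: int) -> bytes:
    """Bytes protected by timestamp number `upto`: the signature plus all earlier tokens."""
    earlier = chain["archive_timestamps"][:upto]
    return chain["signature"] + b"".join(ts["digest"].encode() for ts in earlier)


def add_archive_timestamp(chain: dict, algorithm: str, issued_at: str) -> dict:
    """Nest a new ArchiveTimeStamp over the signature and every earlier timestamp."""
    covered = _covered_bytes(chain, len(chain["archive_timestamps"]))
    chain["archive_timestamps"].append({
        "alg": algorithm,
        "time": issued_at,
        "digest": _digest(algorithm, covered + issued_at.encode()),
    })
    return chain


def verify_chain(chain: dict, weak_algorithms=frozenset()) -> bool:
    """Every token must recompute, and the outermost token must use an algorithm
    that is still trusted; inner tokens may use weak ones because the outer
    token already covers them."""
    tokens = chain["archive_timestamps"]
    if not tokens:
        return False
    for i, ts in enumerate(tokens):
        expected = _digest(ts["alg"], _covered_bytes(chain, i) + ts["time"].encode())
        if expected != ts["digest"]:
            return False
    return tokens[-1]["alg"] not in weak_algorithms


# Constructed sample: a contract signed in 2004 with SHA-1 era tooling.
SIGNATURE = b"<Signature>contract-2004-placeholder</Signature>"

if __name__ == "__main__":
    chain = add_archive_timestamp(new_chain(SIGNATURE), "sha1", "2004-06-24")
    print(verify_chain(chain))                                # True
    print(verify_chain(chain, weak_algorithms={"sha1"}))      # False: SHA-1 no longer trusted
    add_archive_timestamp(chain, "sha256", "2010-01-01")      # verifier re-stamps in time
    print(verify_chain(chain, weak_algorithms={"sha1"}))      # True: outer SHA-256 stamp covers it
```

The point the slide makes is the ordering: the SHA-256 stamp only helps if it was added while SHA-1 was still trusted, because it attests that the SHA-1 chain was intact at that time.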
Why a XAdES library for .NET?
• Creating applications that use XAdES is a challenge
  • XAdES technical specification is quite detailed
    • 70 printed pages
  • XAdES schema file (XAdES.XSD) is 19KB
    • Over 120 different elements

Why a XAdES library for .NET?
• Get a head start in XAdES development
• XAdES library eases development
  • Development from technical RFC style documentation is not an everyday job for most business solution developers
  • Lets you get results faster
  • Built-in checks can help you detect mistakes earlier

About XAdES
(diagram: Signature, SignedInfo, SignatureValue, KeyInfo and Object come from XMLDSIG; SignedProperties and UnsignedProperties are what XAdES adds)
• XAdES extends XMLDSIG
• XAdES uses the extension mechanism of XMLDSIG
• A XAdES signature is an XMLDSIG signature
About XAdES
• XML structure
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod />
        <SignatureMethod />
        <!-- the Reference to SignedProperties is what makes them part of the signed data -->
        <Reference URI="#SignedPropertiesId" />
      </SignedInfo>
      <SignatureValue />
      <KeyInfo />
      <Object Id="XadesObjectId">
        <QualifyingProperties xmlns="http://uri.etsi.org/01903/v1.1.1#">
          <SignedProperties Id="SignedPropertiesId" />
          <UnsignedProperties />
        </QualifyingProperties>
      </Object>
    </Signature>
XAdES .NET library architecture
• XAdES extends XMLDSIG
• XAdES library extends the .NET XMLDSIG implementation
  • XadesSignedXml derives from SignedXml
• Backwards compatible with XMLDSIG signatures
  • Property SignatureStandard

XAdES .NET library architecture
• Serialization model same as in the SignedXml class
  • GetXml
    • Flatten the object model into XML
  • LoadXml
    • Hydrate the object model from XML
• XAdES schema validation

XAdES .NET library architecture
• Dotted notation
  • XAdES XML elements are nested quite deep
    <Object>
      <QualifyingProperties>
        <SignedProperties>
          <SignedSignatureProperties>
            <SignatureProductionPlace>
              <City>Brussels</City>
            </SignatureProductionPlace>
          </SignedSignatureProperties>
        </SignedProperties>
      </QualifyingProperties>
    </Object>
  • Automatic instantiation of the nested object graph
  • Easy dotted notation with Intellisense assistance
    xadesObject.QualifyingProperties.SignedSignatureProperties.SignatureProductionPlace.City = "Brussels";
  • Only "dirty" objects get serialized

Use cases revisited
• Counter signature sample code (C#)
    // Load the signature from the file chosen in the text box
    XadesSignedXml newXadesSignedXml = new XadesSignedXml();
    XmlDocument signatureXmlDocument = new XmlDocument();
    // Keep whitespace intact, otherwise the digests in the loaded signature no longer match
    signatureXmlDocument.PreserveWhitespace = true;
    signatureXmlDocument.Load(this.counterSignatureFileTextBox.Text);
    newXadesSignedXml.LoadXml(signatureXmlDocument.DocumentElement);
    // Add it to the CounterSignature collection of the unsigned signature properties
    unsignedSignatureProperties.CounterSignatureCollection.Add(newXadesSignedXml);

Deliverables .NET XAdES library
• Windows installer file
  • Microsoft.Xades.dll
    • The xcopy-deployable library
  • XAdESLibraryDocumentation.chm
    • Help file
  • XadesTestClient.exe
    • Test client showing most use cases
  • Source code of the library and the test client
Agenda
• Introduction
• Certificates and Signatures
• Data capture
• Authentication and Authorization

Data capture
• Architecture of the .NET wrapper
(diagram, top to bottom: Your client → .NET class Card → .NET classes Address and Identity → Managed C++ class → FedICT eidlib → FedICT CSP)

Role of the wrapper
• Managed C++ class hides the complexity
  • Turns the C API and C structs into a .NET OO class
  • Turns error codes and status information into .NET exceptions
  • Conversions
    • UTF8 into string
    • Byte array to picture
    • Byte array to .NET certificate classes
  • Init and Exit functions into constructor/destructor
• Façade class Card makes use easy

Data capture demo
• Demo: client code

Agenda
• Introduction
• Certificates and Signatures
• Data capture
• Authentication and Authorization

Authentication & Authorization
• Custom written web authentication
  • Using the eID certificate
• End-to-end solutions from partners exist
  • Upcoming presentations
Custom Authentication
• Capture certificate information on the server (VB.NET, ASP.NET page)
    Imports System.Security.Cryptography.X509Certificates

    Public Class LogonPage
        Inherits System.Web.UI.Page

        Protected Overrides Sub Render(ByVal writer As System.Web.UI.HtmlTextWriter)
            ' The client certificate presented by the browser during the SSL handshake
            Dim clientCert As HttpClientCertificate = Request.ClientCertificate
            Response.Write(" IsPresent:" & clientCert.IsPresent)
            Response.Write(" Issuer:" & clientCert.Issuer & "<br>")
            ' IsValid reflects the web server's own validation of the certificate
            Response.Write(" IsValid:" & clientCert.IsValid & "<br>")
            ' Wrap the raw certificate bytes in the .NET certificate class
            Dim x509Cert As New X509Certificate(clientCert.Certificate)
            Response.Write("Hash:" & x509Cert.GetCertHashString())
            MyBase.Render(writer)
        End Sub
    End Class
Authentication using the FedICT Federal Portal
• Authorization solution until eID is rolled out
• Targeted at government clients
• .NET solution
  • Developed in collaboration with Cipal and FedICT
  • Usable from ASP.NET and ASP
• Deliverables
  • Cookbook with source code available for download

www.belgium.be/usermgt
Federal Portal SSO

Solution architecture
(diagram: Default.asp (DOMAIN, TARGET, LANGUAGE) → Logonredirect.asp → FEDICT → SAML → Cipal.Authentication.dll → Logon.asp → OK: iLoket pages / Error message)
Christophe Pagone

Demo
• Demo by Christophe Pagone - Cipal

Windows logon using eID
• Requires a Graphical Identification and Authentication DLL (GINA)
• Sample GINA code in the Platform SDK security samples
  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winlogon_and_gina.asp
• More information: ginareqs@microsoft.com