1 / 41

Building Applications for the Belgian eID card

Building Applications for the Belgian eID card. Introduction. Vergelijking SIS en eIK. memory card naam + natNR verzekeringstatus - - - beveiliging door apps PVC gewone bedrukking synchrone kaart uitgereikt door imv . smart card naam + natNR - adres foto digitale handtekening

ally
Download Presentation

Building Applications for the Belgian eID card

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Building Applications forthe Belgian eID card Introduction

  2. Vergelijking SIS en eIK • memory card • naam + natNR • verzekeringstatus • - • - • - • beveiliging door apps • PVC • gewone bedrukking • synchrone kaart • uitgereikt door imv • smart card • naam + natNR • - • adres • foto • digitale handtekening • zelf-beveiliging • polycarbonaat • speciale bedrukking • asynchrone kaart • uitgereikt door RRN

  3. applet 1 applet 2 applet 3 JavaCard Virtual Machine JavaCard FrameWork OS and applications on the card Multi-application JavaCard 3rd party classes JavaCard card OS and functions

  4. ID JavaCard Virtual Machine JavaCard FrameWork OS and applications on the card Multi-application JavaCard 3rd party classes JavaCard card OS and functions

  5. authenticationkey + certificate digital signaturekey + certificate 2 Data Sets on the card PKCS#15 data structure ID address signed by RRN signed by RRN

  6. authentication digital signature 2 Data Sets on the card eID specific data ID address signed by RRN signed by RRN

  7. File Hierarchy on the Card Note: This diagram shows the files and directories as they exist on the card.

  8. PKCS#15 logical data structure PIN to activate authenticationor signature keys certificates belonging to thecard holder’s private keys Note: This diagram shows the logical links between the PKCS#15 objects.

  9. Application Areas • DATA CAPTURE • IDENTIFICATION & AUTHENTICATION • ELECTRONIC SIGNATURE

  10. Building Applications forthe Belgian eID card Tools and SDK

  11. FedICT eID software

  12. FedICT eID software Linux • Microsoft Windows • CryptoAPI CSP for Internet Explorer, Outlook, .NET, … • OS neutral standards • PKCS#11 for Linux, MacOSX, Windows and Sun Solaris • Java OpenCard Framework

  13. FedICT eID SDK The main goals of the FedICT eID SDK are: • To provide an easy way to retrieve the identity information from any version of a Belgian Identity Card • To automate and hide all validation mechanisms • To provide an easy to use interface to reduce the integration time in applications • self-sufficient; as an example, all identity functions will automatically • select the right application before reading the identity file • ensure they are not interrupted in the middle of a file read • interpret the contents of a file based on the card version

  14. FedICT eID SDK

  15. FedICT eID SDK Each function returning signed data always checks the signature, toghether with the integrity of the whole certificate chain. The function returns • the status of the signature check (long) • the global status of the certificate validation (long) • for each certificate • the certificate • the certificate’s label • the individual checking status • the individual validation status • the individual policy used: OCSP or CRL

  16. FedICT eID SDK • BEID_Init() – set OCSP and CRL policy • BEID_Exit() • BEID_GetID()BEID_GetAddress()BEID_GetPicture() • BEID_GetRawData()BEID_SETRawData() read straight from a cardvalidate the content and return the parsed, interpreted result to the application create or work with a binary copy of the public data

  17. FedICT eID SDK • BEID_BeginTransaction()BEID_EndTransaction() • BEID_SelectApplication() • BEID_ReadFile()BEID_WriteFile()

  18. FedICT eID SDK • BEID_VerifyPIN()BEID_ChangePIN()BEID_GetStatusPIN() • BEID_GetVersionInfo() • BEID_SendAPDU()

  19. FedICT eID SDK Sample code in Visual Basic Set RetStatus = EIDlib1.Init("", 0, 0, lHandle) If (RetStatus.GetGeneral = 0) Then Set RetStatus = EIDlib1.GetID(MapColID, CertifCheck) strName = MapColID.GetValue("Name") Label1.Caption = strName End If 'Set RetStatus = EIDlib1.GetAddress(MapColAddress, CertifCheck) 'strStreet = MapColAddress.GetValue("Street") Set RetStatus = EIDlib1.Exit()

  20. Microsoft: eID support today Middleware • Windows 98,Me,NT 4.0, 2000, XP Windows logon • Possible but requires custom GINA logon module Office • Full support in Office 2003 Internet Explorer • Full support SSL in 5.5 and above Web Sites • ASP and ASP .NET • SSO with Federal Portal Applications • Can do signing and data capture

  21. Microsoft: eID toolkits Your client .NET class Card .NET class Address .NET class Identity Microsoft add-on Managed C++ class FedICT eidlib public toolkits FedICT CSP

  22. Microsoft: eID toolkits • .NET wrapper and samples for eID API • XAdES .NET library and documentation • .NET cookbook with code for authentication service of Federal Portal • QUEST documents: legal, technical and practical implementation guidelines for advanced electronic signature with qualified certificates

  23. Building Applications forthe Belgian eID card Card Readers and Terminals

  24. PC/SC • Cards, readers and computers made by different manufactures work together. • Device independent APIs • Resource management to allow multiple applications to share multiple smartcard devices with potentially multiple card slots.

  25. Smart Card Aware Apps SCCP SCSP Driver Driver PC/SC User Applications CryptoAPI Common Dialog S D K 3rd party DLLs PC/SC Resource Manager System Services D D K Smart Card Reader Driver Library Drivers for IFD Driver Hardware

  26. PC/SC OS support • Windows • from Windows 98 and higher • W98 and NT4 require installation of the SmartCard Base Components • also in Windows CE http://www.microsoft.com/downloadsand search for “smartcard base components” • Linux and MacOSX use “PC/SC Lite”http://pcsclite.alioth.debian.org

  27. PC/SC and PIN-pad readers • PC/SC has no provisions for PIN-pad card readers • public eID middleware (CSP and PKCS#11) allows plug-in extensions for PIN-pad readers • specifications are available on the FedICT web site • it is up to a vendor or distributor to provide these extensions for their hardware

  28. Device Classification

  29. Kaartlezer voor PocketPC SIS+SAM eID …

  30. Mobiele terminals • Compact 12,5 x 7,5 x 1,5 cm • Light 123 gram • Non-Volatile Memoryread/store/synchronize • Connects to any PC • 2 AAA batteries • programmable in C • SIS approved

  31. Low-cost SIS+SAM /eID reader

  32. Gewone kaartlezers (class 2)

  33. switches to PIN pad directly connected to the reader PIN-pad readers Class 3

  34. Building Applications forthe Belgian eID card Thin Clients

  35. PC-based Thin Clients PC based “fat client” • thin client sw • works with USB card readers • no modifications required at application level • card reader’s PC/SC driver must be installed on the client and the server • closest to “standard” PC configuration application thin client SW eID libs PC/SC frame PC/SC frame device redirection PC/SC driver PC/SC driver

  36. Real Thin Clients Real thin client • thin client HW • works with USB card readers • no modifications required at application level • card reader’s PC/SC driver must be installed on the client and the server • PC/SC driver for embedded OS on thin client not always available or installation not always possible application thin client HW eID libs PC/SC frame PC/SC frame device redirection PC/SC driver PC/SC driver

  37. Real Thin Clients Real thin client • thin client HW • works with RS232 card readers • no modifications required at application level • card reader’s PC/SC driver must be installed on the client and the server • PC/SC driver for embedded OS on thin client not always available or installation not always possible • (1) older combinations of terminal server/Citrix don’t support device redirection so PC/SC API cannot be used application thin client HW eID libs real RS232 virtual RS232 port redirection

  38. FedICT software and thin clients • FedICT software uses PC/SC to communicate with card reader and card • in some thin client environments PC/SC is not available • solution: read the card via another channel and use the FedICT library to interpret, verify and parse the read binary copy of the ID card

  39. address ID 1 2 3 FedICT software and thin clients • read data files as blobs straight from card • push blobs in FedICT library • result = parsed data + exact copy of the blobs + OK/NOK application RS232 lib forcard reader FedICT libs WindowsCOM: port API

  40. Thin Clients • very often only RS232 on older thin client • power supply issues (PIN pad with display) • PC/SC not always supported • sometimes communication via network sockets • recent Citrix Metaframe supports PC/SC • older Citrix can use RS232 redirection • dumb terminals -> use central eID data capture & verification server on Win/Linux

  41. Thin Clients • don’t confuse support for smart card logon with support for smart cards at application level ! • for electronic signature: consider that key strokes (PIN entry) is sent from client to server over the network • for simple data capture (ID, address, photo) there are no real issues

More Related