430 likes | 771 Views
Building Applications for the Belgian eID card. Introduction. Vergelijking SIS en eIK. memory card naam + natNR verzekeringstatus - - - beveiliging door apps PVC gewone bedrukking synchrone kaart uitgereikt door imv . smart card naam + natNR - adres foto digitale handtekening
E N D
Building Applications forthe Belgian eID card Introduction
Vergelijking SIS en eIK • memory card • naam + natNR • verzekeringstatus • - • - • - • beveiliging door apps • PVC • gewone bedrukking • synchrone kaart • uitgereikt door imv • smart card • naam + natNR • - • adres • foto • digitale handtekening • zelf-beveiliging • polycarbonaat • speciale bedrukking • asynchrone kaart • uitgereikt door RRN
applet 1 applet 2 applet 3 JavaCard Virtual Machine JavaCard FrameWork OS and applications on the card Multi-application JavaCard 3rd party classes JavaCard card OS and functions
ID JavaCard Virtual Machine JavaCard FrameWork OS and applications on the card Multi-application JavaCard 3rd party classes JavaCard card OS and functions
authenticationkey + certificate digital signaturekey + certificate 2 Data Sets on the card PKCS#15 data structure ID address signed by RRN signed by RRN
authentication digital signature 2 Data Sets on the card eID specific data ID address signed by RRN signed by RRN
File Hierarchy on the Card Note: This diagram shows the files and directories as they exist on the card.
PKCS#15 logical data structure PIN to activate authenticationor signature keys certificates belonging to thecard holder’s private keys Note: This diagram shows the logical links between the PKCS#15 objects.
Application Areas • DATA CAPTURE • IDENTIFICATION & AUTHENTICATION • ELECTRONIC SIGNATURE
Building Applications forthe Belgian eID card Tools and SDK
FedICT eID software Linux • Microsoft Windows • CryptoAPI CSP for Internet Explorer, Outlook, .NET, … • OS neutral standards • PKCS#11 for Linux, MacOSX, Windows and Sun Solaris • Java OpenCard Framework
FedICT eID SDK The main goals of the FedICT eID SDK are: • To provide an easy way to retrieve the identity information from any version of a Belgian Identity Card • To automate and hide all validation mechanisms • To provide an easy to use interface to reduce the integration time in applications • self-sufficient; as an example, all identity functions will automatically • select the right application before reading the identity file • ensure they are not interrupted in the middle of a file read • interpret the contents of a file based on the card version
FedICT eID SDK Each function returning signed data always checks the signature, toghether with the integrity of the whole certificate chain. The function returns • the status of the signature check (long) • the global status of the certificate validation (long) • for each certificate • the certificate • the certificate’s label • the individual checking status • the individual validation status • the individual policy used: OCSP or CRL
FedICT eID SDK • BEID_Init() – set OCSP and CRL policy • BEID_Exit() • BEID_GetID()BEID_GetAddress()BEID_GetPicture() • BEID_GetRawData()BEID_SETRawData() read straight from a cardvalidate the content and return the parsed, interpreted result to the application create or work with a binary copy of the public data
FedICT eID SDK • BEID_BeginTransaction()BEID_EndTransaction() • BEID_SelectApplication() • BEID_ReadFile()BEID_WriteFile()
FedICT eID SDK • BEID_VerifyPIN()BEID_ChangePIN()BEID_GetStatusPIN() • BEID_GetVersionInfo() • BEID_SendAPDU()
FedICT eID SDK Sample code in Visual Basic Set RetStatus = EIDlib1.Init("", 0, 0, lHandle) If (RetStatus.GetGeneral = 0) Then Set RetStatus = EIDlib1.GetID(MapColID, CertifCheck) strName = MapColID.GetValue("Name") Label1.Caption = strName End If 'Set RetStatus = EIDlib1.GetAddress(MapColAddress, CertifCheck) 'strStreet = MapColAddress.GetValue("Street") Set RetStatus = EIDlib1.Exit()
Microsoft: eID support today Middleware • Windows 98,Me,NT 4.0, 2000, XP Windows logon • Possible but requires custom GINA logon module Office • Full support in Office 2003 Internet Explorer • Full support SSL in 5.5 and above Web Sites • ASP and ASP .NET • SSO with Federal Portal Applications • Can do signing and data capture
Microsoft: eID toolkits Your client .NET class Card .NET class Address .NET class Identity Microsoft add-on Managed C++ class FedICT eidlib public toolkits FedICT CSP
Microsoft: eID toolkits • .NET wrapper and samples for eID API • XAdES .NET library and documentation • .NET cookbook with code for authentication service of Federal Portal • QUEST documents: legal, technical and practical implementation guidelines for advanced electronic signature with qualified certificates
Building Applications forthe Belgian eID card Card Readers and Terminals
PC/SC • Cards, readers and computers made by different manufactures work together. • Device independent APIs • Resource management to allow multiple applications to share multiple smartcard devices with potentially multiple card slots.
Smart Card Aware Apps SCCP SCSP Driver Driver PC/SC User Applications CryptoAPI Common Dialog S D K 3rd party DLLs PC/SC Resource Manager System Services D D K Smart Card Reader Driver Library Drivers for IFD Driver Hardware
PC/SC OS support • Windows • from Windows 98 and higher • W98 and NT4 require installation of the SmartCard Base Components • also in Windows CE http://www.microsoft.com/downloadsand search for “smartcard base components” • Linux and MacOSX use “PC/SC Lite”http://pcsclite.alioth.debian.org
PC/SC and PIN-pad readers • PC/SC has no provisions for PIN-pad card readers • public eID middleware (CSP and PKCS#11) allows plug-in extensions for PIN-pad readers • specifications are available on the FedICT web site • it is up to a vendor or distributor to provide these extensions for their hardware
Kaartlezer voor PocketPC SIS+SAM eID …
Mobiele terminals • Compact 12,5 x 7,5 x 1,5 cm • Light 123 gram • Non-Volatile Memoryread/store/synchronize • Connects to any PC • 2 AAA batteries • programmable in C • SIS approved
switches to PIN pad directly connected to the reader PIN-pad readers Class 3
Building Applications forthe Belgian eID card Thin Clients
PC-based Thin Clients PC based “fat client” • thin client sw • works with USB card readers • no modifications required at application level • card reader’s PC/SC driver must be installed on the client and the server • closest to “standard” PC configuration application thin client SW eID libs PC/SC frame PC/SC frame device redirection PC/SC driver PC/SC driver
Real Thin Clients Real thin client • thin client HW • works with USB card readers • no modifications required at application level • card reader’s PC/SC driver must be installed on the client and the server • PC/SC driver for embedded OS on thin client not always available or installation not always possible application thin client HW eID libs PC/SC frame PC/SC frame device redirection PC/SC driver PC/SC driver
Real Thin Clients Real thin client • thin client HW • works with RS232 card readers • no modifications required at application level • card reader’s PC/SC driver must be installed on the client and the server • PC/SC driver for embedded OS on thin client not always available or installation not always possible • (1) older combinations of terminal server/Citrix don’t support device redirection so PC/SC API cannot be used application thin client HW eID libs real RS232 virtual RS232 port redirection
FedICT software and thin clients • FedICT software uses PC/SC to communicate with card reader and card • in some thin client environments PC/SC is not available • solution: read the card via another channel and use the FedICT library to interpret, verify and parse the read binary copy of the ID card
address ID 1 2 3 FedICT software and thin clients • read data files as blobs straight from card • push blobs in FedICT library • result = parsed data + exact copy of the blobs + OK/NOK application RS232 lib forcard reader FedICT libs WindowsCOM: port API
Thin Clients • very often only RS232 on older thin client • power supply issues (PIN pad with display) • PC/SC not always supported • sometimes communication via network sockets • recent Citrix Metaframe supports PC/SC • older Citrix can use RS232 redirection • dumb terminals -> use central eID data capture & verification server on Win/Linux
Thin Clients • don’t confuse support for smart card logon with support for smart cards at application level ! • for electronic signature: consider that key strokes (PIN entry) is sent from client to server over the network • for simple data capture (ID, address, photo) there are no real issues