Online Strong Authentication

and Web Digital Signature

White Paper

All the information in this document is CONFIDENTIAL and can’t

be used entirely or in part without a written permission from Bit4id SRL.

3

Contents 1. Executive Summary ........................................................................................................................ 4

2. Desktop Online Authentication ...................................................................................................... 5

2.1 Direct Online Authentication ....................................................................................................... 5

2.2 Online authentication via an Identity Provider ............................................................................ 8

3. Mobile online authentication ....................................................................................................... 12

4. Desktop digital signature.............................................................................................................. 14

5. Mobile digital signature ............................................................................................................... 18

6. Integration .................................................................................................................................... 20

7. Technical specifications ................................................................................................................ 21

4

1. Executive Summary

This document describes 4Identity, the Bit4id solution for strong authentication, digital signature

and life-cycle management of digital identities.

4Identity can be seamlessly integrated into any existing Web Application, and it does not rely nor

require a Java applet. This is crucial in today’s computing environments, where Java is progressively

unavailable for modern browsers and requires a lot of support work from IT departments to make it

working.

4Identity offers comprehensive, state-of-the-art, feature set complete, performance-wise solutions

that allows users to work in an easy, intuitive and efficient way, leveraging modern rich browsers in

a fully compatible way, without the hassles and performances degradation usually experienced with

other, legacy solutions, with a total coverage of the Windows, Macintosh and Linux operating

systems.

4Identity solution can be easily integrated with the existing infrastructure of online Application

Service Providers, to increase the security of hosted Web Applications and provide legally binding

transactions scaling from single Service Providers to National Authentication Schemes.

This white paper presents 4Identity in some relevant use cases, showing how easy is to integrate it

for desktop and mobile Online Authentication (par. 2, 3) and desktop and mobile Online Signing

(par. 4, 5). Lastly, a brief integration example is presented (par. 6) and technical specifications are

provided (par. 7).

5

2. Desktop Online Authentication

This common operation could be performed in two different ways: with a direct authentication

towards a web-based Service or with the mediation of an Identity Provider. Both are described in

the following paragraphs.

2.1 Direct Online Authentication

The purpose of this use case is to enable End Users to use their e-ID cards (or generic smart card) to

authenticate online towards a web-based service offered by an Application Service Provider,

accessed with a browser, where the Authentication Dialogue and Protocol is run as part of the

service – browser communication.

It is worth highlighting that the Authentication Protocol described here is complementary to a

preliminary mutual TSL/SSL client-server authentication and provides a further layer of security

based on a digitally signed challenge-response.

Our approach requires the installation of an advanced Middleware component on the End User

Device that is integrated with the browser environment.

Here, End User Device can be a desktop PC or a mobile device (smartphone or tablet) and the

Middleware implements the client side of an authentication protocol that is also supported by

corresponding Web Application of the Application Service Provider.

The authentication protocol from the server side is implemented by HTML5 and JavaScript.

JavaScript resources are hosted on an external application server (different from the one hosting the

Web Application) working as a Service Platform. Therefore, the major part of the business logic for

the authentication protocol is run between the client and the Service Platform and thus totally

transparent for the Application Service Provider. The latter will only need to modify the presentation

logic with some HTML5 tags and implement a suitable servlet to manage the result of the

authentication protocol coming from the Service Platform. No Java applets and corresponding Java

Virtual Machine are required on the client machine.

The supporting architecture is depicted in figure 1: the communication between a generic

Application Service Provider and the Client Machine is mediated via intents, a general standard

communication mechanism that is supported by any browser and consists of specialized URLs. Upon

the reception of intent, the Client Machine will start an HTTPS interaction with a Service Platform,

that validates the user certificates and allows for the required operation (authentication, digital

signature, challenge response) to effectively take place. The results of these operations are relayed

to the Application Service Provider, which could use it to further progress its business logic.

The Application Service Provider starts the interaction with the client by using some HTML tags; a

technical example is provided in paragraph 6, “Integration”.

6

Figure 1 – Direct authentication with the Web-based Service

The following elements are parts of this use case, sketched in figure 2:

The End User accesses a web-based service by an Application Service Provider that needs to

authenticate the user;

The Application Service Provider runs the authentication process;

The Service Provider initiates the authentication protocol;

e-ID card or another Authenticator (e.g. OTP, biometry) is selected as mechanism for

authentication, either by the End User or by the Service Provider;

Upon being prompted, the End User presents his/her e-ID card to a card reader selects the authentication certificate and enters the correct PIN associated with the authentication function;

If the End User Device is a mobile device, the e-ID can be accessed with a Bluetooth reader or via NFC ;

If the End User Device is a mobile device, other mechanisms different from an e-ID card can be used to store and access certificates, like Remote keys stored on HSM, TPM, MicroSD, Native key store or Trusted Execution Environment;

The authentication protocol is run between the browser on the End User Device as client side and the Service Platform together with the Service Provider as server side;

7

The authentication protocol involves an authentication challenge signed using the correct private key. Signed challenge, user certificate, and preferably also certificate chain to root CA are returned to the Service Platform;

The Service Platform validates the signed challenge including checking status of all

certificates in the certificate chain, optionally the Service Platform may fetch other

information (attributes) about the End User;

The Service Platform posts the result of the authentication process and identifying

information of the End User to the Service Provider;

The Service Provider uses the personal identity information (and possibly other attributes)

received to decide whether to grant the End User access to the service or not.

Figure 2: High level flow of the Authentication Process

Figure 3 shows the Authentication Process when it is run directly from Web Application (example), as

it appears to the End User. The user chooses to authenticate with an e-ID card or PKI token (1), the

Client Plug-in is invoked by the Web Application (2), the Client Plug-in manages the communication

with the card or PKI token for the selection of the certificate to be used and the private key is used

to sign the authentication challenge.

8

Figure 3 – Authentication Process as seen by the End User

2.2 Online Authentication via an Identity Provider

Most service providers will delegate authentication to an Identity Provider (IdP) by redirecting the

user to the IdP. Thus, the authentication dialogue and protocol will be run between the IdP and the

End User (browser). The solution presented will be the same regardless of whether it is integrated

with an IdP or directly with the Application Service Provider.

Figure 4 shows the high-level architectural view of this use case.

Authentication of the Application Service Provider and/or IdP towards the End User, Browser or Chip

may be covered by the same Protocol or may rely on a TLS channel with server authentication to be

set up before the End User Authentication Protocol is run.

The considerations and the flows of events shown in paragraph 2.1 are applicable here, with the

general modification that authentication is performed by the IdP on behalf of the Application Service

Provider.

9

Figure 4 – Authentication with IdP SSO

Figures 5 and 6 show, respectively, the sequence diagrams of the Direct Authentication to the Web-

service and the Authentication mediated by an IdP.

.

10

Figure 5: Sequence diagram for Direct Authentication with the Web service

11

Figura 6: Sequence diagram for authentication mediated by an IdP

12

3. Mobile Online Authentication

In this use case, the End User, with his/her mobile device, browses to the Web Application of the

Application Service Provider where he/she wants to login. The flows of events is shown in figures from 7 to

10, with the help of an example application.

The following elements are parts of the use case:

The Web Application, by means of the Service Platform sends a push notification to the End User

Device (figure 7);

The End User clicks on the notification;

The Client App is started to manage the authentication request;

The End User selects one of the available Secure Elements and related interfacing system (e.g. e-ID

with Bluetooth reader or NFC) in order to make certificates available for the application (figure 8);

The End User selects the appropriate certificate for authentication;

The End User inserts the PIN number (figure 9);

The signed challenge is returned to the Service Platform;

The Service Platform verifies the signed challenge and posts the result to the Web Application;

The Web Application eventually grants access to the End User (figure 10);

13

Figure 7 – Users access a web application with a Mobile device; a notification appears on user’s device

Figure 8 – Interfacing of the Client App with Bluetooth reader for the Mobile Authentication Process.

Figure 10 – Access granted to the Web Application

Figure 9 – Authentication towards the Secure Element with Bluetooth reader

14

4. Desktop digital signature

The purpose of this use case is to enable an End User to use his/her e-ID card to sign a document that is

presented in a web-based interface from an online Application Service Provider. The signed document shall

end up at the service provider, optionally with a copy stored on the End User device.

Authentication of the Application Service Provider towards the End User will be covered by a TLS channel

with server authentication. The signing protocol is implemented following the same approach discussed

above:

Installation of an advanced Middleware component on the End User Device that is integrated with the

browser environment. The Middleware implements the client side of a signing protocol that is also

supported by corresponding Web Application of the Application Service Provider. The signing protocol from

the server side is implemented by HTML5 and JavaScript with the support of the Service Platform as

described previously.

In this use case, we consider a desktop system as the client; the mobile signature will be covered in the

next paragraph.The following elements are considered parts of the use case:

The End User interacts with a web-based service, hosted by an Application Service Provider that either produces (as part of the service workflow) or obtains an already produced document to be signed by the End User;

The Service Provider initiates the signing protocol;

The document together with any other parameters to be signed is transferred to the End User Device (browser). The document will normally be displayed on the End User device in order to implement a What-You-See-is-What-You-Sign approach; however this may depend on the document format;

e-ID card - or optionally another Authenticator (e.g. OTP, biometry) in case of remote digital

signature - is selected as mechanism for signature/authorization, either by the End User or by the

Application Service Provider;

Upon being prompted, the End User presents his/her e-ID card to a card reader, he selects the

signing certificate and enters the correct PIN associated with the authentication function;

The digital signature is computed by use of the private signing key on the card;

An appropriately formatted response, including the digital signature and possibly other unsigned or signed attributes, is generated and returned to the Service Platform;

The Service Platform validates the digital signature and checks status of all certificates in the certificate chain. If the End User is authenticated in the session where the signing takes place, the Service Platform verifies that the signer identity matches the authenticated identity;

Depending on the target signature format the Service Platform may do further formatting, e.g.

produce an extended signature format including items like certificate status information (such as an

OCSP response), time-stamp etc;

The Service Platform returns the signed document together with a verification report to the Application Service Provider;

The Application Service Provider collects and archives the signed document and verification report

coming from the Service Platform;

15

The architecture of reference for this use case is the same as described in Fig.1, while the workflow is

shown in figure 11.

Figure 11 – High Level Description of the digital signature process

The workflow of the digital signature process, as seen by the user, is shown in figures from 12 to 14, with

the help of screenshots of a demo application. The Client Plug-in, installed on the user’s desktop and

invoked by the browser when an intent (specialized URL) is found in the web page, governs the signature

process as follows. The Client Plug-in;

1) Shows to the user the certificates available on the smart card and that could be used for the signature (figure 12); at this level it is possible for the Application Server to communicate filtering criteria for the certificates (e.g. expired, revoked, etc.) so that only useful certificates are shown to the end user;

2) Shows a preview of the document to sign (figure 13); The Client Plug-in, implementing the concept of What You See Is What You Sign, will show a preview of the document to be signed in the embedded PDF viewer before the user can actually run the signature command;

3) Let the user signs the document (figure 14); Figure 15 shows the sequence diagram of the digital signature process.

16

Figure 12 – Screenshots from the 4Identity Demo for the Digital Signature Process - certificate selection

Figure 13 – Screenshots from the 4Identity for the Digital Signature process – review the document to sign

Figure 14 – Screenshots from the 4Identity Demo for the Digital Signature process – Insert PIN number

17

Figure 15: Sequence diagram for digital signature

18

5. Mobile digital signature

The End User is already authenticated to a specific Web Application (in the case shown in the example

below it is an Internet banking website, but it is apparent that this is valid for any type of Web Application).

Figures from 16 to 18 show screenshots of relevant phases.

The following elements are parts of the use case:

The Web Application produces a document to be digitally signed by the End User;

The End User accepts to sign the document;

The Web Application, by means of the Service Platform sends a push notification to the End User

Device;

The End User clicks on the notification;

The Client App is started to manage the digital signature request;

The Client App presents the document to be signed to the End User who can review the document

before deciding;

The End User selects one of the available Secure Elements and related interfacing system (e.g. e-ID

card with Bluetooth reader or NFC) in order to make certificates available for the application;

The End User selects the appropriate certificate for digital signature;

The End User inserts the PIN number;

The signed document is returned to the Service Platform;

The Service Platform verifies the signed document and posts the result to the Web Application;

The Web Application stores the digitally signed document;

19

Figure 11 – Web application requesting the user to sign a transaction

Figure 12 – Push notification alerting the user on the digital signature request. By clicking on the notification the related

Client App, responsible for handling the required action is opened.

Figure 13 – The transaction to be signed is presented to the End User which can accept or decline the invitation. If the user decides to sign the transaction, he will have to insert the PIN number (or other authenticators, e.g. fingerprint) to unlock and

leverage the capabilities of one among the several secure elements supported by the Client App.

20

6. Integration

4identity is the Bit4id solution that integrates strong user authentication and digital signature of documents

in any web application and workflow, with the same validity as wet signature on paper and with minimal

impact on existing infrastructure.

4identity can be easily integrated with digital document management system in the organization, thereby

saving significant costs on paper, printing, handling and storing. It is a software solution that can be readily

integrated in the current infrastructure by means of a Bit4id network appliance. Moreover thanks to the

several authenticators supported by the 4Identity client there is no need of deploying many additional

devices and it adapts to other existing technologies (operating systems, browsers, etc.).

With 4Identity the user can sign any document, on the local machine or hosted in a web environment. It

automates the process of signing documents, integrating with any web application and with different

workflows.

The following example shows how easy it is to integrate strong authentication with 4identity APIs of the

UKC. The only thing to do is to add to the authentication page simple HTML snippets like the ones in the

following:

It is worth to underline that:

• the third party Web App invokes UKC just using divs

• The script resource in this example is on the on the SmartEngine (UKC server) at fe.example.com

on the port 8082

The last remaining step for the integration is to write a simple servlet code in order to handle the answer

(POST OK/KO) from the SmartEngine at the end of the authentication process and redirect the user on the

landing page. We provide in the integration manual code examples for .NET, PHP and Java.

21

7. Technical specifications

Supported platforms Windows

Linux

MacOS 10.5 or later

Supported Browsers : Internet Explorer

Edge

Chrome

Firefox

Safari

Certificate profiles: X.509, ETSI TS 101 862 V1.3.2

Signature Formats: XAdES (ETSI TS 101 903 V1.3.2), CAdES (ETSI TS 101 733

V1.7.4), PAdES (ETSI TS 102 778-1 V1.1.1, TS 102 778-2

V1.2.1, TS 102 778-3 V1.1.1, TS 102 778-4 V1.1.1, TS 102

778-5 V1.1.1)

Hashing Alghoritms: SHA-256, SHA-1, MD2, MD5

Keylenght: 2048/1024

Verification: CRL, OCSP, LDAP

Encryption Alghoritms: AES-256, 3-DES

Encoding: ASN.1-DER (ISO 8824, 8825), BASE64 (RFC 1421)

Time stamped data: RFC 5544

22

www.bit4id.com

ITALY Naples:

Via Diocleziano, 107

80125 Naples – Italy

info.it@bit4id.com Tel. +39 081 7625600

Fax. +39 081 19731930

Rome: Via Tirone, 11 00146 Rome

Tel. +39 06 32803708

Fax. +39 06 99335481

Milan:

Tel. +39 02 430019163

Fax. +39 02 45500675

SPAIN Barcelona: Barcelona Advanced

Industry Park C/ Marie Curie, 8-14 08042 Barcelona - Spain Tel: +34 902 60 20 30

UNITED KINGDOM 2 London Wall Buildings

London Wall, London EC2M 5UU - UK Tel. +44 1422 570673 Fax. +44 20 78553780

PERU Mártir Olaya, nº 169 Oficina 406 (Miraflores) -

Lima (Perú) Tel: +(51) 1 242 9994 info.pe@bit4id.com

Bit4id in the world