Web Applications and eID Integration
Frank Cornelis
16/03/2011
© Fedict 2011. All rights reserved

eID Electronic Functionality

Identification: who are you?
● Passive eID usage
● Readout of eID identity data
● Privacy sensitive

Authentication: proving who you claim you are
● Via digital signature using the authentication key
● Active challenging of the eID card + eID user (2 factor)

Electronic signature: proving that you agreed with the content of a document
● Via digital signature using the non-repudiation key

The Belgian eID Card (diagram)

Physical structure: Infineon chip (SLE66CX322P) with CPU, crypto coprocessor (RSA), ROM (operating system), EEPROM (file system) and RAM (memory).
Logical structure: Basic Operating System, JavaCard Virtual Machine, Belgian eID Card JavaCard Applet. The host talks to the card through APDUs.

eID Card Content (PKCS#15 file structure)

PKI:
● Authentication RSA key + certificate
● Non-repudiation RSA key + certificate
● Root CA certificate
● Citizen CA certificate
● NRN certificate

Citizen identity data:
● Photo
● Identity file + Identity file NRN signature
● Address file + Address file NRN signature

The NRN signatures are PKCS#1 RSA-SHA1 signatures.

eID PKI Topology (diagram)

● Citizen side: authentication/non-repudiation certificate, issued under the Citizen CA certificate, issued under the Root CA certificate.
● The Root CA certificate appears twice with the annotation "same key", next to a GlobalSign CA certificate.
● Government side: Gov CA certificate, with the SSL certificate and the NRN certificate.
● Revocation information: CRLs and an OCSP responder.
● Key sizes shown: RSA 2048 for most certificates, RSA 1024 for two of them.

Certificate signatures are according to PKCS#1 RSA-SHA1.

Web Application Technologies

Web applications are becoming the main communication channel between government and citizens. Lots of (server-side) technologies:
● ASP.NET: one-click integration syndrome
● PHP: Drupal, CMS
● Java EE: JSF, JBoss Seam, RichFaces, ADF, Struts, JSP, Servlets, Wicket, ...

We want to make eID integration as easy as possible for all web developers.

eID Card Integration

Web Application ?????????????? eID Card

Important aspects when integrating:
● Ease of integration
● Secure usage of eID
● Platform independent solution: Windows, Linux, Mac OS X
● Multiple browser support: Firefox, MS IE, Safari, Chrome
● Open Source Software
● Idiot proof eID components

eID Identification (sequence diagram)

Client: the Web Browser hosts the eID Applet, which reaches the eID card through PC/SC and the card reader and reads the Identity File and the Identity Signature File.
Server: the Web Application embeds the eID Applet Service, which stores the identity data in the session context so the application can process it.

Server-side identity integrity verification is done by the eID Applet Service component via the SPI design pattern (SPI service interface + service implementation).
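The integrity check the deck describes, as an added example that is not code from the eid-applet project: the identity file read from the card is accepted only if its NRN signature (PKCS#1 RSA-SHA1, per the card content slide) verifies under the NRN public key. A generated RSA key pair stands in for the NRN key here because no real NRN certificate is on the page; in a deployment the public key comes from the NRN certificate read off the card, and that certificate must still be chained to the Belgian Root CA before its key is trusted (that chain validation is a separate step and is not shown).

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

/**
 * Added example, not eid-applet project code: server-side check of the NRN
 * signature over an eID identity file, the step the eID Applet Service performs
 * before it exposes identity data to the web application.
 */
public class NrnSignatureCheck {

    /** Verify a PKCS#1 v1.5 SHA-1 RSA signature over a file read from the card. */
    public static boolean verifyNrnSignature(byte[] file, byte[] nrnSignature, PublicKey nrnPublicKey)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(nrnPublicKey);
        verifier.update(file);
        return verifier.verify(nrnSignature);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the NRN key pair (assumption for this example);
        // a real deployment takes the public key from the NRN certificate on the
        // card after validating that certificate against the Belgian Root CA.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair nrnKeyPair = kpg.generateKeyPair();

        // Constructed identity file content; the real file is the PKCS#15 identity file.
        byte[] identityFile = "constructed identity file bytes".getBytes(StandardCharsets.UTF_8);

        // Produce the signature the NRN would have written to the Identity Signature File.
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(nrnKeyPair.getPrivate());
        signer.update(identityFile);
        byte[] identitySignature = signer.sign();

        System.out.println("untampered: "
                + verifyNrnSignature(identityFile, identitySignature, nrnKeyPair.getPublic()));

        // Flip one bit of the identity data: the signature must no longer verify,
        // and the application must not put such data into the session context.
        byte[] tampered = identityFile.clone();
        tampered[0] ^= 0x01;
        System.out.println("tampered:   "
                + verifyNrnSignature(tampered, identitySignature, nrnKeyPair.getPublic()));
    }
}
```

The application should only ever read identity data that has passed this check; a verification failure is a reason to reject the whole applet round-trip, not just the one file.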

eID Applet Configuration

identify-the-user.html:

<script src="https://www.java.com/js/deployJava.js"></script>
<script>
var attributes = {
    code: 'be.fedict.eid.applet.Applet.class',
    archive: 'eid-applet-package-1.0.2.GA.jar',
    width: 600,
    height: 300
};
var parameters = {
    TargetPage: 'identification-result-page.jsp',
    AppletService: 'applet-service'
};
var version = '1.6';
deployJava.runApplet(attributes, parameters, version);
</script>

identification-result-page.jsp:

<%@page import="be.fedict.eid.applet.service.Identity"%>
<html><body>
<%=((Identity) session.getAttribute("eid.identity")).name%>
</body></html>

web.xml:

<servlet>
    <servlet-name>AppletServiceServlet</servlet-name>
    <servlet-class>be.fedict.eid.applet.service.AppletServiceServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>AppletServiceServlet</servlet-name>
    <url-pattern>/applet-service</url-pattern>
</servlet-mapping>
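The result page above dereferences the session attribute directly and writes the name into HTML unescaped. As an added example (not eid-applet project code), the same page as a servlet that handles the missing-identity case and escapes on output. It assumes the eid-applet-service jar (the Identity class with its public "name" field, stored under the "eid.identity" session attribute by AppletServiceServlet, both as shown on the slide) and the Servlet API on the classpath; the servlet class name and the redirect target are assumptions for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import be.fedict.eid.applet.service.Identity;

/**
 * Added example, not eid-applet project code: a result page that only renders
 * an identity the eID Applet Service has actually placed in the session.
 */
public class IdentificationResultServlet extends HttpServlet {

    // Attribute name as used by AppletServiceServlet (from the slide).
    private static final String IDENTITY_SESSION_ATTRIBUTE = "eid.identity";
    // Page that launches the applet (assumed name, from the slide).
    private static final String IDENTIFY_PAGE = "identify-the-user.html";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getSession(false): do not create a session just to find it empty.
        HttpSession session = request.getSession(false);
        Identity identity = session == null ? null
                : (Identity) session.getAttribute(IDENTITY_SESSION_ATTRIBUTE);

        if (identity == null) {
            // No verified identity in this session: the applet round-trip has not
            // happened or the session expired. The JSP would throw a
            // NullPointerException here; send the user back to the applet page.
            response.sendRedirect(request.getContextPath() + "/" + IDENTIFY_PAGE);
            return;
        }

        // Identity data ends up inside HTML, so escape it on output; the name comes
        // from a signed identity file, but escaping costs nothing and keeps the
        // page correct for names containing '&' or quotes.
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<html><body>");
        out.println("Hello " + escapeHtml(identity.name));
        out.println("</body></html>");
    }

    /** Minimal HTML escaping for text nodes. */
    static String escapeHtml(String text) {
        StringBuilder sb = new StringBuilder(text.length());
        for (char c : text.toCharArray()) {
            switch (c) {
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '&': sb.append("&amp;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

Map it in web.xml the same way the AppletServiceServlet is mapped on the slide, and point the applet's TargetPage parameter at that URL instead of the JSP.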

The eID Applet Software Product

● Java 6 Web Browser eID Component
● Exposes all eID functionality
● Platforms: Windows, Mac OS X, Linux
● Browsers: Firefox, MS IE, Safari, Chrome
● Secure (CCID) & interactive eID card handling
● Browser client-runtime management: auto-installation of the required Java Runtime; no need for installed eID Middleware
● Open Source software: http://code.google.com/p/eid-applet/


The eID Applet In Action


eID Applet as Open Source Software

eID Applet Design Choices

● Requires Java 6 on the client; STORK came to the same conclusion for middleware
● PC/SC access breaks the dependency on eID Middleware
● Server-side component, the eID Applet Service: voids the need to communicate via JavaScript; server-side integrity verification of NRN signatures
● Generic applet: extensible via the SPI design pattern
● eID Applet Service is Java EE only (Open Source): maintenance of PHP and ASP.NET eID Applet Services is expensive (a nightmare); non-Java EE environments can integrate via other SOA products and services

eID Identity Provider

● Supports different OPEN authentication protocols:
  ● OpenID 2.0: PHP, Drupal, ...
  ● SAML2 Browser POST: Java EE, ...
  ● WS-Federation: ASP.NET, ...
● Offers 3 eID based flows: identification; authentication; identification combined with authentication
● Configurable Relying Parties via admin console
● Comes in JBoss AS 6.0 distributions: MySQL, PostgreSQL, Oracle

eID IdP: protocol flow (sequence diagram)

Participants: Client Browser, Relying Party, eID IdP.
1. The browser visits the Relying Party site.
2. Authentication request from the Relying Party to the eID IdP (Browser POST/Redirect).
3. The eID IdP authenticates/identifies the user via eID.
4. Authentication response back to the Relying Party (Browser POST/Redirect).
5. The Relying Party greets the user: Hello "Alice".

Protocol-specific variants shown in the diagram: Artifact Binding and an association request. Depending on the actually used authentication protocol, the protocol flow will look different.
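What the Relying Party has to check when the SAML2 Browser POST response from step 4 arrives, as an added example that is not eID IdP project code. It assumes the response's XML signature has already been verified against the IdP certificate from the SAML2 metadata (that step is not shown) and then checks the things a signature alone does not cover: success status, that the response answers the request this browser session actually sent (InResponseTo), the expected issuer, the validity window, the audience and the recipient endpoint. The sample response, the request ID and the issuer, audience and recipient URLs are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Instant;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Added example, not eID IdP project code: relying-party side checks on a
 * SAML2 Browser POST response after its XML signature has been verified.
 */
public class SamlResponseChecks {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final String SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static final String SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success";

    /** Hardened parser: no DTDs, no entity expansion, namespace aware. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static Element first(Element parent, String ns, String local) {
        NodeList nl = parent.getElementsByTagNameNS(ns, local);
        return nl.getLength() == 0 ? null : (Element) nl.item(0);
    }

    /** Returns null when the response is acceptable, otherwise the reason for rejection. */
    static String check(Document doc, String pendingRequestId, String expectedIssuer,
                        String expectedAudience, String expectedRecipient, Instant now) {
        Element response = doc.getDocumentElement();
        if (!SAMLP_NS.equals(response.getNamespaceURI()) || !"Response".equals(response.getLocalName()))
            return "not a samlp:Response";
        Element status = first(response, SAMLP_NS, "StatusCode");
        if (status == null || !SUCCESS.equals(status.getAttribute("Value")))
            return "status is not Success";
        // The RP stored the AuthnRequest ID in the session when it sent the request;
        // a response that does not reference it is unsolicited or replayed.
        if (!pendingRequestId.equals(response.getAttribute("InResponseTo")))
            return "InResponseTo does not match the pending request";
        Element assertion = first(response, SAML_NS, "Assertion");
        if (assertion == null) return "no assertion";
        Element issuer = first(assertion, SAML_NS, "Issuer");
        if (issuer == null || !expectedIssuer.equals(issuer.getTextContent().trim()))
            return "unexpected issuer";
        Element conditions = first(assertion, SAML_NS, "Conditions");
        if (conditions == null) return "no conditions";
        Instant notBefore = Instant.parse(conditions.getAttribute("NotBefore"));
        Instant notOnOrAfter = Instant.parse(conditions.getAttribute("NotOnOrAfter"));
        if (now.isBefore(notBefore) || !now.isBefore(notOnOrAfter))
            return "assertion outside its validity window";
        Element audience = first(conditions, SAML_NS, "Audience");
        if (audience == null || !expectedAudience.equals(audience.getTextContent().trim()))
            return "assertion not addressed to this relying party";
        Element scd = first(assertion, SAML_NS, "SubjectConfirmationData");
        if (scd == null || !expectedRecipient.equals(scd.getAttribute("Recipient"))
                || !pendingRequestId.equals(scd.getAttribute("InResponseTo")))
            return "subject confirmation does not match this endpoint and request";
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample response (no signature element; see lead-in).
        String xml = ""
            + "<samlp:Response xmlns:samlp='" + SAMLP_NS + "' xmlns:saml='" + SAML_NS + "'"
            + " ID='_r1' InResponseTo='_req42' Version='2.0' IssueInstant='2011-03-16T10:00:00Z'>"
            + "<samlp:Status><samlp:StatusCode Value='" + SUCCESS + "'/></samlp:Status>"
            + "<saml:Assertion ID='_a1' Version='2.0' IssueInstant='2011-03-16T10:00:00Z'>"
            + "<saml:Issuer>https://idp.example/eid-idp</saml:Issuer>"
            + "<saml:Subject><saml:NameID>Alice</saml:NameID>"
            + "<saml:SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'>"
            + "<saml:SubjectConfirmationData InResponseTo='_req42' Recipient='https://rp.example/saml/acs'"
            + " NotOnOrAfter='2011-03-16T10:05:00Z'/></saml:SubjectConfirmation></saml:Subject>"
            + "<saml:Conditions NotBefore='2011-03-16T09:59:00Z' NotOnOrAfter='2011-03-16T10:05:00Z'>"
            + "<saml:AudienceRestriction><saml:Audience>https://rp.example/</saml:Audience>"
            + "</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>";
        Document doc = parse(xml);
        Instant now = Instant.parse("2011-03-16T10:01:00Z");
        // null means accepted; a string is the reason for rejection.
        System.out.println("matching request: " + check(doc, "_req42", "https://idp.example/eid-idp",
                "https://rp.example/", "https://rp.example/saml/acs", now));
        System.out.println("other request:    " + check(doc, "_req43", "https://idp.example/eid-idp",
                "https://rp.example/", "https://rp.example/saml/acs", now));
        System.out.println("expired:          " + check(doc, "_req42", "https://idp.example/eid-idp",
                "https://rp.example/", "https://rp.example/saml/acs", Instant.parse("2011-03-16T10:05:00Z")));
    }
}
```

The pending request ID must be bound to the browser session that started the flow and cleared once consumed, so that each response can be accepted at most once; for the OpenID 2.0 and WS-Federation flows the eID IdP also offers, the corresponding nonce, return URL and audience checks apply.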


The eID IdP in Action

eID Identity Provider Protocols

● OpenID 2.0: OP-driven identifier selection (voids the need for user registration); OpenID Attribute Exchange 1.0 (piggy-back); OpenID Provider Authentication Policy Extension 1.0; OpenID User Interface Extension 1.0 (language)
● SAML2: Browser POST/Redirect/Artifact; SAML2 Meta-data documents (mod_mellon); Attribute Encryption
● WS-Federation: SAML2 Meta-data documents; Windows Identity Foundation tested


eID IdP as Open Source Product

eID Electronic Signatures

Again two options:
● Directly via eID Applet integration
● Using the eID Digital Signature Service

Long-term validity of Electronic Signatures:
● XAdES-X-L version 1.4.2 = self-contained signature
● CAdES: still unclear how to interpret the specs (A)
● PAdES: no non-viral open source implementation
● The e-Signature Expert Group (EC) is working on this

eID Applet Signature Architecture (diagram)

Client (browser): the eID Applet talks to the eID card, which produces PKCS#1 RSA signatures.
Server: the eID Applet Service exposes a Signature SPI with three implementations: XML SignatureService (XAdES), ODF SignatureService (OpenOffice) and OOXML SignatureService (Office 2010).

eID DSS: protocol flow (sequence diagram)

Participants: Client Browser, Relying Party, eID DSS.
1. Visit site
2. Signature Request (Relying Party to eID DSS)
3. Sign document using eID
4. Signature Response (eID DSS to Relying Party)
5. Verify Signature

Verification: OASIS DSS SOAP Web Service
Creation: proprietary protocol for the moment

eID DSS: Supported Document Formats

● ODF documents: native ODF signatures, XAdES-X-L v1.4.2; valid signatures in OpenOffice 3.2
● OOXML documents: native OOXML signatures, XAdES-X-L v1.4.2; valid signatures in MS Office 2007/2010
● XML documents: co-signatures, XAdES-X-L v1.4.2
● ZIP container: fallback for other document formats


eID DSS: XML Document Format

Business Domain Specific Language in XML

Example: a financial transaction


eID DSS: XML Document Format

The application uses eID DSS to sign the XML

eID DSS Portal: Signature Options

● Role: XAdES-BES/EPES Claimed Role; allows the signer to express his/her role.
● Include Identity: gives the certificate a face; signed as part of the XMLDSig.


eID DSS Portal: Signature Visualization

eID as a Service: Architecture (diagram)

● Card and reader: eID, CCID reader, pinpad, PC/SC
● Card access layers: PKCS#15, PKCS#11, CSP, minidriver, tokend, PKCS#1, PKCS#7
● PKI and trust services: CA, CRL, OCSP, TSA, TSP, TSL, NTP, XKMS, trust
● Identification and authentication: eID Applet, eID IdP, OpenID IdP, SAML, InfoCard, WS-Trust, IAM, ID, SSL
● Signatures: DSS, XAdES, XMLDSig, NR, ODF, OOXML, PDF

Mobile ID

● First steps taken via the eID Quick-Key Toolset
● Seek-for-Android (G&D - COSIC)
● Building blocks: eID Specifications, eID JavaCard applet, JavaCard/GlobalPlatform smart card, eID Quick-Key Toolset, eID Quick-Key, Giesecke & Devrient Mobile Security Card, Android Mobile, Mobile eID Viewer
● TODO: eID based proxy certificates; Mobile Web Browser Support; eID IdP mobile support

Thank you

Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00 | FAX +32 2 212 96 [email protected] | www.fedict.belgium.be