Building Applications for the Belgian eID card Introduction.

Building Applications forthe Belgian eID card

Introduction

Building applications for the Belgian eID

Vergelijking SIS en eIK

• memory card• naam + natNR• verzekeringstatus• -• -• -• beveiliging door apps• PVC• gewone bedrukking• synchrone kaart• uitgereikt door imv

• smart card• naam + natNR• -• adres• foto• digitale handtekening• zelf-beveiliging• polycarbonaat• speciale bedrukking• asynchrone kaart• uitgereikt door RRN


OS and applications on the card

Multi-application JavaCard

applet 1applet 1

JavaCard Virtual MachineJavaCard Virtual Machine

JavaCard FrameWorkJavaCard FrameWork

3rd party classes3rd party classes

card OS and functionscard OS and functions

applet 2applet 2 applet 3applet 3

JavaCard


OS and applications on the card

Multi-application JavaCard

IDID

JavaCard Virtual MachineJavaCard Virtual Machine

JavaCard FrameWorkJavaCard FrameWork

3rd party classes3rd party classes

card OS and functionscard OS and functions

JavaCard


2 Data Sets on the card

IDIDaddressaddress

authenticationkey + certificate

digital signaturekey + certificate

signed by RRN

signed by RRN

PKCS#15 data structurePKCS#15 data structure


2 Data Sets on the card

IDIDaddressaddress

authentication

digital signaturesigned by RRN

signed by RRN

eID specific dataeID specific data


File Hierarchy on the Card

Note: This diagram shows the files and directories as they exist on the card.


PKCS#15 logical data structure

Note: This diagram shows the logical links between the PKCS#15 objects.

certificates belonging to thecard holder’s private keys

PIN to activate authenticationor signature keys


Application Areas

1. DATA CAPTURE

2. IDENTIFICATION & AUTHENTICATION

3. ELECTRONIC SIGNATURE


Tools and SDK


FedICT eID software


FedICT eID software

• Microsoft Windows– CryptoAPI CSP for Internet Explorer, Outlook, .NET, …

• OS neutral standards– PKCS#11 for Linux, MacOSX, Windows and Sun Solaris

• Java OpenCard Framework


FedICT eID SDK

The main goals of the FedICT eID SDK are:

• To provide an easy way to retrieve the identity information from any version of a Belgian Identity Card

• To automate and hide all validation mechanisms

• To provide an easy to use interface to reduce the integration time in applications

• self-sufficient; as an example, all identity functions will automatically– select the right application before reading the identity file– ensure they are not interrupted in the middle of a file read– interpret the contents of a file based on the card version


FedICT eID SDK

APIDev. Platform

C ActiveX Javaapplication

Javaapplet

Java C Visual BasicDelphy

.NET VBA, VBscript Perl Web app


FedICT eID SDK

Each function returning signed data always checks the signature, toghether with the integrity of the whole certificate chain.

The function returns• the status of the signature check (long)• the global status of the certificate validation (long)• for each certificate

– the certificate– the certificate’s label– the individual checking status– the individual validation status– the individual policy used: OCSP or CRL


FedICT eID SDK

• BEID_Init() – set OCSP and CRL policy• BEID_Exit()

• BEID_GetID()BEID_GetAddress()BEID_GetPicture()

• BEID_GetRawData()BEID_SETRawData()

read straight from a cardvalidate the content and return the parsed, interpreted result to the application

create or work with a binary copy of the public data


FedICT eID SDK

• BEID_BeginTransaction()BEID_EndTransaction()

• BEID_SelectApplication()

• BEID_ReadFile()BEID_WriteFile()


FedICT eID SDK

• BEID_VerifyPIN()BEID_ChangePIN()BEID_GetStatusPIN()

• BEID_GetVersionInfo()

• BEID_SendAPDU()


FedICT eID SDK

Sample code in Visual Basic

Set RetStatus = EIDlib1.Init("", 0, 0, lHandle)If (RetStatus.GetGeneral = 0) Then Set RetStatus = EIDlib1.GetID(MapColID, CertifCheck) strName = MapColID.GetValue("Name") Label1.Caption = strNameEnd If

'Set RetStatus = EIDlib1.GetAddress(MapColAddress, CertifCheck)

'strStreet = MapColAddress.GetValue("Street")Set RetStatus = EIDlib1.Exit()


Microsoft: eID support today

Middleware• Windows 98,Me,NT 4.0, 2000, XP Windows logon• Possible but requires custom GINA logon moduleOffice• Full support in Office 2003Internet Explorer• Full support SSL in 5.5 and aboveWeb Sites• ASP and ASP .NET• SSO with Federal PortalApplications• Can do signing and data capture


Microsoft: eID toolkits

Managed C++ classManaged C++ class

.NET .NET class class AddreAddre

ssss

.NET .NET class class IdentiIdenti

tyty

.NET class .NET class CardCard

Your clientYour client

FedICT eidlibFedICT eidlib

FedICT CSPFedICT CSP

Microsoft add-on

public toolkits


Microsoft: eID toolkits

• .NET wrapper and samples for eID API

• XAdES .NET library and documentation

• .NET cookbook with code for authentication service of Federal Portal

• QUEST documents: legal, technical and practical implementation guidelines for advanced electronic signature with qualified certificates


Card Readers and Terminals


PC/SC

• Cards, readers and computers made by different manufactures work together.

• Device independent APIs

• Resource management to allow multiple applications to share multiple smartcard devices with potentially multiple card slots.


PC/SC

User Applications

System Services

3rd party DLLs

SDK

Hardware

Drivers for IFD

DDK

Smart Card Reader Driver Library

DriverDriver DriverDriver DriverDriver

Smart Card Aware Apps

SCSP

PC/SC Resource Manager

CommonDialog

CryptoAPI

SCCP


PC/SC OS support

• Windows– from Windows 98 and higher– W98 and NT4 require installation of the

SmartCard Base Components– also in Windows CE

http://www.microsoft.com/downloadsand search for “smartcard base components”

• Linux and MacOSX use “PC/SC Lite”

http://pcsclite.alioth.debian.org


PC/SC and PIN-pad readers

• PC/SC has no provisions for PIN-pad card readers

• public eID middleware (CSP and PKCS#11) allows plug-in extensions for PIN-pad readers

• specifications are available on the FedICT web site

• it is up to a vendor or distributor to provide these extensions for their hardware


Device Classification

Class 1 Class 2 Class 3 Class 4 ClassConnection unconnected connected

PC/SCconnectedPC/SC

Connected(PC/SC)

Connected(PC/SC)

PIN entry key pad - key pad key pad key pad

UI LCD display (LED) LED(buzzer)

LCD displaybuzzer

LCD displaybuzzer

Embedded Crypto Device

X - - - X

Embedded software

Firmware firmware firmware firmware

progr/downl

progr/downl

Example Vasco tokens “ISABEL” reader

Cherry keyb. Xiring XiPassACS ACR80

FINREAD


Kaartlezer voor PocketPC

SIS+SAM

eID

…


Mobiele terminals

• Compact 12,5 x 7,5 x 1,5 cm• Light 123 gram• Non-Volatile Memory

read/store/synchronize• Connects to any PC• 2 AAA batteries• programmable in C• SIS approved


Low-cost SIS+SAM /eID reader


Gewone kaartlezers (class 2)


PIN-pad readers Class 3

switches to PIN pad directly

connected to the reader


Thin Clients


PC-based Thin Clients

PC based “fat client”• thin client sw• works with USB card

readers• no modifications required

at application level• card reader’s PC/SC

driver must be installed on the client and the server

• closest to “standard” PC configuration

application

eID libs

PC/SC frame

PC/SC driver

thin client SW

PC/SC frame

PC/SC driverdevice redirection


Real Thin Clients

Real thin client• thin client HW• works with USB card

readers• no modifications required

at application level• card reader’s PC/SC

driver must be installed on the client and the server

• PC/SC driver for embedded OS on thin client not always available or installation not always possible

application

eID libs

PC/SC frame

PC/SC driver

thin client HW

PC/SC frame

PC/SC driverdevice redirection


Real Thin Clients

Real thin client• thin client HW• works with RS232 card

readers• no modifications required at

application level• card reader’s PC/SC driver

must be installed on the client and the server

• PC/SC driver for embedded OS on thin client not always available or installation not always possible

• (1) older combinations of terminal server/Citrix don’t support device redirection so PC/SC API cannot be used

application

eID libs

thin client HW

port redirectionreal RS232 virtual RS232


FedICT software and thin clients

• FedICT software uses PC/SC to communicate with card reader and card

• in some thin client environments PC/SC is not available

• solution: read the card via another channel and use the FedICT library to interpret, verify and parse the read binary copy of the ID card


FedICT software and thin clients

1. read data files as blobs straight from card

2. push blobs in FedICT library3. result = parsed data + exact

copy of the blobs + OK/NOK

ad

dre

ss

ad

dre

ss ID

ID

application

FedICT libsRS232 lib forcard reader

WindowsCOM: port API

1 2 3


Thin Clients

• very often only RS232 on older thin client• power supply issues (PIN pad with display)• PC/SC not always supported• sometimes communication via network

sockets• recent Citrix Metaframe supports PC/SC• older Citrix can use RS232 redirection• dumb terminals -> use central eID data

capture & verification server on Win/Linux


Thin Clients

• don’t confuse support for smart card logon with support for smart cards at application level !

• for electronic signature: consider that key strokes (PIN entry) is sent from client to server over the network

• for simple data capture (ID, address, photo) there are no real issues

Building Applications for the Belgian eID card Introduction.

Documents

Transcript of Building Applications for the Belgian eID card Introduction.