The eID on Linux in 2015
wouter-verhelst
About me
● Debian Developer since 2001
● Used to maintain the eID software in Debian (2004-2010)
● Contractor at Fedict for the eID software (since 2014)
Anecdote
● “It doesn't work. Help!” :-)
● “It doesn't work. They didn't test! Bastards!” :-T
● “It doesn't work. I'll have to use something else.” :-(
Linux support
● Support means:
– Precompiled packages
– For a limited number of distributions and versions
– Support on equal terms with Windows or OS X
– A single person (me)...
– Source code available (LGPLv3)
Supported distributions
● List roughly based on the most popular distributions (distrowatch.com)
– Might add more distributions on popular request
● Currently:
– Ubuntu/Mint
– Debian
– openSUSE
– Fedora
– CentOS/RHEL
Supported distribution versions
● “Rules”:
– Most recent 'regular' release
– Two most recent 'LTS' releases (if applicable)
– Never more than three releases (two if no LTS)
– Never when no longer supported by the distribution
● Example:
– Ubuntu: 12.04 LTS, 14.04 LTS, 14.10
● Soon: +15.04, -14.10
– Debian: 7 (soon: +8)
– RHEL/CentOS: 6, 7
– Fedora: 20, 21
● Older packages will remain (not updated)
– Currently only Fedora 19
The card
● JavaCard
– On-card applet written by Gemalto
● Contains:
– Identity data (name, address, photo, …)
● Signed by the RRN certificate
– 2 RSA private keys (1024-bit; 2048-bit on the newer 10-year cards)
● 1 for signature, 1 for authentication
● Cannot be extracted
– 5 certificates (root, RRN, CA, signature, authentication)
PCSC
● PC SmartCard API
● Low-level API: “SCardTransmit”, “SCardControl”, etc.
● Originally developed for Windows, now a cross-platform API thanks to pcsc-lite
● Daemon (pcscd) to talk to the hardware
CCID
● “Chip Card Interface Device”
● Standard USB protocol for smartcard readers; compare the USB HID protocol
● Most card readers today implement this protocol
● libccid: userspace implementation, used by pcscd to talk to card readers
● ACR38U: nonstandard protocol; the oldest Fedict card readers used it → libacr38u
PKCS#11
● Public Key Cryptography Standards, number 11
● Standardized C API
● Originally RSA, now OASIS
● Read data: C_Initialize() → C_GetSlotList() → C_OpenSession() → C_FindObjectsInit() → C_FindObjects() → C_GetAttributeValue() → C_FindObjectsFinal() → C_CloseSession() → C_Finalize()
● Sign data: C_Initialize() → C_GetSlotList() → C_OpenSession() → C_FindObjectsInit() → C_FindObjects() → C_SignInit() → C_Sign() → C_FindObjectsFinal() → C_CloseSession() → C_Finalize()
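The two call sequences above, driven through ctypes against the middleware's module. This is an added example, not code from the talk or from the eid-mw project. The module path, the data-object label "surname", the private-key label "Signature" and the CKM_SHA256_RSA_PKCS mechanism are assumptions; confirm them with `pkcs11-tool --module <path> --list-objects --list-mechanisms` before relying on them.

```python
# Added example, not code from the talk or from eid-mw: the slide's two PKCS#11 call
# sequences driven through ctypes. Assumed, not from the slides: the module path, the
# labels "surname" and "Signature", and CKM_SHA256_RSA_PKCS (check with pkcs11-tool).
import ctypes as C

CKR_OK, CKF_SERIAL_SESSION = 0x0, 0x4
CKA_CLASS, CKA_LABEL, CKA_VALUE = 0x0, 0x3, 0x11
CKO_DATA, CKO_PRIVATE_KEY, CKM_SHA256_RSA_PKCS = 0x0, 0x3, 0x40
ULONG, PULONG, PVOID = C.c_ulong, C.POINTER(C.c_ulong), C.c_void_p

# CK_FUNCTION_LIST is a CK_VERSION followed by function pointers in the order fixed by
# pkcs11f.h; only the prefix up to C_Sign is declared, and the order must not change.
FUNCTION_NAMES = (
    "C_Initialize C_Finalize C_GetInfo C_GetFunctionList C_GetSlotList C_GetSlotInfo "
    "C_GetTokenInfo C_GetMechanismList C_GetMechanismInfo C_InitToken C_InitPIN C_SetPIN "
    "C_OpenSession C_CloseSession C_CloseAllSessions C_GetSessionInfo C_GetOperationState "
    "C_SetOperationState C_Login C_Logout C_CreateObject C_CopyObject C_DestroyObject "
    "C_GetObjectSize C_GetAttributeValue C_SetAttributeValue C_FindObjectsInit C_FindObjects "
    "C_FindObjectsFinal C_EncryptInit C_Encrypt C_EncryptUpdate C_EncryptFinal C_DecryptInit "
    "C_Decrypt C_DecryptUpdate C_DecryptFinal C_DigestInit C_Digest C_DigestUpdate "
    "C_DigestKey C_DigestFinal C_SignInit C_Sign").split()

class CK_FUNCTION_LIST(C.Structure):
    _fields_ = [("version", C.c_ubyte * 2)] + [(n, PVOID) for n in FUNCTION_NAMES]
class CK_ATTRIBUTE(C.Structure):
    _fields_ = [("type", ULONG), ("pValue", PVOID), ("ulValueLen", ULONG)]
class CK_MECHANISM(C.Structure):
    _fields_ = [("mechanism", ULONG), ("pParameter", PVOID), ("ulParameterLen", ULONG)]

def check(rv, what):
    if rv != CKR_OK:
        raise RuntimeError("%s failed: CKR 0x%x" % (what, rv))
def load_module(path):
    """dlopen() the module and return its CK_FUNCTION_LIST; None when it cannot be loaded."""
    try:
        lib = C.CDLL(path)                                  # missing file or wrong architecture
    except OSError:
        return None
    lib.C_GetFunctionList.argtypes = [C.POINTER(C.POINTER(CK_FUNCTION_LIST))]
    lib.C_GetFunctionList.restype = ULONG
    fl = C.POINTER(CK_FUNCTION_LIST)()
    check(lib.C_GetFunctionList(C.byref(fl)), "C_GetFunctionList")
    return fl.contents
def fn(fl, name, *argtypes):
    """One list slot as a callable with explicit argtypes (a CK_ULONG must not go in as a C int)."""
    return C.CFUNCTYPE(ULONG, *argtypes)(getattr(fl, name))

def open_session(fl):
    """C_Initialize, C_GetSlotList (slots holding a token only), C_OpenSession on the first."""
    check(fn(fl, "C_Initialize", PVOID)(None), "C_Initialize")
    get_slots, n, session = fn(fl, "C_GetSlotList", C.c_ubyte, PULONG, PULONG), ULONG(0), ULONG(0)
    check(get_slots(1, None, C.byref(n)), "C_GetSlotList")         # size query
    if n.value == 0:
        raise LookupError("no card inserted")
    slots = (ULONG * n.value)()
    check(get_slots(1, slots, C.byref(n)), "C_GetSlotList")
    check(fn(fl, "C_OpenSession", ULONG, ULONG, PVOID, PVOID, PULONG)(
        slots[0], CKF_SERIAL_SESSION, None, None, C.byref(session)), "C_OpenSession")
    return session.value

def find_object(fl, session, cls, label):
    """C_FindObjectsInit / C_FindObjects / C_FindObjectsFinal with a CKA_CLASS + CKA_LABEL template."""
    cls_v, lbl, handle, count = ULONG(cls), label.encode(), ULONG(0), ULONG(0)
    lbl_buf = C.create_string_buffer(lbl, len(lbl))                 # no trailing NUL in a CKA_LABEL
    tmpl = (CK_ATTRIBUTE * 2)(CK_ATTRIBUTE(CKA_CLASS, C.addressof(cls_v), C.sizeof(cls_v)),
                              CK_ATTRIBUTE(CKA_LABEL, C.addressof(lbl_buf), len(lbl)))
    check(fn(fl, "C_FindObjectsInit", ULONG, C.POINTER(CK_ATTRIBUTE), ULONG)(session, tmpl, 2), "C_FindObjectsInit")
    check(fn(fl, "C_FindObjects", ULONG, PULONG, ULONG, PULONG)(session, C.byref(handle), 1, C.byref(count)), "C_FindObjects")
    check(fn(fl, "C_FindObjectsFinal", ULONG)(session), "C_FindObjectsFinal")
    if count.value == 0:
        raise LookupError("no object labelled %r" % label)
    return handle.value

def read_data(fl, session, label):
    """One identity data object: C_GetAttributeValue twice, the first call only sizing the value."""
    obj = find_object(fl, session, CKO_DATA, label)
    get_attr = fn(fl, "C_GetAttributeValue", ULONG, ULONG, C.POINTER(CK_ATTRIBUTE), ULONG)
    attr = CK_ATTRIBUTE(CKA_VALUE, None, 0)
    check(get_attr(session, obj, C.byref(attr), 1), "C_GetAttributeValue (size)")
    buf = C.create_string_buffer(attr.ulValueLen)
    attr.pValue = C.addressof(buf)
    check(get_attr(session, obj, C.byref(attr), 1), "C_GetAttributeValue")
    return buf.raw[:attr.ulValueLen]

def sign(fl, session, data, key_label="Signature"):
    """C_SignInit / C_Sign with the on-card key; the middleware asks for the PIN itself."""
    key = find_object(fl, session, CKO_PRIVATE_KEY, key_label)
    mech = CK_MECHANISM(CKM_SHA256_RSA_PKCS, None, 0)
    check(fn(fl, "C_SignInit", ULONG, C.POINTER(CK_MECHANISM), ULONG)(session, C.byref(mech), key), "C_SignInit")
    do_sign, siglen = fn(fl, "C_Sign", ULONG, C.c_char_p, ULONG, C.c_char_p, PULONG), ULONG(0)
    check(do_sign(session, data, len(data), None, C.byref(siglen)), "C_Sign (size)")
    sig = C.create_string_buffer(siglen.value)
    check(do_sign(session, data, len(data), sig, C.byref(siglen)), "C_Sign")
    return sig.raw[:siglen.value]                                   # 128 bytes (1024-bit key) or 256

def close(fl, session):
    check(fn(fl, "C_CloseSession", ULONG)(session), "C_CloseSession")
    check(fn(fl, "C_Finalize", PVOID)(None), "C_Finalize")
```

With a card in the reader, `fl = load_module("/usr/lib/libbeidpkcs11.so")`, `s = open_session(fl)`, then `read_data(fl, s, "surname")` and `sign(fl, s, b"...")`, and `close(fl, s)` at the end; `load_module` returns None rather than raising when the path is wrong or the module's architecture does not match the interpreter (the multiarch point above). The sign sequence has no C_Login, exactly as on the slide: the eID module collects the PIN through its own dialog or the reader's pinpad, which is where the "confirmation dialogs" of the shell-script slide come from.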
PKCS#11 module
● libbeidpkcs11.so
● In the standard library path (distribution-dependent)
● PKCS#11 is supported by a wide variety of software:
– Chrome
– Firefox
– Adobe Reader
– OpenSSH
– …
● Multiarch-enabled (since July 2014)
Firefox plugin
● Automates installation of:
– the PKCS#11 module
– the Belgian root certificates
● Not strictly needed; possible to do manually
– Does make things easier to use
● Also configures Thunderbird and LibreOffice
– Because they use Firefox's configuration...
Chrome/Chromium
● No proper/“official” smartcard support under Linux
● Uses libnss, Firefox's SSL library
– With a simple command-line incantation (NSS's modutil against Chrome's own certificate database under ~/.pki/nssdb), adding a PKCS#11 module is possible
● https://github.com/Fedict/eid-mw/wiki/ChromeLinux
● Rough around the edges, but works
Adobe Reader
● Needed for signing PDF files with Adobe LiveCycle
– InterVAT
● Adobe Reader for Linux is EOL
– Can still be found (e.g., in the Ubuntu Partner repositories)
– Not security supported!
– 32-bit only!
● Document → Security settings → PKCS#11 modules
OpenSSH
● ssh -I /usr/.../libbeidpkcs11.so   # uppercase i (PKCS#11 provider), not lowercase L, and not -i (identity file)
● ssh-add -s /usr/.../libbeidpkcs11.so   # add the card's keys to the agent
– ssh-add -e /usr/.../libbeidpkcs11.so   # remove them again; do not forget this when removing the card!
– ssh-add -l   # list what the agent currently holds
Shell scripts (!)
● Requires OpenSC
● pkcs11-tool with libbeidpkcs11
– One call per label
– Many confirmation dialogs...
● eidenv
– Doesn't use libbeidpkcs11
– No confirmation dialogs
– No Fedict support...
HTTP server
● Server-side application!
– Doesn't need the card → doesn't need the middleware
● Two major options:
– Mutual SSL
– eid-applet
Mutual SSL
● The eID certificate was used at some point
● No guarantee that the identity information is correct
● Enough for basic needs
● Client needs the middleware installed
● Certificates on repository.eid.belgium.be
● Downsides:
– Difficult to debug for the client in case of problems
– Antivirus MITM proxies
– Vulnerable:
● XSS (the browser authenticates with the card automatically, so injected script acts as the card holder)
● TLS session resumption (the card is only proven present at the initial handshake, not when the session is resumed)
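What "mutual SSL" gives the server side, as an added example in Python's ssl module (not code from the talk or from Fedict): require a client certificate chaining to the eID CAs, then take the identity from the verified certificate's subject. The CA bundle file name, and the layout of the authentication certificate's subject (name in givenName/surname, national number in serialNumber, commonName ending in "(Authentication)") are assumptions; check them against a real certificate before relying on them. The sample subjects at the bottom are constructed, not real certificates.

```python
# Added example, not code from the talk or from Fedict: the server side of the "mutual
# SSL" option with Python's ssl module. Assumed, not from the slides: the CA bundle
# file, and that the authentication certificate's subject carries the holder's name in
# givenName/surname, the national number in serialNumber, and a commonName ending in
# "(Authentication)"; check those against a real certificate before relying on them.
import socket
import ssl

def server_context(ca_bundle, certfile, keyfile):
    """Server context that only accepts clients whose certificate chains to the eID CAs."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_bundle)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED           # CERT_OPTIONAL would let cardless clients through
    return ctx

def subject_of(peercert):
    """Flatten getpeercert()'s tuple-of-RDNs subject into a dict."""
    return {k: v for rdn in peercert.get("subject", ()) for k, v in rdn}

def identity_from_peercert(peercert):
    """(national_number, given_name, surname) from a verified eID authentication
    certificate, else None. This proves only what the slide says: the card's
    authentication key was used at some point (at the first handshake; a resumed
    session does not repeat it), and the fields are what the CA put in the certificate."""
    if not peercert:                              # {} when no certificate was verified
        return None
    s = subject_of(peercert)
    if s.get("countryName") != "BE" or not s.get("commonName", "").endswith("(Authentication)"):
        return None                               # the signature certificate must not log anyone in
    try:
        return s["serialNumber"], s["givenName"], s["surname"]
    except KeyError:
        return None

def serve_once(ctx, host="127.0.0.1", port=8443):
    """Accept one TLS connection and report the identity its certificate carries."""
    with socket.create_server((host, port)) as srv:
        with ctx.wrap_socket(srv.accept()[0], server_side=True) as conn:
            ident = identity_from_peercert(conn.getpeercert())
            conn.sendall(("identity: %r\n" % (ident,)).encode())
            return ident

# Constructed samples in getpeercert() layout; not real certificates.
SAMPLE_AUTH_CERT = {"subject": ((("countryName", "BE"),),
                                (("commonName", "Jan Peeters (Authentication)"),),
                                (("surname", "Peeters"),), (("givenName", "Jan"),),
                                (("serialNumber", "85010112345"),))}
SAMPLE_SIGN_CERT = {"subject": ((("countryName", "BE"),),
                                (("commonName", "Jan Peeters (Signature)"),),
                                (("surname", "Peeters"),), (("givenName", "Jan"),),
                                (("serialNumber", "85010112345"),))}
```

`serve_once(server_context("belgian-eid-cas.pem", "server.crt", "server.key"))` answers a single browser that has the middleware and the PKCS#11 module configured. Rejecting the signature certificate matters because the card carries two keys that are both technically usable for TLS client authentication; only the one the card issues for authentication should log anyone in.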