Web Applications and eID Integration
Transcript of Web Applications and eID Integration
© Fedict 2011. All rights reserved | p. 2
eID Electronic Functionality
● Identification: who are you?
  ● Passive eID usage
  ● Readout of eID identity data
  ● Privacy sensitive
● Authentication: proving who you claim you are
  ● Via digital signature using the authentication key
  ● Active challenging of the eID card + eID user (2 factor)
● Electronic signature: proving that you agreed with the content of a document
  ● Via digital signature using the non-repudiation key
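The "active challenging" behind eID authentication is a challenge-response: the server issues a fresh nonce, the card signs it with the authentication key (PIN entry being the second factor), and the server verifies the signature with the public key from the citizen's authentication certificate. The following Java SE program is an added illustration, not Fedict code; the card's key pair is replaced by a freshly generated RSA key (an assumption), the class name EidAuthChallenge is invented, and the real eID Applet protocol is reduced to the part the slide describes.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

// Added example: eID authentication modelled as a server-side challenge and a
// card-side PKCS#1 RSA-SHA1 signature. The card's authentication key is a
// generated stand-in (assumption); on the real card the private key never
// leaves the chip and signing requires the citizen's PIN (second factor).
public class EidAuthChallenge {

    private final SecureRandom random = new SecureRandom();
    // Challenges issued but not yet answered. A challenge is removed when it is
    // consumed, so a captured signature cannot be replayed for a second login.
    private final Set<String> outstanding = new HashSet<>();

    /** Server side: issue an unpredictable one-time challenge. */
    public byte[] issueChallenge() {
        byte[] challenge = new byte[32];
        random.nextBytes(challenge);
        outstanding.add(Base64.getEncoder().encodeToString(challenge));
        return challenge;
    }

    /** Server side: accept only a signature over a challenge we issued and
     *  have not consumed yet, made with the key in the authentication certificate. */
    public boolean verifyResponse(PublicKey authenticationPublicKey, byte[] challenge,
                                  byte[] signature) throws GeneralSecurityException {
        if (!outstanding.remove(Base64.getEncoder().encodeToString(challenge))) {
            return false; // unknown or already used challenge: replay or forgery attempt
        }
        Signature verifier = Signature.getInstance("SHA1withRSA"); // PKCS#1 v1.5 RSA-SHA1
        verifier.initVerify(authenticationPublicKey);
        verifier.update(challenge);
        return verifier.verify(signature);
    }

    /** Card side (stand-in): sign the challenge with the authentication key. */
    public static byte[] cardSign(PrivateKey authenticationPrivateKey, byte[] challenge)
            throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(authenticationPrivateKey);
        signer.update(challenge);
        return signer.sign();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair cardAuthenticationKey = generator.generateKeyPair(); // stand-in for the card key
        PublicKey fromCertificate = cardAuthenticationKey.getPublic(); // as read from the auth cert

        EidAuthChallenge server = new EidAuthChallenge();

        byte[] challenge = server.issueChallenge();
        byte[] response = cardSign(cardAuthenticationKey.getPrivate(), challenge);
        System.out.println("fresh response accepted: "
                + server.verifyResponse(fromCertificate, challenge, response));

        // The same signature presented again must be refused.
        System.out.println("replayed response accepted: "
                + server.verifyResponse(fromCertificate, challenge, response));

        // A signature over an old challenge does not satisfy a new one.
        byte[] newChallenge = server.issueChallenge();
        System.out.println("old signature on new challenge accepted: "
                + server.verifyResponse(fromCertificate, newChallenge, response));
    }
}
```

The first check should succeed and the two others fail: the challenge set is what turns a static signature into proof of present possession of the card, and it must live on the server (as the eID Applet Service does), never in the browser.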
The Belgian eID Card
[Diagram: physical and logical structure of the eID card]
● Physical structure (Infineon chip SLE66CX322P): CPU, Crypto (RSA) co-processor, ROM (operating system), EEPROM (file system), RAM (memory)
● Logical structure: Basic Operating System, JavaCard Virtual Machine, Belgian eID Card JavaCard Applet
● The card is addressed via APDUs
eID Card Content
● PKI
  ● Authentication RSA key + certificate
  ● Non-repudiation RSA key + certificate
  ● Root CA certificate
  ● Citizen CA certificate
  ● NRN certificate
● Citizen Identity Data
  ● Photo
  ● Identity File
  ● Address File
  ● Identity File NRN Signature
  ● Address File NRN Signature
● NRN signatures: PKCS#1 RSA-SHA1
● PKCS#15 file structure
eID PKI Topology
[Diagram: eID PKI topology]
● Citizen authentication/non-repudiation certificates (RSA 1024) are issued by the Citizen CA certificate (RSA 2048), which is issued by the Root CA certificate (RSA 2048)
● NRN certificate, used for the signatures over the identity and address files
● The Root CA key is also certified by a GlobalSign CA certificate (same key, RSA 2048)
● Government CA certificate (RSA 2048) under the Root CA, issuing SSL certificates
● Revocation information: CRLs and an OCSP responder
● Certificate signatures according to PKCS#1 RSA-SHA1
Web Application Technologies
Web applications are becoming the main communication channel between government and citizens. Lots of (server-side) technologies:
● ASP.NET: one-click integration syndrome
● PHP: Drupal, CMS
● Java EE: JSF, JBoss Seam, RichFaces, ADF, Struts, JSP, Servlets, Wicket, ...
We want to make eID integration as easy as possible for all web developers.
eID Card Integration
[Diagram: Web Application <-> ?????????????? <-> eID Card]
Important aspects when integrating:
● Ease of integration
● Secure usage of eID
● Platform independent solution: Windows, Linux, Mac OS X
● Multiple browser support: Firefox, MS IE, Safari, Chrome
● Open Source Software
● Idiot proof eID components
eID Identification
[Diagram: eID identification flow between client and server]
● Client: Web Browser → eID Applet → PC/SC → Card Reader → eID (Identity File, Identity Signature File)
● Server: Web Application → eID Applet Service → Session Context → Process Identity Data
● Server-side identity integrity verification by the eID Applet Service component via the SPI design pattern (SPI: Service / Implementation)
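The integrity check the slide assigns to the eID Applet Service is a PKCS#1 RSA-SHA1 signature verification: the Identity File sent up by the applet is only trusted if the Identity Signature File verifies under the NRN certificate's public key, and only then is the data handed to the application. The Java SE program below is an added example, not the eID Applet Service's own code: the NRN key pair is generated on the spot (an assumption), the identity bytes are constructed rather than the real PKCS#15 layout, and the IdentityListener hook is a hypothetical name standing in for the page's SPI.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Added example: server-side verification of the NRN signature over the
// identity file, followed by hand-over to an application-provided hook.
// Keys and file content are constructed stand-ins (assumption).
public class IdentityFileCheck {

    /** Hypothetical application hook: receives only identity data whose NRN
     *  signature verified. The real service uses its own SPI interfaces. */
    public interface IdentityListener {
        void identified(byte[] verifiedIdentityFile);
    }

    /** Verify the PKCS#1 RSA-SHA1 signature the NRN put over a card file.
     *  In production the NRN certificate must first be validated up to the
     *  Belgian Root CA (revocation included) before its key is trusted here. */
    public static boolean verifyNrnSignature(PublicKey nrnPublicKey, byte[] file,
                                             byte[] signatureFile) throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA1withRSA");
        verifier.initVerify(nrnPublicKey);
        verifier.update(file);
        return verifier.verify(signatureFile);
    }

    /** What the applet service does with the files received from the applet:
     *  verify first, hand over second. Bytes from the client are untrusted
     *  until the signature check passes. */
    public static boolean processIdentity(PublicKey nrnPublicKey, byte[] identityFile,
                                          byte[] identitySignatureFile, IdentityListener listener)
            throws GeneralSecurityException {
        if (!verifyNrnSignature(nrnPublicKey, identityFile, identitySignatureFile)) {
            return false; // reject: tampered or forged identity data
        }
        listener.identified(identityFile);
        return true;
    }

    /** Issuer-side stand-in: the NRN signs the file once, at card personalisation. */
    static byte[] nrnSign(PrivateKey nrnPrivateKey, byte[] file) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA1withRSA");
        signer.initSign(nrnPrivateKey);
        signer.update(file);
        return signer.sign();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair nrnKey = generator.generateKeyPair(); // stand-in for the NRN signing key

        // Constructed identity file content; the real file is a PKCS#15 TLV structure.
        byte[] identityFile = "name=Alice Example;nationality=BE".getBytes(StandardCharsets.UTF_8);
        byte[] identitySignatureFile = nrnSign(nrnKey.getPrivate(), identityFile);

        IdentityListener listener = data ->
                System.out.println("identified: " + new String(data, StandardCharsets.UTF_8));

        System.out.println("genuine file accepted: "
                + processIdentity(nrnKey.getPublic(), identityFile, identitySignatureFile, listener));

        // A client that edits the identity file but replays the original signature file.
        byte[] tampered = "name=Mallory Example;nationality=BE".getBytes(StandardCharsets.UTF_8);
        System.out.println("tampered file accepted: "
                + processIdentity(nrnKey.getPublic(), tampered, identitySignatureFile, listener));
    }
}
```

The genuine file is accepted and the edited one refused without the listener ever seeing it; the Address File and its NRN signature get the same treatment. This is why the check belongs in the server-side component and not in JavaScript or the applet, neither of which the server can trust.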
eID Applet Configuration

identify-the-user.html:

<script src="https://www.java.com/js/deployJava.js"></script>
<script>
var attributes = {
    code : 'be.fedict.eid.applet.Applet.class',
    archive : 'eid-applet-package-1.0.2.GA.jar',
    width : 600,
    height : 300
};
var parameters = {
    TargetPage : 'identification-result-page.jsp',
    AppletService : 'applet-service'
};
var version = '1.6';
deployJava.runApplet(attributes, parameters, version);
</script>

identification-result-page.jsp:

<%@page import="be.fedict.eid.applet.service.Identity"%>
<html><body>
<%=((Identity) session.getAttribute("eid.identity")).name%>
</body></html>

web.xml:

<servlet>
  <servlet-name>AppletServiceServlet</servlet-name>
  <servlet-class>be.fedict.eid.applet.service.AppletServiceServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>AppletServiceServlet</servlet-name>
  <url-pattern>/applet-service</url-pattern>
</servlet-mapping>
The eID Applet Software Product
● Java 6 Web Browser eID Component
  ● Exposes all eID functionality
  ● Platforms: Windows, Mac OS X, Linux
  ● Browsers: Firefox, MS IE, Safari, Chrome
● Secure (CCID) & interactive eID card handling
● Browser client-runtime management
  ● Auto-installation of required Java Runtime
  ● No need for installed eID Middleware
● Open Source software: http://code.google.com/p/eid-applet/
eID Applet Design Choices
● Requires Java 6 on the client
  ● STORK came to the same conclusion for middleware
  ● PC/SC access breaks the dependency on the eID Middleware
● Server-side component: eID Applet Service
  ● Voids the need to communicate via JavaScript
  ● Server-side integrity verification of NRN signatures
● Generic applet: extensible via the SPI design pattern
● eID Applet Service is Java EE only (Open Source)
  ● Maintenance of a PHP and ASP.NET eID Applet Service is expensive/nightmare
  ● Non Java EE environments can integrate via other SOA products and services
eID Identity Provider
● Supports different OPEN authentication protocols:
  ● OpenID 2.0: PHP, Drupal, ...
  ● SAML2 Browser POST: Java EE, ...
  ● WS-Federation: ASP.NET, ...
● Offers 3 eID based flows:
  ● Identification
  ● Authentication
  ● Identification combined with authentication
● Configurable Relying Parties via admin console
● Comes in JBoss AS 6.0 distributions: MySQL, PostgreSQL, Oracle
eID IdP: protocol flow
[Sequence diagram: Client Browser, Relying Party, eID IdP]
1. The Client Browser visits the Relying Party site
2. The Relying Party sends an authentication request (Browser POST/Redirect) via the browser to the eID IdP
3. The eID IdP authenticates/identifies the user via eID
4. The eID IdP returns an authentication response (Browser POST/Redirect) via the browser to the Relying Party; depending on the protocol there is also a back channel between Relying Party and eID IdP (SAML2 Artifact Binding, OpenID association request)
5. The Relying Party greets the user: Hello "Alice"
Depending on the authentication protocol actually used, the protocol flow will look different.
eID Identity Provider Protocols
● OpenID 2.0
  ● OP driven identifier selection (voids the need for user registration)
  ● OpenID Attribute Exchange 1.0 (piggy-back)
  ● OpenID Provider Authentication Policy Extension 1.0
  ● OpenID User Interface Extension 1.0 (language)
● SAML2
  ● Browser POST/Redirect/Artifact
  ● SAML2 Meta-data documents (mod_mellon)
  ● Attribute Encryption
● WS-Federation
  ● SAML2 Meta-data documents
  ● Windows Identity Foundation tested
eID Electronic Signatures
● Again two options:
  ● Directly via eID Applet integration
  ● Using the eID Digital Signature Service
● Long-term validity of Electronic Signatures
  ● XAdES-X-L version 1.4.2 = self-contained signature
  ● CAdES: still unclear how to interpret the specs (A)
  ● PAdES: no non-viral open source implementation
  ● e-Signature Expert Group (EC) is working on this
eID Applet Signature Architecture
[Diagram: client/server signature architecture]
● Client (Browser): eID Applet <-> eID card, which produces the PKCS#1 RSA signature
● Server: eID Applet Service → Signature SPI → XML SignatureService (XAdES), ODF SignatureService (OpenOffice), OOXML SignatureService (Office 2010)
eID DSS: protocol flow
[Sequence diagram: Client Browser, Relying Party, eID DSS]
1. The Client Browser visits the Relying Party site
2. The Relying Party sends a Signature Request via the browser to the eID DSS
3. The eID DSS lets the user sign the document using eID
4. The eID DSS returns a Signature Response via the browser to the Relying Party
5. The Relying Party verifies the signature with the eID DSS
● Verification: OASIS DSS SOAP Web Service
● Creation: proprietary protocol for the moment
eID DSS: Supported Document Formats
● ODF documents
  ● Native ODF signatures: XAdES-X-L v1.4.2
  ● Valid signatures in OpenOffice 3.2
● OOXML documents
  ● Native OOXML signatures: XAdES-X-L v1.4.2
  ● Valid signatures in MS Office 2007/2010
● XML documents
  ● Co-signatures: XAdES-X-L v1.4.2
● ZIP container
  ● Fallback for other document formats
eID DSS: XML Document Format
● Business Domain Specific Language in XML
● Example: a financial transaction
[Figure: the example XML document]
eID DSS: XML Document Format
● The application uses eID DSS to sign the XML
[Figure: the signed XML document]
eID DSS Portal: Signature Options
● Role: XAdES-BES/EPES Claimed Role; allows the signer to express his/her role.
● Include Identity: gives the certificate a face; the identity is signed as part of the XMLDSig.
eID as a Service: Architecture
[Diagram: the eID component and standards landscape; labels as they appear]
● Card access: eID, CCID reader, pinpad, PC/SC, PKCS#15, PKCS#11, CSP, tokend, minidriver
● Card functions: identification, authentication, signatures, PKCS#1, PKCS#7, ID, NR
● PKI and trust: CA, CRL, OCSP, TSL, XKMS, NTP, trust
● Services: eID Applet, eID IdP, DSS, TSA, TSP, IAM, IdP
● Protocols and formats: SSL, SAML, OpenID, InfoCard, WS-Trust, XMLDSig, XAdES, ODF, OOXML
Mobile ID
● First steps taken via eID Quick-Key Toolset
● Seek-for-Android (G&D - COSIC)
[Diagram: eID Specifications → eID JavaCard applet → JavaCard/GlobalPlatform Smart Card; eID Quick-Key Toolset → eID Quick-Key; Giesecke & Devrient Mobile Security Card → Android Mobile → Mobile eID Viewer]
● TODO
  ● eID based proxy certificates
  ● Mobile Web Browser Support
  ● eID IdP mobile support
Thank you
Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00 | FAX +32 2 212 96 [email protected] | www.fedict.belgium.be