Building Applications for the Belgian eID card - PowerPoint PPT Presentation

1
Building Applications for the Belgian eID card
  • Introduction

2
Comparison of SIS and eIK
  SIS                            eID (eIK)
  memory card                    smart card
  name, national number          name, national number
  insurance status               -
  -                              address
  -                              photo
  -                              digital signature
  security provided by apps      self-protecting
  PVC                            polycarbonate
  ordinary printing              special printing
  synchronous card               asynchronous card
  issued by imv                  issued by RRN

3
OS and applications on the card
Multi-application JavaCard
3rd party classes
JavaCard
card OS and functions
5
2 Data Sets on the card
PKCS15 data structure
ID
address
signed by RRN
signed by RRN
6
2 Data Sets on the card
eID specific data
ID
address
signed by RRN
signed by RRN
7
File Hierarchy on the Card
Note: this diagram shows the files and directories as they exist on the card.
8
PKCS15 logical data structure
PIN to activate authentication or signature keys
certificates belonging to the card holder
private keys
Note: this diagram shows the logical links between the PKCS15 objects.
9
Application Areas
  • DATA CAPTURE
  • IDENTIFICATION AUTHENTICATION
  • ELECTRONIC SIGNATURE

10
Building Applications for the Belgian eID card
  • Tools and SDK

11
FedICT eID software
12
FedICT eID software
  • Microsoft Windows
  • CryptoAPI CSP for Internet Explorer, Outlook, .NET
  • OS neutral standards
  • PKCS11 for Linux, MacOSX, Windows and Sun Solaris
  • Java OpenCard Framework

13
FedICT eID SDK
  • The main goals of the FedICT eID SDK are:
  • to provide an easy way to retrieve the identity information from any
    version of a Belgian identity card
  • to automate and hide all validation mechanisms
  • to provide an easy-to-use interface that reduces the integration time
    in applications
  • to be self-sufficient; as an example, all identity functions will
    automatically:
  • select the right application before reading the identity file
  • ensure they are not interrupted in the middle of a file read
  • interpret the contents of a file based on the card version

14
FedICT eID SDK
15
FedICT eID SDK
  • Each function returning signed data always checks the signature,
    together with the integrity of the whole certificate chain.
  • The function returns:
  • the status of the signature check (long)
  • the global status of the certificate validation (long)
  • for each certificate:
  • the certificate
  • the certificate's label
  • the individual checking status
  • the individual validation status
  • the individual policy used (OCSP or CRL)

16
FedICT eID SDK
  • BEID_Init(): set OCSP and CRL policy
  • BEID_Exit()
  • BEID_GetID(), BEID_GetAddress(), BEID_GetPicture(): read straight from
    a card, validate the content and return the parsed, interpreted result
    to the application
  • BEID_GetRawData(), BEID_SETRawData(): create or work with a binary copy
    of the public data
17
FedICT eID SDK
  • BEID_BeginTransaction(), BEID_EndTransaction()
  • BEID_SelectApplication()
  • BEID_ReadFile(), BEID_WriteFile()

18
FedICT eID SDK
  • BEID_VerifyPIN(), BEID_ChangePIN(), BEID_GetStatusPIN()
  • BEID_GetVersionInfo()
  • BEID_SendAPDU()

19
FedICT eID SDK
  • Sample code in Visual Basic

    ' initialise the library (see BEID_Init) and obtain a handle
    Set RetStatus = EIDlib1.Init("", 0, 0, lHandle)
    If (RetStatus.GetGeneral = 0) Then
        ' read and validate the identity file; CertifCheck receives the
        ' certificate validation results
        Set RetStatus = EIDlib1.GetID(MapColID, CertifCheck)
        strName = MapColID.GetValue("Name")
        Label1.Caption = strName
    End If
    'Set RetStatus = EIDlib1.GetAddress(MapColAddress, CertifCheck)
    'strStreet = MapColAddress.GetValue("Street")
    Set RetStatus = EIDlib1.Exit()

20
Microsoft eID support today
  • Middleware
  • Windows 98, Me, NT 4.0, 2000, XP
  • Windows logon
  • Possible but requires custom GINA logon module
  • Office
  • Full support in Office 2003
  • Internet Explorer
  • Full SSL support in 5.5 and above
  • Web Sites
  • ASP and ASP .NET
  • SSO with Federal Portal
  • Applications
  • Can do signing and data capture

21
Microsoft eID toolkits
Your client
.NET class Card
.NET class Address
.NET class Identity
Microsoft add-on
Managed C class
FedICT eidlib
public toolkits
FedICT CSP
22
Microsoft eID toolkits
  • .NET wrapper and samples for eID API
  • XAdES .NET library and documentation
  • .NET cookbook with code for authentication
    service of Federal Portal
  • QUEST documents legal, technical and practical
    implementation guidelines for advanced electronic
    signature with qualified certificates

23
Building Applications for the Belgian eID card
  • Card Readers and Terminals

24
PC/SC
  • Cards, readers and computers made by different manufacturers work
    together.
  • Device independent APIs
  • Resource management to allow multiple
    applications to share multiple smartcard devices
    with potentially multiple card slots.

25
PC/SC
User Applications
CryptoAPI
S D K
Common Dialog
3rd party DLLs
PC/SC Resource Manager
System Services
D D K
Smart Card Reader Driver Library
Drivers for IFD
Driver
Hardware
26
PC/SC OS support
  • Windows
  • from Windows 98 and higher
  • W98 and NT4 require installation of the SmartCard
    Base Components
  • also in Windows CE
  • http://www.microsoft.com/downloads and search for "smartcard base
    components"
  • Linux and MacOSX use PC/SC Lite: http://pcsclite.alioth.debian.org

27
PC/SC and PIN-pad readers
  • PC/SC has no provisions for PIN-pad card readers
  • public eID middleware (CSP and PKCS11) allows
    plug-in extensions for PIN-pad readers
  • specifications are available on the FedICT web
    site
  • it is up to a vendor or distributor to provide
    these extensions for their hardware

28
Device Classification
29
Card reader for PocketPC
SISSAM eID
30
Mobile terminals
  • Compact: 12.5 x 7.5 x 1.5 cm
  • Light: 123 grams
  • Non-volatile memory: read/store/synchronize
  • Connects to any PC
  • 2 AAA batteries
  • programmable in C
  • SIS approved

31
Low-cost SISSAM /eID reader
32
Ordinary card readers (class 2)
33
PIN-pad readers (class 3)
34
Building Applications for the Belgian eID card
  • Thin Clients

35
PC-based Thin Clients
  • PC based fat client
  • thin client sw
  • works with USB card readers
  • no modifications required at application level
  • the card reader's PC/SC driver must be installed on the client and
    the server
  • closest to standard PC configuration

application
thin client SW
eID libs
PC/SC frame
PC/SC frame
device redirection
PC/SC driver
PC/SC driver
36
Real Thin Clients
  • Real thin client
  • thin client HW
  • works with USB card readers
  • no modifications required at application level
  • the card reader's PC/SC driver must be installed on the client and
    the server
  • PC/SC driver for embedded OS on thin client not
    always available or installation not always
    possible

application
thin client HW
eID libs
PC/SC frame
PC/SC frame
device redirection
PC/SC driver
PC/SC driver
37
Real Thin Clients
  • Real thin client
  • thin client HW
  • works with RS232 card readers
  • no modifications required at application level
  • the card reader's PC/SC driver must be installed on the client and
    the server
  • PC/SC driver for embedded OS on thin client not always available or
    installation not always possible
  • (1) older combinations of terminal server/Citrix don't support device
    redirection, so the PC/SC API cannot be used

application
thin client HW
eID libs
real RS232
virtual RS232
port redirection
38
FedICT software and thin clients
  • FedICT software uses PC/SC to communicate with
    card reader and card
  • in some thin client environments PC/SC is not
    available
  • solution: read the card via another channel and use the FedICT library
    to interpret, verify and parse the binary copy read from the ID card

39
FedICT software and thin clients
application
FedICT libs
RS232 lib for card reader
  • read data files as blobs straight from card
  • push blobs in FedICT library
  • result: parsed data, an exact copy of the blobs, and OK/NOK

Windows COM port API
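The thin-client flow of slides 38 and 39 (read the data files as blobs over another channel, push them into the library, get back parsed data and an OK/NOK) together with the rule from slide 15 that signed data is always checked before it is returned, as an added Python example that is not FedICT code. The RRN key, the signature scheme (textbook RSA over SHA-256, no padding) and the key=value file layout are constructed stand-ins, not the card's real formats.

```python
import hashlib

# Constructed stand-in for the RRN signing key: textbook (unpadded) RSA over
# two Mersenne primes. NOT the real RRN key or signature format.
_P, _Q, _E = (1 << 127) - 1, (1 << 521) - 1, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
RRN_PUBLIC_KEY = (_N, _E)

SIG_OK, SIG_BAD = 0, 1  # signature status returned as a long, like the SDK

def rrn_sign(blob: bytes) -> bytes:
    """Issuer side (RRN) - only used here to build the sample card content."""
    h = int.from_bytes(hashlib.sha256(blob).digest(), "big")
    return pow(h, _D, _N).to_bytes((_N.bit_length() + 7) // 8, "big")

def verify_blob(blob: bytes, sig: bytes, pubkey=RRN_PUBLIC_KEY) -> int:
    """Check the RRN signature over one raw file blob; returns a status code."""
    n, e = pubkey
    h = int.from_bytes(hashlib.sha256(blob).digest(), "big")
    return SIG_OK if pow(int.from_bytes(sig, "big"), e, n) == h else SIG_BAD

def parse_fields(blob: bytes) -> dict:
    """Constructed key=value layout standing in for the card's file encoding."""
    return dict(line.split("=", 1) for line in blob.decode().splitlines() if line)

def set_raw_data(files: dict) -> dict:
    """The 'push blobs into the library' step: every file is verified first;
    parsed data is returned only for files whose RRN signature checks out,
    and the global status is NOK as soon as one file fails."""
    result = {"status": SIG_OK, "id": None, "address": None}
    for name in ("id", "address"):
        blob, sig = files[name]
        if verify_blob(blob, sig) == SIG_OK:
            result[name] = parse_fields(blob)
        else:
            result["status"] = SIG_BAD
    return result

# Constructed sample blobs, as a thin client would read them off the card.
ID_BLOB = b"Name=Jan Peeters\nNationalNumber=00000000000\n"  # placeholder values
ADDR_BLOB = b"Street=Hoofdstraat 1\nMunicipality=Brussel\n"
CARD = {"id": (ID_BLOB, rrn_sign(ID_BLOB)),
        "address": (ADDR_BLOB, rrn_sign(ADDR_BLOB))}
# Same card, but the address blob was altered in transit: its signature no longer matches.
TAMPERED = dict(CARD, address=(ADDR_BLOB.replace(b"Brussel", b"Antwerpen"),
                               CARD["address"][1]))
```

Because the check happens on the server side of the thin-client link, an altered blob is reported as NOK and its contents are never handed to the application, while the untouched ID file is still parsed.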
40
Thin Clients
  • very often only RS232 on older thin client
  • power supply issues (PIN pad with display)
  • PC/SC not always supported
  • sometimes communication via network sockets
  • recent Citrix Metaframe supports PC/SC
  • older Citrix can use RS232 redirection
  • dumb terminals -> use a central eID data capture / verification server
    on Win/Linux

41
Thin Clients
  • don't confuse support for smart card logon with support for smart
    cards at application level!
  • for electronic signature, consider that key strokes (PIN entry) are
    sent from client to server over the network
  • for simple data capture (ID, address, photo)
    there are no real issues