Eddy Rubens

1
eID workshop - 24/06/2004

• Eddy Rubens
• Microsoft Services Belgium

2
Agenda

• Agenda is based on main e-functionalities of the
  eID card
• Introduction
• Certificates and Signatures
• Data capture
• Authentication and Authorization

3
IntroductionCertificates and Signatures

• What are certificates and signatures
• Types of signatures
• Binary blobs vs. XML based
• .NET XAdES library

4
IntroductionData capture

• Capture identity information from eID card
• Interface eID middleware is quite technical
• Requires intensive study
• C API with C structs
• Return codes
• Requires deep technical profile
• C/C knowledge
• Interfacing with .NET not out-of-the-box

5
IntroductionData capture

• What have we done to assist?
• .NET wrapper around FedICT middleware
• Easier to understand and use
• Simple OO interface
• Add reference to wrapper is enough to start
• Usable from any .NET language and VB6
• Can be exposed as COM component

6
IntroductionAuthentication Authorization

• What is Authentication and Authorization
• Types of authentication
• Windows logon
• ASP.NET site
• Federal Portal
• Custom made vs. Partner Solution

7
Agenda

• Introduction
• Certificates and Signatures
• Data capture
• Authentication and Authorization

8
Certificates

• What is a X509 v3 certificate?
• Digitally signed statement
• Contains a public key and information of the
  owner
• Is linked to private key
• Private key is only accessible and usable by
  owner
• Where do they come from?
• Issued by Certification Authority (CA)
• CA has responsibility for validating the request
• CA provides private key
• CAs can delegate certificate issuing to
  intermediate CAs
• What can they be used for?
• Possible uses of certificate is specified on
  certificate
• Well focus here on signing and authentication

9
Certificates

• eID card contains certificates
• Signing and authentication
• Root and intermediary CAs
• Tool to view certificates MMC
• Snap-in for Current User
• Snap-in for Local Machine
• Snap-in for Service Accounts
• Registration eID certificates in Windows
  certificate store
• Demo registration certificates

10
Signatures

• What is a digital signature?
• Proof that owner of private key signed doc
• Signature can be verified by receiver
• Signature types
• Binary blobs vs. XML
• XMLDSIG and XAdES

11
Signatures

• Scenario
• Alice sends document to Bob
• Alice wants to assure Bob that the document is
  hers

12
Signatures

• One-way calculation of Message Digest
• Hash algorithm
• Highly unlikely someone else can generate same
  digest from other document
• Digest is small
• Digest algorithm SHA1 20 bytes

Hash
Message Digest
13
Signatures

• Message digest is encrypted with Alices private
  key

Message Digest
Encrypt
Signature
Private key
Alice sends document and signature to Bob
Signature
14
Signatures

• Bob receives document with signature
• Calculates message digest on document

Hash
Message Digest

• Bob decrypts signature with Alices public key
• Verify both message digests are identical

Public key
Decrypt
Message Digest
Signature
15
Signatures on Windows platform

• Using MS office (XP 2003)
• Word, Excel, PowerPoint, InfoPath (Office 2003)
• Outlook
• XMLDSIG
• Using .NET class
• XAdES
• Using .NET XAdES library

16
Signing MS Office documents

• Signing documents
• Demo signature in Word
• Show tampering by Mallory
• Demo signature in Excel
• Demo signature in InfoPath
• Show XML

17
Signing mail

• Problem
• eID card doesnt contain email address
• Patch registry needed
• HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\
  Outlook\Security
• "SupressNameChecks"dword00000001
• Demo Outlook

18
XML Digital Signatures

• W3C standard for signatures XMLDSIG
• XML based
• W3C recommendation
• http//www.w3.org/TR/xmldsig-core/
• Human readable format
• Signatures before this standard were binary blobs
• Example binary signatures signatures in Word
• Example XMLDSIG signatures signatures in
  InfoPath
• Existing tools can be used
• Notepad vs. Berviewer
• Easier to understand

19
XMLDSIG

• Core standard for new XML standards
• Security Assertion Markup Language (SAML)
• OASIS
• XML framework for exchanging authentication and
  authorization information
• XML Advanced Electronic Signatures (XAdES)
• ETSI
• XML format for Electronic Signatures satisfying
  the requirements defined in the European
  Directive for Electronic Signatures, and with
  long term validity.

20
XMLDSIG

• What does it look like

ltSignature xmlns"http//www.w3.org/2000/09/xmldsi
g"gt ltSignedInfogt ltCanonicalizationMethod
Algorithm"..." /gt ltSignatureMethod
Algorithm"..." /gt ltReference URI"data"
Id"enveloped"gt ltDigestMethod
Algorithm"..." /gt ltDigestValuegtSyNLjOrOTANU
QX7K3504GPnrPsslt/DigestValuegt lt/Referencegt
lt/SignedInfogt ltSignatureValuegt...SignatureValuegt
ltKeyInfogt ltX509Datagt
ltX509Certificategt...lt/X509Certificategt
lt/X509Datagt lt/KeyInfogt ltObject
Id"data"gt...lt/Objectgt lt/Signaturegt
21
XMLDSIG

• Creating XMLDSIG signature with .NET
• Demo code sample

22
XML Advanced Electronic Signatures

• Aka XAdES
• European Telecommunication Standards Institute
  (ETSI)
• Compliant with European Directive 1999/93/EC on
  Electronic Signatures
• http//uri.etsi.org/01903/v1.1.1/

23
Why XAdES ?

• XAdES opens up compelling possibilities
• New use cases beyond XMLDSIG
• XAdES specification is compliant with the
  European Directive

24
Why XAdES ?

• Main XMLDSIG use case
• Short lived e-commerce style sales transactions
• Some common use cases for XAdES
• Counter signatures
• Non-repudiation
• Long-lived contracts

25
Why XAdES ?

• Counter signatures
• Signature added to a document that has already
  been signed
• To witness the first signature
• To confirm an authorization
• In case of multiple stakeholders
• XMLDSIG doesnt provide for counter signing out
  of the box

26
Why XAdES ?

• Non-repudiation

timeline
31/12/2004
A signs contract I owe B 1000, to be paid on
31/12/2004 B receives and timestamps contract A
revokes certificate B asks for the 1000 A
refuses to pay claiming that signature was
forged A B meet in court B can prove that
signature was made at a time when As certificate
wasnt revoked
27
Why XAdES ?

• Signing contracts that have a shelf-live of
  multiple years
• Issue
• Over time weaknesses may occur in cryptographic
  algorithms used to create ES
• XAdES solution
• XAdES-A form ArchiveTimeStamp element
• Can be nested
• Verifier has task to add ArchiveTimeStame well
  before algorithm becomes compromised

28
Why a XAdES library for .NET ?

• Creating applications that use XAdES is a
  challenge
• XAdES technical specification is quite detailed
• 70 printed pages
• XAdES schema file (XAdES.XSD) is 19KB
• Over 120 different elements

29
Why a XAdES library for .NET ?

• Get a head start in XAdES development
• XAdES library eases development
• Development from technical RFC style
  documentation is not an every day job for most
  business solution developers
• Let you get results faster
• Built-in checks can help you detect mistakes
  earlier

30
About XAdES

• XAdES extends XMLDSIG
• XAdES uses extension mechanism of XMLDSIG
• A XAdES signature is a XMLDSIG signature

31
About XAdES

• XML structure

ltSignature xmlns"http//www.w3.org/2000/09/xmldsi
g"gt ltSignedInfogt ltCanonicalizationMethod
/gt ltSignatureMethod /gt ltReference
URI"SignedPropertiesId /gt lt/SignedInfogt
ltSignatureValue /gt ltKeyInfo /gt ltObject
Id"XadesObjectId"gt lt/Objectgt lt/Signaturegt
ltQualifyingProperties xmlns"http//uri.etsi.org/0
1903/v1.1.1"gt ltSignedProperties
Id"SignedPropertiesId /gt ltUnsignedProperties
/gt lt/QualifyingPropertiesgt
32
XAdES .NET library architecture

• XAdES extends XMLDSIG
• XAdES library extends .NET XMLDSIG implementation
• XadesSignedXml derives from SignedXml
• Backwards compatible with XMLDSIG signatures
• Property SignatureStandard

33
XAdES .NET library architecture

• Serialization model same as in SignedXml class
• GetXml
• Flatten the object model into XML
• LoadXml
• Hydrate object model from XML
• XAdES schema validation

34
XAdES .NET library architecture

• Dotted notation
• XAdES XML elements are nested quite deep
• ltObjectgt
• ltQualifyingPropertiesgt
• ltSignedPropertiesgt
• ltSignedSignaturePropertiesgt
• ltSignatureProductionPlacegt
• ltCitygtBrusselslt/Citygt
• lt/SignatureProductionPlacegt
• lt/SignedSignaturePropertiesgt
• lt/SignedPropertiesgt
• lt/QualifyingPropertiesgt
• lt/Objectgt
• Automatic instantiation of nested object graph
• Easy dotted notation with Intellisense assistance
• xadesObject.QualifyingProperties.SignedSignaturePr
  operties.SignatureProductionPlace.City
  Brussels
• Only dirty objects get serialized

35
Use cases revisited

• Counter Signature sample code
• XadesSignedXml newXadesSignedXml new
  XadesSignedXml()
• XmlDocument signatureXmlDocument new
  XmlDocument()
• signatureXmlDocument.PreserveWhitespace true
• signatureXmlDocument.Load(this.counterSignatureFil
  eTextBox.Text)
• newXadesSignedXml.LoadXml(signatureXmlDocument.Doc
  umentElement)
• unsignedSignatureProperties.CounterSignatureCollec
  tion.Add(
• newXadesSignedXml)

36
Demo
37
Deliverables .NET XAdES library

• Windows installer file
• Microsoft.Xades.dll
• The xcopy-deployable library
• XAdESLibraryDocumentation.chm
• Help file
• XadesTestClient.exe
• Test client showing most use cases
• Source code of library and test client

38
Deliverables .NET XAdES library
39
Agenda

• Introduction
• Certificates and Signatures
• Data capture
• Authentication and Authorization

40
Data capture

• Architecture of .NET wrapper

Your client
.NET class Card
.NET class Address
.NET class Identity
Managed C class
FedICT eidlib
FedICT CSP
41
Role of wrapper

• Managed C class hides complexity
• Turn C API and C structs into .NET OO class
• Turn error codes and status information into .NET
  exceptions
• Conversions
• UTF8 into string
• Byte array to picture
• Byte array to .NET certificate classes
• Init and Exit functions into constructor/destructo
  r
• Façade class Card makes use easy

42
Data capture demo

• Demo client code

43
Agenda

• Introduction
• Certificates and Signatures
• Data capture
• Authentication and Authorization

44
Authentication Authorization

• Custom written web authentication
• Using eID certificate
• End-to-end solutions from partners exist
• Upcoming presentations

45
Custom Authentication

• Capture certificate information on server
• Public Class LogonPage
• Inherits System.Web.UI.Page
• Protected Overrides Sub Render(ByVal writer As
  System.Web.UI.HtmlTextWriter)
• Dim clientCert As HttpClientCertificate
• Dim keys(), key As String
• clientCert Request.ClientCertificate
• Response.Write(" IsPresent"
  clientCert.IsPresent)
• Response.Write(" Issuer" clientCert.Issuer
  "ltbrgt")
• Response.Write(" IsValid"
  clientCert.IsValid "ltbrgt")
• Dim x509Cert New X509Certificate(clientCert.
  Certificate)
• Response.Write("Hash" x509Cert.GetCertHashS
  tring())
• MyBase.Render(writer)
• End Sub
• End Class

46
Authentication using FedICT Federal Portal

• Authorization solution until eID is rolled out
• Targeted at government clients
• .NET solution
• Developed in collaboration with Cipal and FedICT
• Usable from ASP.NET and ASP
• Deliverables
• Cookbook with source code available for download

47
Federal Portal SSO
48
Solution architecture
Default.asp
DOMAIN, TARGET, LANGUAGE
Logonredirect.asp
FEDICT
Cipal.Authentication.dll
SAML
Logon.asp
OK
iLoket paginas
Error message
Christophe Pagone
49
Demo

• Demo by Christophe Pagone - Cipal

50
Windows logon using eID

• Requires Graphical Identification and
  Authentication dll (GINA)
• Sample GINA code in the Platform SDK security
  samples
• http//msdn.microsoft.com/library/default.asp?url
  /library/en-us/security/security/winlogon_and_gina
  .asp
• More information ginareqs_at_microsoft.com

51
Summary of deliverables

• .NET wrapper and samples for eID API
• XAdES .NET library and documentation
• .NET cookbook with code for authentication
  service of Federal Portal