Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building Applications for the Belgian eID card

Similar presentations


Presentation on theme: "Building Applications for the Belgian eID card"— Presentation transcript:

1 Building Applications for the Belgian eID card
Introduction

2 Vergelijking SIS en eIK
memory card naam + natNR verzekeringstatus - beveiliging door apps PVC gewone bedrukking synchrone kaart uitgereikt door imv smart card naam + natNR - adres foto digitale handtekening zelf-beveiliging polycarbonaat speciale bedrukking asynchrone kaart uitgereikt door RRN

3 OS and applications on the card
Multi-application JavaCard applet 1 applet 2 applet 3 3rd party classes JavaCard FrameWork JavaCard Virtual Machine JavaCard card OS and functions

4 OS and applications on the card
Multi-application JavaCard ID 3rd party classes JavaCard FrameWork JavaCard Virtual Machine JavaCard card OS and functions

5 2 Data Sets on the card PKCS#15 data structure signed by RRN
authentication key + certificate digital signature key + certificate ID address signed by RRN signed by RRN

6 2 Data Sets on the card eID specific data signed by RRN signed by RRN
authentication digital signature ID address signed by RRN signed by RRN

7 File Hierarchy on the Card
Note: This diagram shows the files and directories as they exist on the card.

8 PKCS#15 logical data structure
PIN to activate authentication or signature keys certificates belonging to the card holder’s private keys Note: This diagram shows the logical links between the PKCS#15 objects.

9 Application Areas DATA CAPTURE IDENTIFICATION & AUTHENTICATION
ELECTRONIC SIGNATURE

10 Building Applications for the Belgian eID card
Tools and SDK

11 FedICT eID software

12 FedICT eID software Linux Microsoft Windows OS neutral standards
CryptoAPI CSP for Internet Explorer, Outlook, .NET, … OS neutral standards PKCS#11 for Linux, MacOSX, Windows and Sun Solaris Java OpenCard Framework

13 FedICT eID SDK The main goals of the FedICT eID SDK are:
To provide an easy way to retrieve the identity information from any version of a Belgian Identity Card To automate and hide all validation mechanisms To provide an easy to use interface to reduce the integration time in applications self-sufficient; as an example, all identity functions will automatically select the right application before reading the identity file ensure they are not interrupted in the middle of a file read interpret the contents of a file based on the card version

14 FedICT eID SDK  API Dev. Platform C ActiveX Java application
Java applet Java Visual Basic Delphy .NET VBA, VBscript Perl Web app

15 FedICT eID SDK Each function returning signed data always checks the signature, toghether with the integrity of the whole certificate chain. The function returns the status of the signature check (long) the global status of the certificate validation (long) for each certificate the certificate the certificate’s label the individual checking status the individual validation status the individual policy used: OCSP or CRL

16 FedICT eID SDK BEID_Init() – set OCSP and CRL policy BEID_Exit()
BEID_GetID() BEID_GetAddress() BEID_GetPicture() BEID_GetRawData() BEID_SETRawData() read straight from a card validate the content and return the parsed, interpreted result to the application create or work with a binary copy of the public data

17 FedICT eID SDK BEID_BeginTransaction() BEID_EndTransaction()
BEID_SelectApplication() BEID_ReadFile() BEID_WriteFile()

18 FedICT eID SDK BEID_VerifyPIN() BEID_ChangePIN() BEID_GetStatusPIN()
BEID_GetVersionInfo() BEID_SendAPDU()

19 FedICT eID SDK Sample code in Visual Basic
Set RetStatus = EIDlib1.Init("", 0, 0, lHandle) If (RetStatus.GetGeneral = 0) Then Set RetStatus = EIDlib1.GetID(MapColID, CertifCheck) strName = MapColID.GetValue("Name") Label1.Caption = strName End If 'Set RetStatus = EIDlib1.GetAddress(MapColAddress, CertifCheck) 'strStreet = MapColAddress.GetValue("Street") Set RetStatus = EIDlib1.Exit()

20 Microsoft: eID support today
Middleware Windows 98,Me,NT 4.0, 2000, XP Windows logon Possible but requires custom GINA logon module Office Full support in Office 2003 Internet Explorer Full support SSL in 5.5 and above Web Sites ASP and ASP .NET SSO with Federal Portal Applications Can do signing and data capture

21 Microsoft: eID toolkits
Your client .NET class Card .NET class Address .NET class Identity Microsoft add-on Managed C++ class FedICT eidlib public toolkits FedICT CSP

22 Microsoft: eID toolkits
.NET wrapper and samples for eID API XAdES .NET library and documentation .NET cookbook with code for authentication service of Federal Portal QUEST documents: legal, technical and practical implementation guidelines for advanced electronic signature with qualified certificates

23 Building Applications for the Belgian eID card
Card Readers and Terminals

24 PC/SC Cards, readers and computers made by different manufactures work together. Device independent APIs Resource management to allow multiple applications to share multiple smartcard devices with potentially multiple card slots.

25 PC/SC Resource Manager Smart Card Reader Driver Library
Smart Card Aware Apps User Applications Common Dialog SCSP CryptoAPI S D K 3rd party DLLs SCCP PC/SC Resource Manager System Services Smart Card Reader Driver Library D K Drivers for IFD Driver Driver Driver Hardware

26 PC/SC OS support Windows
from Windows 98 and higher W98 and NT4 require installation of the SmartCard Base Components also in Windows CE and search for “smartcard base components” Linux and MacOSX use “PC/SC Lite”

27 PC/SC and PIN-pad readers
PC/SC has no provisions for PIN-pad card readers public eID middleware (CSP and PKCS#11) allows plug-in extensions for PIN-pad readers specifications are available on the FedICT web site it is up to a vendor or distributor to provide these extensions for their hardware

28 Device Classification
Connection unconnected connected PC/SC Connected (PC/SC) PIN entry key pad - UI LCD display (LED) LED (buzzer) LCD display buzzer Embedded Crypto Device X Embedded software Firmware firmware progr/downl Example Vasco tokens “ISABEL” reader Cherry keyb. Xiring XiPass ACS ACR80 FINREAD

29 Kaartlezer voor PocketPC
SIS+SAM eID

30 Mobiele terminals Compact 12,5 x 7,5 x 1,5 cm Light 123 gram
Non-Volatile Memory read/store/synchronize Connects to any PC 2 AAA batteries programmable in C SIS approved

31 Low-cost SIS+SAM /eID reader

32 Gewone kaartlezers (class 2)

33 switches to PIN pad directly connected to the reader
PIN-pad readers Class 3 switches to PIN pad directly connected to the reader

34 Building Applications for the Belgian eID card
Thin Clients

35 PC-based Thin Clients PC based “fat client” thin client sw
works with USB card readers no modifications required at application level card reader’s PC/SC driver must be installed on the client and the server closest to “standard” PC configuration thin client SW application eID libs PC/SC frame PC/SC frame device redirection PC/SC driver PC/SC driver

36 Real Thin Clients Real thin client thin client HW
works with USB card readers no modifications required at application level card reader’s PC/SC driver must be installed on the client and the server PC/SC driver for embedded OS on thin client not always available or installation not always possible thin client HW application eID libs PC/SC frame PC/SC frame device redirection PC/SC driver PC/SC driver

37 Real Thin Clients Real thin client thin client HW
works with RS232 card readers no modifications required at application level card reader’s PC/SC driver must be installed on the client and the server PC/SC driver for embedded OS on thin client not always available or installation not always possible (1) older combinations of terminal server/Citrix don’t support device redirection so PC/SC API cannot be used thin client HW application eID libs real RS232 port redirection virtual RS232

38 FedICT software and thin clients
FedICT software uses PC/SC to communicate with card reader and card in some thin client environments PC/SC is not available solution: read the card via another channel and use the FedICT library to interpret, verify and parse the read binary copy of the ID card

39 FedICT software and thin clients
address ID application 2 1 3 RS232 lib for card reader FedICT libs read data files as blobs straight from card push blobs in FedICT library result = parsed data + exact copy of the blobs + OK/NOK Windows COM: port API

40 Thin Clients very often only RS232 on older thin client
power supply issues (PIN pad with display) PC/SC not always supported sometimes communication via network sockets recent Citrix Metaframe supports PC/SC older Citrix can use RS232 redirection dumb terminals -> use central eID data capture & verification server on Win/Linux

41 Thin Clients don’t confuse support for smart card logon with support for smart cards at application level ! for electronic signature: consider that key strokes (PIN entry) is sent from client to server over the network for simple data capture (ID, address, photo) there are no real issues


Download ppt "Building Applications for the Belgian eID card"

Similar presentations


Ads by Google