eID workshop - 24/06/2004
Eddy Rubens
Microsoft Services Belgium
Agenda
Agenda is based on the main e-functionalities of the eID card

  Introduction
  Certificates and Signatures
  Data capture
  Authentication and Authorization
Introduction
Certificates and Signatures
 What are certificates and signatures
 Types of signatures
   Binary blobs vs. XML based
   .NET XAdES library
Introduction
Data capture
 Capture identity information from the eID card
 Interface of the eID middleware is quite technical
   Requires intensive study
     C API with C structs
     Return codes
   Requires a deep technical profile
     C/C++ knowledge
 Interfacing with .NET is not out-of-the-box
Introduction
Data capture
 What have we done to assist?
   .NET wrapper around FedICT middleware
 Easier to understand and use
   Simple OO interface
   Adding a reference to the wrapper is enough to start
 Usable from any .NET language and VB6
   Can be exposed as COM component
Introduction
Authentication & Authorization
 What is Authentication and Authorization
 Types of authentication
   Windows logon
   ASP.NET site
   Federal Portal
 Custom made vs. Partner Solution
Agenda
 Introduction
 Certificates and Signatures
 Data capture
 Authentication and Authorization
Certificates
What is an X509 v3 certificate?
  Digitally signed statement
  Contains a public key and information about the owner
  Is linked to a private key
       Private key is only accessible and usable by the owner

Where do they come from?
  Issued by Certification Authority (CA)
  CA has responsibility for validating the request
  CA provides private key
  CAs can delegate certificate issuing to intermediate CAs

What can they be used for?
  Possible uses of a certificate are specified in the certificate itself
  We'll focus here on signing and authentication
Certificates
 eID card contains certificates
   Signing and authentication
   Root and intermediate CAs
 Tool to view certificates: MMC
   Snap-in for Current User
   Snap-in for Local Machine
   Snap-in for Service Accounts
 Registration of eID certificates in the Windows certificate store
   Demo registration certificates
Signatures
What is a digital signature?
 Proof that the owner of the private key signed the document
 Signature can be verified by the receiver

Signature types
   Binary blobs vs. XML
     XMLDSIG and XAdES
Signatures
Scenario
  Alice sends document to Bob
  Alice wants to assure Bob that the document is hers
Signatures
One-way calculation of a 'Message Digest'
  Hash algorithm
  Highly unlikely that someone else can generate the same digest from another document
  Digest is small
  Digest algorithm SHA1: 20 bytes

  [Figure: Document → Hash → Message Digest]
Signatures
Message digest is encrypted with Alice's private key

  [Figure: Message Digest + Private key → Encrypt → Signature]

Alice sends document and signature to Bob

  [Figure: Document + Signature sent to Bob]
Signatures
Bob receives document with signature
  Calculates message digest on document

  [Figure: Document → Hash → Message Digest]

Bob decrypts signature with Alice's public key
  Verify both message digests are identical

  [Figure: Signature + Public key → Decrypt → Message Digest]
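The hash / sign / verify flow of the last three slides, as an added example in C# (this is not code from the workshop or the eID middleware). It assumes .NET 6 or later; the key pair is generated in memory instead of living on an eID card, and SHA-1 is used only because the slides do.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Alice signs a document, Bob verifies it, and Mallory's tampering is detected.
// Illustrative code for the slides' hash / sign / verify flow; keys are in-memory test keys.
static class SignatureFlow
{
    // Step 1 (Alice): one-way message digest. SHA-1 gives the 20-byte digest the slides
    // mention; a design made today would use SHA-256 instead.
    public static byte[] Digest(byte[] document)
    {
        using (var sha1 = SHA1.Create())
            return sha1.ComputeHash(document);
    }

    // Step 2 (Alice): "encrypt the digest with the private key" is, in RSA terms, a signature
    // operation over the digest with PKCS#1 v1.5 padding, not a plain encryption call.
    public static byte[] Sign(byte[] document, RSA alicePrivateKey)
    {
        return alicePrivateKey.SignHash(Digest(document), HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
    }

    // Step 3 (Bob): recompute the digest and check it against the signature with Alice's
    // public key. Any change to the document or to the signature makes this return false.
    public static bool Verify(byte[] document, byte[] signature, RSA alicePublicKey)
    {
        return alicePublicKey.VerifyHash(Digest(document), signature, HashAlgorithmName.SHA1, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        using (var alice = RSA.Create(2048))
        using (var alicePublic = RSA.Create())
        {
            // Bob only ever receives the public half of Alice's key (in practice: her certificate).
            alicePublic.ImportParameters(alice.ExportParameters(false));

            byte[] contract = Encoding.UTF8.GetBytes("I owe B 1000 EUR, to be paid on 31/12/2004");
            byte[] signature = Sign(contract, alice);
            Console.WriteLine("Bob verifies original document: " + Verify(contract, signature, alicePublic));

            // Mallory changes one digit in transit; the recomputed digest no longer matches.
            byte[] tampered = Encoding.UTF8.GetBytes("I owe B 9000 EUR, to be paid on 31/12/2004");
            Console.WriteLine("Bob verifies tampered document: " + Verify(tampered, signature, alicePublic));
        }
    }
}
```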
Signatures on Windows platform
 Using MS office (XP & 2003)
   Word, Excel, PowerPoint, InfoPath (Office 2003)
   Outlook
 XMLDSIG
   Using .NET class
 XAdES
   Using .NET XAdES library
Signing MS Office documents
 Signing documents
   Demo signature in Word
     Show tampering by Mallory
   Demo signature in Excel
   Demo signature in InfoPath
     Show XML
Signing mail
   Problem
       eID card doesn't contain an email address
       Registry patch needed
[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security]
"SupressNameChecks"=dword:00000001


       Demo Outlook
XML Digital Signatures
 W3C standard for signatures: XMLDSIG
   XML based
   W3C recommendation
   http://www.w3.org/TR/xmldsig-core/
 'Human readable' format
   Signatures before this standard were binary blobs
     Example binary signatures: signatures in Word
     Example XMLDSIG signatures: signatures in InfoPath
   Existing tools can be used
     Notepad vs. Berviewer
   Easier to understand
XMLDSIG
 Core standard for new XML standards
   Security Assertion Markup Language (SAML)
     OASIS
     XML framework for exchanging authentication and authorization information
   XML Advanced Electronic Signatures (XAdES)
     ETSI
     XML format for Electronic Signatures satisfying the requirements defined in the European Directive for Electronic Signatures, and with long term validity.
XMLDSIG
   What does it look like
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="..." />
    <SignatureMethod Algorithm="..." />
    <Reference URI="#data" Id="enveloped">
      <DigestMethod Algorithm="..." />
      <DigestValue>SyNLjOrOTANUQX7K3504GPnrPss=</DigestValue>
    </Reference>
  </SignedInfo>
  <SignatureValue>...</SignatureValue>
  <KeyInfo>
    <X509Data>
      <X509Certificate>...</X509Certificate>
    </X509Data>
  </KeyInfo>
  <Object Id="data">...</Object>
</Signature>
XMLDSIG
 Creating XMLDSIG signature with .NET
   Demo code sample
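The demo code itself is not in the deck. The following is an added example (not the workshop's sample) that builds the enveloping XMLDSIG structure shown two slides earlier with the .NET SignedXml class, then verifies it and shows that editing the signed content breaks the signature. It assumes .NET 6 or later with the System.Security.Cryptography.Xml package and uses a self-signed test certificate in place of the eID signing certificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Enveloping XMLDSIG signature: the payload sits in <Object Id="data"> and is referenced by
// URI="#data", the same layout as the slide's sample. Illustrative code, not the workshop demo.
static class XmlDsigExample
{
    public static XmlElement Sign(string payloadXml, X509Certificate2 signer)
    {
        var payload = new XmlDocument { PreserveWhitespace = true };
        payload.LoadXml(payloadXml);
        var signedXml = new SignedXml { SigningKey = signer.GetRSAPrivateKey() };
        signedXml.AddObject(new DataObject { Id = "data", Data = payload.ChildNodes });
        signedXml.AddReference(new Reference("#data"));   // DigestValue is computed over the Object
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(signer));     // emits <X509Data><X509Certificate>
        signedXml.KeyInfo = keyInfo;
        signedXml.ComputeSignature();                       // fills DigestValue and SignatureValue
        return signedXml.GetXml();
    }

    // Re-parse the <Signature> element and check it. verifySignatureOnly=true skips chain
    // building, which the self-signed test certificate below would fail; with a real eID
    // certificate pass false so the chain up to the root CA is validated as well.
    public static bool Verify(string signatureXml, X509Certificate2 signer)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signatureXml);
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(doc.DocumentElement);
        return signedXml.CheckSignature(signer, true);
    }

    public static void Main()
    {
        // Test certificate standing in for the eID signing certificate (assumption of this example).
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest("CN=Alice (test)", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));

        string signature = Sign("<contract>I owe B 1000 EUR</contract>", cert).OuterXml;
        Console.WriteLine("intact signature verifies:   " + Verify(signature, cert));
        // Editing the signed payload (the InfoPath tampering demo) changes the digest, so this fails.
        Console.WriteLine("tampered signature verifies: " + Verify(signature.Replace("I owe B 1000", "I owe B 9000"), cert));
    }
}
```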
XML Advanced Electronic Signatures
 Aka XAdES
 European Telecommunication Standards Institute (ETSI)
 Compliant with European Directive 1999/93/EC on Electronic Signatures
 http://uri.etsi.org/01903/v1.1.1/
Why XAdES ?
 XAdES opens up compelling possibilities
   New use cases beyond XMLDSIG
   XAdES specification is compliant with the European Directive
Why XAdES ?
 Main XMLDSIG use case
   Short lived e-commerce style sales transactions
 Some common use cases for XAdES
   Counter signatures
   Non-repudiation
   Long-lived contracts
Why XAdES ?
 Counter signatures
   Signature added to a document that has already been signed
     To witness the first signature
     To confirm an authorization
     In case of multiple stakeholders
   XMLDSIG doesn't provide for counter signing out of the box
Why XAdES ?
 Non-repudiation
   [Figure: timeline running up to 31/12/2004]
     A signs contract "I owe B 1000€, to be paid on 31/12/2004"
     B receives and timestamps contract
     A revokes certificate
     B asks for the 1000€
     A refuses to pay claiming that signature was forged
     A & B meet in court: B can prove that signature was made at a time when A's certificate wasn't revoked
Why XAdES ?
 Signing contracts that have a 'shelf-life' of multiple years
    Issue
      Over time weaknesses may occur in cryptographic algorithms used to create the ES
    XAdES solution
      XAdES-A form: ArchiveTimeStamp element
        Can be nested
 Verifier has the task to add an ArchiveTimeStamp well before the algorithm becomes compromised
Why a XAdES library for .NET ?
 Creating applications that use XAdES is a challenge
   XAdES technical specification is quite detailed
     70 printed pages
   XAdES schema file (XAdES.XSD) is 19KB
     Over 120 different elements
Why a XAdES library for .NET ?
 Get a head start in XAdES development
   XAdES library eases development
     Development from technical RFC style documentation is not an every day job for most business solution developers
   Let you get results faster
     Built-in checks can help you detect mistakes earlier
About XAdES
 XAdES extends XMLDSIG
    XAdES uses the extension mechanism of XMLDSIG
    A XAdES signature is an XMLDSIG signature

    [Figure: Signature (XMLDSIG) containing SignedInfo (XMLDSIG), SignatureValue (XMLDSIG), KeyInfo (XMLDSIG) and Object (XMLDSIG); the Object holds the XAdES Signed Properties and Unsigned Properties]
About XAdES
   XML structure
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod />
    <SignatureMethod />
    <Reference URI="#SignedPropertiesId" />
  </SignedInfo>
  <SignatureValue />
  <KeyInfo />

  <Object Id="XadesObjectId">
   <QualifyingProperties
   xmlns="http://uri.etsi.org/01903/v1.1.1#">
     <SignedProperties Id="SignedPropertiesId" />
     <UnsignedProperties />
   </QualifyingProperties>

  </Object>
</Signature>
XAdES .NET library architecture
 XAdES extends XMLDSIG

 XAdES library extends the .NET XMLDSIG implementation
 XadesSignedXml derives from SignedXml
   Backwards compatible with XMLDSIG signatures
   Property SignatureStandard
XAdES .NET library architecture
 Serialization model same as in the SignedXml class
   GetXml
     Flatten the object model into XML
   LoadXml
     Hydrate object model from XML
 XAdES schema validation
XAdES .NET library architecture
  Dotted notation
     XAdES XML elements are nested quite deep
     <Object>
       <QualifyingProperties>
         <SignedProperties>
           <SignedSignatureProperties>
              <SignatureProductionPlace>
                <City>Brussels</City>
              </SignatureProductionPlace>
           </SignedSignatureProperties>
         </SignedProperties>
       </QualifyingProperties>
     </Object>
     Automatic instantiation of nested object graph
     Easy dotted notation with Intellisense assistance
  xadesObject.QualifyingProperties.SignedSignatureProperties.SignatureProductionPlace.City = "Brussels";
     Only "dirty" objects get serialized
Use cases revisited
   Counter Signature sample code (fragment from the test client; unsignedSignatureProperties is the UnsignedSignatureProperties object of the signature being built)
// Load a previously created XAdES signature from disk ...
XadesSignedXml newXadesSignedXml = new XadesSignedXml();
XmlDocument signatureXmlDocument = new XmlDocument();
signatureXmlDocument.PreserveWhitespace = true;   // keep whitespace intact so the digests still match

signatureXmlDocument.Load(this.counterSignatureFileTextBox.Text);   // file path entered in the test client

// ... hydrate the object model from it and attach it as a counter signature
newXadesSignedXml.LoadXml(signatureXmlDocument.DocumentElement);
unsignedSignatureProperties.CounterSignatureCollection.Add(newXadesSignedXml);
Demo
Deliverables .NET XAdES library
 Windows installer file
   Microsoft.Xades.dll
     The xcopy-deployable library
   XAdESLibraryDocumentation.chm
     Help file
   XadesTestClient.exe
     Test client showing most use cases
   Source code of library and test client
Agenda
 Introduction
 Certificates and Signatures
 Data capture
 Authentication and Authorization
Data capture
 Architecture of .NET wrapper

   [Figure: layered architecture, top to bottom]
     Your client
     .NET class Card
     .NET class Address / .NET class Identity
     Managed C++ class
     FedICT eidlib
     FedICT CSP
Role of wrapper
 Managed C++ class hides complexity
   Turn C API and C structs into .NET OO class
   Turn error codes and status information into .NET exceptions
   Conversions
     UTF8 into string
     Byte array to picture
     Byte array to .NET certificate classes
   Init and Exit functions into constructor/destructor
 Façade class Card makes use easy
Data capture demo
 Demo client code
Agenda
 Introduction
 Certificates and Signatures
 Data capture
 Authentication and Authorization
Authentication & Authorization
 Custom written web authentication
   Using eID certificate
 End-to-end solutions from partners exist
   Upcoming presentations
Custom Authentication
   Capture certificate information on server

Imports System.Web
Imports System.Security.Cryptography.X509Certificates

Public Class LogonPage
  Inherits System.Web.UI.Page
  Protected Overrides Sub Render(ByVal writer As System.Web.UI.HtmlTextWriter)
    Dim clientCert As HttpClientCertificate

    ' Certificate the browser presented during the SSL handshake (if any)
    clientCert = Request.ClientCertificate

    Response.Write(" IsPresent:" & clientCert.IsPresent & "<br>")
    Response.Write(" Issuer:" & clientCert.Issuer & "<br>")
    Response.Write(" IsValid:" & clientCert.IsValid & "<br>")

    ' Raw certificate bytes wrapped in an X509Certificate object to get the thumbprint
    Dim x509Cert As New X509Certificate(clientCert.Certificate)
    Response.Write("Hash:" & x509Cert.GetCertHashString())
    MyBase.Render(writer)
  End Sub
End Class
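The page above only displays the certificate fields; before using them for a logon decision the server has to validate the certificate. The following is an added example in C# (not part of the workshop's cookbook) of the checks a logon page would run on the raw bytes from Request.ClientCertificate.Certificate. It assumes .NET 6 or later; allowedRootThumbprint is a placeholder for the thumbprint of the eID root you trust, and the example assumes the authentication certificate is the one whose key usage includes DigitalSignature.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Server-side checks for a client certificate before it is trusted for logon.
// Illustrative code; the root thumbprint is a placeholder supplied by the caller.
static class ClientCertCheck
{
    // Returns the subject's simple name on success; throws on any failed check.
    public static string ValidateClientCertificate(byte[] rawCertificate, string allowedRootThumbprint)
    {
        if (rawCertificate == null || rawCertificate.Length == 0)
            throw new UnauthorizedAccessException("No client certificate presented");   // IsPresent = False

        using var cert = new X509Certificate2(rawCertificate);

        // Build and check the chain with online revocation checking, so a revoked
        // certificate is refused and not only an expired or untrusted one.
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(cert))
        {
            string reasons = string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
            throw new UnauthorizedAccessException("Certificate chain invalid: " + reasons);
        }

        // Pin the root: a valid chain only means it ends in *some* root the machine trusts.
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, allowedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Certificate does not chain to the expected root");

        // The card carries separate signing and authentication certificates; only accept the
        // one usable for authentication (assumed here: DigitalSignature key usage) for logon.
        var keyUsage = cert.Extensions.OfType<X509KeyUsageExtension>().FirstOrDefault();
        if (keyUsage == null || !keyUsage.KeyUsages.HasFlag(X509KeyUsageFlags.DigitalSignature))
            throw new UnauthorizedAccessException("Certificate is not usable for authentication");

        return cert.GetNameInfo(X509NameType.SimpleName, false);   // identity to log the user on as
    }
}
```

In the LogonPage above this would be called with clientCert.Certificate, and the page would deny access when the method throws instead of rendering the certificate fields.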
Authentication using FedICT
Federal Portal
 Authorization solution until eID is rolled out
 Targeted at government clients
 .NET solution
   Developed in collaboration with Cipal and FedICT
   Usable from ASP.NET and ASP
   Deliverables
     Cookbook with source code available for download
Federal Portal SSO
  [Figure: Federal Portal single sign-on, www.belgium.be/usermgt]
Solution architecture
  [Figure: solution architecture diagram with the following components and labels: Default.asp; Logonredirect.asp (DOMAIN, TARGET, LANGUAGE); FEDICT; Cipal.Authentication.dll; SAML; Logon.asp; OK; iLoket pages; Error message]
  Christophe Pagone
Demo
 Demo by Christophe Pagone - Cipal
Windows logon using eID
 Requires Graphical Identification and Authentication dll (GINA)
 Sample GINA code in the Platform SDK security samples
 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/winlogon_and_gina.asp
 More information: ginareqs@microsoft.com
Summary of deliverables
 .NET wrapper and samples for eID API
 XAdES .NET library and documentation
 .NET cookbook with code for authentication service of Federal Portal