The eID-ClientCore - Status and Outlook
Dr. Wolf Müller
[email protected]
http://sar.informatik.hu-berlin.de
http://BeID-lab.de
eIDCC: Focus
• Library, Command-Line Interface, GUI
• Embedded & Mobile Devices, PC, Laptop
• Evaluation Prototype, Demo, Education, Research
• nPA PIN Management, eID, eSIGN
Open Identity Summit 2013
eIDCC: Requirements
C based Implementation
• Interoperability
• Binary Distribution
• Compiling for different hardware platforms
Crypto
• PACE / EAC, RSA-PSK, Secure Messaging
• ASN.1 Parsing (Certificates …)
• Inspection of Protocol / Freshness / Binding of Channels
eCard-API
• Basic Implementation
• nPA-only, (optional) Card Detection
OpenSource
• Licensing
• Looking for Compatible Building Blocks
eIDCC: Seed
• September 2012: BDr and HUB release initial version as OpenSource
• https://github.com/BeID-lab/eIDClientCore
eIDCC: License
• OpenSource, but use limited to eID@(nPA|eAT)
“Under these terms of use, Humboldt-Universität grants the user, free of charge, a non-exclusive right of use, unrestricted in territory and time, to use the eIDClientCore in accordance with the following provisions, limited to eIDClientCore software for client-side applications that enable electronic proof of identity by means of a German sovereign (official) document …”
https://raw.github.com/BeID-Lab/eIDClientCore/master/COPYING
eIDCC (Seed): Libs & Dependencies
Lang: C, C++
Crypto: gnutls, cryptopp, gcrypt
Parse: asn1c, expat
SC (smart card): pcsc-lite
No Libs or Own: PAOS, TR-03112, TR-03110, html
eIDCC: Further Steps
• Reduce dependencies!
– Integration of OpenPACE
– one Crypto-Lib (OpenSSL) for:
• PACE, CA, TA
• SSL/TLS, RSA-PSK
• Verification of (CV)-Certificates, …
• Modularization in order to
– Separate test cases for different layers
eIDCC: Future
Lang: C, C++
Crypto: openssl, Open-PACE
Parse: asn1c, expat, libcurl
SC (smart card): generic
No Libs or Own: PAOS, TR-03112
eIDCC: Challenges
• Used with real Infrastructure
– Interoperability:
• Different (implemented) eID-Services
• Different nPA-generations
• “Cat-B”-Reader in the field
• eIDCC (or similar) becomes available = possible automated access to eID-Services
• Re-assembling/-connecting of components (of eID-infrastructure) by an attacker becomes feasible
– “Selbstauskunft”-in the middle
– Relaying eSIGN
“Selbstauskunft”-in the middle*
Does X need a “Berechtigungszertifikat” to verify a user's name?
• Strategy like “Sofortüberweisung”
[Diagram: Prove ID (Firstname, Name) via Selbstauskunft; X = Remote Reader between eID-Client and eID-Service Y; channels: https & SSL/TLS (PSK), own Secure Messaging, SSL/TLS]
*{gehring,wolfm}@informatik.hu-berlin.de
Relaying eSIGN Cat-B Cat-K*
[Diagram: eID victim with Cat-B reader, attacker with Cat-K reader, eSIGN relayed between them (“?!”)]
2-factor (“something you have” that the attacker can access + “something you know”) → 1-factor
*{gehring,wolfm}@informatik.hu-berlin.de
video of the demo available
Credits
Students or PhDs
• Michael Gehring
• Dominik Oepen
• Frank Morgner
Pictures:
– https://openclipart.org/{radar, 1284641890, buildng, rubik_3D_colored, service}
– https://commons.wikimedia.org/wiki/File:Personalausweis_Text_logo.svg